BASELINE: Update Chromium to 77.0.3865.59

Change-Id: I1e89a5f3b009a9519a6705102ad65c92fe736f21
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>

1178 files changed, 57796 insertions, 28497 deletions

diff --git a/chromium/net/BUILD.gn b/chromium/net/BUILD.gn
index b3d97f6a0a6..be5b930f97e 100644
--- a/chromium/net/BUILD.gn
+++ b/chromium/net/BUILD.gn
@@ -7,7 +7,6 @@ import("//build/config/chromecast_build.gni")
 import("//build/config/compiler/compiler.gni")
 import("//build/config/crypto.gni")
 import("//build/config/features.gni")
-import("//build/config/ui.gni")
 import("//net/features.gni")
 import("//testing/libfuzzer/fuzzer_test.gni")
 import("//testing/test.gni")
@@ -15,10 +14,7 @@ import("//third_party/icu/config.gni")
 import("//third_party/protobuf/proto_library.gni")
 import("//tools/grit/grit_rule.gni")
 import("//url/features.gni")
-
-if (!is_proto_quic) {
-  import("//v8/gni/v8.gni")
-}
+import("//v8/gni/v8.gni")
 
 if (is_android) {
   import("//build/config/android/config.gni")
@@ -34,8 +30,8 @@ if (is_android) {
 # So enable it for x86 only for now.
 posix_avoid_mmap = is_android && current_cpu != "x86"
 
-use_v8_in_net = !is_ios && !is_proto_quic
-enable_built_in_dns = !is_ios && !is_proto_quic
+use_v8_in_net = !is_ios
+enable_built_in_dns = !is_ios
 
 # Unix sockets are not supported on iOS or NaCl.
 enable_unix_sockets = is_posix && !is_ios && !is_nacl
@@ -55,6 +51,18 @@ enable_python_utils =
 # won't get either.
 use_remote_test_server = !enable_python_utils && !is_ios
 
+# Whether //net should use an external GSSAPI library for implementing HTTP
+# Negotiate authentication. All platforms for which use_kerberos is true should
+# have some external implementation since //net doesn't have intrinsic support
+# for Kerberos. This implementation is an external GSSAPI library on all
+# platforms except on:
+#
+#    Windows : Uses SSPI for Negotiate authentication.
+#
+#    Android : Uses an external authenticator. See
+#              https://www.chromium.org/developers/design-documents/http-authentication/writing-a-spnego-authenticator-for-chrome-on-android
+use_external_gssapi = use_kerberos && !is_android && !is_win
+
 config("net_test_config") {
   if (use_remote_test_server) {
     defines = [ "USE_REMOTE_TEST_SERVER" ]
@@ -72,15 +80,14 @@ buildflag_header("buildflags") {
     "ENABLE_WEBSOCKETS=$enable_websockets",
     "INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST=$include_transport_security_state_preload_list",
     "USE_KERBEROS=$use_kerberos",
+    "USE_EXTERNAL_GSSAPI=$use_external_gssapi",
     "TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED=$trial_comparison_cert_verifier_supported",
+    "BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED=$builtin_cert_verifier_feature_supported",
   ]
 }
 
 config("net_internal_config") {
-  defines = [
-    "DLOPEN_KERBEROS",
-    "NET_IMPLEMENTATION",
-  ]
+  defines = [ "NET_IMPLEMENTATION" ]
 
   if (use_kerberos && is_android) {
     include_dirs = [ "/usr/include/kerberosV" ]
@@ -202,6 +209,8 @@ component("net") {
     "cert/internal/certificate_policies.h",
     "cert/internal/common_cert_errors.cc",
     "cert/internal/common_cert_errors.h",
+    "cert/internal/crl.cc",
+    "cert/internal/crl.h",
     "cert/internal/extended_key_usage.cc",
     "cert/internal/extended_key_usage.h",
     "cert/internal/general_names.cc",
@@ -305,11 +314,12 @@ component("net") {
     "log/net_log_entry.h",
     "log/net_log_event_type.h",
     "log/net_log_event_type_list.h",
-    "log/net_log_parameters_callback.h",
     "log/net_log_source.cc",
     "log/net_log_source.h",
     "log/net_log_source_type.h",
     "log/net_log_source_type_list.h",
+    "log/net_log_values.cc",
+    "log/net_log_values.h",
     "log/net_log_with_source.cc",
     "log/net_log_with_source.h",
     "socket/client_socket_handle.cc",
@@ -352,6 +362,7 @@ component("net") {
     "ssl/ssl_config_service.cc",
     "ssl/ssl_config_service.h",
     "ssl/ssl_connection_status_flags.h",
+    "ssl/ssl_handshake_details.h",
     "ssl/ssl_info.cc",
     "ssl/ssl_info.h",
     "ssl/ssl_key_logger.h",
@@ -491,6 +502,8 @@ component("net") {
       "base/network_interfaces_win.h",
       "base/network_isolation_key.cc",
       "base/network_isolation_key.h",
+      "base/network_notification_thread_mac.cc",
+      "base/network_notification_thread_mac.h",
       "base/platform_mime_util.h",
       "base/platform_mime_util_linux.cc",
       "base/platform_mime_util_mac.mm",
@@ -559,6 +572,7 @@ component("net") {
       "cert/ev_root_ca_metadata.h",
       "cert/internal/system_trust_store.cc",
       "cert/internal/system_trust_store.h",
+      "cert/internal/system_trust_store_nss.h",
       "cert/internal/trust_store_mac.cc",
       "cert/internal/trust_store_mac.h",
       "cert/internal/trust_store_nss.cc",
@@ -863,6 +877,8 @@ component("net") {
       "nqe/effective_connection_type_observer.h",
       "nqe/event_creator.cc",
       "nqe/event_creator.h",
+      "nqe/network_congestion_analyzer.cc",
+      "nqe/network_congestion_analyzer.h",
       "nqe/network_id.cc",
       "nqe/network_id.h",
       "nqe/network_qualities_prefs_manager.cc",
@@ -883,6 +899,7 @@ component("net") {
       "nqe/network_quality_store.h",
       "nqe/observation_buffer.cc",
       "nqe/observation_buffer.h",
+      "nqe/peer_to_peer_connections_count_observer.h",
       "nqe/rtt_throughput_estimates_observer.h",
       "nqe/socket_watcher.cc",
       "nqe/socket_watcher.h",
@@ -973,6 +990,7 @@ component("net") {
       "quic/network_connection.h",
       "quic/platform/impl/quic_aligned_impl.h",
       "quic/platform/impl/quic_arraysize_impl.h",
+      "quic/platform/impl/quic_bbr2_sender_impl.h",
       "quic/platform/impl/quic_bug_tracker_impl.h",
       "quic/platform/impl/quic_cert_utils_impl.h",
       "quic/platform/impl/quic_chromium_clock.cc",
@@ -991,8 +1009,6 @@ component("net") {
       "quic/platform/impl/quic_hostname_utils_impl.cc",
       "quic/platform/impl/quic_hostname_utils_impl.h",
       "quic/platform/impl/quic_iovec_impl.h",
-      "quic/platform/impl/quic_ip_address_impl.cc",
-      "quic/platform/impl/quic_ip_address_impl.h",
       "quic/platform/impl/quic_logging_impl.h",
       "quic/platform/impl/quic_macros_impl.h",
       "quic/platform/impl/quic_map_util_impl.h",
@@ -1200,8 +1216,6 @@ component("net") {
       "ssl/ssl_platform_key_util.cc",
       "ssl/ssl_platform_key_util.h",
       "ssl/ssl_platform_key_win.cc",
-      "ssl/test_ssl_private_key.cc",
-      "ssl/test_ssl_private_key.h",
       "ssl/threaded_ssl_private_key.cc",
       "ssl/threaded_ssl_private_key.h",
       "third_party/mozilla_security_manager/nsNSSCertificateDB.cpp",
@@ -1414,6 +1428,12 @@ component("net") {
       "third_party/quiche/src/quic/core/crypto/quic_hkdf.h",
       "third_party/quiche/src/quic/core/crypto/quic_random.cc",
       "third_party/quiche/src/quic/core/crypto/quic_random.h",
+      "third_party/quiche/src/quic/core/crypto/tls_client_connection.cc",
+      "third_party/quiche/src/quic/core/crypto/tls_client_connection.h",
+      "third_party/quiche/src/quic/core/crypto/tls_connection.cc",
+      "third_party/quiche/src/quic/core/crypto/tls_connection.h",
+      "third_party/quiche/src/quic/core/crypto/tls_server_connection.cc",
+      "third_party/quiche/src/quic/core/crypto/tls_server_connection.h",
       "third_party/quiche/src/quic/core/crypto/transport_parameters.cc",
       "third_party/quiche/src/quic/core/crypto/transport_parameters.h",
       "third_party/quiche/src/quic/core/frames/quic_ack_frame.cc",
@@ -1487,6 +1507,8 @@ component("net") {
       "third_party/quiche/src/quic/core/http/quic_spdy_stream.h",
       "third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.cc",
       "third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.h",
+      "third_party/quiche/src/quic/core/http/spdy_server_push_utils.cc",
+      "third_party/quiche/src/quic/core/http/spdy_server_push_utils.h",
       "third_party/quiche/src/quic/core/http/spdy_utils.cc",
       "third_party/quiche/src/quic/core/http/spdy_utils.h",
       "third_party/quiche/src/quic/core/legacy_quic_stream_id_manager.cc",
@@ -1516,8 +1538,12 @@ component("net") {
       "third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h",
       "third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc",
       "third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h",
-      "third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.cc",
-      "third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.h",
+      "third_party/quiche/src/quic/core/qpack/qpack_receive_stream.cc",
+      "third_party/quiche/src/quic/core/qpack/qpack_receive_stream.h",
+      "third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.cc",
+      "third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h",
+      "third_party/quiche/src/quic/core/qpack/qpack_send_stream.cc",
+      "third_party/quiche/src/quic/core/qpack/qpack_send_stream.h",
       "third_party/quiche/src/quic/core/qpack/qpack_static_table.cc",
       "third_party/quiche/src/quic/core/qpack/qpack_static_table.h",
       "third_party/quiche/src/quic/core/qpack/value_splitting_header_list.cc",
@@ -1637,6 +1663,7 @@ component("net") {
       "third_party/quiche/src/quic/core/uber_received_packet_manager.h",
       "third_party/quiche/src/quic/platform/api/quic_aligned.h",
       "third_party/quiche/src/quic/platform/api/quic_arraysize.h",
+      "third_party/quiche/src/quic/platform/api/quic_bbr2_sender.h",
       "third_party/quiche/src/quic/platform/api/quic_bug_tracker.h",
       "third_party/quiche/src/quic/platform/api/quic_cert_utils.h",
       "third_party/quiche/src/quic/platform/api/quic_client_stats.h",
@@ -1907,7 +1934,7 @@ component("net") {
       ]
     }
 
-    if (use_kerberos && ((is_posix && !is_android) || is_fuchsia)) {
+    if (use_external_gssapi) {
       sources += [
         "http/http_auth_gssapi_posix.cc",
         "http/http_auth_gssapi_posix.h",
@@ -1928,6 +1955,7 @@ component("net") {
 
     if (!use_nss_certs) {
       sources -= [
+        "cert/internal/system_trust_store_nss.h",
         "cert/internal/trust_store_nss.cc",
         "cert/internal/trust_store_nss.h",
         "cert/known_roots_nss.cc",
@@ -2401,29 +2429,27 @@ proto_library("net_quic_proto") {
   extra_configs = [ "//build/config/compiler:wexit_time_destructors" ]
 }
 
-if (!is_proto_quic) {
-  component("extras") {
-    sources = [
-      "extras/sqlite/cookie_crypto_delegate.h",
-      "extras/sqlite/sqlite_persistent_cookie_store.cc",
-      "extras/sqlite/sqlite_persistent_cookie_store.h",
-      "extras/sqlite/sqlite_persistent_store_backend_base.cc",
-      "extras/sqlite/sqlite_persistent_store_backend_base.h",
-    ]
-    defines = [ "IS_NET_EXTRAS_IMPL" ]
-    configs += [ "//build/config/compiler:wexit_time_destructors" ]
-    deps = [
-      ":net",
-      "//base",
-      "//sql:sql",
-    ]
+component("extras") {
+  sources = [
+    "extras/sqlite/cookie_crypto_delegate.h",
+    "extras/sqlite/sqlite_persistent_cookie_store.cc",
+    "extras/sqlite/sqlite_persistent_cookie_store.h",
+    "extras/sqlite/sqlite_persistent_store_backend_base.cc",
+    "extras/sqlite/sqlite_persistent_store_backend_base.h",
+  ]
+  defines = [ "IS_NET_EXTRAS_IMPL" ]
+  configs += [ "//build/config/compiler:wexit_time_destructors" ]
+  deps = [
+    ":net",
+    "//base",
+    "//sql:sql",
+  ]
 
-    if (enable_reporting) {
-      sources += [
-        "extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc",
-        "extras/sqlite/sqlite_persistent_reporting_and_nel_store.h",
-      ]
-    }
+  if (enable_reporting) {
+    sources += [
+      "extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc",
+      "extras/sqlite/sqlite_persistent_reporting_and_nel_store.h",
+    ]
   }
 }
 
@@ -2654,8 +2680,6 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/treadclimber.sctlist",
     "data/ssl/certificates/unescaped.pem",
     "data/ssl/certificates/unittest.key.bin",
-    "data/ssl/certificates/unittest.originbound.der",
-    "data/ssl/certificates/unittest.originbound.key.der",
     "data/ssl/certificates/unittest.selfsigned.der",
     "data/ssl/certificates/verisign_class3_g5_crosssigned-trusted.keychain",
     "data/ssl/certificates/verisign_class3_g5_crosssigned.pem",
@@ -2729,8 +2753,6 @@ static_library("test_support") {
     "http/transport_security_state_test_util.h",
     "log/test_net_log.cc",
     "log/test_net_log.h",
-    "log/test_net_log_entry.cc",
-    "log/test_net_log_entry.h",
     "log/test_net_log_util.cc",
     "log/test_net_log_util.h",
     "nqe/network_quality_estimator_test_util.cc",
@@ -2743,6 +2765,8 @@ static_library("test_support") {
     "proxy_resolution/mock_proxy_resolver.h",
     "proxy_resolution/proxy_config_service_common_unittest.cc",
     "proxy_resolution/proxy_config_service_common_unittest.h",
+    "quic/quic_test_packet_printer.cc",
+    "quic/quic_test_packet_printer.h",
     "socket/socket_test_util.cc",
     "socket/socket_test_util.h",
     "spdy/spdy_test_util_common.cc",
@@ -2751,6 +2775,8 @@ static_library("test_support") {
     "ssl/client_cert_identity_test_util.h",
     "ssl/ssl_private_key_test_util.cc",
     "ssl/ssl_private_key_test_util.h",
+    "ssl/test_ssl_private_key.cc",
+    "ssl/test_ssl_private_key.h",
     "test/cert_test_util.cc",
     "test/cert_test_util.h",
     "test/cert_test_util_nss.cc",
@@ -2925,8 +2951,6 @@ if (use_v8_in_net) {
       "proxy_resolution/proxy_resolver_v8.h",
       "proxy_resolution/proxy_resolver_v8_tracing.cc",
       "proxy_resolution/proxy_resolver_v8_tracing.h",
-      "proxy_resolution/proxy_resolver_v8_tracing_wrapper.cc",
-      "proxy_resolution/proxy_resolver_v8_tracing_wrapper.h",
     ]
 
     defines = [ "NET_IMPLEMENTATION" ]
@@ -3072,6 +3096,31 @@ if (!is_ios && !is_android) {
   }
 }
 
+if (use_external_gssapi) {
+  # In order for the tests to be reliable, these two targets cannot depend on a
+  # valid GSSAPI library. This is easy to achieve on most platforms. But on
+  # macOS care must be taken to not depend directly or indirectly on
+  # GSS.framework. This is suprisingly easy to get wrong since
+  # Security.framework is such a common dependency and it indirectly depends on
+  # GSS.
+  shared_library("test_gssapi") {
+    testonly = true
+    sources = [
+      "tools/gssapi/gss_import_name.cc",
+      "tools/gssapi/gss_methods.cc",
+      "tools/gssapi/gss_types.h",
+    ]
+  }
+
+  shared_library("test_badgssapi") {
+    testonly = true
+    sources = [
+      "tools/gssapi/gss_methods.cc",
+      "tools/gssapi/gss_types.h",
+    ]
+  }
+}
+
 if (is_linux || is_mac) {
   executable("cachetool") {
     testonly = true
@@ -3217,7 +3266,6 @@ if (is_android) {
       "android/java/src/org/chromium/net/ProxyChangeListener.java",
       "android/java/src/org/chromium/net/X509Util.java",
     ]
-    jni_package = "net"
   }
   generate_jni("net_test_jni_headers") {
     sources = [
@@ -3227,7 +3275,6 @@ if (is_android) {
       "test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticator.java",
       "test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java",
     ]
-    jni_package = "net/test"
   }
 }
 
@@ -3268,10 +3315,14 @@ source_set("spdy_test_tools") {
   sources = [
     "spdy/fuzzing/hpack_fuzz_util.cc",
     "spdy/fuzzing/hpack_fuzz_util.h",
+    "spdy/platform/impl/spdy_test_impl.h",
+    "third_party/quiche/src/spdy/platform/api/spdy_test.h",
   ]
   deps = [
     ":net",
     "//base",
+    "//testing/gmock",
+    "//testing/gtest",
   ]
 }
 
@@ -3683,6 +3734,72 @@ bundle_data("net_unittests_bundle_data") {
     "data/certificate_policies_unittest/policy_1_2_3_and_1_2_4_with_qualifiers.pem",
     "data/certificate_policies_unittest/policy_1_2_3_with_custom_qualifier.pem",
     "data/certificate_policies_unittest/policy_1_2_3_with_qualifier.pem",
+    "data/crl_unittest/bad_crldp_has_crlissuer.pem",
+    "data/crl_unittest/bad_fake_critical_crlentryextension.pem",
+    "data/crl_unittest/bad_fake_critical_extension.pem",
+    "data/crl_unittest/bad_idp_contains_wrong_uri.pem",
+    "data/crl_unittest/bad_idp_indirectcrl.pem",
+    "data/crl_unittest/bad_idp_onlycontainscacerts.pem",
+    "data/crl_unittest/bad_idp_onlycontainscacerts_no_basic_constraints.pem",
+    "data/crl_unittest/bad_idp_onlycontainsusercerts.pem",
+    "data/crl_unittest/bad_idp_uri_and_onlycontainscacerts.pem",
+    "data/crl_unittest/bad_idp_uri_and_onlycontainsusercerts.pem",
+    "data/crl_unittest/bad_key_rollover_signature.pem",
+    "data/crl_unittest/bad_nextupdate_too_old.pem",
+    "data/crl_unittest/bad_signature.pem",
+    "data/crl_unittest/bad_thisupdate_in_future.pem",
+    "data/crl_unittest/bad_thisupdate_too_old.pem",
+    "data/crl_unittest/bad_wrong_issuer.pem",
+    "data/crl_unittest/good.pem",
+    "data/crl_unittest/good_fake_extension.pem",
+    "data/crl_unittest/good_fake_extension_no_nextupdate.pem",
+    "data/crl_unittest/good_generalizedtime.pem",
+    "data/crl_unittest/good_idp_contains_uri.pem",
+    "data/crl_unittest/good_idp_onlycontainscacerts.pem",
+    "data/crl_unittest/good_idp_onlycontainsusercerts.pem",
+    "data/crl_unittest/good_idp_onlycontainsusercerts_no_basic_constraints.pem",
+    "data/crl_unittest/good_idp_uri_and_onlycontainscacerts.pem",
+    "data/crl_unittest/good_idp_uri_and_onlycontainsusercerts.pem",
+    "data/crl_unittest/good_issuer_name_normalization.pem",
+    "data/crl_unittest/good_issuer_no_keyusage.pem",
+    "data/crl_unittest/good_key_rollover.pem",
+    "data/crl_unittest/good_no_crldp.pem",
+    "data/crl_unittest/good_no_nextupdate.pem",
+    "data/crl_unittest/good_no_version.pem",
+    "data/crl_unittest/invalid_garbage_after_crlentryextensions.pem",
+    "data/crl_unittest/invalid_garbage_after_extensions.pem",
+    "data/crl_unittest/invalid_garbage_after_nextupdate.pem",
+    "data/crl_unittest/invalid_garbage_after_revocationdate.pem",
+    "data/crl_unittest/invalid_garbage_after_revokedcerts.pem",
+    "data/crl_unittest/invalid_garbage_after_signaturevalue.pem",
+    "data/crl_unittest/invalid_garbage_after_thisupdate.pem",
+    "data/crl_unittest/invalid_garbage_crlentry.pem",
+    "data/crl_unittest/invalid_garbage_issuer_name.pem",
+    "data/crl_unittest/invalid_garbage_revocationdate.pem",
+    "data/crl_unittest/invalid_garbage_revoked_serial_number.pem",
+    "data/crl_unittest/invalid_garbage_signaturealgorithm.pem",
+    "data/crl_unittest/invalid_garbage_signaturevalue.pem",
+    "data/crl_unittest/invalid_garbage_tbs_signature_algorithm.pem",
+    "data/crl_unittest/invalid_garbage_tbscertlist.pem",
+    "data/crl_unittest/invalid_garbage_thisupdate.pem",
+    "data/crl_unittest/invalid_garbage_version.pem",
+    "data/crl_unittest/invalid_idp_dpname_choice_extra_data.pem",
+    "data/crl_unittest/invalid_idp_empty_sequence.pem",
+    "data/crl_unittest/invalid_idp_onlycontains_user_and_ca_certs.pem",
+    "data/crl_unittest/invalid_idp_onlycontainsusercerts_v1_leaf.pem",
+    "data/crl_unittest/invalid_issuer_keyusage_no_crlsign.pem",
+    "data/crl_unittest/invalid_key_rollover_issuer_keyusage_no_crlsign.pem",
+    "data/crl_unittest/invalid_mismatched_signature_algorithm.pem",
+    "data/crl_unittest/invalid_revoked_empty_sequence.pem",
+    "data/crl_unittest/invalid_v1_explicit.pem",
+    "data/crl_unittest/invalid_v1_with_crlentryextension.pem",
+    "data/crl_unittest/invalid_v1_with_extension.pem",
+    "data/crl_unittest/invalid_v3.pem",
+    "data/crl_unittest/revoked.pem",
+    "data/crl_unittest/revoked_fake_crlentryextension.pem",
+    "data/crl_unittest/revoked_generalized_revocationdate.pem",
+    "data/crl_unittest/revoked_key_rollover.pem",
+    "data/crl_unittest/revoked_no_nextupdate.pem",
     "data/embedded_test_server/mock-headers-without-crlf.html",
     "data/embedded_test_server/mock-headers-without-crlf.html.mock-http-headers",
     "data/filter_unittests/google.br",
@@ -4963,6 +5080,7 @@ test("net_unittests") {
     "cert/internal/cert_issuer_source_static_unittest.cc",
     "cert/internal/cert_issuer_source_sync_unittest.h",
     "cert/internal/certificate_policies_unittest.cc",
+    "cert/internal/crl_unittest.cc",
     "cert/internal/extended_key_usage_unittest.cc",
     "cert/internal/general_names_unittest.cc",
     "cert/internal/name_constraints_unittest.cc",
@@ -4979,6 +5097,7 @@ test("net_unittests") {
     "cert/internal/revocation_util_unittest.cc",
     "cert/internal/signature_algorithm_unittest.cc",
     "cert/internal/simple_path_builder_delegate_unittest.cc",
+    "cert/internal/system_trust_store_nss_unittest.cc",
     "cert/internal/test_helpers.cc",
     "cert/internal/test_helpers.h",
     "cert/internal/trust_store_collection_unittest.cc",
@@ -5106,9 +5225,11 @@ test("net_unittests") {
     "log/net_log_capture_mode_unittest.cc",
     "log/net_log_unittest.cc",
     "log/net_log_util_unittest.cc",
+    "log/net_log_values_unittest.cc",
     "log/trace_net_log_observer_unittest.cc",
     "nqe/effective_connection_type_unittest.cc",
     "nqe/event_creator_unittest.cc",
+    "nqe/network_congestion_analyzer_unittest.cc",
     "nqe/network_id_unittest.cc",
     "nqe/network_qualities_prefs_manager_unittest.cc",
     "nqe/network_quality_estimator_params_unittest.cc",
@@ -5140,7 +5261,6 @@ test("net_unittests") {
     "proxy_resolution/proxy_list_unittest.cc",
     "proxy_resolution/proxy_resolution_service_unittest.cc",
     "proxy_resolution/proxy_resolver_v8_tracing_unittest.cc",
-    "proxy_resolution/proxy_resolver_v8_tracing_wrapper_unittest.cc",
     "proxy_resolution/proxy_resolver_v8_unittest.cc",
     "proxy_resolution/proxy_server_unittest.cc",
     "quic/bidirectional_stream_quic_impl_unittest.cc",
@@ -5373,6 +5493,7 @@ test("net_unittests") {
     "third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc",
     "third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer_test.cc",
     "third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc",
+    "third_party/quiche/src/quic/core/http/spdy_server_push_utils_test.cc",
     "third_party/quiche/src/quic/core/http/spdy_utils_test.cc",
     "third_party/quiche/src/quic/core/legacy_quic_stream_id_manager_test.cc",
     "third_party/quiche/src/quic/core/packet_number_indexed_queue_test.cc",
@@ -5386,8 +5507,10 @@ test("net_unittests") {
     "third_party/quiche/src/quic/core/qpack/qpack_header_table_test.cc",
     "third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder_test.cc",
     "third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc",
-    "third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder_test.cc",
+    "third_party/quiche/src/quic/core/qpack/qpack_receive_stream_test.cc",
+    "third_party/quiche/src/quic/core/qpack/qpack_required_insert_count_test.cc",
     "third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc",
+    "third_party/quiche/src/quic/core/qpack/qpack_send_stream_test.cc",
     "third_party/quiche/src/quic/core/qpack/qpack_static_table_test.cc",
     "third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc",
     "third_party/quiche/src/quic/core/quic_alarm_test.cc",
@@ -5511,6 +5634,7 @@ test("net_unittests") {
     "url_request/url_request_file_dir_job_unittest.cc",
     "url_request/url_request_file_job_unittest.cc",
     "url_request/url_request_filter_unittest.cc",
+    "url_request/url_request_ftp_job_unittest.cc",
     "url_request/url_request_http_job_unittest.cc",
     "url_request/url_request_job_factory_impl_unittest.cc",
     "url_request/url_request_job_unittest.cc",
@@ -5578,13 +5702,16 @@ test("net_unittests") {
   defines = []
 
   deps = [
+    ":extras",
     ":net",
+    ":preload_decoder",
     ":quic_test_tools",
     ":quiche_test_tools",
     ":simple_quic_tools",
     ":spdy_test_tools",
     ":test_support",
     "//base",
+    "//base:i18n",
     "//base/third_party/dynamic_annotations",
     "//crypto",
     "//crypto:platform",
@@ -5594,6 +5721,8 @@ test("net_unittests") {
     "//net/dns/public:tests",
     "//net/http:transport_security_state_unittest_data",
     "//net/http:transport_security_state_unittest_data_default",
+    "//net/tools/huffman_trie:huffman_trie_generator_sources",
+    "//sql",
     "//testing/gmock",
     "//testing/gtest",
     "//third_party/protobuf:protobuf_lite",
@@ -5631,20 +5760,10 @@ test("net_unittests") {
     ]
   }
 
-  if (!is_proto_quic) {
-    deps += [
-      ":extras",
-      "//base:i18n",
-      "//sql",
+  if (enable_reporting) {
+    sources += [
+      "extras/sqlite/sqlite_persistent_reporting_and_nel_store_unittest.cc",
     ]
-
-    if (enable_reporting) {
-      sources += [
-        "extras/sqlite/sqlite_persistent_reporting_and_nel_store_unittest.cc",
-      ]
-    }
-  } else {
-    sources -= [ "extras/sqlite/sqlite_persistent_cookie_store_unittest.cc" ]
   }
 
   data = []
@@ -5714,7 +5833,7 @@ test("net_unittests") {
     sources -= [ "proxy_resolution/proxy_config_service_linux_unittest.cc" ]
   }
 
-  if (!is_proto_quic && v8_use_external_startup_data) {
+  if (v8_use_external_startup_data) {
     deps += [ "//gin" ]
   }
 
@@ -5744,6 +5863,7 @@ test("net_unittests") {
 
   if (!use_nss_certs) {
     sources -= [
+      "cert/internal/system_trust_store_nss_unittest.cc",
       "cert/internal/trust_store_nss_unittest.cc",
       "cert/nss_cert_database_unittest.cc",
       "cert/x509_util_nss_unittest.cc",
@@ -5758,15 +5878,18 @@ test("net_unittests") {
     }
   }
 
-  # These are excluded on Android, because the actual Kerberos support, which
-  # these test, is in a separate app on Android.
-  if (use_kerberos && ((is_posix && !is_android) || is_fuchsia)) {
+  if (use_external_gssapi) {
     sources += [
       "http/http_auth_gssapi_posix_unittest.cc",
       "http/mock_gssapi_library_posix.cc",
       "http/mock_gssapi_library_posix.h",
     ]
+    data_deps += [
+      ":test_gssapi",
+      ":test_badgssapi",
+    ]
   }
+
   if (!use_kerberos) {
     sources -= [ "http/http_auth_handler_negotiate_unittest.cc" ]
   }
@@ -5824,6 +5947,7 @@ test("net_unittests") {
       "ftp/ftp_directory_listing_parser_windows_unittest.cc",
       "ftp/ftp_network_transaction_unittest.cc",
       "ftp/ftp_util_unittest.cc",
+      "url_request/url_request_ftp_job_unittest.cc",
     ]
   }
 
@@ -5836,7 +5960,6 @@ test("net_unittests") {
   } else {
     sources -= [
       "proxy_resolution/proxy_resolver_v8_tracing_unittest.cc",
-      "proxy_resolution/proxy_resolver_v8_tracing_wrapper_unittest.cc",
       "proxy_resolution/proxy_resolver_v8_unittest.cc",
     ]
   }
@@ -5981,7 +6104,7 @@ test("net_unittests") {
 }
 
 # !is_android && !is_win && !is_mac
-if (!is_ios && !is_proto_quic) {
+if (!is_ios) {
   # TODO(crbug.com/594965): this should be converted to "app" template and
   # enabled on iOS too.
   test("net_perftests") {
@@ -6222,6 +6345,50 @@ fuzzer_test("net_cert_verify_name_in_subtree_fuzzer") {
   ]
 }
 
+fuzzer_test("net_cert_crl_parse_crl_certificatelist_fuzzer") {
+  sources = [
+    "cert/internal/crl_parse_crl_certificatelist_fuzzer.cc",
+  ]
+  seed_corpus = "data/fuzzer_data/crl_parse_crl_certificatelist_fuzzer"
+  deps = [
+    "//base",
+    "//net",
+  ]
+}
+
+fuzzer_test("net_cert_crl_parse_crl_tbscertlist_fuzzer") {
+  sources = [
+    "cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc",
+  ]
+  seed_corpus = "data/fuzzer_data/crl_parse_crl_tbscertlist_fuzzer"
+  deps = [
+    "//base",
+    "//net",
+  ]
+}
+
+fuzzer_test("net_cert_crl_parse_issuing_distribution_point_fuzzer") {
+  sources = [
+    "cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc",
+  ]
+  seed_corpus = "data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer"
+  deps = [
+    "//base",
+    "//net",
+  ]
+}
+
+fuzzer_test("net_cert_crl_getcrlstatusforcert_fuzzer") {
+  sources = [
+    "cert/internal/crl_getcrlstatusforcert_fuzzer.cc",
+  ]
+  seed_corpus = "data/fuzzer_data/crl_getcrlstatusforcert_fuzzer"
+  deps = [
+    "//base",
+    "//net",
+  ]
+}
+
 fuzzer_test("net_cert_ocsp_parse_ocsp_cert_id_fuzzer") {
   sources = [
     "cert/internal/ocsp_parse_ocsp_cert_id_fuzzer.cc",
@@ -6276,6 +6443,17 @@ fuzzer_test("net_cert_parse_certificate_fuzzer") {
   ]
 }
 
+fuzzer_test("net_canonical_cookie_fuzzer") {
+  sources = [
+    "cookies/canonical_cookie_fuzzer.cc",
+  ]
+  deps = [
+    ":net_fuzzer_test_support",
+    "//net",
+  ]
+  seed_corpus = "data/fuzzer_data/net_canonical_cookie_fuzzer/"
+}
+
 fuzzer_test("net_parse_cookie_line_fuzzer") {
   sources = [
     "cookies/parse_cookie_line_fuzzer.cc",
@@ -6342,6 +6520,19 @@ fuzzer_test("net_gzip_source_stream_fuzzer") {
   ]
 }
 
+fuzzer_test("net_crl_set_fuzzer") {
+  sources = [
+    "cert/crl_set_fuzzer.cc",
+  ]
+  deps = [
+    ":net_fuzzer_test_support",
+    ":test_support",
+    "//base",
+    "//net",
+  ]
+  seed_corpus = "data/fuzzer_data/net_crl_set_fuzzer/"
+}
+
 if (!disable_ftp_support) {
   fuzzer_test("net_ftp_ctrl_response_fuzzer") {
     sources = [
diff --git a/chromium/net/DEPS b/chromium/net/DEPS
index df77e036579..5b608efb487 100644
--- a/chromium/net/DEPS
+++ b/chromium/net/DEPS
@@ -1,8 +1,8 @@
 include_rules = [
   "+crypto",
   "+gin",
-  "+jni",
   "+mojo/public",
+  "+net/net_jni_headers",
   "+third_party/apple_apsl",
   "+third_party/boringssl/src/include",
   "+third_party/nss",
@@ -69,9 +69,10 @@ specific_include_rules = {
     "+base/i18n",
   ],
 
-  # Needed for fuzz targets written using libprotobuf-mutator library.
+  # Dependencies specific for fuzz targets and other fuzzing-related code.
   ".*fuzz.*": [
-    "+third_party/libprotobuf-mutator",
+    "+third_party/libFuzzer/src/utils",  # This contains FuzzedDataProvider.
+    "+third_party/libprotobuf-mutator",  # This is needed for LPM-based fuzzers.
   ]
 }
 
diff --git a/chromium/net/OWNERS b/chromium/net/OWNERS
index 08065b9bea3..b2ff564f4f2 100644
--- a/chromium/net/OWNERS
+++ b/chromium/net/OWNERS
@@ -6,7 +6,6 @@ ericorth@chromium.org
 eroman@chromium.org
 jkarlin@chromium.org
 mattm@chromium.org
-mef@chromium.org
 mmenke@chromium.org
 morlovich@chromium.org
 nharper@chromium.org
diff --git a/chromium/net/android/android_http_util.cc b/chromium/net/android/android_http_util.cc
index fa4f64f1902..83f8831548f 100644
--- a/chromium/net/android/android_http_util.cc
+++ b/chromium/net/android/android_http_util.cc
@@ -3,8 +3,8 @@
 // found in the LICENSE file.
 
 #include "base/android/jni_string.h"
-#include "jni/HttpUtil_jni.h"
 #include "net/http/http_util.h"
+#include "net/net_jni_headers/HttpUtil_jni.h"
 #include "url/gurl.h"
 
 using base::android::JavaParamRef;
diff --git a/chromium/net/android/cellular_signal_strength.cc b/chromium/net/android/cellular_signal_strength.cc
index 32424618651..35254402a9e 100644
--- a/chromium/net/android/cellular_signal_strength.cc
+++ b/chromium/net/android/cellular_signal_strength.cc
@@ -4,7 +4,7 @@
 
 #include "net/android/cellular_signal_strength.h"
 
-#include "jni/AndroidCellularSignalStrength_jni.h"
+#include "net/net_jni_headers/AndroidCellularSignalStrength_jni.h"
 
 namespace net {
 
diff --git a/chromium/net/android/cert_verify_result_android.cc b/chromium/net/android/cert_verify_result_android.cc
index eff90d8beca..39655b60571 100644
--- a/chromium/net/android/cert_verify_result_android.cc
+++ b/chromium/net/android/cert_verify_result_android.cc
@@ -6,7 +6,7 @@
 
 #include "base/android/jni_android.h"
 #include "base/android/jni_array.h"
-#include "jni/AndroidCertVerifyResult_jni.h"
+#include "net/net_jni_headers/AndroidCertVerifyResult_jni.h"
 
 using base::android::AttachCurrentThread;
 using base::android::JavaArrayOfByteArrayToStringVector;
diff --git a/chromium/net/android/dummy_spnego_authenticator.cc b/chromium/net/android/dummy_spnego_authenticator.cc
index b251f6f1bb3..7ff2ca11cc5 100644
--- a/chromium/net/android/dummy_spnego_authenticator.cc
+++ b/chromium/net/android/dummy_spnego_authenticator.cc
@@ -6,7 +6,7 @@
 #include "base/android/jni_string.h"
 #include "base/base64.h"
 #include "base/stl_util.h"
-#include "net/test/jni/DummySpnegoAuthenticator_jni.h"
+#include "net/net_test_jni_headers/DummySpnegoAuthenticator_jni.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using base::android::JavaParamRef;
diff --git a/chromium/net/android/dummy_spnego_authenticator.h b/chromium/net/android/dummy_spnego_authenticator.h
index 5525c62e34d..ae51b0226d5 100644
--- a/chromium/net/android/dummy_spnego_authenticator.h
+++ b/chromium/net/android/dummy_spnego_authenticator.h
@@ -137,6 +137,9 @@ class DummySpnegoAuthenticator {
 };
 
 }  // namespace android
+
+using MockAuthLibrary = android::DummySpnegoAuthenticator;
+
 }  // namespace net
 
 #endif  // NET_ANDROID_DUMMY_SPNEGO_AUTHENTICATOR_H_
diff --git a/chromium/net/android/gurl_utils.cc b/chromium/net/android/gurl_utils.cc
index 68d65b3c5d3..764324ba4e8 100644
--- a/chromium/net/android/gurl_utils.cc
+++ b/chromium/net/android/gurl_utils.cc
@@ -3,7 +3,7 @@
 // found in the LICENSE file.
 
 #include "base/android/jni_string.h"
-#include "jni/GURLUtils_jni.h"
+#include "net/net_jni_headers/GURLUtils_jni.h"
 #include "url/gurl.h"
 
 using base::android::JavaParamRef;
diff --git a/chromium/net/android/http_auth_negotiate_android.cc b/chromium/net/android/http_auth_negotiate_android.cc
index e83f94baa6f..4beca169464 100644
--- a/chromium/net/android/http_auth_negotiate_android.cc
+++ b/chromium/net/android/http_auth_negotiate_android.cc
@@ -11,12 +11,13 @@
 #include "base/location.h"
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
-#include "jni/HttpNegotiateAuthenticator_jni.h"
 #include "net/base/auth.h"
 #include "net/base/net_errors.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_multi_round_parse.h"
 #include "net/http/http_auth_preferences.h"
+#include "net/log/net_log_with_source.h"
+#include "net/net_jni_headers/HttpNegotiateAuthenticator_jni.h"
 
 using base::android::AttachCurrentThread;
 using base::android::ConvertUTF8ToJavaString;
@@ -69,7 +70,7 @@ HttpAuthNegotiateAndroid::HttpAuthNegotiateAndroid(
 HttpAuthNegotiateAndroid::~HttpAuthNegotiateAndroid() {
 }
 
-bool HttpAuthNegotiateAndroid::Init() {
+bool HttpAuthNegotiateAndroid::Init(const NetLogWithSource& net_log) {
   return true;
 }
 
@@ -92,11 +93,22 @@ HttpAuth::AuthorizationResult HttpAuthNegotiateAndroid::ParseChallenge(
                                        &decoded_auth_token);
 }
 
+int HttpAuthNegotiateAndroid::GenerateAuthTokenAndroid(
+    const AuthCredentials* credentials,
+    const std::string& spn,
+    const std::string& channel_bindings,
+    std::string* auth_token,
+    net::CompletionOnceCallback callback) {
+  return GenerateAuthToken(credentials, spn, channel_bindings, auth_token,
+                           NetLogWithSource(), std::move(callback));
+}
+
 int HttpAuthNegotiateAndroid::GenerateAuthToken(
     const AuthCredentials* credentials,
     const std::string& spn,
     const std::string& channel_bindings,
     std::string* auth_token,
+    const NetLogWithSource& net_log,
     net::CompletionOnceCallback callback) {
   if (GetAuthAndroidNegotiateAccountType().empty()) {
     // This can happen if there is a policy change, removing the account type,
diff --git a/chromium/net/android/http_auth_negotiate_android.h b/chromium/net/android/http_auth_negotiate_android.h
index 2bd89fc4d03..78e29a1bdc2 100644
--- a/chromium/net/android/http_auth_negotiate_android.h
+++ b/chromium/net/android/http_auth_negotiate_android.h
@@ -74,7 +74,7 @@ class NET_EXPORT_PRIVATE HttpAuthNegotiateAndroid
   ~HttpAuthNegotiateAndroid() override;
 
   // HttpNegotiateAuthSystem implementation:
-  bool Init() override;
+  bool Init(const NetLogWithSource& net_log) override;
   bool NeedsIdentity() const override;
   bool AllowsExplicitCredentials() const override;
   HttpAuth::AuthorizationResult ParseChallenge(
@@ -83,9 +83,20 @@ class NET_EXPORT_PRIVATE HttpAuthNegotiateAndroid
                         const std::string& spn,
                         const std::string& channel_bindings,
                         std::string* auth_token,
+                        const NetLogWithSource& net_log,
                         CompletionOnceCallback callback) override;
   void SetDelegation(HttpAuth::DelegationType delegation_type) override;
 
+  // Unlike the platform agnostic GenerateAuthToken(), the Android specific
+  // version doesn't require a NetLogWithSource. The call is made across service
+  // boundaries, so currently the goings-on within the GenerateAuthToken()
+  // handler is outside the scope of the NetLog.
+  int GenerateAuthTokenAndroid(const AuthCredentials* credentials,
+                               const std::string& spn,
+                               const std::string& channel_bindings,
+                               std::string* auth_token,
+                               CompletionOnceCallback callback);
+
   bool can_delegate() const { return can_delegate_; }
   void set_can_delegate(bool can_delegate) { can_delegate_ = can_delegate; }
 
diff --git a/chromium/net/android/http_auth_negotiate_android_unittest.cc b/chromium/net/android/http_auth_negotiate_android_unittest.cc
index 154084bf740..e88265d0f4d 100644
--- a/chromium/net/android/http_auth_negotiate_android_unittest.cc
+++ b/chromium/net/android/http_auth_negotiate_android_unittest.cc
@@ -11,6 +11,7 @@
 #include "net/base/test_completion_callback.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/mock_allow_http_auth_preferences.h"
+#include "net/log/net_log_with_source.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
@@ -32,12 +33,12 @@ TEST(HttpAuthNegotiateAndroidTest, GenerateAuthToken) {
   prefs.set_auth_android_negotiate_account_type(
       "org.chromium.test.DummySpnegoAuthenticator");
   HttpAuthNegotiateAndroid auth(&prefs);
-  EXPECT_TRUE(auth.Init());
+  EXPECT_TRUE(auth.Init(NetLogWithSource()));
 
   TestCompletionCallback callback;
-  EXPECT_EQ(OK, callback.GetResult(
-                    auth.GenerateAuthToken(nullptr, "Dummy", std::string(),
-                                           &auth_token, callback.callback())));
+  EXPECT_EQ(OK, callback.GetResult(auth.GenerateAuthToken(
+                    nullptr, "Dummy", std::string(), &auth_token,
+                    NetLogWithSource(), callback.callback())));
 
   EXPECT_EQ("Negotiate DummyToken", auth_token);
 
diff --git a/chromium/net/android/keystore.cc b/chromium/net/android/keystore.cc
index ce0aa7920d3..a3e577f3a02 100644
--- a/chromium/net/android/keystore.cc
+++ b/chromium/net/android/keystore.cc
@@ -10,7 +10,7 @@
 #include "base/android/jni_array.h"
 #include "base/android/jni_string.h"
 #include "base/logging.h"
-#include "jni/AndroidKeyStore_jni.h"
+#include "net/net_jni_headers/AndroidKeyStore_jni.h"
 
 using base::android::AttachCurrentThread;
 using base::android::ConvertJavaStringToUTF8;
diff --git a/chromium/net/android/network_change_notifier_android.cc b/chromium/net/android/network_change_notifier_android.cc
index bccdad11b93..db6cb73c559 100644
--- a/chromium/net/android/network_change_notifier_android.cc
+++ b/chromium/net/android/network_change_notifier_android.cc
@@ -72,7 +72,6 @@
 #include "base/task/task_traits.h"
 #include "base/threading/thread.h"
 #include "net/base/address_tracker_linux.h"
-#include "net/dns/dns_config_service_posix.h"
 
 namespace net {
 
@@ -100,8 +99,6 @@ class NetworkChangeNotifierAndroid::BlockingThreadObjects {
 
   void Init() {
     address_tracker_.Init();
-    dns_config_service_.WatchConfig(
-        base::Bind(&NetworkChangeNotifier::SetDnsConfig));
   }
 
   static void NotifyNetworkChangeNotifierObservers() {
@@ -110,7 +107,6 @@ class NetworkChangeNotifierAndroid::BlockingThreadObjects {
   }
 
  private:
-  internal::DnsConfigServicePosix dns_config_service_;
   // Used to detect tunnel state changes.
   internal::AddressTrackerLinux address_tracker_;
 
diff --git a/chromium/net/android/network_change_notifier_delegate_android.cc b/chromium/net/android/network_change_notifier_delegate_android.cc
index a659534549b..b5fbd2f0389 100644
--- a/chromium/net/android/network_change_notifier_delegate_android.cc
+++ b/chromium/net/android/network_change_notifier_delegate_android.cc
@@ -6,8 +6,8 @@
 
 #include "base/android/jni_array.h"
 #include "base/logging.h"
-#include "jni/NetworkChangeNotifier_jni.h"
 #include "net/android/network_change_notifier_android.h"
+#include "net/net_jni_headers/NetworkChangeNotifier_jni.h"
 
 using base::android::JavaParamRef;
 using base::android::JavaRef;
diff --git a/chromium/net/android/network_change_notifier_factory_android.cc b/chromium/net/android/network_change_notifier_factory_android.cc
index 64b9ca2a215..71269a83785 100644
--- a/chromium/net/android/network_change_notifier_factory_android.cc
+++ b/chromium/net/android/network_change_notifier_factory_android.cc
@@ -4,6 +4,7 @@
 
 #include "net/android/network_change_notifier_factory_android.h"
 
+#include "base/memory/ptr_util.h"
 #include "net/android/network_change_notifier_android.h"
 #include "net/android/network_change_notifier_delegate_android.h"
 
@@ -13,8 +14,9 @@ NetworkChangeNotifierFactoryAndroid::NetworkChangeNotifierFactoryAndroid() {}
 
 NetworkChangeNotifierFactoryAndroid::~NetworkChangeNotifierFactoryAndroid() {}
 
-NetworkChangeNotifier* NetworkChangeNotifierFactoryAndroid::CreateInstance() {
-  return new NetworkChangeNotifierAndroid(&delegate_);
+std::unique_ptr<NetworkChangeNotifier>
+NetworkChangeNotifierFactoryAndroid::CreateInstance() {
+  return base::WrapUnique(new NetworkChangeNotifierAndroid(&delegate_));
 }
 
 }  // namespace net
diff --git a/chromium/net/android/network_change_notifier_factory_android.h b/chromium/net/android/network_change_notifier_factory_android.h
index 17eb11bc525..db982e86c10 100644
--- a/chromium/net/android/network_change_notifier_factory_android.h
+++ b/chromium/net/android/network_change_notifier_factory_android.h
@@ -29,7 +29,7 @@ class NET_EXPORT NetworkChangeNotifierFactoryAndroid :
   ~NetworkChangeNotifierFactoryAndroid() override;
 
   // NetworkChangeNotifierFactory:
-  NetworkChangeNotifier* CreateInstance() override;
+  std::unique_ptr<NetworkChangeNotifier> CreateInstance() override;
 
  private:
   // Delegate passed to the instances created by this class.
diff --git a/chromium/net/android/network_library.cc b/chromium/net/android/network_library.cc
index 41665c43481..6ed1e80958c 100644
--- a/chromium/net/android/network_library.cc
+++ b/chromium/net/android/network_library.cc
@@ -9,8 +9,8 @@
 #include "base/android/jni_string.h"
 #include "base/android/scoped_java_ref.h"
 #include "base/logging.h"
-#include "jni/AndroidNetworkLibrary_jni.h"
 #include "net/dns/public/dns_protocol.h"
+#include "net/net_jni_headers/AndroidNetworkLibrary_jni.h"
 
 using base::android::AttachCurrentThread;
 using base::android::ConvertJavaStringToUTF8;
diff --git a/chromium/net/android/traffic_stats.cc b/chromium/net/android/traffic_stats.cc
index e690974e154..48cdcd25751 100644
--- a/chromium/net/android/traffic_stats.cc
+++ b/chromium/net/android/traffic_stats.cc
@@ -4,7 +4,7 @@
 
 #include "net/android/traffic_stats.h"
 
-#include "jni/AndroidTrafficStats_jni.h"
+#include "net/net_jni_headers/AndroidTrafficStats_jni.h"
 
 namespace net {
 
diff --git a/chromium/net/android/unittest_support/AndroidManifest.xml b/chromium/net/android/unittest_support/AndroidManifest.xml
index e9175e9fb48..7f34abc3629 100644
--- a/chromium/net/android/unittest_support/AndroidManifest.xml
+++ b/chromium/net/android/unittest_support/AndroidManifest.xml
@@ -10,7 +10,6 @@ found in the LICENSE file.
       android:versionCode="1"
       android:versionName="1.0">
 
-    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="23" />
     <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
     <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
     <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
diff --git a/chromium/net/base/address_list.cc b/chromium/net/base/address_list.cc
index 20a6d3d4cc0..94eea32bf5d 100644
--- a/chromium/net/base/address_list.cc
+++ b/chromium/net/base/address_list.cc
@@ -15,23 +15,6 @@
 
 namespace net {
 
-namespace {
-
-base::Value NetLogAddressListCallback(const AddressList* address_list,
-                                      NetLogCaptureMode capture_mode) {
-  base::Value dict(base::Value::Type::DICTIONARY);
-  base::Value list(base::Value::Type::LIST);
-
-  for (const auto& ip_endpoint : *address_list)
-    list.GetList().emplace_back(ip_endpoint.ToString());
-
-  dict.SetKey("address_list", std::move(list));
-  dict.SetStringKey("canonical_name", address_list->canonical_name());
-  return dict;
-}
-
-}  // namespace
-
 AddressList::AddressList() = default;
 
 AddressList::AddressList(const AddressList&) = default;
@@ -91,8 +74,16 @@ void AddressList::SetDefaultCanonicalName() {
   set_canonical_name(front().ToStringWithoutPort());
 }
 
-NetLogParametersCallback AddressList::CreateNetLogCallback() const {
-  return base::Bind(&NetLogAddressListCallback, this);
+base::Value AddressList::NetLogParams() const {
+  base::Value dict(base::Value::Type::DICTIONARY);
+  base::Value list(base::Value::Type::LIST);
+
+  for (const auto& ip_endpoint : *this)
+    list.GetList().emplace_back(ip_endpoint.ToString());
+
+  dict.SetKey("address_list", std::move(list));
+  dict.SetStringKey("canonical_name", canonical_name());
+  return dict;
 }
 
 }  // namespace net
diff --git a/chromium/net/base/address_list.h b/chromium/net/base/address_list.h
index 9b4a6741856..1baf593701d 100644
--- a/chromium/net/base/address_list.h
+++ b/chromium/net/base/address_list.h
@@ -13,10 +13,13 @@
 #include "base/compiler_specific.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_export.h"
-#include "net/log/net_log_parameters_callback.h"
 
 struct addrinfo;
 
+namespace base {
+class Value;
+}
+
 namespace net {
 
 class IPAddress;
@@ -52,10 +55,9 @@ class NET_EXPORT AddressList {
   // Sets canonical name to the literal of the first IP address on the list.
   void SetDefaultCanonicalName();
 
-  // Creates a callback for use with the NetLog that returns a Value
-  // representation of the address list.  The callback must be destroyed before
-  // |this| is.
-  NetLogParametersCallback CreateNetLogCallback() const;
+  // Creates a value representation of the address list, appropriate for
+  // inclusion in a NetLog.
+  base::Value NetLogParams() const;
 
   using iterator = std::vector<IPEndPoint>::iterator;
   using const_iterator = std::vector<IPEndPoint>::const_iterator;
diff --git a/chromium/net/base/cache_type.h b/chromium/net/base/cache_type.h
index 23995948c69..f7eb3a140f2 100644
--- a/chromium/net/base/cache_type.h
+++ b/chromium/net/base/cache_type.h
@@ -9,14 +9,16 @@ namespace net {
 
 // The types of caches that can be created.
 enum CacheType {
-  DISK_CACHE,            // Disk is used as the backing storage.
-  MEMORY_CACHE,          // Data is stored only in memory.
-  MEDIA_CACHE,           // Optimized to handle media files.
-  APP_CACHE,             // Backing store for an AppCache.
-  SHADER_CACHE,          // Backing store for the GL shader cache.
-  PNACL_CACHE,           // Backing store the PNaCl translation cache
-  GENERATED_CODE_CACHE,  // Backing store for data (like code for JavaScript)
-                         // generated by renderer.
+  DISK_CACHE,                 // Disk is used as the backing storage.
+  MEMORY_CACHE,               // Data is stored only in memory.
+  MEDIA_CACHE,                // Optimized to handle media files.
+  APP_CACHE,                  // Backing store for an AppCache.
+  SHADER_CACHE,               // Backing store for the GL shader cache.
+  PNACL_CACHE,                // Backing store the PNaCl translation cache
+  GENERATED_BYTE_CODE_CACHE,  // Backing store for renderer generated data like
+                              // bytecode for JavaScript.
+  GENERATED_NATIVE_CODE_CACHE,  // Backing store for renderer generated data
+                                // like native code for WebAssembly.
 };
 
 // The types of disk cache backend, only used at backend instantiation.
diff --git a/chromium/net/base/chunked_upload_data_stream.cc b/chromium/net/base/chunked_upload_data_stream.cc
index f7e2a66f473..f4db7d73a60 100644
--- a/chromium/net/base/chunked_upload_data_stream.cc
+++ b/chromium/net/base/chunked_upload_data_stream.cc
@@ -31,8 +31,7 @@ ChunkedUploadDataStream::ChunkedUploadDataStream(int64_t identifier)
       read_index_(0),
       read_offset_(0),
       all_data_appended_(false),
-      read_buffer_len_(0),
-      weak_factory_(this) {}
+      read_buffer_len_(0) {}
 
 ChunkedUploadDataStream::~ChunkedUploadDataStream() = default;
 
diff --git a/chromium/net/base/chunked_upload_data_stream.h b/chromium/net/base/chunked_upload_data_stream.h
index 65da00deae0..50f644f94bf 100644
--- a/chromium/net/base/chunked_upload_data_stream.h
+++ b/chromium/net/base/chunked_upload_data_stream.h
@@ -98,7 +98,7 @@ class NET_EXPORT ChunkedUploadDataStream : public UploadDataStream {
   scoped_refptr<IOBuffer> read_buffer_;
   int read_buffer_len_;
 
-  base::WeakPtrFactory<ChunkedUploadDataStream> weak_factory_;
+  base::WeakPtrFactory<ChunkedUploadDataStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ChunkedUploadDataStream);
 };
diff --git a/chromium/net/base/elements_upload_data_stream.cc b/chromium/net/base/elements_upload_data_stream.cc
index 9465b746162..5cc6590811f 100644
--- a/chromium/net/base/elements_upload_data_stream.cc
+++ b/chromium/net/base/elements_upload_data_stream.cc
@@ -19,8 +19,7 @@ ElementsUploadDataStream::ElementsUploadDataStream(
     : UploadDataStream(false, identifier),
       element_readers_(std::move(element_readers)),
       element_index_(0),
-      read_error_(OK),
-      weak_ptr_factory_(this) {}
+      read_error_(OK) {}
 
 ElementsUploadDataStream::~ElementsUploadDataStream() = default;
 
diff --git a/chromium/net/base/elements_upload_data_stream.h b/chromium/net/base/elements_upload_data_stream.h
index 4ad404897fe..ba8f9457e7c 100644
--- a/chromium/net/base/elements_upload_data_stream.h
+++ b/chromium/net/base/elements_upload_data_stream.h
@@ -80,7 +80,7 @@ class NET_EXPORT ElementsUploadDataStream : public UploadDataStream {
   // Set to actual error if read fails, otherwise set to net::OK.
   int read_error_;
 
-  base::WeakPtrFactory<ElementsUploadDataStream> weak_ptr_factory_;
+  base::WeakPtrFactory<ElementsUploadDataStream> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ElementsUploadDataStream);
 };
diff --git a/chromium/net/base/expiring_cache_unittest.cc b/chromium/net/base/expiring_cache_unittest.cc
index f1414f90656..1f3c5d38073 100644
--- a/chromium/net/base/expiring_cache_unittest.cc
+++ b/chromium/net/base/expiring_cache_unittest.cc
@@ -119,16 +119,16 @@ TEST(ExpiringCacheTest, Compact) {
   }
   EXPECT_EQ(10U, cache.size());
 
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid0"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid1"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid2"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid3"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid4"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "expired0"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "expired1"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "expired2"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "negative0"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "negative1"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid0"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid1"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid2"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid3"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid4"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "expired0"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "expired1"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "expired2"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "negative0"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "negative1"));
 
   // Shrink the new max constraints bound and compact. The "negative" and
   // "expired" entries should be dropped.
@@ -136,16 +136,16 @@ TEST(ExpiringCacheTest, Compact) {
   cache.Compact(now);
   EXPECT_EQ(5U, cache.size());
 
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid0"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid1"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid2"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid3"));
-  EXPECT_TRUE(base::ContainsKey(cache.entries_, "valid4"));
-  EXPECT_FALSE(base::ContainsKey(cache.entries_, "expired0"));
-  EXPECT_FALSE(base::ContainsKey(cache.entries_, "expired1"));
-  EXPECT_FALSE(base::ContainsKey(cache.entries_, "expired2"));
-  EXPECT_FALSE(base::ContainsKey(cache.entries_, "negative0"));
-  EXPECT_FALSE(base::ContainsKey(cache.entries_, "negative1"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid0"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid1"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid2"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid3"));
+  EXPECT_TRUE(base::Contains(cache.entries_, "valid4"));
+  EXPECT_FALSE(base::Contains(cache.entries_, "expired0"));
+  EXPECT_FALSE(base::Contains(cache.entries_, "expired1"));
+  EXPECT_FALSE(base::Contains(cache.entries_, "expired2"));
+  EXPECT_FALSE(base::Contains(cache.entries_, "negative0"));
+  EXPECT_FALSE(base::Contains(cache.entries_, "negative1"));
 
   // Shrink further -- this time the compact will start dropping valid entries
   // to make space.
diff --git a/chromium/net/base/features.cc b/chromium/net/base/features.cc
index ae53c907147..6bc86e560f0 100644
--- a/chromium/net/base/features.cc
+++ b/chromium/net/base/features.cc
@@ -7,28 +7,14 @@
 namespace net {
 namespace features {
 
-// Toggles the `Accept-Language` HTTP request header, which
-// https://github.com/WICG/lang-client-hint proposes that we deprecate.
 const base::Feature kAcceptLanguageHeader{"AcceptLanguageHeader",
                                           base::FEATURE_ENABLED_BY_DEFAULT};
 
 const base::Feature kCapRefererHeaderLength = {
-    "CapRefererHeaderLength", base::FEATURE_DISABLED_BY_DEFAULT};
+    "CapRefererHeaderLength", base::FEATURE_ENABLED_BY_DEFAULT};
 const base::FeatureParam<int> kMaxRefererHeaderLength = {
     &kCapRefererHeaderLength, "MaxRefererHeaderLength", 4096};
 
-// Uses a site isolated code cache that is keyed on the resource url and the
-// origin lock of the renderer that is requesting the resource. The requests
-// to site-isolated code cache are handled by the content/GeneratedCodeCache
-// When this flag is enabled, the metadata field of the HttpCache is unused.
-const base::Feature kIsolatedCodeCache = {"IsolatedCodeCache",
-                                          base::FEATURE_ENABLED_BY_DEFAULT};
-
-// Enables the additional TLS 1.3 server-random-based downgrade protection
-// described in https://tools.ietf.org/html/rfc8446#section-4.1.3
-//
-// This is a MUST-level requirement of TLS 1.3, but has compatibility issues
-// with some buggy non-compliant TLS-terminating proxies.
 const base::Feature kEnforceTLS13Downgrade{"EnforceTLS13Downgrade",
                                            base::FEATURE_ENABLED_BY_DEFAULT};
 
@@ -38,13 +24,17 @@ const base::Feature kEnableTLS13EarlyData{"EnableTLS13EarlyData",
 const base::Feature kNetworkQualityEstimator{"NetworkQualityEstimator",
                                              base::FEATURE_DISABLED_BY_DEFAULT};
 
-const base::Feature kSplitCacheByTopFrameOrigin{
-    "SplitCacheByTopFrameOrigin", base::FEATURE_DISABLED_BY_DEFAULT};
+const base::Feature kSplitCacheByNetworkIsolationKey{
+    "SplitCacheByNetworkIsolationKey", base::FEATURE_DISABLED_BY_DEFAULT};
 
 const base::Feature kPartitionConnectionsByNetworkIsolationKey{
     "PartitionConnectionsByNetworkIsolationKey",
     base::FEATURE_DISABLED_BY_DEFAULT};
 
+const base::Feature kPartitionSSLSessionsByNetworkIsolationKey{
+    "PartitionSSLSessionsByNetworkIsolationKey",
+    base::FEATURE_DISABLED_BY_DEFAULT};
+
 const base::Feature kTLS13KeyUpdate{"TLS13KeyUpdate",
                                     base::FEATURE_DISABLED_BY_DEFAULT};
 
@@ -60,5 +50,14 @@ const base::Feature kSameSiteByDefaultCookies{
 const base::Feature kCookiesWithoutSameSiteMustBeSecure{
     "CookiesWithoutSameSiteMustBeSecure", base::FEATURE_DISABLED_BY_DEFAULT};
 
+#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
+const base::Feature kCertVerifierBuiltinFeature{
+    "CertVerifierBuiltin", base::FEATURE_DISABLED_BY_DEFAULT};
+#endif
+
+const base::Feature kAppendFrameOriginToNetworkIsolationKey{
+    "AppendFrameOriginToNetworkIsolationKey",
+    base::FEATURE_DISABLED_BY_DEFAULT};
+
 }  // namespace features
 }  // namespace net
diff --git a/chromium/net/base/features.h b/chromium/net/base/features.h
index 00856023cc4..3e2bd969f1a 100644
--- a/chromium/net/base/features.h
+++ b/chromium/net/base/features.h
@@ -8,6 +8,7 @@
 #include "base/feature_list.h"
 #include "base/metrics/field_trial_params.h"
 #include "net/base/net_export.h"
+#include "net/net_buildflags.h"
 
 namespace net {
 namespace features {
@@ -21,12 +22,6 @@ NET_EXPORT extern const base::Feature kAcceptLanguageHeader;
 NET_EXPORT extern const base::Feature kCapRefererHeaderLength;
 NET_EXPORT extern const base::FeatureParam<int> kMaxRefererHeaderLength;
 
-// Uses a site isolated code cache that is keyed on the resource url and the
-// origin lock of the renderer that is requesting the resource. The requests
-// to site-isolated code cache are handled by the content/GeneratedCodeCache
-// When this flag is enabled, the metadata field of the HttpCache is unused.
-NET_EXPORT extern const base::Feature kIsolatedCodeCache;
-
 // Enables the additional TLS 1.3 server-random-based downgrade protection
 // described in https://tools.ietf.org/html/rfc8446#section-4.1.3
 //
@@ -41,14 +36,23 @@ NET_EXPORT extern const base::Feature kEnableTLS13EarlyData;
 // quality estimator (NQE).
 NET_EXPORT extern const base::Feature kNetworkQualityEstimator;
 
-// Splits cache entries by the request's top frame's origin if one is available.
-NET_EXPORT extern const base::Feature kSplitCacheByTopFrameOrigin;
+// Splits cache entries by the request's network isolation key if one is
+// available.
+NET_EXPORT extern const base::Feature kSplitCacheByNetworkIsolationKey;
 
 // Partitions connections based on the NetworkIsolationKey associated with a
 // request.
 NET_EXPORT extern const base::Feature
     kPartitionConnectionsByNetworkIsolationKey;
 
+// Partitions TLS sessions and QUIC server configs based on the
+// NetworkIsolationKey associated with a request.
+//
+// This feature requires kPartitionConnectionsByNetworkIsolationKey to be
+// enabled to work.
+NET_EXPORT extern const base::Feature
+    kPartitionSSLSessionsByNetworkIsolationKey;
+
 // Enables sending TLS 1.3 Key Update messages on TLS 1.3 connections in order
 // to ensure that this corner of the spec is exercised. This is currently
 // disabled by default because we discovered incompatibilities with some
@@ -74,6 +78,13 @@ NET_EXPORT extern const base::Feature kSameSiteByDefaultCookies;
 // SameSiteByDefaultCookies is also enabled.
 NET_EXPORT extern const base::Feature kCookiesWithoutSameSiteMustBeSecure;
 
+#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
+// When enabled, use the builtin cert verifier instead of the platform verifier.
+NET_EXPORT extern const base::Feature kCertVerifierBuiltinFeature;
+#endif
+
+NET_EXPORT extern const base::Feature kAppendFrameOriginToNetworkIsolationKey;
+
 }  // namespace features
 }  // namespace net
 
diff --git a/chromium/net/base/file_stream_unittest.cc b/chromium/net/base/file_stream_unittest.cc
index e9cf586e671..34caefaa6ff 100644
--- a/chromium/net/base/file_stream_unittest.cc
+++ b/chromium/net/base/file_stream_unittest.cc
@@ -537,7 +537,6 @@ class TestWriteReadCompletionCallback {
           base::MakeRefCounted<IOBufferWithSize>(4);
       rv = stream_->Read(buf.get(), buf->size(), callback.callback());
       if (rv == ERR_IO_PENDING) {
-        base::MessageLoopCurrent::ScopedNestableTaskAllower allow;
         rv = callback.WaitForResult();
       }
       EXPECT_LE(0, rv);
@@ -574,7 +573,6 @@ class TestWriteReadCompletionCallback {
       EXPECT_THAT(stream_->Seek(0, callback64.callback()),
                   IsError(ERR_IO_PENDING));
       {
-        base::MessageLoopCurrent::ScopedNestableTaskAllower allow;
         EXPECT_LE(0, callback64.WaitForResult());
       }
     }
diff --git a/chromium/net/base/filename_util_internal.cc b/chromium/net/base/filename_util_internal.cc
index 46dc33aaaf8..b8ce2e01b35 100644
--- a/chromium/net/base/filename_util_internal.cc
+++ b/chromium/net/base/filename_util_internal.cc
@@ -55,7 +55,7 @@ base::FilePath::StringType GetCorrectedExtensionUnsafe(
   // "foo.jpg" to "foo.jpeg".
   std::vector<base::FilePath::StringType> all_mime_extensions;
   GetExtensionsForMimeType(mime_type, &all_mime_extensions);
-  if (base::ContainsValue(all_mime_extensions, extension))
+  if (base::Contains(all_mime_extensions, extension))
     return extension;
 
   // Get the "final" extension. In most cases, this is the same as the
@@ -69,7 +69,7 @@ base::FilePath::StringType GetCorrectedExtensionUnsafe(
   // If there's a double extension, and the second extension is in the
   // list of valid extensions for the given type, keep the double extension.
   // This avoids renaming things like "foo.tar.gz" to "foo.gz".
-  if (base::ContainsValue(all_mime_extensions, final_extension))
+  if (base::Contains(all_mime_extensions, final_extension))
     return extension;
   return preferred_mime_extension;
 }
diff --git a/chromium/net/base/logging_network_change_observer.cc b/chromium/net/base/logging_network_change_observer.cc
index 5ca13b70189..e408f526c0f 100644
--- a/chromium/net/base/logging_network_change_observer.cc
+++ b/chromium/net/base/logging_network_change_observer.cc
@@ -38,9 +38,8 @@ int HumanReadableNetworkHandle(NetworkChangeNotifier::NetworkHandle network) {
 // Return a dictionary of values that provide information about a
 // network-specific change. This also includes relevant current state
 // like the default network, and the types of active networks.
-base::Value NetworkSpecificNetLogCallback(
-    NetworkChangeNotifier::NetworkHandle network,
-    NetLogCaptureMode capture_mode) {
+base::Value NetworkSpecificNetLogParams(
+    NetworkChangeNotifier::NetworkHandle network) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("changed_network_handle", HumanReadableNetworkHandle(network));
   dict.SetStringKey(
@@ -62,6 +61,16 @@ base::Value NetworkSpecificNetLogCallback(
   return dict;
 }
 
+void NetLogNetworkSpecific(NetLog* net_log,
+                           NetLogEventType type,
+                           NetworkChangeNotifier::NetworkHandle network) {
+  if (!net_log)
+    return;
+
+  net_log->AddGlobalEntry(type,
+                          [&] { return NetworkSpecificNetLogParams(network); });
+}
+
 }  // namespace
 
 LoggingNetworkChangeObserver::LoggingNetworkChangeObserver(NetLog* net_log)
@@ -95,9 +104,9 @@ void LoggingNetworkChangeObserver::OnConnectionTypeChanged(
   VLOG(1) << "Observed a change to network connectivity state "
           << type_as_string;
 
-  net_log_->AddGlobalEntry(
-      NetLogEventType::NETWORK_CONNECTIVITY_CHANGED,
-      NetLog::StringCallback("new_connection_type", &type_as_string));
+  net_log_->AddGlobalEntryWithStringParams(
+      NetLogEventType::NETWORK_CONNECTIVITY_CHANGED, "new_connection_type",
+      type_as_string);
 }
 
 void LoggingNetworkChangeObserver::OnNetworkChanged(
@@ -107,41 +116,40 @@ void LoggingNetworkChangeObserver::OnNetworkChanged(
 
   VLOG(1) << "Observed a network change to state " << type_as_string;
 
-  net_log_->AddGlobalEntry(
-      NetLogEventType::NETWORK_CHANGED,
-      NetLog::StringCallback("new_connection_type", &type_as_string));
+  net_log_->AddGlobalEntryWithStringParams(
+      NetLogEventType::NETWORK_CHANGED, "new_connection_type", type_as_string);
 }
 
 void LoggingNetworkChangeObserver::OnNetworkConnected(
     NetworkChangeNotifier::NetworkHandle network) {
   VLOG(1) << "Observed network " << network << " connect";
 
-  net_log_->AddGlobalEntry(NetLogEventType::SPECIFIC_NETWORK_CONNECTED,
-                           base::Bind(&NetworkSpecificNetLogCallback, network));
+  NetLogNetworkSpecific(net_log_, NetLogEventType::SPECIFIC_NETWORK_CONNECTED,
+                        network);
 }
 
 void LoggingNetworkChangeObserver::OnNetworkDisconnected(
     NetworkChangeNotifier::NetworkHandle network) {
   VLOG(1) << "Observed network " << network << " disconnect";
 
-  net_log_->AddGlobalEntry(NetLogEventType::SPECIFIC_NETWORK_DISCONNECTED,
-                           base::Bind(&NetworkSpecificNetLogCallback, network));
+  NetLogNetworkSpecific(
+      net_log_, NetLogEventType::SPECIFIC_NETWORK_DISCONNECTED, network);
 }
 
 void LoggingNetworkChangeObserver::OnNetworkSoonToDisconnect(
     NetworkChangeNotifier::NetworkHandle network) {
   VLOG(1) << "Observed network " << network << " soon to disconnect";
 
-  net_log_->AddGlobalEntry(NetLogEventType::SPECIFIC_NETWORK_SOON_TO_DISCONNECT,
-                           base::Bind(&NetworkSpecificNetLogCallback, network));
+  NetLogNetworkSpecific(
+      net_log_, NetLogEventType::SPECIFIC_NETWORK_SOON_TO_DISCONNECT, network);
 }
 
 void LoggingNetworkChangeObserver::OnNetworkMadeDefault(
     NetworkChangeNotifier::NetworkHandle network) {
   VLOG(1) << "Observed network " << network << " made the default network";
 
-  net_log_->AddGlobalEntry(NetLogEventType::SPECIFIC_NETWORK_MADE_DEFAULT,
-                           base::Bind(&NetworkSpecificNetLogCallback, network));
+  NetLogNetworkSpecific(
+      net_log_, NetLogEventType::SPECIFIC_NETWORK_MADE_DEFAULT, network);
 }
 
 }  // namespace net
diff --git a/chromium/net/base/mime_util.cc b/chromium/net/base/mime_util.cc
index a2ff77a7895..09a10df7910 100644
--- a/chromium/net/base/mime_util.cc
+++ b/chromium/net/base/mime_util.cc
@@ -194,6 +194,7 @@ static const MimeInfo kSecondaryMappings[] = {
     {"application/x-mpegurl", "m3u8"},
     {"application/x-shockwave-flash", "swf,swl"},
     {"application/x-tar", "tar"},
+    {"application/x-x509-ca-cert", "cer,crt"},
     {"application/zip", "zip"},
     {"audio/mpeg", "mp3"},
     // This is the platform mapping on recent versions of Windows 10.
diff --git a/chromium/net/base/mime_util_unittest.cc b/chromium/net/base/mime_util_unittest.cc
index 49ce6342a6b..ade41926fd6 100644
--- a/chromium/net/base/mime_util_unittest.cc
+++ b/chromium/net/base/mime_util_unittest.cc
@@ -37,6 +37,8 @@ TEST(MimeUtilTest, ExtensionTest) {
     // These are test cases for testing platform mime types on Chrome OS.
     {FILE_PATH_LITERAL("epub"), "application/epub+zip", true},
     {FILE_PATH_LITERAL("apk"), "application/vnd.android.package-archive", true},
+    {FILE_PATH_LITERAL("cer"), "application/x-x509-ca-cert", true},
+    {FILE_PATH_LITERAL("crt"), "application/x-x509-ca-cert", true},
     {FILE_PATH_LITERAL("zip"), "application/zip", true},
     {FILE_PATH_LITERAL("ics"), "text/calendar", true},
 #endif
@@ -328,7 +330,7 @@ TEST(MimeUtilTest, TestGetExtensionsForMimeType) {
           test.contained_result,
           test.contained_result + strlen(test.contained_result));
 
-      bool found = base::ContainsValue(extensions, contained_result);
+      bool found = base::Contains(extensions, contained_result);
 
       ASSERT_TRUE(found) << "Must find at least the contained result within "
                          << test.mime_type;
diff --git a/chromium/net/base/mock_file_stream.cc b/chromium/net/base/mock_file_stream.cc
index 4cff945228c..64104ee200b 100644
--- a/chromium/net/base/mock_file_stream.cc
+++ b/chromium/net/base/mock_file_stream.cc
@@ -20,9 +20,7 @@ MockFileStream::MockFileStream(
     : FileStream(task_runner),
       forced_error_(OK),
       async_error_(false),
-      throttled_(false),
-      weak_factory_(this) {
-}
+      throttled_(false) {}
 
 MockFileStream::MockFileStream(
     base::File file,
@@ -30,8 +28,7 @@ MockFileStream::MockFileStream(
     : FileStream(std::move(file), task_runner),
       forced_error_(OK),
       async_error_(false),
-      throttled_(false),
-      weak_factory_(this) {}
+      throttled_(false) {}
 
 MockFileStream::~MockFileStream() = default;
 
diff --git a/chromium/net/base/mock_file_stream.h b/chromium/net/base/mock_file_stream.h
index 9f1eb98b94a..fba7843256c 100644
--- a/chromium/net/base/mock_file_stream.h
+++ b/chromium/net/base/mock_file_stream.h
@@ -98,7 +98,7 @@ class MockFileStream : public FileStream {
   base::OnceClosure throttled_task_;
   base::FilePath path_;
 
-  base::WeakPtrFactory<MockFileStream> weak_factory_;
+  base::WeakPtrFactory<MockFileStream> weak_factory_{this};
 };
 
 }  // namespace testing
diff --git a/chromium/net/base/mock_network_change_notifier.cc b/chromium/net/base/mock_network_change_notifier.cc
index 65e3f96be43..872f5cf4949 100644
--- a/chromium/net/base/mock_network_change_notifier.cc
+++ b/chromium/net/base/mock_network_change_notifier.cc
@@ -4,15 +4,28 @@
 
 #include "net/base/mock_network_change_notifier.h"
 
+#include <utility>
+
+#include "base/memory/ptr_util.h"
 #include "base/run_loop.h"
+#include "net/dns/dns_config_service.h"
+#include "net/dns/system_dns_config_change_notifier.h"
 
 namespace net {
 namespace test {
 
-MockNetworkChangeNotifier::MockNetworkChangeNotifier()
-    : force_network_handles_supported_(false),
-      connection_type_(CONNECTION_UNKNOWN) {}
-MockNetworkChangeNotifier::~MockNetworkChangeNotifier() = default;
+// static
+std::unique_ptr<MockNetworkChangeNotifier> MockNetworkChangeNotifier::Create() {
+  // Use an empty noop SystemDnsConfigChangeNotifier to disable actual system
+  // DNS configuration notifications.
+  return base::WrapUnique(new MockNetworkChangeNotifier(
+      std::make_unique<SystemDnsConfigChangeNotifier>(
+          nullptr /* task_runner */, nullptr /* dns_config_service */)));
+}
+
+MockNetworkChangeNotifier::~MockNetworkChangeNotifier() {
+  StopSystemDnsConfigNotifier();
+}
 
 MockNetworkChangeNotifier::ConnectionType
 MockNetworkChangeNotifier::GetCurrentConnectionType() const {
@@ -72,10 +85,18 @@ void MockNetworkChangeNotifier::NotifyNetworkConnected(
   base::RunLoop().RunUntilIdle();
 }
 
+MockNetworkChangeNotifier::MockNetworkChangeNotifier(
+    std::unique_ptr<SystemDnsConfigChangeNotifier> dns_config_notifier)
+    : NetworkChangeNotifier(NetworkChangeCalculatorParams(),
+                            dns_config_notifier.get()),
+      force_network_handles_supported_(false),
+      connection_type_(CONNECTION_UNKNOWN),
+      dns_config_notifier_(std::move(dns_config_notifier)) {}
+
 ScopedMockNetworkChangeNotifier::ScopedMockNetworkChangeNotifier()
     : disable_network_change_notifier_for_tests_(
           new NetworkChangeNotifier::DisableForTest()),
-      mock_network_change_notifier_(new MockNetworkChangeNotifier()) {}
+      mock_network_change_notifier_(MockNetworkChangeNotifier::Create()) {}
 
 ScopedMockNetworkChangeNotifier::~ScopedMockNetworkChangeNotifier() = default;
 
diff --git a/chromium/net/base/mock_network_change_notifier.h b/chromium/net/base/mock_network_change_notifier.h
index e8d4269dd8c..c047536ea65 100644
--- a/chromium/net/base/mock_network_change_notifier.h
+++ b/chromium/net/base/mock_network_change_notifier.h
@@ -5,14 +5,19 @@
 #ifndef NET_BASE_MOCK_NETWORK_CHANGE_NOTIFIER_H_
 #define NET_BASE_MOCK_NETWORK_CHANGE_NOTIFIER_H_
 
+#include <memory>
+
 #include "net/base/network_change_notifier.h"
 
 namespace net {
+
+class SystemDnsConfigChangeNotifier;
+
 namespace test {
 
 class MockNetworkChangeNotifier : public NetworkChangeNotifier {
  public:
-  MockNetworkChangeNotifier();
+  static std::unique_ptr<MockNetworkChangeNotifier> Create();
   ~MockNetworkChangeNotifier() override;
 
   ConnectionType GetCurrentConnectionType() const override;
@@ -47,9 +52,14 @@ class MockNetworkChangeNotifier : public NetworkChangeNotifier {
   void NotifyNetworkConnected(NetworkChangeNotifier::NetworkHandle network);
 
  private:
+  // Create using MockNetworkChangeNotifier::Create().
+  MockNetworkChangeNotifier(
+      std::unique_ptr<SystemDnsConfigChangeNotifier> dns_config_notifier);
+
   bool force_network_handles_supported_;
   ConnectionType connection_type_;
   NetworkChangeNotifier::NetworkList connected_networks_;
+  std::unique_ptr<SystemDnsConfigChangeNotifier> dns_config_notifier_;
 };
 
 // Class to replace existing NetworkChangeNotifier singleton with a
diff --git a/chromium/net/base/net_error_list.h b/chromium/net/base/net_error_list.h
index 9614b3d857d..6fc8c5ea1d2 100644
--- a/chromium/net/base/net_error_list.h
+++ b/chromium/net/base/net_error_list.h
@@ -309,9 +309,7 @@ NET_ERROR(SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, -150)
 // Server request for client certificate did not contain any types we support.
 NET_ERROR(CLIENT_AUTH_CERT_TYPE_UNSUPPORTED, -151)
 
-// Server requested one type of cert, then requested a different type while the
-// first was still being generated.
-NET_ERROR(ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH, -152)
+// Error -152 was removed (ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH)
 
 // An SSL peer sent us a fatal decrypt_error alert. This typically occurs when
 // a peer could not correctly verify a signature (in CertificateVerify or
@@ -627,8 +625,8 @@ NET_ERROR(UNRECOGNIZED_FTP_DIRECTORY_LISTING_FORMAT, -334)
 // There are no supported proxies in the provided list.
 NET_ERROR(NO_SUPPORTED_PROXIES, -336)
 
-// There is a SPDY protocol error.
-NET_ERROR(SPDY_PROTOCOL_ERROR, -337)
+// There is an HTTP/2 protocol error.
+NET_ERROR(HTTP2_PROTOCOL_ERROR, -337)
 
 // Credentials could not be established during HTTP Authentication.
 NET_ERROR(INVALID_AUTH_CREDENTIALS, -338)
@@ -659,9 +657,9 @@ NET_ERROR(RESPONSE_BODY_TOO_BIG_TO_DRAIN, -345)
 // The HTTP response contained multiple distinct Content-Length headers.
 NET_ERROR(RESPONSE_HEADERS_MULTIPLE_CONTENT_LENGTH, -346)
 
-// SPDY Headers have been received, but not all of them - status or version
+// HTTP/2 headers have been received, but not all of them - status or version
 // headers are missing, so we're expecting additional frames to complete them.
-NET_ERROR(INCOMPLETE_SPDY_HEADERS, -347)
+NET_ERROR(INCOMPLETE_HTTP2_HEADERS, -347)
 
 // No PAC URL configuration could be retrieved from DHCP. This can indicate
 // either a failure to retrieve the DHCP configuration, or that there was no
@@ -679,10 +677,10 @@ NET_ERROR(RESPONSE_HEADERS_MULTIPLE_LOCATION, -350)
 // stream id corresponding to the request indicating that this request has not
 // been processed yet, or a RST_STREAM frame with error code REFUSED_STREAM.
 // Client MAY retry (on a different connection).  See RFC7540 Section 8.1.4.
-NET_ERROR(SPDY_SERVER_REFUSED_STREAM, -351)
+NET_ERROR(HTTP2_SERVER_REFUSED_STREAM, -351)
 
-// SPDY server didn't respond to the PING message.
-NET_ERROR(SPDY_PING_FAILED, -352)
+// HTTP/2 server didn't respond to the PING message.
+NET_ERROR(HTTP2_PING_FAILED, -352)
 
 // Obsolete.  Kept here to avoid reuse, as the old error can still appear on
 // histograms.
@@ -710,17 +708,17 @@ NET_ERROR(QUIC_HANDSHAKE_FAILED, -358)
 // histograms.
 // NET_ERROR(REQUEST_FOR_SECURE_RESOURCE_OVER_INSECURE_QUIC, -359)
 
-// Transport security is inadequate for the SPDY version.
-NET_ERROR(SPDY_INADEQUATE_TRANSPORT_SECURITY, -360)
+// Transport security is inadequate for the HTTP/2 version.
+NET_ERROR(HTTP2_INADEQUATE_TRANSPORT_SECURITY, -360)
 
-// The peer violated SPDY flow control.
-NET_ERROR(SPDY_FLOW_CONTROL_ERROR, -361)
+// The peer violated HTTP/2 flow control.
+NET_ERROR(HTTP2_FLOW_CONTROL_ERROR, -361)
 
-// The peer sent an improperly sized SPDY frame.
-NET_ERROR(SPDY_FRAME_SIZE_ERROR, -362)
+// The peer sent an improperly sized HTTP/2 frame.
+NET_ERROR(HTTP2_FRAME_SIZE_ERROR, -362)
 
-// Decoding or encoding of compressed SPDY headers failed.
-NET_ERROR(SPDY_COMPRESSION_ERROR, -363)
+// Decoding or encoding of compressed HTTP/2 headers failed.
+NET_ERROR(HTTP2_COMPRESSION_ERROR, -363)
 
 // Proxy Auth Requested without a valid Client Socket Handle.
 NET_ERROR(PROXY_AUTH_REQUESTED_WITH_NO_CONNECTION, -364)
@@ -749,14 +747,14 @@ NET_ERROR(CONTENT_DECODING_INIT_FAILED, -371)
 // Received HTTP/2 RST_STREAM frame with NO_ERROR error code.  This error should
 // be handled internally by HTTP/2 code, and should not make it above the
 // SpdyStream layer.
-NET_ERROR(SPDY_RST_STREAM_NO_ERROR_RECEIVED, -372)
+NET_ERROR(HTTP2_RST_STREAM_NO_ERROR_RECEIVED, -372)
 
 // The pushed stream claimed by the request is no longer available.
-NET_ERROR(SPDY_PUSHED_STREAM_NOT_AVAILABLE, -373)
+NET_ERROR(HTTP2_PUSHED_STREAM_NOT_AVAILABLE, -373)
 
 // A pushed stream was claimed and later reset by the server. When this happens,
 // the request should be retried.
-NET_ERROR(SPDY_CLAIMED_PUSHED_STREAM_RESET_BY_SERVER, -374)
+NET_ERROR(HTTP2_CLAIMED_PUSHED_STREAM_RESET_BY_SERVER, -374)
 
 // An HTTP transaction was retried too many times due for authentication or
 // invalid certificates. This may be due to a bug in the net stack that would
@@ -765,14 +763,14 @@ NET_ERROR(SPDY_CLAIMED_PUSHED_STREAM_RESET_BY_SERVER, -374)
 NET_ERROR(TOO_MANY_RETRIES, -375)
 
 // Received an HTTP/2 frame on a closed stream.
-NET_ERROR(SPDY_STREAM_CLOSED, -376)
+NET_ERROR(HTTP2_STREAM_CLOSED, -376)
 
 // Client is refusing an HTTP/2 stream.
-NET_ERROR(SPDY_CLIENT_REFUSED_STREAM, -377)
+NET_ERROR(HTTP2_CLIENT_REFUSED_STREAM, -377)
 
 // A pushed HTTP/2 stream was claimed by a request based on matching URL and
 // request headers, but the pushed response headers do not match the request.
-NET_ERROR(SPDY_PUSHED_RESPONSE_DOES_NOT_MATCH, -378)
+NET_ERROR(HTTP2_PUSHED_RESPONSE_DOES_NOT_MATCH, -378)
 
 // The cache does not have the requested entry.
 NET_ERROR(CACHE_MISS, -400)
diff --git a/chromium/net/base/net_string_util_icu_alternatives_android.cc b/chromium/net/base/net_string_util_icu_alternatives_android.cc
index 222312e18f5..fad7f451270 100644
--- a/chromium/net/base/net_string_util_icu_alternatives_android.cc
+++ b/chromium/net/base/net_string_util_icu_alternatives_android.cc
@@ -6,8 +6,8 @@
 #include "base/android/jni_string.h"
 #include "base/strings/string16.h"
 #include "base/strings/string_piece.h"
-#include "jni/NetStringUtil_jni.h"
 #include "net/base/net_string_util.h"
+#include "net/net_jni_headers/NetStringUtil_jni.h"
 
 using base::android::ScopedJavaLocalRef;
 
diff --git a/chromium/net/base/network_change_notifier.cc b/chromium/net/base/network_change_notifier.cc
index 48fb8504ff5..dd6a55f1b57 100644
--- a/chromium/net/base/network_change_notifier.cc
+++ b/chromium/net/base/network_change_notifier.cc
@@ -5,10 +5,15 @@
 #include "net/base/network_change_notifier.h"
 
 #include <limits>
+#include <string>
 #include <unordered_set>
+#include <utility>
 
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
+#include "base/no_destructor.h"
+#include "base/optional.h"
+#include "base/sequence_checker.h"
 #include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "base/synchronization/lock.h"
@@ -19,6 +24,8 @@
 #include "net/base/network_interfaces.h"
 #include "net/base/url_util.h"
 #include "net/dns/dns_config.h"
+#include "net/dns/dns_config_service.h"
+#include "net/dns/system_dns_config_change_notifier.h"
 #include "net/url_request/url_request.h"
 #include "url/gurl.h"
 
@@ -49,22 +56,27 @@ NetworkChangeNotifierFactory* g_network_change_notifier_factory = nullptr;
 
 class MockNetworkChangeNotifier : public NetworkChangeNotifier {
  public:
+  MockNetworkChangeNotifier(
+      std::unique_ptr<SystemDnsConfigChangeNotifier> dns_config_notifier)
+      : NetworkChangeNotifier(NetworkChangeCalculatorParams(),
+                              dns_config_notifier.get()),
+        dns_config_notifier_(std::move(dns_config_notifier)) {}
+
+  ~MockNetworkChangeNotifier() override { StopSystemDnsConfigNotifier(); }
+
   ConnectionType GetCurrentConnectionType() const override {
     return CONNECTION_UNKNOWN;
   }
-};
 
-}  // namespace
-
-// static
-bool NetworkChangeNotifier::test_notifications_only_ = false;
-// static
-const NetworkChangeNotifier::NetworkHandle
-    NetworkChangeNotifier::kInvalidNetworkHandle = -1;
+ private:
+  std::unique_ptr<SystemDnsConfigChangeNotifier> dns_config_notifier_;
+};
 
 // NetworkState is thread safe.
-class NetworkChangeNotifier::NetworkState
-    : public base::RefCountedThreadSafe<NetworkChangeNotifier::NetworkState> {
+//
+// TODO(crbug.com/971411): Remove once HostResolverManager converted to directly
+// use SystemDnsConfigChangeNotifier.
+class NetworkState : public base::RefCountedThreadSafe<NetworkState> {
  public:
   NetworkState() = default;
 
@@ -95,6 +107,14 @@ class NetworkChangeNotifier::NetworkState
   bool set_ = false;
 };
 
+}  // namespace
+
+// static
+bool NetworkChangeNotifier::test_notifications_only_ = false;
+// static
+const NetworkChangeNotifier::NetworkHandle
+    NetworkChangeNotifier::kInvalidNetworkHandle = -1;
+
 NetworkChangeNotifier::NetworkChangeCalculatorParams::
     NetworkChangeCalculatorParams() = default;
 
@@ -177,6 +197,43 @@ class NetworkChangeNotifier::NetworkChangeCalculator
   DISALLOW_COPY_AND_ASSIGN(NetworkChangeCalculator);
 };
 
+class NetworkChangeNotifier::SystemDnsConfigObserver
+    : public SystemDnsConfigChangeNotifier::Observer {
+ public:
+  virtual ~SystemDnsConfigObserver() = default;
+
+  void OnSystemDnsConfigChanged(base::Optional<DnsConfig> config) override {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+    bool was_set = network_state_->SetDnsConfig(config.value_or(DnsConfig()));
+    DCHECK_EQ(initial_config_received_, was_set);
+
+    if (initial_config_received_) {
+      NotifyObserversOfDNSChange();
+    } else {
+      initial_config_received_ = true;
+      NotifyObserversOfInitialDNSConfigRead();
+    }
+  }
+
+  scoped_refptr<const NetworkState> network_state() { return network_state_; }
+
+  void ClearDnsConfigForTesting() {
+    initial_config_received_ = false;
+    network_state_->ClearDnsConfigForTesting();
+  }
+
+ private:
+  bool initial_config_received_ = false;
+
+  // TODO(crbug.com/971411): Remove once HostResolverManager converted to
+  // directly use SystemDnsConfigChangeNotifier.
+  scoped_refptr<NetworkState> network_state_ =
+      base::MakeRefCounted<NetworkState>();
+
+  SEQUENCE_CHECKER(sequence_checker_);
+};
+
 void NetworkChangeNotifier::ClearGlobalPointer() {
   if (!cleared_global_pointer_) {
     cleared_global_pointer_ = true;
@@ -188,6 +245,7 @@ void NetworkChangeNotifier::ClearGlobalPointer() {
 NetworkChangeNotifier::~NetworkChangeNotifier() {
   network_change_calculator_.reset();
   ClearGlobalPointer();
+  StopSystemDnsConfigNotifier();
 }
 
 // static
@@ -203,13 +261,13 @@ void NetworkChangeNotifier::SetFactory(
 }
 
 // static
-NetworkChangeNotifier* NetworkChangeNotifier::Create() {
+std::unique_ptr<NetworkChangeNotifier> NetworkChangeNotifier::Create() {
   if (g_network_change_notifier_factory)
     return g_network_change_notifier_factory->CreateInstance();
 
 #if defined(OS_WIN)
-  NetworkChangeNotifierWin* network_change_notifier =
-      new NetworkChangeNotifierWin();
+  std::unique_ptr<NetworkChangeNotifierWin> network_change_notifier =
+      std::make_unique<NetworkChangeNotifierWin>();
   network_change_notifier->WatchForAddressChange();
   return network_change_notifier;
 #elif defined(OS_ANDROID)
@@ -217,13 +275,16 @@ NetworkChangeNotifier* NetworkChangeNotifier::Create() {
   CHECK(false);
   return NULL;
 #elif defined(OS_CHROMEOS)
-  return new NetworkChangeNotifierPosix(CONNECTION_NONE, SUBTYPE_NONE);
+  return std::make_unique<NetworkChangeNotifierPosix>(CONNECTION_NONE,
+                                                      SUBTYPE_NONE);
 #elif defined(OS_LINUX)
-  return new NetworkChangeNotifierLinux(std::unordered_set<std::string>());
+  return std::make_unique<NetworkChangeNotifierLinux>(
+      std::unordered_set<std::string>());
 #elif defined(OS_MACOSX)
-  return new NetworkChangeNotifierMac();
+  return std::make_unique<NetworkChangeNotifierMac>();
 #elif defined(OS_FUCHSIA)
-  return new NetworkChangeNotifierFuchsia(0 /* required_features */);
+  return std::make_unique<NetworkChangeNotifierFuchsia>(
+      0 /* required_features */);
 #else
   NOTIMPLEMENTED();
   return NULL;
@@ -383,8 +444,8 @@ void NetworkChangeNotifier::GetDnsConfig(DnsConfig* config) {
   if (!g_network_change_notifier) {
     *config = DnsConfig();
   } else {
-    scoped_refptr<NetworkState> network_state =
-        g_network_change_notifier->network_state_;
+    scoped_refptr<const NetworkState> network_state =
+        g_network_change_notifier->system_dns_config_observer_->network_state();
     network_state->GetDnsConfig(config);
   }
 }
@@ -491,8 +552,12 @@ NetworkChangeNotifier::ConnectionTypeFromInterfaceList(
 }
 
 // static
-NetworkChangeNotifier* NetworkChangeNotifier::CreateMock() {
-  return new MockNetworkChangeNotifier();
+std::unique_ptr<NetworkChangeNotifier> NetworkChangeNotifier::CreateMock() {
+  // Use an empty noop SystemDnsConfigChangeNotifier to disable actual system
+  // DNS configuration notifications.
+  return std::make_unique<MockNetworkChangeNotifier>(
+      std::make_unique<SystemDnsConfigChangeNotifier>(
+          nullptr /* task_runner */, nullptr /* dns_config_service */));
 }
 
 NetworkChangeNotifier::IPAddressObserver::IPAddressObserver() = default;
@@ -664,7 +729,8 @@ void NetworkChangeNotifier::SetTestNotificationsOnly(bool test_only) {
 
 NetworkChangeNotifier::NetworkChangeNotifier(
     const NetworkChangeCalculatorParams& params
-    /*= NetworkChangeCalculatorParams()*/)
+    /*= NetworkChangeCalculatorParams()*/,
+    SystemDnsConfigChangeNotifier* system_dns_config_notifier /*= nullptr */)
     : ip_address_observer_list_(
           new base::ObserverListThreadSafe<IPAddressObserver>(
               base::ObserverListPolicy::EXISTING_ONLY)),
@@ -682,11 +748,19 @@ NetworkChangeNotifier::NetworkChangeNotifier(
               base::ObserverListPolicy::EXISTING_ONLY)),
       network_observer_list_(new base::ObserverListThreadSafe<NetworkObserver>(
           base::ObserverListPolicy::EXISTING_ONLY)),
-      network_state_(new NetworkState()),
+      system_dns_config_notifier_(system_dns_config_notifier),
+      system_dns_config_observer_(std::make_unique<SystemDnsConfigObserver>()),
       network_change_calculator_(new NetworkChangeCalculator(params)) {
+  if (!system_dns_config_notifier_) {
+    static base::NoDestructor<SystemDnsConfigChangeNotifier> singleton{};
+    system_dns_config_notifier_ = singleton.get();
+  }
+
   DCHECK(!g_network_change_notifier);
   g_network_change_notifier = this;
   network_change_calculator_->Init();
+
+  system_dns_config_notifier_->AddObserver(system_dns_config_observer_.get());
 }
 
 #if defined(OS_LINUX)
@@ -799,24 +873,29 @@ void NetworkChangeNotifier::NotifyObserversOfSpecificNetworkChange(
 }
 
 // static
-void NetworkChangeNotifier::SetDnsConfig(const DnsConfig& config) {
-  if (!g_network_change_notifier)
-    return;
-  scoped_refptr<NetworkState> network_state =
-      g_network_change_notifier->network_state_;
-  if (network_state->SetDnsConfig(config)) {
-    NotifyObserversOfDNSChange();
-  } else {
-    NotifyObserversOfInitialDNSConfigRead();
+void NetworkChangeNotifier::SetDnsConfigForTesting(const DnsConfig& config) {
+  if (g_network_change_notifier) {
+    g_network_change_notifier->system_dns_config_observer_
+        ->OnSystemDnsConfigChanged(config);
   }
 }
 
+// static
 void NetworkChangeNotifier::ClearDnsConfigForTesting() {
   if (!g_network_change_notifier)
     return;
-  scoped_refptr<NetworkState> network_state =
-      g_network_change_notifier->network_state_;
-  network_state->ClearDnsConfigForTesting();
+  g_network_change_notifier->system_dns_config_observer_
+      ->ClearDnsConfigForTesting();
+}
+
+void NetworkChangeNotifier::StopSystemDnsConfigNotifier() {
+  if (!system_dns_config_notifier_)
+    return;
+
+  system_dns_config_notifier_->RemoveObserver(
+      system_dns_config_observer_.get());
+  system_dns_config_observer_ = nullptr;
+  system_dns_config_notifier_ = nullptr;
 }
 
 void NetworkChangeNotifier::NotifyObserversOfIPAddressChangeImpl() {
diff --git a/chromium/net/base/network_change_notifier.h b/chromium/net/base/network_change_notifier.h
index 9cf4f6f240b..e6d06cf0dcd 100644
--- a/chromium/net/base/network_change_notifier.h
+++ b/chromium/net/base/network_change_notifier.h
@@ -21,6 +21,7 @@ namespace net {
 struct DnsConfig;
 class NetworkChangeNotifierFactory;
 struct NetworkInterface;
+class SystemDnsConfigChangeNotifier;
 typedef std::vector<NetworkInterface> NetworkInterfaceList;
 
 #if defined(OS_LINUX)
@@ -293,7 +294,7 @@ class NET_EXPORT NetworkChangeNotifier {
   // monitored), but if you do create it, you must do so before any other
   // threads try to access the API below, and it must outlive all other threads
   // which might try to use it.
-  static NetworkChangeNotifier* Create();
+  static std::unique_ptr<NetworkChangeNotifier> Create();
 
   // Returns whether the process-wide, platform-specific NetworkChangeNotifier
   // has been created.
@@ -369,6 +370,9 @@ class NET_EXPORT NetworkChangeNotifier {
 
   // Retrieve the last read DnsConfig. This could be expensive if the system has
   // a large HOSTS file.
+  //
+  // TODO(crbug.com/971411): Remove once HostResolverManager converted to
+  // directly use SystemDnsConfigChangeNotifier.
   static void GetDnsConfig(DnsConfig* config);
 
 #if defined(OS_LINUX)
@@ -402,7 +406,7 @@ class NET_EXPORT NetworkChangeNotifier {
 
   // Like Create(), but for use in tests.  The mock object doesn't monitor any
   // events, it merely rebroadcasts notifications when requested.
-  static NetworkChangeNotifier* CreateMock();
+  static std::unique_ptr<NetworkChangeNotifier> CreateMock();
 
   // Registers |observer| to receive notifications of network changes.  The
   // thread on which this is called is the thread on which |observer| will be
@@ -509,9 +513,12 @@ class NET_EXPORT NetworkChangeNotifier {
     base::TimeDelta connection_type_online_delay_;
   };
 
-  explicit NetworkChangeNotifier(
+  // If |system_dns_config_notifier| is null (the default), a shared singleton
+  // will be used that will be leaked on shutdown.
+  NetworkChangeNotifier(
       const NetworkChangeCalculatorParams& params =
-          NetworkChangeCalculatorParams());
+          NetworkChangeCalculatorParams(),
+      SystemDnsConfigChangeNotifier* system_dns_config_notifier = nullptr);
 
 #if defined(OS_LINUX)
   // Returns the AddressTrackerLinux if present.
@@ -550,7 +557,7 @@ class NET_EXPORT NetworkChangeNotifier {
 
   // Stores |config| in NetworkState and notifies observers. The first
   // notification will be OnInitialDNSConfigRead, and after that OnDNSChanged.
-  static void SetDnsConfig(const DnsConfig& config);
+  static void SetDnsConfigForTesting(const DnsConfig& config);
 
   // Clears previous DnsConfig, if any, to simulate the first one being set.
   static void ClearDnsConfigForTesting();
@@ -559,6 +566,14 @@ class NET_EXPORT NetworkChangeNotifier {
   // have the same type, return it, otherwise return CONNECTION_UNKNOWN.
   static ConnectionType ConnectionTypeFromInterfaces();
 
+  SystemDnsConfigChangeNotifier* system_dns_config_notifier() {
+    DCHECK(system_dns_config_notifier_);
+    return system_dns_config_notifier_;
+  }
+  // Unregisters and clears |system_dns_config_notifier_|. Useful if a subclass
+  // owns the notifier and is destroying it before |this|'s destructor is called
+  void StopSystemDnsConfigNotifier();
+
   // Clears the global NetworkChangeNotifier pointer.  This should be called
   // as early as possible in the destructor to prevent races.
   void ClearGlobalPointer();
@@ -569,8 +584,8 @@ class NET_EXPORT NetworkChangeNotifier {
   friend class NetworkChangeNotifierLinuxTest;
   friend class NetworkChangeNotifierWinTest;
 
-  class NetworkState;
   class NetworkChangeCalculator;
+  class SystemDnsConfigObserver;
 
   void NotifyObserversOfIPAddressChangeImpl();
   void NotifyObserversOfConnectionTypeChangeImpl(ConnectionType type);
@@ -595,8 +610,8 @@ class NET_EXPORT NetworkChangeNotifier {
   const scoped_refptr<base::ObserverListThreadSafe<NetworkObserver>>
       network_observer_list_;
 
-  // The current network state. Hosts DnsConfig, exposed via GetDnsConfig.
-  scoped_refptr<NetworkState> network_state_;
+  SystemDnsConfigChangeNotifier* system_dns_config_notifier_;
+  std::unique_ptr<SystemDnsConfigObserver> system_dns_config_observer_;
 
   // Computes NetworkChange signal from IPAddress and ConnectionType signals.
   std::unique_ptr<NetworkChangeCalculator> network_change_calculator_;
diff --git a/chromium/net/base/network_change_notifier_factory.h b/chromium/net/base/network_change_notifier_factory.h
index 88cc15ab44d..203e9972528 100644
--- a/chromium/net/base/network_change_notifier_factory.h
+++ b/chromium/net/base/network_change_notifier_factory.h
@@ -5,6 +5,8 @@
 #ifndef NET_BASE_NETWORK_CHANGE_NOTIFIER_FACTORY_H_
 #define NET_BASE_NETWORK_CHANGE_NOTIFIER_FACTORY_H_
 
+#include <memory>
+
 #include "net/base/net_export.h"
 
 namespace net {
@@ -16,7 +18,7 @@ class NET_EXPORT NetworkChangeNotifierFactory {
  public:
   NetworkChangeNotifierFactory() {}
   virtual ~NetworkChangeNotifierFactory() {}
-  virtual NetworkChangeNotifier* CreateInstance() = 0;
+  virtual std::unique_ptr<NetworkChangeNotifier> CreateInstance() = 0;
 };
 
 }  // namespace net
diff --git a/chromium/net/base/network_change_notifier_fuchsia.cc b/chromium/net/base/network_change_notifier_fuchsia.cc
index f3d48538629..ddeae7d0e3a 100644
--- a/chromium/net/base/network_change_notifier_fuchsia.cc
+++ b/chromium/net/base/network_change_notifier_fuchsia.cc
@@ -28,14 +28,18 @@ NetworkChangeNotifierFuchsia::NetworkChangeNotifierFuchsia(
 
 NetworkChangeNotifierFuchsia::NetworkChangeNotifierFuchsia(
     fuchsia::netstack::NetstackPtr netstack,
-    uint32_t required_features)
-    : required_features_(required_features) {
+    uint32_t required_features,
+    SystemDnsConfigChangeNotifier* system_dns_config_notifier)
+    : NetworkChangeNotifier(NetworkChangeCalculatorParams(),
+                            system_dns_config_notifier),
+      required_features_(required_features) {
   DCHECK(netstack);
 
   // Temporarily re-wrap our Netstack channel so we can query the interfaces
   // and routing table synchronously to populate the initial state.
   fuchsia::netstack::NetstackSyncPtr sync_netstack;
   sync_netstack.Bind(netstack.Unbind());
+  DCHECK(sync_netstack);
 
   // Manually fetch the interfaces and routes.
   std::vector<fuchsia::netstack::NetInterface> interfaces;
@@ -48,6 +52,7 @@ NetworkChangeNotifierFuchsia::NetworkChangeNotifierFuchsia(
 
   // Re-wrap Netstack back into an asynchronous pointer.
   netstack_.Bind(sync_netstack.Unbind());
+  DCHECK(netstack_);
   netstack_.set_error_handler([](zx_status_t status) {
     // TODO(https://crbug.com/901092): Unit tests that use NetworkService are
     // crashing because NetworkService does not clean up properly, and the
diff --git a/chromium/net/base/network_change_notifier_fuchsia.h b/chromium/net/base/network_change_notifier_fuchsia.h
index acee7d48f14..7fddead7682 100644
--- a/chromium/net/base/network_change_notifier_fuchsia.h
+++ b/chromium/net/base/network_change_notifier_fuchsia.h
@@ -36,8 +36,10 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierFuchsia
   // For testing purposes. Receives a |netstack| pointer for easy mocking.
   // Interfaces can be filtered out by passing in |required_features|, which is
   // defined in fuchsia::hardware::ethernet.
-  NetworkChangeNotifierFuchsia(fuchsia::netstack::NetstackPtr netstack,
-                               uint32_t required_features);
+  NetworkChangeNotifierFuchsia(
+      fuchsia::netstack::NetstackPtr netstack,
+      uint32_t required_features,
+      SystemDnsConfigChangeNotifier* system_dns_config_notifier = nullptr);
 
   // Forwards the network interface list along with the result of
   // GetRouteTable() to OnRouteTableReceived().
diff --git a/chromium/net/base/network_change_notifier_fuchsia_unittest.cc b/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
index b301f08d878..cd339bf8d10 100644
--- a/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
+++ b/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
@@ -16,6 +16,8 @@
 #include "base/threading/sequence_bound.h"
 #include "base/threading/thread.h"
 #include "net/base/ip_address.h"
+#include "net/dns/dns_config_service.h"
+#include "net/dns/system_dns_config_change_notifier.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -234,8 +236,12 @@ class NetworkChangeNotifierFuchsiaTest : public testing::Test {
     // notifier queries it.
     netstack_.Synchronize();
 
-    notifier_.reset(new NetworkChangeNotifierFuchsia(std::move(netstack_ptr_),
-                                                     required_features));
+    // Use a noop DNS notifier.
+    dns_config_notifier_ = std::make_unique<SystemDnsConfigChangeNotifier>(
+        nullptr /* task_runner */, nullptr /* dns_config_service */);
+    notifier_.reset(new NetworkChangeNotifierFuchsia(
+        std::move(netstack_ptr_), required_features,
+        dns_config_notifier_.get()));
 
     NetworkChangeNotifier::AddConnectionTypeObserver(&observer_);
     NetworkChangeNotifier::AddIPAddressObserver(&ip_observer_);
@@ -260,6 +266,7 @@ class NetworkChangeNotifierFuchsiaTest : public testing::Test {
 
   // Allows us to allocate our own NetworkChangeNotifier for unit testing.
   NetworkChangeNotifier::DisableForTest disable_for_test_;
+  std::unique_ptr<SystemDnsConfigChangeNotifier> dns_config_notifier_;
   std::unique_ptr<NetworkChangeNotifierFuchsia> notifier_;
 
   testing::InSequence seq_;
diff --git a/chromium/net/base/network_change_notifier_linux.cc b/chromium/net/base/network_change_notifier_linux.cc
index 682395d63da..6dc7d2c6ba9 100644
--- a/chromium/net/base/network_change_notifier_linux.cc
+++ b/chromium/net/base/network_change_notifier_linux.cc
@@ -40,7 +40,6 @@ class NetworkChangeNotifierLinux::BlockingThreadObjects {
  private:
   void OnIPAddressChanged();
   void OnLinkChanged();
-  internal::DnsConfigServicePosix dns_config_service_;
   // Used to detect online/offline state and IP address changes.
   internal::AddressTrackerLinux address_tracker_;
   NetworkChangeNotifier::ConnectionType last_type_;
@@ -64,8 +63,6 @@ NetworkChangeNotifierLinux::BlockingThreadObjects::BlockingThreadObjects(
 void NetworkChangeNotifierLinux::BlockingThreadObjects::Init() {
   address_tracker_.Init();
   last_type_ = GetCurrentConnectionType();
-  dns_config_service_.WatchConfig(
-      base::Bind(&NetworkChangeNotifier::SetDnsConfig));
 }
 
 void NetworkChangeNotifierLinux::BlockingThreadObjects::OnIPAddressChanged() {
diff --git a/chromium/net/base/network_change_notifier_linux.h b/chromium/net/base/network_change_notifier_linux.h
index fa14f307587..8c4c3255924 100644
--- a/chromium/net/base/network_change_notifier_linux.h
+++ b/chromium/net/base/network_change_notifier_linux.h
@@ -33,10 +33,11 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierLinux
   explicit NetworkChangeNotifierLinux(
       const std::unordered_set<std::string>& ignored_interfaces);
 
+  ~NetworkChangeNotifierLinux() override;
+
  private:
   class BlockingThreadObjects;
 
-  ~NetworkChangeNotifierLinux() override;
   static NetworkChangeCalculatorParams NetworkChangeCalculatorParamsLinux();
 
   // NetworkChangeNotifier:
diff --git a/chromium/net/base/network_change_notifier_mac.cc b/chromium/net/base/network_change_notifier_mac.cc
index 76ad20fd8c1..c082e84822e 100644
--- a/chromium/net/base/network_change_notifier_mac.cc
+++ b/chromium/net/base/network_change_notifier_mac.cc
@@ -28,28 +28,7 @@ NetworkChangeNotifierMac::NetworkChangeNotifierMac()
       connection_type_(CONNECTION_UNKNOWN),
       connection_type_initialized_(false),
       initial_connection_type_cv_(&connection_type_lock_),
-      forwarder_(this)
-#if !defined(OS_IOS)
-      ,
-      dns_config_service_runner_(
-          base::CreateSequencedTaskRunnerWithTraits({base::MayBlock()})),
-      dns_config_service_(
-          DnsConfigService::CreateSystemService().release(),
-          // Ensure DnsConfigService lives on |dns_config_service_runner_|
-          // to prevent races where NetworkChangeNotifierPosix outlives
-          // ScopedTaskEnvironment. https://crbug.com/938126
-          base::OnTaskRunnerDeleter(dns_config_service_runner_)) {
-  // DnsConfigService on iOS doesn't watch the config so its result can become
-  // inaccurate at any time.  Disable it to prevent promulgation of inaccurate
-  // DnsConfigs.
-  dns_config_service_runner_->PostTask(
-      FROM_HERE, base::BindOnce(&DnsConfigService::WatchConfig,
-                                base::Unretained(dns_config_service_.get()),
-                                base::BindRepeating(
-                                    &NetworkChangeNotifier::SetDnsConfig)));
-#else
-{
-#endif  // defined(OS_IOS)
+      forwarder_(this) {
   // Must be initialized after the rest of this object, as it may call back into
   // SetInitialConnectionType().
   config_watcher_ = std::make_unique<NetworkConfigWatcherMac>(&forwarder_);
diff --git a/chromium/net/base/network_change_notifier_mac.h b/chromium/net/base/network_change_notifier_mac.h
index 4037534350d..516264d27d5 100644
--- a/chromium/net/base/network_change_notifier_mac.h
+++ b/chromium/net/base/network_change_notifier_mac.h
@@ -19,15 +19,8 @@
 #include "net/base/network_change_notifier.h"
 #include "net/base/network_config_watcher_mac.h"
 
-namespace base {
-class SequencedTaskRunner;
-struct OnTaskRunnerDeleter;
-}  // namespace base
-
 namespace net {
 
-class DnsConfigService;
-
 class NetworkChangeNotifierMac: public NetworkChangeNotifier {
  public:
   NetworkChangeNotifierMac();
@@ -83,14 +76,6 @@ class NetworkChangeNotifierMac: public NetworkChangeNotifier {
   Forwarder forwarder_;
   std::unique_ptr<const NetworkConfigWatcherMac> config_watcher_;
 
-#if !defined(OS_IOS)
-  // |dns_config_service_| will live on this runner.
-  scoped_refptr<base::SequencedTaskRunner> dns_config_service_runner_;
-  // DnsConfigService that lives on |dns_config_service_runner_|.
-  std::unique_ptr<DnsConfigService, base::OnTaskRunnerDeleter>
-      dns_config_service_;
-#endif
-
   DISALLOW_COPY_AND_ASSIGN(NetworkChangeNotifierMac);
 };
 
diff --git a/chromium/net/base/network_change_notifier_posix.cc b/chromium/net/base/network_change_notifier_posix.cc
index adb09dc4cd5..c5aa68d40ac 100644
--- a/chromium/net/base/network_change_notifier_posix.cc
+++ b/chromium/net/base/network_change_notifier_posix.cc
@@ -3,14 +3,15 @@
 // found in the LICENSE file.
 
 #include <string>
+#include <utility>
 
 #include "base/bind.h"
-#include "base/sequenced_task_runner.h"
 #include "base/task/post_task.h"
 #include "base/task/task_traits.h"
 #include "build/build_config.h"
 #include "net/base/network_change_notifier_posix.h"
 #include "net/dns/dns_config_service_posix.h"
+#include "net/dns/system_dns_config_change_notifier.h"
 
 #if defined(OS_ANDROID)
 #include "net/android/network_change_notifier_android.h"
@@ -18,65 +19,21 @@
 
 namespace net {
 
-// DNS config services on Chrome OS and Android are signalled by the network
-// state handler rather than relying on watching files in /etc.
-class NetworkChangeNotifierPosix::DnsConfigService
-    : public net::internal::DnsConfigServicePosix {
- public:
-  DnsConfigService() = default;
-  ~DnsConfigService() override = default;
-
-  // net::internal::DnsConfigService() overrides.
-  bool StartWatching() override {
-    CreateReaders();
-    // DNS config changes are handled and notified by the network
-    // state handlers.
-    return true;
-  }
-
-  void OnNetworkChange() {
-    InvalidateConfig();
-    InvalidateHosts();
-    ReadNow();
-  }
-};
-
 NetworkChangeNotifierPosix::NetworkChangeNotifierPosix(
     NetworkChangeNotifier::ConnectionType initial_connection_type,
     NetworkChangeNotifier::ConnectionSubtype initial_connection_subtype)
     : NetworkChangeNotifier(NetworkChangeCalculatorParamsPosix()),
-      dns_config_service_runner_(
-          base::CreateSequencedTaskRunnerWithTraits({base::MayBlock()})),
-      dns_config_service_(
-          new DnsConfigService(),
-          // Ensure DnsConfigService lives on |dns_config_service_runner_|
-          // to prevent races where NetworkChangeNotifierPosix outlives
-          // ScopedTaskEnvironment. https://crbug.com/938126
-          base::OnTaskRunnerDeleter(dns_config_service_runner_)),
       connection_type_(initial_connection_type),
       max_bandwidth_mbps_(
           NetworkChangeNotifier::GetMaxBandwidthMbpsForConnectionSubtype(
-              initial_connection_subtype)) {
-  dns_config_service_runner_->PostTask(
-      FROM_HERE,
-      base::BindOnce(
-          &NetworkChangeNotifierPosix::DnsConfigService::WatchConfig,
-          base::Unretained(dns_config_service_.get()),
-          base::BindRepeating(&NetworkChangeNotifier::SetDnsConfig)));
-  OnDNSChanged();
-}
+              initial_connection_subtype)) {}
 
 NetworkChangeNotifierPosix::~NetworkChangeNotifierPosix() {
   ClearGlobalPointer();
 }
 
 void NetworkChangeNotifierPosix::OnDNSChanged() {
-  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-  dns_config_service_runner_->PostTask(
-      FROM_HERE,
-      base::BindOnce(
-          &NetworkChangeNotifierPosix::DnsConfigService::OnNetworkChange,
-          base::Unretained(dns_config_service_.get())));
+  system_dns_config_notifier()->RefreshConfig();
 }
 
 void NetworkChangeNotifierPosix::OnIPAddressChanged() {
diff --git a/chromium/net/base/network_change_notifier_posix.h b/chromium/net/base/network_change_notifier_posix.h
index eefd15f2c58..76171243881 100644
--- a/chromium/net/base/network_change_notifier_posix.h
+++ b/chromium/net/base/network_change_notifier_posix.h
@@ -18,11 +18,6 @@
 #include "net/base/net_export.h"
 #include "net/base/network_change_notifier.h"
 
-namespace base {
-class SequencedTaskRunner;
-struct OnTaskRunnerDeleter;
-}  // namespace base
-
 namespace net {
 
 // A NetworkChangeNotifier that needs to be told about network changes by some
@@ -57,14 +52,6 @@ class NET_EXPORT NetworkChangeNotifierPosix : public NetworkChangeNotifier {
  private:
   friend class NetworkChangeNotifierPosixTest;
 
-  class DnsConfigService;
-
-  // |dns_config_service_| will live on this runner.
-  scoped_refptr<base::SequencedTaskRunner> dns_config_service_runner_;
-  // DnsConfigService that lives on |dns_config_service_runner_|.
-  std::unique_ptr<DnsConfigService, base::OnTaskRunnerDeleter>
-      dns_config_service_;
-
   // Calculates parameters used for network change notifier online/offline
   // signals.
   static NetworkChangeNotifier::NetworkChangeCalculatorParams
diff --git a/chromium/net/base/network_change_notifier_posix_unittest.cc b/chromium/net/base/network_change_notifier_posix_unittest.cc
index c540877f651..682fb2e00d0 100644
--- a/chromium/net/base/network_change_notifier_posix_unittest.cc
+++ b/chromium/net/base/network_change_notifier_posix_unittest.cc
@@ -4,8 +4,12 @@
 
 #include "net/base/network_change_notifier_posix.h"
 
+#include <utility>
+
 #include "base/test/scoped_task_environment.h"
 #include "net/base/network_change_notifier.h"
+#include "net/dns/system_dns_config_change_notifier.h"
+#include "net/dns/test_dns_config_service.h"
 #include "testing/gmock/include/gmock/gmock.h"
 
 namespace net {
@@ -14,21 +18,28 @@ class NetworkChangeNotifierPosixTest : public testing::Test {
  public:
   NetworkChangeNotifierPosixTest()
       : scoped_task_environment_(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME),
         notifier_(new NetworkChangeNotifierPosix(
             NetworkChangeNotifier::CONNECTION_UNKNOWN,
-            NetworkChangeNotifier::SUBTYPE_UNKNOWN)) {}
+            NetworkChangeNotifier::SUBTYPE_UNKNOWN)) {
+    auto dns_config_service = std::make_unique<TestDnsConfigService>();
+    dns_config_service_ = dns_config_service.get();
+    notifier_->system_dns_config_notifier()->SetDnsConfigServiceForTesting(
+        std::move(dns_config_service));
+  }
 
   void FastForwardUntilIdle() {
     scoped_task_environment_.FastForwardUntilNoTasksRemain();
   }
 
   NetworkChangeNotifierPosix* notifier() { return notifier_.get(); }
+  TestDnsConfigService* dns_config_service() { return dns_config_service_; }
 
  private:
   base::test::ScopedTaskEnvironment scoped_task_environment_;
   net::NetworkChangeNotifier::DisableForTest mock_notifier_disabler_;
   std::unique_ptr<NetworkChangeNotifierPosix> notifier_;
+  TestDnsConfigService* dns_config_service_;
 };
 
 class MockIPAddressObserver : public NetworkChangeNotifier::IPAddressObserver {
@@ -86,4 +97,17 @@ TEST_F(NetworkChangeNotifierPosixTest, OnMaxBandwidthChanged) {
   NetworkChangeNotifier::RemoveMaxBandwidthObserver(&observer);
 }
 
+TEST_F(NetworkChangeNotifierPosixTest, OnDNSChanged) {
+  DnsConfig expected_config;
+  expected_config.nameservers = {IPEndPoint(IPAddress(1, 2, 3, 4), 233)};
+  dns_config_service()->SetConfigForRefresh(expected_config);
+
+  notifier()->OnDNSChanged();
+  FastForwardUntilIdle();
+
+  DnsConfig actual_config;
+  NetworkChangeNotifier::GetDnsConfig(&actual_config);
+  EXPECT_EQ(expected_config, actual_config);
+}
+
 }  // namespace net
diff --git a/chromium/net/base/network_change_notifier_win.cc b/chromium/net/base/network_change_notifier_win.cc
index 44336d60c12..e39014bd214 100644
--- a/chromium/net/base/network_change_notifier_win.cc
+++ b/chromium/net/base/network_change_notifier_win.cc
@@ -7,6 +7,8 @@
 #include <iphlpapi.h>
 #include <winsock2.h>
 
+#include <utility>
+
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
@@ -22,7 +24,6 @@
 #include "base/time/time.h"
 #include "net/base/winsock_init.h"
 #include "net/base/winsock_util.h"
-#include "net/dns/dns_config_service.h"
 
 namespace net {
 
@@ -37,14 +38,8 @@ NetworkChangeNotifierWin::NetworkChangeNotifierWin()
     : NetworkChangeNotifier(NetworkChangeCalculatorParamsWin()),
       is_watching_(false),
       sequential_failures_(0),
-      dns_config_service_runner_(
+      blocking_task_runner_(
           base::CreateSequencedTaskRunnerWithTraits({base::MayBlock()})),
-      dns_config_service_(
-          DnsConfigService::CreateSystemService().release(),
-          // Ensure DnsConfigService lives on |dns_config_service_runner_|
-          // to prevent races where NetworkChangeNotifierWin outlives
-          // ScopedTaskEnvironment. https://crbug.com/938126
-          base::OnTaskRunnerDeleter(dns_config_service_runner_)),
       last_computed_connection_type_(RecomputeCurrentConnectionType()),
       last_announced_offline_(last_computed_connection_type_ ==
                               CONNECTION_NONE),
@@ -194,12 +189,12 @@ NetworkChangeNotifierWin::RecomputeCurrentConnectionType() const {
                           : NetworkChangeNotifier::CONNECTION_NONE;
 }
 
-void NetworkChangeNotifierWin::RecomputeCurrentConnectionTypeOnDnsSequence(
+void NetworkChangeNotifierWin::RecomputeCurrentConnectionTypeOnBlockingSequence(
     base::OnceCallback<void(ConnectionType)> reply_callback) const {
   // Unretained is safe in this call because this object owns the thread and the
   // thread is stopped in this object's destructor.
   base::PostTaskAndReplyWithResult(
-      dns_config_service_runner_.get(), FROM_HERE,
+      blocking_task_runner_.get(), FROM_HERE,
       base::BindOnce(&NetworkChangeNotifierWin::RecomputeCurrentConnectionType,
                      base::Unretained(this)),
       std::move(reply_callback));
@@ -225,7 +220,7 @@ void NetworkChangeNotifierWin::OnObjectSignaled(HANDLE object) {
   // Start watching for the next address change.
   WatchForAddressChange();
 
-  RecomputeCurrentConnectionTypeOnDnsSequence(base::BindOnce(
+  RecomputeCurrentConnectionTypeOnBlockingSequence(base::BindOnce(
       &NetworkChangeNotifierWin::NotifyObservers, weak_factory_.GetWeakPtr()));
 }
 
@@ -277,7 +272,7 @@ void NetworkChangeNotifierWin::WatchForAddressChange() {
   // network change event, since network changes were not being observed in
   // that interval.
   if (sequential_failures_ > 0) {
-    RecomputeCurrentConnectionTypeOnDnsSequence(
+    RecomputeCurrentConnectionTypeOnBlockingSequence(
         base::Bind(&NetworkChangeNotifierWin::NotifyObservers,
                    weak_factory_.GetWeakPtr()));
   }
@@ -294,15 +289,6 @@ void NetworkChangeNotifierWin::WatchForAddressChange() {
 bool NetworkChangeNotifierWin::WatchForAddressChangeInternal() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
-  if (!posted_watch_config_) {
-    posted_watch_config_ = true;
-    dns_config_service_runner_->PostTask(
-        FROM_HERE, base::BindOnce(&DnsConfigService::WatchConfig,
-                                  base::Unretained(dns_config_service_.get()),
-                                  base::BindRepeating(
-                                      &NetworkChangeNotifier::SetDnsConfig)));
-  }
-
   ResetEventIfSignaled(addr_overlapped_.hEvent);
   HANDLE handle = nullptr;
   DWORD ret = NotifyAddrChange(&handle, &addr_overlapped_);
@@ -314,7 +300,7 @@ bool NetworkChangeNotifierWin::WatchForAddressChangeInternal() {
 }
 
 void NetworkChangeNotifierWin::NotifyParentOfConnectionTypeChange() {
-  RecomputeCurrentConnectionTypeOnDnsSequence(base::BindOnce(
+  RecomputeCurrentConnectionTypeOnBlockingSequence(base::BindOnce(
       &NetworkChangeNotifierWin::NotifyParentOfConnectionTypeChangeImpl,
       weak_factory_.GetWeakPtr()));
 }
diff --git a/chromium/net/base/network_change_notifier_win.h b/chromium/net/base/network_change_notifier_win.h
index e7a00b9cd71..ca8a28e51df 100644
--- a/chromium/net/base/network_change_notifier_win.h
+++ b/chromium/net/base/network_change_notifier_win.h
@@ -22,13 +22,10 @@
 
 namespace base {
 class SequencedTaskRunner;
-struct OnTaskRunnerDeleter;
 }  // namespace base
 
 namespace net {
 
-class DnsConfigService;
-
 // NetworkChangeNotifierWin uses a SequenceChecker, as all its internal
 // notification code must be called on the sequence it is created and destroyed
 // on.  All the NetworkChangeNotifier methods it implements are threadsafe.
@@ -37,6 +34,7 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierWin
       public base::win::ObjectWatcher::Delegate {
  public:
   NetworkChangeNotifierWin();
+  ~NetworkChangeNotifierWin() override;
 
   // Begins listening for a single subsequent address change.  If it fails to
   // start watching, it retries on a timer.  Must be called only once, on the
@@ -48,8 +46,6 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierWin
   void WatchForAddressChange();
 
  protected:
-  ~NetworkChangeNotifierWin() override;
-
   // For unit tests only.
   bool is_watching() { return is_watching_; }
   void set_is_watching(bool is_watching) { is_watching_ = is_watching; }
@@ -71,7 +67,7 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierWin
 
   // Calls RecomputeCurrentConnectionTypeImpl on the DNS sequence and runs
   // |reply_callback| with the type on the calling sequence.
-  virtual void RecomputeCurrentConnectionTypeOnDnsSequence(
+  virtual void RecomputeCurrentConnectionTypeOnBlockingSequence(
       base::OnceCallback<void(ConnectionType)> reply_callback) const;
 
   void SetCurrentConnectionType(ConnectionType connection_type);
@@ -109,11 +105,7 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierWin
   // Number of times WatchForAddressChange has failed in a row.
   int sequential_failures_;
 
-  // |dns_config_service_| will live on this runner.
-  scoped_refptr<base::SequencedTaskRunner> dns_config_service_runner_;
-  // DnsConfigService that lives on |dns_config_service_runner_|.
-  std::unique_ptr<DnsConfigService, base::OnTaskRunnerDeleter>
-      dns_config_service_;
+  scoped_refptr<base::SequencedTaskRunner> blocking_task_runner_;
 
   mutable base::Lock last_computed_connection_type_lock_;
   ConnectionType last_computed_connection_type_;
@@ -124,9 +116,6 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierWin
   // Number of times polled to check if still offline.
   int offline_polls_;
 
-  // Keeps track of whether DnsConfigService::WatchConfig() has been called.
-  bool posted_watch_config_ = false;
-
   SEQUENCE_CHECKER(sequence_checker_);
 
   // Used for calling WatchForAddressChange again on failure.
diff --git a/chromium/net/base/network_change_notifier_win_unittest.cc b/chromium/net/base/network_change_notifier_win_unittest.cc
index 0d512053c2d..1f2d4bd5fdd 100644
--- a/chromium/net/base/network_change_notifier_win_unittest.cc
+++ b/chromium/net/base/network_change_notifier_win_unittest.cc
@@ -4,6 +4,8 @@
 
 #include "net/base/network_change_notifier_win.h"
 
+#include <utility>
+
 #include "base/bind.h"
 #include "base/macros.h"
 #include "base/run_loop.h"
@@ -43,7 +45,7 @@ class TestNetworkChangeNotifierWin : public NetworkChangeNotifierWin {
   }
 
   // From NetworkChangeNotifierWin.
-  void RecomputeCurrentConnectionTypeOnDnsSequence(
+  void RecomputeCurrentConnectionTypeOnBlockingSequence(
       base::OnceCallback<void(ConnectionType)> reply_callback) const override {
     base::ThreadTaskRunnerHandle::Get()->PostTask(
         FROM_HERE, base::BindOnce(std::move(reply_callback),
diff --git a/chromium/net/base/network_interfaces_win.cc b/chromium/net/base/network_interfaces_win.cc
index 6c3dde17188..c8b9fe09be3 100644
--- a/chromium/net/base/network_interfaces_win.cc
+++ b/chromium/net/base/network_interfaces_win.cc
@@ -15,6 +15,7 @@
 #include "base/strings/sys_string_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/scoped_blocking_call.h"
+#include "base/threading/scoped_thread_priority.h"
 #include "base/win/scoped_handle.h"
 #include "net/base/escape.h"
 #include "net/base/ip_endpoint.h"
@@ -103,11 +104,12 @@ WlanApi& WlanApi::GetInstance() {
 }
 
 WlanApi::WlanApi() : initialized(false) {
-  // Use an absolute path to load the DLL to avoid DLL preloading attacks.
-  static const wchar_t* const kDLL = L"%WINDIR%\\system32\\wlanapi.dll";
-  wchar_t path[MAX_PATH] = {0};
-  ExpandEnvironmentStrings(kDLL, path, base::size(path));
-  module = ::LoadLibraryEx(path, nullptr, LOAD_WITH_ALTERED_SEARCH_PATH);
+  // Mitigate the issues caused by loading DLLs on a background thread
+  // (http://crbug/973868).
+  base::ScopedThreadMayLoadLibraryOnBackgroundThread priority_boost(FROM_HERE);
+
+  HMODULE module =
+      ::LoadLibraryEx(L"wlanapi.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32);
   if (!module)
     return;
 
diff --git a/chromium/net/base/network_isolation_key.cc b/chromium/net/base/network_isolation_key.cc
index 183c87f5260..646d615c666 100644
--- a/chromium/net/base/network_isolation_key.cc
+++ b/chromium/net/base/network_isolation_key.cc
@@ -3,14 +3,32 @@
 // found in the LICENSE file.
 
 #include "net/base/network_isolation_key.h"
+#include "base/feature_list.h"
+#include "net/base/features.h"
 
 namespace net {
 
-NetworkIsolationKey::NetworkIsolationKey(
-    const base::Optional<url::Origin>& top_frame_origin)
-    : top_frame_origin_(top_frame_origin) {}
+namespace {
+
+std::string GetOriginDebugString(const base::Optional<url::Origin>& origin) {
+  return origin ? origin->GetDebugString() : "null";
+}
 
-NetworkIsolationKey::NetworkIsolationKey() = default;
+}  // namespace
+
+NetworkIsolationKey::NetworkIsolationKey(const url::Origin& top_frame_origin,
+                                         const url::Origin& frame_origin)
+    : use_frame_origin_(base::FeatureList::IsEnabled(
+          net::features::kAppendFrameOriginToNetworkIsolationKey)),
+      top_frame_origin_(top_frame_origin) {
+  if (use_frame_origin_) {
+    frame_origin_ = frame_origin;
+  }
+}
+
+NetworkIsolationKey::NetworkIsolationKey()
+    : use_frame_origin_(base::FeatureList::IsEnabled(
+          net::features::kAppendFrameOriginToNetworkIsolationKey)) {}
 
 NetworkIsolationKey::NetworkIsolationKey(
     const NetworkIsolationKey& network_isolation_key) = default;
@@ -24,25 +42,37 @@ NetworkIsolationKey& NetworkIsolationKey::operator=(
     NetworkIsolationKey&& network_isolation_key) = default;
 
 std::string NetworkIsolationKey::ToString() const {
-  if (top_frame_origin_ && !top_frame_origin_->opaque())
-    return top_frame_origin_->Serialize();
-  return std::string();
+  if (IsTransient())
+    return "";
+
+  return top_frame_origin_->Serialize() +
+         (use_frame_origin_ ? " " + frame_origin_->Serialize() : "");
 }
 
 std::string NetworkIsolationKey::ToDebugString() const {
-  if (!top_frame_origin_)
-    return "null";
-  return top_frame_origin_->GetDebugString();
+  // The space-separated serialization of |top_frame_origin_| and
+  // |frame_origin_|.
+  std::string return_string = GetOriginDebugString(top_frame_origin_);
+  if (use_frame_origin_) {
+    return_string += " " + GetOriginDebugString(frame_origin_);
+  }
+  return return_string;
 }
 
 bool NetworkIsolationKey::IsFullyPopulated() const {
-  return top_frame_origin_.has_value();
+  return top_frame_origin_.has_value() &&
+         (!use_frame_origin_ || frame_origin_.has_value());
 }
 
 bool NetworkIsolationKey::IsTransient() const {
   if (!IsFullyPopulated())
     return true;
-  return top_frame_origin_->opaque();
+  return top_frame_origin_->opaque() ||
+         (use_frame_origin_ && frame_origin_->opaque());
+}
+
+bool NetworkIsolationKey::IsEmpty() const {
+  return !top_frame_origin_.has_value();
 }
 
 }  // namespace net
diff --git a/chromium/net/base/network_isolation_key.h b/chromium/net/base/network_isolation_key.h
index ced5858a40c..82bfba04cfc 100644
--- a/chromium/net/base/network_isolation_key.h
+++ b/chromium/net/base/network_isolation_key.h
@@ -18,7 +18,10 @@ namespace net {
 // the context on which they were made.
 class NET_EXPORT NetworkIsolationKey {
  public:
-  NetworkIsolationKey(const base::Optional<url::Origin>& top_frame_origin);
+  // Full constructor.  When a request is initiated by the top frame, it must
+  // also populate the |frame_origin| parameter when calling this constructor.
+  explicit NetworkIsolationKey(const url::Origin& top_frame_origin,
+                               const url::Origin& frame_origin);
 
   // Construct an empty key.
   NetworkIsolationKey();
@@ -31,18 +34,27 @@ class NET_EXPORT NetworkIsolationKey {
       const NetworkIsolationKey& network_isolation_key);
   NetworkIsolationKey& operator=(NetworkIsolationKey&& network_isolation_key);
 
+  // Compare keys for equality, true if all enabled fields are equal.
   bool operator==(const NetworkIsolationKey& other) const {
-    return top_frame_origin_ == other.top_frame_origin_;
+    return top_frame_origin_ == other.top_frame_origin_ &&
+           frame_origin_ == other.frame_origin_;
   }
 
-  bool operator<(const NetworkIsolationKey& other) const {
-    return top_frame_origin_ < other.top_frame_origin_;
+  // Compare keys for inequality, true if any enabled field varies.
+  bool operator!=(const NetworkIsolationKey& other) const {
+    return (top_frame_origin_ != other.top_frame_origin_) ||
+           (frame_origin_ != other.frame_origin_);
   }
 
-  // TODO(shivanisha): Use feature flags in the below methods to determine which
-  // parts of the key are being used based on the enabled experiment.
+  // Provide an ordering for keys based on all enabled fields.
+  bool operator<(const NetworkIsolationKey& other) const {
+    return top_frame_origin_ < other.top_frame_origin_ ||
+           (top_frame_origin_ == other.top_frame_origin_ &&
+            frame_origin_ < other.frame_origin_);
+  }
 
-  // Returns the string representation of the key.
+  // Returns the string representation of the key, which is the string
+  // representation of each piece of the key separated by spaces.
   std::string ToString() const;
 
   // Returns string for debugging. Difference from ToString() is that transient
@@ -56,11 +68,27 @@ class NET_EXPORT NetworkIsolationKey {
   // to persist state to disk related to it (e.g., disk cache).
   bool IsTransient() const;
 
+  // APIs for serialization to and from the mojo structure.
+  const base::Optional<url::Origin>& GetTopFrameOrigin() const {
+    return top_frame_origin_;
+  }
+
+  const base::Optional<url::Origin>& GetFrameOrigin() const {
+    return frame_origin_;
+  }
+
+  // Returns true if all parts of the key are empty.
+  bool IsEmpty() const;
+
  private:
-  // The origin of the top frame of the request (if applicable).
+  // Whether or not to use the |frame_origin_| as part of the key.
+  bool use_frame_origin_;
+
+  // The origin of the top frame of the page making the request.
   base::Optional<url::Origin> top_frame_origin_;
 
-  // TODO(crbug.com/950069): Also add initiator origin to the key.
+  // The origin of the frame that initiates the request.
+  base::Optional<url::Origin> frame_origin_;
 };
 
 }  // namespace net
diff --git a/chromium/net/base/network_isolation_key_unittest.cc b/chromium/net/base/network_isolation_key_unittest.cc
index 74549a84e7f..c3b52dc724d 100644
--- a/chromium/net/base/network_isolation_key_unittest.cc
+++ b/chromium/net/base/network_isolation_key_unittest.cc
@@ -5,6 +5,8 @@
 #include "net/base/network_isolation_key.h"
 
 #include "base/stl_util.h"
+#include "base/test/scoped_feature_list.h"
+#include "net/base/features.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 #include "url/origin.h"
@@ -21,7 +23,7 @@ TEST(NetworkIsolationKeyTest, EmptyKey) {
 
 TEST(NetworkIsolationKeyTest, NonEmptyKey) {
   url::Origin origin = url::Origin::Create(GURL("http://a.test/"));
-  NetworkIsolationKey key(origin);
+  NetworkIsolationKey key(origin, origin);
   EXPECT_TRUE(key.IsFullyPopulated());
   EXPECT_EQ(origin.Serialize(), key.ToString());
   EXPECT_FALSE(key.IsTransient());
@@ -31,16 +33,16 @@ TEST(NetworkIsolationKeyTest, NonEmptyKey) {
 TEST(NetworkIsolationKeyTest, OpaqueOriginKey) {
   url::Origin origin_data =
       url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
-  NetworkIsolationKey key(origin_data);
+  NetworkIsolationKey key(origin_data, origin_data);
   EXPECT_TRUE(key.IsFullyPopulated());
   EXPECT_EQ(std::string(), key.ToString());
   EXPECT_TRUE(key.IsTransient());
 
   // Create another opaque origin, and make sure it has a different debug
   // string.
-  EXPECT_NE(
-      key.ToDebugString(),
-      NetworkIsolationKey(origin_data.DeriveNewOpaqueOrigin()).ToDebugString());
+  const auto kOriginNew = origin_data.DeriveNewOpaqueOrigin();
+  EXPECT_NE(key.ToDebugString(),
+            NetworkIsolationKey(kOriginNew, kOriginNew).ToDebugString());
 }
 
 TEST(NetworkIsolationKeyTest, Operators) {
@@ -50,11 +52,16 @@ TEST(NetworkIsolationKeyTest, Operators) {
       // Unique origins are still sorted by scheme, so data is before file, and
       // file before http.
       NetworkIsolationKey(
+          url::Origin::Create(GURL("data:text/html,<body>Hello World</body>")),
           url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"))),
-      NetworkIsolationKey(url::Origin::Create(GURL("file:///foo"))),
-      NetworkIsolationKey(url::Origin::Create(GURL("http://a.test/"))),
-      NetworkIsolationKey(url::Origin::Create(GURL("http://b.test/"))),
-      NetworkIsolationKey(url::Origin::Create(GURL("https://a.test/"))),
+      NetworkIsolationKey(url::Origin::Create(GURL("file:///foo")),
+                          url::Origin::Create(GURL("file:///foo"))),
+      NetworkIsolationKey(url::Origin::Create(GURL("http://a.test/")),
+                          url::Origin::Create(GURL("http://a.test/"))),
+      NetworkIsolationKey(url::Origin::Create(GURL("http://b.test/")),
+                          url::Origin::Create(GURL("http://b.test/"))),
+      NetworkIsolationKey(url::Origin::Create(GURL("https://a.test/")),
+                          url::Origin::Create(GURL("https://a.test/"))),
   };
 
   for (size_t first = 0; first < base::size(kKeys); ++first) {
@@ -84,10 +91,12 @@ TEST(NetworkIsolationKeyTest, Operators) {
 }
 
 TEST(NetworkIsolationKeyTest, UniqueOriginOperators) {
-  NetworkIsolationKey key1(
-      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>")));
-  NetworkIsolationKey key2(
-      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>")));
+  const auto kOrigin1 =
+      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
+  const auto kOrigin2 =
+      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
+  NetworkIsolationKey key1(kOrigin1, kOrigin1);
+  NetworkIsolationKey key2(kOrigin2, kOrigin2);
 
   EXPECT_TRUE(key1 == key1);
   EXPECT_TRUE(key2 == key2);
@@ -104,4 +113,126 @@ TEST(NetworkIsolationKeyTest, UniqueOriginOperators) {
   EXPECT_TRUE(!(key1 < key2) || !(key2 < key1));
 }
 
+TEST(NetworkIsolationKeyTest, WithFrameOrigin) {
+  const auto kOriginA = url::Origin::Create(GURL("http://a.test"));
+  const auto kOriginB = url::Origin::Create(GURL("http://b.test"));
+  NetworkIsolationKey key1(kOriginB, kOriginB);
+  NetworkIsolationKey key2(kOriginB, kOriginA);
+  EXPECT_TRUE(key2.IsFullyPopulated());
+  EXPECT_FALSE(key2.IsTransient());
+  EXPECT_EQ("http://b.test", key2.ToString());
+  EXPECT_EQ("http://b.test", key2.ToDebugString());
+
+  EXPECT_TRUE(key1 == key2);
+  EXPECT_FALSE(key1 != key2);
+  EXPECT_FALSE(key1 < key2);
+  EXPECT_FALSE(key2 < key1);
+}
+
+TEST(NetworkIsolationKeyTest, OpaqueOriginKeyWithFrameOrigin) {
+  url::Origin origin_data =
+      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
+
+  NetworkIsolationKey key1(url::Origin::Create(GURL("http://a.test")),
+                           origin_data);
+  EXPECT_TRUE(key1.IsFullyPopulated());
+  EXPECT_FALSE(key1.IsTransient());
+  EXPECT_EQ("http://a.test", key1.ToString());
+  EXPECT_EQ("http://a.test", key1.ToDebugString());
+
+  NetworkIsolationKey key2(origin_data,
+                           url::Origin::Create(GURL("http://a.test")));
+  EXPECT_TRUE(key2.IsFullyPopulated());
+  EXPECT_TRUE(key2.IsTransient());
+  EXPECT_EQ("", key2.ToString());
+  EXPECT_EQ(origin_data.GetDebugString(), key2.ToDebugString());
+  EXPECT_NE(origin_data.DeriveNewOpaqueOrigin().GetDebugString(),
+            key2.ToDebugString());
+}
+
+class NetworkIsolationKeyWithFrameOriginTest : public testing::Test {
+ public:
+  NetworkIsolationKeyWithFrameOriginTest() {
+    feature_list_.InitAndEnableFeature(
+        net::features::kAppendFrameOriginToNetworkIsolationKey);
+  }
+
+ private:
+  base::test::ScopedFeatureList feature_list_;
+};
+
+TEST_F(NetworkIsolationKeyWithFrameOriginTest, WithFrameOrigin) {
+  NetworkIsolationKey key(url::Origin::Create(GURL("http://b.test")),
+                          url::Origin::Create(GURL("http://a.test/")));
+  EXPECT_TRUE(key.IsFullyPopulated());
+  EXPECT_FALSE(key.IsTransient());
+  EXPECT_EQ("http://b.test http://a.test", key.ToString());
+  EXPECT_EQ("http://b.test http://a.test", key.ToDebugString());
+
+  EXPECT_TRUE(key == key);
+  EXPECT_FALSE(key != key);
+  EXPECT_FALSE(key < key);
+}
+
+TEST_F(NetworkIsolationKeyWithFrameOriginTest, OpaqueOriginKey) {
+  url::Origin origin_data =
+      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
+
+  NetworkIsolationKey key1(url::Origin::Create(GURL("http://a.test")),
+                           origin_data);
+  EXPECT_TRUE(key1.IsFullyPopulated());
+  EXPECT_TRUE(key1.IsTransient());
+  EXPECT_EQ("", key1.ToString());
+  EXPECT_EQ("http://a.test " + origin_data.GetDebugString(),
+            key1.ToDebugString());
+  EXPECT_NE(
+      "http://a.test " + origin_data.DeriveNewOpaqueOrigin().GetDebugString(),
+      key1.ToDebugString());
+
+  NetworkIsolationKey key2(origin_data,
+                           url::Origin::Create(GURL("http://a.test")));
+  EXPECT_TRUE(key2.IsFullyPopulated());
+  EXPECT_TRUE(key2.IsTransient());
+  EXPECT_EQ("", key2.ToString());
+  EXPECT_EQ(origin_data.GetDebugString() + " http://a.test",
+            key2.ToDebugString());
+  EXPECT_NE(
+      origin_data.DeriveNewOpaqueOrigin().GetDebugString() + " http://a.test",
+      key2.ToDebugString());
+}
+
+TEST_F(NetworkIsolationKeyWithFrameOriginTest, OpaqueOriginKeyBoth) {
+  url::Origin origin_data_1 =
+      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
+  url::Origin origin_data_2 =
+      url::Origin::Create(GURL("data:text/html,<body>Hello Universe</body>"));
+  url::Origin origin_data_3 =
+      url::Origin::Create(GURL("data:text/html,<body>Hello Cosmos</body>"));
+
+  NetworkIsolationKey key1(origin_data_1, origin_data_2);
+  NetworkIsolationKey key2(origin_data_1, origin_data_2);
+  NetworkIsolationKey key3(origin_data_1, origin_data_3);
+
+  // All the keys should be fully populated and transient.
+  EXPECT_TRUE(key1.IsFullyPopulated());
+  EXPECT_TRUE(key2.IsFullyPopulated());
+  EXPECT_TRUE(key3.IsFullyPopulated());
+  EXPECT_TRUE(key1.IsTransient());
+  EXPECT_TRUE(key2.IsTransient());
+  EXPECT_TRUE(key3.IsTransient());
+
+  // Test the equality/comparisons of the various keys
+  EXPECT_TRUE(key1 == key2);
+  EXPECT_FALSE(key1 == key3);
+  EXPECT_FALSE(key1 < key2 || key2 < key1);
+  EXPECT_TRUE(key1 < key3 || key3 < key1);
+
+  // Test the ToString and ToDebugString
+  EXPECT_EQ(key1.ToDebugString(), key2.ToDebugString());
+  EXPECT_NE(key1.ToDebugString(), key3.ToDebugString());
+  EXPECT_EQ("", key1.ToString());
+  EXPECT_EQ("", key2.ToString());
+  EXPECT_EQ("", key3.ToString());
+}
+
 }  // namespace net
diff --git a/chromium/net/base/network_notification_thread_mac.cc b/chromium/net/base/network_notification_thread_mac.cc
new file mode 100644
index 00000000000..436b99b6ca4
--- /dev/null
+++ b/chromium/net/base/network_notification_thread_mac.cc
@@ -0,0 +1,51 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/network_notification_thread_mac.h"
+
+#include "base/no_destructor.h"
+#include "base/threading/thread.h"
+
+namespace net {
+
+namespace {
+
+class NotificationThreadMac {
+ public:
+  scoped_refptr<base::SingleThreadTaskRunner> task_runner() const {
+    return task_runner_;
+  }
+
+ private:
+  friend base::NoDestructor<NotificationThreadMac>;
+
+  NotificationThreadMac() : thread_("NetworkNotificationThreadMac") {
+    base::Thread::Options options;
+    options.message_loop_type = base::MessageLoop::TYPE_UI;
+    options.joinable = false;
+    thread_.StartWithOptions(options);
+    task_runner_ = thread_.task_runner();
+    thread_.DetachFromSequence();
+  }
+
+  ~NotificationThreadMac() = delete;
+
+  // The |thread_| object is not thread-safe. This should not be accessed
+  // outside the constructor.
+  base::Thread thread_;
+
+  // Saved TaskRunner handle that can be accessed from any thread.
+  scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
+
+  DISALLOW_COPY_AND_ASSIGN(NotificationThreadMac);
+};
+
+}  // namespace
+
+scoped_refptr<base::SingleThreadTaskRunner> GetNetworkNotificationThreadMac() {
+  static base::NoDestructor<NotificationThreadMac> notification_thread;
+  return notification_thread->task_runner();
+}
+
+}  // namespace net
diff --git a/chromium/net/base/network_notification_thread_mac.h b/chromium/net/base/network_notification_thread_mac.h
new file mode 100644
index 00000000000..8ced7568203
--- /dev/null
+++ b/chromium/net/base/network_notification_thread_mac.h
@@ -0,0 +1,20 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_NETWORK_NOTIFICATION_THREAD_MAC_H_
+#define NET_BASE_NETWORK_NOTIFICATION_THREAD_MAC_H_
+
+#include "base/single_thread_task_runner.h"
+
+namespace net {
+
+// Returns a TaskRunner that runs on a TYPE_UI thread, for macOS notification
+// APIs that require a CFRunLoop. The thread is not joined on shutdown (like
+// TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN), so any users of this thread
+// must take care not to access invalid objects during shutdown.
+scoped_refptr<base::SingleThreadTaskRunner> GetNetworkNotificationThreadMac();
+
+}  // namespace net
+
+#endif  // NET_BASE_NETWORK_NOTIFICATION_THREAD_MAC_H_
diff --git a/chromium/net/base/network_throttle_manager_impl.cc b/chromium/net/base/network_throttle_manager_impl.cc
index d5043bcf390..0c0e7ec5450 100644
--- a/chromium/net/base/network_throttle_manager_impl.cc
+++ b/chromium/net/base/network_throttle_manager_impl.cc
@@ -240,8 +240,8 @@ void NetworkThrottleManagerImpl::OnThrottleDestroyed(ThrottleImpl* throttle) {
       break;
   }
 
-  DCHECK(!base::ContainsValue(blocked_throttles_, throttle));
-  DCHECK(!base::ContainsValue(outstanding_throttles_, throttle));
+  DCHECK(!base::Contains(blocked_throttles_, throttle));
+  DCHECK(!base::Contains(outstanding_throttles_, throttle));
 
   // Unblock the throttles if there's some chance there's a throttle to
   // unblock.
diff --git a/chromium/net/base/port_util.h b/chromium/net/base/port_util.h
index 72d4b394ed6..b64b137be98 100644
--- a/chromium/net/base/port_util.h
+++ b/chromium/net/base/port_util.h
@@ -21,7 +21,7 @@ NET_EXPORT bool IsPortValid(int port);
 
 // Returns true if the port is in the range [0, 1023]. These ports are
 // registered by IANA and typically need root access to listen on.
-bool IsWellKnownPort(int port);
+NET_EXPORT bool IsWellKnownPort(int port);
 
 // Checks if the port is allowed for the specified scheme.  Ports set as allowed
 // with SetExplicitlyAllowedPorts() or by using ScopedPortException() will be
diff --git a/chromium/net/base/test_completion_callback.cc b/chromium/net/base/test_completion_callback.cc
index 3cd8957c685..7f88f799168 100644
--- a/chromium/net/base/test_completion_callback.cc
+++ b/chromium/net/base/test_completion_callback.cc
@@ -23,7 +23,8 @@ void TestCompletionCallbackBaseInternal::DidSetResult() {
 void TestCompletionCallbackBaseInternal::WaitForResult() {
   DCHECK(!run_loop_);
   if (!have_result_) {
-    run_loop_.reset(new base::RunLoop());
+    run_loop_ = std::make_unique<base::RunLoop>(
+        base::RunLoop::Type::kNestableTasksAllowed);
     run_loop_->Run();
     run_loop_.reset();
     DCHECK(have_result_);
diff --git a/chromium/net/base/upload_data_stream.cc b/chromium/net/base/upload_data_stream.cc
index 6804a1e794f..ed6c705d6ed 100644
--- a/chromium/net/base/upload_data_stream.cc
+++ b/chromium/net/base/upload_data_stream.cc
@@ -4,7 +4,6 @@
 
 #include "net/base/upload_data_stream.h"
 
-#include "base/bind.h"
 #include "base/logging.h"
 #include "base/values.h"
 #include "net/base/io_buffer.h"
@@ -15,10 +14,9 @@ namespace net {
 
 namespace {
 
-base::Value NetLogInitEndInfoCallback(int result,
-                                      int total_size,
-                                      bool is_chunked,
-                                      NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogInitEndInfoParams(int result,
+                                    int total_size,
+                                    bool is_chunked) {
   base::Value dict(base::Value::Type::DICTIONARY);
 
   dict.SetIntKey("net_error", result);
@@ -27,8 +25,7 @@ base::Value NetLogInitEndInfoCallback(int result,
   return dict;
 }
 
-base::Value NetLogReadInfoCallback(int current_position,
-                                   NetLogCaptureMode /* capture_mode */) {
+base::Value CreateReadInfoParams(int current_position) {
   base::Value dict(base::Value::Type::DICTIONARY);
 
   dict.SetIntKey("current_position", current_position);
@@ -76,7 +73,7 @@ int UploadDataStream::Read(IOBuffer* buf,
   DCHECK_GT(buf_len, 0);
 
   net_log_.BeginEvent(NetLogEventType::UPLOAD_DATA_STREAM_READ,
-                      base::Bind(&NetLogReadInfoCallback, current_position_));
+                      [&] { return CreateReadInfoParams(current_position_); });
 
   int result = 0;
   if (!is_eof_)
@@ -156,9 +153,9 @@ void UploadDataStream::OnInitCompleted(int result) {
       is_eof_ = true;
   }
 
-  net_log_.EndEvent(
-      NetLogEventType::UPLOAD_DATA_STREAM_INIT,
-      base::Bind(&NetLogInitEndInfoCallback, result, total_size_, is_chunked_));
+  net_log_.EndEvent(NetLogEventType::UPLOAD_DATA_STREAM_INIT, [&] {
+    return NetLogInitEndInfoParams(result, total_size_, is_chunked_);
+  });
 
   if (!callback_.is_null())
     std::move(callback_).Run(result);
diff --git a/chromium/net/base/upload_file_element_reader.cc b/chromium/net/base/upload_file_element_reader.cc
index adf4e74551c..b393600077a 100644
--- a/chromium/net/base/upload_file_element_reader.cc
+++ b/chromium/net/base/upload_file_element_reader.cc
@@ -38,8 +38,7 @@ UploadFileElementReader::UploadFileElementReader(
       content_length_(0),
       bytes_remaining_(0),
       next_state_(State::IDLE),
-      init_called_while_operation_pending_(false),
-      weak_ptr_factory_(this) {
+      init_called_while_operation_pending_(false) {
   DCHECK(file.IsValid());
   DCHECK(task_runner_.get());
   file_stream_ = std::make_unique<FileStream>(std::move(file), task_runner);
@@ -59,8 +58,7 @@ UploadFileElementReader::UploadFileElementReader(
       content_length_(0),
       bytes_remaining_(0),
       next_state_(State::IDLE),
-      init_called_while_operation_pending_(false),
-      weak_ptr_factory_(this) {
+      init_called_while_operation_pending_(false) {
   DCHECK(task_runner_.get());
 }
 
diff --git a/chromium/net/base/upload_file_element_reader.h b/chromium/net/base/upload_file_element_reader.h
index 190bbc4b8f1..706137af85e 100644
--- a/chromium/net/base/upload_file_element_reader.h
+++ b/chromium/net/base/upload_file_element_reader.h
@@ -129,7 +129,7 @@ class NET_EXPORT UploadFileElementReader : public UploadElementReader {
   // True if Init() was called while an async operation was in progress.
   bool init_called_while_operation_pending_;
 
-  base::WeakPtrFactory<UploadFileElementReader> weak_ptr_factory_;
+  base::WeakPtrFactory<UploadFileElementReader> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(UploadFileElementReader);
 };
diff --git a/chromium/net/cert/cert_verify_proc.cc b/chromium/net/cert/cert_verify_proc.cc
index 1fb2c2c5db9..906b843e3a9 100644
--- a/chromium/net/cert/cert_verify_proc.cc
+++ b/chromium/net/cert/cert_verify_proc.cc
@@ -19,6 +19,7 @@
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "crypto/sha2.h"
+#include "net/base/features.h"
 #include "net/base/net_errors.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/base/url_util.h"
@@ -30,6 +31,7 @@
 #include "net/cert/crl_set.h"
 #include "net/cert/internal/ocsp.h"
 #include "net/cert/internal/parse_certificate.h"
+#include "net/cert/internal/revocation_checker.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/known_roots.h"
 #include "net/cert/ocsp_revocation_status.h"
@@ -37,9 +39,14 @@
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/der/encode_values.h"
+#include "net/net_buildflags.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 #include "url/url_canon.h"
 
+#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
+#include "net/cert/cert_verify_proc_builtin.h"
+#endif
+
 #if defined(USE_NSS_CERTS)
 #include "net/cert/cert_verify_proc_nss.h"
 #elif defined(OS_ANDROID)
@@ -243,7 +250,7 @@ void BestEffortCheckOCSP(const std::string& raw_response,
 
   verify_result->revocation_status =
       CheckOCSP(raw_response, cert_der, issuer_der, base::Time::Now(),
-                kMaxOCSPLeafUpdateAge, &verify_result->response_status);
+                kMaxRevocationLeafUpdateAge, &verify_result->response_status);
 }
 
 // Records histograms indicating whether the certificate |cert|, which
@@ -453,6 +460,12 @@ WARN_UNUSED_RESULT bool InspectSignatureAlgorithmsInChain(
 // static
 scoped_refptr<CertVerifyProc> CertVerifyProc::CreateDefault(
     scoped_refptr<CertNetFetcher> cert_net_fetcher) {
+#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
+  if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature)) {
+    return CreateCertVerifyProcBuiltin(std::move(cert_net_fetcher),
+                                       /*system_trust_store_provider=*/nullptr);
+  }
+#endif
 #if defined(USE_NSS_CERTS)
   return new CertVerifyProcNSS();
 #elif defined(OS_ANDROID)
@@ -464,7 +477,8 @@ scoped_refptr<CertVerifyProc> CertVerifyProc::CreateDefault(
 #elif defined(OS_WIN)
   return new CertVerifyProcWin();
 #elif defined(OS_FUCHSIA)
-  return CreateCertVerifyProcBuiltin(std::move(cert_net_fetcher));
+  return CreateCertVerifyProcBuiltin(std::move(cert_net_fetcher),
+                                     /*system_trust_store_provider=*/nullptr);
 #else
 #error Unsupported platform
 #endif
diff --git a/chromium/net/cert/cert_verify_proc_blacklist.inc b/chromium/net/cert/cert_verify_proc_blacklist.inc
index 4014d81025f..e5be854ce3a 100644
--- a/chromium/net/cert/cert_verify_proc_blacklist.inc
+++ b/chromium/net/cert/cert_verify_proc_blacklist.inc
@@ -117,6 +117,10 @@ static constexpr uint8_t
         {0x71, 0x65, 0xe9, 0x91, 0xad, 0xe7, 0x91, 0x6d, 0x86, 0xb4, 0x66,
          0xab, 0xeb, 0xb6, 0xe4, 0x57, 0xca, 0x93, 0x1c, 0x80, 0x4e, 0x58,
          0xce, 0x1f, 0xba, 0xba, 0xe5, 0x09, 0x15, 0x6f, 0xfb, 0x43},
+        // 3ae699d94e8febdacb86d4f90d40903333478e65e0655c432451197e33fa07f2.pem
+        {0x78, 0x1a, 0x4c, 0xf2, 0xe9, 0x24, 0x52, 0xf3, 0xee, 0x01, 0xd0,
+         0xc3, 0x81, 0xa4, 0x21, 0x4f, 0x39, 0x04, 0x16, 0x5c, 0x39, 0x0a,
+         0xdb, 0xd6, 0x1f, 0xcd, 0x11, 0x24, 0x4e, 0x09, 0xb2, 0xdc},
         // 8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem
         {0x7a, 0xed, 0xdd, 0xf3, 0x6b, 0x18, 0xf8, 0xac, 0xb7, 0x37, 0x9f,
          0xe1, 0xce, 0x18, 0x32, 0x12, 0xb2, 0x35, 0x0d, 0x07, 0x88, 0xab,
@@ -203,6 +207,10 @@ static constexpr uint8_t
         {0xb4, 0xd5, 0xc9, 0x20, 0x41, 0x5e, 0xd0, 0xcc, 0x4f, 0x5d, 0xbc,
          0x7f, 0x54, 0x26, 0x36, 0x76, 0x2e, 0x80, 0xda, 0x66, 0x25, 0xf3,
          0x3f, 0x2b, 0x6a, 0xd6, 0xdb, 0x68, 0xbd, 0xba, 0xb2, 0x9a},
+        // d8888f4a84f74c974dffb573a1bf5bbbacd1713b905096f8eb015062bf396c4d.pem
+        {0xc0, 0xed, 0x20, 0x53, 0x46, 0xbb, 0xbd, 0xe0, 0x6e, 0xb5, 0x60,
+         0xf5, 0xce, 0xe0, 0x2a, 0x36, 0x34, 0xe2, 0x47, 0x4a, 0x7e, 0x76,
+         0xcf, 0x8f, 0xbe, 0xf5, 0x63, 0xbb, 0x11, 0x7d, 0xd0, 0xe3},
         // 372447c43185c38edd2ce0e9c853f9ac1576ddd1704c2f54d96076c089cb4227.pem
         {0xc1, 0x73, 0xf0, 0x62, 0x64, 0x56, 0xca, 0x85, 0x4f, 0xf2, 0xa7,
          0xf0, 0xb1, 0x33, 0xa7, 0xcf, 0x4d, 0x02, 0x11, 0xe5, 0x52, 0xf2,
@@ -299,4 +307,8 @@ static constexpr uint8_t
         {0xfa, 0x00, 0xbe, 0xc7, 0x3d, 0xd9, 0x97, 0x95, 0xdf, 0x11, 0x62,
          0xc7, 0x89, 0x98, 0x70, 0x04, 0xc2, 0x6c, 0xbf, 0x90, 0xaf, 0x4d,
          0xb4, 0x42, 0xf6, 0x62, 0x20, 0xde, 0x41, 0x35, 0x4a, 0xc9},
+        // a25a19546819d048000ef9c6577c4bcd8d2155b1e4346a4599d6c8b79799d4a1.pem
+        {0xfc, 0xd7, 0x6c, 0xca, 0x23, 0x47, 0xe5, 0xcd, 0x5b, 0x39, 0x34,
+         0x7f, 0x51, 0xcf, 0x43, 0x65, 0x4b, 0x69, 0xa2, 0xbf, 0xc9, 0x07,
+         0x36, 0x70, 0xa6, 0xbe, 0x47, 0xd8, 0x70, 0x1e, 0x6e, 0x0e},
 };
diff --git a/chromium/net/cert/cert_verify_proc_builtin.cc b/chromium/net/cert/cert_verify_proc_builtin.cc
index 60706a5cb4b..b5ef8e73f3c 100644
--- a/chromium/net/cert/cert_verify_proc_builtin.cc
+++ b/chromium/net/cert/cert_verify_proc_builtin.cc
@@ -36,6 +36,13 @@ namespace net {
 
 namespace {
 
+// Very conservative iteration count limit.
+// TODO(https://crbug.com/634470): Make this smaller.
+constexpr uint32_t kPathBuilderIterationLimit = 25000;
+
+constexpr base::TimeDelta kMaxVerificationTime =
+    base::TimeDelta::FromSeconds(60);
+
 DEFINE_CERT_ERROR_ID(kPathLacksEVPolicy, "Path does not have an EV policy");
 
 RevocationPolicy NoRevocationChecking() {
@@ -258,7 +265,9 @@ class PathBuilderDelegateImpl : public SimplePathBuilderDelegate {
 
 class CertVerifyProcBuiltin : public CertVerifyProc {
  public:
-  explicit CertVerifyProcBuiltin(scoped_refptr<CertNetFetcher> net_fetcher);
+  CertVerifyProcBuiltin(
+      scoped_refptr<CertNetFetcher> net_fetcher,
+      std::unique_ptr<SystemTrustStoreProvider> system_trust_store_provider);
 
   bool SupportsAdditionalTrustAnchors() const override;
 
@@ -276,11 +285,14 @@ class CertVerifyProcBuiltin : public CertVerifyProc {
                      CertVerifyResult* verify_result) override;
 
   scoped_refptr<CertNetFetcher> net_fetcher_;
+  std::unique_ptr<SystemTrustStoreProvider> system_trust_store_provider_;
 };
 
 CertVerifyProcBuiltin::CertVerifyProcBuiltin(
-    scoped_refptr<CertNetFetcher> net_fetcher)
-    : net_fetcher_(std::move(net_fetcher)) {}
+    scoped_refptr<CertNetFetcher> net_fetcher,
+    std::unique_ptr<SystemTrustStoreProvider> system_trust_store_provider)
+    : net_fetcher_(std::move(net_fetcher)),
+      system_trust_store_provider_(std::move(system_trust_store_provider)) {}
 
 CertVerifyProcBuiltin::~CertVerifyProcBuiltin() = default;
 
@@ -413,6 +425,7 @@ void TryBuildPath(const scoped_refptr<ParsedCertificate>& target,
                   CertIssuerSourceStatic* intermediates,
                   SystemTrustStore* ssl_trust_store,
                   base::Time verification_time,
+                  base::TimeTicks deadline,
                   VerificationType verification_type,
                   SimplePathBuilderDelegate::DigestPolicy digest_policy,
                   int flags,
@@ -465,6 +478,9 @@ void TryBuildPath(const scoped_refptr<ParsedCertificate>& target,
     LOG(ERROR) << "No net_fetcher for performing AIA chasing.";
   }
 
+  path_builder.SetIterationLimit(kPathBuilderIterationLimit);
+  path_builder.SetDeadline(deadline);
+
   path_builder.Run();
 }
 
@@ -573,6 +589,7 @@ int CertVerifyProcBuiltin::VerifyInternal(
   // VerifyInternal() is expected to carry out verifications using the current
   // time stamp.
   base::Time verification_time = base::Time::Now();
+  base::TimeTicks deadline = base::TimeTicks::Now() + kMaxVerificationTime;
 
   // Parse the target certificate.
   scoped_refptr<ParsedCertificate> target =
@@ -589,7 +606,9 @@ int CertVerifyProcBuiltin::VerifyInternal(
 
   // Parse the additional trust anchors and setup trust store.
   std::unique_ptr<SystemTrustStore> ssl_trust_store =
-      CreateSslSystemTrustStore();
+      system_trust_store_provider_
+          ? system_trust_store_provider_->CreateSystemTrustStore()
+          : CreateSslSystemTrustStore();
 
   for (const auto& x509_cert : additional_trust_anchors) {
     scoped_refptr<ParsedCertificate> cert =
@@ -634,12 +653,12 @@ int CertVerifyProcBuiltin::VerifyInternal(
 
     // Run the attempt through the path builder.
     TryBuildPath(target, &intermediates, ssl_trust_store.get(),
-                 verification_time, cur_attempt.verification_type,
+                 verification_time, deadline, cur_attempt.verification_type,
                  cur_attempt.digest_policy, flags, ocsp_response, crl_set,
                  net_fetcher_.get(), ev_metadata, &result,
                  &checked_revocation_for_some_path);
 
-    if (result.HasValidPath())
+    if (result.HasValidPath() || result.exceeded_deadline)
       break;
 
     // If this path building attempt (may have) failed due to the chain using a
@@ -676,8 +695,10 @@ int CertVerifyProcBuiltin::VerifyInternal(
 }  // namespace
 
 scoped_refptr<CertVerifyProc> CreateCertVerifyProcBuiltin(
-    scoped_refptr<CertNetFetcher> net_fetcher) {
-  return base::MakeRefCounted<CertVerifyProcBuiltin>(std::move(net_fetcher));
+    scoped_refptr<CertNetFetcher> net_fetcher,
+    std::unique_ptr<SystemTrustStoreProvider> system_trust_store_provider) {
+  return base::MakeRefCounted<CertVerifyProcBuiltin>(
+      std::move(net_fetcher), std::move(system_trust_store_provider));
 }
 
 }  // namespace net
diff --git a/chromium/net/cert/cert_verify_proc_builtin.h b/chromium/net/cert/cert_verify_proc_builtin.h
index 97b774118a0..da2ddac8c8b 100644
--- a/chromium/net/cert/cert_verify_proc_builtin.h
+++ b/chromium/net/cert/cert_verify_proc_builtin.h
@@ -5,6 +5,8 @@
 #ifndef NET_CERT_CERT_VERIFY_PROC_BUILTIN_H_
 #define NET_CERT_CERT_VERIFY_PROC_BUILTIN_H_
 
+#include <memory>
+
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 
@@ -12,12 +14,33 @@ namespace net {
 
 class CertNetFetcher;
 class CertVerifyProc;
+class SystemTrustStore;
+
+// Will be used to create the system trust store. Implementations must be
+// thread-safe - CreateSystemTrustStore may be invoked concurrently on worker
+// threads.
+class NET_EXPORT SystemTrustStoreProvider {
+ public:
+  virtual ~SystemTrustStoreProvider() {}
+
+  // Create and return a SystemTrustStore to be used during certificate
+  // verification.
+  // This function may be invoked concurrently on worker threads and must be
+  // thread-safe. However, the returned SystemTrustStore will only be used on
+  // a single thread.
+  virtual std::unique_ptr<SystemTrustStore> CreateSystemTrustStore() = 0;
+};
 
 // TODO(crbug.com/649017): This is not how other cert_verify_proc_*.h are
 // implemented -- they expose the type in the header. Use a consistent style
 // here too.
+// If |system_trust_store_provider| is null, the default SystemTrustStore will
+// be created.
+// If |system_trust_store_provider| is non-null, it will be used to create the
+// SystemTrustStore instance for certificate verification.
 NET_EXPORT scoped_refptr<CertVerifyProc> CreateCertVerifyProcBuiltin(
-    scoped_refptr<CertNetFetcher> net_fetcher);
+    scoped_refptr<CertNetFetcher> net_fetcher,
+    std::unique_ptr<SystemTrustStoreProvider> system_trust_store_provider);
 
 }  // namespace net
 
diff --git a/chromium/net/cert/cert_verify_proc_ios.cc b/chromium/net/cert/cert_verify_proc_ios.cc
index 1ff9410e7b6..d8045b95682 100644
--- a/chromium/net/cert/cert_verify_proc_ios.cc
+++ b/chromium/net/cert/cert_verify_proc_ios.cc
@@ -7,6 +7,7 @@
 #include <CommonCrypto/CommonDigest.h>
 
 #include "base/logging.h"
+#include "base/mac/foundation_util.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "crypto/sha2.h"
 #include "net/base/net_errors.h"
@@ -162,12 +163,6 @@ void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) {
     HashValue sha256(HASH_VALUE_SHA256);
     CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());
     verify_result->public_key_hashes.push_back(sha256);
-
-    // Ignore the signature algorithm for the trust anchor.
-    if ((verify_result->cert_status & CERT_STATUS_AUTHORITY_INVALID) == 0 &&
-        i == count - 1) {
-      continue;
-    }
   }
   if (!verified_cert) {
     NOTREACHED();
@@ -262,6 +257,7 @@ CertStatus CertVerifyProcIOS::GetCertFailureStatusFromTrust(SecTrustRef trust) {
     } else if (CFEqual(error, root_certificate_error)) {
       reason |= CERT_STATUS_AUTHORITY_INVALID;
     } else {
+      LOG(ERROR) << "Unrecognized error: " << error;
       reason |= CERT_STATUS_INVALID;
     }
   }
diff --git a/chromium/net/cert/cert_verify_proc_unittest.cc b/chromium/net/cert/cert_verify_proc_unittest.cc
index 484db21a4ca..64dd41625b1 100644
--- a/chromium/net/cert/cert_verify_proc_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_unittest.cc
@@ -40,6 +40,7 @@
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/cert_net/cert_net_fetcher_impl.h"
+#include "net/der/encode_values.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 #include "net/proxy_resolution/proxy_config.h"
@@ -59,19 +60,20 @@
 #include "third_party/boringssl/src/include/openssl/mem.h"
 
 #if defined(USE_NSS_CERTS)
+#include "net/cert/cert_verify_proc_nss.h"
 #include "net/cert_net/nss_ocsp.h"
-#endif
-
-#if defined(OS_ANDROID)
+#elif defined(OS_ANDROID)
 #include "base/android/build_info.h"
-#endif
-
-#if defined(OS_MACOSX) && !defined(OS_IOS)
+#include "net/cert/cert_verify_proc_android.h"
+#elif defined(OS_IOS)
+#include "base/ios/ios_util.h"
+#include "net/cert/cert_verify_proc_ios.h"
+#elif defined(OS_MACOSX)
 #include "base/mac/mac_util.h"
-#endif
-
-#if defined(OS_WIN)
+#include "net/cert/cert_verify_proc_mac.h"
+#elif defined(OS_WIN)
 #include "base/win/windows_version.h"
+#include "net/cert/cert_verify_proc_win.h"
 #endif
 
 // TODO(crbug.com/649017): Add tests that only certificates with
@@ -148,27 +150,6 @@ enum CertVerifyProcType {
   CERT_VERIFY_PROC_BUILTIN,
 };
 
-// Returns the CertVerifyProcType corresponding to what
-// CertVerifyProc::CreateDefault() returns. This needs to be kept in sync with
-// CreateDefault().
-CertVerifyProcType GetDefaultCertVerifyProcType() {
-#if defined(USE_NSS_CERTS)
-  return CERT_VERIFY_PROC_NSS;
-#elif defined(OS_ANDROID)
-  return CERT_VERIFY_PROC_ANDROID;
-#elif defined(OS_IOS)
-  return CERT_VERIFY_PROC_IOS;
-#elif defined(OS_MACOSX)
-  return CERT_VERIFY_PROC_MAC;
-#elif defined(OS_WIN)
-  return CERT_VERIFY_PROC_WIN;
-#elif defined(OS_FUCHSIA)
-  return CERT_VERIFY_PROC_BUILTIN;
-#else
-// Will fail to compile.
-#endif
-}
-
 // Whether the test is running within the iphone simulator.
 const bool kTargetIsIphoneSimulator =
 #if TARGET_IPHONE_SIMULATOR
@@ -177,6 +158,15 @@ const bool kTargetIsIphoneSimulator =
     false;
 #endif
 
+// Wrapper for base::mac::IsAtLeastOS10_12() to avoid littering ifdefs.
+bool IsMacAtLeastOS10_12() {
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+  return base::mac::IsAtLeastOS10_12();
+#else
+  return false;
+#endif
+}
+
 // Returns a textual description of the CertVerifyProc implementation
 // that is being tested, used to give better names to parameterized
 // tests.
@@ -200,19 +190,57 @@ std::string VerifyProcTypeToName(
   return nullptr;
 }
 
-// The set of all CertVerifyProcTypes that tests should be
-// parameterized on.
-const std::vector<CertVerifyProcType> kAllCertVerifiers = {
-    GetDefaultCertVerifyProcType()
+scoped_refptr<CertVerifyProc> CreateCertVerifyProc(
+    CertVerifyProcType type,
+    scoped_refptr<CertNetFetcher> cert_net_fetcher) {
+  switch (type) {
+#if defined(USE_NSS_CERTS)
+    case CERT_VERIFY_PROC_NSS:
+      return new CertVerifyProcNSS();
+#elif defined(OS_ANDROID)
+    case CERT_VERIFY_PROC_ANDROID:
+      return new CertVerifyProcAndroid(std::move(cert_net_fetcher));
+#elif defined(OS_IOS)
+    case CERT_VERIFY_PROC_IOS:
+      return new CertVerifyProcIOS();
+#elif defined(OS_MACOSX)
+    case CERT_VERIFY_PROC_MAC:
+      return new CertVerifyProcMac();
+#elif defined(OS_WIN)
+    case CERT_VERIFY_PROC_WIN:
+      return new CertVerifyProcWin();
+#endif
+    case CERT_VERIFY_PROC_BUILTIN:
+      return CreateCertVerifyProcBuiltin(
+          std::move(cert_net_fetcher),
+          nullptr /* system_trust_store_provider */);
+    default:
+      return nullptr;
+  }
+}
 
-// TODO(crbug.com/649017): Enable this everywhere. Right now this is
-// gated on having CertVerifyProcBuiltin understand the roots added
+// The set of all CertVerifyProcTypes that tests should be parameterized on.
+// This needs to be kept in sync with CertVerifyProc::CreateDefault().
+// TODO(crbug.com/649017): Enable CERT_VERIFY_PROC_BUILTIN everywhere. Right
+// now this is gated on having CertVerifyProcBuiltin understand the roots added
 // via TestRootCerts.
-#if defined(USE_NSS_CERTS) || (defined(OS_MACOSX) && !defined(OS_IOS))
-        ,
+const std::vector<CertVerifyProcType> kAllCertVerifiers = {
+#if defined(USE_NSS_CERTS)
+    CERT_VERIFY_PROC_NSS, CERT_VERIFY_PROC_BUILTIN
+#elif defined(OS_ANDROID)
+    CERT_VERIFY_PROC_ANDROID
+#elif defined(OS_IOS)
+    CERT_VERIFY_PROC_IOS
+#elif defined(OS_MACOSX)
+    CERT_VERIFY_PROC_MAC, CERT_VERIFY_PROC_BUILTIN
+#elif defined(OS_WIN)
+    CERT_VERIFY_PROC_WIN
+#elif defined(OS_FUCHSIA)
     CERT_VERIFY_PROC_BUILTIN
+#else
+#error Unsupported platform
 #endif
-};
+};  // namespace
 
 // Returns true if a test root added through ScopedTestRoot can verify
 // successfully as a target certificate with chain of length 1 on the given
@@ -224,6 +252,18 @@ bool ScopedTestRootCanTrustTargetCert(CertVerifyProcType verify_proc_type) {
          verify_proc_type == CERT_VERIFY_PROC_ANDROID;
 }
 
+// Returns true if a non-self-signed CA certificate added through
+// ScopedTestRoot can verify successfully as the root of a chain by the given
+// CertVerifyProcType.
+bool ScopedTestRootCanTrustIntermediateCert(
+    CertVerifyProcType verify_proc_type) {
+  return verify_proc_type == CERT_VERIFY_PROC_MAC ||
+         verify_proc_type == CERT_VERIFY_PROC_IOS ||
+         verify_proc_type == CERT_VERIFY_PROC_NSS ||
+         verify_proc_type == CERT_VERIFY_PROC_BUILTIN ||
+         verify_proc_type == CERT_VERIFY_PROC_ANDROID;
+}
+
 // TODO(crbug.com/649017): This is not parameterized by the CertVerifyProc
 // because the CertVerifyProc::Verify() does this unconditionally based on the
 // platform.
@@ -238,6 +278,16 @@ bool AreSHA1IntermediatesAllowed() {
 #endif
 }
 
+// Helper to make creating an X509Certificate chain less verbose.
+scoped_refptr<X509Certificate> CreateX509CertificateWithIntermediate(
+    bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer,
+    bssl::UniquePtr<CRYPTO_BUFFER> intermediate_buffer) {
+  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
+  intermediates.push_back(std::move(intermediate_buffer));
+  return X509Certificate::CreateFromBuffer(std::move(cert_buffer),
+                                           std::move(intermediates));
+}
+
 std::string MakeRandomHexString(size_t num_bytes) {
   std::vector<char> rand_bytes;
   rand_bytes.resize(num_bytes);
@@ -246,6 +296,81 @@ std::string MakeRandomHexString(size_t num_bytes) {
   return base::HexEncode(&rand_bytes[0], rand_bytes.size());
 }
 
+std::string Sha256WithRSAEncryption() {
+  const uint8_t kSha256WithRSAEncryption[] = {0x30, 0x0D, 0x06, 0x09, 0x2a,
+                                              0x86, 0x48, 0x86, 0xf7, 0x0d,
+                                              0x01, 0x01, 0x0b, 0x05, 0x00};
+  return std::string(std::begin(kSha256WithRSAEncryption),
+                     std::end(kSha256WithRSAEncryption));
+}
+
+std::string Sha1WithRSAEncryption() {
+  const uint8_t kSha1WithRSAEncryption[] = {0x30, 0x0D, 0x06, 0x09, 0x2a,
+                                            0x86, 0x48, 0x86, 0xf7, 0x0d,
+                                            0x01, 0x01, 0x05, 0x05, 0x00};
+  return std::string(std::begin(kSha1WithRSAEncryption),
+                     std::end(kSha1WithRSAEncryption));
+}
+
+std::string Md5WithRSAEncryption() {
+  const uint8_t kMd5WithRSAEncryption[] = {0x30, 0x0d, 0x06, 0x09, 0x2a,
+                                           0x86, 0x48, 0x86, 0xf7, 0x0d,
+                                           0x01, 0x01, 0x04, 0x05, 0x00};
+  return std::string(std::begin(kMd5WithRSAEncryption),
+                     std::end(kMd5WithRSAEncryption));
+}
+
+// Adds bytes (specified as a StringPiece) to the given CBB.
+// The argument ordering follows the boringssl CBB_* api style.
+bool CBBAddBytes(CBB* cbb, base::StringPiece bytes) {
+  return CBB_add_bytes(cbb, reinterpret_cast<const uint8_t*>(bytes.data()),
+                       bytes.size());
+}
+
+// Adds bytes (from fixed size array) to the given CBB.
+// The argument ordering follows the boringssl CBB_* api style.
+template <size_t N>
+bool CBBAddBytes(CBB* cbb, const uint8_t (&data)[N]) {
+  return CBB_add_bytes(cbb, data, N);
+}
+
+// Adds a RFC 5280 Time value to the given CBB.
+// The argument ordering follows the boringssl CBB_* api style.
+bool CBBAddTime(CBB* cbb, const base::Time& time) {
+  der::GeneralizedTime generalized_time;
+  if (!der::EncodeTimeAsGeneralizedTime(time, &generalized_time))
+    return false;
+  CBB time_cbb;
+  if (generalized_time.year < 2050) {
+    uint8_t out[der::kUTCTimeLength];
+    if (!der::EncodeUTCTime(generalized_time, out) ||
+        !CBB_add_asn1(cbb, &time_cbb, CBS_ASN1_UTCTIME) ||
+        !CBBAddBytes(&time_cbb, out) || !CBB_flush(cbb))
+      return false;
+  } else {
+    uint8_t out[der::kGeneralizedTimeLength];
+    if (!der::EncodeGeneralizedTime(generalized_time, out) ||
+        !CBB_add_asn1(cbb, &time_cbb, CBS_ASN1_GENERALIZEDTIME) ||
+        !CBBAddBytes(&time_cbb, out) || !CBB_flush(cbb))
+      return false;
+  }
+  return true;
+}
+
+// Finalizes the CBB to a std::string.
+std::string FinishCBB(CBB* cbb) {
+  size_t cbb_len;
+  uint8_t* cbb_bytes;
+
+  if (!CBB_finish(cbb, &cbb_bytes, &cbb_len)) {
+    ADD_FAILURE() << "CBB_finish() failed";
+    return std::string();
+  }
+
+  bssl::UniquePtr<uint8_t> delete_bytes(cbb_bytes);
+  return std::string(reinterpret_cast<char*>(cbb_bytes), cbb_len);
+}
+
 // CertBuilder is a helper class to dynamically create a test certificate.
 //
 // CertBuilder is initialized using an existing certificate, from which it
@@ -279,6 +404,13 @@ class CertBuilder {
     Invalidate();
   }
 
+  // Removes an extension (if present).
+  void EraseExtension(const der::Input& oid) {
+    extensions_.erase(oid.AsString());
+
+    Invalidate();
+  }
+
   // Sets an AIA extension with a single caIssuers access method.
   void SetCaIssuersUrl(const GURL& url) {
     std::string url_spec = url.spec();
@@ -297,15 +429,49 @@ class CertBuilder {
     ASSERT_TRUE(CBB_add_asn1(cbb.get(), &aia, CBS_ASN1_SEQUENCE));
     ASSERT_TRUE(CBB_add_asn1(&aia, &ca_issuer, CBS_ASN1_SEQUENCE));
     ASSERT_TRUE(CBB_add_asn1(&ca_issuer, &access_method, CBS_ASN1_OBJECT));
-    ASSERT_TRUE(
-        AddBytesToCBB(&access_method, AdCaIssuersOid().AsStringPiece()));
+    ASSERT_TRUE(CBBAddBytes(&access_method, AdCaIssuersOid().AsStringPiece()));
     ASSERT_TRUE(CBB_add_asn1(&ca_issuer, &access_location,
                              CBS_ASN1_CONTEXT_SPECIFIC | 6));
-    ASSERT_TRUE(AddBytesToCBB(&access_location, url_spec));
+    ASSERT_TRUE(CBBAddBytes(&access_location, url_spec));
 
     SetExtension(AuthorityInfoAccessOid(), FinishCBB(cbb.get()));
   }
 
+  void SetCrlDistributionPointUrl(const GURL& url) {
+    std::string url_spec = url.spec();
+
+    bssl::ScopedCBB cbb;
+    ASSERT_TRUE(CBB_init(cbb.get(), url_spec.size()));
+    CBB dps, dp, dp_name, dp_fullname, dp_url;
+
+    //    CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+    ASSERT_TRUE(CBB_add_asn1(cbb.get(), &dps, CBS_ASN1_SEQUENCE));
+
+    //    DistributionPoint ::= SEQUENCE {
+    //         distributionPoint       [0]     DistributionPointName OPTIONAL,
+    //         reasons                 [1]     ReasonFlags OPTIONAL,
+    //         cRLIssuer               [2]     GeneralNames OPTIONAL }
+    ASSERT_TRUE(CBB_add_asn1(&dps, &dp, CBS_ASN1_SEQUENCE));
+    ASSERT_TRUE(CBB_add_asn1(
+        &dp, &dp_name, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0));
+
+    //    DistributionPointName ::= CHOICE {
+    //         fullName                [0]     GeneralNames,
+    //         nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
+    ASSERT_TRUE(
+        CBB_add_asn1(&dp_name, &dp_fullname,
+                     CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0));
+
+    //   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+    //   GeneralName ::= CHOICE {
+    // uniformResourceIdentifier       [6]     IA5String,
+    ASSERT_TRUE(
+        CBB_add_asn1(&dp_fullname, &dp_url, CBS_ASN1_CONTEXT_SPECIFIC | 6));
+    ASSERT_TRUE(CBBAddBytes(&dp_url, url_spec));
+
+    SetExtension(CrlDistributionPointsOid(), FinishCBB(cbb.get()));
+  }
+
   // Sets the SAN for the certificate to a single dNSName.
   void SetSubjectAltName(const std::string& dns_name) {
     // From RFC 5280:
@@ -325,7 +491,7 @@ class CertBuilder {
     ASSERT_TRUE(CBB_add_asn1(cbb.get(), &general_names, CBS_ASN1_SEQUENCE));
     ASSERT_TRUE(CBB_add_asn1(&general_names, &general_name,
                              CBS_ASN1_CONTEXT_SPECIFIC | 2));
-    ASSERT_TRUE(AddBytesToCBB(&general_name, dns_name));
+    ASSERT_TRUE(CBBAddBytes(&general_name, dns_name));
 
     SetExtension(SubjectAltNameOid(), FinishCBB(cbb.get()));
   }
@@ -335,20 +501,12 @@ class CertBuilder {
   void SetSignatureAlgorithmRsaPkca1(DigestAlgorithm digest) {
     switch (digest) {
       case DigestAlgorithm::Sha256: {
-        const uint8_t kSha256WithRSAEncryption[] = {
-            0x30, 0x0D, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-            0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00};
-        SetSignatureAlgorithm(std::string(std::begin(kSha256WithRSAEncryption),
-                                          std::end(kSha256WithRSAEncryption)));
+        SetSignatureAlgorithm(Sha256WithRSAEncryption());
         break;
       }
 
       case DigestAlgorithm::Sha1: {
-        const uint8_t kSha1WithRSAEncryption[] = {0x30, 0x0D, 0x06, 0x09, 0x2a,
-                                                  0x86, 0x48, 0x86, 0xf7, 0x0d,
-                                                  0x01, 0x01, 0x05, 0x05, 0x00};
-        SetSignatureAlgorithm(std::string(std::begin(kSha1WithRSAEncryption),
-                                          std::end(kSha1WithRSAEncryption)));
+        SetSignatureAlgorithm(Sha1WithRSAEncryption());
         break;
       }
 
@@ -385,6 +543,13 @@ class CertBuilder {
     return subject_tlv_;
   }
 
+  // Returns the serial number for the generated certificate.
+  uint64_t GetSerialNumber() {
+    if (!serial_number_)
+      serial_number_ = base::RandUint64();
+    return serial_number_;
+  }
+
   // Returns the (RSA) key for the generated certificate.
   EVP_PKEY* GetKey() {
     if (!key_)
@@ -415,26 +580,6 @@ class CertBuilder {
     key_ = bssl::UpRef(private_key->key());
   }
 
-  // Adds bytes (specified as a StringPiece) to the given CBB.
-  static bool AddBytesToCBB(CBB* cbb, base::StringPiece bytes) {
-    return CBB_add_bytes(cbb, reinterpret_cast<const uint8_t*>(bytes.data()),
-                         bytes.size());
-  }
-
-  // Finalizes the CBB to a std::string.
-  static std::string FinishCBB(CBB* cbb) {
-    size_t cbb_len;
-    uint8_t* cbb_bytes;
-
-    if (!CBB_finish(cbb, &cbb_bytes, &cbb_len)) {
-      ADD_FAILURE() << "CBB_finish() failed";
-      return std::string();
-    }
-
-    bssl::UniquePtr<uint8_t> delete_bytes(cbb_bytes);
-    return std::string(reinterpret_cast<char*>(cbb_bytes), cbb_len);
-  }
-
   // Generates a random subject for the certificate, comprised of just a CN.
   void GenerateSubject() {
     ASSERT_TRUE(subject_tlv_.empty());
@@ -453,20 +598,13 @@ class CertBuilder {
     ASSERT_TRUE(CBB_add_asn1(&rdns, &rdn, CBS_ASN1_SET));
     ASSERT_TRUE(CBB_add_asn1(&rdn, &attr, CBS_ASN1_SEQUENCE));
     ASSERT_TRUE(CBB_add_asn1(&attr, &type, CBS_ASN1_OBJECT));
-    ASSERT_TRUE(CBB_add_bytes(&type, kCommonName, sizeof(kCommonName)));
+    ASSERT_TRUE(CBBAddBytes(&type, kCommonName));
     ASSERT_TRUE(CBB_add_asn1(&attr, &value, CBS_ASN1_UTF8STRING));
-    ASSERT_TRUE(AddBytesToCBB(&value, common_name));
+    ASSERT_TRUE(CBBAddBytes(&value, common_name));
 
     subject_tlv_ = FinishCBB(cbb.get());
   }
 
-  // Returns the serial number for the generated certificate.
-  uint64_t GetSerialNumber() {
-    if (!serial_number_)
-      serial_number_ = base::RandUint64();
-    return serial_number_;
-  }
-
   // Parses |cert| and copies the following properties:
   //   * All extensions (dropping any duplicates)
   //   * Signature algorithm (from Certificate)
@@ -564,9 +702,9 @@ class CertBuilder {
     ASSERT_TRUE(CBB_add_asn1_uint64(&version, 2));
     ASSERT_TRUE(CBB_add_asn1_uint64(&tbs_cert, GetSerialNumber()));
     ASSERT_TRUE(AddSignatureAlgorithm(&tbs_cert));
-    ASSERT_TRUE(AddBytesToCBB(&tbs_cert, issuer_->GetSubject()));
-    ASSERT_TRUE(AddBytesToCBB(&tbs_cert, validity_tlv_));
-    ASSERT_TRUE(AddBytesToCBB(&tbs_cert, GetSubject()));
+    ASSERT_TRUE(CBBAddBytes(&tbs_cert, issuer_->GetSubject()));
+    ASSERT_TRUE(CBBAddBytes(&tbs_cert, validity_tlv_));
+    ASSERT_TRUE(CBBAddBytes(&tbs_cert, GetSubject()));
     ASSERT_TRUE(EVP_marshal_public_key(&tbs_cert, GetKey()));
 
     // Serialize all the extensions.
@@ -590,14 +728,14 @@ class CertBuilder {
         ASSERT_TRUE(
             CBB_add_asn1(&extensions, &extension_seq, CBS_ASN1_SEQUENCE));
         ASSERT_TRUE(CBB_add_asn1(&extension_seq, &oid, CBS_ASN1_OBJECT));
-        ASSERT_TRUE(AddBytesToCBB(&oid, extension_it.first));
+        ASSERT_TRUE(CBBAddBytes(&oid, extension_it.first));
         if (extension_it.second.critical) {
           ASSERT_TRUE(CBB_add_asn1_bool(&extension_seq, true));
         }
 
         ASSERT_TRUE(
             CBB_add_asn1(&extension_seq, &extn_value, CBS_ASN1_OCTETSTRING));
-        ASSERT_TRUE(AddBytesToCBB(&extn_value, extension_it.second.value));
+        ASSERT_TRUE(CBBAddBytes(&extn_value, extension_it.second.value));
         ASSERT_TRUE(CBB_flush(&extensions));
       }
     }
@@ -606,7 +744,7 @@ class CertBuilder {
   }
 
   bool AddSignatureAlgorithm(CBB* cbb) {
-    return AddBytesToCBB(cbb, signature_algorithm_tlv_);
+    return CBBAddBytes(cbb, signature_algorithm_tlv_);
   }
 
   void GenerateCertificate() {
@@ -649,7 +787,7 @@ class CertBuilder {
 
     ASSERT_TRUE(CBB_init(cbb.get(), tbs_cert.size()));
     ASSERT_TRUE(CBB_add_asn1(cbb.get(), &cert, CBS_ASN1_SEQUENCE));
-    ASSERT_TRUE(AddBytesToCBB(&cert, tbs_cert));
+    ASSERT_TRUE(CBBAddBytes(&cert, tbs_cert));
     ASSERT_TRUE(AddSignatureAlgorithm(&cert));
     ASSERT_TRUE(CBB_add_asn1(&cert, &signature, CBS_ASN1_BITSTRING));
     ASSERT_TRUE(CBB_add_u8(&signature, 0 /* no unused bits */));
@@ -701,13 +839,8 @@ class CertVerifyProcInternalTest
   // fetching by calling SetUpWithCertNetFetcher instead of SetUp.
   void SetUpWithCertNetFetcher(scoped_refptr<CertNetFetcher> cert_net_fetcher) {
     CertVerifyProcType type = verify_proc_type();
-    if (type == CERT_VERIFY_PROC_BUILTIN) {
-      verify_proc_ = CreateCertVerifyProcBuiltin(std::move(cert_net_fetcher));
-    } else if (type == GetDefaultCertVerifyProcType()) {
-      verify_proc_ = CertVerifyProc::CreateDefault(std::move(cert_net_fetcher));
-    } else {
-      ADD_FAILURE() << "Unhandled CertVerifyProcType";
-    }
+    verify_proc_ = CreateCertVerifyProc(type, std::move(cert_net_fetcher));
+    ASSERT_TRUE(verify_proc_);
   }
 
   int Verify(X509Certificate* cert,
@@ -741,7 +874,14 @@ class CertVerifyProcInternalTest
   }
 
   bool WeakKeysAreInvalid() const {
-#if defined(OS_MACOSX) && !defined(OS_IOS)
+#if defined(OS_IOS)
+    // Starting with iOS 13, certs with weak keys are treated as (recoverable)
+    // invalid certificate errors.
+    if (verify_proc_type() == CERT_VERIFY_PROC_IOS &&
+        base::ios::IsRunningOnIOS13OrLater()) {
+      return true;
+    }
+#elif defined(OS_MACOSX)
     // Starting with Mac OS 10.12, certs with weak keys are treated as
     // (recoverable) invalid certificate errors.
     if (verify_proc_type() == CERT_VERIFY_PROC_MAC &&
@@ -773,6 +913,19 @@ class CertVerifyProcInternalTest
            verify_proc_type() == CERT_VERIFY_PROC_BUILTIN;
   }
 
+  bool SupportsSoftFailRevChecking() const {
+    return verify_proc_type() == CERT_VERIFY_PROC_NSS ||
+           verify_proc_type() == CERT_VERIFY_PROC_WIN ||
+           verify_proc_type() == CERT_VERIFY_PROC_MAC ||
+           verify_proc_type() == CERT_VERIFY_PROC_BUILTIN;
+  }
+
+  bool SupportsRevCheckingRequiredLocalAnchors() const {
+    return verify_proc_type() == CERT_VERIFY_PROC_NSS ||
+           verify_proc_type() == CERT_VERIFY_PROC_WIN ||
+           verify_proc_type() == CERT_VERIFY_PROC_BUILTIN;
+  }
+
   CertVerifyProc* verify_proc() const { return verify_proc_.get(); }
 
  private:
@@ -899,6 +1052,99 @@ TEST_P(CertVerifyProcInternalTest,
   EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
 }
 
+// Target cert has an EV policy, and has a valid path to the EV root, but the
+// intermediate has been trusted directly. Should stop building the path at the
+// intermediate and verify OK but not with STATUS_IS_EV.
+// See https://crbug.com/979801
+TEST_P(CertVerifyProcInternalTest, TrustedIntermediateCertWithEVPolicy) {
+  if (!SupportsEV()) {
+    LOG(INFO) << "Skipping test as EV verification is not yet supported";
+    return;
+  }
+  if (!ScopedTestRootCanTrustIntermediateCert(verify_proc_type())) {
+    LOG(INFO) << "Skipping test as intermediate cert cannot be trusted";
+    return;
+  }
+
+  CertificateList orig_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "explicit-policy-chain.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, orig_certs.size());
+
+  for (bool trust_the_intermediate : {false, true}) {
+    // Need to build unique certs for each try otherwise caching can break
+    // things.
+    CertBuilder root(orig_certs[2]->cert_buffer(), nullptr);
+    CertBuilder intermediate(orig_certs[1]->cert_buffer(), &root);
+    CertBuilder leaf(orig_certs[0]->cert_buffer(), &intermediate);
+
+    // The policy that "explicit-policy-chain.pem" target certificate asserts.
+    static const char kEVTestCertPolicy[] = "1.2.3.4";
+    // Consider the root of the test chain a valid EV root for the test policy.
+    ScopedTestEVPolicy scoped_test_ev_policy(
+        EVRootCAMetadata::GetInstance(),
+        X509Certificate::CalculateFingerprint256(root.GetCertBuffer()),
+        kEVTestCertPolicy);
+
+    // CRLSet which covers the leaf.
+    base::StringPiece intermediate_spki;
+    ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(
+        x509_util::CryptoBufferAsStringPiece(intermediate.GetCertBuffer()),
+        &intermediate_spki));
+    SHA256HashValue intermediate_spki_hash;
+    crypto::SHA256HashString(intermediate_spki, &intermediate_spki_hash,
+                             sizeof(SHA256HashValue));
+    scoped_refptr<CRLSet> crl_set =
+        CRLSet::ForTesting(false, &intermediate_spki_hash, "", "", {});
+
+    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
+    intermediates.push_back(bssl::UpRef(intermediate.GetCertBuffer()));
+    scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer(
+        bssl::UpRef(leaf.GetCertBuffer()), std::move(intermediates));
+    ASSERT_TRUE(cert.get());
+
+    scoped_refptr<X509Certificate> intermediate_cert =
+        X509Certificate::CreateFromBuffer(
+            bssl::UpRef(intermediate.GetCertBuffer()), {});
+    ASSERT_TRUE(intermediate_cert.get());
+
+    scoped_refptr<X509Certificate> root_cert =
+        X509Certificate::CreateFromBuffer(bssl::UpRef(root.GetCertBuffer()),
+                                          {});
+    ASSERT_TRUE(root_cert.get());
+
+    if (!trust_the_intermediate) {
+      // First trust just the root. This verifies that the test setup is
+      // actually correct.
+      ScopedTestRoot scoped_test_root({root_cert});
+      CertVerifyResult verify_result;
+      int flags = 0;
+      int error = Verify(cert.get(), "policy_test.example", flags,
+                         crl_set.get(), CertificateList(), &verify_result);
+      EXPECT_THAT(error, IsOk());
+      ASSERT_TRUE(verify_result.verified_cert);
+      // Verified chain should include the intermediate and the root.
+      EXPECT_EQ(2U, verify_result.verified_cert->intermediate_buffers().size());
+      // Should be EV.
+      EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
+    } else {
+      // Now try with trusting both the intermediate and the root.
+      ScopedTestRoot scoped_test_root({intermediate_cert, root_cert});
+      CertVerifyResult verify_result;
+      int flags = 0;
+      int error = Verify(cert.get(), "policy_test.example", flags,
+                         crl_set.get(), CertificateList(), &verify_result);
+      EXPECT_THAT(error, IsOk());
+      ASSERT_TRUE(verify_result.verified_cert);
+      // Verified chain should only go to the trusted intermediate, not the
+      // root.
+      EXPECT_EQ(1U, verify_result.verified_cert->intermediate_buffers().size());
+      // Should not be EV.
+      EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
+    }
+  }
+}
+
 // TODO(crbug.com/605457): the test expectation was incorrect on some
 // configurations, so disable the test until it is fixed (better to have
 // a bug to track a failing test than a false sense of security due to
@@ -1071,6 +1317,22 @@ TEST_P(CertVerifyProcInternalTest, RejectExpiredCert) {
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
 }
 
+static int GetMinimumRsaDsaKeySize() {
+#if defined(OS_IOS)
+  // Beginning with iOS 13, the minimum key size for RSA/DSA algorithms is
+  // 2048 bits. See https://support.apple.com/en-us/HT210176
+  if (base::ios::IsRunningOnIOS13OrLater())
+    return 2048;
+#elif defined(OS_MACOSX)
+  // Beginning with macOS 10.15, the minimum key size for RSA/DSA algorithms
+  // is 2048 bits. See https://support.apple.com/en-us/HT210176
+  if (base::mac::IsAtLeastOS10_15())
+    return 2048;
+#endif
+
+  return 1024;
+}
+
 // Currently, only RSA and DSA keys are checked for weakness, and our example
 // weak size is 768. These could change in the future.
 //
@@ -1078,11 +1340,15 @@ TEST_P(CertVerifyProcInternalTest, RejectExpiredCert) {
 // algorithms and which are weak will pass this test.
 static bool IsWeakKeyType(const std::string& key_type) {
   size_t pos = key_type.find("-");
-  std::string size = key_type.substr(0, pos);
+  std::string size_str = key_type.substr(0, pos);
   std::string type = key_type.substr(pos + 1);
+  int size = 0;
+
+  if (!base::StringToInt(size_str, &size))
+    return false;
 
   if (type == "rsa" || type == "dsa")
-    return size == "768";
+    return size < GetMinimumRsaDsaKeySize();
 
   return false;
 }
@@ -1138,10 +1404,15 @@ TEST_P(CertVerifyProcInternalTest, RejectWeakKeys) {
 
       if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
         EXPECT_NE(OK, error);
-        EXPECT_EQ(CERT_STATUS_WEAK_KEY,
-                  verify_result.cert_status & CERT_STATUS_WEAK_KEY);
-        EXPECT_EQ(WeakKeysAreInvalid() ? CERT_STATUS_INVALID : 0,
-                  verify_result.cert_status & CERT_STATUS_INVALID);
+        if (WeakKeysAreInvalid()) {
+          EXPECT_EQ(CERT_STATUS_INVALID,
+                    verify_result.cert_status & CERT_STATUS_INVALID);
+
+        } else {
+          EXPECT_EQ(CERT_STATUS_WEAK_KEY,
+                    verify_result.cert_status & CERT_STATUS_WEAK_KEY);
+          EXPECT_EQ(0u, verify_result.cert_status & CERT_STATUS_INVALID);
+        }
       } else {
         EXPECT_THAT(error, IsOk());
         EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
@@ -1833,12 +2104,12 @@ TEST_P(CertVerifyProcInternalTest, Sha1IntermediateUsesServerGatedCrypto) {
 
   if (AreSHA1IntermediatesAllowed()) {
     EXPECT_THAT(error, IsOk());
-    EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
+    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
   } else {
-    EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
-    EXPECT_EQ(CERT_STATUS_WEAK_SIGNATURE_ALGORITHM |
-                  CERT_STATUS_SHA1_SIGNATURE_PRESENT,
-              verify_result.cert_status);
+    EXPECT_NE(error, OK);
+    EXPECT_TRUE(verify_result.cert_status &
+                CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
+    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
   }
 }
 
@@ -2249,10 +2520,6 @@ TEST_P(CertVerifyProcInternalTest, IsIssuedByKnownRootIgnoresTestRoots) {
 // Test verification with a leaf that does not contain embedded SCTs, and which
 // has a notBefore date after 2018/10/15, and with no |sct_list|.
 // On recent macOS and iOS versions this should fail to verify.
-// The iOS simulator has different verifier behavior than a real device, and
-// verification succeeds on all currently available versions. If this test
-// fails on iossim in the future, disable the test on TARGET_IPHONE_SIMULATOR
-// and file a bug against mattm.
 TEST_P(CertVerifyProcInternalTest, LeafNewerThan20181015NoScts) {
   scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
       GetTestCertsDirectory(), "treadclimber.pem",
@@ -2274,7 +2541,7 @@ TEST_P(CertVerifyProcInternalTest, LeafNewerThan20181015NoScts) {
 
 #if defined(OS_IOS) && !TARGET_IPHONE_SIMULATOR
   if (verify_proc_type() == CERT_VERIFY_PROC_IOS) {
-    if (__builtin_available(iOS 12.2, *)) {
+    if (base::ios::IsRunningOnOrLater(12, 2, 0)) {
       // TODO(mattm): Check if this can this be mapped to some better error.
       EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
       EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
@@ -2282,8 +2549,9 @@ TEST_P(CertVerifyProcInternalTest, LeafNewerThan20181015NoScts) {
     }
   }
 #elif defined(OS_MACOSX)
-  if (verify_proc_type() == CERT_VERIFY_PROC_MAC) {
-    if (__builtin_available(macOS 10.14.2, *)) {
+  if (verify_proc_type() == CERT_VERIFY_PROC_MAC ||
+      verify_proc_type() == CERT_VERIFY_PROC_IOS) {
+    if (__builtin_available(macOS 10.14.2, iOS 13, *)) {
       // TODO(mattm): SecTrustEvaluate just gives a generic
       // CSSMERR_TP_VERIFY_ACTION_FAILED error. Not sure there's much that
       // could be done about that.
@@ -2806,14 +3074,17 @@ class CertVerifyProcInternalWithNetFetchingTest
   // Registers a handler with the test server that responds with the given
   // Content-Type, HTTP status code, and response body, for GET requests
   // to |path|.
-  void RegisterSimpleTestServerHandler(std::string path,
+  // Returns the full URL to |path| for the current test server.
+  GURL RegisterSimpleTestServerHandler(std::string path,
                                        HttpStatusCode status_code,
                                        std::string content_type,
                                        std::string content) {
+    GURL handler_url(GetTestServerAbsoluteUrl(path));
     base::AutoLock lock(request_handlers_lock_);
     request_handlers_.push_back(base::BindRepeating(
         &SimpleTestServerHandler, std::move(path), status_code,
         std::move(content_type), std::move(content)));
+    return handler_url;
   }
 
   // Returns a random URL path (starting with /) that has the given suffix.
@@ -2826,15 +3097,14 @@ class CertVerifyProcInternalWithNetFetchingTest
     return test_server_.GetURL(path);
   }
 
-  // Creates a certificate chain for www.example.com, where the leaf certificate
-  // has an AIA URL pointing to the test server.
-  void CreateSimpleChainWithAIA(
-      scoped_refptr<X509Certificate>* out_leaf,
-      std::string* ca_issuers_path,
-      bssl::UniquePtr<CRYPTO_BUFFER>* out_intermediate,
-      scoped_refptr<X509Certificate>* out_root) {
+  // Creates a simple leaf->intermediate->root chain of CertBuilders with no AIA
+  // or CrlDistributionPoint extensions, and leaf having a subjectAltName of
+  // www.example.com.
+  static void CreateSimpleCertBuilderChain(
+      std::unique_ptr<CertBuilder>* out_leaf,
+      std::unique_ptr<CertBuilder>* out_intermediate,
+      std::unique_ptr<CertBuilder>* out_root) {
     const char kHostname[] = "www.example.com";
-
     base::FilePath certs_dir =
         GetTestNetDataDirectory()
             .AppendASCII("verify_certificate_chain_unittest")
@@ -2844,24 +3114,169 @@ class CertVerifyProcInternalWithNetFetchingTest
         certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO);
     ASSERT_EQ(3U, orig_certs.size());
 
-    // Build a slightly modified variant of |orig_certs|.
-    CertBuilder root(orig_certs[2]->cert_buffer(), nullptr);
-    CertBuilder intermediate(orig_certs[1]->cert_buffer(), &root);
-    CertBuilder leaf(orig_certs[0]->cert_buffer(), &intermediate);
+    // Build slightly modified variants of |orig_certs|.
+    *out_root =
+        std::make_unique<CertBuilder>(orig_certs[2]->cert_buffer(), nullptr);
+    *out_intermediate = std::make_unique<CertBuilder>(
+        orig_certs[1]->cert_buffer(), out_root->get());
+    (*out_intermediate)->EraseExtension(CrlDistributionPointsOid());
+    (*out_intermediate)->EraseExtension(AuthorityInfoAccessOid());
+    *out_leaf = std::make_unique<CertBuilder>(orig_certs[0]->cert_buffer(),
+                                              out_intermediate->get());
+    (*out_leaf)->SetSubjectAltName(kHostname);
+    (*out_leaf)->EraseExtension(CrlDistributionPointsOid());
+    (*out_leaf)->EraseExtension(AuthorityInfoAccessOid());
+  }
+
+  // Creates a certificate chain for www.example.com, where the leaf certificate
+  // has an AIA URL pointing to the test server.
+  void CreateSimpleChainWithAIA(
+      scoped_refptr<X509Certificate>* out_leaf,
+      std::string* ca_issuers_path,
+      bssl::UniquePtr<CRYPTO_BUFFER>* out_intermediate,
+      scoped_refptr<X509Certificate>* out_root) {
+    std::unique_ptr<CertBuilder> leaf, intermediate, root;
+    CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+    ASSERT_TRUE(leaf && intermediate && root);
 
     // Make the leaf certificate have an AIA (CA Issuers) that points to the
     // embedded test server. This uses a random URL for predictable behavior in
     // the presence of global caching.
     *ca_issuers_path = MakeRandomPath(".cer");
     GURL ca_issuers_url = GetTestServerAbsoluteUrl(*ca_issuers_path);
-    leaf.SetCaIssuersUrl(ca_issuers_url);
-    leaf.SetSubjectAltName(kHostname);
+    leaf->SetCaIssuersUrl(ca_issuers_url);
 
     // The chain being verified is solely the leaf certificate (missing the
     // intermediate and root).
-    *out_leaf = leaf.GetX509Certificate();
-    *out_root = root.GetX509Certificate();
-    *out_intermediate = intermediate.DupCertBuffer();
+    *out_leaf = leaf->GetX509Certificate();
+    *out_root = root->GetX509Certificate();
+    *out_intermediate = intermediate->DupCertBuffer();
+  }
+
+  // Creates a CRL issued and signed by |crl_issuer|, marking |revoked_serials|
+  // as revoked.
+  // Returns the DER-encoded CRL.
+  static std::string CreateCrl(CertBuilder* crl_issuer,
+                               const std::vector<uint64_t>& revoked_serials,
+                               DigestAlgorithm digest) {
+    std::string signature_algorithm;
+    const EVP_MD* md = nullptr;
+    switch (digest) {
+      case DigestAlgorithm::Sha256: {
+        signature_algorithm = Sha256WithRSAEncryption();
+        md = EVP_sha256();
+        break;
+      }
+
+      case DigestAlgorithm::Sha1: {
+        signature_algorithm = Sha1WithRSAEncryption();
+        md = EVP_sha1();
+        break;
+      }
+
+      case DigestAlgorithm::Md5: {
+        signature_algorithm = Md5WithRSAEncryption();
+        md = EVP_md5();
+        break;
+      }
+
+      default:
+        ADD_FAILURE();
+        return std::string();
+    }
+    //    TBSCertList  ::=  SEQUENCE  {
+    //         version                 Version OPTIONAL,
+    //                                      -- if present, MUST be v2
+    //         signature               AlgorithmIdentifier,
+    //         issuer                  Name,
+    //         thisUpdate              Time,
+    //         nextUpdate              Time OPTIONAL,
+    //         revokedCertificates     SEQUENCE OF SEQUENCE  {
+    //              userCertificate         CertificateSerialNumber,
+    //              revocationDate          Time,
+    //              crlEntryExtensions      Extensions OPTIONAL
+    //                                       -- if present, version MUST be v2
+    //                                   }  OPTIONAL,
+    //         crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
+    //                                       -- if present, version MUST be v2
+    //                                   }
+    bssl::ScopedCBB tbs_cbb;
+    CBB tbs_cert_list, revoked_serials_cbb;
+    if (!CBB_init(tbs_cbb.get(), 10) ||
+        !CBB_add_asn1(tbs_cbb.get(), &tbs_cert_list, CBS_ASN1_SEQUENCE) ||
+        !CBB_add_asn1_uint64(&tbs_cert_list, 1 /* V2 */) ||
+        !CBBAddBytes(&tbs_cert_list, signature_algorithm) ||
+        !CBBAddBytes(&tbs_cert_list, crl_issuer->GetSubject()) ||
+        !CBBAddTime(&tbs_cert_list,
+                    base::Time::Now() - base::TimeDelta::FromDays(1)) ||
+        !CBBAddTime(&tbs_cert_list,
+                    base::Time::Now() + base::TimeDelta::FromDays(6))) {
+      ADD_FAILURE();
+      return std::string();
+    }
+    if (!revoked_serials.empty()) {
+      if (!CBB_add_asn1(&tbs_cert_list, &revoked_serials_cbb,
+                        CBS_ASN1_SEQUENCE)) {
+        ADD_FAILURE();
+        return std::string();
+      }
+      for (const int64_t revoked_serial : revoked_serials) {
+        CBB revoked_serial_cbb;
+        if (!CBB_add_asn1(&revoked_serials_cbb, &revoked_serial_cbb,
+                          CBS_ASN1_SEQUENCE) ||
+            !CBB_add_asn1_uint64(&revoked_serial_cbb, revoked_serial) ||
+            !CBBAddTime(&revoked_serial_cbb,
+                        base::Time::Now() - base::TimeDelta::FromDays(1)) ||
+            !CBB_flush(&revoked_serials_cbb)) {
+          ADD_FAILURE();
+          return std::string();
+        }
+      }
+    }
+
+    std::string tbs_tlv = FinishCBB(tbs_cbb.get());
+
+    //    CertificateList  ::=  SEQUENCE  {
+    //         tbsCertList          TBSCertList,
+    //         signatureAlgorithm   AlgorithmIdentifier,
+    //         signatureValue       BIT STRING  }
+    bssl::ScopedCBB crl_cbb;
+    CBB cert_list, signature;
+    bssl::ScopedEVP_MD_CTX ctx;
+    uint8_t* sig_out;
+    size_t sig_len;
+    if (!CBB_init(crl_cbb.get(), 10) ||
+        !CBB_add_asn1(crl_cbb.get(), &cert_list, CBS_ASN1_SEQUENCE) ||
+        !CBBAddBytes(&cert_list, tbs_tlv) ||
+        !CBBAddBytes(&cert_list, signature_algorithm) ||
+        !CBB_add_asn1(&cert_list, &signature, CBS_ASN1_BITSTRING) ||
+        !CBB_add_u8(&signature, 0 /* no unused bits */) ||
+        !EVP_DigestSignInit(ctx.get(), nullptr, md, nullptr,
+                            crl_issuer->GetKey()) ||
+        !EVP_DigestSign(ctx.get(), nullptr, &sig_len,
+                        reinterpret_cast<const uint8_t*>(tbs_tlv.data()),
+                        tbs_tlv.size()) ||
+        !CBB_reserve(&signature, &sig_out, sig_len) ||
+        !EVP_DigestSign(ctx.get(), sig_out, &sig_len,
+                        reinterpret_cast<const uint8_t*>(tbs_tlv.data()),
+                        tbs_tlv.size()) ||
+        !CBB_did_write(&signature, sig_len)) {
+      ADD_FAILURE();
+      return std::string();
+    }
+    return FinishCBB(crl_cbb.get());
+  }
+
+  // Creates a CRL issued and signed by |crl_issuer|, marking |revoked_serials|
+  // as revoked, and registers it to be served by the test server.
+  // Returns the full URL to retrieve the CRL from the test server.
+  GURL CreateAndServeCrl(CertBuilder* crl_issuer,
+                         const std::vector<uint64_t>& revoked_serials,
+                         DigestAlgorithm digest = DigestAlgorithm::Sha256) {
+    std::string crl = CreateCrl(crl_issuer, revoked_serials, digest);
+    std::string crl_path = MakeRandomPath(".crl");
+    return RegisterSimpleTestServerHandler(crl_path, HTTP_OK,
+                                           "application/pkix-crl", crl);
   }
 
  private:
@@ -3235,15 +3650,741 @@ TEST_P(CertVerifyProcInternalWithNetFetchingTest,
     // This seemed to be working on Windows when !AreSHA1IntermediatesAllowed()
     // from previous testing, but then failed on the Windows 10 bot.
     if (error != OK) {
+      EXPECT_TRUE(verify_result.cert_status &
+                  CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
+      EXPECT_TRUE(verify_result.cert_status &
+                  CERT_STATUS_SHA1_SIGNATURE_PRESENT);
       EXPECT_TRUE(verify_result.has_sha1);
       EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
     }
   } else {
+    EXPECT_NE(OK, error);
+    EXPECT_TRUE(verify_result.cert_status &
+                CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
+    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
     EXPECT_TRUE(verify_result.has_sha1);
-    EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   }
 }
 
+TEST_P(CertVerifyProcInternalWithNetFetchingTest, RevocationHardFailNoCrls) {
+  if (!SupportsRevCheckingRequiredLocalAnchors()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS";
+    return;
+  }
+
+  // Create certs which have no AIA or CRL distribution points.
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with hard-fail revocation checking for local anchors.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // "Hard fail" handling varies for certificates that have no revocation
+  // mechanisms at all. Some implementations consider it okay, some consider it
+  // a failure.
+  if (verify_proc_type() == CERT_VERIFY_PROC_BUILTIN ||
+      verify_proc_type() == CERT_VERIFY_PROC_WIN) {
+    EXPECT_THAT(error, IsOk());
+  } else {
+    EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+// CRL hard fail test where both leaf and intermediate are covered by valid
+// CRLs which have empty (non-present) revokedCertificates list. Verification
+// should succeed.
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationHardFailCrlGoodNoRevokedCertificates) {
+  if (!SupportsRevCheckingRequiredLocalAnchors()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Serve a root-issued CRL which does not revoke intermediate.
+  intermediate->SetCrlDistributionPointUrl(CreateAndServeCrl(root.get(), {}));
+
+  // Serve an intermediate-issued CRL which does not revoke leaf.
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrl(intermediate.get(), {}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with hard-fail revocation checking for local anchors.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // Should pass, leaf and intermediate were covered by CRLs and were not
+  // revoked.
+  EXPECT_THAT(error, IsOk());
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+// CRL hard fail test where both leaf and intermediate are covered by valid
+// CRLs which have revokedCertificates lists that revoke other irrelevant
+// serial numbers. Verification should succeed.
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationHardFailCrlGoodIrrelevantSerialsRevoked) {
+  if (!SupportsRevCheckingRequiredLocalAnchors()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Root-issued CRL revokes leaf's serial number. This is irrelevant.
+  intermediate->SetCrlDistributionPointUrl(
+      CreateAndServeCrl(root.get(), {leaf->GetSerialNumber()}));
+
+  // Intermediate-issued CRL revokes intermediates's serial number. This is
+  // irrelevant.
+  leaf->SetCrlDistributionPointUrl(
+      CreateAndServeCrl(intermediate.get(), {intermediate->GetSerialNumber()}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with hard-fail revocation checking for local anchors.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // Should pass, leaf and intermediate were covered by CRLs and were not
+  // revoked.
+  EXPECT_THAT(error, IsOk());
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationHardFailLeafRevokedByCrl) {
+  if (!SupportsRevCheckingRequiredLocalAnchors()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Root-issued CRL which does not revoke intermediate.
+  intermediate->SetCrlDistributionPointUrl(CreateAndServeCrl(root.get(), {}));
+
+  // Leaf is revoked by intermediate issued CRL.
+  leaf->SetCrlDistributionPointUrl(
+      CreateAndServeCrl(intermediate.get(), {leaf->GetSerialNumber()}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with hard-fail revocation checking for local anchors.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // Should fail, leaf is revoked.
+  EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationHardFailIntermediateRevokedByCrl) {
+  if (!SupportsRevCheckingRequiredLocalAnchors()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Intermediate is revoked by root issued CRL.
+  intermediate->SetCrlDistributionPointUrl(
+      CreateAndServeCrl(root.get(), {intermediate->GetSerialNumber()}));
+
+  // Intermediate-issued CRL which does not revoke leaf.
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrl(intermediate.get(), {}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with hard-fail revocation checking for local anchors.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // Should fail, intermediate is revoked.
+  EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+// CRL hard fail test where the intermediate certificate has a good CRL, but
+// the leaf's distribution point returns an http error. Verification should
+// fail.
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationHardFailLeafCrlDpHttpError) {
+  if (!SupportsRevCheckingRequiredLocalAnchors()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Serve a root-issued CRL which does not revoke intermediate.
+  intermediate->SetCrlDistributionPointUrl(CreateAndServeCrl(root.get(), {}));
+
+  // Serve a 404 for the intermediate-issued CRL distribution point url.
+  leaf->SetCrlDistributionPointUrl(RegisterSimpleTestServerHandler(
+      MakeRandomPath(".crl"), HTTP_NOT_FOUND, "text/plain", "Not Found"));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with hard-fail revocation checking for local anchors.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // Should fail since no revocation information was available for the leaf.
+  if (verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {
+    // TODO(https://crbug.com/964416): This should probably be ERR_CERT_REVOKED.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+// CRL hard fail test where the leaf certificate has a good CRL, but
+// the intermediate's distribution point returns an http error. Verification
+// should fail.
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationHardFailIntermediateCrlDpHttpError) {
+  if (!SupportsRevCheckingRequiredLocalAnchors()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Serve a 404 for the root-issued CRL distribution point url.
+  intermediate->SetCrlDistributionPointUrl(RegisterSimpleTestServerHandler(
+      MakeRandomPath(".crl"), HTTP_NOT_FOUND, "text/plain", "Not Found"));
+
+  // Serve an intermediate-issued CRL which does not revoke leaf.
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrl(intermediate.get(), {}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with hard-fail revocation checking for local anchors.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // Should fail since no revocation information was available for the
+  // intermediate.
+  if (verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {
+    // TODO(https://crbug.com/964416): This should probably be ERR_CERT_REVOKED.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_P(CertVerifyProcInternalWithNetFetchingTest, RevocationSoftFailNoCrls) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  // Create certs which have no AIA or CRL distribution points.
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_MAC && IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    // Soft-fail revocation checking should succeed when no revocation mechanism
+    // is available.
+    EXPECT_THAT(error, IsOk());
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+// CRL soft fail test where both leaf and intermediate are covered by valid
+// CRLs which have empty (non-present) revokedCertificates list. Verification
+// should succeed.
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationSoftFailCrlGoodNoRevokedCertificates) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Serve a root-issued CRL which does not revoke intermediate.
+  intermediate->SetCrlDistributionPointUrl(CreateAndServeCrl(root.get(), {}));
+
+  // Serve an intermediate-issued CRL which does not revoke leaf.
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrl(intermediate.get(), {}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_MAC && IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    // Should pass, leaf and intermediate were covered by CRLs and were not
+    // revoked.
+    EXPECT_THAT(error, IsOk());
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+// CRL soft fail test where both leaf and intermediate are covered by valid
+// CRLs which have revokedCertificates lists that revoke other irrelevant
+// serial numbers. Verification should succeed.
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationSoftFailCrlGoodIrrelevantSerialsRevoked) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Root-issued CRL revokes leaf's serial number. This is irrelevant.
+  intermediate->SetCrlDistributionPointUrl(
+      CreateAndServeCrl(root.get(), {leaf->GetSerialNumber()}));
+
+  // Intermediate-issued CRL revokes intermediates's serial number. This is
+  // irrelevant.
+  leaf->SetCrlDistributionPointUrl(
+      CreateAndServeCrl(intermediate.get(), {intermediate->GetSerialNumber()}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_MAC && IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    // Should pass, leaf and intermediate were covered by CRLs and were not
+    // revoked.
+    EXPECT_THAT(error, IsOk());
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationSoftFailLeafRevokedByCrl) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Root-issued CRL which does not revoke intermediate.
+  intermediate->SetCrlDistributionPointUrl(CreateAndServeCrl(root.get(), {}));
+
+  // Leaf is revoked by intermediate issued CRL.
+  leaf->SetCrlDistributionPointUrl(
+      CreateAndServeCrl(intermediate.get(), {leaf->GetSerialNumber()}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_MAC && IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    // Should fail, leaf is revoked.
+    EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationSoftFailIntermediateRevokedByCrl) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Intermediate is revoked by root issued CRL.
+  intermediate->SetCrlDistributionPointUrl(
+      CreateAndServeCrl(root.get(), {intermediate->GetSerialNumber()}));
+
+  // Intermediate-issued CRL which does not revoke leaf.
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrl(intermediate.get(), {}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_MAC && IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    // Should fail, intermediate is revoked.
+    EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationSoftFailLeafRevokedBySha1Crl) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Root-issued CRL which does not revoke intermediate.
+  intermediate->SetCrlDistributionPointUrl(CreateAndServeCrl(root.get(), {}));
+
+  // Leaf is revoked by intermediate issued CRL which is signed with
+  // sha1WithRSAEncryption.
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrl(
+      intermediate.get(), {leaf->GetSerialNumber()}, DigestAlgorithm::Sha1));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_MAC && IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    // Should fail, leaf is revoked.
+    EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationSoftFailLeafRevokedByMd5Crl) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Root-issued CRL which does not revoke intermediate.
+  intermediate->SetCrlDistributionPointUrl(CreateAndServeCrl(root.get(), {}));
+
+  // Leaf is revoked by intermediate issued CRL which is signed with
+  // md5WithRSAEncryption.
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrl(
+      intermediate.get(), {leaf->GetSerialNumber()}, DigestAlgorithm::Md5));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {
+    // TODO(https://crbug.com/964416): This should be OK?
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else if (verify_proc_type() == CERT_VERIFY_PROC_MAC &&
+             IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else if (verify_proc_type() == CERT_VERIFY_PROC_WIN ||
+             verify_proc_type() == CERT_VERIFY_PROC_MAC) {
+    // Windows and Mac <= 10.11 honor MD5 CRLs. ¯\_(ăƒ„)_/¯
+    EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
+  } else {
+    // Verification should succeed: MD5 signature algorithm is not supported
+    // and soft-fail checking will ignore the inability to get revocation
+    // status.
+    EXPECT_THAT(error, IsOk());
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+// CRL soft fail test where the intermediate certificate has a good CRL, but
+// the leaf's distribution point returns an http error. Verification should
+// succeed.
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationSoftFailLeafCrlDpHttpError) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Serve a root-issued CRL which does not revoke intermediate.
+  intermediate->SetCrlDistributionPointUrl(CreateAndServeCrl(root.get(), {}));
+
+  // Serve a 404 for the intermediate-issued CRL distribution point url.
+  leaf->SetCrlDistributionPointUrl(RegisterSimpleTestServerHandler(
+      MakeRandomPath(".crl"), HTTP_NOT_FOUND, "text/plain", "Not Found"));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_WIN) {
+    // Win gives ERR_CERT_UNABLE_TO_CHECK_REVOCATION if the revocation checking
+    // network requests failed. TODO(https://crbug.com/964416): should be OK?
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else if (verify_proc_type() == CERT_VERIFY_PROC_MAC &&
+             IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    // Should succeed due to soft-fail revocation checking.
+    EXPECT_THAT(error, IsOk());
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+// CRL soft fail test where the leaf certificate has a good CRL, but
+// the intermediate's distribution point returns an http error. Verification
+// should succeed.
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       RevocationSoftFailIntermediateCrlDpHttpError) {
+  if (!SupportsSoftFailRevChecking()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support "
+                 "VERIFY_REV_CHECKING_ENABLED";
+    return;
+  }
+
+  const char kHostname[] = "www.example.com";
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateSimpleCertBuilderChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  // Serve a 404 for the root-issued CRL distribution point url.
+  intermediate->SetCrlDistributionPointUrl(RegisterSimpleTestServerHandler(
+      MakeRandomPath(".crl"), HTTP_NOT_FOUND, "text/plain", "Not Found"));
+
+  // Serve an intermediate-issued CRL which does not revoke leaf.
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrl(intermediate.get(), {}));
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = CreateX509CertificateWithIntermediate(
+      leaf->DupCertBuffer(), intermediate->DupCertBuffer());
+  ASSERT_TRUE(chain.get());
+
+  // Verify with soft-fail revocation checking.
+  const int flags = CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(chain.get(), kHostname, flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_WIN) {
+    // Win gives ERR_CERT_UNABLE_TO_CHECK_REVOCATION if the revocation checking
+    // network requests failed. TODO(https://crbug.com/964416): should be OK?
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else if (verify_proc_type() == CERT_VERIFY_PROC_MAC &&
+             IsMacAtLeastOS10_12()) {
+    // CRL handling seems broken on macOS >= 10.12.
+    // TODO(mattm): followup on this.
+    EXPECT_THAT(error, IsError(ERR_CERT_UNABLE_TO_CHECK_REVOCATION));
+  } else {
+    // Should succeed due to soft-fail revocation checking.
+    EXPECT_THAT(error, IsOk());
+  }
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
 TEST(CertVerifyProcTest, RejectsMD2) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
diff --git a/chromium/net/cert/cert_verify_proc_win.h b/chromium/net/cert/cert_verify_proc_win.h
index e5849069fbf..b89f08839b3 100644
--- a/chromium/net/cert/cert_verify_proc_win.h
+++ b/chromium/net/cert/cert_verify_proc_win.h
@@ -11,7 +11,7 @@ namespace net {
 
 // Performs certificate path construction and validation using Windows'
 // CryptoAPI.
-class CertVerifyProcWin : public CertVerifyProc {
+class NET_EXPORT_PRIVATE CertVerifyProcWin : public CertVerifyProc {
  public:
   CertVerifyProcWin();
 
diff --git a/chromium/net/cert/crl_set_fuzzer.cc b/chromium/net/cert/crl_set_fuzzer.cc
new file mode 100644
index 00000000000..3b83709d190
--- /dev/null
+++ b/chromium/net/cert/crl_set_fuzzer.cc
@@ -0,0 +1,32 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/cert/crl_set.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < 32 + 32 + 20)
+    return 0;
+
+  FuzzedDataProvider data_provider(data, size);
+  std::string spki_hash = data_provider.ConsumeBytesAsString(32);
+  std::string issuer_hash = data_provider.ConsumeBytesAsString(32);
+  size_t serial_length = data_provider.ConsumeIntegralInRange(4, 19);
+  std::string serial = data_provider.ConsumeBytesAsString(serial_length);
+  std::string crlset_data = data_provider.ConsumeRemainingBytesAsString();
+
+  scoped_refptr<net::CRLSet> out_crl_set;
+  net::CRLSet::Parse(crlset_data, &out_crl_set);
+
+  if (out_crl_set) {
+    out_crl_set->CheckSPKI(spki_hash);
+    out_crl_set->CheckSerial(serial, issuer_hash);
+    out_crl_set->IsExpired();
+  }
+
+  return 0;
+}
diff --git a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
index 88f0dd59620..e90fb45853b 100644
--- a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
+++ b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
@@ -13,7 +13,6 @@
 #include "base/values.h"
 #include "net/cert/ct_sct_to_string.h"
 #include "net/cert/signed_certificate_timestamp.h"
-#include "net/log/net_log_capture_mode.h"
 
 namespace net {
 
@@ -72,9 +71,8 @@ base::Value SCTListToPrintableValues(
 
 }  // namespace
 
-base::Value NetLogSignedCertificateTimestampCallback(
-    const SignedCertificateTimestampAndStatusList* scts,
-    NetLogCaptureMode capture_mode) {
+base::Value NetLogSignedCertificateTimestampParams(
+    const SignedCertificateTimestampAndStatusList* scts) {
   base::Value dict(base::Value::Type::DICTIONARY);
 
   dict.SetKey("scts", SCTListToPrintableValues(*scts));
@@ -82,11 +80,10 @@ base::Value NetLogSignedCertificateTimestampCallback(
   return dict;
 }
 
-base::Value NetLogRawSignedCertificateTimestampCallback(
+base::Value NetLogRawSignedCertificateTimestampParams(
     base::StringPiece embedded_scts,
     base::StringPiece sct_list_from_ocsp,
-    base::StringPiece sct_list_from_tls_extension,
-    NetLogCaptureMode capture_mode) {
+    base::StringPiece sct_list_from_tls_extension) {
   base::Value dict(base::Value::Type::DICTIONARY);
 
   SetBinaryData("embedded_scts", embedded_scts, &dict);
diff --git a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
index 89eb38ced2e..5704f82a5e9 100644
--- a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
+++ b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
@@ -16,25 +16,21 @@ class Value;
 
 namespace net {
 
-class NetLogCaptureMode;
-
 // Creates a dictionary of processed Signed Certificate Timestamps to be
 // logged in the NetLog.
 // See the documentation for SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED
 // in net/log/net_log_event_type_list.h
-base::Value NetLogSignedCertificateTimestampCallback(
-    const SignedCertificateTimestampAndStatusList* scts,
-    NetLogCaptureMode capture_mode);
+base::Value NetLogSignedCertificateTimestampParams(
+    const SignedCertificateTimestampAndStatusList* scts);
 
 // Creates a dictionary of raw Signed Certificate Timestamps to be logged
 // in the NetLog.
 // See the documentation for SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED
 // in net/log/net_log_event_type_list.h
-base::Value NetLogRawSignedCertificateTimestampCallback(
+base::Value NetLogRawSignedCertificateTimestampParams(
     base::StringPiece embedded_scts,
     base::StringPiece sct_list_from_ocsp,
-    base::StringPiece sct_list_from_tls_extension,
-    NetLogCaptureMode capture_mode);
+    base::StringPiece sct_list_from_tls_extension);
 
 }  // namespace net
 
diff --git a/chromium/net/cert/internal/crl.cc b/chromium/net/cert/internal/crl.cc
new file mode 100644
index 00000000000..1e580ad7678
--- /dev/null
+++ b/chromium/net/cert/internal/crl.cc
@@ -0,0 +1,603 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/crl.h"
+
+#include "base/stl_util.h"
+#include "net/cert/internal/cert_errors.h"
+#include "net/cert/internal/revocation_util.h"
+#include "net/cert/internal/signature_algorithm.h"
+#include "net/cert/internal/verify_name_match.h"
+#include "net/cert/internal/verify_signed_data.h"
+#include "net/der/input.h"
+#include "net/der/parse_values.h"
+#include "net/der/parser.h"
+#include "net/der/tag.h"
+
+namespace net {
+
+namespace {
+
+// id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+// In dotted notation: 2.5.29.28
+der::Input IssuingDistributionPointOid() {
+  static const uint8_t oid[] = {0x55, 0x1d, 0x1c};
+  return der::Input(oid);
+}
+
+WARN_UNUSED_RESULT bool NormalizeNameTLV(const der::Input& name_tlv,
+                                         std::string* out_normalized_name) {
+  der::Parser parser(name_tlv);
+  der::Input name_rdn;
+  net::CertErrors unused_errors;
+  return parser.ReadTag(der::kSequence, &name_rdn) &&
+         NormalizeName(name_rdn, out_normalized_name, &unused_errors) &&
+         !parser.HasMore();
+}
+
+bool ContainsExactMatchingName(std::vector<base::StringPiece> a,
+                               std::vector<base::StringPiece> b) {
+  std::sort(a.begin(), a.end());
+  std::sort(b.begin(), b.end());
+  return !base::STLSetIntersection<std::vector<base::StringPiece>>(a, b)
+              .empty();
+}
+
+}  // namespace
+
+bool ParseCrlCertificateList(const der::Input& crl_tlv,
+                             der::Input* out_tbs_cert_list_tlv,
+                             der::Input* out_signature_algorithm_tlv,
+                             der::BitString* out_signature_value) {
+  der::Parser parser(crl_tlv);
+
+  //   CertificateList  ::=  SEQUENCE  {
+  der::Parser certificate_list_parser;
+  if (!parser.ReadSequence(&certificate_list_parser))
+    return false;
+
+  //        tbsCertList          TBSCertList
+  if (!certificate_list_parser.ReadRawTLV(out_tbs_cert_list_tlv))
+    return false;
+
+  //        signatureAlgorithm   AlgorithmIdentifier,
+  if (!certificate_list_parser.ReadRawTLV(out_signature_algorithm_tlv))
+    return false;
+
+  //        signatureValue       BIT STRING  }
+  if (!certificate_list_parser.ReadBitString(out_signature_value))
+    return false;
+
+  // There isn't an extension point at the end of CertificateList.
+  if (certificate_list_parser.HasMore())
+    return false;
+
+  // By definition the input was a single CertificateList, so there shouldn't be
+  // unconsumed data.
+  if (parser.HasMore())
+    return false;
+
+  return true;
+}
+
+bool ParseCrlTbsCertList(const der::Input& tbs_tlv, ParsedCrlTbsCertList* out) {
+  der::Parser parser(tbs_tlv);
+
+  //   TBSCertList  ::=  SEQUENCE  {
+  der::Parser tbs_parser;
+  if (!parser.ReadSequence(&tbs_parser))
+    return false;
+
+  //         version                 Version OPTIONAL,
+  //                                      -- if present, MUST be v2
+  base::Optional<der::Input> version_der;
+  if (!tbs_parser.ReadOptionalTag(der::kInteger, &version_der))
+    return false;
+  if (version_der.has_value()) {
+    uint64_t version64;
+    if (!der::ParseUint64(*version_der, &version64))
+      return false;
+    // If version is present, it MUST be v2(1).
+    if (version64 != 1)
+      return false;
+    out->version = CrlVersion::V2;
+  } else {
+    // Uh, RFC 5280 doesn't actually say it anywhere, but presumably if version
+    // is not specified, it is V1.
+    out->version = CrlVersion::V1;
+  }
+
+  //         signature               AlgorithmIdentifier,
+  if (!tbs_parser.ReadRawTLV(&out->signature_algorithm_tlv))
+    return false;
+
+  //         issuer                  Name,
+  if (!tbs_parser.ReadRawTLV(&out->issuer_tlv))
+    return false;
+
+  //         thisUpdate              Time,
+  if (!ReadUTCOrGeneralizedTime(&tbs_parser, &out->this_update))
+    return false;
+
+  //         nextUpdate              Time OPTIONAL,
+  der::Tag maybe_next_update_tag;
+  der::Input unused_next_update_input;
+  if (tbs_parser.PeekTagAndValue(&maybe_next_update_tag,
+                                 &unused_next_update_input) &&
+      (maybe_next_update_tag == der::kUtcTime ||
+       maybe_next_update_tag == der::kGeneralizedTime)) {
+    der::GeneralizedTime next_update_time;
+    if (!ReadUTCOrGeneralizedTime(&tbs_parser, &next_update_time))
+      return false;
+    out->next_update = next_update_time;
+  } else {
+    out->next_update = base::nullopt;
+  }
+
+  //         revokedCertificates     SEQUENCE OF SEQUENCE  { ... } OPTIONAL,
+  der::Input unused_revoked_certificates;
+  der::Tag maybe_revoked_certifigates_tag;
+  if (tbs_parser.PeekTagAndValue(&maybe_revoked_certifigates_tag,
+                                 &unused_revoked_certificates) &&
+      maybe_revoked_certifigates_tag == der::kSequence) {
+    der::Input revoked_certificates_tlv;
+    if (!tbs_parser.ReadRawTLV(&revoked_certificates_tlv))
+      return false;
+    out->revoked_certificates_tlv = revoked_certificates_tlv;
+  } else {
+    out->revoked_certificates_tlv = base::nullopt;
+  }
+
+  //         crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
+  //                                       -- if present, version MUST be v2
+  if (!tbs_parser.ReadOptionalTag(der::ContextSpecificConstructed(0),
+                                  &out->crl_extensions_tlv)) {
+    return false;
+  }
+  if (out->crl_extensions_tlv.has_value()) {
+    if (out->version != CrlVersion::V2)
+      return false;
+  }
+
+  if (tbs_parser.HasMore()) {
+    // Invalid or extraneous elements.
+    return false;
+  }
+
+  // By definition the input was a single sequence, so there shouldn't be
+  // unconsumed data.
+  if (parser.HasMore())
+    return false;
+
+  return true;
+}
+
+bool ParseIssuingDistributionPoint(
+    const der::Input& extension_value,
+    std::unique_ptr<GeneralNames>* out_distribution_point_names,
+    ContainedCertsType* out_only_contains_cert_type) {
+  der::Parser idp_extension_value_parser(extension_value);
+  // IssuingDistributionPoint ::= SEQUENCE {
+  der::Parser idp_parser;
+  if (!idp_extension_value_parser.ReadSequence(&idp_parser))
+    return false;
+
+  // 5.2.5.  Conforming CRLs issuers MUST NOT issue CRLs where the DER
+  //    encoding of the issuing distribution point extension is an empty
+  //    sequence.
+  if (!idp_parser.HasMore())
+    return false;
+
+  //  distributionPoint          [0] DistributionPointName OPTIONAL,
+  base::Optional<der::Input> distribution_point;
+  if (!idp_parser.ReadOptionalTag(
+          der::kTagContextSpecific | der::kTagConstructed | 0,
+          &distribution_point)) {
+    return false;
+  }
+
+  if (distribution_point.has_value()) {
+    //   DistributionPointName ::= CHOICE {
+    der::Parser dp_name_parser(*distribution_point);
+    //        fullName                [0]     GeneralNames,
+    //        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
+    base::Optional<der::Input> der_full_name;
+    if (!dp_name_parser.ReadOptionalTag(
+            der::kTagContextSpecific | der::kTagConstructed | 0,
+            &der_full_name)) {
+      return false;
+    }
+    if (!der_full_name) {
+      // Only fullName is supported.
+      return false;
+    }
+    CertErrors errors;
+    *out_distribution_point_names =
+        GeneralNames::CreateFromValue(*der_full_name, &errors);
+    if (!*out_distribution_point_names)
+      return false;
+
+    if (dp_name_parser.HasMore()) {
+      // CHOICE represents a single value.
+      return false;
+    }
+  }
+
+  *out_only_contains_cert_type = ContainedCertsType::ANY_CERTS;
+
+  //  onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
+  base::Optional<der::Input> only_contains_user_certs;
+  if (!idp_parser.ReadOptionalTag(der::kTagContextSpecific | 1,
+                                  &only_contains_user_certs)) {
+    return false;
+  }
+  if (only_contains_user_certs.has_value()) {
+    bool bool_value;
+    if (!der::ParseBool(*only_contains_user_certs, &bool_value))
+      return false;
+    if (!bool_value)
+      return false;  // DER-encoding requires DEFAULT values be omitted.
+    *out_only_contains_cert_type = ContainedCertsType::USER_CERTS;
+  }
+
+  //  onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
+  base::Optional<der::Input> only_contains_ca_certs;
+  if (!idp_parser.ReadOptionalTag(der::kTagContextSpecific | 2,
+                                  &only_contains_ca_certs)) {
+    return false;
+  }
+  if (only_contains_ca_certs.has_value()) {
+    bool bool_value;
+    if (!der::ParseBool(*only_contains_ca_certs, &bool_value))
+      return false;
+    if (!bool_value)
+      return false;  // DER-encoding requires DEFAULT values be omitted.
+    if (*out_only_contains_cert_type != ContainedCertsType::ANY_CERTS) {
+      // 5.2.5.  at most one of onlyContainsUserCerts, onlyContainsCACerts,
+      //         and onlyContainsAttributeCerts may be set to TRUE.
+      return false;
+    }
+    *out_only_contains_cert_type = ContainedCertsType::CA_CERTS;
+  }
+
+  //  onlySomeReasons            [3] ReasonFlags OPTIONAL,
+  //  indirectCRL                [4] BOOLEAN DEFAULT FALSE,
+  //  onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
+  // onlySomeReasons, indirectCRL, and onlyContainsAttributeCerts are not
+  // supported, fail parsing if they are present.
+  if (idp_parser.HasMore())
+    return false;
+
+  return true;
+}
+
+CRLRevocationStatus GetCRLStatusForCert(
+    const der::Input& cert_serial,
+    CrlVersion crl_version,
+    const base::Optional<der::Input>& revoked_certificates_tlv) {
+  if (!revoked_certificates_tlv.has_value()) {
+    // RFC 5280 Section 5.1.2.6: "When there are no revoked certificates, the
+    // revoked certificates list MUST be absent."
+    // No covered certificates are revoked, therefore the cert is good.
+    return CRLRevocationStatus::GOOD;
+  }
+
+  der::Parser parser(*revoked_certificates_tlv);
+
+  //         revokedCertificates     SEQUENCE OF SEQUENCE  {
+  der::Parser revoked_certificates_parser;
+  if (!parser.ReadSequence(&revoked_certificates_parser))
+    return CRLRevocationStatus::UNKNOWN;
+
+  // RFC 5280 Section 5.1.2.6: "When there are no revoked certificates, the
+  // revoked certificates list MUST be absent."
+  if (!revoked_certificates_parser.HasMore())
+    return CRLRevocationStatus::UNKNOWN;
+
+  // By definition the input was a single Extensions sequence, so there
+  // shouldn't be unconsumed data.
+  if (parser.HasMore())
+    return CRLRevocationStatus::UNKNOWN;
+
+  bool found_matching_serial = false;
+
+  while (revoked_certificates_parser.HasMore()) {
+    //         revokedCertificates     SEQUENCE OF SEQUENCE  {
+    der::Parser crl_entry_parser;
+    if (!revoked_certificates_parser.ReadSequence(&crl_entry_parser))
+      return CRLRevocationStatus::UNKNOWN;
+
+    der::Input revoked_cert_serial_number;
+    //              userCertificate         CertificateSerialNumber,
+    if (!crl_entry_parser.ReadTag(der::kInteger, &revoked_cert_serial_number))
+      return CRLRevocationStatus::UNKNOWN;
+
+    //              revocationDate          Time,
+    der::GeneralizedTime unused_revocation_date;
+    if (!ReadUTCOrGeneralizedTime(&crl_entry_parser, &unused_revocation_date))
+      return CRLRevocationStatus::UNKNOWN;
+
+    //              crlEntryExtensions      Extensions OPTIONAL
+    if (crl_entry_parser.HasMore()) {
+      //                                       -- if present, version MUST be v2
+      if (crl_version != CrlVersion::V2)
+        return CRLRevocationStatus::UNKNOWN;
+
+      der::Input crl_entry_extensions_tlv;
+      if (!crl_entry_parser.ReadRawTLV(&crl_entry_extensions_tlv))
+        return CRLRevocationStatus::UNKNOWN;
+
+      std::map<der::Input, ParsedExtension> extensions;
+      if (!ParseExtensions(crl_entry_extensions_tlv, &extensions))
+        return CRLRevocationStatus::UNKNOWN;
+
+      // RFC 5280 Section 5.3: "If a CRL contains a critical CRL entry
+      // extension that the application cannot process, then the application
+      // MUST NOT use that CRL to determine the status of any certificates."
+      for (const auto& ext : extensions) {
+        if (ext.second.critical)
+          return CRLRevocationStatus::UNKNOWN;
+      }
+    }
+
+    if (crl_entry_parser.HasMore())
+      return CRLRevocationStatus::UNKNOWN;
+
+    if (revoked_cert_serial_number == cert_serial) {
+      // Cert is revoked, but can't return yet since there might be critical
+      // extensions on later entries that would prevent use of this CRL.
+      found_matching_serial = true;
+    }
+  }
+
+  if (found_matching_serial)
+    return CRLRevocationStatus::REVOKED;
+
+  // |cert| is not present in the revokedCertificates list.
+  return CRLRevocationStatus::GOOD;
+}
+
+ParsedCrlTbsCertList::ParsedCrlTbsCertList() = default;
+ParsedCrlTbsCertList::~ParsedCrlTbsCertList() = default;
+
+CRLRevocationStatus CheckCRL(base::StringPiece raw_crl,
+                             const ParsedCertificateList& valid_chain,
+                             size_t target_cert_index,
+                             const ParsedDistributionPoint& cert_dp,
+                             const base::Time& verify_time,
+                             const base::TimeDelta& max_age) {
+  DCHECK_LT(target_cert_index, valid_chain.size());
+  const ParsedCertificate* target_cert = valid_chain[target_cert_index].get();
+
+  // 6.3.3 (a) Update the local CRL cache by obtaining a complete CRL, a
+  //           delta CRL, or both, as required.
+  //
+  // This implementation only supports complete CRLs and takes the CRL as
+  // input, it is up to the caller to provide an up to date CRL.
+
+  der::Input tbs_cert_list_tlv;
+  der::Input signature_algorithm_tlv;
+  der::BitString signature_value;
+  if (!ParseCrlCertificateList(der::Input(raw_crl), &tbs_cert_list_tlv,
+                               &signature_algorithm_tlv, &signature_value)) {
+    return CRLRevocationStatus::UNKNOWN;
+  }
+
+  ParsedCrlTbsCertList tbs_cert_list;
+  if (!ParseCrlTbsCertList(tbs_cert_list_tlv, &tbs_cert_list))
+    return CRLRevocationStatus::UNKNOWN;
+
+  // 5.1.1.2  signatureAlgorithm
+  //    This field MUST contain the same algorithm identifier as the
+  //    signature field in the sequence tbsCertList (Section 5.1.2.2).
+  if (!SignatureAlgorithm::IsEquivalent(
+          signature_algorithm_tlv, tbs_cert_list.signature_algorithm_tlv)) {
+    return CRLRevocationStatus::UNKNOWN;
+  }
+  // TODO(https://crbug.com/749276): Check the signature algorithm against
+  // policy.
+  std::unique_ptr<SignatureAlgorithm> signature_algorithm =
+      SignatureAlgorithm::Create(signature_algorithm_tlv, /*errors=*/nullptr);
+  if (!signature_algorithm)
+    return CRLRevocationStatus::UNKNOWN;
+
+  // Check CRL dates. Roughly corresponds to 6.3.3 (a) (1) but does not attempt
+  // to update the CRL if it is out of date.
+  if (!CheckRevocationDateValid(
+          tbs_cert_list.this_update,
+          base::OptionalOrNullptr(tbs_cert_list.next_update), verify_time,
+          max_age)) {
+    return CRLRevocationStatus::UNKNOWN;
+  }
+
+  // 6.3.3 (a) (2) is skipped: This implementation does not support delta CRLs.
+
+  // 6.3.3 (b) Verify the issuer and scope of the complete CRL as follows:
+  // 6.3.3 (b) (1) If the DP includes cRLIssuer, then verify that the issuer
+  //               field in the complete CRL matches cRLIssuer in the DP and
+  //               that the complete CRL contains an issuing distribution
+  //               point extension with the indirectCRL boolean asserted.
+  if (cert_dp.has_crl_issuer) {
+    // Indirect CRLs are not supported.
+    return CRLRevocationStatus::UNKNOWN;
+  }
+  // 6.3.3 (b) (1) Otherwise, verify that the CRL issuer matches the
+  //               certificate issuer.
+  //
+  // Normalization for the name comparison is used although the RFC is not
+  // clear on this. There are several places that explicitly are called out as
+  // requiring identical encodings:
+  //
+  // 4.2.1.13.  CRL Distribution Points (cert extension) says the DP cRLIssuer
+  //    field MUST be exactly the same as the encoding in issuer field of the
+  //    CRL.
+  //
+  // 5.2.5.  Issuing Distribution Point (crl extension)
+  //    The identical encoding MUST be used in the distributionPoint fields
+  //    of the certificate and the CRL.
+  //
+  // 5.3.3.  Certificate Issuer (crl entry extension) also says "The encoding of
+  //    the DN MUST be identical to the encoding used in the certificate"
+  //
+  // But 6.3.3 (b) (1) just says "matches". Also NIST PKITS includes at least
+  // one test that requires normalization here.
+  // TODO(https://crbug.com/749276): could do exact comparison first and only
+  // fall back to normalizing if that fails.
+  std::string normalized_crl_issuer;
+  if (!NormalizeNameTLV(tbs_cert_list.issuer_tlv, &normalized_crl_issuer))
+    return CRLRevocationStatus::UNKNOWN;
+  if (der::Input(&normalized_crl_issuer) != target_cert->normalized_issuer())
+    return CRLRevocationStatus::UNKNOWN;
+
+  if (tbs_cert_list.crl_extensions_tlv.has_value()) {
+    std::map<der::Input, ParsedExtension> extensions;
+    if (!ParseExtensions(*tbs_cert_list.crl_extensions_tlv, &extensions))
+      return CRLRevocationStatus::UNKNOWN;
+
+    // 6.3.3 (b) (2) If the complete CRL includes an issuing distribution point
+    //               (IDP) CRL extension, check the following:
+    ParsedExtension idp_extension;
+    if (ConsumeExtension(IssuingDistributionPointOid(), &extensions,
+                         &idp_extension)) {
+      std::unique_ptr<GeneralNames> distribution_point_names;
+      ContainedCertsType only_contains_cert_type;
+      if (!ParseIssuingDistributionPoint(idp_extension.value,
+                                         &distribution_point_names,
+                                         &only_contains_cert_type)) {
+        return CRLRevocationStatus::UNKNOWN;
+      }
+
+      if (distribution_point_names) {
+        // 6.3.3. (b) (2) (i) If the distribution point name is present in the
+        //                    IDP CRL extension and the distribution field is
+        //                    present in the DP, then verify that one of the
+        //                    names in the IDP matches one of the names in the
+        //                    DP.
+        // 5.2.5.  The identical encoding MUST be used in the distributionPoint
+        //         fields of the certificate and the CRL.
+        // TODO(https://crbug.com/749276): Check other name types?
+        if (!ContainsExactMatchingName(
+                cert_dp.uris,
+                distribution_point_names->uniform_resource_identifiers)) {
+          return CRLRevocationStatus::UNKNOWN;
+        }
+
+        // 6.3.3. (b) (2) (i) If the distribution point name is present in the
+        //                    IDP CRL extension and the distribution field is
+        //                    omitted from the DP, then verify that one of the
+        //                    names in the IDP matches one of the names in the
+        //                    cRLIssuer field of the DP.
+        // Indirect CRLs are not supported, if indirectCRL was specified,
+        // ParseIssuingDistributionPoint would already have failed.
+      }
+
+      switch (only_contains_cert_type) {
+        case ContainedCertsType::USER_CERTS:
+          // 6.3.3. (b) (2) (ii)  If the onlyContainsUserCerts boolean is
+          //                      asserted in the IDP CRL extension, verify
+          //                      that the certificate does not include the
+          //                      basic constraints extension with the cA
+          //                      boolean asserted.
+          // 5.2.5.  If either onlyContainsUserCerts or onlyContainsCACerts is
+          //         set to TRUE, then the scope of the CRL MUST NOT include any
+          //         version 1 or version 2 certificates.
+          if ((target_cert->has_basic_constraints() &&
+               target_cert->basic_constraints().is_ca) ||
+              target_cert->tbs().version == CertificateVersion::V1 ||
+              target_cert->tbs().version == CertificateVersion::V2) {
+            return CRLRevocationStatus::UNKNOWN;
+          }
+          break;
+
+        case ContainedCertsType::CA_CERTS:
+          // 6.3.3. (b) (2) (iii) If the onlyContainsCACerts boolean is asserted
+          //                      in the IDP CRL extension, verify that the
+          //                      certificate includes the basic constraints
+          //                      extension with the cA boolean asserted.
+          // The version check is not done here, as the basicConstraints
+          // extension is required, and could not be present unless it is a V3
+          // certificate.
+          if (!target_cert->has_basic_constraints() ||
+              !target_cert->basic_constraints().is_ca) {
+            return CRLRevocationStatus::UNKNOWN;
+          }
+          break;
+
+        case ContainedCertsType::ANY_CERTS:
+          //                (iv)  Verify that the onlyContainsAttributeCerts
+          //                      boolean is not asserted.
+          // If onlyContainsAttributeCerts was present,
+          // ParseIssuingDistributionPoint would already have failed.
+          break;
+      }
+    }
+
+    for (const auto& ext : extensions) {
+      // Fail if any unhandled critical CRL extensions are present.
+      if (ext.second.critical)
+        return CRLRevocationStatus::UNKNOWN;
+    }
+  }
+
+  // 6.3.3 (c-e) skipped: delta CRLs and reason codes are not supported.
+
+  // This implementation only supports direct CRLs where the CRL was signed by
+  // one of the certs in its validated issuer chain. This allows handling some
+  // cases of key rollover without requiring additional CRL issuer cert
+  // discovery & path building.
+  // TODO(https://crbug.com/749276): should this loop start at
+  // |target_cert_index|? There doesn't seem to be anything in the specs that
+  // precludes a CRL signed by a self-issued cert from covering itself. On the
+  // other hand it seems like a pretty weird thing to allow and causes NIST
+  // PKITS 4.5.3 to pass when it seems like it would not be intended to (since
+  // issuingDistributionPoint CRL extension is not handled).
+  for (size_t i = target_cert_index + 1; i < valid_chain.size(); ++i) {
+    const ParsedCertificate* issuer_cert = valid_chain[i].get();
+
+    // 6.3.3 (f) Obtain and validate the certification path for the issuer of
+    //           the complete CRL.  The trust anchor for the certification
+    //           path MUST be the same as the trust anchor used to validate
+    //           the target certificate.
+    //
+    // As the |issuer_cert| is from the already validated chain, it is already
+    // known to chain to the same trust anchor as the target certificate.
+    if (der::Input(&normalized_crl_issuer) != issuer_cert->normalized_subject())
+      continue;
+
+    // 6.3.3 (f) If a key usage extension is present in the CRL issuer's
+    //           certificate, verify that the cRLSign bit is set.
+    if (issuer_cert->has_key_usage() &&
+        !issuer_cert->key_usage().AssertsBit(KEY_USAGE_BIT_CRL_SIGN)) {
+      continue;
+    }
+
+    // 6.3.3 (g) Validate the signature on the complete CRL using the public
+    //           key validated in step (f).
+    if (!VerifySignedData(*signature_algorithm, tbs_cert_list_tlv,
+                          signature_value, issuer_cert->tbs().spki_tlv)) {
+      continue;
+    }
+
+    // 6.3.3 (h,i) skipped. This implementation does not support delta CRLs.
+
+    // 6.3.3 (j) If (cert_status is UNREVOKED), then search for the
+    //           certificate on the complete CRL.  If an entry is found that
+    //           matches the certificate issuer and serial number as described
+    //           in Section 5.3.3, then set the cert_status variable to the
+    //           indicated reason as described in step (i).
+    //
+    // CRL is valid and covers |target_cert|, check if |target_cert| is present
+    // in the revokedCertificates sequence.
+    return GetCRLStatusForCert(target_cert->tbs().serial_number,
+                               tbs_cert_list.version,
+                               tbs_cert_list.revoked_certificates_tlv);
+
+    // 6.3.3 (k,l) skipped. This implementation does not support reason codes.
+  }
+
+  // Did not find the issuer & signer of |raw_crl| in |valid_chain|.
+  return CRLRevocationStatus::UNKNOWN;
+}
+
+}  // namespace net
diff --git a/chromium/net/cert/internal/crl.h b/chromium/net/cert/internal/crl.h
new file mode 100644
index 00000000000..a61b2156faf
--- /dev/null
+++ b/chromium/net/cert/internal/crl.h
@@ -0,0 +1,224 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_CRL_H_
+#define NET_CERT_INTERNAL_CRL_H_
+
+#include "base/optional.h"
+#include "base/strings/string_piece_forward.h"
+#include "base/time/time.h"
+#include "net/base/net_export.h"
+#include "net/cert/internal/general_names.h"
+#include "net/cert/internal/parsed_certificate.h"
+#include "net/der/input.h"
+#include "net/der/parse_values.h"
+
+namespace net {
+
+struct ParsedCrlTbsCertList;
+struct ParsedDistributionPoint;
+
+// TODO(https://crbug.com/749276): This is the same enum with the same meaning
+// as OCSPRevocationStatus, maybe they should be merged?
+enum class CRLRevocationStatus {
+  GOOD = 0,
+  REVOKED = 1,
+  UNKNOWN = 2,
+  MAX_VALUE = UNKNOWN
+};
+
+// Parses a DER-encoded CRL "CertificateList" as specified by RFC 5280 Section
+// 5.1. Returns true on success and sets the results in the |out_*| parameters.
+// The contents of the output data is not validated.
+//
+// Note that on success the out parameters alias data from the input |crl_tlv|.
+// Hence the output values are only valid as long as |crl_tlv| remains valid.
+//
+// On failure the out parameters have an undefined state. Some of them may have
+// been updated during parsing, whereas others may not have been changed.
+//
+//    CertificateList  ::=  SEQUENCE  {
+//         tbsCertList          TBSCertList,
+//         signatureAlgorithm   AlgorithmIdentifier,
+//         signatureValue       BIT STRING  }
+NET_EXPORT_PRIVATE bool ParseCrlCertificateList(
+    const der::Input& crl_tlv,
+    der::Input* out_tbs_cert_list_tlv,
+    der::Input* out_signature_algorithm_tlv,
+    der::BitString* out_signature_value) WARN_UNUSED_RESULT;
+
+// Parses a DER-encoded "TBSCertList" as specified by RFC 5280 Section 5.1.
+// Returns true on success and sets the results in |out|.
+//
+// Note that on success |out| aliases data from the input |tbs_tlv|.
+// Hence the fields of the ParsedCrlTbsCertList are only valid as long as
+// |tbs_tlv| remains valid.
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others may not have been changed.
+//
+// Refer to the per-field documentation of ParsedCrlTbsCertList for details on
+// what validity checks parsing performs.
+//
+//    TBSCertList  ::=  SEQUENCE  {
+//         version                 Version OPTIONAL,
+//                                      -- if present, MUST be v2
+//         signature               AlgorithmIdentifier,
+//         issuer                  Name,
+//         thisUpdate              Time,
+//         nextUpdate              Time OPTIONAL,
+//         revokedCertificates     SEQUENCE OF SEQUENCE  {
+//              userCertificate         CertificateSerialNumber,
+//              revocationDate          Time,
+//              crlEntryExtensions      Extensions OPTIONAL
+//                                       -- if present, version MUST be v2
+//                                   }  OPTIONAL,
+//         crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
+//                                       -- if present, version MUST be v2
+//                                   }
+NET_EXPORT_PRIVATE bool ParseCrlTbsCertList(const der::Input& tbs_tlv,
+                                            ParsedCrlTbsCertList* out)
+    WARN_UNUSED_RESULT;
+
+// Represents a CRL "Version" from RFC 5280. TBSCertList reuses the same
+// Version definition from TBSCertificate, however only v1(not present) and
+// v2(1) are valid values, so a unique enum is used to avoid confusion.
+enum class CrlVersion {
+  V1,
+  V2,
+};
+
+// Corresponds with "TBSCertList" from RFC 5280 Section 5.1:
+struct NET_EXPORT_PRIVATE ParsedCrlTbsCertList {
+  ParsedCrlTbsCertList();
+  ~ParsedCrlTbsCertList();
+
+  //         version                 Version OPTIONAL,
+  //                                      -- if present, MUST be v2
+  //
+  // Parsing guarantees that the version is one of v1 or v2.
+  CrlVersion version = CrlVersion::V1;
+
+  //         signature               AlgorithmIdentifier,
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE.
+  //
+  // This can be further parsed using SignatureValue::Create().
+  der::Input signature_algorithm_tlv;
+
+  //         issuer               Name,
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE.
+  der::Input issuer_tlv;
+
+  //         thisUpdate              Time,
+  //         nextUpdate              Time OPTIONAL,
+  //
+  // Parsing guarantees that thisUpdate and nextUpdate(if present) are valid
+  // DER-encoded dates, however it DOES NOT guarantee anything about their
+  // values. For instance notAfter could be before notBefore, or the dates
+  // could indicate an expired CRL.
+  der::GeneralizedTime this_update;
+  base::Optional<der::GeneralizedTime> next_update;
+
+  //         revokedCertificates     SEQUENCE OF SEQUENCE  {
+  //              userCertificate         CertificateSerialNumber,
+  //              revocationDate          Time,
+  //              crlEntryExtensions      Extensions OPTIONAL
+  //                                       -- if present, version MUST be v2
+  //                                   }  OPTIONAL,
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE.
+  base::Optional<der::Input> revoked_certificates_tlv;
+
+  //         crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
+  //                                       -- if present, version MUST be v2
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE. (Note that the
+  // EXPLICIT outer tag is stripped.)
+  //
+  // Parsing guarantees that if extensions is present the version is v2.
+  base::Optional<der::Input> crl_extensions_tlv;
+};
+
+// Represents the IssuingDistributionPoint certificate type constraints:
+enum class ContainedCertsType {
+  // Neither onlyContainsUserCerts or onlyContainsCACerts was present.
+  ANY_CERTS,
+  // onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
+  USER_CERTS,
+  // onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
+  CA_CERTS,
+};
+
+// Parses a DER-encoded IssuingDistributionPoint extension value.
+// Returns true on success and sets the results in the |out_*| parameters.
+//
+// If the IssuingDistributionPoint contains a distributionPoint fullName field,
+// |out_distribution_point_names| will contain the parsed representation.
+// If the distributionPoint type is nameRelativeToCRLIssuer, parsing will fail.
+//
+// |out_only_contains_cert_type| will contain the logical representation of the
+// onlyContainsUserCerts and onlyContainsCACerts fields (or their absence).
+//
+// indirectCRL and onlyContainsAttributeCerts are not supported and parsing will
+// fail if they are present.
+//
+// Note that on success |out_distribution_point_names| aliases data from the
+// input |extension_value|.
+//
+// On failure the |out_*| parameters have undefined state.
+//
+// IssuingDistributionPoint ::= SEQUENCE {
+//     distributionPoint          [0] DistributionPointName OPTIONAL,
+//     onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
+//     onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
+//     onlySomeReasons            [3] ReasonFlags OPTIONAL,
+//     indirectCRL                [4] BOOLEAN DEFAULT FALSE,
+//     onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
+NET_EXPORT_PRIVATE bool ParseIssuingDistributionPoint(
+    const der::Input& extension_value,
+    std::unique_ptr<GeneralNames>* out_distribution_point_names,
+    ContainedCertsType* out_only_contains_cert_type) WARN_UNUSED_RESULT;
+
+NET_EXPORT_PRIVATE CRLRevocationStatus
+GetCRLStatusForCert(const der::Input& cert_serial,
+                    CrlVersion crl_version,
+                    const base::Optional<der::Input>& revoked_certificates_tlv);
+
+// Checks the revocation status of the certificate |cert| by using the
+// DER-encoded |raw_crl|. |cert| must already have passed certificate path
+// validation.
+//
+// Returns GOOD if the CRL indicates the certificate is not revoked,
+// REVOKED if it indicates it is revoked, or UNKNOWN for all other cases.
+//
+//  * |raw_crl|: A DER encoded CRL CertificateList.
+//  * |valid_chain|: The validated certificate chain containing the target cert.
+//  * |target_cert_index|: The index into |valid_chain| of the certificate being
+//        checked for revocation.
+//  * |cert_dp|: The distribution point from the target certificate's CRL
+//        distribution points extension that |raw_crl| corresponds to. If
+//        |raw_crl| was not specified in a distribution point, the caller must
+//        synthesize a ParsedDistributionPoint object as specified by RFC 5280
+//        6.3.3.
+//  * |verify_time|: The time to use when checking revocation status.
+//  * |max_age|: The maximum age for a CRL, implemented as time since
+//        the |thisUpdate| field in the CRL TBSCertList. Responses older than
+//        |max_age| will be considered invalid.
+NET_EXPORT CRLRevocationStatus
+CheckCRL(base::StringPiece raw_crl,
+         const ParsedCertificateList& valid_chain,
+         size_t target_cert_index,
+         const ParsedDistributionPoint& cert_dp,
+         const base::Time& verify_time,
+         const base::TimeDelta& max_age) WARN_UNUSED_RESULT;
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_CRL_H_
diff --git a/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc b/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc
new file mode 100644
index 00000000000..a02ad88cb56
--- /dev/null
+++ b/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc
@@ -0,0 +1,28 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "crypto/sha2.h"
+#include "net/cert/internal/crl.h"
+#include "net/der/input.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  const net::der::Input input_der(data, size);
+
+  const std::string data_hash =
+      crypto::SHA256HashString(input_der.AsStringPiece());
+  const net::CrlVersion crl_version =
+      (data_hash[0] % 2) ? net::CrlVersion::V2 : net::CrlVersion::V1;
+  const size_t serial_len = data_hash[1] % (data_hash.size() - 2);
+  CHECK_LT(serial_len + 2, data_hash.size());
+  const net::der::Input cert_serial(
+      reinterpret_cast<const uint8_t*>(data_hash.data() + 2), serial_len);
+
+  net::GetCRLStatusForCert(cert_serial, crl_version,
+                           base::make_optional(input_der));
+
+  return 0;
+}
diff --git a/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc b/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc
new file mode 100644
index 00000000000..e735e327d8a
--- /dev/null
+++ b/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc
@@ -0,0 +1,22 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/cert/internal/crl.h"
+#include "net/der/input.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::der::Input crl_der(data, size);
+
+  net::der::Input tbs_cert_list_tlv;
+  net::der::Input signature_algorithm_tlv;
+  net::der::BitString signature_value;
+
+  ignore_result(net::ParseCrlCertificateList(
+      crl_der, &tbs_cert_list_tlv, &signature_algorithm_tlv, &signature_value));
+
+  return 0;
+}
diff --git a/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc b/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc
new file mode 100644
index 00000000000..2fe8a0ea83b
--- /dev/null
+++ b/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/cert/internal/crl.h"
+#include "net/der/input.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::der::Input input_der(data, size);
+
+  net::ParsedCrlTbsCertList tbs_cert_list;
+  ignore_result(net::ParseCrlTbsCertList(input_der, &tbs_cert_list));
+
+  return 0;
+}
diff --git a/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc b/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
new file mode 100644
index 00000000000..24bce9866f8
--- /dev/null
+++ b/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
@@ -0,0 +1,25 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/cert/internal/crl.h"
+#include "net/der/input.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::der::Input idp_der(data, size);
+
+  std::unique_ptr<net::GeneralNames> distribution_point_names;
+  net::ContainedCertsType only_contains_cert_type;
+
+  if (net::ParseIssuingDistributionPoint(idp_der, &distribution_point_names,
+                                         &only_contains_cert_type)) {
+    CHECK((distribution_point_names &&
+           distribution_point_names->present_name_types !=
+               net::GENERAL_NAME_NONE) ||
+          only_contains_cert_type != net::ContainedCertsType::ANY_CERTS);
+  }
+  return 0;
+}
diff --git a/chromium/net/cert/internal/crl_unittest.cc b/chromium/net/cert/internal/crl_unittest.cc
new file mode 100644
index 00000000000..728159d8b60
--- /dev/null
+++ b/chromium/net/cert/internal/crl_unittest.cc
@@ -0,0 +1,202 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/crl.h"
+
+#include "net/cert/internal/cert_errors.h"
+#include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/internal/test_helpers.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/boringssl/src/include/openssl/pool.h"
+
+namespace net {
+
+namespace {
+
+constexpr base::TimeDelta kAgeOneWeek = base::TimeDelta::FromDays(7);
+
+std::string GetFilePath(base::StringPiece file_name) {
+  return std::string("net/data/crl_unittest/") + file_name.as_string();
+}
+
+scoped_refptr<ParsedCertificate> ParseCertificate(base::StringPiece data) {
+  CertErrors errors;
+  return ParsedCertificate::Create(
+      bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
+          reinterpret_cast<const uint8_t*>(data.data()), data.size(), nullptr)),
+      {}, &errors);
+}
+
+class CheckCRLTest : public ::testing::TestWithParam<const char*> {};
+
+// Test prefix naming scheme:
+//   good = valid CRL, cert affirmatively not revoked
+//   revoked = valid CRL, cert affirmatively revoked
+//   bad = valid CRL, but cert status is unknown (cases like unhandled features,
+//           mismatching issuer or signature, etc)
+//   invalid = corrupt or violates some spec requirement
+constexpr char const* kTestParams[] = {
+    "good.pem",
+    "good_issuer_name_normalization.pem",
+    "good_issuer_no_keyusage.pem",
+    "good_no_nextupdate.pem",
+    "good_fake_extension.pem",
+    "good_fake_extension_no_nextupdate.pem",
+    "good_generalizedtime.pem",
+    "good_no_version.pem",
+    "good_no_crldp.pem",
+    "good_key_rollover.pem",
+    "good_idp_contains_uri.pem",
+    "good_idp_onlycontainsusercerts.pem",
+    "good_idp_onlycontainsusercerts_no_basic_constraints.pem",
+    "good_idp_onlycontainscacerts.pem",
+    "good_idp_uri_and_onlycontainsusercerts.pem",
+    "good_idp_uri_and_onlycontainscacerts.pem",
+    "revoked.pem",
+    "revoked_no_nextupdate.pem",
+    "revoked_fake_crlentryextension.pem",
+    "revoked_generalized_revocationdate.pem",
+    "revoked_key_rollover.pem",
+    "bad_crldp_has_crlissuer.pem",
+    "bad_fake_critical_extension.pem",
+    "bad_fake_critical_crlentryextension.pem",
+    "bad_signature.pem",
+    "bad_thisupdate_in_future.pem",
+    "bad_thisupdate_too_old.pem",
+    "bad_nextupdate_too_old.pem",
+    "bad_wrong_issuer.pem",
+    "bad_key_rollover_signature.pem",
+    "bad_idp_contains_wrong_uri.pem",
+    "bad_idp_indirectcrl.pem",
+    "bad_idp_onlycontainsusercerts.pem",
+    "bad_idp_onlycontainscacerts.pem",
+    "bad_idp_onlycontainscacerts_no_basic_constraints.pem",
+    "bad_idp_uri_and_onlycontainsusercerts.pem",
+    "bad_idp_uri_and_onlycontainscacerts.pem",
+    "invalid_mismatched_signature_algorithm.pem",
+    "invalid_revoked_empty_sequence.pem",
+    "invalid_v1_with_extension.pem",
+    "invalid_v1_with_crlentryextension.pem",
+    "invalid_v1_explicit.pem",
+    "invalid_v3.pem",
+    "invalid_issuer_keyusage_no_crlsign.pem",
+    "invalid_key_rollover_issuer_keyusage_no_crlsign.pem",
+    "invalid_garbage_version.pem",
+    "invalid_garbage_tbs_signature_algorithm.pem",
+    "invalid_garbage_issuer_name.pem",
+    "invalid_garbage_thisupdate.pem",
+    "invalid_garbage_after_thisupdate.pem",
+    "invalid_garbage_after_nextupdate.pem",
+    "invalid_garbage_after_revokedcerts.pem",
+    "invalid_garbage_after_extensions.pem",
+    "invalid_garbage_tbscertlist.pem",
+    "invalid_garbage_signaturealgorithm.pem",
+    "invalid_garbage_signaturevalue.pem",
+    "invalid_garbage_after_signaturevalue.pem",
+    "invalid_garbage_revoked_serial_number.pem",
+    "invalid_garbage_revocationdate.pem",
+    "invalid_garbage_after_revocationdate.pem",
+    "invalid_garbage_after_crlentryextensions.pem",
+    "invalid_garbage_crlentry.pem",
+    "invalid_idp_dpname_choice_extra_data.pem",
+    "invalid_idp_empty_sequence.pem",
+    "invalid_idp_onlycontains_user_and_ca_certs.pem",
+    "invalid_idp_onlycontainsusercerts_v1_leaf.pem",
+};
+
+struct PrintTestName {
+  std::string operator()(
+      const testing::TestParamInfo<const char*>& info) const {
+    base::StringPiece name(info.param);
+    // Strip ".pem" from the end as GTest names cannot contain period.
+    name.remove_suffix(4);
+    return name.as_string();
+  }
+};
+
+INSTANTIATE_TEST_SUITE_P(,
+                         CheckCRLTest,
+                         ::testing::ValuesIn(kTestParams),
+                         PrintTestName());
+
+TEST_P(CheckCRLTest, FromFile) {
+  base::StringPiece file_name(GetParam());
+
+  std::string crl_data;
+  std::string ca_data_2;
+  std::string ca_data;
+  std::string cert_data;
+  const PemBlockMapping mappings[] = {
+      {"CRL", &crl_data},
+      {"CA CERTIFICATE 2", &ca_data_2, /*optional=*/true},
+      {"CA CERTIFICATE", &ca_data},
+      {"CERTIFICATE", &cert_data},
+  };
+
+  ASSERT_TRUE(ReadTestDataFromPemFile(GetFilePath(file_name), mappings));
+
+  scoped_refptr<ParsedCertificate> cert = ParseCertificate(cert_data);
+  ASSERT_TRUE(cert);
+  scoped_refptr<ParsedCertificate> issuer_cert = ParseCertificate(ca_data);
+  ASSERT_TRUE(issuer_cert);
+  ParsedCertificateList certs = {cert, issuer_cert};
+  if (!ca_data_2.empty()) {
+    scoped_refptr<ParsedCertificate> issuer_cert_2 =
+        ParseCertificate(ca_data_2);
+    ASSERT_TRUE(issuer_cert_2);
+    certs.push_back(issuer_cert_2);
+  }
+
+  // Assumes that all the target certs in the test data certs have at most 1
+  // CRL distributionPoint. If the cert has a CRL distributionPoint, it is
+  // used for verifying the CRL, otherwise the CRL is verified with a
+  // synthesized distributionPoint. This is allowed since there are some
+  // conditions that require a V1 certificate to test, which cannot have a
+  // crlDistributionPoints extension.
+  // TODO(https://crbug.com/749276): This seems slightly hacky. Maybe the
+  // distribution point to use should be specified separately in the test PEM?
+  ParsedDistributionPoint fake_cert_dp;
+  ParsedDistributionPoint* cert_dp = &fake_cert_dp;
+  std::vector<ParsedDistributionPoint> distribution_points;
+  ParsedExtension crl_dp_extension;
+  if (cert->GetExtension(CrlDistributionPointsOid(), &crl_dp_extension)) {
+    ASSERT_TRUE(ParseCrlDistributionPoints(crl_dp_extension.value,
+                                           &distribution_points));
+    ASSERT_LE(distribution_points.size(), 1U);
+    if (!distribution_points.empty())
+      cert_dp = &distribution_points[0];
+  }
+  ASSERT_TRUE(cert_dp);
+
+  // Mar 9 00:00:00 2017 GMT
+  base::Time kVerifyTime =
+      base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1489017600);
+
+  CRLRevocationStatus expected_revocation_status = CRLRevocationStatus::UNKNOWN;
+  if (file_name.starts_with("good"))
+    expected_revocation_status = CRLRevocationStatus::GOOD;
+  else if (file_name.starts_with("revoked"))
+    expected_revocation_status = CRLRevocationStatus::REVOKED;
+
+  CRLRevocationStatus revocation_status =
+      CheckCRL(crl_data, certs, /*target_cert_index=*/0, *cert_dp, kVerifyTime,
+               kAgeOneWeek);
+  EXPECT_EQ(expected_revocation_status, revocation_status);
+
+  // Test with a random cert added to the front of the chain and
+  // |target_cert_index=1|. This is a hacky way to verify that
+  // target_cert_index is actually being honored.
+  ParsedCertificateList other_certs;
+  ASSERT_TRUE(ReadCertChainFromFile("net/data/ssl/certificates/ok_cert.pem",
+                                    &other_certs));
+  ASSERT_FALSE(other_certs.empty());
+  certs.insert(certs.begin(), other_certs[0]);
+  revocation_status = CheckCRL(crl_data, certs, /*target_cert_index=*/1,
+                               *cert_dp, kVerifyTime, kAgeOneWeek);
+  EXPECT_EQ(expected_revocation_status, revocation_status);
+}
+
+}  // namespace
+
+}  // namespace net
diff --git a/chromium/net/cert/internal/ocsp.h b/chromium/net/cert/internal/ocsp.h
index e8ab44efbbc..5a4dca150c1 100644
--- a/chromium/net/cert/internal/ocsp.h
+++ b/chromium/net/cert/internal/ocsp.h
@@ -224,24 +224,6 @@ struct NET_EXPORT OCSPResponse {
   std::vector<der::Input> certs;
 };
 
-// Baseline Requirements 1.5.6, section 4.9.10:
-//   For the status of Subscriber Certificates: The CA SHALL update information
-//     provided via an Online Certificate Status Protocol at least every four
-//     days.  OCSP responses from this service MUST have a maximum expiration
-//     time of ten days.
-// TODO(mattm): Document the rationale for 7 days.
-constexpr base::TimeDelta kMaxOCSPLeafUpdateAge = base::TimeDelta::FromDays(7);
-
-// Baseline Requirements 1.5.6, section 4.9.10:
-//   For the status of Subordinate CA Certificates: The CA SHALL update
-//     information provided via an Online Certificate Status Protocol at least
-//     (i) every twelve months and (ii) within 24 hours after revoking a
-//     Subordinate CA Certificate.
-// Use 366 days to allow for leap years, though it is overly permissive in
-// other years.
-constexpr base::TimeDelta kMaxOCSPIntermediateUpdateAge =
-    base::TimeDelta::FromDays(366);
-
 // From RFC 6960:
 //
 // id-pkix-ocsp           OBJECT IDENTIFIER ::= { id-ad-ocsp }
diff --git a/chromium/net/cert/internal/path_builder.cc b/chromium/net/cert/internal/path_builder.cc
index b04dfdb05d8..c39f67c01a7 100644
--- a/chromium/net/cert/internal/path_builder.cc
+++ b/chromium/net/cert/internal/path_builder.cc
@@ -9,6 +9,7 @@
 #include <unordered_set>
 
 #include "base/logging.h"
+#include "base/metrics/histogram_functions.h"
 #include "base/strings/string_number_conversions.h"
 #include "crypto/sha2.h"
 #include "net/base/net_errors.h"
@@ -55,6 +56,11 @@ std::string PathDebugString(const ParsedCertificateList& certs) {
   return s;
 }
 
+void RecordIterationCountHistogram(uint32_t iteration_count) {
+  base::UmaHistogramCounts10000("Net.CertVerifier.PathBuilderIterationCount",
+                                iteration_count);
+}
+
 // This structure describes a certificate and its trust level. Note that |cert|
 // may be null to indicate an "empty" entry.
 struct IssuerEntry {
@@ -372,6 +378,7 @@ class CertPathIter {
   // returns false.
   bool GetNextPath(ParsedCertificateList* out_certs,
                    CertificateTrust* out_last_cert_trust,
+                   const base::TimeTicks deadline,
                    uint32_t* iteration_count,
                    const uint32_t max_iteration_count);
 
@@ -405,9 +412,13 @@ void CertPathIter::AddCertIssuerSource(CertIssuerSource* cert_issuer_source) {
 
 bool CertPathIter::GetNextPath(ParsedCertificateList* out_certs,
                                CertificateTrust* out_last_cert_trust,
+                               const base::TimeTicks deadline,
                                uint32_t* iteration_count,
                                const uint32_t max_iteration_count) {
   while (true) {
+    if (!deadline.is_null() && base::TimeTicks::Now() > deadline)
+      return false;
+
     if (!next_issuer_.cert) {
       if (cur_path_.Empty()) {
         DVLOG(1) << "CertPathIter exhausted all paths...";
@@ -565,6 +576,10 @@ void CertPathBuilder::SetIterationLimit(uint32_t limit) {
   max_iteration_count_ = limit;
 }
 
+void CertPathBuilder::SetDeadline(base::TimeTicks deadline) {
+  deadline_ = deadline;
+}
+
 void CertPathBuilder::Run() {
   uint32_t iteration_count = 0;
 
@@ -573,12 +588,16 @@ void CertPathBuilder::Run() {
         std::make_unique<CertPathBuilderResultPath>();
 
     if (!cert_path_iter_->GetNextPath(&result_path->certs,
-                                      &result_path->last_cert_trust,
+                                      &result_path->last_cert_trust, deadline_,
                                       &iteration_count, max_iteration_count_)) {
       // No more paths to check.
       if (max_iteration_count_ > 0 && iteration_count > max_iteration_count_) {
         out_result_->exceeded_iteration_limit = true;
       }
+      if (!deadline_.is_null() && base::TimeTicks::Now() > deadline_) {
+        out_result_->exceeded_deadline = true;
+      }
+      RecordIterationCountHistogram(iteration_count);
       return;
     }
 
@@ -600,6 +619,7 @@ void CertPathBuilder::Run() {
     AddResultPath(std::move(result_path));
 
     if (path_is_good) {
+      RecordIterationCountHistogram(iteration_count);
       // Found a valid path, return immediately.
       // TODO(mattm): add debug/test mode that tries all possible paths.
       return;
diff --git a/chromium/net/cert/internal/path_builder.h b/chromium/net/cert/internal/path_builder.h
index ec095177123..5562c4ebd32 100644
--- a/chromium/net/cert/internal/path_builder.h
+++ b/chromium/net/cert/internal/path_builder.h
@@ -133,6 +133,10 @@ class NET_EXPORT CertPathBuilder {
     // configured with |SetIterationLimit|.
     bool exceeded_iteration_limit = false;
 
+    // True if the search stopped because it exceeded the deadline configured
+    // with |SetDeadline|.
+    bool exceeded_deadline = false;
+
    private:
     DISALLOW_COPY_AND_ASSIGN(Result);
   };
@@ -177,6 +181,12 @@ class NET_EXPORT CertPathBuilder {
   // new intermediate over all potential paths.
   void SetIterationLimit(uint32_t limit);
 
+  // Sets a deadline for completing path building. If |deadline| has passed and
+  // path building has not completed, path building will stop. Note that this
+  // is not a hard limit, there is no guarantee how far past |deadline| time
+  // will be when path building is aborted.
+  void SetDeadline(base::TimeTicks deadline);
+
   // Executes verification of the target certificate.
   //
   // Upon return results are written to the |result| object passed into the
@@ -196,6 +206,7 @@ class NET_EXPORT CertPathBuilder {
   const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_;
   const InitialAnyPolicyInhibit initial_any_policy_inhibit_;
   uint32_t max_iteration_count_ = 0;
+  base::TimeTicks deadline_;
 
   Result* out_result_;
 
diff --git a/chromium/net/cert/internal/path_builder_pkits_unittest.cc b/chromium/net/cert/internal/path_builder_pkits_unittest.cc
index 9c0d90e2201..32dd630f7d7 100644
--- a/chromium/net/cert/internal/path_builder_pkits_unittest.cc
+++ b/chromium/net/cert/internal/path_builder_pkits_unittest.cc
@@ -6,27 +6,109 @@
 
 #include "net/base/net_errors.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
+#include "net/cert/internal/common_cert_errors.h"
+#include "net/cert/internal/crl.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/simple_path_builder_delegate.h"
 #include "net/cert/internal/trust_store_in_memory.h"
 #include "net/cert/internal/verify_certificate_chain.h"
+#include "net/der/encode_values.h"
 #include "net/der/input.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 
-
-// TODO(mattm): these require CRL support:
-#define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \
-  DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4
-#define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \
-  DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5
-
 #include "net/cert/internal/nist_pkits_unittest.h"
 
 namespace net {
 
 namespace {
 
+class CrlCheckingPathBuilderDelegate : public SimplePathBuilderDelegate {
+ public:
+  CrlCheckingPathBuilderDelegate(const std::vector<std::string>& der_crls,
+                                 const base::Time& verify_time,
+                                 const base::TimeDelta& max_age,
+                                 size_t min_rsa_modulus_length_bits,
+                                 DigestPolicy digest_policy)
+      : SimplePathBuilderDelegate(min_rsa_modulus_length_bits, digest_policy),
+        der_crls_(der_crls),
+        verify_time_(verify_time),
+        max_age_(max_age) {}
+
+  void CheckPathAfterVerification(CertPathBuilderResultPath* path) override {
+    SimplePathBuilderDelegate::CheckPathAfterVerification(path);
+
+    if (!path->IsValid())
+      return;
+
+    // It would be preferable if this test could use
+    // CheckValidatedChainRevocation somehow, but that only supports getting
+    // CRLs by http distributionPoints. So this just settles for writing a
+    // little bit of wrapper code to test CheckCRL directly.
+    const ParsedCertificateList& certs = path->certs;
+    for (size_t reverse_i = 0; reverse_i < certs.size(); ++reverse_i) {
+      size_t i = certs.size() - reverse_i - 1;
+
+      // Trust anchors bypass OCSP/CRL revocation checks. (The only way to
+      // revoke trust anchors is via CRLSet or the built-in SPKI blacklist).
+      if (reverse_i == 0 && path->last_cert_trust.IsTrustAnchor())
+        continue;
+
+      // RFC 5280 6.3.3.  [If the CRL was not specified in a distribution
+      //                  point], assume a DP with both the reasons and the
+      //                  cRLIssuer fields omitted and a distribution point
+      //                  name of the certificate issuer.
+      // Since this implementation only supports URI names in distribution
+      // points, this means a default-initialized ParsedDistributionPoint is
+      // sufficient.
+      ParsedDistributionPoint fake_cert_dp;
+      ParsedDistributionPoint* cert_dp = &fake_cert_dp;
+
+      // If the target cert does have a distribution point, use it.
+      std::vector<ParsedDistributionPoint> distribution_points;
+      ParsedExtension crl_dp_extension;
+      if (certs[i]->GetExtension(CrlDistributionPointsOid(),
+                                 &crl_dp_extension)) {
+        ASSERT_TRUE(ParseCrlDistributionPoints(crl_dp_extension.value,
+                                               &distribution_points));
+        ASSERT_LE(distribution_points.size(), 1U);
+        if (!distribution_points.empty())
+          cert_dp = &distribution_points[0];
+      }
+
+      bool cert_good = false;
+
+      for (const auto& der_crl : der_crls_) {
+        CRLRevocationStatus crl_status =
+            CheckCRL(der_crl, certs, i, *cert_dp, verify_time_, max_age_);
+        if (crl_status == CRLRevocationStatus::REVOKED) {
+          path->errors.GetErrorsForCert(i)->AddError(
+              cert_errors::kCertificateRevoked);
+          return;
+        }
+        if (crl_status == CRLRevocationStatus::GOOD) {
+          cert_good = true;
+          break;
+        }
+      }
+      if (!cert_good) {
+        // PKITS tests assume hard-fail revocation checking.
+        // From PKITS 4.4: "When running the tests in this section, the
+        // application should be configured in such a way that the
+        // certification path is not accepted unless valid, up-to-date
+        // revocation data is available for every certificate in the path."
+        path->errors.GetErrorsForCert(i)->AddError(
+            cert_errors::kUnableToCheckRevocation);
+      }
+    }
+  }
+
+ private:
+  std::vector<std::string> der_crls_;
+  const base::Time verify_time_;
+  const base::TimeDelta max_age_;
+};
+
 class PathBuilderPkitsTestDelegate {
  public:
   static void RunTest(std::vector<std::string> cert_ders,
@@ -56,19 +138,44 @@ class PathBuilderPkitsTestDelegate {
 
     scoped_refptr<ParsedCertificate> target_cert(certs.back());
 
-    SimplePathBuilderDelegate path_builder_delegate(
-        1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+    base::StringPiece test_number = info.test_number;
+    std::unique_ptr<CertPathBuilderDelegate> path_builder_delegate;
+    if (test_number == "4.4.19" || test_number == "4.5.3" ||
+        test_number == "4.5.4" || test_number == "4.5.6") {
+      // TODO(https://crbug.com/749276): extend CRL support: These tests
+      // require better CRL issuer cert discovery & path building and/or
+      // issuingDistributionPoint extension handling. Disable CRL checking for
+      // them for now. Maybe should just run these with CRL checking enabled
+      // and expect them to fail?
+      path_builder_delegate = std::make_unique<SimplePathBuilderDelegate>(
+          1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+    } else {
+      base::Time verify_time;
+      ASSERT_TRUE(der::GeneralizedTimeToTime(info.time, &verify_time));
+      path_builder_delegate = std::make_unique<CrlCheckingPathBuilderDelegate>(
+          crl_ders, verify_time, /*max_age=*/base::TimeDelta::FromDays(365 * 2),
+          1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+    }
 
     CertPathBuilder::Result result;
     CertPathBuilder path_builder(
-        std::move(target_cert), &trust_store, &path_builder_delegate, info.time,
-        KeyPurpose::ANY_EKU, info.initial_explicit_policy,
+        std::move(target_cert), &trust_store, path_builder_delegate.get(),
+        info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy,
         info.initial_policy_set, info.initial_policy_mapping_inhibit,
         info.initial_inhibit_any_policy, &result);
     path_builder.AddCertIssuerSource(&cert_issuer_source);
 
     path_builder.Run();
 
+    if (info.should_validate != result.HasValidPath()) {
+      for (size_t i = 0; i < result.paths.size(); ++i) {
+        const net::CertPathBuilderResultPath* result_path =
+            result.paths[i].get();
+        LOG(ERROR) << "path " << i << " errors:\n"
+                   << result_path->errors.ToDebugString(result_path->certs);
+      }
+    }
+
     ASSERT_EQ(info.should_validate, result.HasValidPath());
 
     if (result.HasValidPath()) {
@@ -90,6 +197,13 @@ INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
                                PkitsTest03VerifyingNameChaining,
                                PathBuilderPkitsTestDelegate);
 INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
+                               PkitsTest04BasicCertificateRevocationTests,
+                               PathBuilderPkitsTestDelegate);
+INSTANTIATE_TYPED_TEST_SUITE_P(
+    PathBuilder,
+    PkitsTest05VerifyingPathswithSelfIssuedCertificates,
+    PathBuilderPkitsTestDelegate);
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
                                PkitsTest06VerifyingBasicConstraints,
                                PathBuilderPkitsTestDelegate);
 INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
@@ -117,8 +231,9 @@ INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
                                PkitsTest16PrivateCertificateExtensions,
                                PathBuilderPkitsTestDelegate);
 
-// TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests,
-// PkitsTest05VerifyingPathswithSelfIssuedCertificates,
-// PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
+// TODO(https://crbug.com/749276): extend CRL support?:
+// PkitsTest14DistributionPoints: indirect CRLs and reason codes are not
+// supported.
+// PkitsTest15DeltaCRLs: Delta CRLs are not supported.
 
 }  // namespace net
diff --git a/chromium/net/cert/internal/path_builder_unittest.cc b/chromium/net/cert/internal/path_builder_unittest.cc
index a2bba7fdc06..1a954a76e92 100644
--- a/chromium/net/cert/internal/path_builder_unittest.cc
+++ b/chromium/net/cert/internal/path_builder_unittest.cc
@@ -7,6 +7,7 @@
 #include "base/base_paths.h"
 #include "base/files/file_util.h"
 #include "base/path_service.h"
+#include "base/test/metrics/histogram_tester.h"
 #include "net/cert/internal/cert_error_params.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
 #include "net/cert/internal/common_cert_errors.h"
@@ -30,6 +31,7 @@ namespace net {
 namespace {
 
 using ::testing::_;
+using ::testing::ElementsAre;
 using ::testing::Invoke;
 using ::testing::NiceMock;
 using ::testing::Return;
@@ -450,12 +452,11 @@ TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) {
 }
 
 TEST_F(PathBuilderMultiRootTest, TestIterationLimit) {
-  // Both D(D) and C(D) are trusted roots.
+  // D(D) is the trust root.
   TrustStoreInMemory trust_store;
   trust_store.AddTrustAnchor(d_by_d_);
-  trust_store.AddTrustAnchor(c_by_d_);
 
-  // Certs B(C), and C(D) are all supplied.
+  // Certs B(C) and C(D) are supplied.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(b_by_c_);
   sync_certs.AddCert(c_by_d_);
@@ -481,10 +482,60 @@ TEST_F(PathBuilderMultiRootTest, TestIterationLimit) {
       path_builder.SetIterationLimit(5);
     }
 
+    base::HistogramTester histogram_tester;
     path_builder.Run();
 
     EXPECT_EQ(!insufficient_limit, result.HasValidPath());
     EXPECT_EQ(insufficient_limit, result.exceeded_iteration_limit);
+
+    if (insufficient_limit) {
+      EXPECT_THAT(histogram_tester.GetAllSamples(
+                      "Net.CertVerifier.PathBuilderIterationCount"),
+                  ElementsAre(base::Bucket(/*sample=*/2, /*count=*/1)));
+    } else {
+      EXPECT_THAT(histogram_tester.GetAllSamples(
+                      "Net.CertVerifier.PathBuilderIterationCount"),
+                  ElementsAre(base::Bucket(/*sample=*/3, /*count=*/1)));
+    }
+  }
+}
+
+TEST_F(PathBuilderMultiRootTest, TestTrivialDeadline) {
+  // C(D) is the trust root.
+  TrustStoreInMemory trust_store;
+  trust_store.AddTrustAnchor(c_by_d_);
+
+  // Cert B(C) is supplied.
+  CertIssuerSourceStatic sync_certs;
+  sync_certs.AddCert(b_by_c_);
+
+  for (const bool insufficient_limit : {true, false}) {
+    SCOPED_TRACE(insufficient_limit);
+
+    CertPathBuilder::Result result;
+    CertPathBuilder path_builder(
+        a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
+        initial_explicit_policy_, user_initial_policy_set_,
+        initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result);
+    path_builder.AddCertIssuerSource(&sync_certs);
+
+    if (insufficient_limit) {
+      // Set a deadline one millisecond in the past. Path building should fail
+      // since the deadline is already past.
+      path_builder.SetDeadline(base::TimeTicks::Now() -
+                               base::TimeDelta::FromMilliseconds(1));
+    } else {
+      // The other tests in this file exercise the case that |SetDeadline|
+      // isn't called. Therefore set a sufficient limit for the path to be
+      // found.
+      path_builder.SetDeadline(base::TimeTicks::Now() +
+                               base::TimeDelta::FromDays(1));
+    }
+
+    path_builder.Run();
+
+    EXPECT_EQ(!insufficient_limit, result.HasValidPath());
+    EXPECT_EQ(insufficient_limit, result.exceeded_deadline);
   }
 }
 
diff --git a/chromium/net/cert/internal/revocation_checker.cc b/chromium/net/cert/internal/revocation_checker.cc
index e01b9104a85..9b444c5c11b 100644
--- a/chromium/net/cert/internal/revocation_checker.cc
+++ b/chromium/net/cert/internal/revocation_checker.cc
@@ -10,6 +10,7 @@
 #include "crypto/sha2.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/internal/common_cert_errors.h"
+#include "net/cert/internal/crl.h"
 #include "net/cert/internal/ocsp.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/trust_store.h"
@@ -26,17 +27,24 @@ void MarkCertificateRevoked(CertErrors* errors) {
   errors->AddError(cert_errors::kCertificateRevoked);
 }
 
-// Checks the revocation status of |cert| according to |policy|. If the checks
-// failed, returns false and adds errors to |cert_errors|.
+// Checks the revocation status of |certs[target_cert_index]| according to
+// |policy|. If the checks failed, returns false and adds errors to
+// |cert_errors|.
 //
 // TODO(eroman): Make the verification time an input.
-bool CheckCertRevocation(const ParsedCertificate* cert,
-                         const ParsedCertificate* issuer_cert,
+bool CheckCertRevocation(const ParsedCertificateList& certs,
+                         size_t target_cert_index,
                          const RevocationPolicy& policy,
                          base::StringPiece stapled_ocsp_response,
                          base::TimeDelta max_age,
                          CertNetFetcher* net_fetcher,
                          CertErrors* cert_errors) {
+  DCHECK_LT(target_cert_index, certs.size());
+  const ParsedCertificate* cert = certs[target_cert_index].get();
+  const ParsedCertificate* issuer_cert =
+      target_cert_index + 1 < certs.size() ? certs[target_cert_index + 1].get()
+                                           : nullptr;
+
   // Check using stapled OCSP, if available.
   if (!stapled_ocsp_response.empty() && issuer_cert) {
     // TODO(eroman): CheckOCSP() re-parses the certificates, perhaps just pass
@@ -61,8 +69,6 @@ bool CheckCertRevocation(const ParsedCertificate* cert,
     }
   }
 
-  // TODO(eroman): Check CRL.
-
   if (!policy.check_revocation) {
     // TODO(eroman): Should still check CRL/OCSP caches.
     return true;
@@ -145,6 +151,80 @@ bool CheckCertRevocation(const ParsedCertificate* cert,
     }
   }
 
+  // Check CRLs.
+  ParsedExtension crl_dp_extension;
+  if (cert->GetExtension(CrlDistributionPointsOid(), &crl_dp_extension)) {
+    std::vector<ParsedDistributionPoint> distribution_points;
+    if (ParseCrlDistributionPoints(crl_dp_extension.value,
+                                   &distribution_points)) {
+      for (const auto& distribution_point : distribution_points) {
+        if (distribution_point.has_crl_issuer) {
+          // Ignore indirect CRLs (CRL where CRLissuer != cert issuer), which
+          // are optional according to RFC 5280's profile.
+          continue;
+        }
+
+        for (const auto& crl_uri : distribution_point.uris) {
+          // Only consider http:// URLs (https:// could create a circular
+          // dependency).
+          GURL parsed_crl_url(crl_uri);
+          if (!parsed_crl_url.is_valid() ||
+              !parsed_crl_url.SchemeIs(url::kHttpScheme)) {
+            continue;
+          }
+
+          found_revocation_info = true;
+
+          if (!policy.networking_allowed)
+            continue;
+
+          if (!net_fetcher) {
+            LOG(ERROR) << "Cannot fetch CRL as didn't specify a |net_fetcher|";
+            continue;
+          }
+
+          // Fetch it over network.
+          //
+          // Note that no attempt is made to refetch without cache if a cached
+          // CRL is too old, nor is there a separate CRL cache. It is assumed
+          // the CRL server will send reasonable HTTP caching headers.
+          //
+          // TODO(eroman): Bound the maximum time allowed spent doing network
+          // requests.
+          std::unique_ptr<CertNetFetcher::Request> net_crl_request =
+              net_fetcher->FetchCrl(parsed_crl_url, CertNetFetcher::DEFAULT,
+                                    CertNetFetcher::DEFAULT);
+
+          Error net_error;
+          std::vector<uint8_t> crl_response_bytes;
+          net_crl_request->WaitForResult(&net_error, &crl_response_bytes);
+
+          if (net_error != OK) {
+            failed_network_fetch = true;
+            continue;
+          }
+
+          CRLRevocationStatus crl_status = CheckCRL(
+              base::StringPiece(
+                  reinterpret_cast<const char*>(crl_response_bytes.data()),
+                  crl_response_bytes.size()),
+              certs, target_cert_index, distribution_point, base::Time::Now(),
+              max_age);
+
+          switch (crl_status) {
+            case CRLRevocationStatus::REVOKED:
+              MarkCertificateRevoked(cert_errors);
+              return false;
+            case CRLRevocationStatus::GOOD:
+              return true;
+            case CRLRevocationStatus::UNKNOWN:
+              break;
+          }
+        }
+      }
+    }
+  }
+
   // Reaching here means that revocation checking was inconclusive. Determine
   // whether failure to complete revocation checking constitutes an error.
 
@@ -191,9 +271,6 @@ void CheckValidatedChainRevocation(const ParsedCertificateList& certs,
   // are added to |errors|.
   for (size_t reverse_i = 0; reverse_i < certs.size(); ++reverse_i) {
     size_t i = certs.size() - reverse_i - 1;
-    const ParsedCertificate* cert = certs[i].get();
-    const ParsedCertificate* issuer_cert =
-        i + 1 < certs.size() ? certs[i + 1].get() : nullptr;
 
     // Trust anchors bypass OCSP/CRL revocation checks. (The only way to revoke
     // trust anchors is via CRLSet or the built-in SPKI blacklist). Since
@@ -206,13 +283,16 @@ void CheckValidatedChainRevocation(const ParsedCertificateList& certs,
     base::StringPiece stapled_ocsp =
         (i == 0) ? stapled_leaf_ocsp_response : base::StringPiece();
 
-    base::TimeDelta max_age =
-        (i == 0) ? kMaxOCSPLeafUpdateAge : kMaxOCSPIntermediateUpdateAge;
+    // TODO(https://crbug.com/971714): This applies Baseline Requirements max
+    // update age to all revocation checks, including locally trusted anchors.
+    // Confirm whether this causes any issues in enterprise deployments.
+    base::TimeDelta max_age = (i == 0) ? kMaxRevocationLeafUpdateAge
+                                       : kMaxRevocationIntermediateUpdateAge;
 
     // Check whether this certificate's revocation status complies with the
     // policy.
     bool cert_ok =
-        CheckCertRevocation(cert, issuer_cert, policy, stapled_ocsp, max_age,
+        CheckCertRevocation(certs, i, policy, stapled_ocsp, max_age,
                             net_fetcher, errors->GetErrorsForCert(i));
 
     if (!cert_ok) {
diff --git a/chromium/net/cert/internal/revocation_checker.h b/chromium/net/cert/internal/revocation_checker.h
index e22972fbaca..89590bb2667 100644
--- a/chromium/net/cert/internal/revocation_checker.h
+++ b/chromium/net/cert/internal/revocation_checker.h
@@ -15,6 +15,41 @@ namespace net {
 class CertPathErrors;
 class CertNetFetcher;
 
+// Baseline Requirements 1.6.5, section 4.9.7:
+//     For the status of Subscriber Certificates: If the CA publishes a CRL,
+//     then the CA SHALL update and reissue CRLs at least once every seven
+//     days, and the value of the nextUpdate field MUST NOT be more than ten
+//     days beyond the value of the thisUpdate field.
+//
+// Baseline Requirements 1.6.5, section 4.9.10:
+//     For the status of Subscriber Certificates: The CA SHALL update
+//     information provided via an Online Certificate Status Protocol at least
+//     every four days.  OCSP responses from this service MUST have a maximum
+//     expiration time of ten days.
+//
+// Use 7 days as the max allowable leaf revocation status age, which is
+// sufficient for both CRL and OCSP, and which aligns with Microsoft policies.
+constexpr base::TimeDelta kMaxRevocationLeafUpdateAge =
+    base::TimeDelta::FromDays(7);
+
+// Baseline Requirements 1.6.5, section 4.9.7:
+//     For the status of Subordinate CA Certificates: The CA SHALL update and
+//     reissue CRLs at least (i) once every twelve months and (ii) within 24
+//     hours after revoking a Subordinate CA Certificate, and the value of the
+//     nextUpdate field MUST NOT be more than twelve months beyond the value of
+//     the thisUpdate field.
+//
+// Baseline Requirements 1.6.5, section 4.9.10:
+//     For the status of Subordinate CA Certificates: The CA SHALL update
+//     information provided via an Online Certificate Status Protocol at least
+//     (i) every twelve months and (ii) within 24 hours after revoking a
+//     Subordinate CA Certificate.
+//
+// Use 366 days to allow for leap years, though it is overly permissive in
+// other years.
+constexpr base::TimeDelta kMaxRevocationIntermediateUpdateAge =
+    base::TimeDelta::FromDays(366);
+
 // RevocationPolicy describes how revocation should be carried out for a
 // particular chain.
 struct NET_EXPORT_PRIVATE RevocationPolicy {
diff --git a/chromium/net/cert/internal/system_trust_store.cc b/chromium/net/cert/internal/system_trust_store.cc
index ada022f2a91..e8b1e31b9fb 100644
--- a/chromium/net/cert/internal/system_trust_store.cc
+++ b/chromium/net/cert/internal/system_trust_store.cc
@@ -5,6 +5,10 @@
 #include "net/cert/internal/system_trust_store.h"
 
 #if defined(USE_NSS_CERTS)
+#include "net/cert/internal/system_trust_store_nss.h"
+#endif  // defined(USE_NSS_CERTS)
+
+#if defined(USE_NSS_CERTS)
 #include <cert.h>
 #include <pk11pub.h>
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
@@ -15,6 +19,7 @@
 
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
+#include "base/no_destructor.h"
 #include "build/build_config.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
@@ -31,7 +36,6 @@
 #include "net/cert/scoped_nss_types.h"
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
 #include "net/cert/internal/trust_store_mac.h"
-#include "net/cert/known_roots_mac.h"
 #include "net/cert/x509_util_mac.h"
 #elif defined(OS_FUCHSIA)
 #include "third_party/boringssl/src/include/openssl/pool.h"
@@ -73,8 +77,9 @@ namespace {
 
 class SystemTrustStoreNSS : public BaseSystemTrustStore {
  public:
-  explicit SystemTrustStoreNSS() : trust_store_nss_(trustSSL) {
-    trust_store_.AddTrustStore(&trust_store_nss_);
+  explicit SystemTrustStoreNSS(std::unique_ptr<TrustStoreNSS> trust_store_nss)
+      : trust_store_nss_(std::move(trust_store_nss)) {
+    trust_store_.AddTrustStore(trust_store_nss_.get());
 
     // When running in test mode, also layer in the test-only root certificates.
     //
@@ -112,22 +117,35 @@ class SystemTrustStoreNSS : public BaseSystemTrustStore {
   }
 
  private:
-  TrustStoreNSS trust_store_nss_;
+  std::unique_ptr<TrustStoreNSS> trust_store_nss_;
 };
 
 }  // namespace
 
 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() {
-  return std::make_unique<SystemTrustStoreNSS>();
+  return std::make_unique<SystemTrustStoreNSS>(
+      std::make_unique<TrustStoreNSS>(trustSSL));
+}
+
+std::unique_ptr<SystemTrustStore>
+CreateSslSystemTrustStoreNSSWithUserSlotRestriction(
+    crypto::ScopedPK11Slot user_slot) {
+  return std::make_unique<SystemTrustStoreNSS>(
+      std::make_unique<TrustStoreNSS>(trustSSL, std::move(user_slot)));
+}
+
+std::unique_ptr<SystemTrustStore>
+CreateSslSystemTrustStoreNSSWithNoUserSlots() {
+  return std::make_unique<SystemTrustStoreNSS>(std::make_unique<TrustStoreNSS>(
+      trustSSL, TrustStoreNSS::DisallowTrustForCertsOnUserSlots()));
 }
 
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
 
 class SystemTrustStoreMac : public BaseSystemTrustStore {
  public:
-  explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) {
-    InitializeKnownRoots();
-    trust_store_.AddTrustStore(&trust_store_mac_);
+  SystemTrustStoreMac() {
+    trust_store_.AddTrustStore(GetGlobalTrustStoreMac());
 
     // When running in test mode, also layer in the test-only root certificates.
     //
@@ -145,18 +163,15 @@ class SystemTrustStoreMac : public BaseSystemTrustStore {
   // IsKnownRoot returns true if the given trust anchor is a standard one (as
   // opposed to a user-installed root)
   bool IsKnownRoot(const ParsedCertificate* trust_anchor) const override {
-    der::Input bytes = trust_anchor->der_cert();
-    base::ScopedCFTypeRef<SecCertificateRef> cert_ref =
-        x509_util::CreateSecCertificateFromBytes(bytes.UnsafeData(),
-                                                 bytes.Length());
-    if (!cert_ref)
-      return false;
-
-    return net::IsKnownRoot(cert_ref);
+    return GetGlobalTrustStoreMac()->IsKnownRoot(trust_anchor);
   }
 
  private:
-  TrustStoreMac trust_store_mac_;
+  TrustStoreMac* GetGlobalTrustStoreMac() const {
+    static base::NoDestructor<TrustStoreMac> static_trust_store_mac(
+        kSecPolicyAppleSSL);
+    return static_trust_store_mac.get();
+  }
 };
 
 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() {
diff --git a/chromium/net/cert/internal/system_trust_store_nss.h b/chromium/net/cert/internal/system_trust_store_nss.h
new file mode 100644
index 00000000000..b7037d52e5e
--- /dev/null
+++ b/chromium/net/cert/internal/system_trust_store_nss.h
@@ -0,0 +1,33 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_NSS_H_
+#define NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_NSS_H_
+
+#include "crypto/scoped_nss_types.h"
+#include "net/base/net_export.h"
+#include "net/cert/internal/system_trust_store.h"
+
+namespace net {
+
+// Create a SystemTrustStore that will accept trust for:
+// (*) built-in certificates
+// (*) test root certificates
+// (*) additional trust anchors (added through SystemTrustStore::AddTrustAnchor)
+// (*) certificates stored on the |user_slot|.
+NET_EXPORT std::unique_ptr<SystemTrustStore>
+CreateSslSystemTrustStoreNSSWithUserSlotRestriction(
+    crypto::ScopedPK11Slot user_slot);
+
+// Create a SystemTrustStore that will accept trust for:
+// (*) built-in certificates
+// (*) test root certificates
+// (*) additional trust anchors (added through SystemTrustStore::AddTrustAnchor)
+// It will not accept trust for certificates stored on other slots.
+NET_EXPORT std::unique_ptr<SystemTrustStore>
+CreateSslSystemTrustStoreNSSWithNoUserSlots();
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_NSS_H_
diff --git a/chromium/net/cert/internal/system_trust_store_nss_unittest.cc b/chromium/net/cert/internal/system_trust_store_nss_unittest.cc
new file mode 100644
index 00000000000..9e3e581baa9
--- /dev/null
+++ b/chromium/net/cert/internal/system_trust_store_nss_unittest.cc
@@ -0,0 +1,163 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/system_trust_store.h"
+
+#include <cert.h>
+#include <certdb.h>
+
+#include <memory>
+
+#include "base/macros.h"
+#include "crypto/scoped_nss_types.h"
+#include "crypto/scoped_test_nss_db.h"
+#include "net/cert/internal/cert_errors.h"
+#include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/internal/system_trust_store_nss.h"
+#include "net/cert/test_root_certs.h"
+#include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util.h"
+#include "net/cert/x509_util_nss.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/test_data_directory.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/boringssl/src/include/openssl/evp.h"
+
+namespace net {
+
+namespace {
+
+// Parses |x509_cert| as a ParsedCertificate and stores the output in
+// *|out_parsed_cert|. Wrap in ASSERT_NO_FATAL_FAILURE on callsites.
+::testing::AssertionResult ParseX509Certificate(
+    const scoped_refptr<X509Certificate>& x509_cert,
+    scoped_refptr<ParsedCertificate>* out_parsed_cert) {
+  CertErrors parsing_errors;
+  *out_parsed_cert = ParsedCertificate::Create(
+      bssl::UpRef(x509_cert->cert_buffer()),
+      x509_util::DefaultParseCertificateOptions(), &parsing_errors);
+  if (!*out_parsed_cert) {
+    return ::testing::AssertionFailure()
+           << "ParseCertificate::Create() failed:\n"
+           << parsing_errors.ToDebugString();
+  }
+  return ::testing::AssertionSuccess();
+}
+
+class SystemTrustStoreNSSTest : public ::testing::Test {
+ public:
+  SystemTrustStoreNSSTest() : test_root_certs_(TestRootCerts::GetInstance()) {}
+  ~SystemTrustStoreNSSTest() override = default;
+
+  void SetUp() override {
+    ::testing::Test::SetUp();
+
+    root_cert_ =
+        ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+    ASSERT_TRUE(root_cert_);
+    ASSERT_NO_FATAL_FAILURE(
+        ParseX509Certificate(root_cert_, &parsed_root_cert_));
+    nss_root_cert_ =
+        x509_util::CreateCERTCertificateFromX509Certificate(root_cert_.get());
+    ASSERT_TRUE(nss_root_cert_);
+
+    ASSERT_TRUE(test_nssdb_.is_open());
+    ASSERT_TRUE(other_test_nssdb_.is_open());
+  }
+
+ protected:
+  // Imports |nss_root_cert_| into |slot| and sets trust flags so that it is a
+  // trusted CA for SSL.
+  void ImportRootCertAsTrusted(PK11SlotInfo* slot) {
+    SECStatus srv = PK11_ImportCert(slot, nss_root_cert_.get(),
+                                    CK_INVALID_HANDLE, "nickname_root_cert",
+                                    PR_FALSE /* includeTrust (unused) */);
+    ASSERT_EQ(SECSuccess, srv);
+
+    CERTCertTrust trust = {0};
+    trust.sslFlags = CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
+    srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nss_root_cert_.get(),
+                               &trust);
+    ASSERT_EQ(SECSuccess, srv);
+  }
+
+  crypto::ScopedTestNSSDB test_nssdb_;
+  crypto::ScopedTestNSSDB other_test_nssdb_;
+
+  TestRootCerts* test_root_certs_;
+
+  scoped_refptr<X509Certificate> root_cert_;
+  scoped_refptr<ParsedCertificate> parsed_root_cert_;
+  ScopedCERTCertificate nss_root_cert_;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(SystemTrustStoreNSSTest);
+};
+
+// Tests that SystemTrustStore respects TestRootCerts.
+TEST_F(SystemTrustStoreNSSTest, TrustTestRootCerts) {
+  std::unique_ptr<SystemTrustStore> system_trust_store =
+      CreateSslSystemTrustStore();
+
+  EXPECT_TRUE(test_root_certs_->Add(root_cert_.get()));
+  CertificateTrust trust;
+  system_trust_store->GetTrustStore()->GetTrust(parsed_root_cert_.get(),
+                                                &trust);
+  EXPECT_EQ(CertificateTrustType::TRUSTED_ANCHOR, trust.type);
+
+  test_root_certs_->Clear();
+  system_trust_store->GetTrustStore()->GetTrust(parsed_root_cert_.get(),
+                                                &trust);
+  EXPECT_EQ(CertificateTrustType::UNSPECIFIED, trust.type);
+}
+
+// Tests that SystemTrustStore created for NSS with a user-slot restriction
+// allows certificates stored on the specified user slot to be trusted.
+TEST_F(SystemTrustStoreNSSTest, UserSlotRestrictionAllows) {
+  std::unique_ptr<SystemTrustStore> system_trust_store =
+      CreateSslSystemTrustStoreNSSWithUserSlotRestriction(
+          crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())));
+
+  ASSERT_NO_FATAL_FAILURE(ImportRootCertAsTrusted(test_nssdb_.slot()));
+
+  CertificateTrust trust;
+  system_trust_store->GetTrustStore()->GetTrust(parsed_root_cert_.get(),
+                                                &trust);
+  EXPECT_EQ(CertificateTrustType::TRUSTED_ANCHOR, trust.type);
+}
+
+// Tests that SystemTrustStore created for NSS with a user-slot restriction
+// does not allows certificates stored only on user slots different from the one
+// specified to be trusted.
+TEST_F(SystemTrustStoreNSSTest, UserSlotRestrictionDisallows) {
+  std::unique_ptr<SystemTrustStore> system_trust_store =
+      CreateSslSystemTrustStoreNSSWithUserSlotRestriction(
+          crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())));
+
+  ASSERT_NO_FATAL_FAILURE(ImportRootCertAsTrusted(other_test_nssdb_.slot()));
+
+  CertificateTrust trust;
+  system_trust_store->GetTrustStore()->GetTrust(parsed_root_cert_.get(),
+                                                &trust);
+  EXPECT_EQ(CertificateTrustType::UNSPECIFIED, trust.type);
+}
+
+// Tests that SystemTrustStore created for NSS without allowing trust for
+// certificate stored on user slots.
+TEST_F(SystemTrustStoreNSSTest, NoUserSlots) {
+  std::unique_ptr<SystemTrustStore> system_trust_store =
+      CreateSslSystemTrustStoreNSSWithNoUserSlots();
+
+  ASSERT_NO_FATAL_FAILURE(ImportRootCertAsTrusted(test_nssdb_.slot()));
+
+  CertificateTrust trust;
+  system_trust_store->GetTrustStore()->GetTrust(parsed_root_cert_.get(),
+                                                &trust);
+  EXPECT_EQ(CertificateTrustType::UNSPECIFIED, trust.type);
+}
+
+}  // namespace
+
+}  // namespace net
diff --git a/chromium/net/cert/internal/trust_store_mac.cc b/chromium/net/cert/internal/trust_store_mac.cc
index 9c8217c5379..e1ce10c219d 100644
--- a/chromium/net/cert/internal/trust_store_mac.cc
+++ b/chromium/net/cert/internal/trust_store_mac.cc
@@ -6,17 +6,25 @@
 
 #include <Security/Security.h>
 
+#include "base/atomicops.h"
+#include "base/bind.h"
+#include "base/callback_list.h"
+#include "base/containers/flat_map.h"
 #include "base/logging.h"
 #include "base/mac/foundation_util.h"
 #include "base/mac/mac_logging.h"
+#include "base/no_destructor.h"
 #include "base/synchronization/lock.h"
 #include "crypto/mac_security_services_lock.h"
+#include "net/base/hash_value.h"
+#include "net/base/network_notification_thread_mac.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parse_name.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/test_keychain_search_list_mac.h"
 #include "net/cert/x509_util.h"
 #include "net/cert/x509_util_mac.h"
+#include "third_party/boringssl/src/include/openssl/sha.h"
 
 namespace net {
 
@@ -27,6 +35,8 @@ namespace {
 
 // Indicates the trust status of a certificate.
 enum class TrustStatus {
+  // Trust status is unknown / uninitialized.
+  UNKNOWN,
   // Certificate inherits trust value from its issuer. If the certificate is the
   // root of the chain, this implies distrust.
   UNSPECIFIED,
@@ -151,54 +161,313 @@ TrustStatus IsTrustSettingsTrustedForPolicy(CFArrayRef trust_settings,
   return TrustStatus::UNSPECIFIED;
 }
 
-// Returns true if the certificate |cert_handle| is trusted for the policy
-// |policy_oid|.
-TrustStatus IsSecCertificateTrustedForPolicy(
+// Returns the trust status for |cert_handle| for the policy |policy_oid| in
+// |trust_domain|.
+TrustStatus IsCertificateTrustedForPolicyInDomain(
     const scoped_refptr<ParsedCertificate>& cert,
-    SecCertificateRef cert_handle,
-    const CFStringRef policy_oid) {
+    const CFStringRef policy_oid,
+    SecTrustSettingsDomain trust_domain) {
+  // TODO(eroman): Inefficient -- path building will convert between
+  // SecCertificateRef and ParsedCertificate representations multiple times
+  // (when getting the issuers, and again here).
+  //
+  // This conversion will also be done for each domain the cert policy is
+  // checked, but the TrustDomainCache ensures this function is only called on
+  // domains that actually have settings for the cert. The common case is that
+  // a cert will have trust settings in only zero or one domains, and when in
+  // more than one domain it would generally be because one domain is
+  // overriding the setting in the next, so it would only get done once anyway.
+  base::ScopedCFTypeRef<SecCertificateRef> cert_handle =
+      x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(),
+                                               cert->der_cert().Length());
+  if (!cert_handle)
+    return TrustStatus::UNSPECIFIED;
+
   const bool is_self_issued =
       cert->normalized_subject() == cert->normalized_issuer();
-  // Evaluate trust domains in user, admin, system order. Admin settings can
-  // override system ones, and user settings can override both admin and system.
-  for (const auto& trust_domain :
-       {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin,
-        kSecTrustSettingsDomainSystem}) {
-    base::ScopedCFTypeRef<CFArrayRef> trust_settings;
-    OSStatus err;
+
+  base::ScopedCFTypeRef<CFArrayRef> trust_settings;
+  OSStatus err;
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    err = SecTrustSettingsCopyTrustSettings(cert_handle, trust_domain,
+                                            trust_settings.InitializeInto());
+  }
+  if (err == errSecItemNotFound) {
+    // No trust settings for that domain.. try the next.
+    return TrustStatus::UNSPECIFIED;
+  }
+  if (err) {
+    OSSTATUS_LOG(ERROR, err) << "SecTrustSettingsCopyTrustSettings error";
+    return TrustStatus::UNSPECIFIED;
+  }
+  TrustStatus trust = IsTrustSettingsTrustedForPolicy(
+      trust_settings, is_self_issued, policy_oid);
+  return trust;
+}
+
+// Caches calculated trust status for certificates present in a single trust
+// domain.
+class TrustDomainCache {
+ public:
+  TrustDomainCache(SecTrustSettingsDomain domain, CFStringRef policy_oid)
+      : domain_(domain), policy_oid_(policy_oid) {
+    DCHECK(policy_oid_);
+  }
+
+  // (Re-)Initializes the cache with the certs in |domain_| set to UNKNOWN trust
+  // status.
+  void Initialize() {
+    trust_status_cache_.clear();
+
+    base::ScopedCFTypeRef<CFArrayRef> cert_array;
+    OSStatus rv;
     {
       base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-      err = SecTrustSettingsCopyTrustSettings(cert_handle, trust_domain,
-                                              trust_settings.InitializeInto());
+      rv = SecTrustSettingsCopyCertificates(domain_,
+                                            cert_array.InitializeInto());
     }
-    if (err == errSecItemNotFound) {
-      // No trust settings for that domain.. try the next.
-      continue;
+    if (rv != noErr) {
+      // Note: SecTrustSettingsCopyCertificates can legitimately return
+      // errSecNoTrustSettings if there are no trust settings in |domain_|.
+      return;
     }
-    if (err) {
-      OSSTATUS_LOG(ERROR, err) << "SecTrustSettingsCopyTrustSettings error";
-      continue;
+    std::vector<std::pair<SHA256HashValue, TrustStatus>> trust_status_vector;
+    for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) {
+      SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
+          const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i)));
+      trust_status_vector.emplace_back(x509_util::CalculateFingerprint256(cert),
+                                       TrustStatus::UNKNOWN);
     }
-    TrustStatus trust = IsTrustSettingsTrustedForPolicy(
-        trust_settings, is_self_issued, policy_oid);
-    if (trust != TrustStatus::UNSPECIFIED)
-      return trust;
+    trust_status_cache_ = base::flat_map<SHA256HashValue, TrustStatus>(
+        std::move(trust_status_vector));
   }
 
-  // No trust settings, or none of the settings were for the correct policy, or
-  // had the correct trust result.
-  return TrustStatus::UNSPECIFIED;
+  // Returns the trust status for |cert| in |domain_|.
+  TrustStatus IsCertTrusted(const scoped_refptr<ParsedCertificate>& cert,
+                            const SHA256HashValue& cert_hash) {
+    auto cache_iter = trust_status_cache_.find(cert_hash);
+    if (cache_iter == trust_status_cache_.end()) {
+      // Cert does not have trust settings in this domain, return UNSPECIFIED.
+      return TrustStatus::UNSPECIFIED;
+    }
+
+    if (cache_iter->second != TrustStatus::UNKNOWN) {
+      // Cert has trust settings and trust has already been calculated, return
+      // the cached value.
+      return cache_iter->second;
+    }
+
+    // Cert has trust settings but trust has not been calculated yet.
+    // Calculate it now, insert into cache, and return.
+    TrustStatus cert_trust =
+        IsCertificateTrustedForPolicyInDomain(cert, policy_oid_, domain_);
+    cache_iter->second = cert_trust;
+    return cert_trust;
+  }
+
+  // Returns true if the certificate with |cert_hash| is present in |domain_|.
+  bool ContainsCert(const SHA256HashValue& cert_hash) const {
+    return trust_status_cache_.find(cert_hash) != trust_status_cache_.end();
+  }
+
+ private:
+  const SecTrustSettingsDomain domain_;
+  const CFStringRef policy_oid_;
+  base::flat_map<SHA256HashValue, TrustStatus> trust_status_cache_;
+
+  DISALLOW_COPY_AND_ASSIGN(TrustDomainCache);
+};
+
+SHA256HashValue CalculateFingerprint256(const der::Input& buffer) {
+  SHA256HashValue sha256;
+  SHA256(buffer.UnsafeData(), buffer.Length(), sha256.data);
+  return sha256;
 }
 
+// Watches macOS keychain for trust setting changes, and notifies any
+// registered callbacks. This is necessary as the keychain callback API is
+// keyed only on the callback function pointer rather than function pointer +
+// context, so it cannot be safely registered multiple callbacks with the same
+// function pointer and different contexts.
+class KeychainTrustSettingsChangedNotifier {
+ public:
+  // Registers |callback| to be run when the keychain trust settings change.
+  // Must be called on the network notification thread.  |callback| will be run
+  // on the network notification thread. The returned Subscription must be
+  // destroyed on the network notification thread.
+  static std::unique_ptr<base::CallbackList<void()>::Subscription> AddCallback(
+      base::RepeatingClosure callback) {
+    DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence());
+    return Get()->callback_list_.Add(std::move(callback));
+  }
+
+ private:
+  friend base::NoDestructor<KeychainTrustSettingsChangedNotifier>;
+
+  KeychainTrustSettingsChangedNotifier() {
+    DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence());
+    OSStatus status = SecKeychainAddCallback(
+        &KeychainTrustSettingsChangedNotifier::KeychainCallback,
+        kSecTrustSettingsChangedEventMask, this);
+    if (status != noErr)
+      OSSTATUS_LOG(ERROR, status) << "SecKeychainAddCallback failed";
+  }
+
+  ~KeychainTrustSettingsChangedNotifier() = delete;
+
+  static OSStatus KeychainCallback(SecKeychainEvent keychain_event,
+                                   SecKeychainCallbackInfo* info,
+                                   void* context) {
+    KeychainTrustSettingsChangedNotifier* notifier =
+        reinterpret_cast<KeychainTrustSettingsChangedNotifier*>(context);
+    notifier->callback_list_.Notify();
+    return errSecSuccess;
+  }
+
+  static KeychainTrustSettingsChangedNotifier* Get() {
+    static base::NoDestructor<KeychainTrustSettingsChangedNotifier> notifier;
+    return notifier.get();
+  }
+
+  base::CallbackList<void()> callback_list_;
+
+  DISALLOW_COPY_AND_ASSIGN(KeychainTrustSettingsChangedNotifier);
+};
+
+// Observes keychain events and increments the value returned by Iteration()
+// each time the trust settings change.
+class KeychainTrustObserver {
+ public:
+  KeychainTrustObserver() {
+    GetNetworkNotificationThreadMac()->PostTask(
+        FROM_HERE,
+        base::BindOnce(
+            &KeychainTrustObserver::RegisterCallbackOnNotificationThread,
+            base::Unretained(this)));
+  }
+
+  // Destroying the observer unregisters the callback. Must be destroyed on the
+  // notification thread in order to safely release |subscription_|.
+  ~KeychainTrustObserver() {
+    DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence());
+  }
+
+  // Returns the current iteration count, which is incremented every time
+  // keychain trust settings change. This may be called from any thread.
+  int64_t Iteration() const { return base::subtle::Acquire_Load(&iteration_); }
+
+ private:
+  void RegisterCallbackOnNotificationThread() {
+    DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence());
+    subscription_ =
+        KeychainTrustSettingsChangedNotifier::AddCallback(base::BindRepeating(
+            &KeychainTrustObserver::Increment, base::Unretained(this)));
+  }
+
+  void Increment() { base::subtle::Barrier_AtomicIncrement(&iteration_, 1); }
+
+  // Only accessed on the notification thread.
+  std::unique_ptr<base::CallbackList<void()>::Subscription> subscription_;
+
+  base::subtle::Atomic64 iteration_ = 0;
+
+  DISALLOW_COPY_AND_ASSIGN(KeychainTrustObserver);
+};
+
 }  // namespace
 
+// TrustCache caches the calculated trust status of certificates with trust
+// settings in each of the three trust domains, and ensures the cache is reset
+// if trust settings are modified.
+class TrustStoreMac::TrustCache {
+ public:
+  explicit TrustCache(CFStringRef policy_oid)
+      : system_domain_cache_(kSecTrustSettingsDomainSystem, policy_oid),
+        admin_domain_cache_(kSecTrustSettingsDomainAdmin, policy_oid),
+        user_domain_cache_(kSecTrustSettingsDomainUser, policy_oid) {
+    keychain_observer_ = std::make_unique<KeychainTrustObserver>();
+  }
+
+  ~TrustCache() {
+    GetNetworkNotificationThreadMac()->DeleteSoon(
+        FROM_HERE, std::move(keychain_observer_));
+  }
+
+  // Returns true if |cert| is present in kSecTrustSettingsDomainSystem.
+  bool IsKnownRoot(const ParsedCertificate* cert) {
+    SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert());
+
+    base::AutoLock lock(cache_lock_);
+    MaybeInitializeCache();
+    return system_domain_cache_.ContainsCert(cert_hash);
+  }
+
+  // Returns the trust status for |cert|.
+  TrustStatus IsCertTrusted(const scoped_refptr<ParsedCertificate>& cert) {
+    SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert());
+
+    base::AutoLock lock(cache_lock_);
+    MaybeInitializeCache();
+
+    // Evaluate trust domains in user, admin, system order. Admin settings can
+    // override system ones, and user settings can override both admin and
+    // system.
+    for (TrustDomainCache* trust_domain_cache :
+         {&user_domain_cache_, &admin_domain_cache_, &system_domain_cache_}) {
+      TrustStatus ts = trust_domain_cache->IsCertTrusted(cert, cert_hash);
+      if (ts != TrustStatus::UNSPECIFIED)
+        return ts;
+    }
+
+    // Cert did not have trust settings in any domain.
+    return TrustStatus::UNSPECIFIED;
+  }
+
+ private:
+  // (Re-)Initialize the cache if necessary. Must be called after acquiring
+  // |cache_lock_| and before accessing any of the |*_domain_cache_| members.
+  void MaybeInitializeCache() {
+    cache_lock_.AssertAcquired();
+    int64_t keychain_iteration = keychain_observer_->Iteration();
+    if (iteration_ == keychain_iteration)
+      return;
+
+    iteration_ = keychain_iteration;
+    user_domain_cache_.Initialize();
+    admin_domain_cache_.Initialize();
+    if (!system_domain_initialized_) {
+      // In practice, the system trust domain does not change during runtime,
+      // and SecTrustSettingsCopyCertificates on the system domain is quite
+      // slow, so the system domain cache is not reset on keychain changes.
+      system_domain_cache_.Initialize();
+      system_domain_initialized_ = true;
+    }
+  }
+
+  std::unique_ptr<KeychainTrustObserver> keychain_observer_;
+
+  base::Lock cache_lock_;
+  // |cache_lock_| must be held while accessing any following members.
+  int64_t iteration_ = -1;
+  bool system_domain_initialized_ = false;
+  TrustDomainCache system_domain_cache_;
+  TrustDomainCache admin_domain_cache_;
+  TrustDomainCache user_domain_cache_;
+
+  DISALLOW_COPY_AND_ASSIGN(TrustCache);
+};
+
 TrustStoreMac::TrustStoreMac(CFTypeRef policy_oid)
-    : policy_oid_(base::mac::CFCastStrict<CFStringRef>(policy_oid)) {
-  DCHECK(policy_oid_);
-}
+    : trust_cache_(std::make_unique<TrustCache>(
+          base::mac::CFCastStrict<CFStringRef>(policy_oid))) {}
 
 TrustStoreMac::~TrustStoreMac() = default;
 
+bool TrustStoreMac::IsKnownRoot(const ParsedCertificate* cert) const {
+  return trust_cache_->IsKnownRoot(cert);
+}
+
 void TrustStoreMac::SyncGetIssuersOf(const ParsedCertificate* cert,
                                      ParsedCertificateList* issuers) {
   base::ScopedCFTypeRef<CFDataRef> name_data = GetMacNormalizedIssuer(cert);
@@ -243,19 +512,7 @@ void TrustStoreMac::SyncGetIssuersOf(const ParsedCertificate* cert,
 
 void TrustStoreMac::GetTrust(const scoped_refptr<ParsedCertificate>& cert,
                              CertificateTrust* trust) const {
-  // TODO(eroman): Inefficient -- path building will convert between
-  // SecCertificateRef and ParsedCertificate representations multiple times
-  // (when getting the issuers, and again here).
-  base::ScopedCFTypeRef<SecCertificateRef> cert_handle =
-      x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(),
-                                               cert->der_cert().Length());
-  if (!cert_handle) {
-    *trust = CertificateTrust::ForUnspecified();
-    return;
-  }
-
-  TrustStatus trust_status =
-      IsSecCertificateTrustedForPolicy(cert, cert_handle, policy_oid_);
+  TrustStatus trust_status = trust_cache_->IsCertTrusted(cert);
   switch (trust_status) {
     case TrustStatus::TRUSTED:
       *trust = CertificateTrust::ForTrustAnchor();
@@ -266,6 +523,11 @@ void TrustStoreMac::GetTrust(const scoped_refptr<ParsedCertificate>& cert,
     case TrustStatus::UNSPECIFIED:
       *trust = CertificateTrust::ForUnspecified();
       return;
+    case TrustStatus::UNKNOWN:
+      // UNKNOWN is an implementation detail of TrustCache and should never be
+      // returned.
+      NOTREACHED();
+      break;
   }
 
   *trust = CertificateTrust::ForUnspecified();
diff --git a/chromium/net/cert/internal/trust_store_mac.h b/chromium/net/cert/internal/trust_store_mac.h
index b0b56a9ba9c..b2f54407284 100644
--- a/chromium/net/cert/internal/trust_store_mac.h
+++ b/chromium/net/cert/internal/trust_store_mac.h
@@ -16,7 +16,12 @@
 namespace net {
 
 // TrustStoreMac is an implementation of TrustStore which uses macOS keychain
-// to find trust anchors for path building.
+// to find trust anchors for path building. Trust state is cached, so a single
+// TrustStoreMac instance should be created and used for all verifications of a
+// given policy.
+// TrustStoreMac objects are threadsafe and methods may be called from multiple
+// threads simultaneously. It is the owner's responsibility to ensure the
+// TrustStoreMac object outlives any threads accessing it.
 class NET_EXPORT TrustStoreMac : public TrustStore {
  public:
   // Creates a TrustStoreMac which will find anchors that are trusted for
@@ -29,6 +34,10 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
   explicit TrustStoreMac(CFTypeRef policy_oid);
   ~TrustStoreMac() override;
 
+  // Returns true if the given certificate is present in the system trust
+  // domain.
+  bool IsKnownRoot(const ParsedCertificate* cert) const;
+
   // TrustStore implementation:
   void SyncGetIssuersOf(const ParsedCertificate* cert,
                         ParsedCertificateList* issuers) override;
@@ -39,6 +48,8 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
   FRIEND_TEST_ALL_PREFIXES(TrustStoreMacTest, MultiRootNotTrusted);
   FRIEND_TEST_ALL_PREFIXES(TrustStoreMacTest, SystemCerts);
 
+  class TrustCache;
+
   // Finds certificates in the OS keychains whose Subject matches |name_data|.
   // The result is an array of SecCertificateRef.
   static base::ScopedCFTypeRef<CFArrayRef>
@@ -51,7 +62,7 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
   static base::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer(
       const ParsedCertificate* cert);
 
-  const CFStringRef policy_oid_;
+  std::unique_ptr<TrustCache> trust_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(TrustStoreMac);
 };
diff --git a/chromium/net/cert/internal/trust_store_nss.cc b/chromium/net/cert/internal/trust_store_nss.cc
index 3ab6343027e..6725971e369 100644
--- a/chromium/net/cert/internal/trust_store_nss.cc
+++ b/chromium/net/cert/internal/trust_store_nss.cc
@@ -11,17 +11,27 @@
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/scoped_nss_types.h"
+#include "net/cert/test_root_certs.h"
 #include "net/cert/x509_util.h"
 #include "net/cert/x509_util_nss.h"
 
-// TODO(mattm): structure so that supporting ChromeOS multi-profile stuff is
-// doable (Have a TrustStoreChromeOS which uses net::NSSProfileFilterChromeOS,
-// similar to CertVerifyProcChromeOS.)
-
 namespace net {
 
 TrustStoreNSS::TrustStoreNSS(SECTrustType trust_type)
-    : trust_type_(trust_type) {}
+    : trust_type_(trust_type), filter_trusted_certs_by_slot_(false) {}
+
+TrustStoreNSS::TrustStoreNSS(SECTrustType trust_type,
+                             crypto::ScopedPK11Slot user_slot)
+    : trust_type_(trust_type),
+      filter_trusted_certs_by_slot_(true),
+      user_slot_(std::move(user_slot)) {
+  DCHECK(user_slot_);
+}
+
+TrustStoreNSS::TrustStoreNSS(
+    SECTrustType trust_type,
+    DisallowTrustForCertsOnUserSlots disallow_trust_for_certs_on_user_slots)
+    : trust_type_(trust_type), filter_trusted_certs_by_slot_(true) {}
 
 TrustStoreNSS::~TrustStoreNSS() = default;
 
@@ -46,16 +56,24 @@ void TrustStoreNSS::SyncGetIssuersOf(const ParsedCertificate* cert,
 
   for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs);
        !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) {
+#if !defined(OS_CHROMEOS)
     // TODO(mattm): use CERT_GetCertIsTemp when minimum NSS version is >= 3.31.
     if (node->cert->istemp) {
-      // Ignore temporary NSS certs. This ensures that during the trial when
-      // CertVerifyProcNSS and CertVerifyProcBuiltin are being used
-      // simultaneously, the builtin verifier does not get to "cheat" by using
-      // AIA fetched certs from CertVerifyProcNSS.
+      // Ignore temporary NSS certs on platforms other than Chrome OS. This
+      // ensures that during the trial when CertVerifyProcNSS and
+      // CertVerifyProcBuiltin are being used simultaneously, the builtin
+      // verifier does not get to "cheat" by using AIA fetched certs from
+      // CertVerifyProcNSS.
       // TODO(https://crbug.com/951479): remove this when CertVerifyProcBuiltin
       // becomes the default.
+      // This is not done for Chrome OS because temporary NSS certs are
+      // currently used there to implement policy-provided untrusted authority
+      // certificates, and no trials are being done on Chrome OS.
+      // TODO(https://crbug.com/978854): remove the Chrome OS exception when
+      // certificates are passed.
       continue;
     }
+#endif  // !defined(OS_CHROMEOS)
 
     CertErrors parse_errors;
     scoped_refptr<ParsedCertificate> cur_cert = ParsedCertificate::Create(
@@ -95,6 +113,11 @@ void TrustStoreNSS::GetTrust(const scoped_refptr<ParsedCertificate>& cert,
     return;
   }
 
+  if (!IsCertAllowedForTrust(nss_cert.get())) {
+    *out_trust = CertificateTrust::ForUnspecified();
+    return;
+  }
+
   // Determine the trustedness of the matched certificate.
   CERTCertTrust trust;
   if (CERT_GetCertTrust(nss_cert.get(), &trust) != SECSuccess) {
@@ -124,4 +147,38 @@ void TrustStoreNSS::GetTrust(const scoped_refptr<ParsedCertificate>& cert,
   return;
 }
 
+bool TrustStoreNSS::IsCertAllowedForTrust(CERTCertificate* cert) const {
+  // If |filter_trusted_certs_by_slot_| is false, allow trust for any
+  // certificate, no matter which slot it is stored on.
+  if (!filter_trusted_certs_by_slot_)
+    return true;
+
+  crypto::ScopedPK11SlotList slots_for_cert(
+      PK11_GetAllSlotsForCert(cert, nullptr));
+  if (!slots_for_cert)
+    return false;
+
+  for (PK11SlotListElement* slot_element =
+           PK11_GetFirstSafe(slots_for_cert.get());
+       slot_element;
+       slot_element = PK11_GetNextSafe(slots_for_cert.get(), slot_element,
+                                       /*restart=*/PR_FALSE)) {
+    PK11SlotInfo* slot = slot_element->slot;
+    bool allow_slot =
+        // Allow the root certs module.
+        PK11_HasRootCerts(slot) ||
+        // Allow read-only internal slots.
+        (PK11_IsInternal(slot) && !PK11_IsRemovable(slot)) ||
+        // Allow |user_slot_| if specified.
+        (user_slot_ && slot == user_slot_.get());
+
+    if (allow_slot) {
+      PK11_FreeSlotListElement(slots_for_cert.get(), slot_element);
+      return true;
+    }
+  }
+
+  return false;
+}
+
 }  // namespace net
diff --git a/chromium/net/cert/internal/trust_store_nss.h b/chromium/net/cert/internal/trust_store_nss.h
index fd66b45d4ee..9c44093391e 100644
--- a/chromium/net/cert/internal/trust_store_nss.h
+++ b/chromium/net/cert/internal/trust_store_nss.h
@@ -5,9 +5,11 @@
 #ifndef NET_CERT_INTERNAL_TRUST_STORE_NSS_H_
 #define NET_CERT_INTERNAL_TRUST_STORE_NSS_H_
 
+#include <cert.h>
 #include <certt.h>
 
 #include "base/memory/ref_counted.h"
+#include "crypto/scoped_nss_types.h"
 #include "net/base/net_export.h"
 #include "net/cert/internal/trust_store.h"
 
@@ -17,9 +19,31 @@ namespace net {
 // anchors for path building.
 class NET_EXPORT TrustStoreNSS : public TrustStore {
  public:
+  struct DisallowTrustForCertsOnUserSlots {};
+
   // Creates a TrustStoreNSS which will find anchors that are trusted for
   // |trust_type|.
+  // The created TrustStoreNSS will not perform any filtering based on the slot
+  // certificates are stored on.
   explicit TrustStoreNSS(SECTrustType trust_type);
+
+  // Creates a TrustStoreNSS which will find anchors that are trusted for
+  // |trust_type|.
+  // The created TrustStoreNSS will allow trust for certificates that:
+  // (*) are built-in certificates
+  // (*) are stored on a read-only internal slot
+  // (*) are stored on the |user_slot|.
+  TrustStoreNSS(SECTrustType trust_type, crypto::ScopedPK11Slot user_slot);
+
+  // Creates a TrustStoreNSS which will find anchors that are trusted for
+  // |trust_type|.
+  // The created TrustStoreNSS will allow trust for certificates that:
+  // (*) are built-in certificates
+  // (*) are stored on a read-only internal slot
+  TrustStoreNSS(
+      SECTrustType trust_type,
+      DisallowTrustForCertsOnUserSlots disallow_trust_for_certs_on_user_slots);
+
   ~TrustStoreNSS() override;
 
   // CertIssuerSource implementation:
@@ -31,8 +55,30 @@ class NET_EXPORT TrustStoreNSS : public TrustStore {
                 CertificateTrust* trust) const override;
 
  private:
+  bool IsCertAllowedForTrust(CERTCertificate* cert) const;
+
   SECTrustType trust_type_;
 
+  // |filter_trusted_certs_by_slot_| and |user_slot_| together specify which
+  // slots certificates must be stored on to be allowed to be trusted. The
+  // possible combinations are:
+  //
+  // |filter_trusted_certs_by_slot_| == false: Allow any certificate to be
+  // trusted, don't filter by slot. |user_slot_| is ignored in this case.
+  //
+  // |filter_trusted_certs_by_slot_| == true and |user_slot_| = nullptr: Allow
+  // certificates to be trusted if they
+  // (*) are built-in certificates or
+  // (*) are stored on a read-only internal slot.
+  //
+  // |filter_trusted_certs_by_slot_| == true and |user_slot_| != nullptr: Allow
+  // certificates to be trusted if they
+  // (*) are built-in certificates or
+  // (*) are stored on a read-only internal slot or
+  // (*) are stored on |user_slot_|.
+  const bool filter_trusted_certs_by_slot_;
+  crypto::ScopedPK11Slot user_slot_;
+
   DISALLOW_COPY_AND_ASSIGN(TrustStoreNSS);
 };
 
diff --git a/chromium/net/cert/internal/trust_store_nss_unittest.cc b/chromium/net/cert/internal/trust_store_nss_unittest.cc
index 1a7a94cb1cb..d22a0360e82 100644
--- a/chromium/net/cert/internal/trust_store_nss_unittest.cc
+++ b/chromium/net/cert/internal/trust_store_nss_unittest.cc
@@ -6,25 +6,82 @@
 
 #include <cert.h>
 #include <certdb.h>
+#include <secmod.h>
 
 #include <memory>
 
 #include "base/strings/string_number_conversions.h"
+#include "crypto/nss_util_internal.h"
 #include "crypto/scoped_test_nss_db.h"
 #include "net/cert/internal/cert_issuer_source_sync_unittest.h"
+#include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/test_helpers.h"
 #include "net/cert/scoped_nss_types.h"
+#include "net/cert/test_root_certs.h"
+#include "net/cert/x509_util.h"
 #include "net/cert/x509_util_nss.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/boringssl/src/include/openssl/pool.h"
 
 namespace net {
 
 namespace {
 
-class TrustStoreNSSTest : public testing::Test {
+// Returns the slot which holds the built-in root certificates.
+crypto::ScopedPK11Slot GetRootCertsSlot() {
+  crypto::AutoSECMODListReadLock auto_lock;
+  SECMODModuleList* head = SECMOD_GetDefaultModuleList();
+  for (SECMODModuleList* item = head; item != NULL; item = item->next) {
+    int slot_count = item->module->loaded ? item->module->slotCount : 0;
+    for (int i = 0; i < slot_count; i++) {
+      PK11SlotInfo* slot = item->module->slots[i];
+      if (!PK11_IsPresent(slot))
+        continue;
+      if (PK11_HasRootCerts(slot))
+        return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot));
+    }
+  }
+  return crypto::ScopedPK11Slot();
+}
+
+// Returns a built-in trusted root certificte. If multiple ones are available,
+// it is not specified which one is returned. If none are available, returns
+// nullptr.
+scoped_refptr<ParsedCertificate> GetASSLTrustedBuiltinRoot() {
+  crypto::ScopedPK11Slot root_certs_slot = GetRootCertsSlot();
+  if (!root_certs_slot)
+    return nullptr;
+
+  scoped_refptr<X509Certificate> ssl_trusted_root;
+
+  CERTCertList* cert_list = PK11_ListCertsInSlot(root_certs_slot.get());
+  for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
+       !CERT_LIST_END(node, cert_list); node = CERT_LIST_NEXT(node)) {
+    CERTCertTrust trust;
+    if (CERT_GetCertTrust(node->cert, &trust) != SECSuccess)
+      continue;
+    int trust_flags = SEC_GET_TRUST_FLAGS(&trust, trustSSL);
+    if ((trust_flags & CERTDB_TRUSTED_CA) == CERTDB_TRUSTED_CA) {
+      ssl_trusted_root =
+          x509_util::CreateX509CertificateFromCERTCertificate(node->cert);
+      break;
+    }
+  }
+  CERT_DestroyCertList(cert_list);
+  if (!ssl_trusted_root)
+    return nullptr;
+
+  CertErrors parsing_errors;
+  return ParsedCertificate::Create(bssl::UpRef(ssl_trusted_root->cert_buffer()),
+                                   x509_util::DefaultParseCertificateOptions(),
+                                   &parsing_errors);
+}
+
+class TrustStoreNSSTestBase : public ::testing::Test {
  public:
   void SetUp() override {
     ASSERT_TRUE(test_nssdb_.is_open());
+    ASSERT_TRUE(other_test_nssdb_.is_open());
     ParsedCertificateList chain;
     ReadCertChainFromFile(
         "net/data/verify_certificate_chain_unittest/key-rollover/oldchain.pem",
@@ -51,31 +108,35 @@ class TrustStoreNSSTest : public testing::Test {
     ASSERT_TRUE(newroot_);
     ASSERT_TRUE(newrootrollover_);
 
-    trust_store_nss_.reset(new TrustStoreNSS(trustSSL));
+    trust_store_nss_ = CreateTrustStoreNSS();
   }
 
+  // Creates the TrustStoreNSS instance. Subclasses will customize the slot
+  // filtering behavior here.
+  virtual std::unique_ptr<TrustStoreNSS> CreateTrustStoreNSS() = 0;
+
   std::string GetUniqueNickname() {
     return "trust_store_nss_unittest" +
            base::NumberToString(nickname_counter_++);
   }
 
-  void AddCertToNSS(const ParsedCertificate* cert) {
+  void AddCertToNSSSlot(const ParsedCertificate* cert, PK11SlotInfo* slot) {
     ScopedCERTCertificate nss_cert(x509_util::CreateCERTCertificateFromBytes(
         cert->der_cert().UnsafeData(), cert->der_cert().Length()));
     ASSERT_TRUE(nss_cert);
-    SECStatus srv = PK11_ImportCert(
-        test_nssdb_.slot(), nss_cert.get(), CK_INVALID_HANDLE,
-        GetUniqueNickname().c_str(), PR_FALSE /* includeTrust (unused) */);
+    SECStatus srv = PK11_ImportCert(slot, nss_cert.get(), CK_INVALID_HANDLE,
+                                    GetUniqueNickname().c_str(),
+                                    PR_FALSE /* includeTrust (unused) */);
     ASSERT_EQ(SECSuccess, srv);
   }
 
   void AddCertsToNSS() {
-    AddCertToNSS(target_.get());
-    AddCertToNSS(oldintermediate_.get());
-    AddCertToNSS(newintermediate_.get());
-    AddCertToNSS(oldroot_.get());
-    AddCertToNSS(newroot_.get());
-    AddCertToNSS(newrootrollover_.get());
+    AddCertToNSSSlot(target_.get(), test_nssdb_.slot());
+    AddCertToNSSSlot(oldintermediate_.get(), test_nssdb_.slot());
+    AddCertToNSSSlot(newintermediate_.get(), test_nssdb_.slot());
+    AddCertToNSSSlot(oldroot_.get(), test_nssdb_.slot());
+    AddCertToNSSSlot(newroot_.get(), test_nssdb_.slot());
+    AddCertToNSSSlot(newrootrollover_.get(), test_nssdb_.slot());
 
     // Check that the certificates can be retrieved as expected.
     EXPECT_TRUE(
@@ -192,30 +253,102 @@ class TrustStoreNSSTest : public testing::Test {
   scoped_refptr<ParsedCertificate> newintermediate_;
   scoped_refptr<ParsedCertificate> newrootrollover_;
   crypto::ScopedTestNSSDB test_nssdb_;
+  crypto::ScopedTestNSSDB other_test_nssdb_;
   std::unique_ptr<TrustStoreNSS> trust_store_nss_;
   unsigned nickname_counter_ = 0;
 };
 
-// Without adding any certs to the NSS DB, should get no anchor results for any
-// of the test certs.
-TEST_F(TrustStoreNSSTest, CertsNotPresent) {
+// Specifies which kind of per-slot filtering the TrustStoreNSS is supposed to
+// perform in the parametrized TrustStoreNSSTestWithSlotFilterType.
+enum class SlotFilterType {
+  kDontFilter,
+  kDoNotAllowUserSlots,
+  kAllowSpecifiedUserSlot
+};
+
+// Used for testing a TrustStoreNSS with the slot filter type specified by the
+// test parameter.
+class TrustStoreNSSTestWithSlotFilterType
+    : public TrustStoreNSSTestBase,
+      public testing::WithParamInterface<SlotFilterType> {
+ public:
+  TrustStoreNSSTestWithSlotFilterType() = default;
+  ~TrustStoreNSSTestWithSlotFilterType() override = default;
+
+  std::unique_ptr<TrustStoreNSS> CreateTrustStoreNSS() override {
+    switch (GetParam()) {
+      case SlotFilterType::kDontFilter:
+        return std::make_unique<TrustStoreNSS>(trustSSL);
+      case SlotFilterType::kDoNotAllowUserSlots:
+        return std::make_unique<TrustStoreNSS>(
+            trustSSL, TrustStoreNSS::DisallowTrustForCertsOnUserSlots());
+      case SlotFilterType::kAllowSpecifiedUserSlot:
+        return std::make_unique<TrustStoreNSS>(
+            trustSSL,
+            crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())));
+    }
+  }
+};
+
+// Without adding any certs to the NSS DB, should get no anchor results for
+// any of the test certs.
+TEST_P(TrustStoreNSSTestWithSlotFilterType, CertsNotPresent) {
   EXPECT_TRUE(TrustStoreContains(target_, ParsedCertificateList()));
   EXPECT_TRUE(TrustStoreContains(newintermediate_, ParsedCertificateList()));
   EXPECT_TRUE(TrustStoreContains(newroot_, ParsedCertificateList()));
 }
 
+#if !defined(OS_CHROMEOS)
 // TrustStoreNSS should not return temporary certs. (See
 // https://crbug.com/951166)
-TEST_F(TrustStoreNSSTest, TempCertNotPresent) {
+TEST_P(TrustStoreNSSTestWithSlotFilterType, TempCertNotPresent) {
   ScopedCERTCertificate temp_nss_cert(x509_util::CreateCERTCertificateFromBytes(
       newintermediate_->der_cert().UnsafeData(),
       newintermediate_->der_cert().Length()));
   EXPECT_TRUE(TrustStoreContains(target_, ParsedCertificateList()));
 }
+#else   // !defined(OS_CHROMEOS)
+// TrustStoreNSS should return temporary certs on Chrome OS, because on Chrome
+// OS temporary certs are used to supply policy-provided untrusted authority
+// certs. (See https://crbug.com/978854)
+TEST_P(TrustStoreNSSTestWithSlotFilterType, TempCertPresent) {
+  ScopedCERTCertificate temp_nss_cert(x509_util::CreateCERTCertificateFromBytes(
+      newintermediate_->der_cert().UnsafeData(),
+      newintermediate_->der_cert().Length()));
+  EXPECT_TRUE(TrustStoreContains(target_, {newintermediate_}));
+}
+#endif  // !defined(OS_CHROMEOS)
+
+// Independent of the specified slot-based filtering mode, built-in root certs
+// should always be trusted.
+TEST_P(TrustStoreNSSTestWithSlotFilterType, TrustAllowedForBuiltinRootCerts) {
+  auto builtin_root_cert = GetASSLTrustedBuiltinRoot();
+  ASSERT_TRUE(builtin_root_cert);
+  EXPECT_TRUE(
+      HasTrust({builtin_root_cert}, CertificateTrustType::TRUSTED_ANCHOR));
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    TrustStoreNSSTest_AllSlotFilterTypes,
+    TrustStoreNSSTestWithSlotFilterType,
+    ::testing::Values(SlotFilterType::kDontFilter,
+                      SlotFilterType::kDoNotAllowUserSlots,
+                      SlotFilterType::kAllowSpecifiedUserSlot));
+
+// Tests a TrustStoreNSS that does not filter which certificates
+class TrustStoreNSSTestWithoutSlotFilter : public TrustStoreNSSTestBase {
+ public:
+  TrustStoreNSSTestWithoutSlotFilter() = default;
+  ~TrustStoreNSSTestWithoutSlotFilter() override = default;
+
+  std::unique_ptr<TrustStoreNSS> CreateTrustStoreNSS() override {
+    return std::make_unique<TrustStoreNSS>(trustSSL);
+  }
+};
 
 // If certs are present in NSS DB but aren't marked as trusted, should get no
 // anchor results for any of the test certs.
-TEST_F(TrustStoreNSSTest, CertsPresentButNotTrusted) {
+TEST_F(TrustStoreNSSTestWithoutSlotFilter, CertsPresentButNotTrusted) {
   AddCertsToNSS();
 
   // None of the certificates are trusted.
@@ -225,7 +358,7 @@ TEST_F(TrustStoreNSSTest, CertsPresentButNotTrusted) {
 }
 
 // Trust a single self-signed CA certificate.
-TEST_F(TrustStoreNSSTest, TrustedCA) {
+TEST_F(TrustStoreNSSTestWithoutSlotFilter, TrustedCA) {
   AddCertsToNSS();
   TrustCert(newroot_.get());
 
@@ -238,7 +371,7 @@ TEST_F(TrustStoreNSSTest, TrustedCA) {
 }
 
 // Distrust a single self-signed CA certificate.
-TEST_F(TrustStoreNSSTest, DistrustedCA) {
+TEST_F(TrustStoreNSSTestWithoutSlotFilter, DistrustedCA) {
   AddCertsToNSS();
   DistrustCert(newroot_.get());
 
@@ -251,7 +384,7 @@ TEST_F(TrustStoreNSSTest, DistrustedCA) {
 }
 
 // Trust a single intermediate certificate.
-TEST_F(TrustStoreNSSTest, TrustedIntermediate) {
+TEST_F(TrustStoreNSSTestWithoutSlotFilter, TrustedIntermediate) {
   AddCertsToNSS();
   TrustCert(newintermediate_.get());
 
@@ -263,7 +396,7 @@ TEST_F(TrustStoreNSSTest, TrustedIntermediate) {
 }
 
 // Distrust a single intermediate certificate.
-TEST_F(TrustStoreNSSTest, DistrustedIntermediate) {
+TEST_F(TrustStoreNSSTestWithoutSlotFilter, DistrustedIntermediate) {
   AddCertsToNSS();
   DistrustCert(newintermediate_.get());
 
@@ -274,7 +407,7 @@ TEST_F(TrustStoreNSSTest, DistrustedIntermediate) {
 }
 
 // Trust a single server certificate.
-TEST_F(TrustStoreNSSTest, TrustedServer) {
+TEST_F(TrustStoreNSSTestWithoutSlotFilter, TrustedServer) {
   AddCertsToNSS();
   TrustServerCert(target_.get());
 
@@ -287,7 +420,7 @@ TEST_F(TrustStoreNSSTest, TrustedServer) {
 }
 
 // Trust multiple self-signed CA certificates with the same name.
-TEST_F(TrustStoreNSSTest, MultipleTrustedCAWithSameSubject) {
+TEST_F(TrustStoreNSSTestWithoutSlotFilter, MultipleTrustedCAWithSameSubject) {
   AddCertsToNSS();
   TrustCert(oldroot_.get());
   TrustCert(newroot_.get());
@@ -301,7 +434,7 @@ TEST_F(TrustStoreNSSTest, MultipleTrustedCAWithSameSubject) {
 
 // Different trust settings for multiple self-signed CA certificates with the
 // same name.
-TEST_F(TrustStoreNSSTest, DifferingTrustCAWithSameSubject) {
+TEST_F(TrustStoreNSSTestWithoutSlotFilter, DifferingTrustCAWithSameSubject) {
   AddCertsToNSS();
   DistrustCert(oldroot_.get());
   TrustCert(newroot_.get());
@@ -313,6 +446,62 @@ TEST_F(TrustStoreNSSTest, DifferingTrustCAWithSameSubject) {
   EXPECT_TRUE(HasTrust({newroot_}, CertificateTrustType::TRUSTED_ANCHOR));
 }
 
+// Tests for a TrustStoreNSS which does not allow certificates on user slots
+// to be trusted.
+class TrustStoreNSSTestDoNotAllowUserSlots : public TrustStoreNSSTestBase {
+ public:
+  TrustStoreNSSTestDoNotAllowUserSlots() = default;
+  ~TrustStoreNSSTestDoNotAllowUserSlots() override = default;
+
+  std::unique_ptr<TrustStoreNSS> CreateTrustStoreNSS() override {
+    return std::make_unique<TrustStoreNSS>(
+        trustSSL, TrustStoreNSS::DisallowTrustForCertsOnUserSlots());
+  }
+};
+
+// A certificate that is stored on a "user slot" is not trusted if the
+// TrustStoreNSS is not allowed to trust certificates on user slots.
+TEST_F(TrustStoreNSSTestDoNotAllowUserSlots, CertOnUserSlot) {
+  AddCertToNSSSlot(newroot_.get(), test_nssdb_.slot());
+  TrustCert(newroot_.get());
+  EXPECT_TRUE(HasTrust({newroot_}, CertificateTrustType::UNSPECIFIED));
+}
+
+// Tests for a TrustStoreNSS which does allows certificates on user slots to
+// be only trusted if they are on a specific user slot.
+class TrustStoreNSSTestAllowSpecifiedUserSlot : public TrustStoreNSSTestBase {
+ public:
+  TrustStoreNSSTestAllowSpecifiedUserSlot() = default;
+  ~TrustStoreNSSTestAllowSpecifiedUserSlot() override = default;
+
+  std::unique_ptr<TrustStoreNSS> CreateTrustStoreNSS() override {
+    return std::make_unique<TrustStoreNSS>(
+        trustSSL,
+        crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())));
+  }
+};
+
+// A certificate that is stored on a "user slot" is trusted if the
+// TrustStoreNSS is allowed to trust that user slot.
+TEST_F(TrustStoreNSSTestAllowSpecifiedUserSlot, CertOnUserSlot) {
+  AddCertToNSSSlot(newroot_.get(), test_nssdb_.slot());
+  TrustCert(newroot_.get());
+  EXPECT_TRUE(HasTrust({newroot_}, CertificateTrustType::TRUSTED_ANCHOR));
+}
+
+// A certificate that is stored on a "user slot" is not trusted if the
+// TrustStoreNSS is allowed to trust a user slot, but the certificate is
+// stored on another user slot.
+TEST_F(TrustStoreNSSTestAllowSpecifiedUserSlot, CertOnOtherUserSlot) {
+  AddCertToNSSSlot(newroot_.get(), other_test_nssdb_.slot());
+  TrustCert(newroot_.get());
+  EXPECT_TRUE(HasTrust({newroot_}, CertificateTrustType::UNSPECIFIED));
+}
+
+// TODO(https://crbug.com/980443): If the internal non-removable slot is
+// relevant on Chrome OS, add a test for allowing trust for certificates
+// stored on that slot.
+
 class TrustStoreNSSTestDelegate {
  public:
   TrustStoreNSSTestDelegate() : trust_store_nss_(trustSSL) {}
@@ -345,8 +534,8 @@ INSTANTIATE_TYPED_TEST_SUITE_P(TrustStoreNSSTest2,
                                CertIssuerSourceSyncTest,
                                TrustStoreNSSTestDelegate);
 
-// NSS doesn't normalize UTF8String values, so use the not-normalized version of
-// those tests.
+// NSS doesn't normalize UTF8String values, so use the not-normalized version
+// of those tests.
 INSTANTIATE_TYPED_TEST_SUITE_P(TrustStoreNSSNotNormalizedTest,
                                CertIssuerSourceSyncNotNormalizedTest,
                                TrustStoreNSSTestDelegate);
diff --git a/chromium/net/cert/internal/verify_certificate_chain_pkits_unittest.cc b/chromium/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
index 2c8bf0be2b3..f262f51eb1e 100644
--- a/chromium/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
+++ b/chromium/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
@@ -10,7 +10,8 @@
 #include "net/der/input.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 
-// TODO(mattm): these require CRL support:
+// These require CRL support, which is not implemented at the
+// VerifyCertificateChain level.
 #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \
   DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4
 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \
@@ -119,7 +120,9 @@ INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
                                PkitsTest16PrivateCertificateExtensions,
                                VerifyCertificateChainPkitsTestDelegate);
 
-// TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests,
+// These require CRL support, which is not implemented at the
+// VerifyCertificateChain level:
+// PkitsTest04BasicCertificateRevocationTests,
 // PkitsTest05VerifyingPathswithSelfIssuedCertificates,
 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
 
diff --git a/chromium/net/cert/internal/verify_name_match_fuzzer.cc b/chromium/net/cert/internal/verify_name_match_fuzzer.cc
index 03c7e9cda12..a22d3f907a0 100644
--- a/chromium/net/cert/internal/verify_name_match_fuzzer.cc
+++ b/chromium/net/cert/internal/verify_name_match_fuzzer.cc
@@ -9,17 +9,19 @@
 
 #include <vector>
 
-#include "base/test/fuzzed_data_provider.h"
 #include "net/der/input.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider fuzzed_data(data, size);
+  FuzzedDataProvider fuzzed_data(data, size);
 
   // Intentionally using uint16_t here to avoid empty |second_part|.
   size_t first_part_size = fuzzed_data.ConsumeIntegral<uint16_t>();
-  std::vector<uint8_t> first_part = fuzzed_data.ConsumeBytes(first_part_size);
-  std::vector<uint8_t> second_part = fuzzed_data.ConsumeRemainingBytes();
+  std::vector<uint8_t> first_part =
+      fuzzed_data.ConsumeBytes<uint8_t>(first_part_size);
+  std::vector<uint8_t> second_part =
+      fuzzed_data.ConsumeRemainingBytes<uint8_t>();
 
   net::der::Input in1(first_part.data(), first_part.size());
   net::der::Input in2(second_part.data(), second_part.size());
diff --git a/chromium/net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc b/chromium/net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc
index d948e59fb6c..a289c7f190b 100644
--- a/chromium/net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc
+++ b/chromium/net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc
@@ -9,17 +9,19 @@
 
 #include <vector>
 
-#include "base/test/fuzzed_data_provider.h"
 #include "net/der/input.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider fuzzed_data(data, size);
+  FuzzedDataProvider fuzzed_data(data, size);
 
   // Intentionally using uint16_t here to avoid empty |second_part|.
   size_t first_part_size = fuzzed_data.ConsumeIntegral<uint16_t>();
-  std::vector<uint8_t> first_part = fuzzed_data.ConsumeBytes(first_part_size);
-  std::vector<uint8_t> second_part = fuzzed_data.ConsumeRemainingBytes();
+  std::vector<uint8_t> first_part =
+      fuzzed_data.ConsumeBytes<uint8_t>(first_part_size);
+  std::vector<uint8_t> second_part =
+      fuzzed_data.ConsumeRemainingBytes<uint8_t>();
 
   net::der::Input in1(first_part.data(), first_part.size());
   net::der::Input in2(second_part.data(), second_part.size());
diff --git a/chromium/net/cert/mock_cert_verifier.cc b/chromium/net/cert/mock_cert_verifier.cc
index 3a5161ff64b..e65dadb7e7f 100644
--- a/chromium/net/cert/mock_cert_verifier.cc
+++ b/chromium/net/cert/mock_cert_verifier.cc
@@ -43,7 +43,7 @@ struct MockCertVerifier::Rule {
 class MockCertVerifier::MockRequest : public CertVerifier::Request {
  public:
   MockRequest(CertVerifyResult* result, CompletionOnceCallback callback)
-      : result_(result), callback_(std::move(callback)), weak_factory_(this) {}
+      : result_(result), callback_(std::move(callback)) {}
 
   void ReturnResultLater(int rv, const CertVerifyResult& result) {
     base::ThreadTaskRunnerHandle::Get()->PostTask(
@@ -59,7 +59,7 @@ class MockCertVerifier::MockRequest : public CertVerifier::Request {
 
   CertVerifyResult* result_;
   CompletionOnceCallback callback_;
-  base::WeakPtrFactory<MockRequest> weak_factory_;
+  base::WeakPtrFactory<MockRequest> weak_factory_{this};
 };
 
 MockCertVerifier::MockCertVerifier()
diff --git a/chromium/net/cert/multi_log_ct_verifier.cc b/chromium/net/cert/multi_log_ct_verifier.cc
index cd473fb96ee..a541cec6d89 100644
--- a/chromium/net/cert/multi_log_ct_verifier.cc
+++ b/chromium/net/cert/multi_log_ct_verifier.cc
@@ -6,8 +6,6 @@
 
 #include <vector>
 
-#include "base/bind.h"
-#include "base/callback_helpers.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/values.h"
 #include "net/base/net_errors.h"
@@ -19,7 +17,6 @@
 #include "net/cert/signed_certificate_timestamp_and_status.h"
 #include "net/cert/x509_certificate.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_with_source.h"
 
 namespace net {
@@ -103,12 +100,11 @@ void MultiLogCTVerifier::Verify(
 
   // Log to Net Log, after extracting SCTs but before possibly failing on
   // X.509 entry creation.
-  NetLogParametersCallback net_log_callback =
-      base::Bind(&NetLogRawSignedCertificateTimestampCallback, embedded_scts,
-                 sct_list_from_ocsp, sct_list_from_tls_extension);
-
-  net_log.AddEvent(NetLogEventType::SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED,
-                   net_log_callback);
+  net_log.AddEvent(
+      NetLogEventType::SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED, [&] {
+        return NetLogRawSignedCertificateTimestampParams(
+            embedded_scts, sct_list_from_ocsp, sct_list_from_tls_extension);
+      });
 
   ct::SignedEntryData x509_entry;
   if (ct::GetX509SignedEntry(cert->cert_buffer(), &x509_entry)) {
@@ -130,11 +126,9 @@ void MultiLogCTVerifier::Verify(
         base::TimeDelta::FromMilliseconds(100), 50);
   }
 
-  NetLogParametersCallback net_log_checked_callback =
-      base::Bind(&NetLogSignedCertificateTimestampCallback, output_scts);
-
-  net_log.AddEvent(NetLogEventType::SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED,
-                   net_log_checked_callback);
+  net_log.AddEvent(NetLogEventType::SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED, [&] {
+    return NetLogSignedCertificateTimestampParams(output_scts);
+  });
 }
 
 void MultiLogCTVerifier::VerifySCTs(
diff --git a/chromium/net/cert/multi_log_ct_verifier_unittest.cc b/chromium/net/cert/multi_log_ct_verifier_unittest.cc
index d935767f7bb..d171a465b33 100644
--- a/chromium/net/cert/multi_log_ct_verifier_unittest.cc
+++ b/chromium/net/cert/multi_log_ct_verifier_unittest.cc
@@ -24,7 +24,7 @@
 #include "net/log/net_log_source_type.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
+#include "net/log/test_net_log_util.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/ct_test_util.h"
 #include "net/test/test_data_directory.h"
@@ -65,25 +65,23 @@ class MultiLogCTVerifierTest : public ::testing::Test {
   }
 
   bool CheckForEmbeddedSCTInNetLog(const TestNetLog& net_log) {
-    TestNetLogEntry::List entries;
-    net_log.GetEntries(&entries);
+    auto entries = net_log.GetEntries();
     if (entries.size() != 2)
       return false;
 
-    const TestNetLogEntry& received = entries[0];
-    std::string embedded_scts;
-    if (!received.GetStringValue("embedded_scts", &embedded_scts))
-      return false;
-    if (embedded_scts.empty())
+    auto embedded_scts =
+        GetOptionalStringValueFromParams(entries[0], "embedded_scts");
+    if (!embedded_scts || embedded_scts->empty())
       return false;
 
-    const TestNetLogEntry& parsed = entries[1];
-    base::ListValue* scts;
-    if (!parsed.GetListValue("scts", &scts) || scts->GetSize() != 1) {
+    const NetLogEntry& parsed = entries[1];
+    const base::ListValue* scts;
+    if (!GetListValueFromParams(parsed, "scts", &scts) ||
+        scts->GetSize() != 1) {
       return false;
     }
 
-    base::DictionaryValue* the_sct;
+    const base::DictionaryValue* the_sct;
     if (!scts->GetDictionary(0, &the_sct))
       return false;
 
diff --git a/chromium/net/cert/multi_threaded_cert_verifier.cc b/chromium/net/cert/multi_threaded_cert_verifier.cc
index 531aa0e9cbb..912090d85a8 100644
--- a/chromium/net/cert/multi_threaded_cert_verifier.cc
+++ b/chromium/net/cert/multi_threaded_cert_verifier.cc
@@ -35,8 +35,6 @@
 
 namespace net {
 
-class NetLogCaptureMode;
-
 // Allows DoVerifyOnWorkerThread to wait on a base::WaitableEvent.
 // DoVerifyOnWorkerThread may wait on network operations done on a separate
 // sequence. For instance when using the NSS-based implementation of certificate
@@ -83,8 +81,7 @@ class MultiThreadedCertVerifierScopedAllowBaseSyncPrimitives
 
 namespace {
 
-base::Value CertVerifyResultCallback(const CertVerifyResult& verify_result,
-                                     NetLogCaptureMode capture_mode) {
+base::Value CertVerifyResultParams(const CertVerifyResult& verify_result) {
   base::DictionaryValue results;
   results.SetBoolean("has_md5", verify_result.has_md5);
   results.SetBoolean("has_md2", verify_result.has_md2);
@@ -94,9 +91,8 @@ base::Value CertVerifyResultCallback(const CertVerifyResult& verify_result,
   results.SetBoolean("is_issued_by_additional_trust_anchor",
                      verify_result.is_issued_by_additional_trust_anchor);
   results.SetInteger("cert_status", verify_result.cert_status);
-  results.SetKey("verified_cert",
-                 NetLogX509CertificateCallback(
-                     verify_result.verified_cert.get(), capture_mode));
+  results.SetKey("verified_cert", NetLogX509CertificateParams(
+                                      verify_result.verified_cert.get()));
 
   std::unique_ptr<base::ListValue> hashes(new base::ListValue());
   for (auto it = verify_result.public_key_hashes.begin();
@@ -221,11 +217,10 @@ class CertVerifierJob {
         net_log_(NetLogWithSource::Make(net_log,
                                         NetLogSourceType::CERT_VERIFIER_JOB)),
         cert_verifier_(cert_verifier),
-        is_first_job_(false),
-        weak_ptr_factory_(this) {
-    net_log_.BeginEvent(NetLogEventType::CERT_VERIFIER_JOB,
-                        base::Bind(&NetLogX509CertificateCallback,
-                                   base::Unretained(key.certificate().get())));
+        is_first_job_(false) {
+    net_log_.BeginEvent(NetLogEventType::CERT_VERIFIER_JOB, [&] {
+      return NetLogX509CertificateParams(key.certificate().get());
+    });
   }
 
   // Indicates whether this was the first job started by the CertVerifier. This
@@ -279,9 +274,8 @@ class CertVerifierJob {
     std::unique_ptr<CertVerifierRequest> request(new CertVerifierRequest(
         this, std::move(callback), verify_result, net_log));
 
-    request->net_log().AddEvent(
-        NetLogEventType::CERT_VERIFIER_REQUEST_BOUND_TO_JOB,
-        net_log_.source().ToEventParametersCallback());
+    request->net_log().AddEventReferencingSource(
+        NetLogEventType::CERT_VERIFIER_REQUEST_BOUND_TO_JOB, net_log_.source());
 
     requests_.Append(request.get());
     return request;
@@ -292,9 +286,9 @@ class CertVerifierJob {
 
   // Called on completion of the Job to log UMA metrics and NetLog events.
   void LogMetrics(const ResultHelper& verify_result) {
-    net_log_.EndEvent(
-        NetLogEventType::CERT_VERIFIER_JOB,
-        base::Bind(&CertVerifyResultCallback, verify_result.result));
+    net_log_.EndEvent(NetLogEventType::CERT_VERIFIER_JOB, [&] {
+      return CertVerifyResultParams(verify_result.result);
+    });
     base::TimeDelta latency = base::TimeTicks::Now() - start_time_;
     if (cert_verifier_->should_record_histograms_) {
       UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency", latency,
@@ -345,7 +339,7 @@ class CertVerifierJob {
   MultiThreadedCertVerifier* cert_verifier_;  // Non-owned.
 
   bool is_first_job_;
-  base::WeakPtrFactory<CertVerifierJob> weak_ptr_factory_;
+  base::WeakPtrFactory<CertVerifierJob> weak_ptr_factory_{this};
 };
 
 MultiThreadedCertVerifier::MultiThreadedCertVerifier(
diff --git a/chromium/net/cert/nss_cert_database.cc b/chromium/net/cert/nss_cert_database.cc
index bc966fbe0d6..56dd1272052 100644
--- a/chromium/net/cert/nss_cert_database.cc
+++ b/chromium/net/cert/nss_cert_database.cc
@@ -70,8 +70,7 @@ NSSCertDatabase::NSSCertDatabase(crypto::ScopedPK11Slot public_slot,
                                  crypto::ScopedPK11Slot private_slot)
     : public_slot_(std::move(public_slot)),
       private_slot_(std::move(private_slot)),
-      observer_list_(new base::ObserverListThreadSafe<Observer>),
-      weak_factory_(this) {
+      observer_list_(new base::ObserverListThreadSafe<Observer>) {
   CHECK(public_slot_);
 
   CertDatabase* cert_db = CertDatabase::GetInstance();
diff --git a/chromium/net/cert/nss_cert_database.h b/chromium/net/cert/nss_cert_database.h
index cee2f01b492..97be8c45eb3 100644
--- a/chromium/net/cert/nss_cert_database.h
+++ b/chromium/net/cert/nss_cert_database.h
@@ -282,7 +282,7 @@ class NET_EXPORT NSSCertDatabase {
 
   const scoped_refptr<base::ObserverListThreadSafe<Observer>> observer_list_;
 
-  base::WeakPtrFactory<NSSCertDatabase> weak_factory_;
+  base::WeakPtrFactory<NSSCertDatabase> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(NSSCertDatabase);
 };
diff --git a/chromium/net/cert/test_root_certs.cc b/chromium/net/cert/test_root_certs.cc
index f455d18f001..2790669081c 100644
--- a/chromium/net/cert/test_root_certs.cc
+++ b/chromium/net/cert/test_root_certs.cc
@@ -60,19 +60,23 @@ TestRootCerts::TestRootCerts() {
 ScopedTestRoot::ScopedTestRoot() = default;
 
 ScopedTestRoot::ScopedTestRoot(X509Certificate* cert) {
-  Reset(cert);
+  Reset({cert});
+}
+
+ScopedTestRoot::ScopedTestRoot(CertificateList certs) {
+  Reset(std::move(certs));
 }
 
 ScopedTestRoot::~ScopedTestRoot() {
-  Reset(nullptr);
+  Reset({});
 }
 
-void ScopedTestRoot::Reset(X509Certificate* cert) {
-  if (cert_.get())
+void ScopedTestRoot::Reset(CertificateList certs) {
+  if (!certs_.empty())
     TestRootCerts::GetInstance()->Clear();
-  if (cert)
-    TestRootCerts::GetInstance()->Add(cert);
-  cert_ = cert;
+  for (const auto& cert : certs)
+    TestRootCerts::GetInstance()->Add(cert.get());
+  certs_ = certs;
 }
 
 }  // namespace net
diff --git a/chromium/net/cert/test_root_certs.h b/chromium/net/cert/test_root_certs.h
index 53157181b4c..c0be7b78328 100644
--- a/chromium/net/cert/test_root_certs.h
+++ b/chromium/net/cert/test_root_certs.h
@@ -32,6 +32,7 @@ class FilePath;
 namespace net {
 
 class X509Certificate;
+typedef std::vector<scoped_refptr<X509Certificate>> CertificateList;
 
 // TestRootCerts is a helper class for unit tests that is used to
 // artificially mark a certificate as trusted, independent of the local
@@ -149,17 +150,21 @@ class NET_EXPORT_PRIVATE ScopedTestRoot {
   // TestRootCerts store (if there were existing roots they are
   // cleared).
   explicit ScopedTestRoot(X509Certificate* cert);
+  // Creates a ScopedTestRoot that sets |certs| as the only roots in the
+  // TestRootCerts store (if there were existing roots they are
+  // cleared).
+  explicit ScopedTestRoot(CertificateList certs);
   ~ScopedTestRoot();
 
-  // Assigns |cert| to be the new test root cert. If |cert| is NULL, undoes
+  // Assigns |certs| to be the new test root certs. If |certs| is empty, undoes
   // any work the ScopedTestRoot may have previously done.
-  // If |cert_| contains a certificate (due to a prior call to Reset or due to
-  // a cert being passed at construction), the existing TestRootCerts store is
+  // If |certs_| contains certificates (due to a prior call to Reset or due to
+  // certs being passed at construction), the existing TestRootCerts store is
   // cleared.
-  void Reset(X509Certificate* cert);
+  void Reset(CertificateList certs);
 
  private:
-  scoped_refptr<X509Certificate> cert_;
+  CertificateList certs_;
 
   DISALLOW_COPY_AND_ASSIGN(ScopedTestRoot);
 };
diff --git a/chromium/net/cert/trial_comparison_cert_verifier.cc b/chromium/net/cert/trial_comparison_cert_verifier.cc
index 7f96f2978f9..f3bd119c80d 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier.cc
+++ b/chromium/net/cert/trial_comparison_cert_verifier.cc
@@ -31,8 +31,7 @@ namespace net {
 
 namespace {
 
-base::Value TrialVerificationJobResultCallback(bool trial_success,
-                                               NetLogCaptureMode capture_mode) {
+base::Value TrialVerificationJobResultParams(bool trial_success) {
   base::Value results(base::Value::Type::DICTIONARY);
   results.SetBoolKey("trial_success", trial_success);
   return results;
@@ -139,9 +138,9 @@ class TrialComparisonCertVerifier::TrialVerificationJob {
         primary_error_(primary_error),
         primary_result_(primary_result) {
     net_log_.BeginEvent(NetLogEventType::TRIAL_CERT_VERIFIER_JOB);
-    source_net_log.AddEvent(
+    source_net_log.AddEventReferencingSource(
         NetLogEventType::TRIAL_CERT_VERIFIER_JOB_COMPARISON_STARTED,
-        net_log_.source().ToEventParametersCallback());
+        net_log_.source());
   }
 
   ~TrialVerificationJob() {
@@ -172,9 +171,9 @@ class TrialComparisonCertVerifier::TrialVerificationJob {
     UMA_HISTOGRAM_ENUMERATION("Net.CertVerifier_TrialComparisonResult",
                               result_code);
 
-    net_log_.EndEvent(
-        NetLogEventType::TRIAL_CERT_VERIFIER_JOB,
-        base::BindRepeating(&TrialVerificationJobResultCallback, is_success));
+    net_log_.EndEvent(NetLogEventType::TRIAL_CERT_VERIFIER_JOB, [&] {
+      return TrialVerificationJobResultParams(is_success);
+    });
 
     if (!is_success) {
       cert_verifier->report_callback_.Run(
diff --git a/chromium/net/cert/x509_certificate.cc b/chromium/net/cert/x509_certificate.cc
index f196769dff3..6973f4a01fa 100644
--- a/chromium/net/cert/x509_certificate.cc
+++ b/chromium/net/cert/x509_certificate.cc
@@ -37,6 +37,7 @@
 #include "net/cert/x509_util.h"
 #include "net/der/encode_values.h"
 #include "net/der/parser.h"
+#include "net/dns/dns_util.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
 #include "third_party/boringssl/src/include/openssl/pkcs7.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
@@ -439,13 +440,13 @@ bool X509Certificate::IsIssuedByEncoded(
   std::string normalized_cert_issuer;
   if (!GetNormalizedCertIssuer(cert_buffer_.get(), &normalized_cert_issuer))
     return false;
-  if (base::ContainsValue(normalized_issuers, normalized_cert_issuer))
+  if (base::Contains(normalized_issuers, normalized_cert_issuer))
     return true;
 
   for (const auto& intermediate : intermediate_ca_certs_) {
     if (!GetNormalizedCertIssuer(intermediate.get(), &normalized_cert_issuer))
       return false;
-    if (base::ContainsValue(normalized_issuers, normalized_cert_issuer))
+    if (base::Contains(normalized_issuers, normalized_cert_issuer))
       return true;
   }
   return false;
@@ -475,11 +476,8 @@ bool X509Certificate::VerifyHostname(
       "[" + hostname + "]" : hostname;
   url::CanonHostInfo host_info;
   std::string reference_name = CanonicalizeHost(host_or_ip, &host_info);
-  // CanonicalizeHost does not normalize absolute vs relative DNS names. If
-  // the input name was absolute (included trailing .), normalize it as if it
-  // was relative.
-  if (!reference_name.empty() && *reference_name.rbegin() == '.')
-    reference_name.resize(reference_name.size() - 1);
+
+  // If the host cannot be canonicalized, fail fast.
   if (reference_name.empty())
     return false;
 
@@ -488,9 +486,24 @@ bool X509Certificate::VerifyHostname(
     base::StringPiece ip_addr_string(
         reinterpret_cast<const char*>(host_info.address),
         host_info.AddressLength());
-    return base::ContainsValue(cert_san_ip_addrs, ip_addr_string);
+    return base::Contains(cert_san_ip_addrs, ip_addr_string);
   }
 
+  // The host portion of a URL may support a variety of name resolution formats
+  // and services. However, the only supported name types in this code are IP
+  // addresses, which have been handled above via iPAddress subjectAltNames,
+  // and DNS names, via dNSName subjectAltNames.
+  // Validate that the host conforms to the DNS preferred name syntax, in
+  // either relative or absolute form, and exclude the "root" label for DNS.
+  if (reference_name == "." || !IsValidDNSDomain(reference_name))
+    return false;
+
+  // CanonicalizeHost does not normalize absolute vs relative DNS names. If
+  // the input name was absolute (included trailing .), normalize it as if it
+  // was relative.
+  if (reference_name.back() == '.')
+    reference_name.pop_back();
+
   // |reference_domain| is the remainder of |host| after the leading host
   // component is stripped off, but includes the leading dot e.g.
   // "www.f.com" -> ".f.com".
diff --git a/chromium/net/cert/x509_certificate_net_log_param.cc b/chromium/net/cert/x509_certificate_net_log_param.cc
index d2ddf074a5c..aaacd0a5fe0 100644
--- a/chromium/net/cert/x509_certificate_net_log_param.cc
+++ b/chromium/net/cert/x509_certificate_net_log_param.cc
@@ -15,8 +15,7 @@
 
 namespace net {
 
-base::Value NetLogX509CertificateCallback(const X509Certificate* certificate,
-                                          NetLogCaptureMode capture_mode) {
+base::Value NetLogX509CertificateParams(const X509Certificate* certificate) {
   base::Value dict(base::Value::Type::DICTIONARY);
   base::Value certs(base::Value::Type::LIST);
   std::vector<std::string> encoded_chain;
diff --git a/chromium/net/cert/x509_certificate_net_log_param.h b/chromium/net/cert/x509_certificate_net_log_param.h
index c328189763c..986a508a03e 100644
--- a/chromium/net/cert/x509_certificate_net_log_param.h
+++ b/chromium/net/cert/x509_certificate_net_log_param.h
@@ -15,13 +15,11 @@ class Value;
 
 namespace net {
 
-class NetLogCaptureMode;
 class X509Certificate;
 
 // Creates NetLog parameter to describe an X509Certificate.
-NET_EXPORT base::Value NetLogX509CertificateCallback(
-    const X509Certificate* certificate,
-    NetLogCaptureMode capture_mode);
+NET_EXPORT base::Value NetLogX509CertificateParams(
+    const X509Certificate* certificate);
 
 }  // namespace net
 
diff --git a/chromium/net/cert/x509_certificate_unittest.cc b/chromium/net/cert/x509_certificate_unittest.cc
index bd422925a3f..6fd11721d68 100644
--- a/chromium/net/cert/x509_certificate_unittest.cc
+++ b/chromium/net/cert/x509_certificate_unittest.cc
@@ -1202,8 +1202,14 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
     {false, "wwww.bar.foo.com", "w*w.bar.foo.c0m"},
     {false, "WALLY.bar.foo.com", "wa*.bar.foo.com"},
     {false, "wally.bar.foo.com", "*Ly.bar.foo.com"},
+    // Hostname escaping tests
     {true, "ww%57.foo.com", "www.foo.com"},
-    {true, "www&.foo.com", "www%26.foo.com"},
+    {true, "www%2Efoo.com", "www.foo.com"},
+    {false, "www%00.foo.com", "www,foo.com,www.foo.com"},
+    {false, "www%0D.foo.com", "www.foo.com,www\r.foo.com"},
+    {false, "www%40foo.com", "www@foo.com"},
+    {false, "www%2E%2Efoo.com", "www.foo.com,www..foo.com"},
+    {false, "www%252Efoo.com", "www.foo.com"},
     // IDN tests
     {true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"},
     {true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br"},
@@ -1287,6 +1293,16 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
     {false, "1.2.3.4.5.6", "*.2.3.4.5.6"},
     {true, "1.2.3.4.5", "1.2.3.4.5"},
     // Invalid host names.
+    {false, ".", ""},
+    {false, ".", "."},
+    {false, "1.2.3.4..", "", "1.2.3.4"},
+    {false, "www..domain.example", "www.domain.example"},
+    {false, "www^domain.example", "www^domain.example"},
+    {false, "www%20.domain.example", "www .domain.example"},
+    {false, "www%2520.domain.example", "www .domain.example"},
+    {false, "www%5E.domain.example", "www^domain.example"},
+    {false, "www,domain.example", "www,domain.example"},
+    {false, "0x000000002200037955161..", "0x000000002200037955161"},
     {false, "junk)(£)$*!@~#", "junk)(£)$*!@~#"},
     {false, "www.*.com", "www.*.com"},
     {false, "w$w.f.com", "w$w.f.com"},
diff --git a/chromium/net/cert/x509_util_android.cc b/chromium/net/cert/x509_util_android.cc
index 3ad4bdf65f9..d607d5bc83d 100644
--- a/chromium/net/cert/x509_util_android.cc
+++ b/chromium/net/cert/x509_util_android.cc
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "jni/X509Util_jni.h"
 #include "net/cert/cert_database.h"
+#include "net/net_jni_headers/X509Util_jni.h"
 
 using base::android::JavaParamRef;
 
diff --git a/chromium/net/cert_net/cert_net_fetcher_impl.cc b/chromium/net/cert_net/cert_net_fetcher_impl.cc
index 11a1166a23a..349c6562153 100644
--- a/chromium/net/cert_net/cert_net_fetcher_impl.cc
+++ b/chromium/net/cert_net/cert_net_fetcher_impl.cc
@@ -135,21 +135,19 @@ class CertNetFetcherImpl::AsyncCertNetFetcherImpl {
   void Fetch(std::unique_ptr<RequestParams> request_params,
              scoped_refptr<RequestCore> request);
 
+  // Removes |job| from the in progress jobs and transfers ownership to the
+  // caller.
+  std::unique_ptr<Job> RemoveJob(Job* job);
+
   // Cancels outstanding jobs, which stops network requests and signals the
   // corresponding RequestCores that the requests have completed.
   void Shutdown();
 
  private:
-  friend class Job;
-
   // Finds a job with a matching RequestPararms or returns nullptr if there was
   // no match.
   Job* FindJob(const RequestParams& params);
 
-  // Removes |job| from the in progress jobs and transfers ownership to the
-  // caller.
-  std::unique_ptr<Job> RemoveJob(Job* job);
-
   // The in-progress jobs. This set does not contain the job which is actively
   // invoking callbacks (OnJobCompleted).
   JobSet jobs_;
diff --git a/chromium/net/cert_net/nss_ocsp.cc b/chromium/net/cert_net/nss_ocsp.cc
index 9fa92efecc2..826d297fb80 100644
--- a/chromium/net/cert_net/nss_ocsp.cc
+++ b/chromium/net/cert_net/nss_ocsp.cc
@@ -519,12 +519,12 @@ void OCSPIOLoop::PostTaskToIOLoop(const base::Location& from_here,
 }
 
 void OCSPIOLoop::AddRequest(OCSPRequestSession* request) {
-  DCHECK(!base::ContainsKey(requests_, request));
+  DCHECK(!base::Contains(requests_, request));
   requests_.insert(request);
 }
 
 void OCSPIOLoop::RemoveRequest(OCSPRequestSession* request) {
-  DCHECK(base::ContainsKey(requests_, request));
+  DCHECK(base::Contains(requests_, request));
   requests_.erase(request);
 }
 
diff --git a/chromium/net/cookies/canonical_cookie.cc b/chromium/net/cookies/canonical_cookie.cc
index 4b2fd725631..c63b2d836db 100644
--- a/chromium/net/cookies/canonical_cookie.cc
+++ b/chromium/net/cookies/canonical_cookie.cc
@@ -283,11 +283,18 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::CreateSanitizedCookie(
   // Validate consistency of passed arguments.
   if (ParsedCookie::ParseTokenString(name) != name ||
       ParsedCookie::ParseValueString(value) != value ||
+      !ParsedCookie::IsValidCookieAttributeValue(name) ||
+      !ParsedCookie::IsValidCookieAttributeValue(value) ||
       ParsedCookie::ParseValueString(domain) != domain ||
       ParsedCookie::ParseValueString(path) != path) {
     return nullptr;
   }
 
+  // This validation step must happen before GetCookieDomainWithString, so it
+  // doesn't fail DCHECKs.
+  if (!cookie_util::DomainIsHostOnly(url.host()))
+    return nullptr;
+
   std::string cookie_domain;
   if (!cookie_util::GetCookieDomainWithString(url, domain, &cookie_domain))
     return nullptr;
@@ -299,6 +306,11 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::CreateSanitizedCookie(
   if (!path.empty() && cookie_path != path)
     return nullptr;
 
+  if (!IsCookiePrefixValid(GetCookiePrefix(name), url, secure, domain,
+                           cookie_path)) {
+    return nullptr;
+  }
+
   if (!last_access_time.is_null() && creation_time.is_null())
     return nullptr;
 
@@ -327,7 +339,6 @@ bool CanonicalCookie::IsEquivalentForSecureCookieMatching(
 }
 
 bool CanonicalCookie::IsOnPath(const std::string& url_path) const {
-
   // A zero length would be unsafe for our trailing '/' checks, and
   // would also make no sense for our prefix match.  The code that
   // creates a CanonicalCookie should make sure the path is never zero length,
@@ -492,39 +503,6 @@ bool CanonicalCookie::PartialCompare(const CanonicalCookie& other) const {
   return PartialCookieOrdering(*this, other) < 0;
 }
 
-bool CanonicalCookie::FullCompare(const CanonicalCookie& other) const {
-  // Do the partial comparison first.
-  int diff = PartialCookieOrdering(*this, other);
-  if (diff != 0)
-    return diff < 0;
-
-  DCHECK(IsEquivalent(other));
-
-  // Compare other fields.
-  diff = Value().compare(other.Value());
-  if (diff != 0)
-    return diff < 0;
-
-  if (CreationDate() != other.CreationDate())
-    return CreationDate() < other.CreationDate();
-
-  if (ExpiryDate() != other.ExpiryDate())
-    return ExpiryDate() < other.ExpiryDate();
-
-  if (LastAccessDate() != other.LastAccessDate())
-    return LastAccessDate() < other.LastAccessDate();
-
-  if (IsSecure() != other.IsSecure())
-    return IsSecure();
-
-  if (IsHttpOnly() != other.IsHttpOnly())
-    return IsHttpOnly();
-
-  // TODO(chlily): This should also compare the SameSite attribute.
-
-  return Priority() < other.Priority();
-}
-
 bool CanonicalCookie::IsCanonical() const {
   // Not checking domain or path against ParsedCookie as it may have
   // come purely from the URL.
@@ -619,11 +597,23 @@ void CanonicalCookie::RecordCookiePrefixMetrics(
 bool CanonicalCookie::IsCookiePrefixValid(CanonicalCookie::CookiePrefix prefix,
                                           const GURL& url,
                                           const ParsedCookie& parsed_cookie) {
+  return CanonicalCookie::IsCookiePrefixValid(
+      prefix, url, parsed_cookie.IsSecure(),
+      parsed_cookie.HasDomain() ? parsed_cookie.Domain() : "",
+      parsed_cookie.HasPath() ? parsed_cookie.Path() : "");
+}
+
+bool CanonicalCookie::IsCookiePrefixValid(CanonicalCookie::CookiePrefix prefix,
+                                          const GURL& url,
+                                          bool secure,
+                                          const std::string& domain,
+                                          const std::string& path) {
   if (prefix == CanonicalCookie::COOKIE_PREFIX_SECURE)
-    return parsed_cookie.IsSecure() && url.SchemeIsCryptographic();
+    return secure && url.SchemeIsCryptographic();
   if (prefix == CanonicalCookie::COOKIE_PREFIX_HOST) {
-    return parsed_cookie.IsSecure() && url.SchemeIsCryptographic() &&
-           !parsed_cookie.HasDomain() && parsed_cookie.Path() == "/";
+    const bool domain_valid =
+        domain.empty() || (url.HostIsIPAddress() && url.host() == domain);
+    return secure && url.SchemeIsCryptographic() && domain_valid && path == "/";
   }
   return true;
 }
diff --git a/chromium/net/cookies/canonical_cookie.h b/chromium/net/cookies/canonical_cookie.h
index 71f61bf8c85..163efdd1fcc 100644
--- a/chromium/net/cookies/canonical_cookie.h
+++ b/chromium/net/cookies/canonical_cookie.h
@@ -83,9 +83,10 @@ class NET_EXPORT CanonicalCookie {
   };
 
   // Creates a new |CanonicalCookie| from the |cookie_line| and the
-  // |creation_time|.  Canonicalizes and validates inputs. May return NULL if
-  // an attribute value is invalid.  |creation_time| may not be null. Sets
-  // optional |status| to the relevent CookieInclusionStatus if provided
+  // |creation_time|.  Canonicalizes and validates inputs.  May return NULL if
+  // an attribute value is invalid.  |url| must be valid.  |creation_time| may
+  // not be null. Sets optional |status| to the relevant CookieInclusionStatus
+  // if provided
   static std::unique_ptr<CanonicalCookie> Create(
       const GURL& url,
       const std::string& cookie_line,
@@ -221,13 +222,6 @@ class NET_EXPORT CanonicalCookie {
   // are identical for PartialCompare().
   bool PartialCompare(const CanonicalCookie& other) const;
 
-  // TODO(chlily): Remove this. There should not be multiple cookies for which
-  // PartialCompare disagrees. This is only used in tests.
-  // Returns true if the cookie is less than |other|, considering all fields.
-  // FullCompare() is consistent with PartialCompare(): cookies sorted using
-  // FullCompare() are also sorted with respect to PartialCompare().
-  bool FullCompare(const CanonicalCookie& other) const;
-
   // Return whether this object is a valid CanonicalCookie().  Invalid
   // cookies may be constructed by the detailed constructor.
   // A cookie is considered canonical if-and-only-if:
@@ -274,6 +268,11 @@ class NET_EXPORT CanonicalCookie {
   static bool IsCookiePrefixValid(CookiePrefix prefix,
                                   const GURL& url,
                                   const ParsedCookie& parsed_cookie);
+  static bool IsCookiePrefixValid(CookiePrefix prefix,
+                                  const GURL& url,
+                                  bool secure,
+                                  const std::string& domain,
+                                  const std::string& path);
 
   // Returns the cookie's domain, with the leading dot removed, if present.
   std::string DomainWithoutDot() const;
diff --git a/chromium/net/cookies/canonical_cookie_fuzzer.cc b/chromium/net/cookies/canonical_cookie_fuzzer.cc
new file mode 100644
index 00000000000..816b0a9b4f1
--- /dev/null
+++ b/chromium/net/cookies/canonical_cookie_fuzzer.cc
@@ -0,0 +1,58 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <limits>
+#include <memory>
+
+#include "net/cookies/canonical_cookie.h"
+#include "net/cookies/cookie_constants.h"
+#include "net/cookies/cookie_util.h"
+#include "net/cookies/parsed_cookie.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
+
+namespace net {
+const base::Time getRandomTime(FuzzedDataProvider* data_provider) {
+  const uint64_t max = std::numeric_limits<uint64_t>::max();
+  return base::Time::FromTimeT(
+      data_provider->ConsumeIntegralInRange<uint64_t>(0, max));
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  FuzzedDataProvider data_provider(data, size);
+
+  const std::string name = data_provider.ConsumeRandomLengthString(800);
+  const std::string value = data_provider.ConsumeRandomLengthString(800);
+  const std::string domain = data_provider.ConsumeRandomLengthString(800);
+  const std::string path = data_provider.ConsumeRandomLengthString(800);
+
+  const GURL url(data_provider.ConsumeRandomLengthString(800));
+  if (!url.is_valid())
+    return 0;
+
+  const base::Time creation = getRandomTime(&data_provider);
+  const base::Time expiration = getRandomTime(&data_provider);
+  const base::Time last_access = getRandomTime(&data_provider);
+
+  const std::unique_ptr<const CanonicalCookie> sanitized_cookie =
+      CanonicalCookie::CreateSanitizedCookie(
+          url, name, value, domain, path, creation, expiration, last_access,
+          data_provider.ConsumeBool(), data_provider.ConsumeBool(),
+          CookieSameSite::UNSPECIFIED, CookiePriority::COOKIE_PRIORITY_DEFAULT);
+
+  if (sanitized_cookie) {
+    CHECK(sanitized_cookie->IsCanonical());
+
+    // Check identity property of various comparison functions
+    const CanonicalCookie copied_cookie = *sanitized_cookie;
+    CHECK(sanitized_cookie->IsEquivalent(copied_cookie));
+    CHECK(sanitized_cookie->IsEquivalentForSecureCookieMatching(copied_cookie));
+    CHECK(!sanitized_cookie->PartialCompare(copied_cookie));
+  }
+
+  return 0;
+}
+}  // namespace net
diff --git a/chromium/net/cookies/canonical_cookie_unittest.cc b/chromium/net/cookies/canonical_cookie_unittest.cc
index 3f3c57c7724..c78be99cd3b 100644
--- a/chromium/net/cookies/canonical_cookie_unittest.cc
+++ b/chromium/net/cookies/canonical_cookie_unittest.cc
@@ -784,42 +784,6 @@ TEST(CanonicalCookieTest, PartialCompare) {
   EXPECT_TRUE(cookie->IsEquivalent(*cookie));
 }
 
-TEST(CanonicalCookieTest, FullCompare) {
-  GURL url("http://www.example.com");
-  base::Time creation_time = base::Time::Now();
-  CookieOptions options;
-  std::unique_ptr<CanonicalCookie> cookie(
-      CanonicalCookie::Create(url, "a=b", creation_time, options));
-  std::unique_ptr<CanonicalCookie> cookie_different_path(
-      CanonicalCookie::Create(url, "a=b; path=/foo", creation_time, options));
-  std::unique_ptr<CanonicalCookie> cookie_different_value(
-      CanonicalCookie::Create(url, "a=c", creation_time, options));
-
-  // Cookie is equivalent to itself.
-  EXPECT_FALSE(cookie->FullCompare(*cookie));
-
-  // Changing the path affects the ordering.
-  EXPECT_TRUE(cookie->FullCompare(*cookie_different_path));
-  EXPECT_FALSE(cookie_different_path->FullCompare(*cookie));
-
-  // Changing the value affects the ordering.
-  EXPECT_TRUE(cookie->FullCompare(*cookie_different_value));
-  EXPECT_FALSE(cookie_different_value->FullCompare(*cookie));
-
-  // FullCompare() implies PartialCompare().
-  auto check_consistency =
-      [](const CanonicalCookie& a, const CanonicalCookie& b) {
-        if (a.FullCompare(b))
-          EXPECT_FALSE(b.PartialCompare(a));
-        else if (b.FullCompare(a))
-          EXPECT_FALSE(a.PartialCompare(b));
-      };
-
-  check_consistency(*cookie, *cookie_different_path);
-  check_consistency(*cookie, *cookie_different_value);
-  check_consistency(*cookie_different_path, *cookie_different_value);
-}
-
 TEST(CanonicalCookieTest, SecureCookiePrefix) {
   GURL https_url("https://www.example.test");
   GURL http_url("http://www.example.test");
@@ -897,6 +861,18 @@ TEST(CanonicalCookieTest, HostCookiePrefix) {
   EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::EXCLUDE_INVALID_PREFIX,
             status);
 
+  // A __Host- cookie may have a domain if it's an IP address that matches the
+  // URL.
+  EXPECT_TRUE(
+      CanonicalCookie::Create(GURL("https://127.0.0.1"),
+                              "__Host-A=B; Domain=127.0.0.1; Path=/; Secure;",
+                              creation_time, options, &status));
+  // A __Host- cookie with an IP address domain does not need the domain
+  // attribute specified explicitly (just like a normal domain).
+  EXPECT_TRUE(CanonicalCookie::Create(GURL("https://127.0.0.1"),
+                                      "__Host-A=B; Domain=; Path=/; Secure;",
+                                      creation_time, options, &status));
+
   // A __Host- cookie must have a Path of "/".
   EXPECT_FALSE(CanonicalCookie::Create(https_url,
                                        "__Host-A=B; Path=/foo; Secure;",
@@ -1392,6 +1368,21 @@ TEST(CanonicalCookieTest, CreateSanitizedCookie_Logic) {
       false /*httponly*/, CookieSameSite::NO_RESTRICTION,
       COOKIE_PRIORITY_DEFAULT));
 
+  // Test the file:// protocol.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("file:///"), "A", "B", std::string(), "/foo", one_hour_ago,
+      one_hour_from_now, base::Time(), false /*secure*/, false /*httponly*/,
+      CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT));
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("file:///home/user/foo.txt"), "A", "B", std::string(), "/foo",
+      one_hour_ago, one_hour_from_now, base::Time(), false /*secure*/,
+      false /*httponly*/, CookieSameSite::NO_RESTRICTION,
+      COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("file:///home/user/foo.txt"), "A", "B", "home", "/foo", one_hour_ago,
+      one_hour_from_now, base::Time(), false /*secure*/, false /*httponly*/,
+      CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT));
+
   // Test that malformed attributes fail to set the cookie.
   EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
       GURL("http://www.foo.com/foo"), " A", "B", std::string(), "/foo",
@@ -1409,11 +1400,21 @@ TEST(CanonicalCookieTest, CreateSanitizedCookie_Logic) {
       false /*httponly*/, CookieSameSite::NO_RESTRICTION,
       COOKIE_PRIORITY_DEFAULT));
   EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("http://www.foo.com/foo"), "A\x07", "B", std::string(), "/foo",
+      one_hour_ago, one_hour_from_now, base::Time(), false /*secure*/,
+      false /*httponly*/, CookieSameSite::NO_RESTRICTION,
+      COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
       GURL("http://www.foo.com"), "A", " B", std::string(), "/foo",
       base::Time(), base::Time(), base::Time(), false /*secure*/,
       false /*httponly*/, CookieSameSite::NO_RESTRICTION,
       COOKIE_PRIORITY_DEFAULT));
   EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("http://www.foo.com"), "A", "\x0fZ", std::string(), "/foo",
+      base::Time(), base::Time(), base::Time(), false /*secure*/,
+      false /*httponly*/, CookieSameSite::NO_RESTRICTION,
+      COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
       GURL("http://www.foo.com"), "A", "B", "www.foo.com ", "/foo",
       base::Time(), base::Time(), base::Time(), false /*secure*/,
       false /*httponly*/, CookieSameSite::NO_RESTRICTION,
@@ -1509,6 +1510,97 @@ TEST(CanonicalCookieTest, CreateSanitizedCookie_Logic) {
       COOKIE_PRIORITY_DEFAULT);
   ASSERT_TRUE(cc);
   EXPECT_EQ("/foo%7F", cc->Path());
+
+  // A __Secure- cookie must be Secure.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "__Secure-A", "B", ".www.foo.com", "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "__Secure-A", "B", ".www.foo.com", "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, false, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+
+  // A __Host- cookie must be Secure.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "__Host-A", "B", std::string(), "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "__Host-A", "B", std::string(), "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, false, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+
+  // A __Host- cookie must have path "/".
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "__Host-A", "B", std::string(), "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "__Host-A", "B", std::string(), "/foo",
+      two_hours_ago, one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+
+  // A __Host- cookie must not specify a domain.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "__Host-A", "B", std::string(), "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "__Host-A", "B", ".www.foo.com", "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  // Without __Host- prefix, this is a valid host cookie because it does not
+  // specify a domain.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "A", "B", std::string(), "/", two_hours_ago,
+      one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  // Without __Host- prefix, this is a valid domain (not host) cookie.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "A", "B", ".www.foo.com", "/", two_hours_ago,
+      one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+
+  // The __Host- prefix should not prevent otherwise-valid host cookies from
+  // being accepted.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://127.0.0.1"), "A", "B", std::string(), "/", two_hours_ago,
+      one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://127.0.0.1"), "__Host-A", "B", std::string(), "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  // Host cookies should not specify domain unless it is an IP address that
+  // matches the URL.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://127.0.0.1"), "A", "B", "127.0.0.1", "/", two_hours_ago,
+      one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://127.0.0.1"), "__Host-A", "B", "127.0.0.1", "/",
+      two_hours_ago, one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT));
+
+  // Check that CreateSanitizedCookie can gracefully fail on inputs that would
+  // crash cookie_util::GetCookieDomainWithString due to failing
+  // DCHECKs. Specifically, GetCookieDomainWithString requires that if the
+  // domain is empty or the URL's host matches the domain, then the URL's host
+  // must pass DomainIsHostOnly; it must not begin with a period.
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("http://..."), "A", "B", "...", "/", base::Time(), base::Time(),
+      base::Time(), false /*secure*/, false /*httponly*/,
+      CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("http://."), "A", "B", std::string(), "/", base::Time(),
+      base::Time(), base::Time(), false /*secure*/, false /*httponly*/,
+      CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT));
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("http://.chromium.org"), "A", "B", ".chromium.org", "/",
+      base::Time(), base::Time(), base::Time(), false /*secure*/,
+      false /*httponly*/, CookieSameSite::NO_RESTRICTION,
+      COOKIE_PRIORITY_DEFAULT));
 }
 
 TEST(CanonicalCookieTest, IsSetPermittedInContext) {
diff --git a/chromium/net/cookies/cookie_monster.cc b/chromium/net/cookies/cookie_monster.cc
index 5772e2ac6eb..83a309d40b1 100644
--- a/chromium/net/cookies/cookie_monster.cc
+++ b/chromium/net/cookies/cookie_monster.cc
@@ -71,6 +71,7 @@
 #include "net/cookies/cookie_util.h"
 #include "net/cookies/parsed_cookie.h"
 #include "net/log/net_log.h"
+#include "net/log/net_log_values.h"
 #include "url/origin.h"
 
 using base::Time;
@@ -355,16 +356,14 @@ CookieMonster::CookieMonster(scoped_refptr<PersistentCookieStore> store,
       store_(std::move(store)),
       last_access_threshold_(last_access_threshold),
       last_statistic_record_time_(base::Time::Now()),
-      persist_session_cookies_(false),
-      weak_ptr_factory_(this) {
+      persist_session_cookies_(false) {
   InitializeHistograms();
   cookieable_schemes_.insert(
       cookieable_schemes_.begin(), kDefaultCookieableSchemes,
       kDefaultCookieableSchemes + kDefaultCookieableSchemesCount);
-  net_log_.BeginEvent(
-      NetLogEventType::COOKIE_STORE_ALIVE,
-      base::BindRepeating(&NetLogCookieMonsterConstructorCallback,
-                          store != nullptr));
+  net_log_.BeginEvent(NetLogEventType::COOKIE_STORE_ALIVE, [&] {
+    return NetLogCookieMonsterConstructorParams(store != nullptr);
+  });
 }
 
 // Asynchronous CookieMonster API
@@ -514,16 +513,16 @@ void CookieMonster::SetCookieableSchemes(
 void CookieMonster::SetPersistSessionCookies(bool persist_session_cookies) {
   DCHECK(thread_checker_.CalledOnValidThread());
   DCHECK(!initialized_);
-  net_log_.AddEvent(
-      NetLogEventType::COOKIE_STORE_SESSION_PERSISTENCE,
-      NetLog::BoolCallback("persistence", persist_session_cookies));
+  net_log_.AddEntryWithBoolParams(
+      NetLogEventType::COOKIE_STORE_SESSION_PERSISTENCE, NetLogEventPhase::NONE,
+      "persistence", persist_session_cookies);
   persist_session_cookies_ = persist_session_cookies;
 }
 
 bool CookieMonster::IsCookieableScheme(const std::string& scheme) {
   DCHECK(thread_checker_.CalledOnValidThread());
 
-  return base::ContainsValue(cookieable_schemes_, scheme);
+  return base::Contains(cookieable_schemes_, scheme);
 }
 
 const char* const CookieMonster::kDefaultCookieableSchemes[] = {"http", "https",
@@ -1076,10 +1075,11 @@ CanonicalCookie::CookieInclusionStatus CookieMonster::DeleteAnyEquivalentCookie(
       cc_skipped_secure = cc;
       histogram_cookie_delete_equivalent_->Add(
           COOKIE_DELETE_EQUIVALENT_SKIPPING_SECURE);
-      net_log_.AddEvent(
-          NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_SECURE,
-          base::BindRepeating(&NetLogCookieMonsterCookieRejectedSecure, cc,
-                              &ecc));
+      net_log_.AddEvent(NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_SECURE,
+                        [&](NetLogCaptureMode capture_mode) {
+                          return NetLogCookieMonsterCookieRejectedSecure(
+                              cc, &ecc, capture_mode);
+                        });
       // If the cookie is equivalent to the new cookie and wouldn't have been
       // skipped for being HTTP-only, record that it is a skipped secure cookie
       // that would have been deleted otherwise.
@@ -1103,8 +1103,10 @@ CanonicalCookie::CookieInclusionStatus CookieMonster::DeleteAnyEquivalentCookie(
         skipped_httponly = true;
         net_log_.AddEvent(
             NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_HTTPONLY,
-            base::BindRepeating(&NetLogCookieMonsterCookieRejectedHttponly, cc,
-                                &ecc));
+            [&](NetLogCaptureMode capture_mode) {
+              return NetLogCookieMonsterCookieRejectedHttponly(cc, &ecc,
+                                                               capture_mode);
+            });
       } else {
         cookie_it_to_possibly_delete = curit;
       }
@@ -1133,8 +1135,10 @@ CanonicalCookie::CookieInclusionStatus CookieMonster::DeleteAnyEquivalentCookie(
       DCHECK(cc_skipped_secure);
       net_log_.AddEvent(
           NetLogEventType::COOKIE_STORE_COOKIE_PRESERVED_SKIPPED_SECURE,
-          base::BindRepeating(&NetLogCookieMonsterCookiePreservedSkippedSecure,
-                              cc_skipped_secure, cc_to_possibly_delete, &ecc));
+          [&](NetLogCaptureMode capture_mode) {
+            return NetLogCookieMonsterCookiePreservedSkippedSecure(
+                cc_skipped_secure, cc_to_possibly_delete, &ecc, capture_mode);
+          });
     }
   }
 
@@ -1155,8 +1159,10 @@ CookieMonster::CookieMap::iterator CookieMonster::InternalInsertCookie(
   CanonicalCookie* cc_ptr = cc.get();
 
   net_log_.AddEvent(NetLogEventType::COOKIE_STORE_COOKIE_ADDED,
-                    base::BindRepeating(&NetLogCookieMonsterCookieAdded,
-                                        cc.get(), sync_to_store));
+                    [&](NetLogCaptureMode capture_mode) {
+                      return NetLogCookieMonsterCookieAdded(
+                          cc.get(), sync_to_store, capture_mode);
+                    });
   if ((cc_ptr->IsPersistent() || persist_session_cookies_) && store_.get() &&
       sync_to_store) {
     store_->AddCookie(*cc_ptr);
@@ -1369,8 +1375,10 @@ void CookieMonster::InternalDeleteCookie(CookieMap::iterator it,
   ChangeCausePair mapping = kChangeCauseMapping[deletion_cause];
   if (deletion_cause != DELETE_COOKIE_DONT_RECORD) {
     net_log_.AddEvent(NetLogEventType::COOKIE_STORE_COOKIE_DELETED,
-                      base::BindRepeating(&NetLogCookieMonsterCookieDeleted, cc,
-                                          mapping.cause, sync_to_store));
+                      [&](NetLogCaptureMode capture_mode) {
+                        return NetLogCookieMonsterCookieDeleted(
+                            cc, mapping.cause, sync_to_store, capture_mode);
+                      });
   }
 
   if ((cc->IsPersistent() || persist_session_cookies_) && store_.get() &&
diff --git a/chromium/net/cookies/cookie_monster.h b/chromium/net/cookies/cookie_monster.h
index 9b7dbbe4f64..913737e7819 100644
--- a/chromium/net/cookies/cookie_monster.h
+++ b/chromium/net/cookies/cookie_monster.h
@@ -126,6 +126,10 @@ class NET_EXPORT CookieMonster : public CookieStore {
   static const size_t kDomainCookiesQuotaMedium;
   static const size_t kDomainCookiesQuotaHigh;
 
+  // The number of days since last access that cookies will not be subject
+  // to global garbage collection.
+  static const int kSafeFromGlobalPurgeDays;
+
   // The store passed in should not have had Init() called on it yet. This
   // class will take care of initializing it. The backing store is NOT owned by
   // this class, but it must remain valid for the duration of the cookie
@@ -202,7 +206,6 @@ class NET_EXPORT CookieMonster : public CookieStore {
  private:
   // For garbage collection constants.
   FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, TestHostGarbageCollection);
-  FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, GarbageCollectionTriggers);
   FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest,
                            GarbageCollectWithSecureCookiesOnly);
   FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, TestGCTimes);
@@ -336,10 +339,6 @@ class NET_EXPORT CookieMonster : public CookieStore {
     COOKIE_DELETE_EQUIVALENT_LAST_ENTRY
   };
 
-  // The number of days since last access that cookies will not be subject
-  // to global garbage collection.
-  static const int kSafeFromGlobalPurgeDays;
-
   // Record statistics every kRecordStatisticsIntervalSeconds of uptime.
   static const int kRecordStatisticsIntervalSeconds = 10 * 60;
 
@@ -624,7 +623,7 @@ class NET_EXPORT CookieMonster : public CookieStore {
 
   base::ThreadChecker thread_checker_;
 
-  base::WeakPtrFactory<CookieMonster> weak_ptr_factory_;
+  base::WeakPtrFactory<CookieMonster> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(CookieMonster);
 };
diff --git a/chromium/net/cookies/cookie_monster_change_dispatcher.cc b/chromium/net/cookies/cookie_monster_change_dispatcher.cc
index 39ccf3b25f4..7d09ea4bae0 100644
--- a/chromium/net/cookies/cookie_monster_change_dispatcher.cc
+++ b/chromium/net/cookies/cookie_monster_change_dispatcher.cc
@@ -35,8 +35,7 @@ CookieMonsterChangeDispatcher::Subscription::Subscription(
       name_key_(std::move(name_key)),
       url_(std::move(url)),
       callback_(std::move(callback)),
-      task_runner_(base::ThreadTaskRunnerHandle::Get()),
-      weak_ptr_factory_(this) {
+      task_runner_(base::ThreadTaskRunnerHandle::Get()) {
   DCHECK(url_.is_valid() || url_.is_empty());
   DCHECK_EQ(url_.is_empty(), domain_key_ == kGlobalDomainKey);
 
@@ -80,8 +79,7 @@ void CookieMonsterChangeDispatcher::Subscription::DoDispatchChange(
   callback_.Run(cookie, change_cause);
 }
 
-CookieMonsterChangeDispatcher::CookieMonsterChangeDispatcher()
-    : weak_ptr_factory_(this) {}
+CookieMonsterChangeDispatcher::CookieMonsterChangeDispatcher() {}
 
 CookieMonsterChangeDispatcher::~CookieMonsterChangeDispatcher() {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
diff --git a/chromium/net/cookies/cookie_monster_change_dispatcher.h b/chromium/net/cookies/cookie_monster_change_dispatcher.h
index caf35e8d91e..b1d7c51fadb 100644
--- a/chromium/net/cookies/cookie_monster_change_dispatcher.h
+++ b/chromium/net/cookies/cookie_monster_change_dispatcher.h
@@ -105,7 +105,7 @@ class CookieMonsterChangeDispatcher : public CookieChangeDispatcher {
 
     // Used to cancel delayed calls to DoDispatchChange() when the subscription
     // gets destroyed.
-    base::WeakPtrFactory<Subscription> weak_ptr_factory_;
+    base::WeakPtrFactory<Subscription> weak_ptr_factory_{this};
 
     DISALLOW_COPY_AND_ASSIGN(Subscription);
   };
@@ -149,7 +149,7 @@ class CookieMonsterChangeDispatcher : public CookieChangeDispatcher {
   THREAD_CHECKER(thread_checker_);
 
   // Vends weak pointers to subscriptions.
-  base::WeakPtrFactory<CookieMonsterChangeDispatcher> weak_ptr_factory_;
+  base::WeakPtrFactory<CookieMonsterChangeDispatcher> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(CookieMonsterChangeDispatcher);
 };
diff --git a/chromium/net/cookies/cookie_monster_netlog_params.cc b/chromium/net/cookies/cookie_monster_netlog_params.cc
index f7a58843d4c..89b38d4170d 100644
--- a/chromium/net/cookies/cookie_monster_netlog_params.cc
+++ b/chromium/net/cookies/cookie_monster_netlog_params.cc
@@ -9,9 +9,7 @@
 
 namespace net {
 
-base::Value NetLogCookieMonsterConstructorCallback(
-    bool persistent_store,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogCookieMonsterConstructorParams(bool persistent_store) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetBoolKey("persistent_store", persistent_store);
   return dict;
@@ -20,7 +18,7 @@ base::Value NetLogCookieMonsterConstructorCallback(
 base::Value NetLogCookieMonsterCookieAdded(const CanonicalCookie* cookie,
                                            bool sync_requested,
                                            NetLogCaptureMode capture_mode) {
-  if (!capture_mode.include_cookies_and_credentials())
+  if (!NetLogCaptureIncludesSensitive(capture_mode))
     return base::Value();
 
   base::Value dict(base::Value::Type::DICTIONARY);
@@ -41,7 +39,7 @@ base::Value NetLogCookieMonsterCookieDeleted(const CanonicalCookie* cookie,
                                              CookieChangeCause cause,
                                              bool sync_requested,
                                              NetLogCaptureMode capture_mode) {
-  if (!capture_mode.include_cookies_and_credentials())
+  if (!NetLogCaptureIncludesSensitive(capture_mode))
     return base::Value();
 
   base::Value dict(base::Value::Type::DICTIONARY);
@@ -59,7 +57,7 @@ base::Value NetLogCookieMonsterCookieRejectedSecure(
     const CanonicalCookie* old_cookie,
     const CanonicalCookie* new_cookie,
     NetLogCaptureMode capture_mode) {
-  if (!capture_mode.include_cookies_and_credentials())
+  if (!NetLogCaptureIncludesSensitive(capture_mode))
     return base::Value();
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetStringKey("name", old_cookie->Name());
@@ -75,7 +73,7 @@ base::Value NetLogCookieMonsterCookieRejectedHttponly(
     const CanonicalCookie* old_cookie,
     const CanonicalCookie* new_cookie,
     NetLogCaptureMode capture_mode) {
-  if (!capture_mode.include_cookies_and_credentials())
+  if (!NetLogCaptureIncludesSensitive(capture_mode))
     return base::Value();
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetStringKey("name", old_cookie->Name());
@@ -91,7 +89,7 @@ base::Value NetLogCookieMonsterCookiePreservedSkippedSecure(
     const CanonicalCookie* preserved,
     const CanonicalCookie* new_cookie,
     NetLogCaptureMode capture_mode) {
-  if (!capture_mode.include_cookies_and_credentials())
+  if (!NetLogCaptureIncludesSensitive(capture_mode))
     return base::Value();
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetStringKey("name", preserved->Name());
diff --git a/chromium/net/cookies/cookie_monster_netlog_params.h b/chromium/net/cookies/cookie_monster_netlog_params.h
index a00e65b2604..28135a94d2d 100644
--- a/chromium/net/cookies/cookie_monster_netlog_params.h
+++ b/chromium/net/cookies/cookie_monster_netlog_params.h
@@ -18,9 +18,7 @@ namespace net {
 
 // Returns a Value containing NetLog parameters for constructing
 // a CookieMonster.
-base::Value NetLogCookieMonsterConstructorCallback(
-    bool persistent_store,
-    NetLogCaptureMode capture_mode);
+base::Value NetLogCookieMonsterConstructorParams(bool persistent_store);
 
 // Returns a Value containing NetLog parameters for adding a cookie.
 base::Value NetLogCookieMonsterCookieAdded(const CanonicalCookie* cookie,
diff --git a/chromium/net/cookies/cookie_monster_unittest.cc b/chromium/net/cookies/cookie_monster_unittest.cc
index 88505a38514..6846e014e4f 100644
--- a/chromium/net/cookies/cookie_monster_unittest.cc
+++ b/chromium/net/cookies/cookie_monster_unittest.cc
@@ -806,8 +806,16 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
   // no store (and hence no ability to affect access time).
   CookieMonster* CreateMonsterForGC(int num_cookies) {
     CookieMonster* cm(new CookieMonster(nullptr, &net_log_));
+    base::Time creation_time = base::Time::Now();
     for (int i = 0; i < num_cookies; i++) {
-      SetCookie(cm, GURL(base::StringPrintf("http://h%05d.izzle", i)), "a=1");
+      std::unique_ptr<CanonicalCookie> cc(std::make_unique<CanonicalCookie>(
+          "a", "1", base::StringPrintf("h%05d.izzle", i), "/" /* path */,
+          creation_time, base::Time() /* expiration_time */,
+          creation_time /* last_access */, false /* secure */,
+          false /* http_only */, CookieSameSite::NO_RESTRICTION,
+          COOKIE_PRIORITY_DEFAULT));
+      cm->SetCanonicalCookieAsync(std::move(cc), "http", CookieOptions(),
+                                  CookieStore::SetCookiesCallback());
     }
     return cm;
   }
@@ -2084,75 +2092,78 @@ TEST_F(CookieMonsterTest, CookieListOrdering) {
   }
 }
 
-// This test and CookieMonstertest.TestGCTimes (in cookie_monster_perftest.cc)
-// are somewhat complementary twins.  This test is probing for whether
-// garbage collection always happens when it should (i.e. that we actually
-// get rid of cookies when we should).  The perftest is probing for
+// These garbage collection tests and CookieMonstertest.TestGCTimes (in
+// cookie_monster_perftest.cc) are somewhat complementary.  These tests probe
+// for whether garbage collection always happens when it should (i.e. that we
+// actually get rid of cookies when we should).  The perftest is probing for
 // whether garbage collection happens when it shouldn't.  See comments
 // before that test for more details.
 
-// Disabled on Windows, see crbug.com/126095
-#if defined(OS_WIN)
-#define MAYBE_GarbageCollectionTriggers DISABLED_GarbageCollectionTriggers
-#else
-#define MAYBE_GarbageCollectionTriggers GarbageCollectionTriggers
-#endif
+// Check to make sure that a whole lot of recent cookies doesn't get rid of
+// anything after garbage collection is checked for.
+TEST_F(CookieMonsterTest, GarbageCollectionKeepsRecentEphemeralCookies) {
+  std::unique_ptr<CookieMonster> cm(
+      CreateMonsterForGC(CookieMonster::kMaxCookies * 2 /* num_cookies */));
+  EXPECT_EQ(CookieMonster::kMaxCookies * 2, GetAllCookies(cm.get()).size());
+  // Will trigger GC.
+  SetCookie(cm.get(), GURL("http://newdomain.com"), "b=2");
+  EXPECT_EQ(CookieMonster::kMaxCookies * 2 + 1, GetAllCookies(cm.get()).size());
+}
 
-TEST_F(CookieMonsterTest, MAYBE_GarbageCollectionTriggers) {
-  // First we check to make sure that a whole lot of recent cookies
-  // doesn't get rid of anything after garbage collection is checked for.
-  {
-    std::unique_ptr<CookieMonster> cm(
-        CreateMonsterForGC(CookieMonster::kMaxCookies * 2));
-    EXPECT_EQ(CookieMonster::kMaxCookies * 2, GetAllCookies(cm.get()).size());
-    SetCookie(cm.get(), GURL("http://newdomain.com"), "b=2");
-    EXPECT_EQ(CookieMonster::kMaxCookies * 2 + 1,
-              GetAllCookies(cm.get()).size());
-  }
+// A whole lot of recent cookies; GC shouldn't happen.
+TEST_F(CookieMonsterTest, GarbageCollectionKeepsRecentCookies) {
+  std::unique_ptr<CookieMonster> cm = CreateMonsterFromStoreForGC(
+      CookieMonster::kMaxCookies * 2 /* num_cookies */, 0 /* num_old_cookies */,
+      0, 0, CookieMonster::kSafeFromGlobalPurgeDays * 2);
+  EXPECT_EQ(CookieMonster::kMaxCookies * 2, GetAllCookies(cm.get()).size());
+  // Will trigger GC.
+  SetCookie(cm.get(), GURL("http://newdomain.com"), "b=2");
+  EXPECT_EQ(CookieMonster::kMaxCookies * 2 + 1, GetAllCookies(cm.get()).size());
+}
 
-  // Now we explore a series of relationships between cookie last access
-  // time and size of store to make sure we only get rid of cookies when
-  // we really should.
-  const struct TestCase {
-    size_t num_cookies;
-    size_t num_old_cookies;
-    size_t expected_initial_cookies;
-    // Indexed by ExpiryAndKeyScheme
-    size_t expected_cookies_after_set;
-  } test_cases[] = {
-      {// A whole lot of recent cookies; gc shouldn't happen.
-       CookieMonster::kMaxCookies * 2,
-       0,
-       CookieMonster::kMaxCookies * 2,
-       CookieMonster::kMaxCookies * 2 + 1},
-      {// Some old cookies, but still overflowing max.
-       CookieMonster::kMaxCookies * 2,
-       CookieMonster::kMaxCookies / 2,
-       CookieMonster::kMaxCookies * 2,
-       CookieMonster::kMaxCookies * 2 - CookieMonster::kMaxCookies / 2 + 1},
-      {// Old cookies enough to bring us right down to our purge line.
-       CookieMonster::kMaxCookies * 2,
-       CookieMonster::kMaxCookies + CookieMonster::kPurgeCookies + 1,
-       CookieMonster::kMaxCookies * 2,
-       CookieMonster::kMaxCookies - CookieMonster::kPurgeCookies},
-      {// Old cookies enough to bring below our purge line (which we
-       // shouldn't do).
-       CookieMonster::kMaxCookies * 2,
-       CookieMonster::kMaxCookies * 3 / 2,
-       CookieMonster::kMaxCookies * 2,
-       CookieMonster::kMaxCookies - CookieMonster::kPurgeCookies}};
-
-  for (const auto& test_case : test_cases) {
-    std::unique_ptr<CookieMonster> cm = CreateMonsterFromStoreForGC(
-        test_case.num_cookies, test_case.num_old_cookies, 0, 0,
-        CookieMonster::kSafeFromGlobalPurgeDays * 2);
-    EXPECT_EQ(test_case.expected_initial_cookies,
-              GetAllCookies(cm.get()).size());
-    // Will trigger GC
-    SetCookie(cm.get(), GURL("http://newdomain.com"), "b=2");
-    EXPECT_EQ(test_case.expected_cookies_after_set,
-              GetAllCookies(cm.get()).size());
-  }
+// Test case where there are more than kMaxCookies - kPurgeCookies recent
+// cookies. All old cookies should be garbage collected, all recent cookies
+// kept.
+TEST_F(CookieMonsterTest, GarbageCollectionKeepsOnlyRecentCookies) {
+  std::unique_ptr<CookieMonster> cm = CreateMonsterFromStoreForGC(
+      CookieMonster::kMaxCookies * 2 /* num_cookies */,
+      CookieMonster::kMaxCookies / 2 /* num_old_cookies */, 0, 0,
+      CookieMonster::kSafeFromGlobalPurgeDays * 2);
+  EXPECT_EQ(CookieMonster::kMaxCookies * 2, GetAllCookies(cm.get()).size());
+  // Will trigger GC.
+  SetCookie(cm.get(), GURL("http://newdomain.com"), "b=2");
+  EXPECT_EQ(CookieMonster::kMaxCookies * 2 - CookieMonster::kMaxCookies / 2 + 1,
+            GetAllCookies(cm.get()).size());
+}
+
+// Test case where there are exactly kMaxCookies - kPurgeCookies recent cookies.
+// All old cookies should be deleted.
+TEST_F(CookieMonsterTest, GarbageCollectionExactlyAllOldCookiesDeleted) {
+  std::unique_ptr<CookieMonster> cm = CreateMonsterFromStoreForGC(
+      CookieMonster::kMaxCookies * 2 /* num_cookies */,
+      CookieMonster::kMaxCookies + CookieMonster::kPurgeCookies +
+          1 /* num_old_cookies */,
+      0, 0, CookieMonster::kSafeFromGlobalPurgeDays * 2);
+  EXPECT_EQ(CookieMonster::kMaxCookies * 2, GetAllCookies(cm.get()).size());
+  // Will trigger GC.
+  SetCookie(cm.get(), GURL("http://newdomain.com"), "b=2");
+  EXPECT_EQ(CookieMonster::kMaxCookies - CookieMonster::kPurgeCookies,
+            GetAllCookies(cm.get()).size());
+}
+
+// Test case where there are less than kMaxCookies - kPurgeCookies recent
+// cookies. Enough old cookies should be deleted to reach kMaxCookies -
+// kPurgeCookies total cookies, but no more. Some old cookies should be kept.
+TEST_F(CookieMonsterTest, GarbageCollectionTriggers5) {
+  std::unique_ptr<CookieMonster> cm = CreateMonsterFromStoreForGC(
+      CookieMonster::kMaxCookies * 2 /* num_cookies */,
+      CookieMonster::kMaxCookies * 3 / 2 /* num_old_cookies */, 0, 0,
+      CookieMonster::kSafeFromGlobalPurgeDays * 2);
+  EXPECT_EQ(CookieMonster::kMaxCookies * 2, GetAllCookies(cm.get()).size());
+  // Will trigger GC.
+  SetCookie(cm.get(), GURL("http://newdomain.com"), "b=2");
+  EXPECT_EQ(CookieMonster::kMaxCookies - CookieMonster::kPurgeCookies,
+            GetAllCookies(cm.get()).size());
 }
 
 // Tests garbage collection when there are only secure cookies.
@@ -2452,8 +2463,7 @@ TEST_F(CookieMonsterTest, SetAllCookies) {
   EXPECT_EQ("Z", it->Value());
 
   cm = nullptr;
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::COOKIE_STORE_ALIVE, NetLogEventPhase::BEGIN);
   pos = ExpectLogContainsSomewhere(
@@ -2480,8 +2490,7 @@ TEST_F(CookieMonsterTest, DeleteAll) {
   EXPECT_EQ(1, store->flush_count());
 
   cm = nullptr;
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::COOKIE_STORE_ALIVE, NetLogEventPhase::BEGIN);
   pos = ExpectLogContainsSomewhere(
@@ -2760,8 +2769,7 @@ TEST_F(CookieMonsterTest, CookieDeleteEquivalentHistogramTest) {
       cookie_source_histogram,
       CookieMonster::COOKIE_DELETE_EQUIVALENT_WOULD_HAVE_DELETED, 1);
 
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_SECURE,
       NetLogEventPhase::NONE);
@@ -2956,8 +2964,7 @@ TEST_F(CookieMonsterTest, SetSecureCookies) {
   EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_HTTP_ONLY,
             SetCookieReturnStatus(cm.get(), https_url, "C=E; Secure"));
 
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_HTTPONLY,
       NetLogEventPhase::NONE);
diff --git a/chromium/net/cookies/cookie_util.cc b/chromium/net/cookies/cookie_util.cc
index a9b98aba99a..874cb613a1d 100644
--- a/chromium/net/cookies/cookie_util.cc
+++ b/chromium/net/cookies/cookie_util.cc
@@ -467,6 +467,17 @@ CookieOptions::SameSiteCookieContext ComputeSameSiteContextForScriptSet(
     return CookieOptions::SameSiteCookieContext::CROSS_SITE;
 }
 
+NET_EXPORT CookieOptions::SameSiteCookieContext
+ComputeSameSiteContextForSubresource(const GURL& url,
+                                     const GURL& site_for_cookies) {
+  // If the URL is same-site as site_for_cookies it's same-site as all frames
+  // in the tree from the initiator frame up --- including the initiator frame.
+  if (MatchesSiteForCookies(url, site_for_cookies))
+    return CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT;
+  else
+    return CookieOptions::SameSiteCookieContext::CROSS_SITE;
+}
+
 CanonicalCookie::CookieInclusionStatus CookieWouldBeExcludedDueToSameSite(
     const CanonicalCookie& cookie,
     const CookieOptions& options) {
diff --git a/chromium/net/cookies/cookie_util.h b/chromium/net/cookies/cookie_util.h
index 89a9c2584d5..8154c19de26 100644
--- a/chromium/net/cookies/cookie_util.h
+++ b/chromium/net/cookies/cookie_util.h
@@ -37,6 +37,8 @@ NET_EXPORT std::string GetEffectiveDomain(const std::string& scheme,
 // On success returns true, and sets cookie_domain to either a
 //   -host cookie domain (ex: "google.com")
 //   -domain cookie domain (ex: ".google.com")
+// On success, DomainIsHostOnly(url.host()) is DCHECKed. The URL's host must not
+// begin with a '.' character.
 NET_EXPORT bool GetCookieDomainWithString(const GURL& url,
                                           const std::string& domain_string,
                                           std::string* result);
@@ -135,6 +137,13 @@ NET_EXPORT CookieOptions::SameSiteCookieContext
 ComputeSameSiteContextForScriptSet(const GURL& url,
                                    const GURL& site_for_cookies);
 
+// Determines which of the cookies for |url| can be accessed when fetching a
+// subresources. This is either CROSS_SITE or SAME_SITE_STRICT,
+// since the initiator for a subresource is the frame loading it.
+NET_EXPORT CookieOptions::SameSiteCookieContext
+ComputeSameSiteContextForSubresource(const GURL& url,
+                                     const GURL& site_for_cookies);
+
 // Checks whether a cookie would be excluded due to SameSite restrictions,
 // assuming SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure
 // were turned on. This should be called on a cookie that is in fact included,
diff --git a/chromium/net/cookies/cookie_util_unittest.cc b/chromium/net/cookies/cookie_util_unittest.cc
index 664f009f78a..2c8a4f3a65b 100644
--- a/chromium/net/cookies/cookie_util_unittest.cc
+++ b/chromium/net/cookies/cookie_util_unittest.cc
@@ -379,6 +379,33 @@ TEST(CookieUtilTest, ComputeSameSiteContextForSet) {
           GURL("http://example.com/dir"), GURL("https://sub.example.com")));
 }
 
+TEST(CookieUtilTest, TestComputeSameSiteContextForSubresource) {
+  // |site_for_cookies| not matching the URL -> it's cross-site.
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
+            cookie_util::ComputeSameSiteContextForSubresource(
+                GURL("http://example.com"), GURL("http://notexample.com")));
+
+  // This isn't a full on origin check --- subdomains and different schema are
+  // accepted.
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+            cookie_util::ComputeSameSiteContextForSubresource(
+                GURL("https://example.com"), GURL("http://example.com")));
+
+  EXPECT_EQ(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+      cookie_util::ComputeSameSiteContextForSubresource(
+          GURL("http://sub.example.com"), GURL("http://sub2.example.com")));
+
+  EXPECT_EQ(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+      cookie_util::ComputeSameSiteContextForSubresource(
+          GURL("http://sub.example.com"), GURL("http://sub.example.com:8080")));
+
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+            cookie_util::ComputeSameSiteContextForSubresource(
+                GURL("http://example.com"), GURL("http://example.com")));
+}
+
 TEST(CookieUtilTest, IgnoreCookieStatusList) {
   CookieList cookie_list_out;
   base::OnceCallback<void(const CookieList&)> callback =
diff --git a/chromium/net/cookies/parse_cookie_line_fuzzer.cc b/chromium/net/cookies/parse_cookie_line_fuzzer.cc
index 997839841ba..a8aaf007e6b 100644
--- a/chromium/net/cookies/parse_cookie_line_fuzzer.cc
+++ b/chromium/net/cookies/parse_cookie_line_fuzzer.cc
@@ -5,11 +5,82 @@
 #include <stddef.h>
 #include <stdint.h>
 
+#include "base/logging.h"
 #include "net/cookies/parsed_cookie.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
+
+const std::string GetArbitraryString(FuzzedDataProvider* data_provider) {
+  // Adding a fudge factor to kMaxCookieSize so that both branches of the bounds
+  // detection code will be tested.
+  return data_provider->ConsumeRandomLengthString(
+      net::ParsedCookie::kMaxCookieSize + 10);
+}
 
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  std::string input(data, data + size);
-  net::ParsedCookie parsed_cookie(input);
+  FuzzedDataProvider data_provider(data, size);
+  const std::string cookie_line = GetArbitraryString(&data_provider);
+  net::ParsedCookie parsed_cookie(cookie_line);
+
+  // Call zero or one of ParsedCookie's mutator methods.  Should not call
+  // anything other than SetName/SetValue when !IsValid().
+  const uint8_t action = data_provider.ConsumeIntegralInRange(0, 10);
+  switch (action) {
+    case 1:
+      parsed_cookie.SetName(GetArbitraryString(&data_provider));
+      break;
+    case 2:
+      parsed_cookie.SetValue(GetArbitraryString(&data_provider));
+      break;
+  }
+
+  if (parsed_cookie.IsValid()) {
+    switch (action) {
+      case 3:
+        if (parsed_cookie.IsValid())
+          parsed_cookie.SetPath(GetArbitraryString(&data_provider));
+        break;
+      case 4:
+        parsed_cookie.SetDomain(GetArbitraryString(&data_provider));
+        break;
+      case 5:
+        parsed_cookie.SetExpires(GetArbitraryString(&data_provider));
+        break;
+      case 6:
+        parsed_cookie.SetMaxAge(GetArbitraryString(&data_provider));
+        break;
+      case 7:
+        parsed_cookie.SetIsSecure(data_provider.ConsumeBool());
+        break;
+      case 8:
+        parsed_cookie.SetIsHttpOnly(data_provider.ConsumeBool());
+        break;
+      case 9:
+        parsed_cookie.SetSameSite(GetArbitraryString(&data_provider));
+        break;
+      case 10:
+        parsed_cookie.SetPriority(GetArbitraryString(&data_provider));
+        break;
+    }
+  }
+
+  // Check that serialize/deserialize inverse property holds for valid cookies.
+  if (parsed_cookie.IsValid()) {
+    const std::string serialized = parsed_cookie.ToCookieLine();
+    net::ParsedCookie reparsed_cookie(serialized);
+    const std::string reserialized = reparsed_cookie.ToCookieLine();
+
+    // RFC6265 requires semicolons to be followed by spaces. Because our parser
+    // permits this rule to be broken, but follows the rule in ToCookieLine(),
+    // it's possible to serialize a string that's longer than the original
+    // input. If the serialized string exceeds kMaxCookieSize, the parser will
+    // reject it. For this fuzzer, we are considering this situation a false
+    // positive.
+    if (serialized.size() <= net::ParsedCookie::kMaxCookieSize) {
+      CHECK(reparsed_cookie.IsValid());
+      CHECK_EQ(serialized, reserialized);
+    }
+  }
+
   return 0;
 }
diff --git a/chromium/net/cookies/parsed_cookie.cc b/chromium/net/cookies/parsed_cookie.cc
index 520f33e453f..b3053327942 100644
--- a/chromium/net/cookies/parsed_cookie.cc
+++ b/chromium/net/cookies/parsed_cookie.cc
@@ -221,7 +221,11 @@ std::string ParsedCookie::ToCookieLine() const {
     if (!out.empty())
       out.append("; ");
     out.append(it->first);
-    if (it->first != kSecureTokenName && it->first != kHttpOnlyTokenName) {
+    // Determine whether to emit the pair's value component. We should always
+    // print it for the first pair(see crbug.com/977619). After the first pair,
+    // we need to consider whether the name component is a special token.
+    if (it == pairs_.begin() ||
+        (it->first != kSecureTokenName && it->first != kHttpOnlyTokenName)) {
       out.append("=");
       out.append(it->second);
     }
@@ -448,12 +452,28 @@ void ParsedCookie::SetupAttributes() {
 
 bool ParsedCookie::SetString(size_t* index,
                              const std::string& key,
-                             const std::string& value) {
-  if (value.empty()) {
+                             const std::string& untrusted_value) {
+  // This function should do equivalent input validation to the
+  // constructor. Otherwise, the Set* functions can put this ParsedCookie in a
+  // state where parsing the output of ToCookieLine() produces a different
+  // ParsedCookie.
+  //
+  // Without input validation, invoking pc.SetPath(" baz ") would result in
+  // pc.ToCookieLine() == "path= baz ". Parsing the "path= baz " string would
+  // produce a cookie with "path" attribute equal to "baz" (no spaces). We
+  // should not produce cookie lines that parse to different key/value pairs!
+
+  // Inputs containing invalid characters should be ignored.
+  if (!IsValidCookieAttributeValue(untrusted_value))
+    return false;
+
+  // Use the same whitespace trimming code as the constructor.
+  const std::string parsed_value = ParseValueString(untrusted_value);
+  if (parsed_value.empty()) {
     ClearAttributePair(*index);
     return true;
   } else {
-    return SetAttributePair(index, key, value);
+    return SetAttributePair(index, key, parsed_value);
   }
 }
 
@@ -469,7 +489,7 @@ bool ParsedCookie::SetBool(size_t* index, const std::string& key, bool value) {
 bool ParsedCookie::SetAttributePair(size_t* index,
                                     const std::string& key,
                                     const std::string& value) {
-  if (!(HttpUtil::IsToken(key) && IsValidCookieAttributeValue(value)))
+  if (!HttpUtil::IsToken(key))
     return false;
   if (!IsValid())
     return false;
diff --git a/chromium/net/cookies/parsed_cookie_unittest.cc b/chromium/net/cookies/parsed_cookie_unittest.cc
index 535ae075e90..eb038f688ad 100644
--- a/chromium/net/cookies/parsed_cookie_unittest.cc
+++ b/chromium/net/cookies/parsed_cookie_unittest.cc
@@ -505,6 +505,87 @@ TEST(ParsedCookieTest, SetSameSite) {
   EXPECT_TRUE(pc.IsValid());
 }
 
+TEST(ParsedCookieTest, SettersInputValidation) {
+  ParsedCookie pc("name=foobar");
+  EXPECT_TRUE(pc.SetPath("baz"));
+  EXPECT_EQ(pc.ToCookieLine(), "name=foobar; path=baz");
+
+  EXPECT_TRUE(pc.SetPath("  baz "));
+  EXPECT_EQ(pc.ToCookieLine(), "name=foobar; path=baz");
+
+  EXPECT_TRUE(pc.SetPath("     "));
+  EXPECT_EQ(pc.ToCookieLine(), "name=foobar");
+
+  EXPECT_TRUE(pc.SetDomain("  baz "));
+  EXPECT_EQ(pc.ToCookieLine(), "name=foobar; domain=baz");
+
+  // Invalid characters
+  EXPECT_FALSE(pc.SetPath("  baz\n "));
+  EXPECT_FALSE(pc.SetPath("f;oo"));
+  EXPECT_FALSE(pc.SetPath("\r"));
+  EXPECT_FALSE(pc.SetPath("\a"));
+  EXPECT_FALSE(pc.SetPath("\t"));
+  EXPECT_FALSE(pc.SetSameSite("\r"));
+}
+
+TEST(ParsedCookieTest, ToCookieLineSpecialTokens) {
+  // Special tokens "secure" and "httponly" should be treated as any other name
+  // when they are in the first position.
+  {
+    ParsedCookie pc("");
+    pc.SetName("secure");
+    EXPECT_EQ(pc.ToCookieLine(), "secure=");
+  }
+  {
+    ParsedCookie pc("secure");
+    EXPECT_EQ(pc.ToCookieLine(), "=secure");
+  }
+  {
+    ParsedCookie pc("secure=foo");
+    EXPECT_EQ(pc.ToCookieLine(), "secure=foo");
+  }
+  {
+    ParsedCookie pc("foo=secure");
+    EXPECT_EQ(pc.ToCookieLine(), "foo=secure");
+  }
+  {
+    ParsedCookie pc("httponly=foo");
+    EXPECT_EQ(pc.ToCookieLine(), "httponly=foo");
+  }
+  {
+    ParsedCookie pc("foo");
+    pc.SetName("secure");
+    EXPECT_EQ(pc.ToCookieLine(), "secure=foo");
+  }
+  {
+    ParsedCookie pc("bar");
+    pc.SetName("httponly");
+    EXPECT_EQ(pc.ToCookieLine(), "httponly=bar");
+  }
+  {
+    ParsedCookie pc("foo=bar; baz=bob");
+    EXPECT_EQ(pc.ToCookieLine(), "foo=bar; baz=bob");
+  }
+  // Outside of the first position, the value associated with a special name
+  // should not be printed.
+  {
+    ParsedCookie pc("name=foo; secure");
+    EXPECT_EQ(pc.ToCookieLine(), "name=foo; secure");
+  }
+  {
+    ParsedCookie pc("name=foo; secure=bar");
+    EXPECT_EQ(pc.ToCookieLine(), "name=foo; secure");
+  }
+  {
+    ParsedCookie pc("name=foo; httponly=baz");
+    EXPECT_EQ(pc.ToCookieLine(), "name=foo; httponly");
+  }
+  {
+    ParsedCookie pc("name=foo; bar=secure");
+    EXPECT_EQ(pc.ToCookieLine(), "name=foo; bar=secure");
+  }
+}
+
 TEST(ParsedCookieTest, SameSiteValues) {
   struct TestCase {
     const char* cookie;
diff --git a/chromium/net/data/ssl/blacklist/3ae699d94e8febdacb86d4f90d40903333478e65e0655c432451197e33fa07f2.pem b/chromium/net/data/ssl/blacklist/3ae699d94e8febdacb86d4f90d40903333478e65e0655c432451197e33fa07f2.pem
new file mode 100644
index 00000000000..ddd2df8a7eb
--- /dev/null
+++ b/chromium/net/data/ssl/blacklist/3ae699d94e8febdacb86d4f90d40903333478e65e0655c432451197e33fa07f2.pem
@@ -0,0 +1,151 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            14:ed:7e:90:75:b6:ae:86:8e:1a:3b:02:4f:8a:94:af:c8:f5:db:ba
+        Signature Algorithm: sha384WithRSAEncryption
+        Issuer: C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
+        Validity
+            Not Before: Apr 19 18:20:31 2017 GMT
+            Not After : Apr 19 18:20:31 2025 GMT
+        Subject: C = AE, O = DarkMatter LLC, CN = DarkMatter High Assurance CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:84:e0:4e:84:58:b4:e5:9a:f5:a9:2f:d3:34:10:
+                    72:47:7e:d8:6c:7a:ef:74:3d:04:6d:c8:25:fc:7e:
+                    21:c4:9d:77:17:f0:3d:68:5c:93:3d:f9:8c:15:cd:
+                    44:22:fb:ca:44:9e:35:37:6d:a4:ed:92:c0:0b:48:
+                    50:0e:48:c0:6c:90:50:eb:d3:54:6b:21:97:1f:04:
+                    44:c8:fb:f8:fc:71:1c:e4:58:90:74:0c:48:c6:33:
+                    94:78:9e:61:3b:f7:25:9e:2a:a3:96:1f:93:6b:60:
+                    04:c9:aa:13:70:95:fa:76:2a:00:fd:9c:d3:75:ac:
+                    01:1a:b4:5e:43:f2:10:ec:70:b7:a1:03:fa:3c:b9:
+                    5a:45:64:e4:a4:3d:25:2d:96:85:2d:49:ce:74:39:
+                    39:3b:28:0a:12:a0:16:6d:92:dd:85:da:e5:1d:ec:
+                    3e:69:fc:8a:2a:83:3a:ad:60:b8:08:d1:6b:69:c8:
+                    c0:85:4c:a0:6e:6d:83:a5:36:df:fd:ff:86:7b:e3:
+                    7b:63:da:55:a7:45:96:05:0a:93:39:41:03:53:37:
+                    52:83:36:92:e2:d4:f0:7e:b9:4c:5e:b3:db:0e:4d:
+                    2c:66:f9:98:b6:6d:d9:5e:a1:bd:f8:de:b2:9f:f9:
+                    95:94:a8:35:29:30:bd:63:c7:b4:2f:18:d7:02:ee:
+                    09:03:c7:e8:85:68:03:57:ae:2a:fc:04:7c:2c:e5:
+                    35:98:a5:78:fe:a0:94:da:6c:0e:a0:93:e6:f1:5e:
+                    5e:25:8d:eb:9c:db:bf:96:4b:bf:ae:19:02:7c:7f:
+                    d2:27:8d:ba:a0:f7:7b:c8:98:d6:39:23:bb:8f:7e:
+                    33:2c:7e:62:60:55:7f:89:54:a1:9b:3e:00:a0:6e:
+                    fc:36:c1:bd:e0:5f:f3:77:3f:22:6e:32:d3:f2:38:
+                    ee:f5:fb:13:de:5e:91:b4:d1:66:cf:5c:71:7d:28:
+                    94:ee:2a:59:89:fb:54:75:6b:08:7c:8c:c1:b2:db:
+                    dc:53:17:0a:ed:1f:07:26:fe:24:0d:1e:45:49:24:
+                    58:13:ee:df:02:6c:5d:e4:bc:32:b5:65:20:4a:4b:
+                    84:53:86:ba:ed:76:94:a9:87:13:cb:ce:cd:b5:83:
+                    3e:9b:ac:2a:53:6b:c0:6a:34:cb:13:4e:8b:cb:8c:
+                    d3:11:86:d4:bd:7d:58:54:aa:05:a9:95:b0:8c:0e:
+                    70:f2:45:bb:39:ee:cf:26:74:f8:4c:0d:70:9f:92:
+                    63:e7:10:6b:05:41:8f:3a:3a:7d:73:ea:18:1a:06:
+                    fc:92:b6:c3:f1:e7:6d:a9:d4:d9:90:a4:e9:ed:e7:
+                    8d:9d:d4:25:f2:4e:30:b1:91:63:19:2c:a8:52:9c:
+                    09:3e:9b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Certificate Policies: 
+                Policy: 1.3.6.1.4.1.8024.0.2.100.1.2
+                  CPS: https://ca.darkmatter.ae/iCPS
+                Policy: 2.23.140.1.1
+                Policy: 2.16.784.1.1.7.35.2.2.1.1
+
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.quovadisglobal.com
+                CA Issuers - URI:http://cacerts.darkmatter.ae/qvrca2g3.crt
+
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication, OCSP Signing
+            X509v3 Authority Key Identifier: 
+                keyid:ED:E7:6F:76:5A:BF:60:EC:49:5B:C6:A5:77:BB:72:16:71:9B:C4:3D
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://crl1.darkmatter.ae/qvrca2g3.crl
+
+                Full Name:
+                  URI:http://crl2.darkmatter.ae/qvrca2g3.crl
+
+            X509v3 Subject Key Identifier: 
+                5D:F1:FB:6A:67:81:E6:84:5B:57:37:5C:0F:99:B5:DC:9D:44:3B:55
+    Signature Algorithm: sha384WithRSAEncryption
+         7a:e5:0b:18:d1:70:38:9b:26:5e:a0:ad:4b:ce:9d:d0:7e:83:
+         30:e4:0f:af:88:01:51:cd:ed:bc:b8:f6:e0:5c:5b:6c:81:19:
+         76:86:1e:9b:fe:04:d4:85:47:07:6b:7e:5b:af:b0:88:b6:aa:
+         9a:11:d6:f1:c2:f6:fb:0e:70:3e:fa:79:b3:ab:d2:c8:23:a9:
+         5d:24:0b:22:27:25:a2:05:a0:7e:b3:0e:9b:40:dd:84:85:6d:
+         0f:f1:6e:7e:a9:25:aa:04:16:3f:04:77:0c:f3:2c:e2:c3:f4:
+         d0:72:71:69:83:f0:42:70:86:35:51:02:50:42:ea:f8:bc:c2:
+         3b:fd:ea:52:57:6a:bd:bf:0c:16:7b:1b:c1:3d:91:c1:cf:b9:
+         b5:b1:18:13:4a:9f:88:b3:37:79:49:cf:91:95:c4:5f:3d:db:
+         82:a0:83:d9:75:0b:da:d9:7d:76:bc:5b:c7:f1:7a:bd:9f:b5:
+         f6:0a:fd:fd:8a:e6:1c:7e:d4:9b:c9:95:50:30:73:f3:50:dd:
+         b2:2e:e4:57:c1:02:4f:8f:e4:fd:13:0a:ab:8c:e4:ca:5d:e6:
+         8b:ca:63:21:f4:d0:44:19:46:c4:05:db:44:37:ee:e3:d2:06:
+         24:18:07:5d:7c:ee:79:c4:7f:9f:ba:de:52:92:82:76:00:e8:
+         03:e2:c0:69:4f:42:1b:ca:d2:52:09:54:8e:88:c3:4a:17:66:
+         65:fd:78:14:bc:ec:5c:42:88:16:89:d4:ca:05:eb:2d:a1:2c:
+         52:ca:a8:86:49:ae:e0:24:1d:2f:ce:03:75:e2:54:bc:78:b6:
+         c2:4b:41:1a:47:e6:3e:5f:b3:40:7a:e8:67:5f:a1:67:8d:07:
+         09:53:87:35:74:f2:33:a3:0b:f8:d1:e7:6f:57:b6:da:45:2a:
+         94:46:80:89:45:32:1f:11:26:2a:19:be:1f:45:ec:e2:c2:df:
+         a4:5c:df:fb:9f:e9:75:18:52:dc:b9:e1:5c:b7:14:5a:62:31:
+         bd:6b:37:6d:3b:06:36:1f:76:ab:ec:8f:32:25:f5:cf:2b:e2:
+         12:f1:3b:3e:f5:13:16:e8:a6:cb:a7:f9:94:96:5e:88:51:fb:
+         e9:4b:24:8f:8c:41:dd:b6:15:ee:44:cf:8f:b6:4e:a7:9e:77:
+         ab:27:cb:14:86:61:eb:54:ab:c5:f4:16:42:47:1a:e4:9f:fb:
+         35:2c:7f:38:82:c2:17:11:ed:7c:83:49:1c:ba:46:3d:28:8d:
+         67:0d:79:59:fb:43:7f:4b:de:2f:f4:ea:d2:b7:49:32:fe:4b:
+         73:86:de:57:5b:7a:fa:86:9e:01:01:c7:47:16:6f:d3:22:fa:
+         2c:c3:51:22:e9:fa:1b:0d
+-----BEGIN CERTIFICATE-----
+MIIG8DCCBNigAwIBAgIUFO1+kHW2roaOGjsCT4qUr8j127owDQYJKoZIhvcNAQEM
+BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
+BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzAeFw0xNzA0MTkxODIwMzFaFw0y
+NTA0MTkxODIwMzFaME0xCzAJBgNVBAYTAkFFMRcwFQYDVQQKDA5EYXJrTWF0dGVy
+IExMQzElMCMGA1UEAwwcRGFya01hdHRlciBIaWdoIEFzc3VyYW5jZSBDQTCCAiIw
+DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAITgToRYtOWa9akv0zQQckd+2Gx6
+73Q9BG3IJfx+IcSddxfwPWhckz35jBXNRCL7ykSeNTdtpO2SwAtIUA5IwGyQUOvT
+VGshlx8ERMj7+PxxHORYkHQMSMYzlHieYTv3JZ4qo5Yfk2tgBMmqE3CV+nYqAP2c
+03WsARq0XkPyEOxwt6ED+jy5WkVk5KQ9JS2WhS1JznQ5OTsoChKgFm2S3YXa5R3s
+Pmn8iiqDOq1guAjRa2nIwIVMoG5tg6U23/3/hnvje2PaVadFlgUKkzlBA1M3UoM2
+kuLU8H65TF6z2w5NLGb5mLZt2V6hvfjesp/5lZSoNSkwvWPHtC8Y1wLuCQPH6IVo
+A1euKvwEfCzlNZileP6glNpsDqCT5vFeXiWN65zbv5ZLv64ZAnx/0ieNuqD3e8iY
+1jkju49+Myx+YmBVf4lUoZs+AKBu/DbBveBf83c/Im4y0/I47vX7E95ekbTRZs9c
+cX0olO4qWYn7VHVrCHyMwbLb3FMXCu0fByb+JA0eRUkkWBPu3wJsXeS8MrVlIEpL
+hFOGuu12lKmHE8vOzbWDPpusKlNrwGo0yxNOi8uM0xGG1L19WFSqBamVsIwOcPJF
+uznuzyZ0+EwNcJ+SY+cQawVBjzo6fXPqGBoG/JK2w/HnbanU2ZCk6e3njZ3UJfJO
+MLGRYxksqFKcCT6bAgMBAAGjggHLMIIBxzASBgNVHRMBAf8ECDAGAQH/AgEAMF4G
+A1UdIARXMFUwOwYMKwYBBAG+WAACZAECMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8v
+Y2EuZGFya21hdHRlci5hZS9pQ1BTMAcGBWeBDAEBMA0GC2CGEAEBByMCAgEBMHEG
+CCsGAQUFBwEBBGUwYzAqBggrBgEFBQcwAYYeaHR0cDovL29jc3AucXVvdmFkaXNn
+bG9iYWwuY29tMDUGCCsGAQUFBzAChilodHRwOi8vY2FjZXJ0cy5kYXJrbWF0dGVy
+LmFlL3F2cmNhMmczLmNydDAOBgNVHQ8BAf8EBAMCAYYwJwYDVR0lBCAwHgYIKwYB
+BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDCTAfBgNVHSMEGDAWgBTt5292Wr9g7Elb
+xqV3u3IWcZvEPTBlBgNVHR8EXjBcMCygKqAohiZodHRwOi8vY3JsMS5kYXJrbWF0
+dGVyLmFlL3F2cmNhMmczLmNybDAsoCqgKIYmaHR0cDovL2NybDIuZGFya21hdHRl
+ci5hZS9xdnJjYTJnMy5jcmwwHQYDVR0OBBYEFF3x+2pngeaEW1c3XA+ZtdydRDtV
+MA0GCSqGSIb3DQEBDAUAA4ICAQB65QsY0XA4myZeoK1Lzp3QfoMw5A+viAFRze28
+uPbgXFtsgRl2hh6b/gTUhUcHa35br7CItqqaEdbxwvb7DnA++nmzq9LII6ldJAsi
+JyWiBaB+sw6bQN2EhW0P8W5+qSWqBBY/BHcM8yziw/TQcnFpg/BCcIY1UQJQQur4
+vMI7/epSV2q9vwwWexvBPZHBz7m1sRgTSp+Iszd5Sc+RlcRfPduCoIPZdQva2X12
+vFvH8Xq9n7X2Cv39iuYcftSbyZVQMHPzUN2yLuRXwQJPj+T9EwqrjOTKXeaLymMh
+9NBEGUbEBdtEN+7j0gYkGAddfO55xH+fut5SkoJ2AOgD4sBpT0IbytJSCVSOiMNK
+F2Zl/XgUvOxcQogWidTKBestoSxSyqiGSa7gJB0vzgN14lS8eLbCS0EaR+Y+X7NA
+euhnX6FnjQcJU4c1dPIzowv40edvV7baRSqURoCJRTIfESYqGb4fReziwt+kXN/7
+n+l1GFLcueFctxRaYjG9azdtOwY2H3ar7I8yJfXPK+IS8Ts+9RMW6KbLp/mUll6I
+UfvpSySPjEHdthXuRM+Ptk6nnnerJ8sUhmHrVKvF9BZCRxrkn/s1LH84gsIXEe18
+g0kcukY9KI1nDXlZ+0N/S94v9OrSt0ky/ktzht5XW3r6hp4BAcdHFm/TIvosw1Ei
+6fobDQ==
+-----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/blacklist/a25a19546819d048000ef9c6577c4bcd8d2155b1e4346a4599d6c8b79799d4a1.pem b/chromium/net/data/ssl/blacklist/a25a19546819d048000ef9c6577c4bcd8d2155b1e4346a4599d6c8b79799d4a1.pem
new file mode 100644
index 00000000000..9057e67e88e
--- /dev/null
+++ b/chromium/net/data/ssl/blacklist/a25a19546819d048000ef9c6577c4bcd8d2155b1e4346a4599d6c8b79799d4a1.pem
@@ -0,0 +1,150 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            62:7a:61:b1:0e:7f:5f:27:be:3b:eb:5e:94:cf:7f:f4:48:de:e1:c5
+        Signature Algorithm: sha384WithRSAEncryption
+        Issuer: C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
+        Validity
+            Not Before: Apr 19 18:27:31 2017 GMT
+            Not After : Apr 19 18:27:31 2025 GMT
+        Subject: C = AE, O = DarkMatter LLC, CN = DarkMatter Secure CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:93:2f:2e:6d:82:b3:37:53:c3:d7:80:53:bc:01:
+                    ab:4c:3a:ce:a9:d9:0e:73:8e:e7:d6:8c:25:91:08:
+                    49:3f:f5:c8:35:51:a0:e2:1e:62:75:da:e3:44:f5:
+                    f9:e1:20:67:54:eb:20:85:b5:be:ef:f4:11:cb:0b:
+                    4b:18:47:53:c6:66:fa:60:dc:74:13:dc:92:7e:4f:
+                    73:d7:ec:99:f6:42:38:e9:be:1f:b7:d6:00:c4:6e:
+                    8f:46:0c:4c:f8:1f:f5:d9:e7:b1:6f:10:f9:f1:e0:
+                    9d:46:e5:04:e3:a0:bd:a5:84:32:dc:be:89:6e:71:
+                    11:29:88:d3:24:1d:51:e0:ea:cc:e7:4b:50:5e:a7:
+                    92:f8:ed:99:1b:f2:b1:28:89:19:45:79:db:2c:0b:
+                    5b:3b:87:53:15:74:c4:02:16:13:7d:cd:47:29:fc:
+                    b5:4a:2b:93:f9:d0:7a:92:f6:cc:da:8b:e9:95:65:
+                    7d:1d:3a:15:3c:7a:ca:be:90:4a:ca:00:8f:f9:34:
+                    3c:d4:ff:86:5d:4b:ac:3e:00:27:c5:94:e5:11:ad:
+                    4c:e6:94:0a:83:17:89:7e:61:09:a1:55:2c:87:11:
+                    4f:cf:bc:1a:ae:f3:33:3d:fb:8f:94:19:45:b1:c3:
+                    33:90:22:a9:19:87:52:db:a8:60:33:72:92:d1:4e:
+                    75:be:e3:c5:e8:87:73:a5:ea:dd:91:ae:63:07:a7:
+                    e5:b6:df:30:51:60:bc:66:e6:50:11:2a:eb:65:b3:
+                    24:33:e1:7a:7d:15:20:45:50:df:8e:ff:01:31:b2:
+                    f7:86:a3:a9:ff:fa:aa:3a:d8:ea:e4:af:89:58:57:
+                    6a:22:47:29:7b:68:1b:45:a1:89:db:34:ac:f9:aa:
+                    31:d7:b5:3f:4a:64:77:e9:c4:0c:75:5f:92:a4:72:
+                    54:3a:44:10:bc:eb:e9:e9:8a:27:33:12:cd:8f:b5:
+                    9f:2a:14:4e:d4:1f:36:71:0d:e6:29:60:7e:03:32:
+                    39:fd:03:0c:d2:68:c1:5b:77:84:c6:be:a2:5d:1f:
+                    b0:c2:43:8e:82:fc:fd:8a:27:f2:59:dc:a3:cb:ba:
+                    92:59:2f:d3:48:65:2e:c1:d5:c2:77:07:87:5e:d8:
+                    b4:a4:29:c5:dd:b3:ef:f6:c5:c8:ea:36:1e:94:e5:
+                    bd:08:9c:04:0e:2b:1f:f1:df:7e:68:41:c2:aa:05:
+                    94:0d:d3:40:b4:a5:66:7f:b3:7b:24:fc:b2:89:e3:
+                    19:83:98:d3:90:06:8d:78:10:d9:be:73:62:5e:46:
+                    bb:27:dd:f2:0b:ac:db:38:b1:96:35:3f:33:ea:fb:
+                    eb:25:97:ef:41:b3:c0:f9:64:9d:62:07:02:71:82:
+                    88:95:29
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Certificate Policies: 
+                Policy: 2.16.784.1.1.7.35.2.2.1.2
+                  CPS: https://ca.darkmatter.ae/iCPS
+                Policy: 2.23.140.1.2.2
+                Policy: 2.23.140.1.2.3
+
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.quovadisglobal.com
+                CA Issuers - URI:http://cacerts.darkmatter.ae/qvrca2g3.crt
+
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication, OCSP Signing
+            X509v3 Authority Key Identifier: 
+                keyid:ED:E7:6F:76:5A:BF:60:EC:49:5B:C6:A5:77:BB:72:16:71:9B:C4:3D
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://crl1.darkmatter.ae/qvrca2g3.crl
+
+                Full Name:
+                  URI:http://crl2.darkmatter.ae/qvrca2g3.crl
+
+            X509v3 Subject Key Identifier: 
+                A2:50:A4:70:CB:3B:B5:CA:61:94:27:13:96:3A:74:76:AA:9D:EC:34
+    Signature Algorithm: sha384WithRSAEncryption
+         72:e3:c5:33:02:2b:cd:b4:91:bc:65:ca:95:ad:b5:90:fe:ee:
+         ac:f1:95:92:12:1e:85:fb:58:64:bf:43:a8:49:ad:56:3c:85:
+         65:d5:40:7d:09:83:d5:67:bf:b4:d3:62:72:d3:7e:c7:9e:d4:
+         ac:1d:62:95:c6:f2:06:5d:b9:36:2f:b5:d0:06:73:f6:78:17:
+         3d:34:56:76:fa:a5:15:77:89:af:40:c5:c0:56:34:02:f9:80:
+         45:e2:a5:49:40:84:6f:7e:fc:22:d7:f4:12:53:e7:1c:b2:f1:
+         e0:84:92:76:0b:54:e5:1b:5c:9f:c2:54:6e:09:8c:17:b8:f1:
+         14:0b:16:dc:e0:ed:17:00:66:6f:ea:26:cf:9c:07:c7:86:46:
+         9a:b4:85:ca:2d:18:4f:c0:a7:81:2b:89:54:81:f3:e1:a1:7b:
+         60:67:fc:8b:02:e3:2f:92:85:de:e0:c9:0e:1b:f1:4c:f0:3f:
+         7b:8d:b4:f1:32:9a:2f:64:24:81:b9:46:4b:1d:da:c3:a1:ac:
+         19:93:92:85:95:f8:98:88:b4:52:21:3b:f4:50:35:50:fb:86:
+         81:52:9e:81:a5:43:db:a9:ac:38:53:c3:28:e0:b9:e0:6e:4c:
+         49:b2:18:cf:53:44:cc:ab:10:89:7b:c6:55:55:6d:44:91:1b:
+         8c:61:4b:f8:78:93:9e:7a:3d:72:e2:d2:e8:5e:2d:e5:fb:09:
+         0f:a3:3b:1a:d9:22:34:75:da:1b:2e:c7:e7:44:2e:10:b7:25:
+         b1:10:9a:ea:73:8b:b9:87:41:5b:3f:43:a7:e2:50:a6:28:98:
+         67:92:74:f8:35:67:41:d8:b2:84:cc:72:d6:99:45:20:96:05:
+         c2:8a:da:72:72:42:2f:47:e1:7f:b5:22:11:50:40:6d:d9:1b:
+         c1:5a:21:67:a0:18:7a:9a:6c:72:50:42:6c:bb:f9:6f:eb:9a:
+         f9:e6:b0:4c:76:6f:9f:9f:db:68:05:fc:63:95:58:ef:f4:1c:
+         94:33:b1:dc:6d:73:1d:92:f3:00:19:65:36:fc:fa:69:1d:d0:
+         42:98:e4:c1:3d:d9:d5:67:02:3a:99:a0:4c:52:2f:03:d6:4c:
+         6b:fd:80:b3:7f:31:66:ad:50:1d:ba:fa:17:14:cf:b2:43:be:
+         8d:2a:bc:74:7f:f4:9c:22:f2:a9:8b:1e:cf:07:89:df:8d:1e:
+         59:28:96:25:2c:09:7c:9f:81:0e:d5:56:fa:fa:57:a8:5f:3a:
+         40:e8:55:4b:31:0e:8c:37:61:17:3f:aa:62:79:5a:70:4b:9d:
+         97:a1:d8:19:e3:ca:75:aa:20:c1:7c:80:b0:37:b6:8f:99:5a:
+         48:97:cb:d4:d5:80:98:c7
+-----BEGIN CERTIFICATE-----
+MIIG4zCCBMugAwIBAgIUYnphsQ5/Xye+O+telM9/9Eje4cUwDQYJKoZIhvcNAQEM
+BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
+BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzAeFw0xNzA0MTkxODI3MzFaFw0y
+NTA0MTkxODI3MzFaMEUxCzAJBgNVBAYTAkFFMRcwFQYDVQQKDA5EYXJrTWF0dGVy
+IExMQzEdMBsGA1UEAwwURGFya01hdHRlciBTZWN1cmUgQ0EwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQCTLy5tgrM3U8PXgFO8AatMOs6p2Q5zjufWjCWR
+CEk/9cg1UaDiHmJ12uNE9fnhIGdU6yCFtb7v9BHLC0sYR1PGZvpg3HQT3JJ+T3PX
+7Jn2Qjjpvh+31gDEbo9GDEz4H/XZ57FvEPnx4J1G5QTjoL2lhDLcvolucREpiNMk
+HVHg6sznS1Bep5L47Zkb8rEoiRlFedssC1s7h1MVdMQCFhN9zUcp/LVKK5P50HqS
+9szai+mVZX0dOhU8esq+kErKAI/5NDzU/4ZdS6w+ACfFlOURrUzmlAqDF4l+YQmh
+VSyHEU/PvBqu8zM9+4+UGUWxwzOQIqkZh1LbqGAzcpLRTnW+48Xoh3Ol6t2RrmMH
+p+W23zBRYLxm5lARKutlsyQz4Xp9FSBFUN+O/wExsveGo6n/+qo62Orkr4lYV2oi
+Ryl7aBtFoYnbNKz5qjHXtT9KZHfpxAx1X5KkclQ6RBC86+npiiczEs2PtZ8qFE7U
+HzZxDeYpYH4DMjn9AwzSaMFbd4TGvqJdH7DCQ46C/P2KJ/JZ3KPLupJZL9NIZS7B
+1cJ3B4de2LSkKcXds+/2xcjqNh6U5b0InAQOKx/x335oQcKqBZQN00C0pWZ/s3sk
+/LKJ4xmDmNOQBo14ENm+c2JeRrsn3fILrNs4sZY1PzPq++sll+9Bs8D5ZJ1iBwJx
+goiVKQIDAQABo4IBxjCCAcIwEgYDVR0TAQH/BAgwBgEB/wIBADBZBgNVHSAEUjBQ
+MDoGC2CGEAEBByMCAgECMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vY2EuZGFya21h
+dHRlci5hZS9pQ1BTMAgGBmeBDAECAjAIBgZngQwBAgMwcQYIKwYBBQUHAQEEZTBj
+MCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5xdW92YWRpc2dsb2JhbC5jb20wNQYI
+KwYBBQUHMAKGKWh0dHA6Ly9jYWNlcnRzLmRhcmttYXR0ZXIuYWUvcXZyY2EyZzMu
+Y3J0MA4GA1UdDwEB/wQEAwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUH
+AwIGCCsGAQUFBwMJMB8GA1UdIwQYMBaAFO3nb3Zav2DsSVvGpXe7chZxm8Q9MGUG
+A1UdHwReMFwwLKAqoCiGJmh0dHA6Ly9jcmwxLmRhcmttYXR0ZXIuYWUvcXZyY2Ey
+ZzMuY3JsMCygKqAohiZodHRwOi8vY3JsMi5kYXJrbWF0dGVyLmFlL3F2cmNhMmcz
+LmNybDAdBgNVHQ4EFgQUolCkcMs7tcphlCcTljp0dqqd7DQwDQYJKoZIhvcNAQEM
+BQADggIBAHLjxTMCK820kbxlypWttZD+7qzxlZISHoX7WGS/Q6hJrVY8hWXVQH0J
+g9Vnv7TTYnLTfsee1KwdYpXG8gZduTYvtdAGc/Z4Fz00Vnb6pRV3ia9AxcBWNAL5
+gEXipUlAhG9+/CLX9BJT5xyy8eCEknYLVOUbXJ/CVG4JjBe48RQLFtzg7RcAZm/q
+Js+cB8eGRpq0hcotGE/Ap4EriVSB8+Ghe2Bn/IsC4y+Shd7gyQ4b8UzwP3uNtPEy
+mi9kJIG5Rksd2sOhrBmTkoWV+JiItFIhO/RQNVD7hoFSnoGlQ9uprDhTwyjgueBu
+TEmyGM9TRMyrEIl7xlVVbUSRG4xhS/h4k556PXLi0uheLeX7CQ+jOxrZIjR12hsu
+x+dELhC3JbEQmupzi7mHQVs/Q6fiUKYomGeSdPg1Z0HYsoTMctaZRSCWBcKK2nJy
+Qi9H4X+1IhFQQG3ZG8FaIWegGHqabHJQQmy7+W/rmvnmsEx2b5+f22gF/GOVWO/0
+HJQzsdxtcx2S8wAZZTb8+mkd0EKY5ME92dVnAjqZoExSLwPWTGv9gLN/MWatUB26
++hcUz7JDvo0qvHR/9Jwi8qmLHs8Hid+NHlkoliUsCXyfgQ7VVvr6V6hfOkDoVUsx
+Dow3YRc/qmJ5WnBLnZeh2BnjynWqIMF8gLA3to+ZWkiXy9TVgJjH
+-----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/blacklist/d8888f4a84f74c974dffb573a1bf5bbbacd1713b905096f8eb015062bf396c4d.pem b/chromium/net/data/ssl/blacklist/d8888f4a84f74c974dffb573a1bf5bbbacd1713b905096f8eb015062bf396c4d.pem
new file mode 100644
index 00000000000..0ee82451ce4
--- /dev/null
+++ b/chromium/net/data/ssl/blacklist/d8888f4a84f74c974dffb573a1bf5bbbacd1713b905096f8eb015062bf396c4d.pem
@@ -0,0 +1,149 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            19:ff:34:56:9d:36:6b:a1:f6:6e:8d:95:32:ee:05:d0:55:b9:dd:1d
+        Signature Algorithm: sha384WithRSAEncryption
+        Issuer: C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 3 G3
+        Validity
+            Not Before: Apr 19 18:38:50 2017 GMT
+            Not After : Apr 19 18:38:50 2025 GMT
+        Subject: C = AE, O = DarkMatter LLC, CN = DarkMatter Assured CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:89:14:f9:94:77:15:68:79:c0:1b:95:4c:72:c0:
+                    f7:40:b1:01:c8:f6:90:f8:1d:d4:8a:47:23:4e:7c:
+                    4b:7e:73:3f:e1:65:16:db:42:c4:0e:ec:ec:d0:99:
+                    ef:27:5d:f3:b1:fc:4c:3e:bb:48:2c:e8:1e:81:94:
+                    dd:a7:3e:66:eb:0f:66:2b:89:22:62:af:1d:da:82:
+                    82:1b:8b:35:34:35:46:19:73:23:27:95:67:72:b1:
+                    e6:59:02:7d:cb:02:7c:e8:51:b2:0b:be:48:31:03:
+                    86:ef:e9:bf:fd:99:b4:00:2d:57:2e:49:b0:a1:fd:
+                    67:65:a7:90:ee:7a:3a:93:33:e8:f3:fb:26:4c:8c:
+                    12:4d:8f:0b:d1:04:c9:7a:47:28:f5:48:9d:4d:6d:
+                    6e:0b:03:9b:b1:23:86:c8:de:e8:73:fc:53:23:be:
+                    50:33:0c:77:37:57:89:88:30:57:75:f3:03:8c:cc:
+                    fe:4c:be:14:3a:1f:1a:e3:6e:57:14:7b:12:b7:96:
+                    ea:b3:8b:ed:88:05:d5:75:f2:f6:0a:2d:2b:e7:14:
+                    44:9a:ea:17:04:fb:4b:b2:84:10:68:5e:a0:e3:c5:
+                    88:17:f4:4f:c4:1d:c1:b6:c4:f3:50:58:81:8d:a7:
+                    d5:19:9a:dc:f6:1f:54:0a:87:7d:19:a8:17:68:89:
+                    9d:41:ef:5f:71:7f:52:fb:11:c7:ba:88:a7:5e:79:
+                    2a:93:96:22:41:36:8d:41:4b:52:76:b8:d6:d6:41:
+                    32:47:aa:a7:ef:81:07:12:d1:9a:0b:99:06:ca:9c:
+                    5e:ce:e4:5f:8d:2d:82:a9:cf:0d:59:b7:26:11:ae:
+                    4c:c8:d7:e2:b8:70:d0:a1:46:1f:1d:c8:17:c8:a1:
+                    ff:1a:a9:25:59:1a:48:dd:69:72:9a:59:e0:e3:74:
+                    4b:0d:63:85:2a:6d:b7:45:05:92:6d:cd:30:5b:5e:
+                    fa:0c:12:96:42:d1:f7:46:ee:d5:6b:5c:b5:3e:5d:
+                    2f:dc:ac:c8:e4:ba:f2:5c:d9:6d:49:09:ee:ba:b3:
+                    6e:ed:c4:86:11:59:25:f8:9b:98:83:c5:21:1b:de:
+                    78:94:5f:19:40:18:40:7e:40:3a:54:cf:39:6c:ef:
+                    8a:aa:80:17:b4:20:8a:64:f5:a2:73:0c:f4:47:67:
+                    68:a4:ee:da:08:84:bd:c4:a4:4e:a4:8f:db:c4:ae:
+                    5c:d5:39:88:ab:b9:10:61:1f:54:54:7f:69:24:32:
+                    5f:fd:51:98:fb:39:44:0e:16:d4:7e:79:3b:a9:40:
+                    00:e0:0c:74:ca:a5:e9:de:22:78:83:d9:f9:35:04:
+                    43:fd:27:97:8e:14:e3:62:7c:7b:ee:33:1c:e2:c1:
+                    c0:ab:73
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Certificate Policies: 
+                Policy: 2.16.784.1.1.7.35.2.2.2
+                  CPS: https://ca.darkmatter.ae/iCPS
+                Policy: 1.3.6.1.4.1.8024.1.300
+
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.quovadisglobal.com
+                CA Issuers - URI:http://cacerts.darkmatter.ae/qvrca3g3.crt
+
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, OCSP Signing, E-mail Protection, 1.3.6.1.4.1.311.10.3.12
+            X509v3 Authority Key Identifier: 
+                keyid:C6:17:D0:BC:A8:EA:02:43:F2:1B:06:99:5D:2B:90:20:B9:D7:9C:E4
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://crl1.darkmatter.ae/qvrca3g3.crl
+
+                Full Name:
+                  URI:http://crl2.darkmatter.ae/qvrca3g3.crl
+
+            X509v3 Subject Key Identifier: 
+                05:61:41:C6:3D:0D:28:BE:62:9F:98:F3:AF:A3:33:EA:C0:FD:F0:E9
+    Signature Algorithm: sha384WithRSAEncryption
+         7e:30:5a:ca:6c:5d:00:d9:94:38:c3:ca:b7:ca:50:c1:d1:c5:
+         45:93:f7:76:1b:bb:26:d8:63:f2:a0:3e:44:97:60:d1:be:04:
+         ba:a3:77:9f:f5:57:cb:be:e6:57:72:20:5c:81:5d:39:68:e5:
+         b7:e4:1d:ac:43:c3:48:37:45:f4:f1:f4:cd:e0:ca:f1:3c:65:
+         3a:af:e6:3e:ce:cd:28:47:ed:d1:e7:24:fd:08:32:e4:89:15:
+         fd:30:d7:48:84:eb:75:7c:3e:e4:55:42:b4:b8:1b:98:7b:6b:
+         cb:91:ff:34:f9:d3:ec:d4:3b:a2:e4:5b:4c:34:e6:6a:ec:ca:
+         46:a5:47:e1:fa:b6:1b:1e:95:f2:d7:a1:eb:8d:40:38:c3:d2:
+         f7:07:63:31:2d:93:cc:71:a6:e1:41:a3:f6:31:22:67:c8:3b:
+         65:fd:4d:c8:4b:07:2a:52:f6:51:9a:2d:9f:b3:94:e9:a2:35:
+         70:08:a2:a7:b2:ab:c6:fd:e9:62:74:07:5c:eb:2d:19:c4:8d:
+         10:10:d1:f5:f4:80:b2:2f:00:ff:c4:94:30:b2:b5:db:be:e0:
+         9c:b9:ff:2f:7c:dc:96:ae:06:c0:0a:93:2e:19:7c:f8:28:79:
+         02:ac:c5:59:14:cd:63:24:f3:6e:c4:87:80:19:ce:ea:00:72:
+         9e:87:7d:02:5c:34:01:74:f7:a8:6e:66:b4:d3:99:4e:57:d7:
+         43:32:3b:c1:9d:08:65:06:f7:e2:e0:35:22:88:2f:9c:fd:5e:
+         95:ee:d9:38:90:17:0b:ee:87:81:47:13:de:42:8e:48:1a:c1:
+         0f:93:f3:b4:3a:28:5a:8d:66:6c:1d:9f:95:b7:75:41:d0:cf:
+         9d:30:2e:5d:a6:af:3b:05:e1:0c:ff:1f:a1:c1:e7:3e:3e:14:
+         6d:01:52:e0:b8:40:12:fe:c4:4c:48:88:0f:ad:43:c9:06:54:
+         b1:76:a4:3f:24:16:62:08:bb:51:ff:81:86:b4:af:eb:d3:62:
+         ad:df:41:bb:58:85:42:cf:1b:6d:a9:32:8b:39:fb:7d:e9:2e:
+         cc:58:fb:bb:e5:da:35:89:38:7e:18:85:dd:80:2a:08:d6:0d:
+         8b:25:b4:34:9f:c3:46:bf:ad:af:87:89:59:26:8d:17:f4:7f:
+         42:dd:54:b2:40:1d:82:95:a1:40:bb:33:57:fa:c1:c4:fb:e6:
+         4c:4b:ef:e8:03:dc:09:d4:83:17:97:67:ad:f3:e3:31:1b:19:
+         28:3e:63:4d:1e:9c:de:be:0f:0d:cd:72:9c:0f:5f:2c:7d:0d:
+         67:14:aa:a5:8b:37:da:c0:66:a6:2a:05:16:3d:f7:3c:42:cf:
+         99:50:d9:06:15:23:3b:2a
+-----BEGIN CERTIFICATE-----
+MIIG6TCCBNGgAwIBAgIUGf80Vp02a6H2bo2VMu4F0FW53R0wDQYJKoZIhvcNAQEM
+BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
+BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMyBHMzAeFw0xNzA0MTkxODM4NTBaFw0y
+NTA0MTkxODM4NTBaMEYxCzAJBgNVBAYTAkFFMRcwFQYDVQQKDA5EYXJrTWF0dGVy
+IExMQzEeMBwGA1UEAwwVRGFya01hdHRlciBBc3N1cmVkIENBMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAiRT5lHcVaHnAG5VMcsD3QLEByPaQ+B3Uikcj
+TnxLfnM/4WUW20LEDuzs0JnvJ13zsfxMPrtILOgegZTdpz5m6w9mK4kiYq8d2oKC
+G4s1NDVGGXMjJ5VncrHmWQJ9ywJ86FGyC75IMQOG7+m//Zm0AC1XLkmwof1nZaeQ
+7no6kzPo8/smTIwSTY8L0QTJekco9UidTW1uCwObsSOGyN7oc/xTI75QMwx3N1eJ
+iDBXdfMDjMz+TL4UOh8a425XFHsSt5bqs4vtiAXVdfL2Ci0r5xREmuoXBPtLsoQQ
+aF6g48WIF/RPxB3BtsTzUFiBjafVGZrc9h9UCod9GagXaImdQe9fcX9S+xHHuoin
+Xnkqk5YiQTaNQUtSdrjW1kEyR6qn74EHEtGaC5kGypxezuRfjS2Cqc8NWbcmEa5M
+yNfiuHDQoUYfHcgXyKH/GqklWRpI3Wlymlng43RLDWOFKm23RQWSbc0wW176DBKW
+QtH3Ru7Va1y1Pl0v3KzI5LryXNltSQnuurNu7cSGEVkl+JuYg8UhG954lF8ZQBhA
+fkA6VM85bO+KqoAXtCCKZPWicwz0R2dopO7aCIS9xKROpI/bxK5c1TmIq7kQYR9U
+VH9pJDJf/VGY+zlEDhbUfnk7qUAA4Ax0yqXp3iJ4g9n5NQRD/SeXjhTjYnx77jMc
+4sHAq3MCAwEAAaOCAcswggHHMBIGA1UdEwEB/wQIMAYBAf8CAQAwUgYDVR0gBEsw
+STA5BgpghhABAQcjAgICMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vY2EuZGFya21h
+dHRlci5hZS9pQ1BTMAwGCisGAQQBvlgBgiwwcQYIKwYBBQUHAQEEZTBjMCoGCCsG
+AQUFBzABhh5odHRwOi8vb2NzcC5xdW92YWRpc2dsb2JhbC5jb20wNQYIKwYBBQUH
+MAKGKWh0dHA6Ly9jYWNlcnRzLmRhcmttYXR0ZXIuYWUvcXZyY2EzZzMuY3J0MA4G
+A1UdDwEB/wQEAwIBhjAzBgNVHSUELDAqBggrBgEFBQcDAgYIKwYBBQUHAwkGCCsG
+AQUFBwMEBgorBgEEAYI3CgMMMB8GA1UdIwQYMBaAFMYX0Lyo6gJD8hsGmV0rkCC5
+15zkMGUGA1UdHwReMFwwLKAqoCiGJmh0dHA6Ly9jcmwxLmRhcmttYXR0ZXIuYWUv
+cXZyY2EzZzMuY3JsMCygKqAohiZodHRwOi8vY3JsMi5kYXJrbWF0dGVyLmFlL3F2
+cmNhM2czLmNybDAdBgNVHQ4EFgQUBWFBxj0NKL5in5jzr6Mz6sD98OkwDQYJKoZI
+hvcNAQEMBQADggIBAH4wWspsXQDZlDjDyrfKUMHRxUWT93YbuybYY/KgPkSXYNG+
+BLqjd5/1V8u+5ldyIFyBXTlo5bfkHaxDw0g3RfTx9M3gyvE8ZTqv5j7OzShH7dHn
+JP0IMuSJFf0w10iE63V8PuRVQrS4G5h7a8uR/zT50+zUO6LkW0w05mrsykalR+H6
+thselfLXoeuNQDjD0vcHYzEtk8xxpuFBo/YxImfIO2X9TchLBypS9lGaLZ+zlOmi
+NXAIoqeyq8b96WJ0B1zrLRnEjRAQ0fX0gLIvAP/ElDCytdu+4Jy5/y983JauBsAK
+ky4ZfPgoeQKsxVkUzWMk827Eh4AZzuoAcp6HfQJcNAF096huZrTTmU5X10MyO8Gd
+CGUG9+LgNSKIL5z9XpXu2TiQFwvuh4FHE95CjkgawQ+T87Q6KFqNZmwdn5W3dUHQ
+z50wLl2mrzsF4Qz/H6HB5z4+FG0BUuC4QBL+xExIiA+tQ8kGVLF2pD8kFmIIu1H/
+gYa0r+vTYq3fQbtYhULPG22pMos5+33pLsxY+7vl2jWJOH4Yhd2AKgjWDYsltDSf
+w0a/ra+HiVkmjRf0f0LdVLJAHYKVoUC7M1f6wcT75kxL7+gD3AnUgxeXZ63z4zEb
+GSg+Y00enN6+Dw3NcpwPXyx9DWcUqqWLN9rAZqYqBRY99zxCz5lQ2QYVIzsq
+-----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/README b/chromium/net/data/ssl/certificates/README
index 32c7d287b1f..9f9714f6321 100644
--- a/chromium/net/data/ssl/certificates/README
+++ b/chromium/net/data/ssl/certificates/README
@@ -95,10 +95,6 @@ unit tests.
 
 - unittest.key.bin : private key stored unencrypted.
 
-- unittest.originbound.der: A test origin-bound certificate for
-     https://www.google.com:443.
-- unittest.originbound.key.der: matching PrivateKeyInfo.
-
 - multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
      certificate with all of the AttributeTypeAndValues stored within a single
      RelativeDistinguishedName, rather than one AVA per RDN as normally seen.
diff --git a/chromium/net/data/ssl/certificates/unittest.originbound.der b/chromium/net/data/ssl/certificates/unittest.originbound.der
deleted file mode 100644
index b37f59396e2..00000000000
--- a/chromium/net/data/ssl/certificates/unittest.originbound.der
+++ /dev/null
diff --git a/chromium/net/data/ssl/certificates/unittest.originbound.key.der b/chromium/net/data/ssl/certificates/unittest.originbound.key.der
deleted file mode 100644
index 1ecdd1ebc10..00000000000
--- a/chromium/net/data/ssl/certificates/unittest.originbound.key.der
+++ /dev/null
@@ -1,2 +0,0 @@
-0�¸0#
-*†H†÷


0ÇÙº§‚çưy©mµwÄq

��#úO'³0ˆf¬vm*ÇLà̃u[Âçó�}:�xª¿̃øOf²½₫7­V�u{)Ôç¯Hî†A‘Œöt£<ª̀\Û‘eđNes�e�jÅû¢‹)ÄÔ
=iÀ÷ÀP:đlJ(8dïv×�Å´›¨Ư6$kÁt"M¿Î+êeç]—¸¥4\&vI–]rå)&|ÈSÀ³
\ No newline at end of file
diff --git a/chromium/net/der/parser.cc b/chromium/net/der/parser.cc
index 4a43c2f275b..df7f11888c0 100644
--- a/chromium/net/der/parser.cc
+++ b/chromium/net/der/parser.cc
@@ -61,9 +61,9 @@ bool Parser::ReadTagAndValue(Tag* tag, Input* out) {
   return true;
 }
 
-bool Parser::ReadOptionalTag(Tag tag, Input* out, bool* present) {
+bool Parser::ReadOptionalTag(Tag tag, base::Optional<Input>* out) {
   if (!HasMore()) {
-    *present = false;
+    *out = base::nullopt;
     return true;
   }
   Tag actual_tag;
@@ -73,15 +73,23 @@ bool Parser::ReadOptionalTag(Tag tag, Input* out, bool* present) {
   }
   if (actual_tag == tag) {
     CHECK(Advance());
-    *present = true;
     *out = value;
   } else {
     advance_len_ = 0;
-    *present = false;
+    *out = base::nullopt;
   }
   return true;
 }
 
+bool Parser::ReadOptionalTag(Tag tag, Input* out, bool* present) {
+  base::Optional<Input> tmp_out;
+  if (!ReadOptionalTag(tag, &tmp_out))
+    return false;
+  *present = tmp_out.has_value();
+  *out = tmp_out.value_or(der::Input());
+  return true;
+}
+
 bool Parser::SkipOptionalTag(Tag tag, bool* present) {
   Input out;
   return ReadOptionalTag(tag, &out, present);
diff --git a/chromium/net/der/parser.h b/chromium/net/der/parser.h
index fa96ba907e0..410a5aeb3d1 100644
--- a/chromium/net/der/parser.h
+++ b/chromium/net/der/parser.h
@@ -9,6 +9,7 @@
 
 #include "base/compiler_specific.h"
 #include "base/macros.h"
+#include "base/optional.h"
 #include "net/base/net_export.h"
 #include "net/der/input.h"
 #include "net/der/tag.h"
@@ -117,10 +118,19 @@ class NET_EXPORT Parser {
   // provided to make some cases easier.
 
   // If the current tag in the input is |tag|, it puts the corresponding value
+  // in |out| and advances the input to the next TLV. If the current tag is
+  // something else, then |out| is set to nullopt and the input is not
+  // advanced. Like ReadTagAndValue, it returns false if the encoding is
+  // invalid and does not advance the input.
+  bool ReadOptionalTag(Tag tag, base::Optional<Input>* out) WARN_UNUSED_RESULT;
+
+  // If the current tag in the input is |tag|, it puts the corresponding value
   // in |out|, sets |was_present| to true, and advances the input to the next
   // TLV. If the current tag is something else, then |was_present| is set to
   // false and the input is not advanced. Like ReadTagAndValue, it returns
   // false if the encoding is invalid and does not advance the input.
+  // DEPRECATED: use the base::Optional version above in new code.
+  // TODO(mattm): convert the existing callers and remove this override.
   bool ReadOptionalTag(Tag tag,
                        Input* out,
                        bool* was_present) WARN_UNUSED_RESULT;
diff --git a/chromium/net/der/parser_unittest.cc b/chromium/net/der/parser_unittest.cc
index 781bd34f3b2..7c51b0e0f1e 100644
--- a/chromium/net/der/parser_unittest.cc
+++ b/chromium/net/der/parser_unittest.cc
@@ -65,6 +65,92 @@ TEST(ParserTest, FailsIfLengthOverlapsAnotherTLV) {
   ASSERT_FALSE(inner_sequence.ReadTagAndValue(&tag, &value));
 }
 
+TEST(ParserTest, ReadOptionalTagPresent) {
+  // DER encoding of 2 top-level TLV values:
+  // INTEGER { 1 }
+  // OCTET_STRING { `02` }
+  const uint8_t der[] = {0x02, 0x01, 0x01, 0x04, 0x01, 0x02};
+  Parser parser((Input(der)));
+
+  Input value;
+  bool present;
+  ASSERT_TRUE(parser.ReadOptionalTag(kInteger, &value, &present));
+  ASSERT_TRUE(present);
+  const uint8_t expected_int_value[] = {0x01};
+  ASSERT_EQ(Input(expected_int_value), value);
+
+  Tag tag;
+  ASSERT_TRUE(parser.ReadTagAndValue(&tag, &value));
+  ASSERT_EQ(kOctetString, tag);
+  const uint8_t expected_octet_string_value[] = {0x02};
+  ASSERT_EQ(Input(expected_octet_string_value), value);
+
+  ASSERT_FALSE(parser.HasMore());
+}
+
+TEST(ParserTest, ReadOptionalTag2Present) {
+  // DER encoding of 2 top-level TLV values:
+  // INTEGER { 1 }
+  // OCTET_STRING { `02` }
+  const uint8_t der[] = {0x02, 0x01, 0x01, 0x04, 0x01, 0x02};
+  Parser parser((Input(der)));
+
+  base::Optional<Input> optional_value;
+  ASSERT_TRUE(parser.ReadOptionalTag(kInteger, &optional_value));
+  ASSERT_TRUE(optional_value.has_value());
+  const uint8_t expected_int_value[] = {0x01};
+  ASSERT_EQ(Input(expected_int_value), *optional_value);
+
+  Tag tag;
+  Input value;
+  ASSERT_TRUE(parser.ReadTagAndValue(&tag, &value));
+  ASSERT_EQ(kOctetString, tag);
+  const uint8_t expected_octet_string_value[] = {0x02};
+  ASSERT_EQ(Input(expected_octet_string_value), value);
+
+  ASSERT_FALSE(parser.HasMore());
+}
+
+TEST(ParserTest, ReadOptionalTagNotPresent) {
+  // DER encoding of 1 top-level TLV value:
+  // OCTET_STRING { `02` }
+  const uint8_t der[] = {0x04, 0x01, 0x02};
+  Parser parser((Input(der)));
+
+  Input value;
+  bool present;
+  ASSERT_TRUE(parser.ReadOptionalTag(kInteger, &value, &present));
+  ASSERT_FALSE(present);
+
+  Tag tag;
+  ASSERT_TRUE(parser.ReadTagAndValue(&tag, &value));
+  ASSERT_EQ(kOctetString, tag);
+  const uint8_t expected_octet_string_value[] = {0x02};
+  ASSERT_EQ(Input(expected_octet_string_value), value);
+
+  ASSERT_FALSE(parser.HasMore());
+}
+
+TEST(ParserTest, ReadOptionalTag2NotPresent) {
+  // DER encoding of 1 top-level TLV value:
+  // OCTET_STRING { `02` }
+  const uint8_t der[] = {0x04, 0x01, 0x02};
+  Parser parser((Input(der)));
+
+  base::Optional<Input> optional_value;
+  ASSERT_TRUE(parser.ReadOptionalTag(kInteger, &optional_value));
+  ASSERT_FALSE(optional_value.has_value());
+
+  Tag tag;
+  Input value;
+  ASSERT_TRUE(parser.ReadTagAndValue(&tag, &value));
+  ASSERT_EQ(kOctetString, tag);
+  const uint8_t expected_octet_string_value[] = {0x02};
+  ASSERT_EQ(Input(expected_octet_string_value), value);
+
+  ASSERT_FALSE(parser.HasMore());
+}
+
 TEST(ParserTest, CanSkipOptionalTagAtEndOfInput) {
   const uint8_t der[] = {0x02 /* INTEGER */, 0x01, 0x01};
   Parser parser((Input(der)));
diff --git a/chromium/net/disk_cache/backend_unittest.cc b/chromium/net/disk_cache/backend_unittest.cc
index ac46244b366..b7bba50b9bf 100644
--- a/chromium/net/disk_cache/backend_unittest.cc
+++ b/chromium/net/disk_cache/backend_unittest.cc
@@ -4992,12 +4992,26 @@ TEST_F(DiskCacheBackendTest, MAYBE_NonEmptyCorruptSimpleCacheDoesNotRecover) {
 }
 
 TEST_F(DiskCacheBackendTest, SimpleOwnershipTransferBackendDestroyRace) {
+  struct CleanupContext {
+    explicit CleanupContext(bool* ran_ptr) : ran_ptr(ran_ptr) {}
+    ~CleanupContext() {
+      *ran_ptr = true;
+      // A realistic CleanupContext would call Close on non-null,
+      // which would be a double-Close when what this is testing was broken.
+      // Here, just check for expected case.
+      EXPECT_EQ(owned_entry, nullptr);
+    }
+
+    bool* ran_ptr;
+    disk_cache::Entry* owned_entry = nullptr;
+  };
+
   const char kKey[] = "skeleton";
 
   // See https://crbug.com/946349
   // This tests that if the SimpleBackendImpl is destroyed after SimpleEntryImpl
   // decides to return an entry to the caller, but before the callback is run
-  // that no entry is leaked.
+  // that no entry is leaked, and that the out pointer is not written to.
   SetSimpleCacheMode();
   InitCache();
 
@@ -5006,11 +5020,30 @@ TEST_F(DiskCacheBackendTest, SimpleOwnershipTransferBackendDestroyRace) {
   // Make sure create actually succeeds, not just optimistically.
   RunUntilIdle();
 
-  disk_cache::Entry* alias = nullptr;
-  // This is relying on the alias code resulting in synchronous posting of async
-  // result, so that backend destruction can be neatly slotted in between.
+  bool cleanup_context_ran = false;
+  auto cleanup_context = std::make_unique<CleanupContext>(&cleanup_context_ran);
+  disk_cache::Entry** dest = &cleanup_context->owned_entry;
+
+  // The OpenEntry code below will find a pre-existing entry in a READY state,
+  // so it will immediately post a task to return a result. Destroying the
+  // backend before running the event loop again will run that callback in the
+  // dead-backend state, while OpenEntry completion was still with it alive.
+
   EXPECT_EQ(net::ERR_IO_PENDING,
-            cache_->OpenEntry(kKey, net::HIGHEST, &alias, base::DoNothing()));
+            cache_->OpenEntry(
+                kKey, net::HIGHEST, dest,
+                base::BindOnce(
+                    [](std::unique_ptr<CleanupContext>, int net_status) {
+                      // The callback is here for ownership of CleanupContext,
+                      // and it shouldn't get invoked in this test.
+                      ADD_FAILURE() << "This should not actually run";
+                    },
+                    std::move(cleanup_context))));
   cache_.reset();
+
+  // Give CleanupContext a chance to do its thing.
+  RunUntilIdle();
+  EXPECT_TRUE(cleanup_context_ran);
+
   entry->Close();
 }
diff --git a/chromium/net/disk_cache/blockfile/backend_impl.cc b/chromium/net/disk_cache/blockfile/backend_impl.cc
index bc53189510f..b231b7caa42 100644
--- a/chromium/net/disk_cache/blockfile/backend_impl.cc
+++ b/chromium/net/disk_cache/blockfile/backend_impl.cc
@@ -173,8 +173,7 @@ BackendImpl::BackendImpl(
       consider_evicting_at_op_end_(false),
       net_log_(net_log),
       done_(base::WaitableEvent::ResetPolicy::MANUAL,
-            base::WaitableEvent::InitialState::NOT_SIGNALED),
-      ptr_factory_(this) {}
+            base::WaitableEvent::InitialState::NOT_SIGNALED) {}
 
 BackendImpl::BackendImpl(
     const base::FilePath& path,
@@ -202,8 +201,7 @@ BackendImpl::BackendImpl(
       consider_evicting_at_op_end_(false),
       net_log_(net_log),
       done_(base::WaitableEvent::ResetPolicy::MANUAL,
-            base::WaitableEvent::InitialState::NOT_SIGNALED),
-      ptr_factory_(this) {}
+            base::WaitableEvent::InitialState::NOT_SIGNALED) {}
 
 BackendImpl::~BackendImpl() {
   if (user_flags_ & kNoRandom) {
@@ -1937,11 +1935,6 @@ void BackendImpl::ReportStats() {
   stats_.SetCounter(Stats::DOOM_CACHE, 0);
   stats_.SetCounter(Stats::DOOM_RECENT, 0);
 
-  int age = (Time::Now() -
-             Time::FromInternalValue(data_->header.create_time)).InHours();
-  if (age)
-    CACHE_UMA(HOURS, "FilesAge", 0, age);
-
   int64_t total_hours = stats_.GetCounter(Stats::TIMER) / 120;
   if (!data_->header.create_time || !data_->header.lru.filled) {
     int cause = data_->header.create_time ? 0 : 1;
diff --git a/chromium/net/disk_cache/blockfile/backend_impl.h b/chromium/net/disk_cache/blockfile/backend_impl.h
index 99d28d7b966..16a492ba739 100644
--- a/chromium/net/disk_cache/blockfile/backend_impl.h
+++ b/chromium/net/disk_cache/blockfile/backend_impl.h
@@ -430,7 +430,7 @@ class NET_EXPORT_PRIVATE BackendImpl : public Backend {
   std::unique_ptr<base::RepeatingTimer> timer_;  // Usage timer.
   base::WaitableEvent done_;  // Signals the end of background work.
   scoped_refptr<TraceObject> trace_object_;  // Initializes internal tracing.
-  base::WeakPtrFactory<BackendImpl> ptr_factory_;
+  base::WeakPtrFactory<BackendImpl> ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(BackendImpl);
 };
diff --git a/chromium/net/disk_cache/blockfile/entry_impl.cc b/chromium/net/disk_cache/blockfile/entry_impl.cc
index 7323333edc7..8e5fc81b4f8 100644
--- a/chromium/net/disk_cache/blockfile/entry_impl.cc
+++ b/chromium/net/disk_cache/blockfile/entry_impl.cc
@@ -71,9 +71,9 @@ void SyncCallback::OnFileIOComplete(int bytes_copied) {
   entry_->DecrementIoCount();
   if (!callback_.is_null()) {
     if (entry_->net_log().IsCapturing()) {
-      entry_->net_log().EndEvent(
-          end_event_type_,
-          disk_cache::CreateNetLogReadWriteCompleteCallback(bytes_copied));
+      disk_cache::NetLogReadWriteComplete(entry_->net_log(), end_event_type_,
+                                          net::NetLogEventPhase::END,
+                                          bytes_copied);
     }
     entry_->ReportIOTime(disk_cache::EntryImpl::kAsyncIO, start_);
     buf_ = nullptr;  // Release the buffer before invoking the callback.
@@ -335,17 +335,17 @@ int EntryImpl::ReadDataImpl(int index,
                             int buf_len,
                             CompletionOnceCallback callback) {
   if (net_log_.IsCapturing()) {
-    net_log_.BeginEvent(
-        net::NetLogEventType::ENTRY_READ_DATA,
-        CreateNetLogReadWriteDataCallback(index, offset, buf_len, false));
+    NetLogReadWriteData(net_log_, net::NetLogEventType::ENTRY_READ_DATA,
+                        net::NetLogEventPhase::BEGIN, index, offset, buf_len,
+                        false);
   }
 
   int result =
       InternalReadData(index, offset, buf, buf_len, std::move(callback));
 
   if (result != net::ERR_IO_PENDING && net_log_.IsCapturing()) {
-    net_log_.EndEvent(net::NetLogEventType::ENTRY_READ_DATA,
-                      CreateNetLogReadWriteCompleteCallback(result));
+    NetLogReadWriteComplete(net_log_, net::NetLogEventType::ENTRY_READ_DATA,
+                            net::NetLogEventPhase::END, result);
   }
   return result;
 }
@@ -357,17 +357,17 @@ int EntryImpl::WriteDataImpl(int index,
                              CompletionOnceCallback callback,
                              bool truncate) {
   if (net_log_.IsCapturing()) {
-    net_log_.BeginEvent(
-        net::NetLogEventType::ENTRY_WRITE_DATA,
-        CreateNetLogReadWriteDataCallback(index, offset, buf_len, truncate));
+    NetLogReadWriteData(net_log_, net::NetLogEventType::ENTRY_WRITE_DATA,
+                        net::NetLogEventPhase::BEGIN, index, offset, buf_len,
+                        truncate);
   }
 
   int result = InternalWriteData(index, offset, buf, buf_len,
                                  std::move(callback), truncate);
 
   if (result != net::ERR_IO_PENDING && net_log_.IsCapturing()) {
-    net_log_.EndEvent(net::NetLogEventType::ENTRY_WRITE_DATA,
-                      CreateNetLogReadWriteCompleteCallback(result));
+    NetLogReadWriteComplete(net_log_, net::NetLogEventType::ENTRY_WRITE_DATA,
+                            net::NetLogEventPhase::END, result);
   }
   return result;
 }
@@ -752,9 +752,9 @@ void EntryImpl::BeginLogging(net::NetLog* net_log, bool created) {
   DCHECK(!net_log_.net_log());
   net_log_ = net::NetLogWithSource::Make(
       net_log, net::NetLogSourceType::DISK_CACHE_ENTRY);
-  net_log_.BeginEvent(
-      net::NetLogEventType::DISK_CACHE_ENTRY_IMPL,
-      CreateNetLogParametersEntryCreationCallback(this, created));
+  net_log_.BeginEvent(net::NetLogEventType::DISK_CACHE_ENTRY_IMPL, [&] {
+    return CreateNetLogParametersEntryCreationParams(this, created);
+  });
 }
 
 const net::NetLogWithSource& EntryImpl::net_log() const {
diff --git a/chromium/net/disk_cache/blockfile/eviction.cc b/chromium/net/disk_cache/blockfile/eviction.cc
index 2608c7a1b4f..489f5494f10 100644
--- a/chromium/net/disk_cache/blockfile/eviction.cc
+++ b/chromium/net/disk_cache/blockfile/eviction.cc
@@ -79,7 +79,7 @@ namespace disk_cache {
 
 // The real initialization happens during Init(), init_ is the only member that
 // has to be initialized here.
-Eviction::Eviction() : backend_(nullptr), init_(false), ptr_factory_(this) {}
+Eviction::Eviction() : backend_(nullptr), init_(false) {}
 
 Eviction::~Eviction() = default;
 
diff --git a/chromium/net/disk_cache/blockfile/eviction.h b/chromium/net/disk_cache/blockfile/eviction.h
index baea659e247..283463f5808 100644
--- a/chromium/net/disk_cache/blockfile/eviction.h
+++ b/chromium/net/disk_cache/blockfile/eviction.h
@@ -81,7 +81,7 @@ class Eviction {
   bool delay_trim_;
   bool init_;
   bool test_mode_;
-  base::WeakPtrFactory<Eviction> ptr_factory_;
+  base::WeakPtrFactory<Eviction> ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(Eviction);
 };
diff --git a/chromium/net/disk_cache/blockfile/histogram_macros.h b/chromium/net/disk_cache/blockfile/histogram_macros.h
index a2204b0eaa0..3a681779df0 100644
--- a/chromium/net/disk_cache/blockfile/histogram_macros.h
+++ b/chromium/net/disk_cache/blockfile/histogram_macros.h
@@ -102,7 +102,8 @@
       case net::PNACL_CACHE:                                         \
         CACHE_HISTOGRAM_##type(my_name.data(), sample);              \
         break;                                                       \
-      case net::GENERATED_CODE_CACHE:                                \
+      case net::GENERATED_BYTE_CODE_CACHE:                           \
+      case net::GENERATED_NATIVE_CODE_CACHE:                         \
         break;                                                       \
     }                                                                \
   }
diff --git a/chromium/net/disk_cache/blockfile/in_flight_backend_io.cc b/chromium/net/disk_cache/blockfile/in_flight_backend_io.cc
index 32895a59047..c4922955b42 100644
--- a/chromium/net/disk_cache/blockfile/in_flight_backend_io.cc
+++ b/chromium/net/disk_cache/blockfile/in_flight_backend_io.cc
@@ -396,10 +396,7 @@ void BackendIO::ExecuteEntryOperation() {
 InFlightBackendIO::InFlightBackendIO(
     BackendImpl* backend,
     const scoped_refptr<base::SingleThreadTaskRunner>& background_thread)
-    : backend_(backend),
-      background_thread_(background_thread),
-      ptr_factory_(this) {
-}
+    : backend_(backend), background_thread_(background_thread) {}
 
 InFlightBackendIO::~InFlightBackendIO() = default;
 
diff --git a/chromium/net/disk_cache/blockfile/in_flight_backend_io.h b/chromium/net/disk_cache/blockfile/in_flight_backend_io.h
index 7d0502192fe..724cc338323 100644
--- a/chromium/net/disk_cache/blockfile/in_flight_backend_io.h
+++ b/chromium/net/disk_cache/blockfile/in_flight_backend_io.h
@@ -251,7 +251,7 @@ class InFlightBackendIO : public InFlightIO {
   void PostOperation(const base::Location& from_here, BackendIO* operation);
   BackendImpl* backend_;
   scoped_refptr<base::SingleThreadTaskRunner> background_thread_;
-  base::WeakPtrFactory<InFlightBackendIO> ptr_factory_;
+  base::WeakPtrFactory<InFlightBackendIO> ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(InFlightBackendIO);
 };
diff --git a/chromium/net/disk_cache/blockfile/sparse_control.cc b/chromium/net/disk_cache/blockfile/sparse_control.cc
index f06489014a7..cdde574433b 100644
--- a/chromium/net/disk_cache/blockfile/sparse_control.cc
+++ b/chromium/net/disk_cache/blockfile/sparse_control.cc
@@ -290,9 +290,8 @@ int SparseControl::StartIO(SparseOperation op,
   abort_ = false;
 
   if (entry_->net_log().IsCapturing()) {
-    entry_->net_log().BeginEvent(
-        GetSparseEventType(operation_),
-        CreateNetLogSparseOperationCallback(offset_, buf_len_));
+    NetLogSparseOperation(entry_->net_log(), GetSparseEventType(operation_),
+                          net::NetLogEventPhase::BEGIN, offset_, buf_len_);
   }
   DoChildrenIO();
 
@@ -690,9 +689,9 @@ void SparseControl::DoChildrenIO() {
   // Range operations are finished synchronously, often without setting
   // |finished_| to true.
   if (kGetRangeOperation == operation_ && entry_->net_log().IsCapturing()) {
-    entry_->net_log().EndEvent(
-        net::NetLogEventType::SPARSE_GET_RANGE,
-        CreateNetLogGetAvailableRangeResultCallback(offset_, result_));
+    entry_->net_log().EndEvent(net::NetLogEventType::SPARSE_GET_RANGE, [&] {
+      return CreateNetLogGetAvailableRangeResultParams(offset_, result_);
+    });
   }
   if (finished_) {
     if (kGetRangeOperation != operation_ && entry_->net_log().IsCapturing()) {
@@ -726,20 +725,20 @@ bool SparseControl::DoChildIO() {
   switch (operation_) {
     case kReadOperation:
       if (entry_->net_log().IsCapturing()) {
-        entry_->net_log().BeginEvent(
-            net::NetLogEventType::SPARSE_READ_CHILD_DATA,
-            CreateNetLogSparseReadWriteCallback(child_->net_log().source(),
-                                                child_len_));
+        NetLogSparseReadWrite(entry_->net_log(),
+                              net::NetLogEventType::SPARSE_READ_CHILD_DATA,
+                              net::NetLogEventPhase::BEGIN,
+                              child_->net_log().source(), child_len_);
       }
       rv = child_->ReadDataImpl(kSparseData, child_offset_, user_buf_.get(),
                                 child_len_, std::move(callback));
       break;
     case kWriteOperation:
       if (entry_->net_log().IsCapturing()) {
-        entry_->net_log().BeginEvent(
-            net::NetLogEventType::SPARSE_WRITE_CHILD_DATA,
-            CreateNetLogSparseReadWriteCallback(child_->net_log().source(),
-                                                child_len_));
+        NetLogSparseReadWrite(entry_->net_log(),
+                              net::NetLogEventType::SPARSE_WRITE_CHILD_DATA,
+                              net::NetLogEventPhase::BEGIN,
+                              child_->net_log().source(), child_len_);
       }
       rv = child_->WriteDataImpl(kSparseData, child_offset_, user_buf_.get(),
                                  child_len_, std::move(callback), false);
diff --git a/chromium/net/disk_cache/blockfile/stats.cc b/chromium/net/disk_cache/blockfile/stats.cc
index 161e0135142..43c6758ccfe 100644
--- a/chromium/net/disk_cache/blockfile/stats.cc
+++ b/chromium/net/disk_cache/blockfile/stats.cc
@@ -139,26 +139,12 @@ void Stats::InitSizeHistogram() {
     return;
 
   first_time = false;
-  int min = 1;
-  int max = 64 * 1024;
-  int num_buckets = 75;
-  base::BucketRanges ranges(num_buckets + 1);
-  base::Histogram::InitializeBucketRanges(min, max, &ranges);
-
-  base::HistogramBase* stats_histogram = base::Histogram::FactoryGet(
-      "DiskCache.SizeStats2", min, max, num_buckets,
-      base::HistogramBase::kUmaTargetedHistogramFlag);
-
-  base::SampleVector samples(&ranges);
   for (int i = 0; i < kDataSizesLength; i++) {
     // This is a good time to fix any inconsistent data. The count should be
     // always positive, but if it's not, reset the value now.
     if (data_sizes_[i] < 0)
       data_sizes_[i] = 0;
-
-    samples.Accumulate(GetBucketRange(i) / 1024, data_sizes_[i]);
   }
-  stats_histogram->AddSamples(samples);
 }
 
 int Stats::StorageSize() {
diff --git a/chromium/net/disk_cache/disk_cache_fuzzer.cc b/chromium/net/disk_cache/disk_cache_fuzzer.cc
index e0d6561fd37..a840879548a 100644
--- a/chromium/net/disk_cache/disk_cache_fuzzer.cc
+++ b/chromium/net/disk_cache/disk_cache_fuzzer.cc
@@ -82,18 +82,12 @@ struct InitGlobals {
 
     print_comms_ = ::getenv("LPM_DUMP_NATIVE_INPUT");
 
-    // Mark this thread as an IO_THREAD with MOCK_TIME, and ensure that every
-    // other thread's time is driven from this thread's MOCK_TIME.
-    scoped_task_environment_ = std::make_unique<
-        base::test::ScopedTaskEnvironment>(
-        base::test::ScopedTaskEnvironment::MainThreadType::IO_MOCK_TIME,
-        base::test::ScopedTaskEnvironment::NowSource::MAIN_THREAD_MOCK_TIME);
-
-    // Work around for a DCHECK issue: DCHECK(!TimeTicks::Now().is_null())
-    // Since MOCK_TIME starts at 0 the starting time is considered null.
-    // So make it non-zero.
-    scoped_task_environment_->FastForwardBy(
-        base::TimeDelta::FromMilliseconds(1));
+    // Mark this thread as an IO_THREAD with MOCK_TIME, and ensure that Now()
+    // is driven from the same mock clock.
+    scoped_task_environment_ =
+        std::make_unique<base::test::ScopedTaskEnvironment>(
+            base::test::ScopedTaskEnvironment::MainThreadType::IO,
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME_AND_NOW);
 
     // Disable noisy logging as per "libFuzzer in Chrome" documentation:
     // testing/libfuzzer/getting_started.md#Disable-noisy-error-message-logging.
@@ -270,9 +264,13 @@ net::CacheType GetCacheTypeAndPrint(
       MAYBE_PRINT << "Cache type = PNACL_CACHE." << std::endl;
       return net::CacheType::PNACL_CACHE;
       break;
-    case disk_cache_fuzzer::FuzzCommands::GENERATED_CODE_CACHE:
-      MAYBE_PRINT << "Cache type = GENERATED_CODE_CACHE." << std::endl;
-      return net::CacheType::GENERATED_CODE_CACHE;
+    case disk_cache_fuzzer::FuzzCommands::GENERATED_BYTE_CODE_CACHE:
+      MAYBE_PRINT << "Cache type = GENERATED_BYTE_CODE_CACHE." << std::endl;
+      return net::CacheType::GENERATED_BYTE_CODE_CACHE;
+      break;
+    case disk_cache_fuzzer::FuzzCommands::GENERATED_NATIVE_CODE_CACHE:
+      MAYBE_PRINT << "Cache type = GENERATED_NATIVE_CODE_CACHE." << std::endl;
+      return net::CacheType::GENERATED_NATIVE_CODE_CACHE;
       break;
     case disk_cache_fuzzer::FuzzCommands::DISK_CACHE:
       MAYBE_PRINT << "Cache type = DISK_CACHE." << std::endl;
diff --git a/chromium/net/disk_cache/disk_cache_fuzzer.proto b/chromium/net/disk_cache/disk_cache_fuzzer.proto
index 2918d9f7c00..779bdb59af3 100644
--- a/chromium/net/disk_cache/disk_cache_fuzzer.proto
+++ b/chromium/net/disk_cache/disk_cache_fuzzer.proto
@@ -28,8 +28,9 @@ message FuzzCommands {
     MEDIA_CACHE = 2;
     SHADER_CACHE = 3;
     PNACL_CACHE = 4;
-    GENERATED_CODE_CACHE = 5;
+    GENERATED_BYTE_CODE_CACHE = 5;
     DISK_CACHE = 6;
+    GENERATED_NATIVE_CODE_CACHE = 7;
   }
   required CacheType cache_type = 4;
 
diff --git a/chromium/net/disk_cache/entry_unittest.cc b/chromium/net/disk_cache/entry_unittest.cc
index d70451aefb4..f39812a5287 100644
--- a/chromium/net/disk_cache/entry_unittest.cc
+++ b/chromium/net/disk_cache/entry_unittest.cc
@@ -81,6 +81,7 @@ class DiskCacheEntryTest : public DiskCacheTestWithCache {
   void DoomSparseEntry();
   void PartialSparseEntry();
   void SparseInvalidArg();
+  void SparseClipEnd(bool expected_unsupported);
   bool SimpleCacheMakeBadChecksumEntry(const std::string& key, int data_size);
   bool SimpleCacheThirdStreamFileExists(const char* key);
   void SyncDoomEntry(const char* key);
@@ -2430,6 +2431,14 @@ void DiskCacheEntryTest::SparseInvalidArg() {
   EXPECT_EQ(net::ERR_INVALID_ARGUMENT,
             GetAvailableRange(entry, 0, -1, &start_out));
 
+  int rv = WriteSparseData(
+      entry, std::numeric_limits<int64_t>::max() - kSize + 1, buf.get(), kSize);
+  // Blockfile rejects anything over 64GiB with
+  // net::ERR_CACHE_OPERATION_NOT_SUPPORTED, which is also OK here, as it's not
+  // an overflow or something else nonsensical.
+  EXPECT_TRUE(rv == net::ERR_INVALID_ARGUMENT ||
+              rv == net::ERR_CACHE_OPERATION_NOT_SUPPORTED);
+
   entry->Close();
 }
 
@@ -2450,6 +2459,67 @@ TEST_F(DiskCacheEntryTest, SimpleSparseInvalidArg) {
   SparseInvalidArg();
 }
 
+void DiskCacheEntryTest::SparseClipEnd(bool expect_unsupported) {
+  std::string key("key");
+  disk_cache::Entry* entry = nullptr;
+  ASSERT_THAT(CreateEntry(key, &entry), IsOk());
+
+  const int kSize = 1024;
+  scoped_refptr<net::IOBuffer> buf = base::MakeRefCounted<net::IOBuffer>(kSize);
+  CacheTestFillBuffer(buf->data(), kSize, false);
+
+  scoped_refptr<net::IOBuffer> read_buf =
+      base::MakeRefCounted<net::IOBuffer>(kSize * 2);
+  CacheTestFillBuffer(read_buf->data(), kSize * 2, false);
+
+  const int64_t kOffset = std::numeric_limits<int64_t>::max() - kSize;
+  int rv = WriteSparseData(entry, kOffset, buf.get(), kSize);
+  EXPECT_EQ(
+      rv, expect_unsupported ? net::ERR_CACHE_OPERATION_NOT_SUPPORTED : kSize);
+
+  // Try to read further than offset range, should get clipped (if supported).
+  rv = ReadSparseData(entry, kOffset, read_buf.get(), kSize * 2);
+  if (expect_unsupported) {
+    EXPECT_EQ(rv, net::ERR_CACHE_OPERATION_NOT_SUPPORTED);
+  } else {
+    EXPECT_EQ(kSize, rv);
+    EXPECT_EQ(0, memcmp(buf->data(), read_buf->data(), kSize));
+  }
+
+  int64_t out_start = 0;
+  net::TestCompletionCallback cb;
+  rv = entry->GetAvailableRange(kOffset - kSize, kSize * 3, &out_start,
+                                cb.callback());
+  rv = cb.GetResult(rv);
+  if (expect_unsupported) {
+    EXPECT_EQ(rv, net::ERR_CACHE_OPERATION_NOT_SUPPORTED);
+  } else {
+    EXPECT_EQ(kSize, rv);
+    EXPECT_EQ(kOffset, out_start);
+  }
+
+  entry->Close();
+}
+
+TEST_F(DiskCacheEntryTest, SparseClipEnd) {
+  InitCache();
+
+  // Blockfile refuses to deal with sparse indices over 64GiB.
+  SparseClipEnd(/* expect_unsupported = */ true);
+}
+
+TEST_F(DiskCacheEntryTest, MemoryOnlySparseClipEnd) {
+  SetMemoryOnlyMode();
+  InitCache();
+  SparseClipEnd(/* expect_unsupported = */ false);
+}
+
+TEST_F(DiskCacheEntryTest, SimpleSparseClipEnd) {
+  SetSimpleCacheMode();
+  InitCache();
+  SparseClipEnd(/* expect_unsupported = */ false);
+}
+
 // Tests that corrupt sparse children are removed automatically.
 TEST_F(DiskCacheEntryTest, CleanupSparseEntry) {
   InitCache();
diff --git a/chromium/net/disk_cache/memory/mem_backend_impl.cc b/chromium/net/disk_cache/memory/mem_backend_impl.cc
index a03c53d1321..bddd885827e 100644
--- a/chromium/net/disk_cache/memory/mem_backend_impl.cc
+++ b/chromium/net/disk_cache/memory/mem_backend_impl.cc
@@ -63,8 +63,7 @@ MemBackendImpl::MemBackendImpl(net::NetLog* net_log)
       net_log_(net_log),
       memory_pressure_listener_(
           base::BindRepeating(&MemBackendImpl::OnMemoryPressure,
-                              base::Unretained(this))),
-      weak_factory_(this) {}
+                              base::Unretained(this))) {}
 
 MemBackendImpl::~MemBackendImpl() {
   DCHECK(CheckLRUListOrder(lru_list_));
diff --git a/chromium/net/disk_cache/memory/mem_backend_impl.h b/chromium/net/disk_cache/memory/mem_backend_impl.h
index f79ef33207a..046fed2a222 100644
--- a/chromium/net/disk_cache/memory/mem_backend_impl.h
+++ b/chromium/net/disk_cache/memory/mem_backend_impl.h
@@ -149,7 +149,7 @@ class NET_EXPORT_PRIVATE MemBackendImpl final : public Backend {
 
   base::MemoryPressureListener memory_pressure_listener_;
 
-  base::WeakPtrFactory<MemBackendImpl> weak_factory_;
+  base::WeakPtrFactory<MemBackendImpl> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(MemBackendImpl);
 };
diff --git a/chromium/net/disk_cache/memory/mem_entry_impl.cc b/chromium/net/disk_cache/memory/mem_entry_impl.cc
index 61845b9a801..bb9affc918b 100644
--- a/chromium/net/disk_cache/memory/mem_entry_impl.cc
+++ b/chromium/net/disk_cache/memory/mem_entry_impl.cc
@@ -36,20 +36,6 @@ const int kMaxChildEntryBits = 12;
 // Sparse entry children have maximum size of 4KB.
 const int kMaxChildEntrySize = 1 << kMaxChildEntryBits;
 
-// This enum is used for histograms, so only append to the end.
-enum MemEntryWriteResult {
-  MEM_ENTRY_WRITE_RESULT_SUCCESS = 0,
-  MEM_ENTRY_WRITE_RESULT_INVALID_ARGUMENT = 1,
-  MEM_ENTRY_WRITE_RESULT_OVER_MAX_ENTRY_SIZE = 2,
-  MEM_ENTRY_WRITE_RESULT_EXCEEDED_CACHE_STORAGE_SIZE = 3,
-  MEM_ENTRY_WRITE_RESULT_MAX = 4,
-};
-
-void RecordWriteResult(MemEntryWriteResult result) {
-  UMA_HISTOGRAM_ENUMERATION("MemCache.WriteResult", result,
-                            MEM_ENTRY_WRITE_RESULT_MAX);
-}
-
 // Convert global offset to child index.
 int64_t ToChildIndex(int64_t offset) {
   return offset >> kMaxChildEntryBits;
@@ -70,9 +56,7 @@ std::string GenerateChildName(const std::string& base_name, int64_t child_id) {
 
 // Returns NetLog parameters for the creation of a MemEntryImpl. A separate
 // function is needed because child entries don't store their key().
-base::Value NetLogEntryCreationCallback(
-    const MemEntryImpl* entry,
-    net::NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogEntryCreationParams(const MemEntryImpl* entry) {
   base::Value dict(base::Value::Type::DICTIONARY);
   std::string key;
   switch (entry->type()) {
@@ -203,16 +187,16 @@ int MemEntryImpl::ReadData(int index,
                            int buf_len,
                            CompletionOnceCallback callback) {
   if (net_log_.IsCapturing()) {
-    net_log_.BeginEvent(
-        net::NetLogEventType::ENTRY_READ_DATA,
-        CreateNetLogReadWriteDataCallback(index, offset, buf_len, false));
+    NetLogReadWriteData(net_log_, net::NetLogEventType::ENTRY_READ_DATA,
+                        net::NetLogEventPhase::BEGIN, index, offset, buf_len,
+                        false);
   }
 
   int result = InternalReadData(index, offset, buf, buf_len);
 
   if (net_log_.IsCapturing()) {
-    net_log_.EndEvent(net::NetLogEventType::ENTRY_READ_DATA,
-                      CreateNetLogReadWriteCompleteCallback(result));
+    NetLogReadWriteComplete(net_log_, net::NetLogEventType::ENTRY_READ_DATA,
+                            net::NetLogEventPhase::END, result);
   }
   return result;
 }
@@ -224,17 +208,18 @@ int MemEntryImpl::WriteData(int index,
                             CompletionOnceCallback callback,
                             bool truncate) {
   if (net_log_.IsCapturing()) {
-    net_log_.BeginEvent(
-        net::NetLogEventType::ENTRY_WRITE_DATA,
-        CreateNetLogReadWriteDataCallback(index, offset, buf_len, truncate));
+    NetLogReadWriteData(net_log_, net::NetLogEventType::ENTRY_WRITE_DATA,
+                        net::NetLogEventPhase::BEGIN, index, offset, buf_len,
+                        truncate);
   }
 
   int result = InternalWriteData(index, offset, buf, buf_len, truncate);
 
   if (net_log_.IsCapturing()) {
-    net_log_.EndEvent(net::NetLogEventType::ENTRY_WRITE_DATA,
-                      CreateNetLogReadWriteCompleteCallback(result));
+    NetLogReadWriteComplete(net_log_, net::NetLogEventType::ENTRY_WRITE_DATA,
+                            net::NetLogEventPhase::END, result);
   }
+
   return result;
 }
 
@@ -243,8 +228,8 @@ int MemEntryImpl::ReadSparseData(int64_t offset,
                                  int buf_len,
                                  CompletionOnceCallback callback) {
   if (net_log_.IsCapturing()) {
-    net_log_.BeginEvent(net::NetLogEventType::SPARSE_READ,
-                        CreateNetLogSparseOperationCallback(offset, buf_len));
+    NetLogSparseOperation(net_log_, net::NetLogEventType::SPARSE_READ,
+                          net::NetLogEventPhase::BEGIN, offset, buf_len);
   }
   int result = InternalReadSparseData(offset, buf, buf_len);
   if (net_log_.IsCapturing())
@@ -257,8 +242,8 @@ int MemEntryImpl::WriteSparseData(int64_t offset,
                                   int buf_len,
                                   CompletionOnceCallback callback) {
   if (net_log_.IsCapturing()) {
-    net_log_.BeginEvent(net::NetLogEventType::SPARSE_WRITE,
-                        CreateNetLogSparseOperationCallback(offset, buf_len));
+    NetLogSparseOperation(net_log_, net::NetLogEventType::SPARSE_WRITE,
+                          net::NetLogEventPhase::BEGIN, offset, buf_len);
   }
   int result = InternalWriteSparseData(offset, buf, buf_len);
   if (net_log_.IsCapturing())
@@ -271,14 +256,14 @@ int MemEntryImpl::GetAvailableRange(int64_t offset,
                                     int64_t* start,
                                     CompletionOnceCallback callback) {
   if (net_log_.IsCapturing()) {
-    net_log_.BeginEvent(net::NetLogEventType::SPARSE_GET_RANGE,
-                        CreateNetLogSparseOperationCallback(offset, len));
+    NetLogSparseOperation(net_log_, net::NetLogEventType::SPARSE_GET_RANGE,
+                          net::NetLogEventPhase::BEGIN, offset, len);
   }
   int result = InternalGetAvailableRange(offset, len, start);
   if (net_log_.IsCapturing()) {
-    net_log_.EndEvent(
-        net::NetLogEventType::SPARSE_GET_RANGE,
-        CreateNetLogGetAvailableRangeResultCallback(*start, result));
+    net_log_.EndEvent(net::NetLogEventType::SPARSE_GET_RANGE, [&] {
+      return CreateNetLogGetAvailableRangeResultParams(*start, result);
+    });
   }
   return result;
 }
@@ -324,7 +309,7 @@ MemEntryImpl::MemEntryImpl(base::WeakPtr<MemBackendImpl> backend,
   net_log_ = net::NetLogWithSource::Make(
       net_log, net::NetLogSourceType::MEMORY_CACHE_ENTRY);
   net_log_.BeginEvent(net::NetLogEventType::DISK_CACHE_MEM_ENTRY_IMPL,
-                      base::Bind(&NetLogEntryCreationCallback, this));
+                      [&] { return NetLogEntryCreationParams(this); });
 }
 
 MemEntryImpl::~MemEntryImpl() {
@@ -374,22 +359,14 @@ int MemEntryImpl::InternalReadData(int index, int offset, IOBuffer* buf,
 int MemEntryImpl::InternalWriteData(int index, int offset, IOBuffer* buf,
                                     int buf_len, bool truncate) {
   DCHECK(type() == PARENT_ENTRY || index == kSparseData);
-  if (!backend_) {
-    // We have to fail writes after the backend is destroyed since we can't
-    // ensure we wouldn't use too much memory if it's gone.
-    RecordWriteResult(MEM_ENTRY_WRITE_RESULT_EXCEEDED_CACHE_STORAGE_SIZE);
+  if (!backend_)
     return net::ERR_INSUFFICIENT_RESOURCES;
-  }
 
-  if (index < 0 || index >= kNumStreams) {
-    RecordWriteResult(MEM_ENTRY_WRITE_RESULT_INVALID_ARGUMENT);
+  if (index < 0 || index >= kNumStreams)
     return net::ERR_INVALID_ARGUMENT;
-  }
 
-  if (offset < 0 || buf_len < 0) {
-    RecordWriteResult(MEM_ENTRY_WRITE_RESULT_INVALID_ARGUMENT);
+  if (offset < 0 || buf_len < 0)
     return net::ERR_INVALID_ARGUMENT;
-  }
 
   int max_file_size = backend_->MaxFileSize();
 
@@ -397,7 +374,6 @@ int MemEntryImpl::InternalWriteData(int index, int offset, IOBuffer* buf,
   if (offset > max_file_size || buf_len > max_file_size ||
       !base::CheckAdd(offset, buf_len).AssignIfValid(&end_offset) ||
       end_offset > max_file_size) {
-    RecordWriteResult(MEM_ENTRY_WRITE_RESULT_OVER_MAX_ENTRY_SIZE);
     return net::ERR_FAILED;
   }
 
@@ -407,7 +383,6 @@ int MemEntryImpl::InternalWriteData(int index, int offset, IOBuffer* buf,
     backend_->ModifyStorageSize(delta);
     if (backend_->HasExceededStorageSize()) {
       backend_->ModifyStorageSize(-delta);
-      RecordWriteResult(MEM_ENTRY_WRITE_RESULT_EXCEEDED_CACHE_STORAGE_SIZE);
       return net::ERR_INSUFFICIENT_RESOURCES;
     }
 
@@ -421,7 +396,6 @@ int MemEntryImpl::InternalWriteData(int index, int offset, IOBuffer* buf,
   }
 
   UpdateStateOnUse(ENTRY_WAS_MODIFIED);
-  RecordWriteResult(MEM_ENTRY_WRITE_RESULT_SUCCESS);
 
   if (!buf_len)
     return 0;
@@ -438,11 +412,15 @@ int MemEntryImpl::InternalReadSparseData(int64_t offset,
   if (!InitSparseInfo())
     return net::ERR_CACHE_OPERATION_NOT_SUPPORTED;
 
-  // Check that offset + buf_len does not overflow. This ensures that
-  // offset + io_buf->BytesConsumed() never overflows below.
-  if (offset < 0 || buf_len < 0 || !base::CheckAdd(offset, buf_len).IsValid())
+  if (offset < 0 || buf_len < 0)
     return net::ERR_INVALID_ARGUMENT;
 
+  // Ensure that offset + buf_len does not overflow. This ensures that
+  // offset + io_buf->BytesConsumed() never overflows below.
+  // The result of std::min is guaranteed to fit into int since buf_len did.
+  buf_len = std::min(static_cast<int64_t>(buf_len),
+                     std::numeric_limits<int64_t>::max() - offset);
+
   // We will keep using this buffer and adjust the offset in this buffer.
   scoped_refptr<net::DrainableIOBuffer> io_buf =
       base::MakeRefCounted<net::DrainableIOBuffer>(buf, buf_len);
@@ -463,10 +441,10 @@ int MemEntryImpl::InternalReadSparseData(int64_t offset,
     if (child_offset < child->child_first_pos_)
       break;
     if (net_log_.IsCapturing()) {
-      net_log_.BeginEvent(
-          net::NetLogEventType::SPARSE_READ_CHILD_DATA,
-          CreateNetLogSparseReadWriteCallback(child->net_log_.source(),
-                                              io_buf->BytesRemaining()));
+      NetLogSparseReadWrite(net_log_,
+                            net::NetLogEventType::SPARSE_READ_CHILD_DATA,
+                            net::NetLogEventPhase::BEGIN,
+                            child->net_log_.source(), io_buf->BytesRemaining());
     }
     int ret =
         child->ReadData(kSparseData, child_offset, io_buf.get(),
@@ -528,9 +506,9 @@ int MemEntryImpl::InternalWriteSparseData(int64_t offset,
     int data_size = child->GetDataSize(kSparseData);
 
     if (net_log_.IsCapturing()) {
-      net_log_.BeginEvent(net::NetLogEventType::SPARSE_WRITE_CHILD_DATA,
-                          CreateNetLogSparseReadWriteCallback(
-                              child->net_log_.source(), write_len));
+      NetLogSparseReadWrite(
+          net_log_, net::NetLogEventType::SPARSE_WRITE_CHILD_DATA,
+          net::NetLogEventPhase::BEGIN, child->net_log_.source(), write_len);
     }
 
     // Always writes to the child entry. This operation may overwrite data
@@ -574,7 +552,12 @@ int MemEntryImpl::InternalGetAvailableRange(int64_t offset,
   if (offset < 0 || len < 0 || !start)
     return net::ERR_INVALID_ARGUMENT;
 
-  // If offset + len overflows, this will just be the empty interval.
+  // Truncate |len| to make sure that |offset + len| does not overflow.
+  // This is OK since one can't write that far anyway.
+  // The result of std::min is guaranteed to fit into int since |len| did.
+  len = std::min(static_cast<int64_t>(len),
+                 std::numeric_limits<int64_t>::max() - offset);
+
   net::Interval<int64_t> requested(offset, offset + len);
 
   // Find the first relevant child, if any --- may have to skip over
diff --git a/chromium/net/disk_cache/net_log_parameters.cc b/chromium/net/disk_cache/net_log_parameters.cc
index b3e1bbbaaa8..96e99bb0b0e 100644
--- a/chromium/net/disk_cache/net_log_parameters.cc
+++ b/chromium/net/disk_cache/net_log_parameters.cc
@@ -6,34 +6,19 @@
 
 #include <utility>
 
-#include "base/bind.h"
 #include "base/logging.h"
-#include "base/strings/string_number_conversions.h"
 #include "base/values.h"
 #include "net/base/net_errors.h"
 #include "net/disk_cache/disk_cache.h"
-#include "net/log/net_log.h"
-#include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_source.h"
+#include "net/log/net_log_values.h"
 
 namespace {
 
-base::Value NetLogParametersEntryCreationCallback(
-    const disk_cache::Entry* entry,
-    bool created,
-    net::NetLogCaptureMode /* capture_mode */) {
-  base::Value dict(base::Value::Type::DICTIONARY);
-  dict.SetStringKey("key", entry->GetKey());
-  dict.SetBoolKey("created", created);
-  return dict;
-}
-
-base::Value NetLogReadWriteDataCallback(
-    int index,
-    int offset,
-    int buf_len,
-    bool truncate,
-    net::NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogReadWriteDataParams(int index,
+                                      int offset,
+                                      int buf_len,
+                                      bool truncate) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("index", index);
   dict.SetIntKey("offset", offset);
@@ -43,9 +28,7 @@ base::Value NetLogReadWriteDataCallback(
   return dict;
 }
 
-base::Value NetLogReadWriteCompleteCallback(
-    int bytes_copied,
-    net::NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogReadWriteCompleteParams(int bytes_copied) {
   DCHECK_NE(bytes_copied, net::ERR_IO_PENDING);
   base::Value dict(base::Value::Type::DICTIONARY);
   if (bytes_copied < 0) {
@@ -56,80 +39,84 @@ base::Value NetLogReadWriteCompleteCallback(
   return dict;
 }
 
-base::Value NetLogSparseOperationCallback(
-    int64_t offset,
-    int buf_len,
-    net::NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSparseOperationParams(int64_t offset, int buf_len) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetKey("offset", net::NetLogNumberValue(offset));
   dict.SetIntKey("buf_len", buf_len);
   return dict;
 }
 
-base::Value NetLogSparseReadWriteCallback(
-    const net::NetLogSource& source,
-    int child_len,
-    net::NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSparseReadWriteParams(const net::NetLogSource& source,
+                                        int child_len) {
   base::Value dict(base::Value::Type::DICTIONARY);
   source.AddToEventParameters(&dict);
   dict.SetIntKey("child_len", child_len);
   return dict;
 }
 
-base::Value NetLogGetAvailableRangeResultCallback(
-    int64_t start,
-    int result,
-    net::NetLogCaptureMode /* capture_mode */) {
-  base::Value dict(base::Value::Type::DICTIONARY);
-  if (result > 0) {
-    dict.SetIntKey("length", result);
-    dict.SetKey("start", net::NetLogNumberValue(start));
-  } else {
-    dict.SetIntKey("net_error", result);
-  }
-  return dict;
-}
-
 }  // namespace
 
 namespace disk_cache {
 
-net::NetLogParametersCallback CreateNetLogParametersEntryCreationCallback(
-    const Entry* entry,
-    bool created) {
+base::Value CreateNetLogParametersEntryCreationParams(const Entry* entry,
+                                                      bool created) {
   DCHECK(entry);
-  return base::Bind(&NetLogParametersEntryCreationCallback, entry, created);
+  base::Value dict(base::Value::Type::DICTIONARY);
+  dict.SetStringKey("key", entry->GetKey());
+  dict.SetBoolKey("created", created);
+  return dict;
 }
 
-net::NetLogParametersCallback CreateNetLogReadWriteDataCallback(int index,
-                                                                int offset,
-                                                                int buf_len,
-                                                                bool truncate) {
-  return base::Bind(&NetLogReadWriteDataCallback,
-                    index, offset, buf_len, truncate);
+void NetLogReadWriteData(const net::NetLogWithSource& net_log,
+                         net::NetLogEventType type,
+                         net::NetLogEventPhase phase,
+                         int index,
+                         int offset,
+                         int buf_len,
+                         bool truncate) {
+  net_log.AddEntry(type, phase, [&] {
+    return NetLogReadWriteDataParams(index, offset, buf_len, truncate);
+  });
 }
 
-net::NetLogParametersCallback CreateNetLogReadWriteCompleteCallback(
-    int bytes_copied) {
-  return base::Bind(&NetLogReadWriteCompleteCallback, bytes_copied);
+void NetLogReadWriteComplete(const net::NetLogWithSource& net_log,
+                             net::NetLogEventType type,
+                             net::NetLogEventPhase phase,
+                             int bytes_copied) {
+  net_log.AddEntry(type, phase,
+                   [&] { return NetLogReadWriteCompleteParams(bytes_copied); });
 }
 
-net::NetLogParametersCallback CreateNetLogSparseOperationCallback(
-    int64_t offset,
-    int buf_len) {
-  return base::Bind(&NetLogSparseOperationCallback, offset, buf_len);
+void NetLogSparseOperation(const net::NetLogWithSource& net_log,
+                           net::NetLogEventType type,
+                           net::NetLogEventPhase phase,
+                           int64_t offset,
+                           int buf_len) {
+  net_log.AddEntry(type, phase, [&] {
+    return NetLogSparseOperationParams(offset, buf_len);
+  });
 }
 
-net::NetLogParametersCallback CreateNetLogSparseReadWriteCallback(
-    const net::NetLogSource& source,
-    int child_len) {
-  return base::Bind(&NetLogSparseReadWriteCallback, source, child_len);
+void NetLogSparseReadWrite(const net::NetLogWithSource& net_log,
+                           net::NetLogEventType type,
+                           net::NetLogEventPhase phase,
+                           const net::NetLogSource& source,
+                           int child_len) {
+  net_log.AddEntry(type, phase, [&] {
+    return NetLogSparseReadWriteParams(source, child_len);
+  });
 }
 
-net::NetLogParametersCallback CreateNetLogGetAvailableRangeResultCallback(
-    int64_t start,
-    int result) {
-  return base::Bind(&NetLogGetAvailableRangeResultCallback, start, result);
+base::Value CreateNetLogGetAvailableRangeResultParams(int64_t start,
+                                                      int result) {
+  base::Value dict(base::Value::Type::DICTIONARY);
+  if (result > 0) {
+    dict.SetIntKey("length", result);
+    dict.SetKey("start", net::NetLogNumberValue(start));
+  } else {
+    dict.SetIntKey("net_error", result);
+  }
+  return dict;
 }
 
 }  // namespace disk_cache
diff --git a/chromium/net/disk_cache/net_log_parameters.h b/chromium/net/disk_cache/net_log_parameters.h
index 4df22f7fa2f..e753f9225fa 100644
--- a/chromium/net/disk_cache/net_log_parameters.h
+++ b/chromium/net/disk_cache/net_log_parameters.h
@@ -9,58 +9,64 @@
 
 #include <string>
 
-#include "net/log/net_log_parameters_callback.h"
+#include "net/log/net_log_with_source.h"
 
 namespace net {
 struct NetLogSource;
 }
 
+namespace base {
+class Value;
+}
+
 // This file contains a set of functions to create NetLogParametersCallbacks
 // shared by EntryImpls and MemEntryImpls.
 namespace disk_cache {
 
 class Entry;
 
-// Creates a NetLog callback that returns parameters for the creation of an
-// Entry.  Contains the Entry's key and whether it was created or opened.
-// |entry| can't be NULL, must support GetKey(), and must outlive the returned
-// callback.
-net::NetLogParametersCallback CreateNetLogParametersEntryCreationCallback(
-    const Entry* entry,
-    bool created);
-
-// Creates a NetLog callback that returns parameters for start of a non-sparse
-// read or write of an Entry.  For reads, |truncate| must be false.
-net::NetLogParametersCallback CreateNetLogReadWriteDataCallback(int index,
-                                                                int offset,
-                                                                int buf_len,
-                                                                bool truncate);
-
-// Creates a NetLog callback that returns parameters for when a non-sparse
-// read or write completes.  For reads, |truncate| must be false.
-// |bytes_copied| is either the number of bytes copied or a network error
-// code.  |bytes_copied| must not be ERR_IO_PENDING, as it's not a valid
-// result for an operation.
-net::NetLogParametersCallback CreateNetLogReadWriteCompleteCallback(
-    int bytes_copied);
-
-// Creates a NetLog callback that returns parameters for when a sparse
-// operation is started.
-net::NetLogParametersCallback CreateNetLogSparseOperationCallback(
-    int64_t offset,
-    int buf_len);
-
-// Creates a NetLog callback that returns parameters for when a read or write
-// for a sparse entry's child is started.
-net::NetLogParametersCallback CreateNetLogSparseReadWriteCallback(
-    const net::NetLogSource& source,
-    int child_len);
-
-// Creates a NetLog callback that returns parameters for when a call to
-// GetAvailableRange returns.
-net::NetLogParametersCallback CreateNetLogGetAvailableRangeResultCallback(
-    int64_t start,
-    int result);
+// Creates NetLog parameters for the creation of an Entry.  Contains the Entry's
+// key and whether it was created or opened. |entry| can't be nullptr, must
+// support GetKey().
+base::Value CreateNetLogParametersEntryCreationParams(const Entry* entry,
+                                                      bool created);
+
+// Logs an event for the start of a non-sparse read or write of an Entry. For
+// reads, |truncate| must be false.
+void NetLogReadWriteData(const net::NetLogWithSource& net_log,
+                         net::NetLogEventType type,
+                         net::NetLogEventPhase phase,
+                         int index,
+                         int offset,
+                         int buf_len,
+                         bool truncate);
+
+// Logs an event for when a non-sparse read or write completes.  For reads,
+// |truncate| must be false. |bytes_copied| is either the number of bytes copied
+// or a network error code.  |bytes_copied| must not be ERR_IO_PENDING, as it's
+// not a valid result for an operation.
+void NetLogReadWriteComplete(const net::NetLogWithSource& net_log,
+                             net::NetLogEventType type,
+                             net::NetLogEventPhase phase,
+                             int bytes_copied);
+
+// Logs an event for when a sparse operation is started.
+void NetLogSparseOperation(const net::NetLogWithSource& net_log,
+                           net::NetLogEventType type,
+                           net::NetLogEventPhase phase,
+                           int64_t offset,
+                           int buf_len);
+
+// Logs an event for when a read or write for a sparse entry's child is started.
+void NetLogSparseReadWrite(const net::NetLogWithSource& net_log,
+                           net::NetLogEventType type,
+                           net::NetLogEventPhase phase,
+                           const net::NetLogSource& source,
+                           int child_len);
+
+// Creates NetLog parameters for when a call to GetAvailableRange returns.
+base::Value CreateNetLogGetAvailableRangeResultParams(int64_t start,
+                                                      int result);
 
 }  // namespace disk_cache
 
diff --git a/chromium/net/disk_cache/simple/simple_backend_impl.cc b/chromium/net/disk_cache/simple/simple_backend_impl.cc
index 7235fefbddb..018d6ae4d96 100644
--- a/chromium/net/disk_cache/simple/simple_backend_impl.cc
+++ b/chromium/net/disk_cache/simple/simple_backend_impl.cc
@@ -23,12 +23,12 @@
 #include "base/metrics/field_trial_params.h"
 #include "base/metrics/histogram_functions.h"
 #include "base/metrics/histogram_macros.h"
-#include "base/single_thread_task_runner.h"
+#include "base/sequenced_task_runner.h"
 #include "base/system/sys_info.h"
 #include "base/task/post_task.h"
 #include "base/task/thread_pool/thread_pool.h"
 #include "base/task_runner_util.h"
-#include "base/threading/thread_task_runner_handle.h"
+#include "base/threading/sequenced_task_runner_handle.h"
 #include "base/time/time.h"
 #include "base/trace_event/memory_usage_estimator.h"
 #include "base/trace_event/process_memory_dump.h"
@@ -61,49 +61,13 @@ namespace {
 // Maximum fraction of the cache that one entry can consume.
 const int kMaxFileRatio = 8;
 
+// Native code entries can be large. Rather than increasing the overall cache
+// size, allow an individual entry to occupy up to half of the cache.
+const int kMaxNativeCodeFileRatio = 2;
+
 // Overrides the above.
 const int64_t kMinFileSizeLimit = 5 * 1024 * 1024;
 
-bool g_fd_limit_histogram_has_been_populated = false;
-
-void MaybeHistogramFdLimit() {
-  if (g_fd_limit_histogram_has_been_populated)
-    return;
-
-  // Used in histograms; add new entries at end.
-  enum FdLimitStatus {
-    FD_LIMIT_STATUS_UNSUPPORTED = 0,
-    FD_LIMIT_STATUS_FAILED      = 1,
-    FD_LIMIT_STATUS_SUCCEEDED   = 2,
-    FD_LIMIT_STATUS_MAX         = 3
-  };
-  FdLimitStatus fd_limit_status = FD_LIMIT_STATUS_UNSUPPORTED;
-  int soft_fd_limit = 0;
-  int hard_fd_limit = 0;
-
-#if defined(OS_POSIX)
-  struct rlimit nofile;
-  if (!getrlimit(RLIMIT_NOFILE, &nofile)) {
-    soft_fd_limit = nofile.rlim_cur;
-    hard_fd_limit = nofile.rlim_max;
-    fd_limit_status = FD_LIMIT_STATUS_SUCCEEDED;
-  } else {
-    fd_limit_status = FD_LIMIT_STATUS_FAILED;
-  }
-#endif
-
-  UMA_HISTOGRAM_ENUMERATION("SimpleCache.FileDescriptorLimitStatus",
-                            fd_limit_status, FD_LIMIT_STATUS_MAX);
-  if (fd_limit_status == FD_LIMIT_STATUS_SUCCEEDED) {
-    base::UmaHistogramSparse("SimpleCache.FileDescriptorLimitSoft",
-                             soft_fd_limit);
-    base::UmaHistogramSparse("SimpleCache.FileDescriptorLimitHard",
-                             hard_fd_limit);
-  }
-
-  g_fd_limit_histogram_has_been_populated = true;
-}
-
 // Global context of all the files we have open --- this permits some to be
 // closed on demand if too many FDs are being used, to avoid running out.
 base::LazyInstance<SimpleFileTracker>::Leaky g_simple_file_tracker =
@@ -247,7 +211,8 @@ SimpleBackendImpl::SimpleBackendImpl(
            base::TaskShutdownBehavior::BLOCK_SHUTDOWN})),
       orig_max_size_(max_bytes),
       entry_operations_mode_((cache_type == net::DISK_CACHE ||
-                              cache_type == net::GENERATED_CODE_CACHE)
+                              cache_type == net::GENERATED_BYTE_CODE_CACHE ||
+                              cache_type == net::GENERATED_NATIVE_CODE_CACHE)
                                  ? SimpleEntryImpl::OPTIMISTIC_OPERATIONS
                                  : SimpleEntryImpl::NON_OPTIMISTIC_OPERATIONS),
       net_log_(net_log) {
@@ -255,7 +220,6 @@ SimpleBackendImpl::SimpleBackendImpl(
   // backends, as default (if first call).
   if (orig_max_size_ < 0)
     orig_max_size_ = 0;
-  MaybeHistogramFdLimit();
 }
 
 SimpleBackendImpl::~SimpleBackendImpl() {
@@ -281,7 +245,7 @@ net::Error SimpleBackendImpl::Init(CompletionOnceCallback completion_callback) {
       base::MakeRefCounted<net::PrioritizedTaskRunner>(worker_pool);
 
   index_ = std::make_unique<SimpleIndex>(
-      base::ThreadTaskRunnerHandle::Get(), cleanup_tracker_.get(), this,
+      base::SequencedTaskRunnerHandle::Get(), cleanup_tracker_.get(), this,
       GetCacheType(),
       std::make_unique<SimpleIndexFile>(cache_runner_, worker_pool.get(),
                                         GetCacheType(), path_));
@@ -306,8 +270,11 @@ bool SimpleBackendImpl::SetMaxSize(int64_t max_bytes) {
 }
 
 int64_t SimpleBackendImpl::MaxFileSize() const {
+  uint64_t file_size_ratio = GetCacheType() == net::GENERATED_NATIVE_CODE_CACHE
+                                 ? kMaxNativeCodeFileRatio
+                                 : kMaxFileRatio;
   return std::max(
-      base::saturated_cast<int64_t>(index_->max_size() / kMaxFileRatio),
+      base::saturated_cast<int64_t>(index_->max_size() / file_size_ratio),
       kMinFileSizeLimit);
 }
 
@@ -591,9 +558,7 @@ int64_t SimpleBackendImpl::CalculateSizeOfEntriesBetween(
 class SimpleBackendImpl::SimpleIterator final : public Iterator {
  public:
   explicit SimpleIterator(base::WeakPtr<SimpleBackendImpl> backend)
-      : backend_(backend),
-        weak_factory_(this) {
-  }
+      : backend_(backend) {}
 
   // From Backend::Iterator:
   net::Error OpenNextEntry(Entry** next_entry,
@@ -657,7 +622,7 @@ class SimpleBackendImpl::SimpleIterator final : public Iterator {
  private:
   base::WeakPtr<SimpleBackendImpl> backend_;
   std::unique_ptr<std::vector<uint64_t>> hashes_to_enumerate_;
-  base::WeakPtrFactory<SimpleIterator> weak_factory_;
+  base::WeakPtrFactory<SimpleIterator> weak_factory_{this};
 };
 
 std::unique_ptr<Backend::Iterator> SimpleBackendImpl::CreateIterator() {
@@ -811,12 +776,19 @@ SimpleBackendImpl::DiskStatResult SimpleBackendImpl::InitCacheStructureOnDisk(
   } else {
     bool mtime_result =
         disk_cache::simple_util::GetMTime(path, &result.cache_dir_mtime);
-    DCHECK(mtime_result);
-    if (!result.max_size) {
+    if (!mtime_result) {
+      // Something deleted the directory between when we set it up and the
+      // mstat; this is not uncommon on some test fixtures which erase their
+      // tempdir while some worker threads may still be running.
+      LOG(ERROR) << "Simple Cache Backend: cache directory inaccessible right "
+                    "after creation; path: "
+                 << path.LossyDisplayName();
+      result.net_error = net::ERR_FAILED;
+    } else if (!result.max_size) {
       int64_t available = base::SysInfo::AmountOfFreeDiskSpace(path);
       result.max_size = disk_cache::PreferredCacheSize(available);
+      DCHECK(result.max_size);
     }
-    DCHECK(result.max_size);
   }
   return result;
 }
diff --git a/chromium/net/disk_cache/simple/simple_backend_impl.h b/chromium/net/disk_cache/simple/simple_backend_impl.h
index 4237f85c98b..ccf99434050 100644
--- a/chromium/net/disk_cache/simple/simple_backend_impl.h
+++ b/chromium/net/disk_cache/simple/simple_backend_impl.h
@@ -41,15 +41,17 @@ namespace disk_cache {
 
 // SimpleBackendImpl is a new cache backend that stores entries in individual
 // files.
-// See http://www.chromium.org/developers/design-documents/network-stack/disk-cache/very-simple-backend
+// See
+// http://www.chromium.org/developers/design-documents/network-stack/disk-cache/very-simple-backend
 //
 // The SimpleBackendImpl provides safe iteration; mutating entries during
 // iteration cannot cause a crash. It is undefined whether entries created or
 // destroyed during the iteration will be included in any pre-existing
 // iterations.
 //
-// The non-static functions below must be called on the IO thread unless
-// otherwise stated.
+// The non-static functions below must be called on the source creation sequence
+// unless otherwise stated.  Historically the source creation sequence has been
+// the IO thread, but the simple backend may now be used from other sequences.
 
 class BackendCleanupTracker;
 class SimpleEntryImpl;
@@ -204,8 +206,8 @@ class NET_EXPORT_PRIVATE SimpleBackendImpl : public Backend,
                                            Int64CompletionOnceCallback callback,
                                            int result);
 
-  // Try to create the directory if it doesn't exist. This must run on the IO
-  // thread.
+  // Try to create the directory if it doesn't exist. This must run on the
+  // source creation sequence.
   static DiskStatResult InitCacheStructureOnDisk(const base::FilePath& path,
                                                  uint64_t suggested_max_size,
                                                  net::CacheType cache_type);
diff --git a/chromium/net/disk_cache/simple/simple_entry_impl.cc b/chromium/net/disk_cache/simple/simple_entry_impl.cc
index 4828fcfeb80..c147a4bdb3b 100644
--- a/chromium/net/disk_cache/simple/simple_entry_impl.cc
+++ b/chromium/net/disk_cache/simple/simple_entry_impl.cc
@@ -15,11 +15,10 @@
 #include "base/callback.h"
 #include "base/location.h"
 #include "base/logging.h"
-#include "base/single_thread_task_runner.h"
 #include "base/stl_util.h"
 #include "base/task_runner.h"
 #include "base/task_runner_util.h"
-#include "base/threading/thread_task_runner_handle.h"
+#include "base/threading/sequenced_task_runner_handle.h"
 #include "base/time/time.h"
 #include "base/trace_event/memory_usage_estimator.h"
 #include "net/base/io_buffer.h"
@@ -86,14 +85,6 @@ void RecordHeaderSize(net::CacheType cache_type, int size) {
   SIMPLE_CACHE_UMA(COUNTS_10000, "HeaderSize", cache_type, size);
 }
 
-int g_open_entry_count = 0;
-
-void AdjustOpenEntryCountBy(net::CacheType cache_type, int offset) {
-  g_open_entry_count += offset;
-  SIMPLE_CACHE_UMA(COUNTS_10000,
-                   "GlobalOpenEntryCount", cache_type, g_open_entry_count);
-}
-
 void InvokeCallbackIfBackendIsAlive(
     const base::WeakPtr<SimpleBackendImpl>& backend,
     net::CompletionOnceCallback completion_callback,
@@ -104,28 +95,13 @@ void InvokeCallbackIfBackendIsAlive(
   std::move(completion_callback).Run(result);
 }
 
-void InvokeCallbackIfBackendIsAliveOrCloseEntry(
-    const base::WeakPtr<SimpleBackendImpl>& backend,
-    SimpleEntryImpl* entry,
-    net::CompletionOnceCallback completion_callback) {
-  DCHECK(!completion_callback.is_null());
-  if (!backend.get()) {
-    // Backend got destroyed while |entry| was in process of being transferred
-    // to client ownership. Give up on that.
-    entry->Close();
-    return;
-  }
-
-  std::move(completion_callback).Run(net::OK);
-}
-
 // If |sync_possible| is false, and callback is available, posts rv to it and
 // return net::ERR_IO_PENDING; otherwise just passes through rv.
 int PostToCallbackIfNeeded(bool sync_possible,
                            net::CompletionOnceCallback callback,
                            int rv) {
   if (!sync_possible && !callback.is_null()) {
-    base::ThreadTaskRunnerHandle::Get()->PostTask(
+    base::SequencedTaskRunnerHandle::Get()->PostTask(
         FROM_HERE, base::BindOnce(std::move(callback), rv));
     return net::ERR_IO_PENDING;
   } else {
@@ -203,8 +179,9 @@ SimpleEntryImpl::SimpleEntryImpl(
                     std::extent<decltype(crc_check_state_)>(),
                 "arrays should be the same size");
   ResetEntry();
-  net_log_.BeginEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY,
-                      CreateNetLogSimpleEntryConstructionCallback(this));
+  NetLogSimpleEntryConstruction(net_log_,
+                                net::NetLogEventType::SIMPLE_CACHE_ENTRY,
+                                net::NetLogEventPhase::BEGIN, this);
 }
 
 void SimpleEntryImpl::SetActiveEntryProxy(
@@ -374,8 +351,8 @@ void SimpleEntryImpl::NotifyDoomBeforeCreateComplete() {
 
 void SimpleEntryImpl::SetKey(const std::string& key) {
   key_ = key;
-  net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_SET_KEY,
-                    net::NetLog::StringCallback("key", &key));
+  net_log_.AddEventWithStringParams(
+      net::NetLogEventType::SIMPLE_CACHE_ENTRY_SET_KEY, "key", key);
 }
 
 void SimpleEntryImpl::Doom() {
@@ -383,8 +360,8 @@ void SimpleEntryImpl::Doom() {
 }
 
 void SimpleEntryImpl::Close() {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
-  DCHECK_LT(0, open_count_);
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  CHECK_LT(0, open_count_);
 
   net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_CLOSE_CALL);
 
@@ -401,23 +378,23 @@ void SimpleEntryImpl::Close() {
 }
 
 std::string SimpleEntryImpl::GetKey() const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   return key_;
 }
 
 Time SimpleEntryImpl::GetLastUsed() const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(cache_type_ != net::APP_CACHE);
   return last_used_;
 }
 
 Time SimpleEntryImpl::GetLastModified() const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   return last_modified_;
 }
 
 int32_t SimpleEntryImpl::GetDataSize(int stream_index) const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_LE(0, data_size_[stream_index]);
   return data_size_[stream_index];
 }
@@ -427,20 +404,20 @@ int SimpleEntryImpl::ReadData(int stream_index,
                               net::IOBuffer* buf,
                               int buf_len,
                               CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_CALL,
-                      CreateNetLogReadWriteDataCallback(stream_index, offset,
-                                                        buf_len, false));
+    NetLogReadWriteData(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_CALL,
+        net::NetLogEventPhase::NONE, stream_index, offset, buf_len, false);
   }
 
   if (stream_index < 0 || stream_index >= kSimpleEntryStreamCount ||
       buf_len < 0) {
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(
-          net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_END,
-          CreateNetLogReadWriteCompleteCallback(net::ERR_INVALID_ARGUMENT));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_END,
+          net::NetLogEventPhase::NONE, net::ERR_INVALID_ARGUMENT);
     }
 
     RecordReadResult(cache_type_, READ_RESULT_INVALID_ARGUMENT);
@@ -471,20 +448,20 @@ int SimpleEntryImpl::WriteData(int stream_index,
                                int buf_len,
                                CompletionOnceCallback callback,
                                bool truncate) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_CALL,
-                      CreateNetLogReadWriteDataCallback(stream_index, offset,
-                                                        buf_len, truncate));
+    NetLogReadWriteData(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_CALL,
+        net::NetLogEventPhase::NONE, stream_index, offset, buf_len, truncate);
   }
 
   if (stream_index < 0 || stream_index >= kSimpleEntryStreamCount ||
       offset < 0 || buf_len < 0) {
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(
-          net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_END,
-          CreateNetLogReadWriteCompleteCallback(net::ERR_INVALID_ARGUMENT));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_END,
+          net::NetLogEventPhase::NONE, net::ERR_INVALID_ARGUMENT);
     }
     RecordWriteResult(cache_type_, SIMPLE_ENTRY_WRITE_RESULT_INVALID_ARGUMENT);
     return net::ERR_INVALID_ARGUMENT;
@@ -493,8 +470,9 @@ int SimpleEntryImpl::WriteData(int stream_index,
   if (!base::CheckAdd(offset, buf_len).AssignIfValid(&end_offset) ||
       (backend_.get() && end_offset > backend_->MaxFileSize())) {
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_END,
-                        CreateNetLogReadWriteCompleteCallback(net::ERR_FAILED));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_END,
+          net::NetLogEventPhase::NONE, net::ERR_FAILED);
     }
     RecordWriteResult(cache_type_, SIMPLE_ENTRY_WRITE_RESULT_OVER_MAX_SIZE);
     return net::ERR_FAILED;
@@ -535,9 +513,9 @@ int SimpleEntryImpl::WriteData(int stream_index,
     op_callback = CompletionOnceCallback();
     ret_value = buf_len;
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(
-          net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_OPTIMISTIC,
-          CreateNetLogReadWriteCompleteCallback(buf_len));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_OPTIMISTIC,
+          net::NetLogEventPhase::NONE, buf_len);
     }
   }
 
@@ -551,22 +529,29 @@ int SimpleEntryImpl::ReadSparseData(int64_t offset,
                                     net::IOBuffer* buf,
                                     int buf_len,
                                     CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_CALL,
-                      CreateNetLogSparseOperationCallback(offset, buf_len));
+    NetLogSparseOperation(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_CALL,
+        net::NetLogEventPhase::NONE, offset, buf_len);
   }
 
   if (offset < 0 || buf_len < 0) {
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(
-          net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_END,
-          CreateNetLogReadWriteCompleteCallback(net::ERR_INVALID_ARGUMENT));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_END,
+          net::NetLogEventPhase::NONE, net::ERR_INVALID_ARGUMENT);
     }
     return net::ERR_INVALID_ARGUMENT;
   }
 
+  // Truncate |buf_len| to make sure that |offset + buf_len| does not overflow.
+  // This is OK since one can't write that far anyway.
+  // The result of std::min is guaranteed to fit into int since |buf_len| did.
+  buf_len = std::min(static_cast<int64_t>(buf_len),
+                     std::numeric_limits<int64_t>::max() - offset);
+
   ScopedOperationRunner operation_runner(this);
   pending_operations_.push(SimpleEntryOperation::ReadSparseOperation(
       this, offset, buf_len, buf, std::move(callback)));
@@ -577,19 +562,19 @@ int SimpleEntryImpl::WriteSparseData(int64_t offset,
                                      net::IOBuffer* buf,
                                      int buf_len,
                                      CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(
-        net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_CALL,
-        CreateNetLogSparseOperationCallback(offset, buf_len));
+    NetLogSparseOperation(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_CALL,
+        net::NetLogEventPhase::NONE, offset, buf_len);
   }
 
-  if (offset < 0 || buf_len < 0) {
+  if (offset < 0 || buf_len < 0 || !base::CheckAdd(offset, buf_len).IsValid()) {
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(
-          net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_END,
-          CreateNetLogReadWriteCompleteCallback(net::ERR_INVALID_ARGUMENT));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_END,
+          net::NetLogEventPhase::NONE, net::ERR_INVALID_ARGUMENT);
     }
     return net::ERR_INVALID_ARGUMENT;
   }
@@ -604,10 +589,16 @@ int SimpleEntryImpl::GetAvailableRange(int64_t offset,
                                        int len,
                                        int64_t* start,
                                        CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   if (offset < 0 || len < 0)
     return net::ERR_INVALID_ARGUMENT;
 
+  // Truncate |len| to make sure that |offset + len| does not overflow.
+  // This is OK since one can't write that far anyway.
+  // The result of std::min is guaranteed to fit into int since |len| did.
+  len = std::min(static_cast<int64_t>(len),
+                 std::numeric_limits<int64_t>::max() - offset);
+
   ScopedOperationRunner operation_runner(this);
   pending_operations_.push(SimpleEntryOperation::GetAvailableRangeOperation(
       this, offset, len, start, std::move(callback)));
@@ -615,20 +606,20 @@ int SimpleEntryImpl::GetAvailableRange(int64_t offset,
 }
 
 bool SimpleEntryImpl::CouldBeSparse() const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   // TODO(morlovich): Actually check.
   return true;
 }
 
 void SimpleEntryImpl::CancelSparseIO() {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   // The Simple Cache does not return distinct objects for the same non-doomed
   // entry, so there's no need to coordinate which object is performing sparse
   // I/O.  Therefore, CancelSparseIO and ReadyForSparseIO succeed instantly.
 }
 
 net::Error SimpleEntryImpl::ReadyForSparseIO(CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   // The simple Cache does not return distinct objects for the same non-doomed
   // entry, so there's no need to coordinate which object is performing sparse
   // I/O.  Therefore, CancelSparseIO and ReadyForSparseIO succeed instantly.
@@ -654,7 +645,7 @@ void SimpleEntryImpl::SetPriority(uint32_t entry_priority) {
 }
 
 SimpleEntryImpl::~SimpleEntryImpl() {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_EQ(0U, pending_operations_.size());
 
   // STATE_IO_PENDING is possible here in one corner case: the entry had
@@ -675,7 +666,7 @@ void SimpleEntryImpl::PostClientCallback(net::CompletionOnceCallback callback,
     return;
   // Note that the callback is posted rather than directly invoked to avoid
   // reentrancy issues.
-  base::ThreadTaskRunnerHandle::Get()->PostTask(
+  base::SequencedTaskRunnerHandle::Get()->PostTask(
       FROM_HERE, base::BindOnce(&InvokeCallbackIfBackendIsAlive, backend_,
                                 std::move(callback), result));
 }
@@ -695,39 +686,52 @@ void SimpleEntryImpl::ResetEntry() {
 }
 
 void SimpleEntryImpl::ReturnEntryToCaller(Entry** out_entry) {
+  DCHECK(backend_);
   DCHECK(out_entry);
   ++open_count_;
   AddRef();  // Balanced in Close()
-  if (!backend_.get()) {
-    // This method can be called when an asynchronous operation completed.
-    // If the backend no longer exists, the callback won't be invoked, and so we
-    // must close ourselves to avoid leaking. As well, there's no guarantee the
-    // client-provided pointer (|out_entry|) hasn't been freed, and no point
-    // dereferencing it, either.
-    Close();
-    return;
-  }
   *out_entry = this;
 }
 
-void SimpleEntryImpl::ReturnEntryToCallerAndPostCallback(
+void SimpleEntryImpl::ReturnEntryToCallerAsync(
     Entry** out_entry,
+    bool* out_opened,
+    bool opened,
     CompletionOnceCallback callback) {
   DCHECK(!callback.is_null());
-  ReturnEntryToCaller(out_entry);
-  if (!backend_.get())
-    return;  // ReturnEntryToCaller takes care of case of already-dead backend_.
+  DCHECK(out_entry);
+
+  // |open_count_| must be incremented immediately, so that a Close on an alias
+  // doesn't try to wrap things up.
+  ++open_count_;
 
   // Note that the callback is posted rather than directly invoked to avoid
-  // reentrancy issues. Unretained(this) is safe since ReturnEntryToCaller
-  // increments the reference count; this effect is also why this chooses to
-  // potentially call ReturnEntryToCaller and then roll it back rather than
-  // delay ReturnEntryToCaller: it protects |this| till any potential ownership
-  // share transfer is sorted out.
-  base::ThreadTaskRunnerHandle::Get()->PostTask(
+  // reentrancy issues.
+  base::SequencedTaskRunnerHandle::Get()->PostTask(
       FROM_HERE,
-      base::BindOnce(&InvokeCallbackIfBackendIsAliveOrCloseEntry, backend_,
-                     base::Unretained(this), std::move(callback)));
+      base::BindOnce(&SimpleEntryImpl::FinishReturnEntryToCallerAsync, this,
+                     out_entry, out_opened, opened, std::move(callback)));
+}
+
+void SimpleEntryImpl::FinishReturnEntryToCallerAsync(
+    Entry** out_entry,
+    bool* out_opened,
+    bool opened,
+    CompletionOnceCallback callback) {
+  AddRef();  // Balanced in Close()
+  if (!backend_.get()) {
+    // With backend dead, Open/Create operations are responsible for cleaning up
+    // the entry --- the ownership is never transferred to the caller, and their
+    // callback isn't invoked.
+    Close();
+    return;
+  }
+
+  *out_entry = this;
+  if (out_opened)
+    *out_opened = opened;
+
+  std::move(callback).Run(net::OK);
 }
 
 void SimpleEntryImpl::MarkAsDoomed(DoomState new_state) {
@@ -740,7 +744,7 @@ void SimpleEntryImpl::MarkAsDoomed(DoomState new_state) {
 }
 
 void SimpleEntryImpl::RunNextOperationIfNeeded() {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   if (!pending_operations_.empty() && state_ != STATE_IO_PENDING) {
     SimpleEntryOperation operation = std::move(pending_operations_.front());
     pending_operations_.pop();
@@ -800,16 +804,18 @@ void SimpleEntryImpl::OpenEntryInternal(net::CompletionOnceCallback callback,
   net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_BEGIN);
 
   if (state_ == STATE_READY) {
-    ReturnEntryToCallerAndPostCallback(out_entry, std::move(callback));
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_END,
-                      CreateNetLogSimpleEntryCreationCallback(this, net::OK));
+    ReturnEntryToCallerAsync(out_entry, /* out_opened = */ nullptr,
+                             /* opened = */ true, std::move(callback));
+    NetLogSimpleEntryCreation(net_log_,
+                              net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_END,
+                              net::NetLogEventPhase::NONE, this, net::OK);
     return;
   }
   if (state_ == STATE_FAILURE) {
     PostClientCallback(std::move(callback), net::ERR_FAILED);
-    net_log_.AddEvent(
-        net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_END,
-        CreateNetLogSimpleEntryCreationCallback(this, net::ERR_FAILED));
+    NetLogSimpleEntryCreation(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_END,
+        net::NetLogEventPhase::NONE, this, net::ERR_FAILED);
     return;
   }
 
@@ -854,9 +860,9 @@ void SimpleEntryImpl::CreateEntryInternal(net::CompletionOnceCallback callback,
 
   if (state_ != STATE_UNINITIALIZED) {
     // There is already an active normal entry.
-    net_log_.AddEvent(
-        net::NetLogEventType::SIMPLE_CACHE_ENTRY_CREATE_END,
-        CreateNetLogSimpleEntryCreationCallback(this, net::ERR_FAILED));
+    NetLogSimpleEntryCreation(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_CREATE_END,
+        net::NetLogEventPhase::NONE, this, net::ERR_FAILED);
     PostClientCallback(std::move(callback), net::ERR_FAILED);
     return;
   }
@@ -900,19 +906,18 @@ void SimpleEntryImpl::OpenOrCreateEntryInternal(
   DCHECK(entry_struct != nullptr || state_ == STATE_UNINITIALIZED);
 
   if (state_ == STATE_READY) {
-    entry_struct->opened = true;
-    ReturnEntryToCallerAndPostCallback(&entry_struct->entry,
-                                       std::move(callback));
-    net_log_.AddEvent(
-        net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_OR_CREATE_END,
-        CreateNetLogSimpleEntryCreationCallback(this, net::OK));
+    ReturnEntryToCallerAsync(&entry_struct->entry, &entry_struct->opened,
+                             /* opened = */ true, std::move(callback));
+    NetLogSimpleEntryCreation(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_OR_CREATE_END,
+        net::NetLogEventPhase::NONE, this, net::OK);
     return;
   }
   if (state_ == STATE_FAILURE) {
     PostClientCallback(std::move(callback), net::ERR_FAILED);
-    net_log_.AddEvent(
-        net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_OR_CREATE_END,
-        CreateNetLogSimpleEntryCreationCallback(this, net::ERR_FAILED));
+    NetLogSimpleEntryCreation(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_OPEN_OR_CREATE_END,
+        net::NetLogEventPhase::NONE, this, net::ERR_FAILED);
     return;
   }
 
@@ -953,7 +958,7 @@ void SimpleEntryImpl::OpenOrCreateEntryInternal(
 }
 
 void SimpleEntryImpl::CloseInternal() {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   if (open_count_ != 0) {
     // Entry got resurrected in between Close and CloseInternal, nothing to do
@@ -1017,20 +1022,21 @@ int SimpleEntryImpl::ReadDataInternal(bool sync_possible,
                                       net::IOBuffer* buf,
                                       int buf_len,
                                       net::CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   ScopedOperationRunner operation_runner(this);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_BEGIN,
-                      CreateNetLogReadWriteDataCallback(stream_index, offset,
-                                                        buf_len, false));
+    NetLogReadWriteData(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_BEGIN,
+        net::NetLogEventPhase::NONE, stream_index, offset, buf_len, false);
   }
 
   if (state_ == STATE_FAILURE || state_ == STATE_UNINITIALIZED) {
     RecordReadResult(cache_type_, READ_RESULT_BAD_STATE);
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_END,
-                        CreateNetLogReadWriteCompleteCallback(net::ERR_FAILED));
+      NetLogReadWriteComplete(net_log_,
+                              net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_END,
+                              net::NetLogEventPhase::NONE, net::ERR_FAILED);
     }
     // Note that the API states that client-provided callbacks for entry-level
     // (i.e. non-backend) operations (e.g. read, write) are invoked even if
@@ -1049,6 +1055,7 @@ int SimpleEntryImpl::ReadDataInternal(bool sync_possible,
     return PostToCallbackIfNeeded(sync_possible, std::move(callback), 0);
   }
 
+  // Truncate read to not go past end of stream.
   buf_len = std::min(buf_len, GetDataSize(stream_index) - offset);
 
   // Since stream 0 data is kept in memory, it is read immediately.
@@ -1111,23 +1118,24 @@ void SimpleEntryImpl::WriteDataInternal(int stream_index,
                                         int buf_len,
                                         net::CompletionOnceCallback callback,
                                         bool truncate) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   ScopedOperationRunner operation_runner(this);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_BEGIN,
-                      CreateNetLogReadWriteDataCallback(stream_index, offset,
-                                                        buf_len, truncate));
+    NetLogReadWriteData(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_BEGIN,
+        net::NetLogEventPhase::NONE, stream_index, offset, buf_len, truncate);
   }
 
   if (state_ == STATE_FAILURE || state_ == STATE_UNINITIALIZED) {
     RecordWriteResult(cache_type_, SIMPLE_ENTRY_WRITE_RESULT_BAD_STATE);
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_END,
-                        CreateNetLogReadWriteCompleteCallback(net::ERR_FAILED));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_END,
+          net::NetLogEventPhase::NONE, net::ERR_FAILED);
     }
     if (!callback.is_null()) {
-      base::ThreadTaskRunnerHandle::Get()->PostTask(
+      base::SequencedTaskRunnerHandle::Get()->PostTask(
           FROM_HERE, base::BindOnce(std::move(callback), net::ERR_FAILED));
     }
     // |this| may be destroyed after return here.
@@ -1140,7 +1148,7 @@ void SimpleEntryImpl::WriteDataInternal(int stream_index,
   if (stream_index == 0) {
     int ret_value = SetStream0Data(buf, offset, buf_len, truncate);
     if (!callback.is_null()) {
-      base::ThreadTaskRunnerHandle::Get()->PostTask(
+      base::SequencedTaskRunnerHandle::Get()->PostTask(
           FROM_HERE, base::BindOnce(std::move(callback), ret_value));
     }
     return;
@@ -1153,7 +1161,7 @@ void SimpleEntryImpl::WriteDataInternal(int stream_index,
       RecordWriteResult(cache_type_,
                         SIMPLE_ENTRY_WRITE_RESULT_FAST_EMPTY_RETURN);
       if (!callback.is_null()) {
-        base::ThreadTaskRunnerHandle::Get()->PostTask(
+        base::SequencedTaskRunnerHandle::Get()->PostTask(
             FROM_HERE, base::BindOnce(std::move(callback), 0));
       }
       return;
@@ -1229,23 +1237,23 @@ void SimpleEntryImpl::ReadSparseDataInternal(
     net::IOBuffer* buf,
     int buf_len,
     net::CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   ScopedOperationRunner operation_runner(this);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(
-        net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_BEGIN,
-        CreateNetLogSparseOperationCallback(sparse_offset, buf_len));
+    NetLogSparseOperation(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_BEGIN,
+        net::NetLogEventPhase::NONE, sparse_offset, buf_len);
   }
 
   if (state_ == STATE_FAILURE || state_ == STATE_UNINITIALIZED) {
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(
-          net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_END,
-          CreateNetLogReadWriteCompleteCallback(net::ERR_FAILED));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_END,
+          net::NetLogEventPhase::NONE, net::ERR_FAILED);
     }
     if (!callback.is_null()) {
-      base::ThreadTaskRunnerHandle::Get()->PostTask(
+      base::SequencedTaskRunnerHandle::Get()->PostTask(
           FROM_HERE, base::BindOnce(std::move(callback), net::ERR_FAILED));
     }
     // |this| may be destroyed after return here.
@@ -1274,23 +1282,23 @@ void SimpleEntryImpl::WriteSparseDataInternal(
     net::IOBuffer* buf,
     int buf_len,
     net::CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   ScopedOperationRunner operation_runner(this);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(
-        net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_BEGIN,
-        CreateNetLogSparseOperationCallback(sparse_offset, buf_len));
+    NetLogSparseOperation(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_BEGIN,
+        net::NetLogEventPhase::NONE, sparse_offset, buf_len);
   }
 
   if (state_ == STATE_FAILURE || state_ == STATE_UNINITIALIZED) {
     if (net_log_.IsCapturing()) {
-      net_log_.AddEvent(
-          net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_END,
-          CreateNetLogReadWriteCompleteCallback(net::ERR_FAILED));
+      NetLogReadWriteComplete(
+          net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_END,
+          net::NetLogEventPhase::NONE, net::ERR_FAILED);
     }
     if (!callback.is_null()) {
-      base::ThreadTaskRunnerHandle::Get()->PostTask(
+      base::SequencedTaskRunnerHandle::Get()->PostTask(
           FROM_HERE, base::BindOnce(std::move(callback), net::ERR_FAILED));
     }
     // |this| may be destroyed after return here.
@@ -1330,12 +1338,12 @@ void SimpleEntryImpl::GetAvailableRangeInternal(
     int len,
     int64_t* out_start,
     net::CompletionOnceCallback callback) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   ScopedOperationRunner operation_runner(this);
 
   if (state_ == STATE_FAILURE || state_ == STATE_UNINITIALIZED) {
     if (!callback.is_null()) {
-      base::ThreadTaskRunnerHandle::Get()->PostTask(
+      base::SequencedTaskRunnerHandle::Get()->PostTask(
           FROM_HERE, base::BindOnce(std::move(callback), net::ERR_FAILED));
     }
     // |this| may be destroyed after return here.
@@ -1424,7 +1432,7 @@ void SimpleEntryImpl::CreationOperationComplete(
     Entry** out_entry,
     bool* out_opened,
     net::NetLogEventType end_event_type) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_EQ(state_, STATE_IO_PENDING);
   DCHECK(in_results);
   ScopedOperationRunner operation_runner(this);
@@ -1462,12 +1470,6 @@ void SimpleEntryImpl::CreationOperationComplete(
   if (backend_ && doom_state_ == DOOM_NONE)
     backend_->index()->Insert(entry_hash_);
 
-  // Access to out_opened must be guarded by backend_ check since there is no
-  // requirement to keep this alive past backend destruction, as the callback
-  // will not be invoked.
-  if (backend_ && out_opened)
-    *out_opened = !in_results->created;
-
   state_ = STATE_READY;
   synchronous_entry_ = in_results->sync_entry;
 
@@ -1511,7 +1513,6 @@ void SimpleEntryImpl::CreationOperationComplete(
   SIMPLE_CACHE_UMA(TIMES,
                    "EntryCreationTime", cache_type_,
                    (base::TimeTicks::Now() - start_time));
-  AdjustOpenEntryCountBy(cache_type_, 1);
 
   net_log_.AddEvent(end_event_type);
 
@@ -1519,16 +1520,17 @@ void SimpleEntryImpl::CreationOperationComplete(
   // out_entry is nullptr and there is no callback, or should be returned
   // to out_entry with callback invoked.
   DCHECK_EQ(out_entry == nullptr, completion_callback.is_null());
-  if (out_entry)
-    ReturnEntryToCallerAndPostCallback(out_entry,
-                                       std::move(completion_callback));
+  if (out_entry) {
+    ReturnEntryToCallerAsync(out_entry, out_opened, !in_results->created,
+                             std::move(completion_callback));
+  }
 }
 
 void SimpleEntryImpl::EntryOperationComplete(
     net::CompletionOnceCallback completion_callback,
     const SimpleEntryStat& entry_stat,
     int result) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(synchronous_entry_);
   DCHECK_EQ(STATE_IO_PENDING, state_);
   if (result < 0) {
@@ -1540,7 +1542,7 @@ void SimpleEntryImpl::EntryOperationComplete(
   }
 
   if (!completion_callback.is_null()) {
-    base::ThreadTaskRunnerHandle::Get()->PostTask(
+    base::SequencedTaskRunnerHandle::Get()->PostTask(
         FROM_HERE, base::BindOnce(std::move(completion_callback), result));
   }
   RunNextOperationIfNeeded();
@@ -1552,7 +1554,7 @@ void SimpleEntryImpl::ReadOperationComplete(
     net::CompletionOnceCallback completion_callback,
     std::unique_ptr<SimpleEntryStat> entry_stat,
     std::unique_ptr<SimpleSynchronousEntry::ReadResult> read_result) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(synchronous_entry_);
   DCHECK_EQ(STATE_IO_PENDING, state_);
   DCHECK(read_result);
@@ -1584,8 +1586,9 @@ void SimpleEntryImpl::ReadOperationComplete(
   }
   RecordReadResultConsideringChecksum(read_result);
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_END,
-                      CreateNetLogReadWriteCompleteCallback(result));
+    NetLogReadWriteComplete(net_log_,
+                            net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_END,
+                            net::NetLogEventPhase::NONE, result);
   }
 
   EntryOperationComplete(std::move(completion_callback), *entry_stat, result);
@@ -1604,8 +1607,9 @@ void SimpleEntryImpl::WriteOperationComplete(
     RecordWriteResult(cache_type_,
                       SIMPLE_ENTRY_WRITE_RESULT_SYNC_WRITE_FAILURE);
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_END,
-                      CreateNetLogReadWriteCompleteCallback(result));
+    NetLogReadWriteComplete(net_log_,
+                            net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_END,
+                            net::NetLogEventPhase::NONE, result);
   }
 
   if (result < 0)
@@ -1623,13 +1627,14 @@ void SimpleEntryImpl::ReadSparseOperationComplete(
     net::CompletionOnceCallback completion_callback,
     std::unique_ptr<base::Time> last_used,
     std::unique_ptr<int> result) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(synchronous_entry_);
   DCHECK(result);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_END,
-                      CreateNetLogReadWriteCompleteCallback(*result));
+    NetLogReadWriteComplete(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_READ_SPARSE_END,
+        net::NetLogEventPhase::NONE, *result);
   }
 
   SimpleEntryStat entry_stat(*last_used, last_modified_, data_size_,
@@ -1641,13 +1646,14 @@ void SimpleEntryImpl::WriteSparseOperationComplete(
     net::CompletionOnceCallback completion_callback,
     std::unique_ptr<SimpleEntryStat> entry_stat,
     std::unique_ptr<int> result) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(synchronous_entry_);
   DCHECK(result);
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_END,
-                      CreateNetLogReadWriteCompleteCallback(*result));
+    NetLogReadWriteComplete(
+        net_log_, net::NetLogEventType::SIMPLE_CACHE_ENTRY_WRITE_SPARSE_END,
+        net::NetLogEventPhase::NONE, *result);
   }
 
   EntryOperationComplete(std::move(completion_callback), *entry_stat, *result);
@@ -1656,7 +1662,7 @@ void SimpleEntryImpl::WriteSparseOperationComplete(
 void SimpleEntryImpl::GetAvailableRangeOperationComplete(
     net::CompletionOnceCallback completion_callback,
     std::unique_ptr<int> result) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(synchronous_entry_);
   DCHECK(result);
 
@@ -1681,7 +1687,7 @@ void SimpleEntryImpl::DoomOperationComplete(
 void SimpleEntryImpl::RecordReadResultConsideringChecksum(
     const std::unique_ptr<SimpleSynchronousEntry::ReadResult>& read_result)
     const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(synchronous_entry_);
   DCHECK_EQ(STATE_IO_PENDING, state_);
 
@@ -1703,7 +1709,6 @@ void SimpleEntryImpl::CloseOperationComplete(
   DCHECK(STATE_IO_PENDING == state_ || STATE_FAILURE == state_ ||
          STATE_UNINITIALIZED == state_);
   net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_CLOSE_END);
-  AdjustOpenEntryCountBy(cache_type_, -1);
   if (cache_type_ == net::APP_CACHE &&
       in_results->estimated_trailer_prefetch_size > 0 && backend_.get() &&
       backend_->index()) {
@@ -1716,7 +1721,7 @@ void SimpleEntryImpl::CloseOperationComplete(
 
 void SimpleEntryImpl::UpdateDataFromEntryStat(
     const SimpleEntryStat& entry_stat) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(synchronous_entry_);
   DCHECK_EQ(STATE_READY, state_);
 
@@ -1787,7 +1792,7 @@ int SimpleEntryImpl::SetStream0Data(net::IOBuffer* buf,
   base::Time modification_time = base::Time::Now();
 
   // Reset checksum; SimpleSynchronousEntry::Close will compute it for us,
-  // and do it off the I/O thread.
+  // and do it off the source creation sequence.
   crc32s_end_offset_[0] = 0;
 
   UpdateDataFromEntryStat(
diff --git a/chromium/net/disk_cache/simple/simple_entry_impl.h b/chromium/net/disk_cache/simple/simple_entry_impl.h
index dbf6098b59c..271746cbd12 100644
--- a/chromium/net/disk_cache/simple/simple_entry_impl.h
+++ b/chromium/net/disk_cache/simple/simple_entry_impl.h
@@ -13,7 +13,7 @@
 #include "base/containers/queue.h"
 #include "base/files/file_path.h"
 #include "base/memory/ref_counted.h"
-#include "base/threading/thread_checker.h"
+#include "base/sequence_checker.h"
 #include "net/base/cache_type.h"
 #include "net/base/net_export.h"
 #include "net/base/request_priority.h"
@@ -44,9 +44,9 @@ class SimpleFileTracker;
 class SimpleSynchronousEntry;
 struct SimpleEntryCreationResults;
 
-// SimpleEntryImpl is the IO thread interface to an entry in the very simple
-// disk cache. It proxies for the SimpleSynchronousEntry, which performs IO
-// on the worker thread.
+// SimpleEntryImpl is the source task_runner interface to an entry in the very
+// simple disk cache. It proxies for the SimpleSynchronousEntry, which performs
+// IO on the worker thread.
 class NET_EXPORT_PRIVATE SimpleEntryImpl : public Entry,
     public base::RefCounted<SimpleEntryImpl> {
   friend class base::RefCounted<SimpleEntryImpl>;
@@ -214,10 +214,21 @@ class NET_EXPORT_PRIVATE SimpleEntryImpl : public Entry,
   // count.
   void ReturnEntryToCaller(Entry** out_entry);
 
-  // Like above, but also invokes the result callback (with net::OK), making
-  // sure to handle the backend being deleted in the interim.
-  void ReturnEntryToCallerAndPostCallback(Entry** out_entry,
-                                          CompletionOnceCallback callback);
+  // Like above, but for asynchronous return after the event loop runs again,
+  // also invoking the callback per the usual net convention.
+  // The return is cancelled if the backend is deleted in the interim.
+  //
+  // |out_opened| may be null.
+  void ReturnEntryToCallerAsync(Entry** out_entry,
+                                bool* out_opened,
+                                bool opened,
+                                CompletionOnceCallback callback);
+
+  // Portion of the above that runs off the event loop.
+  void FinishReturnEntryToCallerAsync(Entry** out_entry,
+                                      bool* out_opened,
+                                      bool opened,
+                                      CompletionOnceCallback callback);
 
   // Remove |this| from the Backend and the index, either because
   // SimpleSynchronousEntry has detected an error or because we are about to
@@ -307,7 +318,7 @@ class NET_EXPORT_PRIVATE SimpleEntryImpl : public Entry,
 
   // Called after an asynchronous write completes.
   // |buf| parameter brings back a reference to net::IOBuffer to the original
-  // thread, so that we can reduce cross thread malloc/free pair.
+  // sequence, so that we can reduce cross thread malloc/free pair.
   // See http://crbug.com/708644 for details.
   void WriteOperationComplete(
       int stream_index,
@@ -367,9 +378,10 @@ class NET_EXPORT_PRIVATE SimpleEntryImpl : public Entry,
 
   std::unique_ptr<ActiveEntryProxy> active_entry_proxy_;
 
-  // All nonstatic SimpleEntryImpl methods should always be called on the IO
-  // thread, in all cases. |io_thread_checker_| documents and enforces this.
-  base::ThreadChecker io_thread_checker_;
+  // All nonstatic SimpleEntryImpl methods should always be called on the
+  // source creation sequence, in all cases. |sequence_checker_| documents and
+  // enforces this.
+  SEQUENCE_CHECKER(sequence_checker_);
 
   const base::WeakPtr<SimpleBackendImpl> backend_;
   SimpleFileTracker* const file_tracker_;
diff --git a/chromium/net/disk_cache/simple/simple_histogram_macros.h b/chromium/net/disk_cache/simple/simple_histogram_macros.h
index d530d528dee..e10764d5dd3 100644
--- a/chromium/net/disk_cache/simple/simple_histogram_macros.h
+++ b/chromium/net/disk_cache/simple/simple_histogram_macros.h
@@ -35,7 +35,8 @@
         SIMPLE_CACHE_THUNK(uma_type,                                        \
                            ("SimpleCache.Media." uma_name, ##__VA_ARGS__)); \
         break;                                                              \
-      case net::GENERATED_CODE_CACHE:                                       \
+      case net::GENERATED_BYTE_CODE_CACHE:                                  \
+      case net::GENERATED_NATIVE_CODE_CACHE:                                \
       case net::SHADER_CACHE:                                               \
         break;                                                              \
       default:                                                              \
diff --git a/chromium/net/disk_cache/simple/simple_index.cc b/chromium/net/disk_cache/simple/simple_index.cc
index cd12bb201b9..a4ee6f7f27d 100644
--- a/chromium/net/disk_cache/simple/simple_index.cc
+++ b/chromium/net/disk_cache/simple/simple_index.cc
@@ -177,7 +177,7 @@ bool EntryMetadata::Deserialize(net::CacheType cache_type,
 }
 
 SimpleIndex::SimpleIndex(
-    const scoped_refptr<base::SingleThreadTaskRunner>& io_thread,
+    const scoped_refptr<base::SequencedTaskRunner>& task_runner,
     scoped_refptr<BackendCleanupTracker> cleanup_tracker,
     SimpleIndexDelegate* delegate,
     net::CacheType cache_type,
@@ -186,7 +186,7 @@ SimpleIndex::SimpleIndex(
       delegate_(delegate),
       cache_type_(cache_type),
       index_file_(std::move(index_file)),
-      io_thread_(io_thread),
+      task_runner_(task_runner),
       // Creating the callback once so it is reused every time
       // write_to_disk_timer_.Start() is called.
       write_to_disk_cb_(base::Bind(&SimpleIndex::WriteToDisk,
@@ -194,7 +194,7 @@ SimpleIndex::SimpleIndex(
                                    INDEX_WRITE_REASON_IDLE)) {}
 
 SimpleIndex::~SimpleIndex() {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   // Fail all callbacks waiting for the index to come up.
   for (auto it = to_run_when_initialized_.begin(),
@@ -205,7 +205,7 @@ SimpleIndex::~SimpleIndex() {
 }
 
 void SimpleIndex::Initialize(base::Time cache_mtime) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
 #if defined(OS_ANDROID)
   if (app_status_listener_) {
@@ -238,9 +238,9 @@ void SimpleIndex::SetMaxSize(uint64_t max_bytes) {
 }
 
 net::Error SimpleIndex::ExecuteWhenReady(net::CompletionOnceCallback task) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   if (initialized_)
-    io_thread_->PostTask(FROM_HERE, base::BindOnce(std::move(task), net::OK));
+    task_runner_->PostTask(FROM_HERE, base::BindOnce(std::move(task), net::OK));
   else
     to_run_when_initialized_.push_back(std::move(task));
   return net::ERR_IO_PENDING;
@@ -316,7 +316,7 @@ size_t SimpleIndex::EstimateMemoryUsage() const {
 }
 
 base::Time SimpleIndex::GetLastUsedTime(uint64_t entry_hash) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_NE(cache_type_, net::APP_CACHE);
   auto it = entries_set_.find(entry_hash);
   if (it == entries_set_.end())
@@ -336,7 +336,7 @@ bool SimpleIndex::HasPendingWrite() const {
 }
 
 void SimpleIndex::Insert(uint64_t entry_hash) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   // Upon insert we don't know yet the size of the entry.
   // It will be updated later when the SimpleEntryImpl finishes opening or
   // creating the new entry, and then UpdateEntrySize will be called.
@@ -355,7 +355,7 @@ void SimpleIndex::Insert(uint64_t entry_hash) {
 }
 
 void SimpleIndex::Remove(uint64_t entry_hash) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   bool need_write = false;
   auto it = entries_set_.find(entry_hash);
   if (it != entries_set_.end()) {
@@ -372,13 +372,13 @@ void SimpleIndex::Remove(uint64_t entry_hash) {
 }
 
 bool SimpleIndex::Has(uint64_t hash) const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   // If not initialized, always return true, forcing it to go to the disk.
   return !initialized_ || entries_set_.count(hash) > 0;
 }
 
 uint8_t SimpleIndex::GetEntryInMemoryData(uint64_t entry_hash) const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   auto it = entries_set_.find(entry_hash);
   if (it == entries_set_.end())
     return 0;
@@ -386,7 +386,7 @@ uint8_t SimpleIndex::GetEntryInMemoryData(uint64_t entry_hash) const {
 }
 
 void SimpleIndex::SetEntryInMemoryData(uint64_t entry_hash, uint8_t value) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   auto it = entries_set_.find(entry_hash);
   if (it == entries_set_.end())
     return;
@@ -394,7 +394,7 @@ void SimpleIndex::SetEntryInMemoryData(uint64_t entry_hash, uint8_t value) {
 }
 
 bool SimpleIndex::UseIfExists(uint64_t entry_hash) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   // Always update the last used time, even if it is during initialization.
   // It will be merged later.
   auto it = entries_set_.find(entry_hash);
@@ -410,7 +410,7 @@ bool SimpleIndex::UseIfExists(uint64_t entry_hash) {
 }
 
 void SimpleIndex::StartEvictionIfNeeded() {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   if (eviction_in_progress_ || cache_size_ <= high_watermark_)
     return;
   // Take all live key hashes from the index and sort them by time.
@@ -467,7 +467,7 @@ void SimpleIndex::StartEvictionIfNeeded() {
 }
 
 int32_t SimpleIndex::GetTrailerPrefetchSize(uint64_t entry_hash) const {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_EQ(cache_type_, net::APP_CACHE);
   auto it = entries_set_.find(entry_hash);
   if (it == entries_set_.end())
@@ -476,7 +476,7 @@ int32_t SimpleIndex::GetTrailerPrefetchSize(uint64_t entry_hash) const {
 }
 
 void SimpleIndex::SetTrailerPrefetchSize(uint64_t entry_hash, int32_t size) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_EQ(cache_type_, net::APP_CACHE);
   auto it = entries_set_.find(entry_hash);
   if (it == entries_set_.end())
@@ -489,7 +489,7 @@ void SimpleIndex::SetTrailerPrefetchSize(uint64_t entry_hash, int32_t size) {
 
 bool SimpleIndex::UpdateEntrySize(uint64_t entry_hash,
                                   base::StrictNumeric<uint32_t> entry_size) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   auto it = entries_set_.find(entry_hash);
   if (it == entries_set_.end())
     return false;
@@ -505,7 +505,7 @@ bool SimpleIndex::UpdateEntrySize(uint64_t entry_hash,
 }
 
 void SimpleIndex::EvictionDone(int result) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   // Ignore the result of eviction. We did our best.
   eviction_in_progress_ = false;
@@ -549,7 +549,7 @@ bool SimpleIndex::UpdateEntryIteratorSize(
     EntrySet::iterator* it,
     base::StrictNumeric<uint32_t> entry_size) {
   // Update the total cache size with the new entry size.
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_GE(cache_size_, (*it)->second.GetEntrySize());
   uint32_t original_size = (*it)->second.GetEntrySize();
   cache_size_ -= (*it)->second.GetEntrySize();
@@ -563,7 +563,7 @@ bool SimpleIndex::UpdateEntryIteratorSize(
 
 void SimpleIndex::MergeInitializingSet(
     std::unique_ptr<SimpleIndexLoadResult> load_result) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   EntrySet* index_file_entries = &load_result->entries;
 
@@ -619,7 +619,7 @@ void SimpleIndex::MergeInitializingSet(
   for (auto it = to_run_when_initialized_.begin(),
             end = to_run_when_initialized_.end();
        it != end; ++it) {
-    io_thread_->PostTask(FROM_HERE, base::BindOnce(std::move(*it), net::OK));
+    task_runner_->PostTask(FROM_HERE, base::BindOnce(std::move(*it), net::OK));
   }
   to_run_when_initialized_.clear();
 }
@@ -627,7 +627,7 @@ void SimpleIndex::MergeInitializingSet(
 #if defined(OS_ANDROID)
 void SimpleIndex::OnApplicationStateChange(
     base::android::ApplicationState state) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   // For more info about android activities, see:
   // developer.android.com/training/basics/activity-lifecycle/pausing.html
   if (state == base::android::APPLICATION_STATE_HAS_RUNNING_ACTIVITIES) {
@@ -641,7 +641,7 @@ void SimpleIndex::OnApplicationStateChange(
 #endif
 
 void SimpleIndex::WriteToDisk(IndexWriteToDiskReason reason) {
-  DCHECK(io_thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   if (!initialized_)
     return;
 
diff --git a/chromium/net/disk_cache/simple/simple_index.h b/chromium/net/disk_cache/simple/simple_index.h
index c3e3e028f34..f021cf1e382 100644
--- a/chromium/net/disk_cache/simple/simple_index.h
+++ b/chromium/net/disk_cache/simple/simple_index.h
@@ -20,8 +20,8 @@
 #include "base/memory/ref_counted.h"
 #include "base/memory/weak_ptr.h"
 #include "base/numerics/safe_conversions.h"
-#include "base/single_thread_task_runner.h"
-#include "base/threading/thread_checker.h"
+#include "base/sequence_checker.h"
+#include "base/sequenced_task_runner.h"
 #include "base/time/time.h"
 #include "base/timer/timer.h"
 #include "build/build_config.h"
@@ -134,7 +134,7 @@ class NET_EXPORT_PRIVATE SimpleIndex
 
   typedef std::vector<uint64_t> HashList;
 
-  SimpleIndex(const scoped_refptr<base::SingleThreadTaskRunner>& io_thread,
+  SimpleIndex(const scoped_refptr<base::SequencedTaskRunner>& task_runner,
               scoped_refptr<BackendCleanupTracker> cleanup_tracker,
               SimpleIndexDelegate* delegate,
               net::CacheType cache_type,
@@ -289,11 +289,12 @@ class NET_EXPORT_PRIVATE SimpleIndex
 
   std::unique_ptr<SimpleIndexFile> index_file_;
 
-  scoped_refptr<base::SingleThreadTaskRunner> io_thread_;
+  scoped_refptr<base::SequencedTaskRunner> task_runner_;
 
-  // All nonstatic SimpleEntryImpl methods should always be called on the IO
-  // thread, in all cases. |io_thread_checker_| documents and enforces this.
-  base::ThreadChecker io_thread_checker_;
+  // All nonstatic SimpleEntryImpl methods should always be called on its
+  // creation sequance, in all cases. |sequence_checker_| documents and
+  // enforces this.
+  SEQUENCE_CHECKER(sequence_checker_);
 
   // Timestamp of the last time we wrote the index to disk.
   // PostponeWritingToDisk() may give up postponing and allow the write if it
diff --git a/chromium/net/disk_cache/simple/simple_index_file.h b/chromium/net/disk_cache/simple/simple_index_file.h
index b8272fb596e..14e2da49c33 100644
--- a/chromium/net/disk_cache/simple/simple_index_file.h
+++ b/chromium/net/disk_cache/simple/simple_index_file.h
@@ -48,7 +48,7 @@ struct NET_EXPORT_PRIVATE SimpleIndexLoadResult {
 // the format see |SimpleIndexFile::Serialize()| and
 // |SimpleIndexFile::LoadFromDisk()|.
 //
-// The non-static methods must run on the IO thread. All the real
+// The non-static methods must run on the source creation sequence. All the real
 // work is done in the static methods, which are run on the cache thread
 // or in worker threads. Synchronization between methods is the
 // responsibility of the caller.
@@ -121,7 +121,8 @@ class NET_EXPORT_PRIVATE SimpleIndexFile {
                                                 int64_t size)>;
 
   // When loading the entries from disk, add this many extra hash buckets to
-  // prevent reallocation on the IO thread when merging in new live entries.
+  // prevent reallocation on the creation sequence when merging in new live
+  // entries.
   static const int kExtraSizeForMerge = 512;
 
   // Synchronous (IO performing) implementation of LoadIndexEntries.
diff --git a/chromium/net/disk_cache/simple/simple_net_log_parameters.cc b/chromium/net/disk_cache/simple/simple_net_log_parameters.cc
index 63f1c14b853..ce4889b81a0 100644
--- a/chromium/net/disk_cache/simple/simple_net_log_parameters.cc
+++ b/chromium/net/disk_cache/simple/simple_net_log_parameters.cc
@@ -18,19 +18,17 @@
 
 namespace {
 
-base::Value NetLogSimpleEntryConstructionCallback(
-    const disk_cache::SimpleEntryImpl* entry,
-    net::NetLogCaptureMode capture_mode) {
+base::Value NetLogSimpleEntryConstructionParams(
+    const disk_cache::SimpleEntryImpl* entry) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetStringKey("entry_hash",
                     base::StringPrintf("%#016" PRIx64, entry->entry_hash()));
   return dict;
 }
 
-base::Value NetLogSimpleEntryCreationCallback(
+base::Value NetLogSimpleEntryCreationParams(
     const disk_cache::SimpleEntryImpl* entry,
-    int net_error,
-    net::NetLogCaptureMode /* capture_mode */) {
+    int net_error) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("net_error", net_error);
   if (net_error == net::OK)
@@ -42,19 +40,24 @@ base::Value NetLogSimpleEntryCreationCallback(
 
 namespace disk_cache {
 
-net::NetLogParametersCallback CreateNetLogSimpleEntryConstructionCallback(
-    const SimpleEntryImpl* entry) {
+void NetLogSimpleEntryConstruction(const net::NetLogWithSource& net_log,
+                                   net::NetLogEventType type,
+                                   net::NetLogEventPhase phase,
+                                   const SimpleEntryImpl* entry) {
   DCHECK(entry);
-  return base::Bind(&NetLogSimpleEntryConstructionCallback,
-                    base::Unretained(entry));
+  net_log.AddEntry(type, phase,
+                   [&] { return NetLogSimpleEntryConstructionParams(entry); });
 }
 
-net::NetLogParametersCallback CreateNetLogSimpleEntryCreationCallback(
-    const SimpleEntryImpl* entry,
-    int net_error) {
+void NetLogSimpleEntryCreation(const net::NetLogWithSource& net_log,
+                               net::NetLogEventType type,
+                               net::NetLogEventPhase phase,
+                               const SimpleEntryImpl* entry,
+                               int net_error) {
   DCHECK(entry);
-  return base::Bind(&NetLogSimpleEntryCreationCallback, base::Unretained(entry),
-                    net_error);
+  net_log.AddEntry(type, phase, [&] {
+    return NetLogSimpleEntryCreationParams(entry, net_error);
+  });
 }
 
 }  // namespace disk_cache
diff --git a/chromium/net/disk_cache/simple/simple_net_log_parameters.h b/chromium/net/disk_cache/simple/simple_net_log_parameters.h
index 39b105a4408..443edb30377 100644
--- a/chromium/net/disk_cache/simple/simple_net_log_parameters.h
+++ b/chromium/net/disk_cache/simple/simple_net_log_parameters.h
@@ -5,7 +5,7 @@
 #ifndef NET_DISK_CACHE_SIMPLE_SIMPLE_NET_LOG_PARAMETERS_H_
 #define NET_DISK_CACHE_SIMPLE_SIMPLE_NET_LOG_PARAMETERS_H_
 
-#include "net/log/net_log_parameters_callback.h"
+#include "net/log/net_log_with_source.h"
 
 // This file augments the functions in net/disk_cache/net_log_parameters.h to
 // include ones that deal with specifics of the Simple Cache backend.
@@ -13,19 +13,21 @@ namespace disk_cache {
 
 class SimpleEntryImpl;
 
-// Creates a NetLog callback that returns parameters for the construction of a
-// SimpleEntryImpl. Contains the entry's hash. |entry| can't be NULL and must
-// outlive the returned callback.
-net::NetLogParametersCallback CreateNetLogSimpleEntryConstructionCallback(
-    const SimpleEntryImpl* entry);
-
-// Creates a NetLog callback that returns parameters for the result of calling
-// |CreateEntry| or |OpenEntry| on a SimpleEntryImpl. Contains the |net_error|
-// and, if successful, the entry's key. |entry| can't be NULL and must outlive
-// the returned callback.
-net::NetLogParametersCallback CreateNetLogSimpleEntryCreationCallback(
-    const SimpleEntryImpl* entry,
-    int net_error);
+// Logs the construction of a SimpleEntryImpl. Contains the entry's hash.
+// |entry| can't be nullptr.
+void NetLogSimpleEntryConstruction(const net::NetLogWithSource& net_log,
+                                   net::NetLogEventType type,
+                                   net::NetLogEventPhase phase,
+                                   const SimpleEntryImpl* entry);
+
+// Logs a call to |CreateEntry| or |OpenEntry| on a SimpleEntryImpl. Contains
+// the |net_error| and, if successful, the entry's key. |entry| can't be
+// nullptr.
+void NetLogSimpleEntryCreation(const net::NetLogWithSource& net_log,
+                               net::NetLogEventType type,
+                               net::NetLogEventPhase phase,
+                               const SimpleEntryImpl* entry,
+                               int net_error);
 
 }  // namespace disk_cache
 
diff --git a/chromium/net/dns/BUILD.gn b/chromium/net/dns/BUILD.gn
index 472bbf37c74..efca16752d9 100644
--- a/chromium/net/dns/BUILD.gn
+++ b/chromium/net/dns/BUILD.gn
@@ -5,7 +5,7 @@
 import("//net/features.gni")
 import("//testing/libfuzzer/fuzzer_test.gni")
 
-enable_built_in_dns = !is_ios && !is_proto_quic
+enable_built_in_dns = !is_ios
 
 source_set("dns") {
   # Due to circular dependencies, should only be depended on through //net.
@@ -73,6 +73,8 @@ source_set("dns") {
       "record_rdata.cc",
       "serial_worker.cc",
       "serial_worker.h",
+      "system_dns_config_change_notifier.cc",
+      "system_dns_config_change_notifier.h",
     ]
 
     if (is_fuchsia) {
@@ -386,6 +388,7 @@ source_set("tests") {
     "record_parsed_unittest.cc",
     "record_rdata_unittest.cc",
     "serial_worker_unittest.cc",
+    "system_dns_config_change_notifier_unittest.cc",
   ]
 
   if (is_posix) {
@@ -420,10 +423,12 @@ source_set("test_support") {
   sources = [
     "dns_test_util.cc",
     "mock_host_resolver.cc",
+    "test_dns_config_service.cc",
   ]
   public = [
     "dns_test_util.h",
     "mock_host_resolver.h",
+    "test_dns_config_service.h",
   ]
 
   if (enable_mdns) {
@@ -456,6 +461,9 @@ source_set("fuzzer_test_support") {
     "//base/test:test_support",
     "//net",
   ]
+  public_deps = [
+    "//third_party/libFuzzer:fuzzed_data_provider",
+  ]
 }
 
 fuzzer_test("net_dns_hosts_parse_fuzzer") {
diff --git a/chromium/net/dns/address_sorter_posix_unittest.cc b/chromium/net/dns/address_sorter_posix_unittest.cc
index 9597a80603b..3a411b276c3 100644
--- a/chromium/net/dns/address_sorter_posix_unittest.cc
+++ b/chromium/net/dns/address_sorter_posix_unittest.cc
@@ -159,12 +159,12 @@ class TestSocketFactory : public ClientSocketFactory {
     return nullptr;
   }
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext*,
       std::unique_ptr<StreamSocket>,
       const HostPortPair&,
-      const SSLConfig&,
-      const SSLClientSocketContext&) override {
+      const SSLConfig&) override {
     NOTIMPLEMENTED();
-    return std::unique_ptr<SSLClientSocket>();
+    return nullptr;
   }
   std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
       std::unique_ptr<StreamSocket> stream_socket,
diff --git a/chromium/net/dns/context_host_resolver_unittest.cc b/chromium/net/dns/context_host_resolver_unittest.cc
index 240b1273bd0..7f00e241411 100644
--- a/chromium/net/dns/context_host_resolver_unittest.cc
+++ b/chromium/net/dns/context_host_resolver_unittest.cc
@@ -71,13 +71,11 @@ TEST_F(ContextHostResolverTest, Resolve) {
   URLRequestContext context;
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("example.com", dns_protocol::kTypeA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeA, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsResponse(
                          "example.com", kEndpoint.address())),
                      false /* delay */, &context);
-  rules.emplace_back("example.com", dns_protocol::kTypeAAAA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeAAAA, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
                      false /* delay */, &context);
   SetMockDnsRules(std::move(rules));
@@ -100,13 +98,11 @@ TEST_F(ContextHostResolverTest, Resolve) {
 TEST_F(ContextHostResolverTest, DestroyRequest) {
   // Setup delayed results for "example.com".
   MockDnsClientRuleList rules;
-  rules.emplace_back("example.com", dns_protocol::kTypeA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeA, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsResponse(
                          "example.com", IPAddress(1, 2, 3, 4))),
                      true /* delay */);
-  rules.emplace_back("example.com", dns_protocol::kTypeAAAA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeAAAA, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
                      false /* delay */);
   SetMockDnsRules(std::move(rules));
@@ -136,22 +132,18 @@ TEST_F(ContextHostResolverTest, DestroyRequest) {
 TEST_F(ContextHostResolverTest, DestroyResolver) {
   // Setup delayed results for "example.com" and "google.com".
   MockDnsClientRuleList rules;
-  rules.emplace_back("example.com", dns_protocol::kTypeA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeA, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsResponse(
                          "example.com", IPAddress(2, 3, 4, 5))),
                      true /* delay */);
-  rules.emplace_back("example.com", dns_protocol::kTypeAAAA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeAAAA, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
                      false /* delay */);
-  rules.emplace_back("google.com", dns_protocol::kTypeA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("google.com", dns_protocol::kTypeA, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsResponse(
                          "google.com", kEndpoint.address())),
                      true /* delay */);
-  rules.emplace_back("google.com", dns_protocol::kTypeAAAA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("google.com", dns_protocol::kTypeAAAA, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
                      false /* delay */);
   SetMockDnsRules(std::move(rules));
@@ -193,13 +185,11 @@ TEST_F(ContextHostResolverTest, DestroyResolver) {
 TEST_F(ContextHostResolverTest, DestroyResolver_RemainingRequests) {
   // Setup delayed results for "example.com".
   MockDnsClientRuleList rules;
-  rules.emplace_back("example.com", dns_protocol::kTypeA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeA, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsResponse(
                          "example.com", kEndpoint.address())),
                      true /* delay */);
-  rules.emplace_back("example.com", dns_protocol::kTypeAAAA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeAAAA, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
                      false /* delay */);
   SetMockDnsRules(std::move(rules));
@@ -240,13 +230,11 @@ TEST_F(ContextHostResolverTest, DestroyResolver_RemainingRequests) {
 
 TEST_F(ContextHostResolverTest, DestroyResolver_CompletedRequests) {
   MockDnsClientRuleList rules;
-  rules.emplace_back("example.com", dns_protocol::kTypeA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeA, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsResponse(
                          "example.com", kEndpoint.address())),
                      false /* delay */);
-  rules.emplace_back("example.com", dns_protocol::kTypeAAAA,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeAAAA, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
                      false /* delay */);
   SetMockDnsRules(std::move(rules));
@@ -300,13 +288,11 @@ TEST_F(ContextHostResolverTest, ResolveFromCache) {
 
 TEST_F(ContextHostResolverTest, ResultsAddedToCache) {
   MockDnsClientRuleList rules;
-  rules.emplace_back("example.com", dns_protocol::kTypeA,
-                     DnsConfig::DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeA, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsResponse(
                          "example.com", kEndpoint.address())),
                      false /* delay */);
-  rules.emplace_back("example.com", dns_protocol::kTypeAAAA,
-                     DnsConfig::DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("example.com", dns_protocol::kTypeAAAA, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
                      false /* delay */);
   SetMockDnsRules(std::move(rules));
diff --git a/chromium/net/dns/dns_config.cc b/chromium/net/dns/dns_config.cc
index 8853d5b54f6..71e912f5d88 100644
--- a/chromium/net/dns/dns_config.cc
+++ b/chromium/net/dns/dns_config.cc
@@ -12,8 +12,15 @@ namespace net {
 
 // Default values are taken from glibc resolv.h except timeout which is set to
 // |kDnsDefaultTimeoutMs|.
-DnsConfig::DnsConfig()
-    : unhandled_options(false),
+DnsConfig::DnsConfig() : DnsConfig(std::vector<IPEndPoint>()) {}
+
+DnsConfig::DnsConfig(const DnsConfig& other) = default;
+
+DnsConfig::DnsConfig(DnsConfig&& other) = default;
+
+DnsConfig::DnsConfig(std::vector<IPEndPoint> nameservers)
+    : nameservers(std::move(nameservers)),
+      unhandled_options(false),
       append_to_multi_label_name(true),
       randomize_ports(false),
       ndots(1),
@@ -23,10 +30,6 @@ DnsConfig::DnsConfig()
       use_local_ipv6(false),
       secure_dns_mode(SecureDnsMode::OFF) {}
 
-DnsConfig::DnsConfig(const DnsConfig& other) = default;
-
-DnsConfig::DnsConfig(DnsConfig&& other) = default;
-
 DnsConfig::~DnsConfig() = default;
 
 DnsConfig& DnsConfig::operator=(const DnsConfig& other) = default;
@@ -37,6 +40,10 @@ bool DnsConfig::Equals(const DnsConfig& d) const {
   return EqualsIgnoreHosts(d) && (hosts == d.hosts);
 }
 
+bool DnsConfig::operator==(const DnsConfig& d) const {
+  return Equals(d);
+}
+
 bool DnsConfig::EqualsIgnoreHosts(const DnsConfig& d) const {
   return (nameservers == d.nameservers) && (search == d.search) &&
          (unhandled_options == d.unhandled_options) &&
diff --git a/chromium/net/dns/dns_config.h b/chromium/net/dns/dns_config.h
index 3f2a85ce849..a8dbf813a80 100644
--- a/chromium/net/dns/dns_config.h
+++ b/chromium/net/dns/dns_config.h
@@ -28,12 +28,14 @@ struct NET_EXPORT DnsConfig {
   DnsConfig();
   DnsConfig(const DnsConfig& other);
   DnsConfig(DnsConfig&& other);
+  explicit DnsConfig(std::vector<IPEndPoint> nameservers);
   ~DnsConfig();
 
   DnsConfig& operator=(const DnsConfig& other);
   DnsConfig& operator=(DnsConfig&& other);
 
   bool Equals(const DnsConfig& d) const;
+  bool operator==(const DnsConfig& d) const;
 
   bool EqualsIgnoreHosts(const DnsConfig& d) const;
 
diff --git a/chromium/net/dns/dns_config_service.cc b/chromium/net/dns/dns_config_service.cc
index 25060e68be6..1d7d0cc510a 100644
--- a/chromium/net/dns/dns_config_service.cc
+++ b/chromium/net/dns/dns_config_service.cc
@@ -16,7 +16,9 @@ DnsConfigService::DnsConfigService()
       have_config_(false),
       have_hosts_(false),
       need_update_(false),
-      last_sent_empty_(true) {}
+      last_sent_empty_(true) {
+  DETACH_FROM_SEQUENCE(sequence_checker_);
+}
 
 DnsConfigService::~DnsConfigService() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -39,6 +41,11 @@ void DnsConfigService::WatchConfig(const CallbackType& callback) {
   ReadNow();
 }
 
+void DnsConfigService::RefreshConfig() {
+  // Overridden on supported platforms.
+  NOTREACHED();
+}
+
 void DnsConfigService::InvalidateConfig() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   base::TimeTicks now = base::TimeTicks::Now();
diff --git a/chromium/net/dns/dns_config_service.h b/chromium/net/dns/dns_config_service.h
index 97a211ee8aa..f00466ea03a 100644
--- a/chromium/net/dns/dns_config_service.h
+++ b/chromium/net/dns/dns_config_service.h
@@ -29,7 +29,8 @@ class NET_EXPORT_PRIVATE DnsConfigService {
   // ReadConfig() and WatchConfig().
   typedef base::Callback<void(const DnsConfig& config)> CallbackType;
 
-  // Creates the platform-specific DnsConfigService.
+  // Creates the platform-specific DnsConfigService. May return |nullptr| if
+  // reading system DNS settings is not supported on the current platform.
   static std::unique_ptr<DnsConfigService> CreateSystemService();
 
   DnsConfigService();
@@ -45,6 +46,11 @@ class NET_EXPORT_PRIVATE DnsConfigService {
   // Might require MessageLoopForIO.
   void WatchConfig(const CallbackType& callback);
 
+  // Triggers invalidation and re-read of the current configuration (followed by
+  // invocation of the callback). For use only on platforms expecting
+  // network-stack-external notifications of DNS config changes.
+  virtual void RefreshConfig();
+
  protected:
   enum WatchStatus {
     DNS_CONFIG_WATCH_STARTED = 0,
diff --git a/chromium/net/dns/dns_config_service_fuchsia.cc b/chromium/net/dns/dns_config_service_fuchsia.cc
index 21d4e5526a7..1673b6d5411 100644
--- a/chromium/net/dns/dns_config_service_fuchsia.cc
+++ b/chromium/net/dns/dns_config_service_fuchsia.cc
@@ -17,8 +17,6 @@ DnsConfigServiceFuchsia::~DnsConfigServiceFuchsia() = default;
 
 void DnsConfigServiceFuchsia::ReadNow() {
   // TODO(crbug.com/950717): Implement this method.
-  OnConfigRead(DnsConfig());
-  OnHostsRead(DnsHosts());
 }
 
 bool DnsConfigServiceFuchsia::StartWatching() {
diff --git a/chromium/net/dns/dns_config_service_posix.cc b/chromium/net/dns/dns_config_service_posix.cc
index 48ee9253d64..ee2d5721425 100644
--- a/chromium/net/dns/dns_config_service_posix.cc
+++ b/chromium/net/dns/dns_config_service_posix.cc
@@ -239,8 +239,7 @@ ConfigParsePosixResult ReadDnsConfig(DnsConfig* dns_config) {
 
 class DnsConfigServicePosix::Watcher {
  public:
-  explicit Watcher(DnsConfigServicePosix* service)
-      : service_(service), weak_factory_(this) {}
+  explicit Watcher(DnsConfigServicePosix* service) : service_(service) {}
   ~Watcher() = default;
 
   bool Watch() {
@@ -294,7 +293,7 @@ class DnsConfigServicePosix::Watcher {
   base::FilePathWatcher hosts_watcher_;
 #endif  // !defined(OS_ANDROID) && !defined(OS_IOS)
 
-  base::WeakPtrFactory<Watcher> weak_factory_;
+  base::WeakPtrFactory<Watcher> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(Watcher);
 };
@@ -412,6 +411,12 @@ DnsConfigServicePosix::~DnsConfigServicePosix() {
   hosts_reader_->Cancel();
 }
 
+void DnsConfigServicePosix::RefreshConfig() {
+  InvalidateConfig();
+  InvalidateHosts();
+  ReadNow();
+}
+
 void DnsConfigServicePosix::ReadNow() {
   config_reader_->WorkNow();
   hosts_reader_->WorkNow();
@@ -571,8 +576,15 @@ ConfigParsePosixResult ConvertResStateToDnsConfig(const struct __res_state& res,
 
 // static
 std::unique_ptr<DnsConfigService> DnsConfigService::CreateSystemService() {
+  // DnsConfigService on iOS doesn't watch the config so its result can become
+  // inaccurate at any time.  Disable it to prevent promulgation of inaccurate
+  // DnsConfigs.
+#ifdef OS_IOS
+  return nullptr;
+#else   // defined(OS_IOS)
   return std::unique_ptr<DnsConfigService>(
       new internal::DnsConfigServicePosix());
+#endif  // defined(OS_IOS)
 }
 
 }  // namespace net
diff --git a/chromium/net/dns/dns_config_service_posix.h b/chromium/net/dns/dns_config_service_posix.h
index 9a8e1ba5634..342b108d02e 100644
--- a/chromium/net/dns/dns_config_service_posix.h
+++ b/chromium/net/dns/dns_config_service_posix.h
@@ -5,6 +5,8 @@
 #ifndef NET_DNS_DNS_CONFIG_SERVICE_POSIX_H_
 #define NET_DNS_DNS_CONFIG_SERVICE_POSIX_H_
 
+#include <memory>
+
 #if !defined(OS_ANDROID)
 #include <sys/types.h>
 #include <netinet/in.h>
@@ -34,6 +36,8 @@ class NET_EXPORT_PRIVATE DnsConfigServicePosix : public DnsConfigService {
   DnsConfigServicePosix();
   ~DnsConfigServicePosix() override;
 
+  void RefreshConfig() override;
+
  protected:
   // DnsConfigService:
   void ReadNow() override;
diff --git a/chromium/net/dns/dns_config_service_posix_unittest.cc b/chromium/net/dns/dns_config_service_posix_unittest.cc
index 346fe531284..c8d09d968b4 100644
--- a/chromium/net/dns/dns_config_service_posix_unittest.cc
+++ b/chromium/net/dns/dns_config_service_posix_unittest.cc
@@ -256,7 +256,7 @@ TEST_F(DnsConfigServicePosixTest, ChangeConfigMultipleTimes) {
   scoped_task_environment_.RunUntilIdle();
 
   for (int i = 0; i < 5; i++) {
-    service_->OnConfigChanged(true);
+    service_->RefreshConfig();
     // Wait for config read after the change. OnConfigChanged() will only be
     // called if the new config is different from the old one, so this can't be
     // ExpectChange().
diff --git a/chromium/net/dns/dns_config_service_unittest.cc b/chromium/net/dns/dns_config_service_unittest.cc
index 2fff61608e9..39c63de11e3 100644
--- a/chromium/net/dns/dns_config_service_unittest.cc
+++ b/chromium/net/dns/dns_config_service_unittest.cc
@@ -15,6 +15,7 @@
 #include "base/test/test_timeouts.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/dns/public/dns_protocol.h"
+#include "net/dns/test_dns_config_service.h"
 #include "net/test/test_with_scoped_task_environment.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -31,33 +32,6 @@ class DnsConfigServiceTest : public TestWithScopedTaskEnvironment {
   }
 
  protected:
-  class TestDnsConfigService : public DnsConfigService {
-   public:
-    void ReadNow() override {}
-    bool StartWatching() override { return true; }
-
-    // Expose the protected methods to this test suite.
-    void InvalidateConfig() {
-      DnsConfigService::InvalidateConfig();
-    }
-
-    void InvalidateHosts() {
-      DnsConfigService::InvalidateHosts();
-    }
-
-    void OnConfigRead(const DnsConfig& config) {
-      DnsConfigService::OnConfigRead(config);
-    }
-
-    void OnHostsRead(const DnsHosts& hosts) {
-      DnsConfigService::OnHostsRead(hosts);
-    }
-
-    void set_watch_failed(bool value) {
-      DnsConfigService::set_watch_failed(value);
-    }
-  };
-
   void WaitForConfig(base::TimeDelta timeout) {
     base::RunLoop run_loop;
     base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
diff --git a/chromium/net/dns/dns_query.cc b/chromium/net/dns/dns_query.cc
index 797b8fe2dcd..90176623c05 100644
--- a/chromium/net/dns/dns_query.cc
+++ b/chromium/net/dns/dns_query.cc
@@ -4,10 +4,13 @@
 
 #include "net/dns/dns_query.h"
 
+#include <utility>
+
 #include "base/big_endian.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/numerics/safe_conversions.h"
+#include "base/optional.h"
 #include "base/sys_byteorder.h"
 #include "net/base/io_buffer.h"
 #include "net/dns/dns_util.h"
@@ -28,10 +31,63 @@ static const size_t kOptRRFixedSize = 11;
 // TODO(robpercival): Determine a good value for this programmatically.
 const uint16_t kMaxUdpPayloadSize = 4096;
 
+size_t QuestionSize(size_t qname_size) {
+  // QNAME + QTYPE + QCLASS
+  return qname_size + sizeof(uint16_t) + sizeof(uint16_t);
+}
+
+// Buffer size of Opt record for |rdata| (does not include Opt record or RData
+// added for padding).
 size_t OptRecordSize(const OptRecordRdata* rdata) {
   return rdata == nullptr ? 0 : kOptRRFixedSize + rdata->buf().size();
 }
 
+// Padding size includes Opt header for the padding.  Does not include OptRecord
+// header (kOptRRFixedSize) even when added just for padding.
+size_t DeterminePaddingSize(size_t unpadded_size,
+                            DnsQuery::PaddingStrategy padding_strategy) {
+  switch (padding_strategy) {
+    case DnsQuery::PaddingStrategy::NONE:
+      return 0;
+    case DnsQuery::PaddingStrategy::BLOCK_LENGTH_128:
+      size_t padding_size = OptRecordRdata::Opt::kHeaderSize;
+      size_t remainder = (padding_size + unpadded_size) % 128;
+      padding_size += (128 - remainder) % 128;
+      DCHECK_EQ((unpadded_size + padding_size) % 128, 0u);
+      return padding_size;
+  }
+}
+
+base::Optional<OptRecordRdata> AddPaddingIfNecessary(
+    const OptRecordRdata* opt_rdata,
+    DnsQuery::PaddingStrategy padding_strategy,
+    size_t no_opt_buffer_size) {
+  // If no input OPT record rdata and no padding, no OPT record rdata needed.
+  if (!opt_rdata && padding_strategy == DnsQuery::PaddingStrategy::NONE)
+    return base::nullopt;
+
+  OptRecordRdata merged_opt_rdata;
+  if (opt_rdata)
+    merged_opt_rdata.AddOpts(*opt_rdata);
+
+  size_t unpadded_size = no_opt_buffer_size + OptRecordSize(&merged_opt_rdata);
+  size_t padding_size = DeterminePaddingSize(unpadded_size, padding_strategy);
+
+  if (padding_size > 0) {
+    // |opt_rdata| must not already contain padding if DnsQuery is to add
+    // padding.
+    DCHECK(!merged_opt_rdata.ContainsOptCode(dns_protocol::kEdnsPadding));
+    // OPT header is the minimum amount of padding.
+    DCHECK(padding_size >= OptRecordRdata::Opt::kHeaderSize);
+
+    merged_opt_rdata.AddOpt(OptRecordRdata::Opt(
+        dns_protocol::kEdnsPadding,
+        std::string(padding_size - OptRecordRdata::Opt::kHeaderSize, 0)));
+  }
+
+  return merged_opt_rdata;
+}
+
 }  // namespace
 
 // DNS query consists of a 12-byte header followed by a question section.
@@ -41,12 +97,20 @@ size_t OptRecordSize(const OptRecordRdata* rdata) {
 DnsQuery::DnsQuery(uint16_t id,
                    const base::StringPiece& qname,
                    uint16_t qtype,
-                   const OptRecordRdata* opt_rdata)
-    : qname_size_(qname.size()),
-      io_buffer_(base::MakeRefCounted<IOBufferWithSize>(
-          kHeaderSize + question_size() + OptRecordSize(opt_rdata))),
-      header_(reinterpret_cast<dns_protocol::Header*>(io_buffer_->data())) {
+                   const OptRecordRdata* opt_rdata,
+                   PaddingStrategy padding_strategy)
+    : qname_size_(qname.size()) {
   DCHECK(!DNSDomainToString(qname).empty());
+
+  size_t buffer_size = kHeaderSize + QuestionSize(qname_size_);
+  base::Optional<OptRecordRdata> merged_opt_rdata =
+      AddPaddingIfNecessary(opt_rdata, padding_strategy, buffer_size);
+  if (merged_opt_rdata)
+    buffer_size += OptRecordSize(&merged_opt_rdata.value());
+
+  io_buffer_ = base::MakeRefCounted<IOBufferWithSize>(buffer_size);
+
+  header_ = reinterpret_cast<dns_protocol::Header*>(io_buffer_->data());
   *header_ = {};
   header_->id = base::HostToNet16(id);
   header_->flags = base::HostToNet16(dns_protocol::kFlagRD);
@@ -59,7 +123,9 @@ DnsQuery::DnsQuery(uint16_t id,
   writer.WriteU16(qtype);
   writer.WriteU16(dns_protocol::kClassIN);
 
-  if (opt_rdata != nullptr) {
+  if (merged_opt_rdata) {
+    DCHECK(!merged_opt_rdata.value().opts().empty());
+
     header_->arcount = base::HostToNet16(1);
     // Write OPT pseudo-resource record.
     writer.WriteU8(0);                       // empty domain name (root domain)
@@ -71,9 +137,11 @@ DnsQuery::DnsQuery(uint16_t id,
     // TODO(robpercival): Set "DNSSEC OK" flag if/when DNSSEC is supported:
     // https://tools.ietf.org/html/rfc3225#section-3
     writer.WriteU16(0);  // flags
+
     // rdata
-    writer.WriteU16(opt_rdata->buf().size());  // rdata length
-    writer.WriteBytes(opt_rdata->buf().data(), opt_rdata->buf().size());
+    writer.WriteU16(merged_opt_rdata.value().buf().size());  // rdata length
+    writer.WriteBytes(merged_opt_rdata.value().buf().data(),
+                      merged_opt_rdata.value().buf().size());
   }
 }
 
@@ -140,7 +208,12 @@ uint16_t DnsQuery::qtype() const {
 }
 
 base::StringPiece DnsQuery::question() const {
-  return base::StringPiece(io_buffer_->data() + kHeaderSize, question_size());
+  return base::StringPiece(io_buffer_->data() + kHeaderSize,
+                           QuestionSize(qname_size_));
+}
+
+size_t DnsQuery::question_size() const {
+  return QuestionSize(qname_size_);
 }
 
 void DnsQuery::set_flags(uint16_t flags) {
diff --git a/chromium/net/dns/dns_query.h b/chromium/net/dns/dns_query.h
index 981cc9e8293..6ca6a1e93f0 100644
--- a/chromium/net/dns/dns_query.h
+++ b/chromium/net/dns/dns_query.h
@@ -9,6 +9,7 @@
 #include <stdint.h>
 
 #include <memory>
+#include <string>
 
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
@@ -32,19 +33,31 @@ class IOBufferWithSize;
 // Represents on-the-wire DNS query message as an object.
 class NET_EXPORT_PRIVATE DnsQuery {
  public:
+  enum class PaddingStrategy {
+    // Query will not be padded. Recommended strategy when query will not be
+    // encrypted.
+    NONE,
+
+    // Query will be padded to the next multiple of 128 octets. Recommended
+    // strategy (per RFC 8467) when query will be encrypted, e.g. through
+    // DNS-over-HTTPS.
+    BLOCK_LENGTH_128,
+  };
+
   // Constructs a query message from |qname| which *MUST* be in a valid
   // DNS name format, and |qtype|. The qclass is set to IN.
-  // If opt_rdata is not null, an OPT record will be added to the "Additional"
+  // If |opt_rdata| is not null, an OPT record will be added to the "Additional"
   // section of the query.
   DnsQuery(uint16_t id,
            const base::StringPiece& qname,
            uint16_t qtype,
-           const OptRecordRdata* opt_rdata = nullptr);
+           const OptRecordRdata* opt_rdata = nullptr,
+           PaddingStrategy padding_strategy = PaddingStrategy::NONE);
 
   // Constructs an empty query from a raw packet in |buffer|. If the raw packet
   // represents a valid DNS query in the wire format (RFC 1035), Parse() will
   // populate the empty query.
-  DnsQuery(scoped_refptr<IOBufferWithSize> buffer);
+  explicit DnsQuery(scoped_refptr<IOBufferWithSize> buffer);
 
   ~DnsQuery();
 
@@ -72,10 +85,7 @@ class NET_EXPORT_PRIVATE DnsQuery {
   base::StringPiece question() const;
 
   // Returns the size of the question section.
-  size_t question_size() const {
-    // QNAME + QTYPE + QCLASS
-    return qname_size_ + sizeof(uint16_t) + sizeof(uint16_t);
-  }
+  size_t question_size() const;
 
   // IOBuffer accessor to be used for writing out the query. The buffer has
   // the same byte layout as the DNS query wire format.
diff --git a/chromium/net/dns/dns_query_unittest.cc b/chromium/net/dns/dns_query_unittest.cc
index 40009e6e08d..3e5990887c0 100644
--- a/chromium/net/dns/dns_query_unittest.cc
+++ b/chromium/net/dns/dns_query_unittest.cc
@@ -4,8 +4,11 @@
 
 #include "net/dns/dns_query.h"
 
+#include <tuple>
+
 #include "base/stl_util.h"
 #include "net/base/io_buffer.h"
+#include "net/dns/dns_util.h"
 #include "net/dns/public/dns_protocol.h"
 #include "net/dns/record_rdata.h"
 #include "testing/gmock/include/gmock/gmock.h"
@@ -38,6 +41,7 @@ const char kQNameData[] =
     "example"
     "\x03"
     "com";
+const base::StringPiece kQName(kQNameData, sizeof(kQNameData));
 
 TEST(DnsQueryTest, Constructor) {
   // This includes \0 at the end.
@@ -56,11 +60,10 @@ TEST(DnsQueryTest, Constructor) {
       0x00, 0x01,  // QCLASS: IN class.
   };
 
-  base::StringPiece qname(kQNameData, sizeof(kQNameData));
-  DnsQuery q1(0xbeef, qname, dns_protocol::kTypeA);
+  DnsQuery q1(0xbeef, kQName, dns_protocol::kTypeA);
   EXPECT_EQ(dns_protocol::kTypeA, q1.qtype());
   EXPECT_THAT(AsTuple(q1.io_buffer()), ElementsAreArray(query_data));
-  EXPECT_EQ(qname, q1.qname());
+  EXPECT_EQ(kQName, q1.qname());
 
   base::StringPiece question(reinterpret_cast<const char*>(query_data) + 12,
                              21);
@@ -117,6 +120,42 @@ TEST(DnsQueryTest, EDNS0) {
   EXPECT_EQ(question, q1.question());
 }
 
+TEST(DnsQueryTest, Block128Padding) {
+  DnsQuery query(46 /* id */, kQName, dns_protocol::kTypeAAAA,
+                 nullptr /* opt_rdata */,
+                 DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+
+  // Query is expected to be short and fit in a single 128-byte padded block.
+  EXPECT_EQ(128, query.io_buffer()->size());
+
+  // Ensure created query still parses as expected.
+  DnsQuery parsed_query(query.io_buffer());
+  ASSERT_TRUE(parsed_query.Parse(query.io_buffer()->size()));
+  EXPECT_EQ(kQName, parsed_query.qname());
+  EXPECT_EQ(dns_protocol::kTypeAAAA, parsed_query.qtype());
+}
+
+TEST(DnsQueryTest, Block128Padding_LongName) {
+  std::string qname;
+  DNSDomainFromDot(
+      "really.long.domain.name.that.will.push.us.past.the.128.byte.block.size."
+      "because.it.would.be.nice.to.test.something.realy.long.like.that.com",
+      &qname);
+  DnsQuery query(112 /* id */, qname, dns_protocol::kTypeAAAA,
+                 nullptr /* opt_rdata */,
+                 DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+
+  // Query is expected to pad into a second 128-byte block.
+  EXPECT_EQ(256, query.io_buffer()->size());
+  EXPECT_EQ(qname, query.qname());
+
+  // Ensure created query still parses as expected.
+  DnsQuery parsed_query(query.io_buffer());
+  ASSERT_TRUE(parsed_query.Parse(query.io_buffer()->size()));
+  EXPECT_EQ(qname, parsed_query.qname());
+  EXPECT_EQ(dns_protocol::kTypeAAAA, parsed_query.qtype());
+}
+
 TEST(DnsQueryParseTest, SingleQuestionForTypeARecord) {
   const uint8_t query_data[] = {
       0x12, 0x34,  // ID
diff --git a/chromium/net/dns/dns_response.cc b/chromium/net/dns/dns_response.cc
index 2e7fab29f74..1f461017f45 100644
--- a/chromium/net/dns/dns_response.cc
+++ b/chromium/net/dns/dns_response.cc
@@ -32,10 +32,6 @@ const size_t kHeaderSize = sizeof(dns_protocol::Header);
 
 const uint8_t kRcodeMask = 0xf;
 
-// RFC 1035, Section 4.1.3.
-// TYPE (2 bytes) + CLASS (2 bytes) + TTL (4 bytes) + RDLENGTH (2 bytes)
-const size_t kResourceRecordSizeInBytesWithoutNameAndRData = 10;
-
 }  // namespace
 
 DnsResourceRecord::DnsResourceRecord() = default;
@@ -109,7 +105,7 @@ size_t DnsResourceRecord::CalculateRecordSize() const {
   // 1 byte (with dot) or 2 bytes larger in size. See RFC 1035, Section 3.1 and
   // DNSDomainFromDot.
   return name.size() + (has_final_dot ? 1 : 2) +
-         kResourceRecordSizeInBytesWithoutNameAndRData +
+         net::dns_protocol::kResourceRecordSizeInBytesWithoutNameAndRData +
          (owned_rdata.empty() ? rdata.size() : owned_rdata.size());
 }
 
@@ -363,9 +359,10 @@ DnsResponse::DnsResponse(const void* data, size_t length, size_t answer_offset)
 DnsResponse::~DnsResponse() = default;
 
 bool DnsResponse::InitParse(size_t nbytes, const DnsQuery& query) {
-  // Response includes query, it should be at least that size.
-  if (nbytes < base::checked_cast<size_t>(query.io_buffer()->size()) ||
-      nbytes > io_buffer_size_) {
+  const base::StringPiece question = query.question();
+
+  // Response includes question, it should be at least that size.
+  if (nbytes < kHeaderSize + question.size() || nbytes > io_buffer_size_) {
     return false;
   }
 
@@ -382,7 +379,6 @@ bool DnsResponse::InitParse(size_t nbytes, const DnsQuery& query) {
     return false;
 
   // Match the question section.
-  const base::StringPiece question = query.question();
   if (question !=
       base::StringPiece(io_buffer_->data() + kHeaderSize, question.size())) {
     return false;
diff --git a/chromium/net/dns/dns_session.cc b/chromium/net/dns/dns_session.cc
index 7ac72703f56..6164f313199 100644
--- a/chromium/net/dns/dns_session.cc
+++ b/chromium/net/dns/dns_session.cc
@@ -295,8 +295,8 @@ std::unique_ptr<DnsSession::SocketLease> DnsSession::AllocateSocket(
   if (!socket.get())
     return std::unique_ptr<SocketLease>();
 
-  socket->NetLog().BeginEvent(NetLogEventType::SOCKET_IN_USE,
-                              source.ToEventParametersCallback());
+  socket->NetLog().BeginEventReferencingSource(NetLogEventType::SOCKET_IN_USE,
+                                               source);
 
   SocketLease* lease = new SocketLease(this, server_index, std::move(socket));
   return std::unique_ptr<SocketLease>(lease);
diff --git a/chromium/net/dns/dns_session_unittest.cc b/chromium/net/dns/dns_session_unittest.cc
index a3bc61d600b..4a6ae5668ce 100644
--- a/chromium/net/dns/dns_session_unittest.cc
+++ b/chromium/net/dns/dns_session_unittest.cc
@@ -45,12 +45,12 @@ class TestClientSocketFactory : public ClientSocketFactory {
   }
 
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> stream_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override {
+      const SSLConfig& ssl_config) override {
     NOTIMPLEMENTED();
-    return std::unique_ptr<SSLClientSocket>();
+    return nullptr;
   }
 
   std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
diff --git a/chromium/net/dns/dns_socket_pool_unittest.cc b/chromium/net/dns/dns_socket_pool_unittest.cc
index eba97494267..2138518e5a1 100644
--- a/chromium/net/dns/dns_socket_pool_unittest.cc
+++ b/chromium/net/dns/dns_socket_pool_unittest.cc
@@ -16,14 +16,14 @@ namespace {
 
 class DummyObject {
  public:
-  DummyObject() : weak_factory_(this) {}
+  DummyObject() {}
 
   base::WeakPtr<DummyObject> GetWeakPtr() { return weak_factory_.GetWeakPtr(); }
 
   bool HasWeakPtrs() const { return weak_factory_.HasWeakPtrs(); }
 
  private:
-  base::WeakPtrFactory<DummyObject> weak_factory_;
+  base::WeakPtrFactory<DummyObject> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(DummyObject);
 };
diff --git a/chromium/net/dns/dns_test_util.cc b/chromium/net/dns/dns_test_util.cc
index 8394244aeaa..1910a8000cd 100644
--- a/chromium/net/dns/dns_test_util.cc
+++ b/chromium/net/dns/dns_test_util.cc
@@ -186,29 +186,26 @@ class MockTransaction : public DnsTransaction,
   MockTransaction(const MockDnsClientRuleList& rules,
                   const std::string& hostname,
                   uint16_t qtype,
-                  DnsConfig::SecureDnsMode secure_dns_mode,
+                  bool secure,
                   URLRequestContext* url_request_context,
                   DnsTransactionFactory::CallbackType callback)
       : result_(MockDnsClientRule::FAIL),
         hostname_(hostname),
         qtype_(qtype),
         callback_(std::move(callback)),
-        secure_(false),
         started_(false),
         delayed_(false) {
-    // Find the relevant rule which matches |qtype|, |secure_dns_mode|, prefix
-    // of |hostname|, and |url_request_context| (iff the rule context is not
+    // Find the relevant rule which matches |qtype|, |secure|, prefix of
+    // |hostname|, and |url_request_context| (iff the rule context is not
     // null).
     for (size_t i = 0; i < rules.size(); ++i) {
       const std::string& prefix = rules[i].prefix;
-      if ((rules[i].qtype == qtype) &&
-          rules[i].secure_dns_mode == secure_dns_mode &&
+      if ((rules[i].qtype == qtype) && (rules[i].secure == secure) &&
           (hostname.size() >= prefix.size()) &&
           (hostname.compare(0, prefix.size(), prefix) == 0) &&
           (!rules[i].context || rules[i].context == url_request_context)) {
         const MockDnsClientRule::Result* result = &rules[i].result;
         result_ = MockDnsClientRule::Result(result->type);
-        secure_ = result->secure;
         delayed_ = rules[i].delay;
 
         // Generate a DnsResponse when not provided with the rule.
@@ -294,15 +291,15 @@ class MockTransaction : public DnsTransaction,
       case MockDnsClientRule::NODOMAIN:
       case MockDnsClientRule::FAIL:
         std::move(callback_).Run(this, ERR_NAME_NOT_RESOLVED,
-                                 result_.response.get(), secure_);
+                                 result_.response.get());
         break;
       case MockDnsClientRule::EMPTY:
       case MockDnsClientRule::OK:
       case MockDnsClientRule::MALFORMED:
-        std::move(callback_).Run(this, OK, result_.response.get(), secure_);
+        std::move(callback_).Run(this, OK, result_.response.get());
         break;
       case MockDnsClientRule::TIMEOUT:
-        std::move(callback_).Run(this, ERR_DNS_TIMED_OUT, nullptr, secure_);
+        std::move(callback_).Run(this, ERR_DNS_TIMED_OUT, nullptr);
         break;
     }
   }
@@ -313,7 +310,6 @@ class MockTransaction : public DnsTransaction,
   const std::string hostname_;
   const uint16_t qtype_;
   DnsTransactionFactory::CallbackType callback_;
-  bool secure_;
   bool started_;
   bool delayed_;
 };
@@ -439,24 +435,16 @@ MockDnsClientRule::Result::~Result() = default;
 MockDnsClientRule::Result& MockDnsClientRule::Result::operator=(
     Result&& result) = default;
 
-// static
-MockDnsClientRule::Result MockDnsClientRule::CreateSecureResult(
-    std::unique_ptr<DnsResponse> response) {
-  auto result = Result(std::move(response));
-  result.secure = true;
-  return result;
-}
-
 MockDnsClientRule::MockDnsClientRule(const std::string& prefix,
                                      uint16_t qtype,
-                                     DnsConfig::SecureDnsMode secure_dns_mode,
+                                     bool secure,
                                      Result result,
                                      bool delay,
                                      URLRequestContext* context)
     : result(std::move(result)),
       prefix(prefix),
       qtype(qtype),
-      secure_dns_mode(secure_dns_mode),
+      secure(secure),
       delay(delay),
       context(context) {}
 
@@ -475,11 +463,11 @@ class MockDnsClient::MockTransactionFactory : public DnsTransactionFactory {
       uint16_t qtype,
       DnsTransactionFactory::CallbackType callback,
       const NetLogWithSource&,
-      DnsConfig::SecureDnsMode secure_dns_mode,
+      bool secure,
       URLRequestContext* url_request_context) override {
     std::unique_ptr<MockTransaction> transaction =
-        std::make_unique<MockTransaction>(rules_, hostname, qtype,
-                                          secure_dns_mode, url_request_context,
+        std::make_unique<MockTransaction>(rules_, hostname, qtype, secure,
+                                          url_request_context,
                                           std::move(callback));
     if (transaction->delayed())
       delayed_transactions_.push_back(transaction->AsWeakPtr());
diff --git a/chromium/net/dns/dns_test_util.h b/chromium/net/dns/dns_test_util.h
index 179a679ed6f..b5f73d4d53a 100644
--- a/chromium/net/dns/dns_test_util.h
+++ b/chromium/net/dns/dns_test_util.h
@@ -216,18 +216,14 @@ struct MockDnsClientRule {
 
     ResultType type;
     std::unique_ptr<DnsResponse> response;
-    // Whether the mock result was obtained securely or not.
-    bool secure = false;
   };
 
-  static Result CreateSecureResult(std::unique_ptr<DnsResponse> response);
-
   // If |delay| is true, matching transactions will be delayed until triggered
   // by the consumer. If |context| is non-null, it will only match transactions
   // with the same context.
   MockDnsClientRule(const std::string& prefix,
                     uint16_t qtype,
-                    DnsConfig::SecureDnsMode secure_dns_mode,
+                    bool secure,
                     Result result,
                     bool delay,
                     URLRequestContext* context = nullptr);
@@ -236,7 +232,7 @@ struct MockDnsClientRule {
   Result result;
   std::string prefix;
   uint16_t qtype;
-  DnsConfig::SecureDnsMode secure_dns_mode;
+  bool secure;
   bool delay;
   URLRequestContext* context;
 };
diff --git a/chromium/net/dns/dns_transaction.cc b/chromium/net/dns/dns_transaction.cc
index 3003df2b79e..97d6b8501e8 100644
--- a/chromium/net/dns/dns_transaction.cc
+++ b/chromium/net/dns/dns_transaction.cc
@@ -46,6 +46,7 @@
 #include "net/dns/dns_session.h"
 #include "net/dns/dns_util.h"
 #include "net/dns/public/dns_protocol.h"
+#include "net/http/http_request_headers.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_event_type.h"
@@ -107,11 +108,9 @@ bool IsIPLiteral(const std::string& hostname) {
   return ip.AssignFromIPLiteral(hostname);
 }
 
-base::Value NetLogStartCallback(const std::string* hostname,
-                                uint16_t qtype,
-                                NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogStartParams(const std::string& hostname, uint16_t qtype) {
   base::DictionaryValue dict;
-  dict.SetString("hostname", *hostname);
+  dict.SetString("hostname", hostname);
   dict.SetInteger("query_type", qtype);
   return std::move(dict);
 }
@@ -141,17 +140,13 @@ class DnsAttempt {
   // Returns the net log bound to the source of the socket.
   virtual const NetLogWithSource& GetSocketNetLog() const = 0;
 
-  // Returns true if a secure transport was used for the attempt. This method
-  // should be overridden for subclasses using a secure transport.
-  virtual bool secure() const { return false; }
-
   // Returns the index of the destination server within DnsConfig::nameservers.
   unsigned server_index() const { return server_index_; }
 
   // Returns a Value representing the received response, along with a reference
   // to the NetLog source source of the UDP socket used.  The request must have
   // completed before this is called.
-  base::Value NetLogResponseCallback(NetLogCaptureMode capture_mode) const {
+  base::Value NetLogResponseParams() const {
     DCHECK(GetResponse()->IsValid());
 
     base::DictionaryValue dict;
@@ -333,9 +328,7 @@ class DnsHTTPAttempt : public DnsAttempt, public URLRequest::Delegate {
                  bool use_post,
                  URLRequestContext* url_request_context,
                  RequestPriority request_priority_)
-      : DnsAttempt(server_index),
-        query_(std::move(query)),
-        weak_factory_(this) {
+      : DnsAttempt(server_index), query_(std::move(query)) {
     GURL url;
     if (use_post) {
       // Set url for a POST request
@@ -356,6 +349,9 @@ class DnsHTTPAttempt : public DnsAttempt, public URLRequest::Delegate {
 
     HttpRequestHeaders extra_request_headers;
     extra_request_headers.SetHeader("Accept", kDnsOverHttpResponseContentType);
+    // Send minimal request headers where possible.
+    extra_request_headers.SetHeader(HttpRequestHeaders::kAcceptLanguage, "*");
+    extra_request_headers.SetHeader(HttpRequestHeaders::kUserAgent, "Chrome");
 
     DCHECK(url_request_context);
     request_ = url_request_context->CreateRequest(
@@ -416,7 +412,6 @@ class DnsHTTPAttempt : public DnsAttempt, public URLRequest::Delegate {
     return (resp != nullptr && resp->IsValid()) ? resp : nullptr;
   }
   const NetLogWithSource& GetSocketNetLog() const override { return net_log_; }
-  bool secure() const override { return true; }
 
   // URLRequest::Delegate overrides
 
@@ -536,7 +531,7 @@ class DnsHTTPAttempt : public DnsAttempt, public URLRequest::Delegate {
   std::unique_ptr<URLRequest> request_;
   NetLogWithSource net_log_;
 
-  base::WeakPtrFactory<DnsHTTPAttempt> weak_factory_;
+  base::WeakPtrFactory<DnsHTTPAttempt> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(DnsHTTPAttempt);
 };
@@ -795,13 +790,13 @@ class DnsTransactionImpl : public DnsTransaction,
                      DnsTransactionFactory::CallbackType callback,
                      const NetLogWithSource& net_log,
                      const OptRecordRdata* opt_rdata,
-                     DnsConfig::SecureDnsMode secure_dns_mode,
+                     bool secure,
                      URLRequestContext* url_request_context)
       : session_(session),
         hostname_(hostname),
         qtype_(qtype),
         opt_rdata_(opt_rdata),
-        secure_dns_mode_(secure_dns_mode),
+        secure_(secure),
         callback_(std::move(callback)),
         net_log_(net_log),
         qnames_initial_size_(0),
@@ -840,7 +835,7 @@ class DnsTransactionImpl : public DnsTransaction,
     DCHECK(!callback_.is_null());
     DCHECK(attempts_.empty());
     net_log_.BeginEvent(NetLogEventType::DNS_TRANSACTION,
-                        base::Bind(&NetLogStartCallback, &hostname_, qtype_));
+                        [&] { return NetLogStartParams(hostname_, qtype_); });
     AttemptResult result(PrepareSearch(), nullptr);
     if (result.rv == OK) {
       qnames_initial_size_ = qnames_.size();
@@ -932,28 +927,21 @@ class DnsTransactionImpl : public DnsTransaction,
         result.attempt ? result.attempt->GetResponse() : nullptr;
     CHECK(result.rv != OK || response != nullptr);
 
-    bool secure = result.attempt ? result.attempt->secure() : false;
-
     timer_.Stop();
 
     net_log_.EndEventWithNetErrorCode(NetLogEventType::DNS_TRANSACTION,
                                       result.rv);
 
-    std::move(callback_).Run(this, result.rv, response, secure);
+    std::move(callback_).Run(this, result.rv, response);
   }
 
   AttemptResult MakeAttempt() {
     DnsConfig config = session_->config();
-    // In AUTOMATIC and SECURE mode, make an HTTP attempt unless we have already
-    // made more attempts than we have configured servers.
-    if (secure_dns_mode_ != DnsConfig::SecureDnsMode::OFF &&
-        doh_attempts_ < config.dns_over_https_servers.size()) {
+    if (secure_) {
+      DCHECK_GT(config.dns_over_https_servers.size(), 0u);
       return MakeHTTPAttempt(config.dns_over_https_servers);
     }
-    // In AUTOMATIC mode, insecure attempts are allowed after HTTP attempts are
-    // exhausted. In OFF mode, only insecure attempts are allowed. It should
-    // not be possible to reach this point in SECURE mode.
-    DCHECK_NE(secure_dns_mode_, DnsConfig::SecureDnsMode::SECURE);
+
     DCHECK_GT(config.nameservers.size(), 0u);
     return MakeUDPAttempt();
   }
@@ -961,6 +949,7 @@ class DnsTransactionImpl : public DnsTransaction,
   // Makes another attempt at the current name, |qnames_.front()|, using the
   // next nameserver.
   AttemptResult MakeUDPAttempt() {
+    DCHECK(!secure_);
     doh_attempt_ = false;
     unsigned attempt_number = attempts_.size();
 
@@ -975,8 +964,7 @@ class DnsTransactionImpl : public DnsTransaction,
     const DnsConfig& config = session_->config();
 
     unsigned non_doh_server_index =
-        (first_server_index_ + attempt_number - doh_attempts_) %
-        config.nameservers.size();
+        (first_server_index_ + attempt_number) % config.nameservers.size();
     // Skip over known failed servers.
     non_doh_server_index = session_->NextGoodServerIndex(non_doh_server_index);
 
@@ -994,9 +982,8 @@ class DnsTransactionImpl : public DnsTransaction,
     if (!got_socket)
       return AttemptResult(ERR_CONNECTION_REFUSED, nullptr);
 
-    net_log_.AddEvent(
-        NetLogEventType::DNS_TRANSACTION_ATTEMPT,
-        attempt->GetSocketNetLog().source().ToEventParametersCallback());
+    net_log_.AddEventReferencingSource(NetLogEventType::DNS_TRANSACTION_ATTEMPT,
+                                       attempt->GetSocketNetLog().source());
 
     int rv = attempt->Start(base::Bind(
         &DnsTransactionImpl::OnUdpAttemptComplete, base::Unretained(this),
@@ -1011,12 +998,14 @@ class DnsTransactionImpl : public DnsTransaction,
 
   AttemptResult MakeHTTPAttempt(
       const std::vector<DnsConfig::DnsOverHttpsServerConfig>& servers) {
+    DCHECK(secure_);
     doh_attempt_ = true;
     unsigned attempt_number = attempts_.size();
     uint16_t id = session_->NextQueryId();
     std::unique_ptr<DnsQuery> query;
     if (attempts_.empty()) {
-      query.reset(new DnsQuery(id, qnames_.front(), qtype_, opt_rdata_));
+      query.reset(new DnsQuery(id, qnames_.front(), qtype_, opt_rdata_,
+                               DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
     } else {
       query = attempts_[0]->GetQuery()->CloneWithNewId(id);
     }
@@ -1048,6 +1037,7 @@ class DnsTransactionImpl : public DnsTransaction,
   }
 
   AttemptResult MakeTCPAttempt(const DnsAttempt* previous_attempt) {
+    DCHECK(!secure_);
     DCHECK(previous_attempt);
     DCHECK(!had_tcp_attempt_);
 
@@ -1074,9 +1064,9 @@ class DnsTransactionImpl : public DnsTransaction,
     ++attempts_count_;
     had_tcp_attempt_ = true;
 
-    net_log_.AddEvent(
+    net_log_.AddEventReferencingSource(
         NetLogEventType::DNS_TRANSACTION_TCP_ATTEMPT,
-        attempt->GetSocketNetLog().source().ToEventParametersCallback());
+        attempt->GetSocketNetLog().source());
 
     int rv = attempt->Start(base::Bind(&DnsTransactionImpl::OnAttemptComplete,
                                        base::Unretained(this), attempt_number));
@@ -1091,8 +1081,8 @@ class DnsTransactionImpl : public DnsTransaction,
   // Begins query for the current name. Makes the first attempt.
   AttemptResult StartQuery() {
     std::string dotted_qname = DNSDomainToString(qnames_.front());
-    net_log_.BeginEvent(NetLogEventType::DNS_TRANSACTION_QUERY,
-                        NetLog::StringCallback("qname", &dotted_qname));
+    net_log_.BeginEventWithStringParams(NetLogEventType::DNS_TRANSACTION_QUERY,
+                                        "qname", dotted_qname);
 
     first_server_index_ = session_->config().nameservers.empty()
                               ? 0
@@ -1127,28 +1117,19 @@ class DnsTransactionImpl : public DnsTransaction,
   void LogResponse(const DnsAttempt* attempt) {
     if (attempt && attempt->GetResponse()) {
       net_log_.AddEvent(NetLogEventType::DNS_TRANSACTION_RESPONSE,
-                        base::Bind(&DnsAttempt::NetLogResponseCallback,
-                                   base::Unretained(attempt)));
+                        [&] { return attempt->NetLogResponseParams(); });
     }
   }
 
   bool MoreAttemptsAllowed() const {
     if (had_tcp_attempt_)
       return false;
+
     const DnsConfig& config = session_->config();
-    unsigned insecure_attempts_possible =
-        config.attempts * config.nameservers.size();
-    unsigned secure_attempts_possible = config.dns_over_https_servers.size();
-
-    switch (secure_dns_mode_) {
-      case DnsConfig::SecureDnsMode::SECURE:
-        return attempts_.size() < secure_attempts_possible;
-      case DnsConfig::SecureDnsMode::AUTOMATIC:
-        return attempts_.size() <
-               secure_attempts_possible + insecure_attempts_possible;
-      case DnsConfig::SecureDnsMode::OFF:
-        return attempts_.size() < insecure_attempts_possible;
-    }
+    if (secure_)
+      return attempts_.size() < config.dns_over_https_servers.size();
+
+    return attempts_.size() < config.attempts * config.nameservers.size();
   }
 
   // Resolves the result of a DnsAttempt until a terminal result is reached
@@ -1239,7 +1220,7 @@ class DnsTransactionImpl : public DnsTransaction,
   std::string hostname_;
   uint16_t qtype_;
   const OptRecordRdata* opt_rdata_;
-  const DnsConfig::SecureDnsMode secure_dns_mode_;
+  const bool secure_;
   // Cleared in DoCallback.
   DnsTransactionFactory::CallbackType callback_;
 
@@ -1285,11 +1266,11 @@ class DnsTransactionFactoryImpl : public DnsTransactionFactory {
       uint16_t qtype,
       CallbackType callback,
       const NetLogWithSource& net_log,
-      DnsConfig::SecureDnsMode secure_dns_mode,
+      bool secure,
       URLRequestContext* url_request_context) override {
     return std::make_unique<DnsTransactionImpl>(
         session_.get(), hostname, qtype, std::move(callback), net_log,
-        opt_rdata_.get(), secure_dns_mode, url_request_context);
+        opt_rdata_.get(), secure, url_request_context);
   }
 
   void AddEDNSOption(const OptRecordRdata::Opt& opt) override {
diff --git a/chromium/net/dns/dns_transaction.h b/chromium/net/dns/dns_transaction.h
index 446d1fdd9d5..ec6a3bbe8c3 100644
--- a/chromium/net/dns/dns_transaction.h
+++ b/chromium/net/dns/dns_transaction.h
@@ -53,12 +53,10 @@ class NET_EXPORT_PRIVATE DnsTransactionFactory {
  public:
   // Called with the response or NULL if no matching response was received.
   // Note that the |GetDottedName()| of the response may be different than the
-  // original |hostname| as a result of suffix search. |secure| is true if the
-  // response was obtained using secure DNS.
+  // original |hostname| as a result of suffix search.
   typedef base::OnceCallback<void(DnsTransaction* transaction,
                                   int neterror,
-                                  const DnsResponse* response,
-                                  bool secure)>
+                                  const DnsResponse* response)>
       CallbackType;
 
   virtual ~DnsTransactionFactory() {}
@@ -71,17 +69,14 @@ class NET_EXPORT_PRIVATE DnsTransactionFactory {
   // The transaction will run |callback| upon asynchronous completion.
   // The |net_log| is used as the parent log.
   //
-  // The |secure_dns_mode| specifies the order in which secure and/or insecure
-  // DNS lookups will be performed. In SECURE mode, only secure lookups will be
-  // perfomed. In AUTOMATIC mode, secure lookups will be performed first when
-  // possible, and insecure lookups will be performed as a fallback. In OFF
-  // mode, only insecure lookups will be performed.
+  // |secure| specifies whether DNS lookups should be performed using DNS-over-
+  // HTTPS (DoH) or using plaintext DNS.
   virtual std::unique_ptr<DnsTransaction> CreateTransaction(
       const std::string& hostname,
       uint16_t qtype,
       CallbackType callback,
       const NetLogWithSource& net_log,
-      DnsConfig::SecureDnsMode secure_dns_mode,
+      bool secure,
       URLRequestContext* url_request_context) WARN_UNUSED_RESULT = 0;
 
   // The given EDNS0 option will be included in all DNS queries performed by
diff --git a/chromium/net/dns/dns_transaction_unittest.cc b/chromium/net/dns/dns_transaction_unittest.cc
index 368e0385871..250d32d8518 100644
--- a/chromium/net/dns/dns_transaction_unittest.cc
+++ b/chromium/net/dns/dns_transaction_unittest.cc
@@ -77,8 +77,14 @@ class DnsSocketData {
                 uint16_t qtype,
                 IoMode mode,
                 Transport transport,
-                const OptRecordRdata* opt_rdata = nullptr)
-      : query_(new DnsQuery(id, DomainFromDot(dotted_name), qtype, opt_rdata)),
+                const OptRecordRdata* opt_rdata = nullptr,
+                DnsQuery::PaddingStrategy padding_strategy =
+                    DnsQuery::PaddingStrategy::NONE)
+      : query_(new DnsQuery(id,
+                            DomainFromDot(dotted_name),
+                            qtype,
+                            opt_rdata,
+                            padding_strategy)),
         transport_(transport) {
     if (Transport::TCP == transport_) {
       std::unique_ptr<uint16_t> length(new uint16_t);
@@ -277,33 +283,27 @@ class TransactionHelper {
   // If |expected_answer_count| < 0 then it is the expected net error.
   TransactionHelper(const char* hostname,
                     uint16_t qtype,
-                    int expected_answer_count,
-                    bool expected_secure)
+                    bool secure,
+                    int expected_answer_count)
       : hostname_(hostname),
         qtype_(qtype),
-        secure_dns_mode_(DnsConfig::SecureDnsMode::AUTOMATIC),
+        secure_(secure),
         response_(nullptr),
         expected_answer_count_(expected_answer_count),
-        expected_secure_(expected_secure),
         cancel_in_callback_(false),
         completed_(false) {}
 
   // Mark that the transaction shall be destroyed immediately upon callback.
   void set_cancel_in_callback() { cancel_in_callback_ = true; }
 
-  // Set the secure DNS mode for the transaction.
-  void set_secure_dns_mode(DnsConfig::SecureDnsMode secure_dns_mode) {
-    secure_dns_mode_ = secure_dns_mode;
-  }
-
   void StartTransaction(DnsTransactionFactory* factory) {
     EXPECT_EQ(NULL, transaction_.get());
     transaction_ = factory->CreateTransaction(
         hostname_, qtype_,
         base::Bind(&TransactionHelper::OnTransactionComplete,
                    base::Unretained(this)),
-        NetLogWithSource::Make(&net_log_, net::NetLogSourceType::NONE),
-        secure_dns_mode_, &request_context_);
+        NetLogWithSource::Make(&net_log_, net::NetLogSourceType::NONE), secure_,
+        &request_context_);
     transaction_->SetRequestPriority(DEFAULT_PRIORITY);
     EXPECT_EQ(hostname_, transaction_->GetHostname());
     EXPECT_EQ(qtype_, transaction_->GetType());
@@ -317,8 +317,7 @@ class TransactionHelper {
 
   void OnTransactionComplete(DnsTransaction* t,
                              int rv,
-                             const DnsResponse* response,
-                             bool secure) {
+                             const DnsResponse* response) {
     EXPECT_FALSE(completed_);
     EXPECT_EQ(transaction_.get(), t);
 
@@ -351,8 +350,6 @@ class TransactionHelper {
     } else {
       EXPECT_EQ(expected_answer_count_, rv);
     }
-
-    EXPECT_EQ(expected_secure_, secure);
   }
 
   bool has_completed() const { return completed_; }
@@ -382,11 +379,10 @@ class TransactionHelper {
  private:
   std::string hostname_;
   uint16_t qtype_;
-  DnsConfig::SecureDnsMode secure_dns_mode_;
+  bool secure_;
   std::unique_ptr<DnsTransaction> transaction_;
   const DnsResponse* response_;
   int expected_answer_count_;
-  bool expected_secure_;
   bool cancel_in_callback_;
   TestURLRequestContext request_context_;
   std::unique_ptr<base::RunLoop> transaction_complete_run_loop_;
@@ -422,8 +418,7 @@ class URLRequestMockDohJob : public URLRequestJob, public AsyncSocket {
         content_length_(0),
         leftover_data_len_(0),
         data_provider_(data_provider),
-        response_modifier_(response_modifier),
-        weak_factory_(this) {
+        response_modifier_(response_modifier) {
     data_provider_->Initialize(this);
     MatchQueryData(request, data_provider);
   }
@@ -563,7 +558,7 @@ class URLRequestMockDohJob : public URLRequestJob, public AsyncSocket {
   IOBuffer* pending_buf_;
   int pending_buf_size_;
 
-  base::WeakPtrFactory<URLRequestMockDohJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestMockDohJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestMockDohJob);
 };
@@ -612,10 +607,12 @@ class DnsTransactionTestBase : public testing::Test {
                            size_t response_length,
                            IoMode mode,
                            Transport transport,
-                           const OptRecordRdata* opt_rdata = nullptr) {
+                           const OptRecordRdata* opt_rdata = nullptr,
+                           DnsQuery::PaddingStrategy padding_strategy =
+                               DnsQuery::PaddingStrategy::NONE) {
     CHECK(socket_factory_.get());
-    std::unique_ptr<DnsSocketData> data(
-        new DnsSocketData(id, dotted_name, qtype, mode, transport, opt_rdata));
+    std::unique_ptr<DnsSocketData> data(new DnsSocketData(
+        id, dotted_name, qtype, mode, transport, opt_rdata, padding_strategy));
     data->AddResponseData(response_data, response_length, mode);
     AddSocketData(std::move(data));
   }
@@ -625,10 +622,13 @@ class DnsTransactionTestBase : public testing::Test {
                                 uint16_t qtype,
                                 int error,
                                 IoMode mode,
-                                Transport transport) {
+                                Transport transport,
+                                const OptRecordRdata* opt_rdata = nullptr,
+                                DnsQuery::PaddingStrategy padding_strategy =
+                                    DnsQuery::PaddingStrategy::NONE) {
     CHECK(socket_factory_.get());
-    std::unique_ptr<DnsSocketData> data(
-        new DnsSocketData(id, dotted_name, qtype, mode, transport));
+    std::unique_ptr<DnsSocketData> data(new DnsSocketData(
+        id, dotted_name, qtype, mode, transport, opt_rdata, padding_strategy));
     data->AddReadError(error, mode);
     AddSocketData(std::move(data));
   }
@@ -654,10 +654,14 @@ class DnsTransactionTestBase : public testing::Test {
   }
 
   // Add expected query of |dotted_name| and |qtype| and no response.
-  void AddQueryAndTimeout(const char* dotted_name, uint16_t qtype) {
+  void AddQueryAndTimeout(const char* dotted_name,
+                          uint16_t qtype,
+                          DnsQuery::PaddingStrategy padding_strategy =
+                              DnsQuery::PaddingStrategy::NONE) {
     uint16_t id = base::RandInt(0, std::numeric_limits<uint16_t>::max());
     std::unique_ptr<DnsSocketData> data(
-        new DnsSocketData(id, dotted_name, qtype, ASYNC, Transport::UDP));
+        new DnsSocketData(id, dotted_name, qtype, ASYNC, Transport::UDP,
+                          nullptr /* opt_rdata */, padding_strategy));
     AddSocketData(std::move(data));
   }
 
@@ -667,11 +671,14 @@ class DnsTransactionTestBase : public testing::Test {
                         uint16_t qtype,
                         int rcode,
                         IoMode mode,
-                        Transport trans) {
+                        Transport trans,
+                        DnsQuery::PaddingStrategy padding_strategy =
+                            DnsQuery::PaddingStrategy::NONE) {
     CHECK_NE(dns_protocol::kRcodeNOERROR, rcode);
     uint16_t id = base::RandInt(0, std::numeric_limits<uint16_t>::max());
     std::unique_ptr<DnsSocketData> data(
-        new DnsSocketData(id, dotted_name, qtype, mode, trans));
+        new DnsSocketData(id, dotted_name, qtype, mode, trans,
+                          nullptr /* opt_rdata */, padding_strategy));
     data->AddRcode(rcode, mode);
     AddSocketData(std::move(data));
   }
@@ -765,15 +772,10 @@ class DnsTransactionTest : public DnsTransactionTestBase,
   }
 
   // Configures the DnsConfig with one dns over https server, which either
-  // accepts GET or POST requests based on use_post. If |clear_udp| is true,
-  // existing IP name servers are removed from the DnsConfig. If a
+  // accepts GET or POST requests based on use_post. If a
   // ResponseModifierCallback is provided it will be called to contruct the
   // HTTPResponse.
-  void ConfigDohServers(bool clear_udp,
-                        bool use_post,
-                        int num_doh_servers = 1) {
-    if (clear_udp)
-      ConfigureNumServers(0);
+  void ConfigDohServers(bool use_post, int num_doh_servers = 1) {
     GURL url(URLRequestMockDohJob::GetMockHttpsUrl("doh_test"));
     URLRequestFilter* filter = URLRequestFilter::GetInstance();
     filter->AddHostnameInterceptor(url.scheme(), url.host(),
@@ -821,6 +823,16 @@ class DnsTransactionTest : public DnsTransactionTestBase,
     EXPECT_TRUE(request->extra_request_headers().GetHeader("Accept", &accept));
     EXPECT_EQ(accept, "application/dns-message");
 
+    std::string language;
+    EXPECT_TRUE(request->extra_request_headers().GetHeader("Accept-Language",
+                                                           &language));
+    EXPECT_EQ(language, "*");
+
+    std::string user_agent;
+    EXPECT_TRUE(
+        request->extra_request_headers().GetHeader("User-Agent", &user_agent));
+    EXPECT_EQ(user_agent, "Chrome");
+
     SocketDataProvider* provider = socket_factory_->mock_data().GetNext();
 
     if (doh_job_maker_)
@@ -871,7 +883,7 @@ class DnsTransactionTestWithMockTime : public DnsTransactionTestBase,
  protected:
   DnsTransactionTestWithMockTime()
       : WithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME) {}
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME) {}
   ~DnsTransactionTestWithMockTime() override = default;
 };
 
@@ -880,8 +892,8 @@ TEST_F(DnsTransactionTest, Lookup) {
                            kT0ResponseDatagram,
                            base::size(kT0ResponseDatagram));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -896,8 +908,8 @@ TEST_F(DnsTransactionTest, LookupWithEDNSOption) {
                            kT0ResponseDatagram, base::size(kT0ResponseDatagram),
                            &expected_opt_rdata);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -919,8 +931,8 @@ TEST_F(DnsTransactionTest, LookupWithMultipleEDNSOptions) {
                            kT0ResponseDatagram, base::size(kT0ResponseDatagram),
                            &expected_opt_rdata);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -934,11 +946,11 @@ TEST_F(DnsTransactionTest, ConcurrentLookup) {
                            kT1ResponseDatagram,
                            base::size(kT1ResponseDatagram));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   helper0.StartTransaction(transaction_factory_.get());
-  TransactionHelper helper1(kT1HostName, kT1Qtype, kT1RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper1(kT1HostName, kT1Qtype, false /* secure */,
+                            kT1RecordCount);
   helper1.StartTransaction(transaction_factory_.get());
 
   base::RunLoop().RunUntilIdle();
@@ -955,11 +967,11 @@ TEST_F(DnsTransactionTest, CancelLookup) {
                            kT1ResponseDatagram,
                            base::size(kT1ResponseDatagram));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   helper0.StartTransaction(transaction_factory_.get());
-  TransactionHelper helper1(kT1HostName, kT1Qtype, kT1RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper1(kT1HostName, kT1Qtype, false /* secure */,
+                            kT1RecordCount);
   helper1.StartTransaction(transaction_factory_.get());
 
   helper0.Cancel();
@@ -975,8 +987,8 @@ TEST_F(DnsTransactionTest, DestroyFactory) {
                            kT0ResponseDatagram,
                            base::size(kT0ResponseDatagram));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   helper0.StartTransaction(transaction_factory_.get());
 
   // Destroying the client does not affect running requests.
@@ -992,8 +1004,8 @@ TEST_F(DnsTransactionTest, CancelFromCallback) {
                            kT0ResponseDatagram,
                            base::size(kT0ResponseDatagram));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   helper0.set_cancel_in_callback();
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
@@ -1016,8 +1028,8 @@ TEST_F(DnsTransactionTest, MismatchedResponseSync) {
                          SYNCHRONOUS);
   AddSocketData(std::move(data1));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -1039,8 +1051,8 @@ TEST_F(DnsTransactionTest, MismatchedResponseAsync) {
                          ASYNC);
   AddSocketData(std::move(data1));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -1053,8 +1065,8 @@ TEST_F(DnsTransactionTest, MismatchedResponseFail) {
                            kT0ResponseDatagram,
                            base::size(kT0ResponseDatagram));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -1073,16 +1085,16 @@ TEST_F(DnsTransactionTest, MismatchedResponseNxdomain) {
   AddSocketData(std::move(data));
   AddSyncQueryAndRcode(kT0HostName, kT0Qtype, dns_protocol::kRcodeNXDOMAIN);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, ServerFail) {
   AddAsyncQueryAndRcode(kT0HostName, kT0Qtype, dns_protocol::kRcodeSERVFAIL);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_SERVER_FAILED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_DNS_SERVER_FAILED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
   ASSERT_NE(helper0.response(), nullptr);
   EXPECT_EQ(helper0.response()->rcode(), dns_protocol::kRcodeSERVFAIL);
@@ -1091,8 +1103,8 @@ TEST_F(DnsTransactionTest, ServerFail) {
 TEST_F(DnsTransactionTest, NoDomain) {
   AddAsyncQueryAndRcode(kT0HostName, kT0Qtype, dns_protocol::kRcodeNXDOMAIN);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -1104,8 +1116,8 @@ TEST_F(DnsTransactionTestWithMockTime, Timeout) {
   AddQueryAndTimeout(kT0HostName, kT0Qtype);
   AddQueryAndTimeout(kT0HostName, kT0Qtype);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_TIMED_OUT,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_DNS_TIMED_OUT);
 
   // Finish when the third attempt times out.
   EXPECT_FALSE(helper0.Run(transaction_factory_.get()));
@@ -1136,10 +1148,10 @@ TEST_F(DnsTransactionTestWithMockTime, ServerFallbackAndRotate) {
   AddAsyncQueryAndRcode(kT1HostName, kT1Qtype, dns_protocol::kRcodeSERVFAIL);
   AddAsyncQueryAndRcode(kT1HostName, kT1Qtype, dns_protocol::kRcodeNXDOMAIN);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
-  TransactionHelper helper1(kT1HostName, kT1Qtype, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
+  TransactionHelper helper1(kT1HostName, kT1Qtype, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
 
   EXPECT_FALSE(helper0.Run(transaction_factory_.get()));
   FastForwardUntilNoTasksRemain();
@@ -1171,8 +1183,8 @@ TEST_F(DnsTransactionTest, SuffixSearchAboveNdots) {
   AddAsyncQueryAndRcode("x.y.z.c", dns_protocol::kTypeA,
                         dns_protocol::kRcodeNXDOMAIN);
 
-  TransactionHelper helper0("x.y.z", dns_protocol::kTypeA,
-                            ERR_NAME_NOT_RESOLVED, false /* expected_secure */);
+  TransactionHelper helper0("x.y.z", dns_protocol::kTypeA, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
 
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 
@@ -1208,20 +1220,20 @@ TEST_F(DnsTransactionTest, SuffixSearchBelowNdots) {
   AddAsyncQueryAndRcode("x", dns_protocol::kTypeAAAA,
                         dns_protocol::kRcodeNXDOMAIN);
 
-  TransactionHelper helper0("x.y", dns_protocol::kTypeA, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper0("x.y", dns_protocol::kTypeA, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
 
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 
   // A single-label name.
-  TransactionHelper helper1("x", dns_protocol::kTypeA, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper1("x", dns_protocol::kTypeA, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
 
   EXPECT_TRUE(helper1.Run(transaction_factory_.get()));
 
   // A fully-qualified name.
-  TransactionHelper helper2("x.", dns_protocol::kTypeAAAA,
-                            ERR_NAME_NOT_RESOLVED, false /* expected_secure */);
+  TransactionHelper helper2("x.", dns_protocol::kTypeAAAA, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
 
   EXPECT_TRUE(helper2.Run(transaction_factory_.get()));
 }
@@ -1232,14 +1244,14 @@ TEST_F(DnsTransactionTest, EmptySuffixSearch) {
                         dns_protocol::kRcodeNXDOMAIN);
 
   // A fully-qualified name.
-  TransactionHelper helper0("x.", dns_protocol::kTypeA, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper0("x.", dns_protocol::kTypeA, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
 
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 
   // A single label name is not even attempted.
   TransactionHelper helper1("singlelabel", dns_protocol::kTypeA,
-                            ERR_DNS_SEARCH_EMPTY, false /* expected_secure */);
+                            false /* secure */, ERR_DNS_SEARCH_EMPTY);
 
   helper1.Run(transaction_factory_.get());
   EXPECT_TRUE(helper1.has_completed());
@@ -1266,16 +1278,16 @@ TEST_F(DnsTransactionTest, DontAppendToMultiLabelName) {
   AddAsyncQueryAndRcode("x.c", dns_protocol::kTypeA,
                         dns_protocol::kRcodeNXDOMAIN);
 
-  TransactionHelper helper0("x.y.z", dns_protocol::kTypeA,
-                            ERR_NAME_NOT_RESOLVED, false /* expected_secure */);
+  TransactionHelper helper0("x.y.z", dns_protocol::kTypeA, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 
-  TransactionHelper helper1("x.y", dns_protocol::kTypeA, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper1("x.y", dns_protocol::kTypeA, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
   EXPECT_TRUE(helper1.Run(transaction_factory_.get()));
 
-  TransactionHelper helper2("x", dns_protocol::kTypeA, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper2("x", dns_protocol::kTypeA, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
   EXPECT_TRUE(helper2.Run(transaction_factory_.get()));
 }
 
@@ -1304,8 +1316,8 @@ TEST_F(DnsTransactionTest, SuffixSearchStop) {
   AddAsyncQueryAndResponse(0 /* id */, "x.y.z.b", dns_protocol::kTypeA,
                            kResponseNoData, base::size(kResponseNoData));
 
-  TransactionHelper helper0("x.y.z", dns_protocol::kTypeA, 0 /* answers */,
-                            false /* expected_secure */);
+  TransactionHelper helper0("x.y.z", dns_protocol::kTypeA, false /* secure */,
+                            0 /* answers */);
 
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
@@ -1318,8 +1330,8 @@ TEST_F(DnsTransactionTest, SyncFirstQuery) {
   AddSyncQueryAndResponse(0 /* id */, kT0HostName, kT0Qtype,
                           kT0ResponseDatagram, base::size(kT0ResponseDatagram));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -1335,8 +1347,8 @@ TEST_F(DnsTransactionTest, SyncFirstQueryWithSearch) {
                            kT2ResponseDatagram,
                            base::size(kT2ResponseDatagram));
 
-  TransactionHelper helper0("www", kT2Qtype, kT2RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0("www", kT2Qtype, false /* secure */,
+                            kT2RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -1350,8 +1362,8 @@ TEST_F(DnsTransactionTest, SyncSearchQuery) {
   AddSyncQueryAndResponse(2 /* id */, kT2HostName, kT2Qtype,
                           kT2ResponseDatagram, base::size(kT2ResponseDatagram));
 
-  TransactionHelper helper0("www", kT2Qtype, kT2RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0("www", kT2Qtype, false /* secure */,
+                            kT2RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -1359,8 +1371,7 @@ TEST_F(DnsTransactionTest, ConnectFailure) {
   socket_factory_->fail_next_socket_ = true;
   transaction_ids_.push_back(0);  // Needed to make a DnsUDPAttempt.
   TransactionHelper helper0("www.chromium.org", dns_protocol::kTypeA,
-                            ERR_CONNECTION_REFUSED,
-                            false /* expected_secure */);
+                            false /* secure */, ERR_CONNECTION_REFUSED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -1375,82 +1386,90 @@ TEST_F(DnsTransactionTest, ConnectFailureFollowedBySuccess) {
   AddAsyncQueryAndResponse(0 /* id */, kT0HostName, kT0Qtype,
                            kT0ResponseDatagram,
                            base::size(kT0ResponseDatagram));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsGetLookup) {
-  ConfigDohServers(true /* clear_udp */, false /* use_post */);
+  ConfigDohServers(false /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsGetFailure) {
-  ConfigDohServers(true /* clear_udp */, false /* use_post */);
+  ConfigDohServers(false /* use_post */);
   AddQueryAndRcode(kT0HostName, kT0Qtype, dns_protocol::kRcodeSERVFAIL,
-                   SYNCHRONOUS, Transport::HTTPS);
+                   SYNCHRONOUS, Transport::HTTPS,
+                   DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_SERVER_FAILED,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_SERVER_FAILED);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
   ASSERT_NE(helper0.response(), nullptr);
   EXPECT_EQ(helper0.response()->rcode(), dns_protocol::kRcodeSERVFAIL);
 }
 
 TEST_F(DnsTransactionTest, HttpsGetMalformed) {
-  ConfigDohServers(true /* clear_udp */, false /* use_post */);
+  ConfigDohServers(false /* use_post */);
   AddQueryAndResponse(1 /* id */, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookup) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostFailure) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndRcode(kT0HostName, kT0Qtype, dns_protocol::kRcodeSERVFAIL,
-                   SYNCHRONOUS, Transport::HTTPS);
+                   SYNCHRONOUS, Transport::HTTPS,
+                   DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_SERVER_FAILED,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_SERVER_FAILED);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
   ASSERT_NE(helper0.response(), nullptr);
   EXPECT_EQ(helper0.response()->rcode(), dns_protocol::kRcodeSERVFAIL);
 }
 
 TEST_F(DnsTransactionTest, HttpsPostMalformed) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(1 /* id */, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupAsync) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), ASYNC, Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+                      base::size(kT0ResponseDatagram), ASYNC, Transport::HTTPS,
+                      nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
@@ -1463,12 +1482,13 @@ URLRequestJob* DohJobMakerCallbackFailStart(URLRequest* request,
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupFailStart) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_FAILED,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_FAILED);
   SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailStart));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
@@ -1482,13 +1502,14 @@ URLRequestJob* DohJobMakerCallbackFailSync(URLRequest* request,
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupFailSync) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseWithLength(std::make_unique<DnsResponse>(), SYNCHRONOUS, 0);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailSync));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
@@ -1502,273 +1523,170 @@ URLRequestJob* DohJobMakerCallbackFailAsync(URLRequest* request,
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupFailAsync) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailAsync));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookup2Sync) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, 20, SYNCHRONOUS);
   data->AddResponseData(kT0ResponseDatagram + 20,
                         base::size(kT0ResponseDatagram) - 20, SYNCHRONOUS);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookup2Async) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, 20, ASYNC);
   data->AddResponseData(kT0ResponseDatagram + 20,
                         base::size(kT0ResponseDatagram) - 20, ASYNC);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupAsyncWithAsyncZeroRead) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, base::size(kT0ResponseDatagram),
                         ASYNC);
   data->AddResponseData(kT0ResponseDatagram, 0, ASYNC);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupSyncWithAsyncZeroRead) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, base::size(kT0ResponseDatagram),
                         SYNCHRONOUS);
   data->AddResponseData(kT0ResponseDatagram, 0, ASYNC);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupAsyncThenSync) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, 20, ASYNC);
   data->AddResponseData(kT0ResponseDatagram + 20,
                         base::size(kT0ResponseDatagram) - 20, SYNCHRONOUS);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupAsyncThenSyncError) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, 20, ASYNC);
   data->AddReadError(ERR_FAILED, SYNCHRONOUS);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_FAILED,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_FAILED);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupAsyncThenAsyncError) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, 20, ASYNC);
   data->AddReadError(ERR_FAILED, ASYNC);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_FAILED,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_FAILED);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupSyncThenAsyncError) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, 20, SYNCHRONOUS);
   data->AddReadError(ERR_FAILED, ASYNC);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_FAILED,
-                            true /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_FAILED);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostLookupSyncThenSyncError) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   std::unique_ptr<DnsSocketData> data(new DnsSocketData(
-      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS));
+      0, kT0HostName, kT0Qtype, SYNCHRONOUS, Transport::HTTPS,
+      nullptr /* opt_rdata */, DnsQuery::PaddingStrategy::BLOCK_LENGTH_128));
   data->AddResponseData(kT0ResponseDatagram, 20, SYNCHRONOUS);
   data->AddReadError(ERR_FAILED, SYNCHRONOUS);
   AddSocketData(std::move(data));
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_FAILED,
-                            true /* expected_secure */);
-  EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-}
-
-TEST_F(DnsTransactionTest, HttpsPostFailThenUDPFallback) {
-  config_.attempts = 2;
-  ConfigDohServers(false /* clear_udp */, true /* use_post */);
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), ASYNC, Transport::UDP);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
-  SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailStart));
-  EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-  unsigned kOrder0[] = {1, 0};
-  CheckServerOrder(kOrder0, base::size(kOrder0));
-}
-
-TEST_F(DnsTransactionTest, HttpsPostFailNoUDPFallbackInSecureMode) {
-  config_.attempts = 1;
-  ConfigureNumServers(2);
-  ConfigDohServers(false /* clear_udp */, true /* use_post */, 2);
-  AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::HTTPS);
-  AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_FAILED,
-                            true /* expected_secure */);
-  helper0.set_secure_dns_mode(DnsConfig::SecureDnsMode::SECURE);
-  SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailStart));
-  EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-  unsigned kOrder0[] = {2, 3};
-  CheckServerOrder(kOrder0, base::size(kOrder0));
-}
-
-TEST_F(DnsTransactionTest, NoHttpsAttemptInOffMode) {
-  config_.attempts = 2;
-  ConfigureNumServers(2);
-  ConfigDohServers(false /* clear_udp */, true /* use_post */, 2);
-  AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::UDP);
-  AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::UDP);
-  AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::UDP);
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), ASYNC, Transport::UDP);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
-  helper0.set_secure_dns_mode(DnsConfig::SecureDnsMode::OFF);
-  EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-  unsigned kOrder0[] = {0, 1, 0, 1};
-  CheckServerOrder(kOrder0, base::size(kOrder0));
-}
-
-TEST_F(DnsTransactionTest, HttpsPostFailThenUDPFailThenUDPFallback) {
-  ConfigureNumServers(3);
-  ConfigDohServers(false /* clear_udp */, true /* use_post */);
-  SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailStart));
-
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  AddQueryAndTimeout(kT0HostName, kT0Qtype);
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), ASYNC, Transport::UDP);
-
-  transaction_ids_.push_back(0);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_FAILED);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-
-  // Servers 3 (HTTP) and 0 (UDP) should be marked as bad. 1 and 2 should be
-  // good.
-  EXPECT_EQ(session_->NextGoodServerIndex(0), 1u);
-  EXPECT_EQ(session_->NextGoodServerIndex(1), 1u);
-  EXPECT_EQ(session_->NextGoodServerIndex(2), 2u);
-  unsigned kOrder0[] = {3, 0, 1};
-  CheckServerOrder(kOrder0, base::size(kOrder0));
-}
-
-TEST_F(DnsTransactionTest, HttpsMarkUdpBad) {
-  config_.attempts = 1;
-  ConfigureNumServers(2);
-  ConfigDohServers(false /* clear_udp */, true /* use_post */);
-  AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::HTTPS);
-  AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::UDP);
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), ASYNC, Transport::UDP);
-
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
-  EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-  // Server 0 (UDP) should be marked bad. Server 1 (UDP) should be good
-  // and since 2 is our only Doh server, it will be good.
-  EXPECT_EQ(session_->NextGoodServerIndex(0), 1u);
-  EXPECT_EQ(session_->NextGoodServerIndex(1), 1u);
-  EXPECT_EQ(session_->NextGoodDnsOverHttpsServerIndex(2), 2u);
-  unsigned kOrder0[] = {2, 0, 1};
-  CheckServerOrder(kOrder0, base::size(kOrder0));
-
-  AddQueryAndErrorResponse(1, kT1HostName, kT1Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::HTTPS);
-  AddQueryAndErrorResponse(1, kT1HostName, kT1Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::UDP);
-
-  AddQueryAndResponse(1, kT1HostName, kT1Qtype, kT1ResponseDatagram,
-                      base::size(kT1ResponseDatagram), ASYNC, Transport::UDP);
-
-  TransactionHelper helper1(kT1HostName, kT1Qtype, kT1RecordCount,
-                            false /* expected_secure */);
-  EXPECT_TRUE(helper1.RunUntilDone(transaction_factory_.get()));
-  // Since 0 was bad to start, we started with 1 which will now be the
-  // most recent failure, so Server 1 (UDP) should be marked bad.
-  // Server 0 (UDP) should be good and since 2 is our only Doh server.
-  EXPECT_EQ(session_->NextGoodServerIndex(0), 0u);
-  EXPECT_EQ(session_->NextGoodServerIndex(1), 0u);
-  EXPECT_EQ(session_->NextGoodDnsOverHttpsServerIndex(2), 2u);
-  unsigned kOrder1[] = {
-      2, 0, 1, /* transaction0 */
-      2, 1, 0  /* transaction1 */
-  };
-  CheckServerOrder(kOrder1, base::size(kOrder1));
 }
 
 TEST_F(DnsTransactionTest, HttpsMarkHttpsBad) {
   config_.attempts = 1;
-  ConfigDohServers(false /* clear_udp */, true /* use_post */, 3);
+  ConfigDohServers(true /* use_post */, 3);
   AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::HTTPS);
+                           SYNCHRONOUS, Transport::HTTPS,
+                           nullptr /* opt_rdata */,
+                           DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndErrorResponse(0, kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::HTTPS);
+                           SYNCHRONOUS, Transport::HTTPS,
+                           nullptr /* opt_rdata */,
+                           DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), ASYNC, Transport::HTTPS);
+                      base::size(kT0ResponseDatagram), ASYNC, Transport::HTTPS,
+                      nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndErrorResponse(1, kT1HostName, kT1Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::HTTPS);
+                           SYNCHRONOUS, Transport::HTTPS,
+                           nullptr /* opt_rdata */,
+                           DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndErrorResponse(1, kT1HostName, kT1Qtype, ERR_CONNECTION_REFUSED,
-                           SYNCHRONOUS, Transport::HTTPS);
+                           SYNCHRONOUS, Transport::HTTPS,
+                           nullptr /* opt_rdata */,
+                           DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndResponse(1, kT1HostName, kT1Qtype, kT1ResponseDatagram,
-                      base::size(kT1ResponseDatagram), ASYNC, Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
-  TransactionHelper helper1(kT1HostName, kT1Qtype, kT1RecordCount,
-                            true /* expected_secure */);
+                      base::size(kT1ResponseDatagram), ASYNC, Transport::HTTPS,
+                      nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
+  TransactionHelper helper1(kT1HostName, kT1Qtype, true /* secure */,
+                            kT1RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
   // Server 0 is our only UDP server, so it will be good. HTTPS
   // servers 1 and 2 failed and will be marked bad. Server 3 succeeded
@@ -1798,52 +1716,37 @@ TEST_F(DnsTransactionTest, HttpsMarkHttpsBad) {
 }
 
 TEST_F(DnsTransactionTest, HttpsPostFailThenHTTPFallback) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */, 2);
+  ConfigDohServers(true /* use_post */, 2);
   AddQueryAndRcode(kT0HostName, kT0Qtype, dns_protocol::kRcodeSERVFAIL, ASYNC,
-                   Transport::HTTPS);
+                   Transport::HTTPS,
+                   DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-  unsigned kOrder0[] = {0, 1};
-  CheckServerOrder(kOrder0, base::size(kOrder0));
-}
-
-TEST_F(DnsTransactionTest, HttpsPostFailTwiceThenUDPFallback) {
-  config_.attempts = 3;
-  ConfigDohServers(false /* clear_udp */, true /* use_post */, 2);
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
-                      base::size(kT0ResponseDatagram), ASYNC, Transport::UDP);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
-  SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailStart));
-  EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-  unsigned kOrder0[] = {1, 2, 0};
+  unsigned kOrder0[] = {1, 2};
   CheckServerOrder(kOrder0, base::size(kOrder0));
 }
 
 TEST_F(DnsTransactionTest, HttpsPostFailTwice) {
-  config_.attempts = 2;
-  ConfigDohServers(true /* clear_udp */, true /* use_post */, 2);
+  config_.attempts = 3;
+  ConfigDohServers(true /* use_post */, 2);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_FAILED,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_FAILED);
   SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailStart));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
-  unsigned kOrder0[] = {0, 1};
+  unsigned kOrder0[] = {1, 2};
   CheckServerOrder(kOrder0, base::size(kOrder0));
 }
 
@@ -1881,17 +1784,19 @@ class CookieCallback {
 };
 
 TEST_F(DnsTransactionTest, HttpsPostTestNoCookies) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndResponse(1, kT1HostName, kT1Qtype, kT1ResponseDatagram,
                       base::size(kT1ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
-  TransactionHelper helper1(kT1HostName, kT1Qtype, kT1RecordCount,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
+  TransactionHelper helper1(kT1HostName, kT1Qtype, true /* secure */,
+                            kT1RecordCount);
   SetResponseModifierCallback(base::BindRepeating(MakeResponseWithCookie));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 
@@ -1919,12 +1824,13 @@ void MakeResponseWithoutLength(URLRequest* request, HttpResponseInfo* info) {
 }
 
 TEST_F(DnsTransactionTest, HttpsPostNoContentLength) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   SetResponseModifierCallback(base::BindRepeating(MakeResponseWithoutLength));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
@@ -1935,12 +1841,13 @@ void MakeResponseWithBadRequestResponse(URLRequest* request,
 }
 
 TEST_F(DnsTransactionTest, HttpsPostWithBadRequestResponse) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   SetResponseModifierCallback(
       base::BindRepeating(MakeResponseWithBadRequestResponse));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
@@ -1952,12 +1859,13 @@ void MakeResponseWrongType(URLRequest* request, HttpResponseInfo* info) {
 }
 
 TEST_F(DnsTransactionTest, HttpsPostWithWrongType) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   SetResponseModifierCallback(base::BindRepeating(MakeResponseWrongType));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
@@ -1971,15 +1879,17 @@ void MakeResponseRedirect(URLRequest* request, HttpResponseInfo* info) {
 }
 
 TEST_F(DnsTransactionTest, HttpsGetRedirect) {
-  ConfigDohServers(true /* clear_udp */, false /* use_post */);
+  ConfigDohServers(false /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   SetResponseModifierCallback(base::BindRepeating(MakeResponseRedirect));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
@@ -1989,24 +1899,26 @@ void MakeResponseNoType(URLRequest* request, HttpResponseInfo* info) {
 }
 
 TEST_F(DnsTransactionTest, HttpsPostWithNoType) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   SetResponseModifierCallback(base::BindRepeating(MakeResponseNoType));
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, CanLookupDohServerName) {
   config_.search.push_back("http");
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndErrorResponse(0, kMockHostname, dns_protocol::kTypeA,
-                           ERR_NAME_NOT_RESOLVED, SYNCHRONOUS,
-                           Transport::HTTPS);
-  TransactionHelper helper0("mock", dns_protocol::kTypeA, ERR_NAME_NOT_RESOLVED,
-                            true /* expected_secure */);
+                           ERR_NAME_NOT_RESOLVED, SYNCHRONOUS, Transport::HTTPS,
+                           nullptr /* opt_rdata */,
+                           DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0("mock", dns_protocol::kTypeA, true /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
@@ -2021,8 +1933,7 @@ class CountingObserver : public net::NetLog::ThreadSafeObserver {
 
   void OnAddEntry(const NetLogEntry& entry) override {
     ++count_;
-    base::Value value = entry.ParametersToValue();
-    if (!value.is_none() && value.is_dict())
+    if (!entry.params.is_none() && entry.params.is_dict())
       dict_count_++;
   }
 
@@ -2036,15 +1947,15 @@ class CountingObserver : public net::NetLog::ThreadSafeObserver {
 };
 
 TEST_F(DnsTransactionTest, HttpsPostLookupWithLog) {
-  ConfigDohServers(true /* clear_udp */, true /* use_post */);
+  ConfigDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), SYNCHRONOUS,
-                      Transport::HTTPS);
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            true /* expected_secure */);
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            kT0RecordCount);
   CountingObserver observer;
-  helper0.net_log()->AddObserver(&observer,
-                                 NetLogCaptureMode::IncludeSocketBytes());
+  helper0.net_log()->AddObserver(&observer, NetLogCaptureMode::kEverything);
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
   base::RunLoop().RunUntilIdle();
   EXPECT_EQ(observer.count(), 5);
@@ -2057,8 +1968,8 @@ TEST_F(DnsTransactionTest, TCPLookup) {
   AddQueryAndResponse(0 /* id */, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       base::size(kT0ResponseDatagram), ASYNC, Transport::TCP);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -2068,8 +1979,8 @@ TEST_F(DnsTransactionTest, TCPFailure) {
   AddQueryAndRcode(kT0HostName, kT0Qtype, dns_protocol::kRcodeSERVFAIL, ASYNC,
                    Transport::TCP);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_SERVER_FAILED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_DNS_SERVER_FAILED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
   ASSERT_NE(helper0.response(), nullptr);
   EXPECT_EQ(helper0.response()->rcode(), dns_protocol::kRcodeSERVFAIL);
@@ -2091,8 +2002,8 @@ TEST_F(DnsTransactionTest, TCPMalformed) {
       ASYNC, static_cast<uint16_t>(kT0QuerySize - 1));
   AddSocketData(std::move(data));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_MALFORMED_RESPONSE,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_DNS_MALFORMED_RESPONSE);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -2103,8 +2014,8 @@ TEST_F(DnsTransactionTestWithMockTime, TCPTimeout) {
   AddSocketData(std::make_unique<DnsSocketData>(
       1 /* id */, kT0HostName, kT0Qtype, ASYNC, Transport::TCP));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_DNS_TIMED_OUT,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_DNS_TIMED_OUT);
   EXPECT_FALSE(helper0.Run(transaction_factory_.get()));
   FastForwardUntilNoTasksRemain();
   EXPECT_TRUE(helper0.has_completed());
@@ -2125,8 +2036,8 @@ TEST_F(DnsTransactionTest, TCPReadReturnsZeroAsync) {
   data->AddReadError(0, ASYNC);
   AddSocketData(std::move(data));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_CONNECTION_CLOSED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_CONNECTION_CLOSED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -2145,8 +2056,8 @@ TEST_F(DnsTransactionTest, TCPReadReturnsZeroSynchronous) {
   data->AddReadError(0, SYNCHRONOUS);
   AddSocketData(std::move(data));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_CONNECTION_CLOSED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_CONNECTION_CLOSED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -2158,8 +2069,8 @@ TEST_F(DnsTransactionTest, TCPConnectionClosedAsync) {
   data->AddReadError(ERR_CONNECTION_CLOSED, ASYNC);
   AddSocketData(std::move(data));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_CONNECTION_CLOSED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_CONNECTION_CLOSED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -2171,8 +2082,8 @@ TEST_F(DnsTransactionTest, TCPConnectionClosedSynchronous) {
   data->AddReadError(ERR_CONNECTION_CLOSED, SYNCHRONOUS);
   AddSocketData(std::move(data));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_CONNECTION_CLOSED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_CONNECTION_CLOSED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -2194,8 +2105,8 @@ TEST_F(DnsTransactionTest, MismatchedThenNxdomainThenTCP) {
   tcp_data->AddReadError(ERR_CONNECTION_CLOSED, SYNCHRONOUS);
   AddSocketData(std::move(tcp_data));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_NAME_NOT_RESOLVED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_NAME_NOT_RESOLVED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -2219,8 +2130,8 @@ TEST_F(DnsTransactionTest, MismatchedThenOkThenTCP) {
   tcp_data->AddReadError(ERR_CONNECTION_CLOSED, SYNCHRONOUS);
   AddSocketData(std::move(tcp_data));
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, kT0RecordCount,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            kT0RecordCount);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
@@ -2261,20 +2172,20 @@ TEST_F(DnsTransactionTest, MismatchedThenRefusedThenTCP) {
   AddQueryAndErrorResponse(0 /* id */, kT0HostName, kT0Qtype,
                            ERR_CONNECTION_REFUSED, SYNCHRONOUS, Transport::UDP);
 
-  TransactionHelper helper0(kT0HostName, kT0Qtype, ERR_CONNECTION_REFUSED,
-                            false /* expected_secure */);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, false /* secure */,
+                            ERR_CONNECTION_REFUSED);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 }
 
 TEST_F(DnsTransactionTest, InvalidQuery) {
   ConfigureFactory();
 
-  TransactionHelper helper0(".", dns_protocol::kTypeA, ERR_INVALID_ARGUMENT,
-                            false /* expected_secure */);
+  TransactionHelper helper0(".", dns_protocol::kTypeA, false /* secure */,
+                            ERR_INVALID_ARGUMENT);
   EXPECT_TRUE(helper0.Run(transaction_factory_.get()));
 
   TransactionHelper helper1("foo,bar.com", dns_protocol::kTypeA,
-                            ERR_INVALID_ARGUMENT, false /* expected_secure */);
+                            false /* secure */, ERR_INVALID_ARGUMENT);
   EXPECT_TRUE(helper1.Run(transaction_factory_.get()));
 }
 
diff --git a/chromium/net/dns/fuzzed_host_resolver_util.cc b/chromium/net/dns/fuzzed_host_resolver_util.cc
index ab59eef49a5..c384abf4ead 100644
--- a/chromium/net/dns/fuzzed_host_resolver_util.cc
+++ b/chromium/net/dns/fuzzed_host_resolver_util.cc
@@ -18,7 +18,6 @@
 #include "base/memory/ref_counted.h"
 #include "base/memory/weak_ptr.h"
 #include "base/single_thread_task_runner.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/address_list.h"
 #include "net/base/completion_once_callback.h"
@@ -39,18 +38,19 @@
 #include "net/log/net_log_with_source.h"
 #include "net/socket/datagram_server_socket.h"
 #include "net/socket/fuzzed_socket_factory.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace net {
 
 namespace {
 
 // Returns a fuzzed non-zero port number.
-uint16_t FuzzPort(base::FuzzedDataProvider* data_provider) {
+uint16_t FuzzPort(FuzzedDataProvider* data_provider) {
   return data_provider->ConsumeIntegral<uint16_t>();
 }
 
 // Returns a fuzzed IPv4 address.  Can return invalid / reserved addresses.
-IPAddress FuzzIPv4Address(base::FuzzedDataProvider* data_provider) {
+IPAddress FuzzIPv4Address(FuzzedDataProvider* data_provider) {
   return IPAddress(data_provider->ConsumeIntegral<uint8_t>(),
                    data_provider->ConsumeIntegral<uint8_t>(),
                    data_provider->ConsumeIntegral<uint8_t>(),
@@ -58,7 +58,7 @@ IPAddress FuzzIPv4Address(base::FuzzedDataProvider* data_provider) {
 }
 
 // Returns a fuzzed IPv6 address.  Can return invalid / reserved addresses.
-IPAddress FuzzIPv6Address(base::FuzzedDataProvider* data_provider) {
+IPAddress FuzzIPv6Address(FuzzedDataProvider* data_provider) {
   return IPAddress(data_provider->ConsumeIntegral<uint8_t>(),
                    data_provider->ConsumeIntegral<uint8_t>(),
                    data_provider->ConsumeIntegral<uint8_t>(),
@@ -79,7 +79,7 @@ IPAddress FuzzIPv6Address(base::FuzzedDataProvider* data_provider) {
 
 // Returns a fuzzed address, which can be either IPv4 or IPv6.  Can return
 // invalid / reserved addresses.
-IPAddress FuzzIPAddress(base::FuzzedDataProvider* data_provider) {
+IPAddress FuzzIPAddress(FuzzedDataProvider* data_provider) {
   if (data_provider->ConsumeBool())
     return FuzzIPv4Address(data_provider);
   return FuzzIPv6Address(data_provider);
@@ -93,7 +93,7 @@ class FuzzedHostResolverProc : public HostResolverProc {
   // happen if a request is issued but the code never waits for the result
   // before the test ends.
   explicit FuzzedHostResolverProc(
-      base::WeakPtr<base::FuzzedDataProvider> data_provider)
+      base::WeakPtr<FuzzedDataProvider> data_provider)
       : HostResolverProc(nullptr),
         data_provider_(data_provider),
         network_task_runner_(base::ThreadTaskRunnerHandle::Get()) {}
@@ -151,7 +151,7 @@ class FuzzedHostResolverProc : public HostResolverProc {
  private:
   ~FuzzedHostResolverProc() override = default;
 
-  base::WeakPtr<base::FuzzedDataProvider> data_provider_;
+  base::WeakPtr<FuzzedDataProvider> data_provider_;
 
   // Just used for thread-safety checks.
   scoped_refptr<base::SingleThreadTaskRunner> network_task_runner_;
@@ -172,10 +172,9 @@ const Error kMdnsErrors[] = {ERR_FAILED,
 // RecvFrom calls.
 class FuzzedMdnsSocket : public DatagramServerSocket {
  public:
-  explicit FuzzedMdnsSocket(base::FuzzedDataProvider* data_provider)
+  explicit FuzzedMdnsSocket(FuzzedDataProvider* data_provider)
       : data_provider_(data_provider),
-        local_address_(FuzzIPAddress(data_provider_), 5353),
-        weak_factory_(this) {}
+        local_address_(FuzzIPAddress(data_provider_), 5353) {}
 
   int Listen(const IPEndPoint& address) override { return OK; }
 
@@ -277,16 +276,16 @@ class FuzzedMdnsSocket : public DatagramServerSocket {
       std::move(callback).Run(data_provider_->PickValueInArray(kMdnsErrors));
   }
 
-  base::FuzzedDataProvider* const data_provider_;
+  FuzzedDataProvider* const data_provider_;
   const IPEndPoint local_address_;
   const NetLogWithSource net_log_;
 
-  base::WeakPtrFactory<FuzzedMdnsSocket> weak_factory_;
+  base::WeakPtrFactory<FuzzedMdnsSocket> weak_factory_{this};
 };
 
 class FuzzedMdnsSocketFactory : public MDnsSocketFactory {
  public:
-  explicit FuzzedMdnsSocketFactory(base::FuzzedDataProvider* data_provider)
+  explicit FuzzedMdnsSocketFactory(FuzzedDataProvider* data_provider)
       : data_provider_(data_provider) {}
 
   void CreateSockets(
@@ -297,7 +296,7 @@ class FuzzedMdnsSocketFactory : public MDnsSocketFactory {
   }
 
  private:
-  base::FuzzedDataProvider* const data_provider_;
+  FuzzedDataProvider* const data_provider_;
 };
 
 class FuzzedHostResolverManager : public HostResolverManager {
@@ -305,7 +304,7 @@ class FuzzedHostResolverManager : public HostResolverManager {
   // |data_provider| and |net_log| must outlive the FuzzedHostResolver.
   FuzzedHostResolverManager(const HostResolver::ManagerOptions& options,
                             NetLog* net_log,
-                            base::FuzzedDataProvider* data_provider)
+                            FuzzedDataProvider* data_provider)
       : HostResolverManager(options, net_log),
         data_provider_(data_provider),
         is_ipv6_reachable_(data_provider->ConsumeBool()),
@@ -348,7 +347,7 @@ class FuzzedHostResolverManager : public HostResolverManager {
     SetHaveOnlyLoopbackAddresses(data_provider_->ConsumeBool());
   }
 
-  base::FuzzedDataProvider* const data_provider_;
+  FuzzedDataProvider* const data_provider_;
 
   // Fixed value to be returned by IsIPv6Reachable.
   const bool is_ipv6_reachable_;
@@ -358,7 +357,7 @@ class FuzzedHostResolverManager : public HostResolverManager {
 
   NetLog* const net_log_;
 
-  base::WeakPtrFactory<base::FuzzedDataProvider> data_provider_weak_factory_;
+  base::WeakPtrFactory<FuzzedDataProvider> data_provider_weak_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(FuzzedHostResolverManager);
 };
@@ -424,7 +423,7 @@ void FuzzedHostResolverManager::SetDnsClientEnabled(bool enabled) {
 
   std::unique_ptr<DnsClient> dns_client = DnsClient::CreateClientForTesting(
       net_log_, &socket_factory_,
-      base::Bind(&base::FuzzedDataProvider::ConsumeIntegralInRange<int32_t>,
+      base::Bind(&FuzzedDataProvider::ConsumeIntegralInRange<int32_t>,
                  base::Unretained(data_provider_)));
   dns_client->SetConfig(config);
   HostResolverManager::SetDnsClientForTesting(std::move(dns_client));
@@ -435,7 +434,7 @@ void FuzzedHostResolverManager::SetDnsClientEnabled(bool enabled) {
 std::unique_ptr<ContextHostResolver> CreateFuzzedContextHostResolver(
     const HostResolver::ManagerOptions& options,
     NetLog* net_log,
-    base::FuzzedDataProvider* data_provider,
+    FuzzedDataProvider* data_provider,
     bool enable_caching) {
   // FuzzedHostResolverManager only handles fuzzing DnsClient when enabled
   // through SetDnsClientEnabled().
diff --git a/chromium/net/dns/fuzzed_host_resolver_util.h b/chromium/net/dns/fuzzed_host_resolver_util.h
index 5f6fbb12738..11ac006f040 100644
--- a/chromium/net/dns/fuzzed_host_resolver_util.h
+++ b/chromium/net/dns/fuzzed_host_resolver_util.h
@@ -9,9 +9,7 @@
 
 #include "net/dns/host_resolver.h"
 
-namespace base {
 class FuzzedDataProvider;
-}
 
 namespace net {
 
@@ -38,7 +36,7 @@ class NetLog;
 std::unique_ptr<ContextHostResolver> CreateFuzzedContextHostResolver(
     const HostResolver::ManagerOptions& options,
     NetLog* net_log,
-    base::FuzzedDataProvider* data_provider,
+    FuzzedDataProvider* data_provider,
     bool enable_caching);
 
 }  // namespace net
diff --git a/chromium/net/dns/host_cache.cc b/chromium/net/dns/host_cache.cc
index 1c33f8232cd..69b2be5d523 100644
--- a/chromium/net/dns/host_cache.cc
+++ b/chromium/net/dns/host_cache.cc
@@ -201,11 +201,6 @@ HostCache::Entry HostCache::Entry::MergeEntries(Entry front, Entry back) {
   return front;
 }
 
-NetLogParametersCallback HostCache::Entry::CreateNetLogCallback() const {
-  return base::BindRepeating(&HostCache::Entry::NetLogCallback,
-                             base::Unretained(this));
-}
-
 HostCache::Entry HostCache::Entry::CopyWithDefaultPort(uint16_t port) const {
   Entry copy(*this);
 
@@ -295,8 +290,7 @@ void HostCache::Entry::GetStaleness(base::TimeTicks now,
   out->stale_hits = stale_hits_;
 }
 
-base::Value HostCache::Entry::NetLogCallback(
-    NetLogCaptureMode capture_mode) const {
+base::Value HostCache::Entry::NetLogParams() const {
   return GetAsValue(false /* include_staleness */);
 }
 
diff --git a/chromium/net/dns/host_cache.h b/chromium/net/dns/host_cache.h
index e6616521277..6ab3f2bbdf3 100644
--- a/chromium/net/dns/host_cache.h
+++ b/chromium/net/dns/host_cache.h
@@ -34,7 +34,6 @@
 #include "net/dns/host_resolver_source.h"
 #include "net/dns/public/dns_query_type.h"
 #include "net/log/net_log_capture_mode.h"
-#include "net/log/net_log_parameters_callback.h"
 
 namespace base {
 class ListValue;
@@ -142,6 +141,10 @@ class NET_EXPORT HostCache {
     Entry& operator=(Entry&& entry);
 
     int error() const { return error_; }
+    bool did_complete() const {
+      return error_ != ERR_NETWORK_CHANGED &&
+             error_ != ERR_HOST_RESOLVER_QUEUE_TOO_LARGE;
+    }
     void set_error(int error) { error_ = error; }
     const base::Optional<AddressList>& addresses() const { return addresses_; }
     void set_addresses(const base::Optional<AddressList>& addresses) {
@@ -177,10 +180,8 @@ class NET_EXPORT HostCache {
     // from |back|. Fields that cannot be merged take precedence from |front|.
     static Entry MergeEntries(Entry front, Entry back);
 
-    // Creates a callback for use with the NetLog that returns a Value
-    // representation of the entry.  The callback must be destroyed before
-    // |this| is.
-    NetLogParametersCallback CreateNetLogCallback() const;
+    // Creates a value representation of the entry for use with NetLog.
+    base::Value NetLogParams() const;
 
     // Creates a copy of |this| with the port of all address and hostname values
     // set to |port| if the current port is 0. Preserves any non-zero ports.
@@ -219,7 +220,6 @@ class NET_EXPORT HostCache {
                       int network_changes,
                       EntryStaleness* out) const;
 
-    base::Value NetLogCallback(NetLogCaptureMode capture_mode) const;
     base::DictionaryValue GetAsValue(bool include_staleness) const;
 
     // The resolve results for this entry.
diff --git a/chromium/net/dns/host_resolver.cc b/chromium/net/dns/host_resolver.cc
index d09904be480..9eb7b2c1aa1 100644
--- a/chromium/net/dns/host_resolver.cc
+++ b/chromium/net/dns/host_resolver.cc
@@ -22,6 +22,9 @@
 
 namespace net {
 
+const size_t HostResolver::ManagerOptions::kDefaultRetryAttempts =
+    static_cast<size_t>(-1);
+
 std::unique_ptr<HostResolver> HostResolver::Factory::CreateResolver(
     HostResolverManager* manager,
     base::StringPiece host_mapping_rules,
diff --git a/chromium/net/dns/host_resolver.h b/chromium/net/dns/host_resolver.h
index f4cd24f2fdc..46550c38013 100644
--- a/chromium/net/dns/host_resolver.h
+++ b/chromium/net/dns/host_resolver.h
@@ -120,7 +120,7 @@ class NET_EXPORT HostResolver {
     static const size_t kDefaultParallelism = 0;
 
     // Set |max_system_retry_attempts| to this to select a default retry value.
-    static const size_t kDefaultRetryAttempts = static_cast<size_t>(-1);
+    static const size_t kDefaultRetryAttempts;
 
     // How many resolve requests will be allowed to run in parallel.
     // |kDefaultParallelism| for the resolver to choose a default value.
@@ -192,7 +192,9 @@ class NET_EXPORT HostResolver {
       ALLOWED,
 
       // Results may come from the host cache even if stale (by expiration or
-      // network changes).
+      // network changes). In secure dns AUTOMATIC mode, the cache is checked
+      // for both secure and insecure results prior to any secure DNS lookups to
+      // minimize response time.
       STALE_ALLOWED,
 
       // Results will not come from the host cache.
diff --git a/chromium/net/dns/host_resolver_manager.cc b/chromium/net/dns/host_resolver_manager.cc
index bfccb8b0041..b629c8b9663 100644
--- a/chromium/net/dns/host_resolver_manager.cc
+++ b/chromium/net/dns/host_resolver_manager.cc
@@ -80,7 +80,6 @@
 #include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_source_type.h"
 #include "net/log/net_log_with_source.h"
@@ -271,10 +270,9 @@ bool HaveOnlyLoopbackAddresses() {
 }
 
 // Creates NetLog parameters when the resolve failed.
-base::Value NetLogProcTaskFailedCallback(uint32_t attempt_number,
-                                         int net_error,
-                                         int os_error,
-                                         NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogProcTaskFailedParams(uint32_t attempt_number,
+                                       int net_error,
+                                       int os_error) {
   base::DictionaryValue dict;
   if (attempt_number)
     dict.SetInteger("attempt_number", attempt_number);
@@ -304,24 +302,19 @@ base::Value NetLogProcTaskFailedCallback(uint32_t attempt_number,
 }
 
 // Creates NetLog parameters when the DnsTask failed.
-base::Value NetLogDnsTaskFailedCallback(
-    int net_error,
-    int dns_error,
-    NetLogParametersCallback results_callback,
-    NetLogCaptureMode capture_mode) {
+base::Value NetLogDnsTaskFailedParams(const HostCache::Entry& results,
+                                      int dns_error) {
   base::DictionaryValue dict;
-  dict.SetInteger("net_error", net_error);
+  dict.SetInteger("net_error", results.error());
   if (dns_error)
     dict.SetInteger("dns_error", dns_error);
-  if (results_callback)
-    dict.SetKey("resolve_results", results_callback.Run(capture_mode));
+  dict.SetKey("resolve_results", results.NetLogParams());
   return std::move(dict);
 }
 
 // Creates NetLog parameters containing the information of the request. Use
 // NetLogRequestInfoCallback if the request is specified via RequestInfo.
-base::Value NetLogRequestCallback(const HostPortPair& host,
-                                  NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogRequestParams(const HostPortPair& host) {
   base::DictionaryValue dict;
 
   dict.SetString("host", host.ToString());
@@ -333,19 +326,17 @@ base::Value NetLogRequestCallback(const HostPortPair& host,
 }
 
 // Creates NetLog parameters for the creation of a HostResolverManager::Job.
-base::Value NetLogJobCreationCallback(const NetLogSource& source,
-                                      const std::string* host,
-                                      NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogJobCreationParams(const NetLogSource& source,
+                                    const std::string& host) {
   base::DictionaryValue dict;
   source.AddToEventParameters(&dict);
-  dict.SetString("host", *host);
+  dict.SetString("host", host);
   return std::move(dict);
 }
 
 // Creates NetLog parameters for HOST_RESOLVER_IMPL_JOB_ATTACH/DETACH events.
-base::Value NetLogJobAttachCallback(const NetLogSource& source,
-                                    RequestPriority priority,
-                                    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogJobAttachParams(const NetLogSource& source,
+                                  RequestPriority priority) {
   base::DictionaryValue dict;
   source.AddToEventParameters(&dict);
   dict.SetString("priority", RequestPriorityToString(priority));
@@ -353,14 +344,11 @@ base::Value NetLogJobAttachCallback(const NetLogSource& source,
 }
 
 // Creates NetLog parameters for the DNS_CONFIG_CHANGED event.
-base::Value NetLogDnsConfigCallback(const DnsConfig* config,
-                                    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogDnsConfigParams(const DnsConfig* config) {
   return base::Value::FromUniquePtrValue(config->ToValue());
 }
 
-base::Value NetLogIPv6AvailableCallback(bool ipv6_available,
-                                        bool cached,
-                                        NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogIPv6AvailableParams(bool ipv6_available, bool cached) {
   base::DictionaryValue dict;
   dict.SetBoolean("ipv6_available", ipv6_available);
   dict.SetBoolean("cached", cached);
@@ -375,7 +363,7 @@ base::Value NetLogIPv6AvailableCallback(bool ipv6_available,
 void LogStartRequest(const NetLogWithSource& source_net_log,
                      const HostPortPair& host) {
   source_net_log.BeginEvent(NetLogEventType::HOST_RESOLVER_IMPL_REQUEST,
-                            base::BindRepeating(&NetLogRequestCallback, host));
+                            [&] { return NetLogRequestParams(host); });
 }
 
 // Logs when a request has just completed (before its callback is run).
@@ -521,6 +509,13 @@ bool DnsServerSupportsDoh(const IPAddress& dns_server) {
          upgradable_servers->end();
 }
 
+void NetLogHostCacheEntry(const NetLogWithSource& net_log,
+                          NetLogEventType type,
+                          NetLogEventPhase phase,
+                          const HostCache::Entry& results) {
+  net_log.AddEntry(type, phase, [&] { return results.NetLogParams(); });
+}
+
 }  // namespace
 
 //-----------------------------------------------------------------------------
@@ -573,7 +568,30 @@ class HostResolverManager::RequestImpl
         priority_(parameters_.initial_priority),
         job_(nullptr),
         resolver_(resolver),
-        complete_(false) {}
+        complete_(false) {
+    // If the query name matches one of the DoH server names, set the
+    // secure_dns_mode_override field in ResolveHostParameters to OFF to avoid
+    // infinite recursion.
+    // TODO(crbug.com/878582): Add a URLRequest-level parameter to skip DoH that
+    // can be set when a URLRequest to a DoH server is built. This will avoid
+    // unnecessarily skipping DoH when a connection to the DoH server has been
+    // established but the query happens to be for a DoH server hostname.
+    DCHECK(resolver_);
+    if (resolver_->HaveDnsConfig()) {
+      std::unique_ptr<base::Value> dns_config =
+          resolver_->GetDnsConfigAsValue();
+      for (const base::Value& doh_server :
+           dns_config->FindKey("doh_servers")->GetList()) {
+        if (request_host_.host().compare(
+                GURL(GetURLFromTemplateWithoutParameters(
+                         doh_server.FindKey("server_template")->GetString()))
+                    .host()) == 0) {
+          parameters_.secure_dns_mode_override = DnsConfig::SecureDnsMode::OFF;
+          break;
+        }
+      }
+    }
+  }
 
   ~RequestImpl() override {
     DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -722,7 +740,7 @@ class HostResolverManager::RequestImpl
   const NetLogWithSource source_net_log_;
 
   const HostPortPair request_host_;
-  const ResolveHostParameters parameters_;
+  ResolveHostParameters parameters_;
   URLRequestContext* const request_context_;
   HostCache* const host_cache_;
   const HostResolverFlags host_resolver_flags_;
@@ -784,8 +802,7 @@ class HostResolverManager::ProcTask {
         proc_task_runner_(std::move(proc_task_runner)),
         attempt_number_(0),
         net_log_(job_net_log),
-        tick_clock_(tick_clock),
-        weak_ptr_factory_(this) {
+        tick_clock_(tick_clock) {
     DCHECK(callback_);
     if (!params_.resolver_proc.get())
       params_.resolver_proc = HostResolverProc::GetDefault();
@@ -837,8 +854,9 @@ class HostResolverManager::ProcTask {
                        params_.resolver_proc, network_task_runner_,
                        std::move(completion_callback)));
 
-    net_log_.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_ATTEMPT_STARTED,
-                      NetLog::IntCallback("attempt_number", attempt_number_));
+    net_log_.AddEventWithIntParams(
+        NetLogEventType::HOST_RESOLVER_IMPL_ATTEMPT_STARTED, "attempt_number",
+        attempt_number_);
 
     // If the results aren't received within a given time, RetryIfNotComplete
     // will start a new attempt if none of the outstanding attempts have
@@ -918,22 +936,21 @@ class HostResolverManager::ProcTask {
     // and retries.
     weak_ptr_factory_.InvalidateWeakPtrs();
 
-    NetLogParametersCallback net_log_callback;
-    NetLogParametersCallback attempt_net_log_callback;
     if (error != OK) {
-      net_log_callback = base::BindRepeating(&NetLogProcTaskFailedCallback, 0,
-                                             error, os_error);
-      attempt_net_log_callback = base::BindRepeating(
-          &NetLogProcTaskFailedCallback, attempt_number, error, os_error);
+      net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_IMPL_PROC_TASK, [&] {
+        return NetLogProcTaskFailedParams(0, error, os_error);
+      });
+      net_log_.AddEvent(
+          NetLogEventType::HOST_RESOLVER_IMPL_ATTEMPT_FINISHED, [&] {
+            return NetLogProcTaskFailedParams(attempt_number, error, os_error);
+          });
     } else {
-      net_log_callback = results.CreateNetLogCallback();
-      attempt_net_log_callback =
-          NetLog::IntCallback("attempt_number", attempt_number);
+      net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_IMPL_PROC_TASK,
+                        [&] { return results.NetLogParams(); });
+      net_log_.AddEventWithIntParams(
+          NetLogEventType::HOST_RESOLVER_IMPL_ATTEMPT_FINISHED,
+          "attempt_number", attempt_number);
     }
-    net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_IMPL_PROC_TASK,
-                      net_log_callback);
-    net_log_.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_ATTEMPT_FINISHED,
-                      attempt_net_log_callback);
 
     std::move(callback_).Run(error, results);
   }
@@ -968,7 +985,7 @@ class HostResolverManager::ProcTask {
   // Used to loop back from the blocking lookup attempt tasks as well as from
   // delayed retry tasks. Invalidate WeakPtrs on completion and cancellation to
   // cancel handling of such posted tasks.
-  base::WeakPtrFactory<ProcTask> weak_ptr_factory_;
+  base::WeakPtrFactory<ProcTask> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ProcTask);
 };
@@ -1005,7 +1022,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
           base::StringPiece hostname,
           DnsQueryType query_type,
           URLRequestContext* request_context,
-          bool allow_fallback_resolution,
+          bool secure,
           Delegate* delegate,
           const NetLogWithSource& job_net_log,
           const base::TickClock* tick_clock)
@@ -1013,7 +1030,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
         hostname_(hostname),
         query_type_(query_type),
         request_context_(request_context),
-        allow_fallback_resolution_(allow_fallback_resolution),
+        secure_(secure),
         delegate_(delegate),
         net_log_(job_net_log),
         num_completed_transactions_(0),
@@ -1022,8 +1039,6 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     DCHECK(delegate_);
   }
 
-  bool allow_fallback_resolution() const { return allow_fallback_resolution_; }
-
   bool needs_two_transactions() const {
     return query_type_ == DnsQueryType::UNSPECIFIED;
   }
@@ -1038,11 +1053,9 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     DCHECK(!transaction1_);
 
     net_log_.BeginEvent(NetLogEventType::HOST_RESOLVER_IMPL_DNS_TASK);
-    if (query_type_ == DnsQueryType::UNSPECIFIED) {
-      transaction1_ = CreateTransaction(DnsQueryType::A);
-    } else {
-      transaction1_ = CreateTransaction(query_type_);
-    }
+    transaction1_ = CreateTransaction(query_type_ == DnsQueryType::UNSPECIFIED
+                                          ? DnsQueryType::A
+                                          : query_type_);
     transaction1_->Start();
   }
 
@@ -1064,25 +1077,13 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
       DnsQueryType dns_query_type) {
     DCHECK(client_);
     DCHECK_NE(DnsQueryType::UNSPECIFIED, dns_query_type);
-    DnsConfig::SecureDnsMode secure_dns_mode =
-        DnsConfig::SecureDnsMode::AUTOMATIC;
-    // Downgrade to OFF mode if the query name for this attempt matches one of
-    // the DoH server names. This is needed to prevent infinite recursion.
-    DCHECK(client_->GetConfig());
-    for (auto& doh_server : client_->GetConfig()->dns_over_https_servers) {
-      if (hostname_.compare(GURL(GetURLFromTemplateWithoutParameters(
-                                     doh_server.server_template))
-                                .host()) == 0) {
-        secure_dns_mode = DnsConfig::SecureDnsMode::OFF;
-      }
-    }
     std::unique_ptr<DnsTransaction> trans =
         client_->GetTransactionFactory()->CreateTransaction(
             hostname_, DnsQueryTypeToQtype(dns_query_type),
             base::BindOnce(&DnsTask::OnTransactionComplete,
                            base::Unretained(this), tick_clock_->NowTicks(),
                            dns_query_type),
-            net_log_, secure_dns_mode, request_context_);
+            net_log_, secure_, request_context_);
     trans->SetRequestPriority(delegate_->priority());
     return trans;
   }
@@ -1091,12 +1092,11 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
                              DnsQueryType dns_query_type,
                              DnsTransaction* transaction,
                              int net_error,
-                             const DnsResponse* response,
-                             bool secure) {
+                             const DnsResponse* response) {
     DCHECK(transaction);
     if (net_error != OK && !(net_error == ERR_NAME_NOT_RESOLVED && response &&
                              response->IsValid())) {
-      OnFailure(net_error, DnsResponse::DNS_PARSE_OK, base::nullopt, secure);
+      OnFailure(net_error, DnsResponse::DNS_PARSE_OK, base::nullopt);
       return;
     }
 
@@ -1124,13 +1124,11 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     DCHECK_LT(parse_result, DnsResponse::DNS_PARSE_RESULT_MAX);
 
     if (results.error() != OK && results.error() != ERR_NAME_NOT_RESOLVED) {
-      OnFailure(results.error(), parse_result, results.GetOptionalTtl(),
-                secure);
+      OnFailure(results.error(), parse_result, results.GetOptionalTtl());
       return;
     }
 
     // Merge results with saved results from previous transactions.
-    DCHECK_EQ(saved_results_.has_value(), saved_secure_.has_value());
     if (saved_results_) {
       DCHECK(needs_two_transactions());
       DCHECK_GE(1u, num_completed_transactions_);
@@ -1152,10 +1150,6 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
           // Only expect address query types with multiple transactions.
           NOTREACHED();
       }
-      // If the earlier result was retrieved insecurely, the merged result
-      // should be stored accordingly.
-      if (!saved_secure_.value())
-        secure = false;
     }
 
     // If not all transactions are complete, the task cannot yet be completed
@@ -1163,7 +1157,6 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     ++num_completed_transactions_;
     if (needs_two_transactions() && num_completed_transactions_ == 1) {
       saved_results_ = std::move(results);
-      saved_secure_ = secure;
       delegate_->OnFirstDnsTransactionComplete();
       return;
     }
@@ -1177,11 +1170,11 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
       client_->GetAddressSorter()->Sort(
           results.addresses().value(),
           base::BindOnce(&DnsTask::OnSortComplete, AsWeakPtr(),
-                         tick_clock_->NowTicks(), std::move(results), secure));
+                         tick_clock_->NowTicks(), std::move(results), secure_));
       return;
     }
 
-    OnSuccess(results, secure);
+    OnSuccess(results);
   }
 
   DnsResponse::Result ParseAddressDnsResponse(const DnsResponse* response,
@@ -1392,7 +1385,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
 
     if (!success) {
       OnFailure(ERR_DNS_SORT_ERROR, DnsResponse::DNS_PARSE_OK,
-                results.GetOptionalTtl(), secure);
+                results.GetOptionalTtl());
       return;
     }
 
@@ -1402,27 +1395,24 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
         results.hostnames().value_or(std::vector<HostPortPair>()).empty()) {
       LOG(WARNING) << "Address list empty after RFC3484 sort";
       OnFailure(ERR_NAME_NOT_RESOLVED, DnsResponse::DNS_PARSE_OK,
-                results.GetOptionalTtl(), secure);
+                results.GetOptionalTtl());
       return;
     }
 
-    OnSuccess(results, secure);
+    OnSuccess(results);
   }
 
   void OnFailure(int net_error,
                  DnsResponse::Result parse_result,
-                 base::Optional<base::TimeDelta> ttl,
-                 bool secure) {
+                 base::Optional<base::TimeDelta> ttl) {
     DCHECK_NE(OK, net_error);
-
     HostCache::Entry results(net_error, HostCache::Entry::SOURCE_UNKNOWN);
 
-    net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_IMPL_DNS_TASK,
-                      base::Bind(&NetLogDnsTaskFailedCallback, results.error(),
-                                 parse_result, results.CreateNetLogCallback()));
+    net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_IMPL_DNS_TASK, [&] {
+      return NetLogDnsTaskFailedParams(results, parse_result);
+    });
 
     // If we have a TTL from a previously completed transaction, use it.
-    DCHECK_EQ(saved_results_.has_value(), saved_secure_.has_value());
     base::TimeDelta previous_transaction_ttl;
     if (saved_results_ && saved_results_.value().has_ttl() &&
         saved_results_.value().ttl() <
@@ -1436,18 +1426,14 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     } else if (ttl) {
       results.set_ttl(ttl.value());
     }
-    // If the earlier result was retrieved insecurely, any entry stored in the
-    // cache for this transaction should be stored with an insecure key.
-    if (saved_secure_ && !saved_secure_.value())
-      secure = false;
 
-    delegate_->OnDnsTaskComplete(task_start_time_, results, secure);
+    delegate_->OnDnsTaskComplete(task_start_time_, results, secure_);
   }
 
-  void OnSuccess(const HostCache::Entry& results, bool secure) {
-    net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_IMPL_DNS_TASK,
-                      results.CreateNetLogCallback());
-    delegate_->OnDnsTaskComplete(task_start_time_, results, secure);
+  void OnSuccess(const HostCache::Entry& results) {
+    NetLogHostCacheEntry(net_log_, NetLogEventType::HOST_RESOLVER_IMPL_DNS_TASK,
+                         NetLogEventPhase::END, results);
+    delegate_->OnDnsTaskComplete(task_start_time_, results, secure_);
   }
 
   DnsClient* client_;
@@ -1455,9 +1441,8 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
   const DnsQueryType query_type_;
   URLRequestContext* const request_context_;
 
-  // Whether resolution may fallback to other task types (e.g. ProcTask) on
-  // failure of this task.
-  bool allow_fallback_resolution_;
+  // Whether lookups in this DnsTask should occur using DoH or plaintext.
+  const bool secure_;
 
   // The listener to the results of this DnsTask.
   Delegate* delegate_;
@@ -1471,10 +1456,6 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
   // Result from previously completed transactions. Only set if a transaction
   // has completed while others are still in progress.
   base::Optional<HostCache::Entry> saved_results_;
-  // Whether the result from the previously completed transaction was retrieved
-  // securely. Only set if a transaction has completed while others are still
-  // in progress.
-  base::Optional<bool> saved_secure_;
 
   const base::TickClock* tick_clock_;
   base::TimeTicks task_start_time_;
@@ -1509,7 +1490,10 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       DnsQueryType query_type,
       HostResolverFlags host_resolver_flags,
       HostResolverSource requested_source,
+      ResolveHostParameters::CacheUsage cache_usage,
       URLRequestContext* request_context,
+      HostCache* host_cache,
+      std::deque<TaskType> tasks,
       RequestPriority priority,
       scoped_refptr<base::TaskRunner> proc_task_runner,
       const NetLogWithSource& source_net_log,
@@ -1519,7 +1503,11 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
         query_type_(query_type),
         host_resolver_flags_(host_resolver_flags),
         requested_source_(requested_source),
+        cache_usage_(cache_usage),
         request_context_(request_context),
+        host_cache_(host_cache),
+        tasks_(tasks),
+        job_running_(false),
         priority_tracker_(priority),
         proc_task_runner_(std::move(proc_task_runner)),
         had_non_speculative_request_(false),
@@ -1528,13 +1516,12 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
         tick_clock_(tick_clock),
         net_log_(
             NetLogWithSource::Make(source_net_log.net_log(),
-                                   NetLogSourceType::HOST_RESOLVER_IMPL_JOB)),
-        weak_ptr_factory_(this) {
+                                   NetLogSourceType::HOST_RESOLVER_IMPL_JOB)) {
     source_net_log.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_CREATE_JOB);
 
-    net_log_.BeginEvent(NetLogEventType::HOST_RESOLVER_IMPL_JOB,
-                        base::Bind(&NetLogJobCreationCallback,
-                                   source_net_log.source(), &hostname_));
+    net_log_.BeginEvent(NetLogEventType::HOST_RESOLVER_IMPL_JOB, [&] {
+      return NetLogJobCreationParams(source_net_log.source(), hostname_);
+    });
   }
 
   ~Job() override {
@@ -1583,20 +1570,24 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   }
 
   void AddRequest(RequestImpl* request) {
+    // Job currently assumes a 1:1 correspondence between URLRequestContext and
+    // HostCache. Since the URLRequestContext is part of the JobKey, any request
+    // added to any existing Job should share the same HostCache.
+    DCHECK_EQ(host_cache_, request->host_cache());
     DCHECK_EQ(hostname_, request->request_host().host());
 
     request->AssignJob(this);
 
     priority_tracker_.Add(request->priority());
 
-    request->source_net_log().AddEvent(
-        NetLogEventType::HOST_RESOLVER_IMPL_JOB_ATTACH,
-        net_log_.source().ToEventParametersCallback());
+    request->source_net_log().AddEventReferencingSource(
+        NetLogEventType::HOST_RESOLVER_IMPL_JOB_ATTACH, net_log_.source());
 
-    net_log_.AddEvent(
-        NetLogEventType::HOST_RESOLVER_IMPL_JOB_REQUEST_ATTACH,
-        base::Bind(&NetLogJobAttachCallback, request->source_net_log().source(),
-                   priority()));
+    net_log_.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_JOB_REQUEST_ATTACH,
+                      [&] {
+                        return NetLogJobAttachParams(
+                            request->source_net_log().source(), priority());
+                      });
 
     if (!request->parameters().is_speculative)
       had_non_speculative_request_ = true;
@@ -1624,10 +1615,11 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     LogCancelRequest(request->source_net_log());
 
     priority_tracker_.Remove(request->priority());
-    net_log_.AddEvent(
-        NetLogEventType::HOST_RESOLVER_IMPL_JOB_REQUEST_DETACH,
-        base::Bind(&NetLogJobAttachCallback, request->source_net_log().source(),
-                   priority()));
+    net_log_.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_JOB_REQUEST_DETACH,
+                      [&] {
+                        return NetLogJobAttachParams(
+                            request->source_net_log().source(), priority());
+                      });
 
     if (num_active_requests() > 0) {
       UpdatePriority();
@@ -1640,11 +1632,10 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     }
   }
 
-  // Called from AbortAllInProgressJobs. Completes all requests and destroys
+  // Called from AbortAllJobs. Completes all requests and destroys
   // the job. This currently assumes the abort is due to a network change.
   // TODO This should not delete |this|.
   void Abort() {
-    DCHECK(is_running());
     CompleteRequestsWithError(ERR_NETWORK_CHANGED);
   }
 
@@ -1656,19 +1647,26 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
                           error, fallback_only);
   }
 
-  // If DnsTask present, abort it. Depending on task settings, either fall back
-  // to ProcTask or abort the job entirely. Warning, aborting a job may cause
-  // other jobs to be aborted, thus |jobs_| may be unpredictably changed by
-  // calling this method.
-  //
-  // |error| is the net error that will be returned to requests if this method
-  // results in completely aborting the job.
+  // Aborts or removes any current/future DnsTasks if a ProcTask is available
+  // for fallback. If no fallback is available and |fallback_only| is false, a
+  // job that is currently running a DnsTask will be completed with |error|.
   void AbortDnsTask(int error, bool fallback_only) {
+    bool has_proc_fallback =
+        std::find(tasks_.begin(), tasks_.end(), TaskType::PROC) != tasks_.end();
+    if (has_proc_fallback) {
+      for (auto it = tasks_.begin(); it != tasks_.end();) {
+        if (*it == TaskType::DNS || *it == TaskType::SECURE_DNS)
+          it = tasks_.erase(it);
+        else
+          ++it;
+      }
+    }
+
     if (dns_task_) {
-      if (dns_task_->allow_fallback_resolution()) {
+      if (has_proc_fallback) {
         KillDnsTask();
         dns_task_error_ = OK;
-        StartProcTask();
+        RunNextTask();
       } else if (!fallback_only) {
         CompleteRequestsWithError(error);
       }
@@ -1732,9 +1730,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
 
   bool is_queued() const { return !handle_.is_null(); }
 
-  bool is_running() const {
-    return is_dns_running() || is_mdns_running() || is_proc_running();
-  }
+  bool is_running() const { return job_running_; }
 
  private:
   HostCache::Key GenerateCacheKey(bool secure) const {
@@ -1772,6 +1768,58 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       handle_ = resolver_->dispatcher_->ChangePriority(handle_, priority());
   }
 
+  void RunNextTask() {
+    // If there are no tasks left to try, cache any stored results and complete
+    // the request with the last stored result. All stored results should be
+    // errors.
+    if (tasks_.empty()) {
+      // If there are no stored results, complete with an error.
+      if (completion_results_.size() == 0) {
+        CompleteRequestsWithError(ERR_NAME_NOT_RESOLVED);
+        return;
+      }
+
+      // Cache all but the last result here. The last result will be cached
+      // as part of CompleteRequests.
+      for (size_t i = 0; i < completion_results_.size() - 1; ++i) {
+        const auto& result = completion_results_[i];
+        DCHECK_NE(OK, result.entry.error());
+        MaybeCacheResult(result.entry, result.ttl, result.secure);
+      }
+      const auto& last_result = completion_results_.back();
+      DCHECK_NE(OK, last_result.entry.error());
+      CompleteRequests(last_result.entry, last_result.ttl,
+                       true /* allow_cache */, last_result.secure);
+      return;
+    }
+
+    TaskType next_task = tasks_.front();
+    tasks_.pop_front();
+    switch (next_task) {
+      case TaskType::PROC:
+        StartProcTask();
+        break;
+      case TaskType::DNS:
+        StartDnsTask(false /* secure */);
+        break;
+      case TaskType::SECURE_DNS:
+        StartDnsTask(true /* secure */);
+        break;
+      case TaskType::MDNS:
+        StartMdnsTask();
+        break;
+      case TaskType::INSECURE_CACHE_LOOKUP:
+        InsecureCacheLookup();
+        break;
+      case TaskType::SECURE_CACHE_LOOKUP:
+      case TaskType::CACHE_LOOKUP:
+        // These task types should have been handled synchronously in
+        // ResolveLocally() prior to Job creation.
+        NOTREACHED();
+        break;
+    }
+  }
+
   // PriorityDispatch::Job:
   void Start() override {
     DCHECK_LE(num_occupied_job_slots_, 1u);
@@ -1785,47 +1833,12 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     }
 
     DCHECK(!is_running());
+    job_running_ = true;
 
     net_log_.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_JOB_STARTED);
-
     start_time_ = tick_clock_->NowTicks();
-
-    switch (requested_source_) {
-      case HostResolverSource::ANY:
-        // Force address queries with canonname to use ProcTask to counter poor
-        // CNAME support in DnsTask. See https://crbug.com/872665
-        //
-        // Otherwise, default to DnsTask (with allowed fallback to ProcTask for
-        // address queries). But if hostname appears to be an MDNS name (ends in
-        // *.local), go with ProcTask for address queries and MdnsTask for non-
-        // address queries.
-        if ((host_resolver_flags_ & HOST_RESOLVER_CANONNAME) &&
-            IsAddressType(query_type_)) {
-          StartProcTask();
-        } else if (!ResemblesMulticastDNSName(hostname_)) {
-          StartDnsTask(
-              IsAddressType(query_type_) /* allow_fallback_resolution */);
-        } else if (IsAddressType(query_type_)) {
-          StartProcTask();
-        } else {
-          StartMdnsTask();
-        }
-        break;
-      case HostResolverSource::SYSTEM:
-        StartProcTask();
-        break;
-      case HostResolverSource::DNS:
-        StartDnsTask(false /* allow_fallback_resolution */);
-        break;
-      case HostResolverSource::MULTICAST_DNS:
-        StartMdnsTask();
-        break;
-      case HostResolverSource::LOCAL_ONLY:
-        // If no external source allowed, a job should not be created or started
-        NOTREACHED();
-        break;
-    }
-
+    DCHECK(!tasks_.empty());
+    RunNextTask();
     // Caution: Job::Start must not complete synchronously.
   }
 
@@ -1834,7 +1847,6 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   // ThreadPool threads low, we will need to use an "inner"
   // PrioritizedDispatcher with tighter limits.
   void StartProcTask() {
-    DCHECK(!is_running());
     DCHECK(IsAddressType(query_type_));
 
     proc_task_ = std::make_unique<ProcTask>(
@@ -1853,7 +1865,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   void OnProcTaskComplete(base::TimeTicks start_time,
                           int net_error,
                           const AddressList& addr_list) {
-    DCHECK(is_proc_running());
+    DCHECK(proc_task_);
 
     if (dns_task_error_ != OK) {
       // This ProcTask was a fallback resolution after a failed DnsTask.
@@ -1882,20 +1894,31 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
         ttl, true /* allow_cache */, false /* secure */);
   }
 
-  void StartDnsTask(bool allow_fallback_resolution) {
-    if ((!resolver_->HaveDnsConfig() || resolver_->use_proctask_by_default_) &&
-        allow_fallback_resolution) {
-      // DnsClient or config is not available, but we're allowed to switch to
-      // ProcTask instead.
-      StartProcTask();
-      return;
+  void InsecureCacheLookup() {
+    // Insecure cache lookups for requests allowing stale results should have
+    // occurred prior to Job creation.
+    DCHECK(cache_usage_ != ResolveHostParameters::CacheUsage::STALE_ALLOWED);
+    base::Optional<HostCache::EntryStaleness> stale_info;
+    base::Optional<HostCache::Entry> resolved = resolver_->MaybeServeFromCache(
+        host_cache_, GenerateCacheKey(false), cache_usage_,
+        false /* ignore_secure */, net_log_, &stale_info);
+
+    if (resolved) {
+      DCHECK(stale_info);
+      DCHECK(!stale_info.value().is_stale());
+      CompleteRequestsWithoutCache(resolved.value(), std::move(stale_info));
+    } else {
+      RunNextTask();
     }
+  }
 
+  void StartDnsTask(bool secure) {
+    DCHECK_EQ(1u, num_occupied_job_slots_);
     // Need to create the task even if we're going to post a failure instead of
     // running it, as a "started" job needs a task to be properly cleaned up.
-    dns_task_.reset(new DnsTask(
-        resolver_->dns_client_.get(), hostname_, query_type_, request_context_,
-        allow_fallback_resolution, this, net_log_, tick_clock_));
+    dns_task_.reset(new DnsTask(resolver_->dns_client_.get(), hostname_,
+                                query_type_, request_context_, secure, this,
+                                net_log_, tick_clock_));
 
     if (resolver_->HaveDnsConfig()) {
       dns_task_->StartFirstTransaction();
@@ -1911,11 +1934,12 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
               &Job::OnDnsTaskFailure, weak_ptr_factory_.GetWeakPtr(),
               dns_task_->AsWeakPtr(), base::TimeDelta(),
               HostCache::Entry(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN),
-              false /* secure */));
+              secure));
     }
   }
 
   void StartSecondDnsTransaction() {
+    DCHECK(dns_task_);
     DCHECK(dns_task_->needs_two_transactions());
     dns_task_->StartSecondTransaction();
   }
@@ -1935,29 +1959,27 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       return;
 
     if (duration < base::TimeDelta::FromMilliseconds(10)) {
-      base::UmaHistogramSparse("Net.DNS.DnsTask.ErrorBeforeFallback.Fast",
-                               std::abs(failure_results.error()));
+      base::UmaHistogramSparse(
+          secure ? "Net.DNS.SecureDnsTask.ErrorBeforeFallback.Fast"
+                 : "Net.DNS.DnsTask.ErrorBeforeFallback.Fast",
+          std::abs(failure_results.error()));
     } else {
-      base::UmaHistogramSparse("Net.DNS.DnsTask.ErrorBeforeFallback.Slow",
-                               std::abs(failure_results.error()));
+      base::UmaHistogramSparse(
+          secure ? "Net.DNS.SecureDnsTask.ErrorBeforeFallback.Slow"
+                 : "Net.DNS.DnsTask.ErrorBeforeFallback.Slow",
+          std::abs(failure_results.error()));
     }
-    dns_task_error_ = failure_results.error();
 
-    // TODO(szym): Run ServeFromHosts now if nsswitch.conf says so.
-    // http://crbug.com/117655
+    // If one of the fallback tasks doesn't complete the request, store a result
+    // to use during request completion.
+    base::TimeDelta ttl = failure_results.has_ttl()
+                              ? failure_results.ttl()
+                              : base::TimeDelta::FromSeconds(0);
+    completion_results_.push_back({failure_results, ttl, secure});
 
-    // TODO(szym): Some net errors indicate lack of connectivity. Starting
-    // ProcTask in that case is a waste of time.
-    if (resolver_->allow_fallback_to_proctask_ &&
-        dns_task->allow_fallback_resolution()) {
-      KillDnsTask();
-      StartProcTask();
-    } else {
-      base::TimeDelta ttl = failure_results.has_ttl()
-                                ? failure_results.ttl()
-                                : base::TimeDelta::FromSeconds(0);
-      CompleteRequests(failure_results, ttl, true /* allow_cache */, secure);
-    }
+    dns_task_error_ = failure_results.error();
+    KillDnsTask();
+    RunNextTask();
   }
 
   // HostResolverManager::DnsTask::Delegate implementation:
@@ -1965,7 +1987,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   void OnDnsTaskComplete(base::TimeTicks start_time,
                          const HostCache::Entry& results,
                          bool secure) override {
-    DCHECK(is_dns_running());
+    DCHECK(dns_task_);
 
     base::TimeDelta duration = tick_clock_->NowTicks() - start_time;
     if (results.error() != OK) {
@@ -2003,8 +2025,6 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   }
 
   void StartMdnsTask() {
-    DCHECK(!is_running());
-
     // No flags are supported for MDNS except
     // HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6 (which is not actually an
     // input flag).
@@ -2037,7 +2057,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   }
 
   void OnMdnsTaskComplete() {
-    DCHECK(is_mdns_running());
+    DCHECK(mdns_task_);
     // TODO(crbug.com/846423): Consider adding MDNS-specific logging.
 
     HostCache::Entry results = mdns_task_->GetResults();
@@ -2047,12 +2067,12 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     } else {
       // MDNS uses a separate cache, so skip saving result to cache.
       // TODO(crbug.com/926300): Consider merging caches.
-      CompleteRequestsWithoutCache(results);
+      CompleteRequestsWithoutCache(results, base::nullopt /* stale_info */);
     }
   }
 
   void OnMdnsImmediateFailure(int rv) {
-    DCHECK(is_mdns_running());
+    DCHECK(mdns_task_);
     DCHECK_NE(OK, rv);
 
     CompleteRequestsWithError(rv);
@@ -2138,6 +2158,16 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     }
   }
 
+  void MaybeCacheResult(const HostCache::Entry& results,
+                        base::TimeDelta ttl,
+                        bool secure) {
+    // If the request did not complete, don't cache it.
+    if (!results.did_complete())
+      return;
+    HostCache::Key cache_key = GenerateCacheKey(secure);
+    resolver_->CacheResult(host_cache_, cache_key, results, ttl);
+  }
+
   // Performs Job's last rites. Completes all Requests. Deletes this.
   //
   // If not |allow_cache|, result will not be stored in the host cache, even if
@@ -2163,6 +2193,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       mdns_task_ = nullptr;
 
       // Signal dispatcher that a slot has opened.
+      DCHECK_EQ(1u, num_occupied_job_slots_);
       resolver_->dispatcher_->OnJobFinished();
     } else if (is_queued()) {
       resolver_->dispatcher_->Cancel(handle_);
@@ -2181,24 +2212,10 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
 
     DCHECK(!requests_.empty());
 
-    bool did_complete = (results.error() != ERR_NETWORK_CHANGED) &&
-                        (results.error() != ERR_HOST_RESOLVER_QUEUE_TOO_LARGE);
-
     // Handle all caching before completing requests as completing requests may
     // start new requests that rely on cached results.
-    if (did_complete && allow_cache) {
-      // Multiple requests will usually share caches, so avoid duplicate cache
-      // adds.
-      std::set<HostCache*> caches;
-      for (auto* node = requests_.head(); node != requests_.end();
-           node = node->next()) {
-        if (node->value()->host_cache())
-          caches.insert(node->value()->host_cache());
-      }
-      HostCache::Key cache_key = GenerateCacheKey(secure);
-      for (HostCache* cache : caches)
-        resolver_->CacheResult(cache, cache_key, results, ttl);
-    }
+    if (allow_cache)
+      MaybeCacheResult(results, ttl, secure);
 
     RecordJobHistograms(results.error());
 
@@ -2210,7 +2227,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       DCHECK_EQ(this, req->job());
       // Update the net log and notify registered observers.
       LogFinishRequest(req->source_net_log(), results.error());
-      if (did_complete) {
+      if (results.did_complete()) {
         // Record effective total time from creation to completion.
         resolver_->RecordTotalTime(
             req->parameters().is_speculative, false /* from_cache */,
@@ -2229,7 +2246,17 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     }
   }
 
-  void CompleteRequestsWithoutCache(const HostCache::Entry& results) {
+  void CompleteRequestsWithoutCache(
+      const HostCache::Entry& results,
+      base::Optional<HostCache::EntryStaleness> stale_info) {
+    // Record the stale_info for all non-speculative requests, if it exists.
+    if (stale_info) {
+      for (auto* node = requests_.head(); node != requests_.end();
+           node = node->next()) {
+        if (!node->value()->parameters().is_speculative)
+          node->value()->set_stale_info(std::move(stale_info).value());
+      }
+    }
     CompleteRequests(results, base::TimeDelta(), false /* allow_cache */,
                      false /* secure */);
   }
@@ -2249,19 +2276,34 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   // Number of non-canceled requests in |requests_|.
   size_t num_active_requests() const { return priority_tracker_.total_count(); }
 
-  bool is_dns_running() const { return !!dns_task_; }
-
-  bool is_mdns_running() const { return !!mdns_task_; }
-
-  bool is_proc_running() const { return !!proc_task_; }
-
   base::WeakPtr<HostResolverManager> resolver_;
 
   const std::string hostname_;
   const DnsQueryType query_type_;
   const HostResolverFlags host_resolver_flags_;
   const HostResolverSource requested_source_;
+  const ResolveHostParameters::CacheUsage cache_usage_;
   URLRequestContext* const request_context_;
+  // TODO(crbug.com/969847): Consider allowing requests within a single Job to
+  // have different HostCaches.
+  HostCache* const host_cache_;
+
+  struct CompletionResult {
+    const HostCache::Entry entry;
+    base::TimeDelta ttl;
+    bool secure;
+  };
+
+  // Results to use in last-ditch attempt to complete request.
+  std::vector<CompletionResult> completion_results_;
+
+  // The sequence of tasks to run in this Job. Tasks may be aborted and removed
+  // from the sequence, but otherwise the tasks will run in order until a
+  // successful result is found.
+  std::deque<TaskType> tasks_;
+
+  // Whether the job is running.
+  bool job_running_;
 
   // Tracks the highest priority across |requests_|.
   PriorityTracker priority_tracker_;
@@ -2300,7 +2342,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   // Iterator to |this| in the JobMap. |nullopt| if not owned by the JobMap.
   base::Optional<JobMap::iterator> self_iterator_;
 
-  base::WeakPtrFactory<Job> weak_ptr_factory_;
+  base::WeakPtrFactory<Job> weak_ptr_factory_{this};
 };
 
 //-----------------------------------------------------------------------------
@@ -2324,9 +2366,7 @@ HostResolverManager::HostResolverManager(
       use_proctask_by_default_(false),
       allow_fallback_to_proctask_(true),
       tick_clock_(base::DefaultTickClock::GetInstance()),
-      invalidation_in_progress_(false),
-      weak_ptr_factory_(this),
-      probe_weak_ptr_factory_(this) {
+      invalidation_in_progress_(false) {
   PrioritizedDispatcher::Limits job_limits = GetDispatcherLimits(options);
   dispatcher_.reset(new PrioritizedDispatcher(job_limits));
   max_queued_jobs_ = job_limits.total_jobs * 100u;
@@ -2556,13 +2596,15 @@ int HostResolverManager::Resolve(RequestImpl* request) {
 
   DnsQueryType effective_query_type;
   HostResolverFlags effective_host_resolver_flags;
+  std::deque<TaskType> tasks;
   base::Optional<HostCache::EntryStaleness> stale_info;
   HostCache::Entry results = ResolveLocally(
       request->request_host().host(), request->parameters().dns_query_type,
       request->parameters().source, request->host_resolver_flags(),
+      request->parameters().secure_dns_mode_override,
       request->parameters().cache_usage, request->source_net_log(),
       request->host_cache(), &effective_query_type,
-      &effective_host_resolver_flags, &stale_info);
+      &effective_host_resolver_flags, &tasks, &stale_info);
   if (results.error() != ERR_DNS_CACHE_MISS ||
       request->parameters().source == HostResolverSource::LOCAL_ONLY) {
     if (results.error() == OK && !request->parameters().is_speculative) {
@@ -2577,8 +2619,9 @@ int HostResolverManager::Resolve(RequestImpl* request) {
     return results.error();
   }
 
-  int rv = CreateAndStartJob(effective_query_type,
-                             effective_host_resolver_flags, request);
+  int rv =
+      CreateAndStartJob(effective_query_type, effective_host_resolver_flags,
+                        std::move(tasks), request);
   // At this point, expect only async or errors.
   DCHECK_NE(OK, rv);
 
@@ -2590,11 +2633,13 @@ HostCache::Entry HostResolverManager::ResolveLocally(
     DnsQueryType dns_query_type,
     HostResolverSource source,
     HostResolverFlags flags,
+    base::Optional<DnsConfig::SecureDnsMode> secure_dns_mode_override,
     ResolveHostParameters::CacheUsage cache_usage,
     const NetLogWithSource& source_net_log,
     HostCache* cache,
     DnsQueryType* out_effective_query_type,
     HostResolverFlags* out_effective_host_resolver_flags,
+    std::deque<TaskType>* out_tasks,
     base::Optional<HostCache::EntryStaleness>* out_stale_info) {
   DCHECK(out_stale_info);
   *out_stale_info = base::nullopt;
@@ -2617,9 +2662,11 @@ HostCache::Entry HostResolverManager::ResolveLocally(
     }
   }
 
-  GetEffectiveParametersForRequest(dns_query_type, flags, ip_address_ptr,
-                                   source_net_log, out_effective_query_type,
-                                   out_effective_host_resolver_flags);
+  GetEffectiveParametersForRequest(
+      hostname, dns_query_type, source, flags, secure_dns_mode_override,
+      cache_usage, ip_address_ptr, source_net_log, out_effective_query_type,
+      out_effective_host_resolver_flags, out_tasks);
+
   bool resolve_canonname =
       *out_effective_host_resolver_flags & HOST_RESOLVER_CANONNAME;
   bool default_family_due_to_no_ipv6 =
@@ -2646,19 +2693,32 @@ HostCache::Entry HostResolverManager::ResolveLocally(
   if (resolved)
     return resolved.value();
 
-  if (cache_usage == ResolveHostParameters::CacheUsage::ALLOWED ||
-      cache_usage == ResolveHostParameters::CacheUsage::STALE_ALLOWED) {
+  // Do initial cache lookup.
+  if (!out_tasks->empty() &&
+      (out_tasks->front() == TaskType::SECURE_CACHE_LOOKUP ||
+       out_tasks->front() == TaskType::INSECURE_CACHE_LOOKUP ||
+       out_tasks->front() == TaskType::CACHE_LOOKUP)) {
     HostCache::Key key(hostname, *out_effective_query_type,
                        *out_effective_host_resolver_flags, source);
-    resolved = ServeFromCache(
-        cache, key,
-        cache_usage == ResolveHostParameters::CacheUsage::STALE_ALLOWED,
-        out_stale_info);
+
+    if (out_tasks->front() == TaskType::SECURE_CACHE_LOOKUP)
+      key.secure = true;
+
+    bool ignore_secure = false;
+    if (out_tasks->front() == TaskType::CACHE_LOOKUP)
+      ignore_secure = true;
+
+    out_tasks->pop_front();
+
+    resolved = MaybeServeFromCache(cache, key, cache_usage, ignore_secure,
+                                   source_net_log, out_stale_info);
     if (resolved) {
+      // |MaybeServeFromCache()| will update |*out_stale_info| as needed.
       DCHECK(out_stale_info->has_value());
-      source_net_log.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_CACHE_HIT,
-                              resolved.value().CreateNetLogCallback());
-      // |ServeFromCache()| will update |*stale_info| as needed.
+      NetLogHostCacheEntry(source_net_log,
+                           NetLogEventType::HOST_RESOLVER_IMPL_CACHE_HIT,
+                           NetLogEventPhase::NONE, resolved.value());
+
       return resolved.value();
     }
     DCHECK(!out_stale_info->has_value());
@@ -2669,8 +2729,9 @@ HostCache::Entry HostResolverManager::ResolveLocally(
   resolved = ServeFromHosts(hostname, *out_effective_query_type,
                             default_family_due_to_no_ipv6);
   if (resolved) {
-    source_net_log.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_HOSTS_HIT,
-                            resolved.value().CreateNetLogCallback());
+    NetLogHostCacheEntry(source_net_log,
+                         NetLogEventType::HOST_RESOLVER_IMPL_HOSTS_HIT,
+                         NetLogEventPhase::NONE, resolved.value());
     return resolved.value();
   }
 
@@ -2680,7 +2741,9 @@ HostCache::Entry HostResolverManager::ResolveLocally(
 int HostResolverManager::CreateAndStartJob(
     DnsQueryType effective_query_type,
     HostResolverFlags effective_host_resolver_flags,
+    std::deque<TaskType> tasks,
     RequestImpl* request) {
+  DCHECK(!tasks.empty());
   JobKey key = {request->request_host().host(), effective_query_type,
                 effective_host_resolver_flags, request->parameters().source,
                 request->request_context()};
@@ -2691,7 +2754,8 @@ int HostResolverManager::CreateAndStartJob(
     auto new_job = std::make_unique<Job>(
         weak_ptr_factory_.GetWeakPtr(), request->request_host().host(),
         effective_query_type, effective_host_resolver_flags,
-        request->parameters().source, request->request_context(),
+        request->parameters().source, request->parameters().cache_usage,
+        request->request_context(), request->host_cache(), std::move(tasks),
         request->priority(), proc_task_runner_, request->source_net_log(),
         tick_clock_);
     job = new_job.get();
@@ -2749,10 +2813,12 @@ base::Optional<HostCache::Entry> HostResolverManager::ResolveAsIP(
                           HostCache::Entry::SOURCE_UNKNOWN);
 }
 
-base::Optional<HostCache::Entry> HostResolverManager::ServeFromCache(
+base::Optional<HostCache::Entry> HostResolverManager::MaybeServeFromCache(
     HostCache* cache,
     const HostCache::Key& key,
-    bool allow_stale,
+    ResolveHostParameters::CacheUsage cache_usage,
+    bool ignore_secure,
+    const NetLogWithSource& source_net_log,
     base::Optional<HostCache::EntryStaleness>* out_stale_info) {
   DCHECK(out_stale_info);
   *out_stale_info = base::nullopt;
@@ -2760,6 +2826,9 @@ base::Optional<HostCache::Entry> HostResolverManager::ServeFromCache(
   if (!cache)
     return base::nullopt;
 
+  if (cache_usage == ResolveHostParameters::CacheUsage::DISALLOWED)
+    return base::nullopt;
+
   // Local-only requests search the cache for non-local-only results.
   HostCache::Key effective_key = key;
   if (effective_key.host_resolver_source == HostResolverSource::LOCAL_ONLY)
@@ -2767,19 +2836,23 @@ base::Optional<HostCache::Entry> HostResolverManager::ServeFromCache(
 
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
   HostCache::EntryStaleness staleness;
-  if (allow_stale) {
+  if (cache_usage == ResolveHostParameters::CacheUsage::STALE_ALLOWED) {
     cache_result = cache->LookupStale(effective_key, tick_clock_->NowTicks(),
-                                      &staleness, true /* ignore_secure */);
+                                      &staleness, ignore_secure);
   } else {
-    cache_result = cache->Lookup(effective_key, tick_clock_->NowTicks(),
-                                 true /* ignore_secure */);
+    DCHECK(cache_usage == ResolveHostParameters::CacheUsage::ALLOWED);
+    cache_result =
+        cache->Lookup(effective_key, tick_clock_->NowTicks(), ignore_secure);
     staleness = HostCache::kNotStale;
   }
-  if (!cache_result)
-    return base::nullopt;
-
-  *out_stale_info = std::move(staleness);
-  return cache_result->second;
+  if (cache_result) {
+    *out_stale_info = std::move(staleness);
+    NetLogHostCacheEntry(source_net_log,
+                         NetLogEventType::HOST_RESOLVER_IMPL_CACHE_HIT,
+                         NetLogEventPhase::NONE, cache_result->second);
+    return cache_result->second;
+  }
+  return base::nullopt;
 }
 
 base::Optional<HostCache::Entry> HostResolverManager::ServeFromHosts(
@@ -2915,17 +2988,166 @@ std::unique_ptr<HostResolverManager::Job> HostResolverManager::RemoveJob(
   return job;
 }
 
+bool HostResolverManager::HasAvailableDohServer() {
+  // TODO(crbug.com/878582): Once DoH probes are sent, update this such that a
+  // DoH server is considered successful if it has a successful probe state.
+  return dns_client_->GetConfig()->dns_over_https_servers.size() > 0;
+}
+
+DnsConfig::SecureDnsMode HostResolverManager::GetEffectiveSecureDnsMode(
+    base::Optional<DnsConfig::SecureDnsMode> secure_dns_mode_override) {
+  DnsConfig::SecureDnsMode secure_dns_mode = DnsConfig::SecureDnsMode::OFF;
+  if (secure_dns_mode_override) {
+    secure_dns_mode = secure_dns_mode_override.value();
+  } else if (HaveDnsConfig()) {
+    secure_dns_mode = dns_client_->GetConfig()->secure_dns_mode;
+  }
+  return secure_dns_mode;
+}
+
+void HostResolverManager::PushDnsTasks(
+    bool allow_proc_fallback,
+    DnsConfig::SecureDnsMode secure_dns_mode,
+    ResolveHostParameters::CacheUsage cache_usage,
+    std::deque<TaskType>* out_tasks) {
+  bool allow_cache =
+      cache_usage != ResolveHostParameters::CacheUsage::DISALLOWED;
+  // Upgrade the insecure DnsTask depending on the secure dns mode.
+  switch (secure_dns_mode) {
+    case DnsConfig::SecureDnsMode::SECURE:
+      DCHECK(dns_client_->GetConfig()->dns_over_https_servers.size() != 0);
+      // Replace the insecure DnsTask with a secure cache lookup followed
+      // by a secure DnsTask.
+      if (allow_cache)
+        out_tasks->push_back(TaskType::SECURE_CACHE_LOOKUP);
+      out_tasks->push_back(TaskType::SECURE_DNS);
+      break;
+    case DnsConfig::SecureDnsMode::AUTOMATIC:
+      // TODO(crbug.com/878582): For a DnsTask in AUTOMATIC mode, the async
+      // resolver should only send insecure requests if it is enabled on this
+      // platform.
+      if (!HasAvailableDohServer()) {
+        // Don't run a secure DnsTask if there are no available DoH servers.
+        if (allow_cache)
+          out_tasks->push_back(TaskType::CACHE_LOOKUP);
+        out_tasks->push_back(TaskType::DNS);
+      } else if (cache_usage == HostResolver::ResolveHostParameters::
+                                    CacheUsage::STALE_ALLOWED) {
+        // If stale results are allowed, the cache should be checked for both
+        // secure and insecure results prior to running a secure DnsTask.
+        out_tasks->push_back(TaskType::CACHE_LOOKUP);
+        out_tasks->push_back(TaskType::SECURE_DNS);
+        out_tasks->push_back(TaskType::DNS);
+      } else {
+        if (allow_cache)
+          out_tasks->push_back(TaskType::SECURE_CACHE_LOOKUP);
+        out_tasks->push_back(TaskType::SECURE_DNS);
+        if (allow_cache)
+          out_tasks->push_back(TaskType::INSECURE_CACHE_LOOKUP);
+        out_tasks->push_back(TaskType::DNS);
+      }
+      break;
+    case DnsConfig::SecureDnsMode::OFF:
+      if (allow_cache)
+        out_tasks->push_back(TaskType::CACHE_LOOKUP);
+      out_tasks->push_back(TaskType::DNS);
+      break;
+    default:
+      NOTREACHED();
+      break;
+  }
+
+  // The system resolver can be used as a fallback if allowed by the request
+  // parameters.
+  if (allow_proc_fallback && allow_fallback_to_proctask_)
+    out_tasks->push_back(TaskType::PROC);
+}
+
+void HostResolverManager::CreateTaskSequence(
+    const std::string& hostname,
+    DnsQueryType dns_query_type,
+    HostResolverSource source,
+    HostResolverFlags flags,
+    base::Optional<DnsConfig::SecureDnsMode> secure_dns_mode_override,
+    ResolveHostParameters::CacheUsage cache_usage,
+    std::deque<TaskType>* out_tasks) {
+  DCHECK(out_tasks->empty());
+  DnsConfig::SecureDnsMode secure_dns_mode =
+      GetEffectiveSecureDnsMode(secure_dns_mode_override);
+
+  // A cache lookup should generally be performed first. For jobs involving a
+  // DnsTask, this task will be removed before DnsTasks and other related tasks
+  // are added to the sequence.
+  if (cache_usage != ResolveHostParameters::CacheUsage::DISALLOWED)
+    out_tasks->push_front(TaskType::CACHE_LOOKUP);
+
+  // Determine what type of task a future Job should start.
+  switch (source) {
+    case HostResolverSource::ANY:
+      // Force address queries with canonname to use ProcTask to counter poor
+      // CNAME support in DnsTask. See https://crbug.com/872665
+      //
+      // Otherwise, default to DnsTask (with allowed fallback to ProcTask for
+      // address queries). But if hostname appears to be an MDNS name (ends in
+      // *.local), go with ProcTask for address queries and MdnsTask for non-
+      // address queries.
+      if ((flags & HOST_RESOLVER_CANONNAME) && IsAddressType(dns_query_type)) {
+        out_tasks->push_back(TaskType::PROC);
+      } else if (!ResemblesMulticastDNSName(hostname)) {
+        bool allow_proc_fallback =
+            IsAddressType(dns_query_type) &&
+            secure_dns_mode != DnsConfig::SecureDnsMode::SECURE;
+        // DnsClient or config is not available, but we're allowed to switch to
+        // ProcTask instead.
+        if ((!HaveDnsConfig() || use_proctask_by_default_) &&
+            allow_proc_fallback) {
+          out_tasks->push_back(TaskType::PROC);
+        } else {
+          // Remove the initial cache lookup task.
+          if (!out_tasks->empty())
+            out_tasks->pop_front();
+          PushDnsTasks(allow_proc_fallback, secure_dns_mode, cache_usage,
+                       out_tasks);
+        }
+      } else if (IsAddressType(dns_query_type)) {
+        out_tasks->push_back(TaskType::PROC);
+      } else {
+        out_tasks->push_back(TaskType::MDNS);
+      }
+      break;
+    case HostResolverSource::SYSTEM:
+      out_tasks->push_back(TaskType::PROC);
+      break;
+    case HostResolverSource::DNS:
+      // Remove the initial cache lookup task.
+      if (!out_tasks->empty())
+        out_tasks->pop_front();
+      PushDnsTasks(false /* allow_proc_fallback */, secure_dns_mode,
+                   cache_usage, out_tasks);
+      break;
+    case HostResolverSource::MULTICAST_DNS:
+      out_tasks->push_back(TaskType::MDNS);
+      break;
+    case HostResolverSource::LOCAL_ONLY:
+      // If no external source allowed, a job should not be created or started
+      break;
+  }
+}
+
 void HostResolverManager::GetEffectiveParametersForRequest(
+    const std::string& hostname,
     DnsQueryType dns_query_type,
+    HostResolverSource source,
     HostResolverFlags flags,
+    base::Optional<DnsConfig::SecureDnsMode> secure_dns_mode_override,
+    ResolveHostParameters::CacheUsage cache_usage,
     const IPAddress* ip_address,
     const NetLogWithSource& net_log,
     DnsQueryType* out_effective_type,
-    HostResolverFlags* out_effective_flags) {
+    HostResolverFlags* out_effective_flags,
+    std::deque<TaskType>* out_tasks) {
   *out_effective_flags = flags | additional_resolver_flags_;
-
   *out_effective_type = dns_query_type;
-
   if (*out_effective_type == DnsQueryType::UNSPECIFIED &&
       // When resolving IPv4 literals, there's no need to probe for IPv6.
       // When resolving IPv6 literals, there's no benefit to artificially
@@ -2937,6 +3159,10 @@ void HostResolverManager::GetEffectiveParametersForRequest(
     *out_effective_type = DnsQueryType::A;
     *out_effective_flags |= HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6;
   }
+
+  CreateTaskSequence(hostname, *out_effective_type, source,
+                     *out_effective_flags, secure_dns_mode_override,
+                     cache_usage, out_tasks);
 }
 
 bool HostResolverManager::IsIPv6Reachable(const NetLogWithSource& net_log) {
@@ -2957,9 +3183,10 @@ bool HostResolverManager::IsIPv6Reachable(const NetLogWithSource& net_log) {
     last_ipv6_probe_time_ = tick_clock_->NowTicks();
     cached = false;
   }
-  net_log.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_IPV6_REACHABILITY_CHECK,
-                   base::Bind(&NetLogIPv6AvailableCallback,
-                              last_ipv6_probe_result_, cached));
+  net_log.AddEvent(
+      NetLogEventType::HOST_RESOLVER_IMPL_IPV6_REACHABILITY_CHECK, [&] {
+        return NetLogIPv6AvailableParams(last_ipv6_probe_result_, cached);
+      });
   return last_ipv6_probe_result_;
 }
 
@@ -3001,16 +3228,15 @@ void HostResolverManager::RunLoopbackProbeJob() {
                      weak_ptr_factory_.GetWeakPtr()));
 }
 
-void HostResolverManager::AbortAllInProgressJobs() {
+void HostResolverManager::AbortAllJobs(bool in_progress_only) {
   // In Abort, a Request callback could spawn new Jobs with matching keys, so
   // first collect and remove all running jobs from |jobs_|.
   std::vector<std::unique_ptr<Job>> jobs_to_abort;
   for (auto it = jobs_.begin(); it != jobs_.end();) {
     Job* job = it->second.get();
-    if (job->is_running()) {
+    if (!in_progress_only || job->is_running()) {
       jobs_to_abort.push_back(RemoveJob(it++));
     } else {
-      DCHECK(job->is_queued());
       ++it;
     }
   }
@@ -3106,8 +3332,8 @@ void HostResolverManager::OnIPAddressChanged() {
     defined(OS_FUCHSIA)
   RunLoopbackProbeJob();
 #endif
-  AbortAllInProgressJobs();
-  // |this| may be deleted inside AbortAllInProgressJobs().
+  AbortAllJobs(true /* in_progress_only */);
+  // |this| may be deleted inside AbortAllJobs().
 }
 
 void HostResolverManager::OnConnectionTypeChanged(
@@ -3143,9 +3369,9 @@ DnsConfig HostResolverManager::GetBaseDnsConfig(bool log_to_net_log) {
     }
 
     if (log_to_net_log && net_log_) {
-      net_log_->AddGlobalEntry(
-          NetLogEventType::DNS_CONFIG_CHANGED,
-          base::BindRepeating(&NetLogDnsConfigCallback, &dns_config));
+      net_log_->AddGlobalEntry(NetLogEventType::DNS_CONFIG_CHANGED, [&] {
+        return NetLogDnsConfigParams(&dns_config);
+      });
     }
 
     // TODO(szym): Remove once http://crbug.com/137914 is resolved.
@@ -3180,11 +3406,11 @@ void HostResolverManager::UpdateDNSConfig(bool config_changed) {
     // Life check to bail once |this| is deleted.
     base::WeakPtr<HostResolverManager> self = weak_ptr_factory_.GetWeakPtr();
 
-    // Existing jobs will have been sent to the original server so they need to
-    // be aborted.
-    AbortAllInProgressJobs();
+    // Existing jobs that were set up using the nameservers and secure dns mode
+    // from the original config need to be aborted.
+    AbortAllJobs(false /* in_progress_only */);
 
-    // |this| may be deleted inside AbortAllInProgressJobs().
+    // |this| may be deleted inside AbortAllJobs().
     if (self.get())
       TryServingAllJobsFromHosts();
   }
diff --git a/chromium/net/dns/host_resolver_manager.h b/chromium/net/dns/host_resolver_manager.h
index 15828f70f12..8f9044912bd 100644
--- a/chromium/net/dns/host_resolver_manager.h
+++ b/chromium/net/dns/host_resolver_manager.h
@@ -91,6 +91,7 @@ class NET_EXPORT HostResolverManager
   using ResolveHostParameters = HostResolver::ResolveHostParameters;
   using DnsClientFactory =
       base::RepeatingCallback<std::unique_ptr<DnsClient>(NetLog*)>;
+  using SecureDnsMode = DnsConfig::SecureDnsMode;
 
   class CancellableRequest : public ResolveHostRequest {
    public:
@@ -126,7 +127,10 @@ class NET_EXPORT HostResolverManager
   ~HostResolverManager() override;
 
   // If |host_cache| is non-null, its HostCache::Invalidator must have already
-  // been added (via AddHostCacheInvalidator()).
+  // been added (via AddHostCacheInvalidator()). If |optional_parameters|
+  // specifies any cache usage other than LOCAL_ONLY, there must be a 1:1
+  // correspondence between |request_context| and |host_cache|, and both should
+  // come from the same ContextHostResolver.
   std::unique_ptr<CancellableRequest> CreateRequest(
       const HostPortPair& host,
       const NetLogWithSource& net_log,
@@ -238,6 +242,17 @@ class NET_EXPORT HostResolverManager
     MODE_FOR_HISTOGRAM_ASYNC_DNS_PRIVATE_SUPPORTS_DOH,
   };
 
+  // Task types that a Job might run.
+  enum class TaskType {
+    PROC,
+    DNS,
+    SECURE_DNS,
+    MDNS,
+    CACHE_LOOKUP,
+    INSECURE_CACHE_LOOKUP,
+    SECURE_CACHE_LOOKUP,
+  };
+
   // Number of consecutive failures of DnsTask (with successful fallback to
   // ProcTask) before the DnsClient is disabled until the next DNS change.
   static const unsigned kMaximumDnsFailures;
@@ -254,6 +269,8 @@ class NET_EXPORT HostResolverManager
   //
   // On ERR_DNS_CACHE_MISS and OK, effective request parameters are written to
   // |out_effective_query_type| and |out_effective_host_resolver_flags|.
+  // |out_tasks| contains the tentative sequence of tasks that a future job
+  // should run.
   //
   // If results are returned from the host cache, |out_stale_info| will be
   // filled in with information on how stale or fresh the result is. Otherwise,
@@ -266,11 +283,13 @@ class NET_EXPORT HostResolverManager
       DnsQueryType requested_address_family,
       HostResolverSource source,
       HostResolverFlags flags,
+      base::Optional<SecureDnsMode> secure_dns_mode_override,
       ResolveHostParameters::CacheUsage cache_usage,
       const NetLogWithSource& request_net_log,
       HostCache* cache,
       DnsQueryType* out_effective_query_type,
       HostResolverFlags* out_effective_host_resolver_flags,
+      std::deque<TaskType>* out_tasks,
       base::Optional<HostCache::EntryStaleness>* out_stale_info);
 
   // Attempts to create and start a Job to asynchronously attempt to resolve
@@ -278,6 +297,7 @@ class NET_EXPORT HostResolverManager
   // |request|. On error, marks |request| completed and returns the error.
   int CreateAndStartJob(DnsQueryType effective_query_type,
                         HostResolverFlags effective_host_resolver_flags,
+                        std::deque<TaskType> tasks,
                         RequestImpl* request);
 
   // Tries to resolve |key| and its possible IP address representation,
@@ -286,16 +306,16 @@ class NET_EXPORT HostResolverManager
                                                bool resolve_canonname,
                                                const IPAddress* ip_address);
 
-  // Returns the result iff a positive match is found for |key| in the cache.
-  // |out_stale_info| must be non-null, and will be filled in with details of
-  // the entry's staleness if an entry is returned, otherwise it will be set to
-  // |base::nullopt|.
-  //
-  // If |allow_stale| is true, then stale cache entries can be returned.
-  base::Optional<HostCache::Entry> ServeFromCache(
+  // Returns the result iff |cache_usage| permits cache lookups and a positive
+  // match is found for |key| in |cache|. |out_stale_info| must be non-null, and
+  // will be filled in with details of the entry's staleness if an entry is
+  // returned, otherwise it will be set to |base::nullopt|.
+  base::Optional<HostCache::Entry> MaybeServeFromCache(
       HostCache* cache,
       const HostCache::Key& key,
-      bool allow_stale,
+      ResolveHostParameters::CacheUsage cache_usage,
+      bool ignore_secure,
+      const NetLogWithSource& source_net_log,
       base::Optional<HostCache::EntryStaleness>* out_stale_info);
 
   // Iff we have a DnsClient with a valid DnsConfig, and |key| can be resolved
@@ -312,14 +332,47 @@ class NET_EXPORT HostResolverManager
       DnsQueryType query_type,
       bool default_family_due_to_no_ipv6);
 
+  // When no DoH servers are in an "available" state, no DoH requests should
+  // be sent.
+  bool HasAvailableDohServer();
+
+  // Returns the secure dns mode to use for a job, taking into account the
+  // global DnsConfig mode and any per-request override.
+  SecureDnsMode GetEffectiveSecureDnsMode(
+      base::Optional<SecureDnsMode> secure_dns_mode_override);
+
+  // Helper method to add DnsTasks and related tasks based on the SecureDnsMode
+  // and fallback parameters.
+  void PushDnsTasks(bool allow_proc_fallback,
+                    SecureDnsMode secure_dns_mode,
+                    ResolveHostParameters::CacheUsage cache_usage,
+                    std::deque<TaskType>* out_tasks);
+
+  // Initialized the sequence of tasks to run to resolve a request. The sequence
+  // may be adjusted later and not all tasks need to be run.
+  void CreateTaskSequence(
+      const std::string& hostname,
+      DnsQueryType dns_query_type,
+      HostResolverSource source,
+      HostResolverFlags flags,
+      base::Optional<SecureDnsMode> secure_dns_mode_override,
+      ResolveHostParameters::CacheUsage cache_usage,
+      std::deque<TaskType>* out_tasks);
+
   // Determines "effective" request parameters using manager properties and IPv6
   // reachability.
-  void GetEffectiveParametersForRequest(DnsQueryType dns_query_type,
-                                        HostResolverFlags flags,
-                                        const IPAddress* ip_address,
-                                        const NetLogWithSource& net_log,
-                                        DnsQueryType* out_effective_type,
-                                        HostResolverFlags* out_effective_flags);
+  void GetEffectiveParametersForRequest(
+      const std::string& hostname,
+      DnsQueryType dns_query_type,
+      HostResolverSource source,
+      HostResolverFlags flags,
+      base::Optional<SecureDnsMode> secure_dns_mode_override,
+      ResolveHostParameters::CacheUsage cache_usage,
+      const IPAddress* ip_address,
+      const NetLogWithSource& net_log,
+      DnsQueryType* out_effective_type,
+      HostResolverFlags* out_effective_flags,
+      std::deque<TaskType>* out_tasks);
 
   // Probes IPv6 support and returns true if IPv6 support is enabled.
   // Results are cached, i.e. when called repeatedly this method returns result
@@ -347,9 +400,10 @@ class NET_EXPORT HostResolverManager
   // Removes |job_it| from |jobs_| and return.
   std::unique_ptr<Job> RemoveJob(JobMap::iterator job_it);
 
-  // Aborts all in progress jobs with ERR_NETWORK_CHANGED and notifies their
-  // requests. Might start new jobs.
-  void AbortAllInProgressJobs();
+  // Aborts both scheduled and running jobs with ERR_NETWORK_CHANGED and
+  // notifies their requests. Aborts only running jobs if |in_progress_only| is
+  // true. Might start new jobs.
+  void AbortAllJobs(bool in_progress_only);
 
   void SetDnsClient(std::unique_ptr<DnsClient> dns_client);
 
@@ -480,9 +534,9 @@ class NET_EXPORT HostResolverManager
 
   THREAD_CHECKER(thread_checker_);
 
-  base::WeakPtrFactory<HostResolverManager> weak_ptr_factory_;
+  base::WeakPtrFactory<HostResolverManager> weak_ptr_factory_{this};
 
-  base::WeakPtrFactory<HostResolverManager> probe_weak_ptr_factory_;
+  base::WeakPtrFactory<HostResolverManager> probe_weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(HostResolverManager);
 };
diff --git a/chromium/net/dns/host_resolver_manager_fuzzer.cc b/chromium/net/dns/host_resolver_manager_fuzzer.cc
index ca19d4fa310..0606e0aac8c 100644
--- a/chromium/net/dns/host_resolver_manager_fuzzer.cc
+++ b/chromium/net/dns/host_resolver_manager_fuzzer.cc
@@ -11,7 +11,6 @@
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/run_loop.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "base/test/scoped_task_environment.h"
 #include "net/base/address_family.h"
 #include "net/base/address_list.h"
@@ -23,6 +22,7 @@
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
 #include "net/net_buildflags.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace {
 
@@ -32,7 +32,7 @@ const char* kHostNames[] = {"foo", "foo.com",   "a.foo.com",
 class DnsRequest {
  public:
   DnsRequest(net::HostResolver* host_resolver,
-             base::FuzzedDataProvider* data_provider,
+             FuzzedDataProvider* data_provider,
              std::vector<std::unique_ptr<DnsRequest>>* dns_requests)
       : host_resolver_(host_resolver),
         data_provider_(data_provider),
@@ -44,7 +44,7 @@ class DnsRequest {
   // doesn't complete synchronously, adds it to |dns_requests|.
   static void CreateRequest(
       net::HostResolver* host_resolver,
-      base::FuzzedDataProvider* data_provider,
+      FuzzedDataProvider* data_provider,
       std::vector<std::unique_ptr<DnsRequest>>* dns_requests) {
     std::unique_ptr<DnsRequest> dns_request(
         new DnsRequest(host_resolver, data_provider, dns_requests));
@@ -56,7 +56,7 @@ class DnsRequest {
   // If |dns_requests| is non-empty, waits for a randomly chosen one of the
   // requests to complete and removes it from |dns_requests|.
   static void WaitForRequestComplete(
-      base::FuzzedDataProvider* data_provider,
+      FuzzedDataProvider* data_provider,
       std::vector<std::unique_ptr<DnsRequest>>* dns_requests) {
     if (dns_requests->empty())
       return;
@@ -75,7 +75,7 @@ class DnsRequest {
   // complete, just removes it from the list.
   static void CancelRequest(
       net::HostResolver* host_resolver,
-      base::FuzzedDataProvider* data_provider,
+      FuzzedDataProvider* data_provider,
       std::vector<std::unique_ptr<DnsRequest>>* dns_requests) {
     if (dns_requests->empty())
       return;
@@ -176,7 +176,7 @@ class DnsRequest {
   void Cancel() { request_.reset(); }
 
   net::HostResolver* host_resolver_;
-  base::FuzzedDataProvider* data_provider_;
+  FuzzedDataProvider* data_provider_;
   std::vector<std::unique_ptr<DnsRequest>>* dns_requests_;
 
   // Non-null only while running.
@@ -199,7 +199,7 @@ class DnsRequest {
 //     async resolver while lookups are active as a result of the change.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   {
-    base::FuzzedDataProvider data_provider(data, size);
+    FuzzedDataProvider data_provider(data, size);
     net::TestNetLog net_log;
 
     net::HostResolver::ManagerOptions options;
diff --git a/chromium/net/dns/host_resolver_manager_unittest.cc b/chromium/net/dns/host_resolver_manager_unittest.cc
index 3b78948d367..f332b9c630b 100644
--- a/chromium/net/dns/host_resolver_manager_unittest.cc
+++ b/chromium/net/dns/host_resolver_manager_unittest.cc
@@ -5,6 +5,7 @@
 #include "net/dns/host_resolver_manager.h"
 
 #include <algorithm>
+#include <limits>
 #include <string>
 #include <tuple>
 #include <utility>
@@ -23,6 +24,7 @@
 #include "base/strings/stringprintf.h"
 #include "base/synchronization/condition_variable.h"
 #include "base/synchronization/lock.h"
+#include "base/task/thread_pool/thread_pool.h"
 #include "base/test/bind_test_util.h"
 #include "base/test/simple_test_clock.h"
 #include "base/test/test_mock_time_task_runner.h"
@@ -50,6 +52,7 @@
 #include "net/log/net_log_source_type.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
+#include "net/log/test_net_log_util.h"
 #include "net/test/gtest_util.h"
 #include "net/test/test_with_scoped_task_environment.h"
 #include "net/url_request/url_request_context.h"
@@ -338,13 +341,19 @@ class LookupAttemptHostResolverProc : public HostResolverProc {
   }
 
   // Returns the number of attempts that have finished the Resolve() method.
-  int total_attempts_resolved() { return total_attempts_resolved_; }
-
-  // Returns the first attempt that that has resolved the host.
-  int resolved_attempt_number() { return resolved_attempt_number_; }
+  int GetTotalAttemptsResolved() {
+    base::AutoLock auto_lock(lock_);
+    return total_attempts_resolved_;
+  }
 
-  // Returns the current number of blocked attempts.
-  int num_attempts_waiting() { return num_attempts_waiting_; }
+  // Sets the resolved attempt number and unblocks waiting
+  // attempts.
+  void SetResolvedAttemptNumber(int n) {
+    base::AutoLock auto_lock(lock_);
+    EXPECT_EQ(0, resolved_attempt_number_);
+    resolved_attempt_number_ = n;
+    all_done_.Broadcast();
+  }
 
   // HostResolverProc methods.
   int Resolve(const std::string& host,
@@ -563,6 +572,13 @@ class HostResolverManagerTest : public TestWithScopedTaskEnvironment {
     return resolver_->IsIPv6Reachable(net_log);
   }
 
+  void PopulateCache(HostCache::Key& key, IPEndPoint endpoint) {
+    resolver_->CacheResult(host_cache_.get(), key,
+                           HostCache::Entry(OK, AddressList(endpoint),
+                                            HostCache::Entry::SOURCE_UNKNOWN),
+                           base::TimeDelta::FromSeconds(1));
+  }
+
   const std::pair<const HostCache::Key, HostCache::Entry>* GetCacheHit(
       const HostCache::Key& key) {
     DCHECK(host_cache_);
@@ -2175,8 +2191,69 @@ TEST_F(HostResolverManagerTest, MultipleAttempts) {
   // We should be done with retries, but make sure none erroneously happen.
   test_task_runner->FastForwardUntilNoTasksRemain();
 
-  EXPECT_EQ(resolver_proc->total_attempts_resolved(), kTotalAttempts);
-  EXPECT_EQ(resolver_proc->resolved_attempt_number(), kAttemptNumberToResolve);
+  EXPECT_EQ(resolver_proc->GetTotalAttemptsResolved(), kTotalAttempts);
+}
+
+// Regression test for https://crbug.com/976948.
+//
+// Tests that when the maximum number of retries is set to
+// |HostResolver::ManagerOptions::kDefaultRetryAttempts| the
+// number of retries used is 4 rather than something higher.
+TEST_F(HostResolverManagerTest, DefaultMaxRetryAttempts) {
+  auto test_task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
+  base::ScopedClosureRunner task_runner_override_scoped_cleanup =
+      base::ThreadTaskRunnerHandle::OverrideForTesting(test_task_runner);
+
+  // Instantiate a ResolverProc that will block all incoming requests.
+  auto resolver_proc = base::MakeRefCounted<LookupAttemptHostResolverProc>(
+      nullptr, std::numeric_limits<size_t>::max(),
+      std::numeric_limits<size_t>::max());
+
+  // This corresponds to kDefaultMaxRetryAttempts in
+  // ProcTaskParams::ProcTaskParams(). The correspondence is verified below,
+  // since that symbol is not exported.
+  const size_t expected_max_retries = 4;
+
+  // Use the special value |ManagerOptions::kDefaultRetryAttempts|, which is
+  // expected to translate into |expected_num_retries|.
+  ASSERT_NE(HostResolver::ManagerOptions::kDefaultRetryAttempts,
+            expected_max_retries);
+  ProcTaskParams params(resolver_proc.get(),
+                        HostResolver::ManagerOptions::kDefaultRetryAttempts);
+  ASSERT_EQ(params.max_retry_attempts, expected_max_retries);
+
+  CreateResolverWithLimitsAndParams(kMaxJobs, params,
+                                    false /* ipv6_reachable */,
+                                    false /* check_ipv6_on_wifi */);
+
+  // Resolve "host1". The resolver proc will hang all requests so this
+  // resolution should remain stalled until calling SetResolvedAttemptNumber().
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host1", 70), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  EXPECT_FALSE(response.complete());
+
+  // Simulate running the main thread (network task runner) for a long
+  // time. Because none of the attempts posted to worker pool can complete, this
+  // should cause all of the retry attempts to get posted, according to the
+  // exponential backoff schedule.
+  test_task_runner->FastForwardBy(base::TimeDelta::FromMinutes(20));
+
+  // Unblock the resolver proc, then wait for all the worker pool and main
+  // thread tasks to complete. Note that the call to SetResolvedAttemptNumber(1)
+  // will cause all the blocked resolver procs tasks fail with -2.
+  resolver_proc->SetResolvedAttemptNumber(1);
+  const int kExpectedError = -2;
+  base::ThreadPoolInstance::Get()->FlushForTesting();
+  test_task_runner->RunUntilIdle();
+
+  ASSERT_TRUE(response.complete());
+  EXPECT_EQ(kExpectedError, response.result_error());
+
+  // Ensure that the original attempt was executed on the worker pool, as well
+  // as the maximum number of allowed retries, and no more.
+  EXPECT_EQ(static_cast<int>(expected_max_retries + 1),
+            resolver_proc->GetTotalAttemptsResolved());
 }
 
 // If a host resolves to a list that includes 127.0.53.53, this is treated as
@@ -2261,23 +2338,13 @@ TEST_F(HostResolverManagerTest, IsIPv6Reachable) {
   EXPECT_EQ(result1, result2);
 
   // Filter reachability check events and verify that there are two of them.
-  TestNetLogEntry::List event_list;
-  test_net_log.GetEntries(&event_list);
-  TestNetLogEntry::List probe_event_list;
-  for (const auto& event : event_list) {
-    if (event.type ==
-        NetLogEventType::HOST_RESOLVER_IMPL_IPV6_REACHABILITY_CHECK) {
-      probe_event_list.push_back(event);
-    }
-  }
+  auto probe_event_list = test_net_log.GetEntriesWithType(
+      NetLogEventType::HOST_RESOLVER_IMPL_IPV6_REACHABILITY_CHECK);
   ASSERT_EQ(2U, probe_event_list.size());
 
   // Verify that the first request was not cached and the second one was.
-  bool cached;
-  EXPECT_TRUE(probe_event_list[0].GetBooleanValue("cached", &cached));
-  EXPECT_FALSE(cached);
-  EXPECT_TRUE(probe_event_list[1].GetBooleanValue("cached", &cached));
-  EXPECT_TRUE(cached);
+  EXPECT_FALSE(GetBooleanValueFromParams(probe_event_list[0], "cached"));
+  EXPECT_TRUE(GetBooleanValueFromParams(probe_event_list[1], "cached"));
 }
 
 TEST_F(HostResolverManagerTest, IncludeCanonicalName) {
@@ -2355,52 +2422,6 @@ TEST_F(HostResolverManagerTest, IsSpeculative) {
   EXPECT_EQ(1u, proc_->GetCaptureList().size());  // No increase.
 }
 
-// Test that if a Job with multiple requests, each with its own different
-// HostCache, completes, the result is cached in all request HostCaches.
-TEST_F(HostResolverManagerTest, MultipleCachesForMultipleRequests) {
-  proc_->AddRuleForAllFamilies("just.testing", "192.168.1.42");
-
-  std::unique_ptr<HostCache> cache2 = HostCache::CreateDefaultCache();
-  resolver_->AddHostCacheInvalidator(cache2->invalidator());
-
-  ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
-  ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("just.testing", 85), NetLogWithSource(), base::nullopt,
-      request_context_.get(), cache2.get()));
-  ASSERT_EQ(1u, resolver_->num_jobs_for_testing());
-
-  proc_->SignalMultiple(1u);
-  EXPECT_THAT(response1.result_error(), IsOk());
-  EXPECT_THAT(response2.result_error(), IsOk());
-
-  HostResolver::ResolveHostParameters local_resolve_parameters;
-  local_resolve_parameters.source = HostResolverSource::LOCAL_ONLY;
-
-  // Confirm |host_cache_| contains the result.
-  ResolveHostResponseHelper cached_response1(resolver_->CreateRequest(
-      HostPortPair("just.testing", 81), NetLogWithSource(),
-      local_resolve_parameters, request_context_.get(), host_cache_.get()));
-  EXPECT_THAT(cached_response1.result_error(), IsOk());
-  EXPECT_THAT(
-      cached_response1.request()->GetAddressResults().value().endpoints(),
-      testing::ElementsAre(CreateExpected("192.168.1.42", 81)));
-  EXPECT_TRUE(cached_response1.request()->GetStaleInfo());
-
-  // Confirm |cache2| contains the result.
-  ResolveHostResponseHelper cached_response2(resolver_->CreateRequest(
-      HostPortPair("just.testing", 82), NetLogWithSource(),
-      local_resolve_parameters, request_context_.get(), cache2.get()));
-  EXPECT_THAT(cached_response2.result_error(), IsOk());
-  EXPECT_THAT(
-      cached_response2.request()->GetAddressResults().value().endpoints(),
-      testing::ElementsAre(CreateExpected("192.168.1.42", 82)));
-  EXPECT_TRUE(cached_response2.request()->GetStaleInfo());
-
-  resolver_->RemoveHostCacheInvalidator(cache2->invalidator());
-}
-
 #if BUILDFLAG(ENABLE_MDNS)
 const uint8_t kMdnsResponseA[] = {
     // Header
@@ -3363,6 +3384,9 @@ DnsConfig CreateValidDnsConfig() {
   IPAddress dns_ip(192, 168, 1, 0);
   DnsConfig config;
   config.nameservers.push_back(IPEndPoint(dns_ip, dns_protocol::kDefaultPort));
+  config.dns_over_https_servers.push_back({DnsConfig::DnsOverHttpsServerConfig(
+      "https://dns.example.com/", true /* use_post */)});
+  config.secure_dns_mode = DnsConfig::SecureDnsMode::OFF;
   EXPECT_TRUE(config.IsValid());
   return config;
 }
@@ -3492,6 +3516,27 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
                IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 127, 0, 53, 53),
                false /* delay */);
 
+    AddSecureDnsRule(&rules, "automatic_nodomain", dns_protocol::kTypeA,
+                     MockDnsClientRule::NODOMAIN, false /* delay */);
+    AddSecureDnsRule(&rules, "automatic_nodomain", dns_protocol::kTypeAAAA,
+                     MockDnsClientRule::NODOMAIN, false /* delay */);
+    AddDnsRule(&rules, "automatic_nodomain", dns_protocol::kTypeA,
+               MockDnsClientRule::NODOMAIN, false /* delay */);
+    AddDnsRule(&rules, "automatic_nodomain", dns_protocol::kTypeAAAA,
+               MockDnsClientRule::NODOMAIN, false /* delay */);
+    AddSecureDnsRule(&rules, "automatic", dns_protocol::kTypeA,
+                     MockDnsClientRule::OK, false /* delay */);
+    AddSecureDnsRule(&rules, "automatic", dns_protocol::kTypeAAAA,
+                     MockDnsClientRule::OK, false /* delay */);
+    AddDnsRule(&rules, "automatic", dns_protocol::kTypeA, MockDnsClientRule::OK,
+               false /* delay */);
+    AddDnsRule(&rules, "automatic", dns_protocol::kTypeAAAA,
+               MockDnsClientRule::OK, false /* delay */);
+    AddDnsRule(&rules, "insecure_automatic", dns_protocol::kTypeA,
+               MockDnsClientRule::OK, false /* delay */);
+    AddDnsRule(&rules, "insecure_automatic", dns_protocol::kTypeAAAA,
+               MockDnsClientRule::OK, false /* delay */);
+
     return rules;
   }
 
@@ -3501,7 +3546,7 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
                          uint16_t qtype,
                          MockDnsClientRule::ResultType result_type,
                          bool delay) {
-    rules->emplace_back(prefix, qtype, DnsConfig::SecureDnsMode::AUTOMATIC,
+    rules->emplace_back(prefix, qtype, false /* secure */,
                         MockDnsClientRule::Result(result_type), delay);
   }
 
@@ -3510,7 +3555,7 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
                          uint16_t qtype,
                          const IPAddress& result_ip,
                          bool delay) {
-    rules->emplace_back(prefix, qtype, DnsConfig::SecureDnsMode::AUTOMATIC,
+    rules->emplace_back(prefix, qtype, false /* secure */,
                         MockDnsClientRule::Result(
                             BuildTestDnsResponse(prefix, std::move(result_ip))),
                         delay);
@@ -3523,7 +3568,7 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
                          std::string cannonname,
                          bool delay) {
     rules->emplace_back(
-        prefix, qtype, DnsConfig::SecureDnsMode::AUTOMATIC,
+        prefix, qtype, false /* secure */,
         MockDnsClientRule::Result(BuildTestDnsResponseWithCname(
             prefix, std::move(result_ip), std::move(cannonname))),
         delay);
@@ -3534,21 +3579,19 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
                                uint16_t qtype,
                                MockDnsClientRule::ResultType result_type,
                                bool delay) {
-    MockDnsClientRule::Result result(result_type);
-    result.secure = true;
-    rules->emplace_back(prefix, qtype, DnsConfig::SecureDnsMode::AUTOMATIC,
-                        std::move(result), delay);
+    rules->emplace_back(prefix, qtype, true /* secure */,
+                        MockDnsClientRule::Result(result_type), delay);
   }
 
   void ChangeDnsConfig(const DnsConfig& config) {
-    NetworkChangeNotifier::SetDnsConfig(config);
+    NetworkChangeNotifier::SetDnsConfigForTesting(config);
     // Notification is delivered asynchronously.
     base::RunLoop().RunUntilIdle();
   }
 
   void SetInitialDnsConfig(const DnsConfig& config) {
     NetworkChangeNotifier::ClearDnsConfigForTesting();
-    NetworkChangeNotifier::SetDnsConfig(config);
+    NetworkChangeNotifier::SetDnsConfigForTesting(config);
     // Notification is delivered asynchronously.
     base::RunLoop().RunUntilIdle();
   }
@@ -4034,53 +4077,6 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
 }
 
-TEST_F(HostResolverManagerDnsTest, CacheHostsLookupOnConfigChange) {
-  // Only allow 1 resolution at a time, so that the second lookup is queued and
-  // occurs when the DNS config changes.
-  CreateResolverWithLimitsAndParams(1u, DefaultParams(proc_.get()),
-                                    true /* ipv6_reachable */,
-                                    true /* check_ipv6_on_wifi */);
-  DnsConfig config = CreateValidDnsConfig();
-  ChangeDnsConfig(config);
-
-  proc_->AddRuleForAllFamilies(std::string(),
-                               std::string());  // Default to failures.
-  proc_->SignalMultiple(1u);  // For the first request which fails.
-
-  ResolveHostResponseHelper failure_response(resolver_->CreateRequest(
-      HostPortPair("nx_ipv4", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
-  ResolveHostResponseHelper queued_response(resolver_->CreateRequest(
-      HostPortPair("nx_ipv6", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
-
-  DnsHosts hosts;
-  hosts[DnsHostsKey("nx_ipv4", ADDRESS_FAMILY_IPV4)] =
-      IPAddress::IPv4Localhost();
-  hosts[DnsHostsKey("nx_ipv6", ADDRESS_FAMILY_IPV6)] =
-      IPAddress::IPv6Localhost();
-
-  config.hosts = hosts;
-  ChangeDnsConfig(config);
-
-  EXPECT_THAT(failure_response.result_error(), IsError(ERR_NETWORK_CHANGED));
-  EXPECT_THAT(queued_response.result_error(), IsOk());
-  EXPECT_THAT(
-      queued_response.request()->GetAddressResults().value().endpoints(),
-      testing::ElementsAre(CreateExpected("::1", 80)));
-
-  // Resolutions done by consulting the HOSTS file when the DNS config changes
-  // should result in a secure cache entry with SOURCE_HOSTS.
-  HostCache::Key key =
-      HostCache::Key("nx_ipv6", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
-  key.secure = true;
-  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
-      GetCacheHit(key);
-  ASSERT_THAT(cache_result, NotNull());
-  EXPECT_EQ(HostCache::Entry::SOURCE_HOSTS, cache_result->second.source());
-}
-
 // Test that hosts ending in ".local" or ".local." are resolved using the system
 // resolver.
 TEST_F(HostResolverManagerDnsTest, BypassDnsTask) {
@@ -4127,10 +4123,9 @@ TEST_F(HostResolverManagerDnsTest, BypassDnsTask) {
 TEST_F(HostResolverManagerDnsTest, BypassDnsToMdnsWithNonAddress) {
   // Ensure DNS task and system (proc) requests will fail.
   MockDnsClientRuleList rules;
-  rules.emplace_back("myhello.local", dns_protocol::kTypeTXT,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
-                     MockDnsClientRule::Result(MockDnsClientRule::FAIL),
-                     false /* delay */);
+  rules.emplace_back(
+      "myhello.local", dns_protocol::kTypeTXT, false /* secure */,
+      MockDnsClientRule::Result(MockDnsClientRule::FAIL), false /* delay */);
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
   proc_->AddRuleForAllFamilies(std::string(), std::string());
@@ -4516,6 +4511,73 @@ TEST_F(HostResolverManagerDnsTest, CancelWithIPv4TransactionPending) {
   EXPECT_FALSE(response.complete());
 }
 
+TEST_F(HostResolverManagerDnsTest, CancelWithAutomaticModeTransactionPending) {
+  MockDnsClientRuleList rules;
+  rules.emplace_back("secure_6slow_6nx_insecure_6slow_ok", dns_protocol::kTypeA,
+                     true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("secure_6slow_6nx_insecure_6slow_ok",
+                     dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::FAIL),
+                     true /* delay */);
+  rules.emplace_back("secure_6slow_6nx_insecure_6slow_ok", dns_protocol::kTypeA,
+                     false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("secure_6slow_6nx_insecure_6slow_ok",
+                     dns_protocol::kTypeAAAA, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  ResolveHostResponseHelper response0(resolver_->CreateRequest(
+      HostPortPair("secure_6slow_6nx_insecure_6slow_ok", 80),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
+  EXPECT_EQ(2u, num_running_dispatcher_jobs());
+
+  // The secure IPv4 request should complete, the secure IPv6 request is still
+  // pending.
+  base::RunLoop().RunUntilIdle();
+  EXPECT_EQ(1u, num_running_dispatcher_jobs());
+
+  response0.CancelRequest();
+  base::RunLoop().RunUntilIdle();
+  EXPECT_FALSE(response0.complete());
+  EXPECT_EQ(0u, num_running_dispatcher_jobs());
+
+  ResolveHostResponseHelper response1(resolver_->CreateRequest(
+      HostPortPair("secure_6slow_6nx_insecure_6slow_ok", 80),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
+  EXPECT_EQ(2u, num_running_dispatcher_jobs());
+
+  // The secure IPv4 request should complete, the secure IPv6 request is still
+  // pending.
+  base::RunLoop().RunUntilIdle();
+  EXPECT_EQ(1u, num_running_dispatcher_jobs());
+
+  // Let the secure IPv6 request complete and start the insecure requests.
+  dns_client_->CompleteDelayedTransactions();
+  EXPECT_EQ(2u, num_running_dispatcher_jobs());
+
+  // The insecure IPv4 request should complete, the insecure IPv6 request is
+  // still pending.
+  base::RunLoop().RunUntilIdle();
+  EXPECT_EQ(1u, num_running_dispatcher_jobs());
+
+  response1.CancelRequest();
+  base::RunLoop().RunUntilIdle();
+  EXPECT_FALSE(response1.complete());
+
+  // Dispatcher state checked in TearDown.
+}
+
 // Test cases where AAAA completes first.
 TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst) {
   set_allow_fallback_to_proctask(false);
@@ -4561,133 +4623,289 @@ TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst) {
   EXPECT_THAT(responses[2]->result_error(), IsError(ERR_DNS_TIMED_OUT));
 }
 
-// Test cases where transactions return secure or mixed secure/insecure results.
-TEST_F(HostResolverManagerDnsTest, SecureOrMixedSecurityResults) {
+TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst_AutomaticMode) {
   MockDnsClientRuleList rules;
-  AddSecureDnsRule(&rules, "secure", dns_protocol::kTypeA,
-                   MockDnsClientRule::OK, false /* delay */);
-  AddSecureDnsRule(&rules, "secure", dns_protocol::kTypeAAAA,
-                   MockDnsClientRule::OK, false /* delay */);
-  AddDnsRule(&rules, "4insecure_6slowsecure", dns_protocol::kTypeA,
-             MockDnsClientRule::OK, false /* delay */);
-  AddSecureDnsRule(&rules, "4insecure_6slowsecure", dns_protocol::kTypeAAAA,
-                   MockDnsClientRule::OK, true /* delay */);
-  AddDnsRule(&rules, "4insecure_6slowemptysecure", dns_protocol::kTypeA,
-             MockDnsClientRule::OK, false /* delay */);
-  AddSecureDnsRule(&rules, "4insecure_6slowemptysecure",
-                   dns_protocol::kTypeAAAA, MockDnsClientRule::EMPTY,
-                   true /* delay */);
-  AddDnsRule(&rules, "4insecureempty_6slowsecure", dns_protocol::kTypeA,
-             MockDnsClientRule::EMPTY, false /* delay */);
-  AddSecureDnsRule(&rules, "4insecureempty_6slowsecure",
-                   dns_protocol::kTypeAAAA, MockDnsClientRule::OK,
-                   true /* delay */);
-  AddDnsRule(&rules, "4insecure_6slowfailsecure", dns_protocol::kTypeA,
-             MockDnsClientRule::OK, false /* delay */);
-  AddSecureDnsRule(&rules, "4insecure_6slowfailsecure", dns_protocol::kTypeAAAA,
-                   MockDnsClientRule::FAIL, true /* delay */);
-  AddSecureDnsRule(&rules, "4secure_6slowinsecure", dns_protocol::kTypeA,
-                   MockDnsClientRule::OK, false /* delay */);
-  AddDnsRule(&rules, "4secure_6slowinsecure", dns_protocol::kTypeAAAA,
-             MockDnsClientRule::OK, true /* delay */);
-
-  CreateResolver();
+  rules.emplace_back("secure_slow_nx_insecure_4slow_ok", dns_protocol::kTypeA,
+                     true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::FAIL),
+                     true /* delay */);
+  rules.emplace_back("secure_slow_nx_insecure_4slow_ok",
+                     dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::FAIL),
+                     true /* delay */);
+  rules.emplace_back("secure_slow_nx_insecure_4slow_ok", dns_protocol::kTypeA,
+                     false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+  rules.emplace_back("secure_slow_nx_insecure_4slow_ok",
+                     dns_protocol::kTypeAAAA, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
+                     false /* delay */);
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  set_allow_fallback_to_proctask(false);
-
-  std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
-  responses.emplace_back(
-      std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("secure", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
-  responses.emplace_back(
-      std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4insecure_6slowsecure", 80), NetLogWithSource(),
-          base::nullopt, request_context_.get(), host_cache_.get())));
-  responses.emplace_back(
-      std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4insecure_6slowemptysecure", 80), NetLogWithSource(),
-          base::nullopt, request_context_.get(), host_cache_.get())));
-  responses.emplace_back(
-      std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4insecureempty_6slowsecure", 80), NetLogWithSource(),
-          base::nullopt, request_context_.get(), host_cache_.get())));
-  responses.emplace_back(
-      std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4insecure_6slowfailsecure", 80), NetLogWithSource(),
-          base::nullopt, request_context_.get(), host_cache_.get())));
-  responses.emplace_back(
-      std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4secure_6slowinsecure", 80), NetLogWithSource(),
-          base::nullopt, request_context_.get(), host_cache_.get())));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
 
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("secure_slow_nx_insecure_4slow_ok", 80), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   base::RunLoop().RunUntilIdle();
-  EXPECT_TRUE(responses[0]->complete());
-  EXPECT_FALSE(responses[1]->complete());
-  EXPECT_FALSE(responses[2]->complete());
-  EXPECT_FALSE(responses[3]->complete());
-  EXPECT_FALSE(responses[4]->complete());
-  EXPECT_FALSE(responses[5]->complete());
-
+  EXPECT_FALSE(response.complete());
+  // Complete the secure transactions.
+  dns_client_->CompleteDelayedTransactions();
+  base::RunLoop().RunUntilIdle();
+  EXPECT_FALSE(response.complete());
+  // Complete the insecure transactions.
   dns_client_->CompleteDelayedTransactions();
+  ASSERT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
+              testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
+  HostCache::Key insecure_key = HostCache::Key(
+      "secure_slow_nx_insecure_4slow_ok", DnsQueryType::UNSPECIFIED,
+      0 /* host_resolver_flags */, HostResolverSource::ANY);
+  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
+      GetCacheHit(insecure_key);
+  EXPECT_TRUE(!!cache_result);
+}
+
+TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
+  proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.100");
+  set_allow_fallback_to_proctask(true);
+
+  ChangeDnsConfig(CreateValidDnsConfig());
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
 
-  EXPECT_THAT(responses[0]->result_error(), IsOk());
-  EXPECT_THAT(responses[0]->request()->GetAddressResults().value().endpoints(),
+  // A successful DoH request should result in a secure cache entry.
+  ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
+      HostPortPair("automatic", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  ASSERT_THAT(response_secure.result_error(), IsOk());
+  EXPECT_THAT(
+      response_secure.request()->GetAddressResults().value().endpoints(),
+      testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
+                                    CreateExpected("::1", 80)));
+  HostCache::Key secure_key =
+      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  secure_key.secure = true;
+  cache_result = GetCacheHit(secure_key);
+  EXPECT_TRUE(!!cache_result);
+
+  // A successful plaintext DNS request should result in an insecure cache
+  // entry.
+  ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
+      HostPortPair("insecure_automatic", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  ASSERT_THAT(response_insecure.result_error(), IsOk());
+  EXPECT_THAT(
+      response_insecure.request()->GetAddressResults().value().endpoints(),
+      testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
+                                    CreateExpected("::1", 80)));
+  HostCache::Key insecure_key =
+      HostCache::Key("insecure_automatic", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  cache_result = GetCacheHit(insecure_key);
+  EXPECT_TRUE(!!cache_result);
+
+  // Fallback to ProcTask allowed in AUTOMATIC mode.
+  ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
+      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  proc_->SignalMultiple(1u);
+  EXPECT_THAT(response_proc.result_error(), IsOk());
+  EXPECT_THAT(response_proc.request()->GetAddressResults().value().endpoints(),
+              testing::ElementsAre(CreateExpected("192.168.1.100", 80)));
+}
+
+TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_SecureCache) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  // Populate cache with a secure entry.
+  HostCache::Key cached_secure_key =
+      HostCache::Key("automatic_cached", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  cached_secure_key.secure = true;
+  IPEndPoint kExpectedSecureIP = CreateExpected("192.168.1.102", 80);
+  PopulateCache(cached_secure_key, kExpectedSecureIP);
+
+  // The secure cache should be checked prior to any DoH request being sent.
+  ResolveHostResponseHelper response_secure_cached(resolver_->CreateRequest(
+      HostPortPair("automatic_cached", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response_secure_cached.result_error(), IsOk());
+  EXPECT_THAT(
+      response_secure_cached.request()->GetAddressResults().value().endpoints(),
+      testing::ElementsAre(kExpectedSecureIP));
+  EXPECT_FALSE(
+      response_secure_cached.request()->GetStaleInfo().value().is_stale());
+}
+
+TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_InsecureCache) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  // Populate cache with an insecure entry.
+  HostCache::Key cached_insecure_key =
+      HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.103", 80);
+  PopulateCache(cached_insecure_key, kExpectedInsecureIP);
+
+  // The insecure cache should be checked after DoH requests fail.
+  ResolveHostResponseHelper response_insecure_cached(resolver_->CreateRequest(
+      HostPortPair("insecure_automatic_cached", 80), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response_insecure_cached.result_error(), IsOk());
+  EXPECT_THAT(response_insecure_cached.request()
+                  ->GetAddressResults()
+                  .value()
+                  .endpoints(),
+              testing::ElementsAre(kExpectedInsecureIP));
+  EXPECT_FALSE(
+      response_insecure_cached.request()->GetStaleInfo().value().is_stale());
+}
+
+TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Downgrade) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+  // Remove all DoH servers from the config so there is no DoH server available.
+  DnsConfigOverrides overrides;
+  std::vector<DnsConfig::DnsOverHttpsServerConfig> doh_servers;
+  overrides.dns_over_https_servers = doh_servers;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
+
+  // Populate cache with both secure and insecure entries.
+  HostCache::Key cached_secure_key =
+      HostCache::Key("automatic_cached", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  cached_secure_key.secure = true;
+  IPEndPoint kExpectedSecureIP = CreateExpected("192.168.1.102", 80);
+  PopulateCache(cached_secure_key, kExpectedSecureIP);
+  HostCache::Key cached_insecure_key =
+      HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.103", 80);
+  PopulateCache(cached_insecure_key, kExpectedInsecureIP);
+
+  // The secure cache should still be checked first.
+  ResolveHostResponseHelper response_cached(resolver_->CreateRequest(
+      HostPortPair("automatic_cached", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response_cached.result_error(), IsOk());
+  EXPECT_THAT(
+      response_cached.request()->GetAddressResults().value().endpoints(),
+      testing::ElementsAre(kExpectedSecureIP));
+
+  // The insecure cache should be checked before any insecure requests are sent.
+  ResolveHostResponseHelper insecure_response_cached(resolver_->CreateRequest(
+      HostPortPair("insecure_automatic_cached", 80), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(insecure_response_cached.result_error(), IsOk());
+  EXPECT_THAT(insecure_response_cached.request()
+                  ->GetAddressResults()
+                  .value()
+                  .endpoints(),
+              testing::ElementsAre(kExpectedInsecureIP));
+
+  // The DnsConfig doesn't contain DoH servers so AUTOMATIC mode will be
+  // downgraded to OFF. A successful plaintext DNS request should result in an
+  // insecure cache entry.
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("automatic", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  ASSERT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                             CreateExpected("::1", 80)));
   HostCache::Key key =
-      HostCache::Key("secure", DnsQueryType::UNSPECIFIED,
+      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY);
-  key.secure = true;
   cache_result = GetCacheHit(key);
   EXPECT_TRUE(!!cache_result);
+}
 
-  EXPECT_TRUE(responses[1]->complete());
-  EXPECT_THAT(responses[1]->result_error(), IsOk());
-  EXPECT_THAT(responses[1]->request()->GetAddressResults().value().endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
-                                            CreateExpected("::1", 80)));
-  cache_result = GetCacheHit(
-      HostCache::Key("4insecure_6slowsecure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY));
-  EXPECT_TRUE(!!cache_result);
+TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Stale) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
 
-  EXPECT_TRUE(responses[2]->complete());
-  EXPECT_THAT(responses[2]->result_error(), IsOk());
-  EXPECT_THAT(responses[2]->request()->GetAddressResults().value().endpoints(),
-              testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
-  cache_result = GetCacheHit(
-      HostCache::Key("4insecure_6slowemptysecure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY));
-  EXPECT_TRUE(!!cache_result);
+  // Populate cache with insecure entry.
+  HostCache::Key cached_stale_key =
+      HostCache::Key("automatic_stale", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  IPEndPoint kExpectedStaleIP = CreateExpected("192.168.1.102", 80);
+  PopulateCache(cached_stale_key, kExpectedStaleIP);
+  MakeCacheStale();
 
-  EXPECT_TRUE(responses[3]->complete());
-  EXPECT_THAT(responses[3]->result_error(), IsOk());
-  EXPECT_THAT(responses[3]->request()->GetAddressResults().value().endpoints(),
-              testing::ElementsAre(CreateExpected("::1", 80)));
-  cache_result = GetCacheHit(
-      HostCache::Key("4insecureempty_6slowsecure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY));
-  EXPECT_TRUE(!!cache_result);
+  HostResolver::ResolveHostParameters stale_allowed_parameters;
+  stale_allowed_parameters.cache_usage =
+      HostResolver::ResolveHostParameters::CacheUsage::STALE_ALLOWED;
 
-  EXPECT_TRUE(responses[4]->complete());
-  EXPECT_THAT(responses[4]->result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(responses[4]->request()->GetAddressResults());
-  cache_result = GetCacheHit(
-      HostCache::Key("4insecure_6slowfailsecure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY));
-  EXPECT_TRUE(!!cache_result);
+  // The insecure cache should be checked before secure requests are made since
+  // stale results are allowed.
+  ResolveHostResponseHelper response_stale(resolver_->CreateRequest(
+      HostPortPair("automatic_stale", 80), NetLogWithSource(),
+      stale_allowed_parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response_stale.result_error(), IsOk());
+  EXPECT_THAT(response_stale.request()->GetAddressResults().value().endpoints(),
+              testing::ElementsAre(kExpectedStaleIP));
+  EXPECT_TRUE(response_stale.request()->GetStaleInfo()->is_stale());
+}
 
-  EXPECT_TRUE(responses[5]->complete());
-  EXPECT_THAT(responses[5]->result_error(), IsOk());
-  EXPECT_THAT(responses[5]->request()->GetAddressResults().value().endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
-                                            CreateExpected("::1", 80)));
-  cache_result = GetCacheHit(
-      HostCache::Key("4secure_6slowinsecure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY));
+TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure) {
+  proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.100");
+  set_allow_fallback_to_proctask(true);
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back("secure", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("secure", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::SECURE;
+  resolver_->SetDnsConfigOverrides(overrides);
+  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
+
+  ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
+      HostPortPair("secure", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  ASSERT_THAT(response_secure.result_error(), IsOk());
+  HostCache::Key secure_key =
+      HostCache::Key("secure", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  secure_key.secure = true;
+  cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
+
+  ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
+      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  ASSERT_THAT(response_insecure.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
+  HostCache::Key insecure_key =
+      HostCache::Key("ok", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  cache_result = GetCacheHit(insecure_key);
+  EXPECT_FALSE(!!cache_result);
+
+  // Fallback to ProcTask not allowed in SECURE mode.
+  ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
+      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  proc_->SignalMultiple(1u);
+  EXPECT_THAT(response_proc.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 }
 
 // Test the case where only a single transaction slot is available.
@@ -4710,6 +4928,33 @@ TEST_F(HostResolverManagerDnsTest, SerialResolver) {
                                             CreateExpected("::1", 80)));
 }
 
+TEST_F(HostResolverManagerDnsTest, SerialResolver_AutomaticMode) {
+  CreateSerialResolver();
+  ChangeDnsConfig(CreateValidDnsConfig());
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("insecure_automatic", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  EXPECT_FALSE(response.complete());
+  EXPECT_EQ(1u, num_running_dispatcher_jobs());
+
+  base::RunLoop().RunUntilIdle();
+  EXPECT_TRUE(response.complete());
+  EXPECT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
+              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
+                                            CreateExpected("::1", 80)));
+  HostCache::Key insecure_key =
+      HostCache::Key("insecure_automatic", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
+      GetCacheHit(insecure_key);
+  EXPECT_TRUE(!!cache_result);
+}
+
 // Test the case where subsequent transactions are handled on transaction
 // completion when only part of a multi-transaction request could be initially
 // started.
@@ -4819,21 +5064,12 @@ TEST_F(HostResolverManagerDnsTest, InvalidDnsConfigWithPendingRequests) {
     EXPECT_FALSE(response->complete());
   }
 
-  // Clear DNS config.  Request:
-  // 0 fully in-progress should be aborted.
-  // 1 partially in-progress should be fully aborted.
-  // 2 queued up should run using ProcTask.
+  // Clear DNS config. Fully in-progress, partially in-progress, and queued
+  // requests should all be aborted.
   ChangeDnsConfig(DnsConfig());
-  EXPECT_THAT(responses[0]->result_error(), IsError(ERR_NETWORK_CHANGED));
-  EXPECT_THAT(responses[1]->result_error(), IsError(ERR_NETWORK_CHANGED));
-  EXPECT_FALSE(responses[2]->complete());
-
-  // Finish up the third job.  Should bypass the DnsClient, and get its
-  // results from MockHostResolverProc.
-  proc_->SignalMultiple(1u);
-  EXPECT_THAT(responses[2]->result_error(), IsOk());
-  EXPECT_THAT(responses[2]->request()->GetAddressResults().value().endpoints(),
-              testing::ElementsAre(CreateExpected("192.168.0.3", 80)));
+  for (auto& response : responses) {
+    EXPECT_THAT(response->result_error(), IsError(ERR_NETWORK_CHANGED));
+  }
 }
 
 // Test that initial DNS config read signals do not abort pending requests
@@ -5178,19 +5414,42 @@ TEST_F(HostResolverManagerDnsTest, NotFoundTTL) {
 }
 
 TEST_F(HostResolverManagerDnsTest, CachedError) {
+  proc_->AddRuleForAllFamilies(std::string(),
+                               "0.0.0.0");  // Default to failures.
+  proc_->SignalMultiple(1u);
+
   CreateResolver();
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_proctask(true);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   HostResolver::ResolveHostParameters cache_only_parameters;
   cache_only_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   // Expect cache initially empty.
-  ResolveHostResponseHelper cache_miss_response(resolver_->CreateRequest(
+  ResolveHostResponseHelper cache_miss_response0(resolver_->CreateRequest(
       HostPortPair("nodomain", 80), NetLogWithSource(), cache_only_parameters,
       request_context_.get(), host_cache_.get()));
-  EXPECT_THAT(cache_miss_response.result_error(), IsError(ERR_DNS_CACHE_MISS));
-  EXPECT_FALSE(cache_miss_response.request()->GetStaleInfo());
+  EXPECT_THAT(cache_miss_response0.result_error(), IsError(ERR_DNS_CACHE_MISS));
+  EXPECT_FALSE(cache_miss_response0.request()->GetStaleInfo());
+
+  // The cache should not be populate with an error because fallback to ProcTask
+  // was available.
+  ResolveHostResponseHelper no_domain_response_with_fallback(
+      resolver_->CreateRequest(HostPortPair("nodomain", 80), NetLogWithSource(),
+                               base::nullopt, request_context_.get(),
+                               host_cache_.get()));
+  EXPECT_THAT(no_domain_response_with_fallback.result_error(),
+              IsError(ERR_NAME_NOT_RESOLVED));
+
+  // Expect cache still empty.
+  ResolveHostResponseHelper cache_miss_response1(resolver_->CreateRequest(
+      HostPortPair("nodomain", 80), NetLogWithSource(), cache_only_parameters,
+      request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(cache_miss_response1.result_error(), IsError(ERR_DNS_CACHE_MISS));
+  EXPECT_FALSE(cache_miss_response1.request()->GetStaleInfo());
+
+  // Disable fallback to proctask
+  set_allow_fallback_to_proctask(false);
 
   // Populate cache with an error.
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
@@ -5208,6 +5467,84 @@ TEST_F(HostResolverManagerDnsTest, CachedError) {
   EXPECT_FALSE(cache_hit_response.request()->GetStaleInfo().value().is_stale());
 }
 
+TEST_F(HostResolverManagerDnsTest, CachedError_AutomaticMode) {
+  CreateResolver();
+  set_allow_fallback_to_proctask(false);
+  ChangeDnsConfig(CreateValidDnsConfig());
+
+  // Switch to automatic mode.
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  HostCache::Key insecure_key =
+      HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key =
+      HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  secure_key.secure = true;
+
+  // Expect cache initially empty.
+  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
+  cache_result = GetCacheHit(secure_key);
+  EXPECT_FALSE(!!cache_result);
+  cache_result = GetCacheHit(insecure_key);
+  EXPECT_FALSE(!!cache_result);
+
+  // Populate both secure and insecure caches with an error.
+  ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
+      HostPortPair("automatic_nodomain", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(no_domain_response.result_error(),
+              IsError(ERR_NAME_NOT_RESOLVED));
+
+  // Expect both secure and insecure caches to have the error result.
+  cache_result = GetCacheHit(secure_key);
+  EXPECT_TRUE(!!cache_result);
+  cache_result = GetCacheHit(insecure_key);
+  EXPECT_TRUE(!!cache_result);
+}
+
+TEST_F(HostResolverManagerDnsTest, CachedError_SecureMode) {
+  CreateResolver();
+  set_allow_fallback_to_proctask(false);
+  ChangeDnsConfig(CreateValidDnsConfig());
+
+  // Switch to secure mode.
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::SECURE;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  HostCache::Key insecure_key =
+      HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key =
+      HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
+                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  secure_key.secure = true;
+
+  // Expect cache initially empty.
+  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
+  cache_result = GetCacheHit(secure_key);
+  EXPECT_FALSE(!!cache_result);
+  cache_result = GetCacheHit(insecure_key);
+  EXPECT_FALSE(!!cache_result);
+
+  // Populate secure cache with an error.
+  ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
+      HostPortPair("automatic_nodomain", 80), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(no_domain_response.result_error(),
+              IsError(ERR_NAME_NOT_RESOLVED));
+
+  // Expect only the secure cache to have the error result.
+  cache_result = GetCacheHit(secure_key);
+  EXPECT_TRUE(!!cache_result);
+  cache_result = GetCacheHit(insecure_key);
+  EXPECT_FALSE(!!cache_result);
+}
+
 TEST_F(HostResolverManagerDnsTest, NoCanonicalName) {
   MockDnsClientRuleList rules;
   AddDnsRule(&rules, "alias", dns_protocol::kTypeA, IPAddress::IPv4Localhost(),
@@ -5368,20 +5705,22 @@ TEST_F(HostResolverManagerTest, ResolveLocalHostname) {
 TEST_F(HostResolverManagerDnsTest, ResolveDnsOverHttpsServerName) {
   MockDnsClientRuleList rules;
   rules.emplace_back(
-      "dns.example2.com", dns_protocol::kTypeA, DnsConfig::SecureDnsMode::OFF,
+      "dns.example2.com", dns_protocol::kTypeA, false /* secure */,
+      MockDnsClientRule::Result(MockDnsClientRule::OK), false /* delay */);
+  rules.emplace_back(
+      "dns.example2.com", dns_protocol::kTypeAAAA, false /* secure */,
       MockDnsClientRule::Result(MockDnsClientRule::OK), false /* delay */);
-  rules.emplace_back("dns.example2.com", dns_protocol::kTypeAAAA,
-                     DnsConfig::SecureDnsMode::OFF,
-                     MockDnsClientRule::Result(MockDnsClientRule::OK),
-                     false /* delay */);
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   DnsConfigOverrides overrides;
-  overrides.dns_over_https_servers.emplace({DnsConfig::DnsOverHttpsServerConfig(
-      "https://dns.example.com/", true /*  use_post */)});
-  overrides.dns_over_https_servers.emplace({DnsConfig::DnsOverHttpsServerConfig(
-      "https://dns.example2.com/dns-query{?dns}", false /* use_post */)});
+  std::vector<DnsConfig::DnsOverHttpsServerConfig> doh_servers = {
+      DnsConfig::DnsOverHttpsServerConfig("https://dns.example.com/",
+                                          true /*  use_post */),
+      DnsConfig::DnsOverHttpsServerConfig(
+          "https://dns.example2.com/dns-query{?dns}", false /* use_post */)};
+  overrides.dns_over_https_servers = doh_servers;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::SECURE;
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
@@ -5398,7 +5737,6 @@ TEST_F(HostResolverManagerDnsTest, AddDnsOverHttpsServerAfterConfig) {
       NetworkChangeNotifier::CONNECTION_WIFI);
   ChangeDnsConfig(CreateValidDnsConfig());
 
-  resolver_->SetDnsClientEnabled(true);
   std::string server("https://dnsserver.example.net/dns-query{?dns}");
   DnsConfigOverrides overrides;
   overrides.dns_over_https_servers.emplace(
@@ -5431,7 +5769,6 @@ TEST_F(HostResolverManagerDnsTest, AddDnsOverHttpsServerBeforeConfig) {
   DestroyResolver();
   test::ScopedMockNetworkChangeNotifier notifier;
   CreateSerialResolver();  // To guarantee order of resolutions.
-  resolver_->SetDnsClientEnabled(true);
   std::string server("https://dnsserver.example.net/dns-query{?dns}");
   DnsConfigOverrides overrides;
   overrides.dns_over_https_servers.emplace(
@@ -5478,8 +5815,6 @@ TEST_F(HostResolverManagerDnsTest, AddDnsOverHttpsServerBeforeClient) {
       NetworkChangeNotifier::CONNECTION_WIFI);
   ChangeDnsConfig(CreateValidDnsConfig());
 
-  resolver_->SetDnsClientEnabled(true);
-
   base::DictionaryValue* config;
   auto value = resolver_->GetDnsConfigAsValue();
   EXPECT_TRUE(value);
@@ -5514,9 +5849,9 @@ TEST_F(HostResolverManagerDnsTest, AddDnsOverHttpsServerAndThenRemove) {
 
   notifier.mock_network_change_notifier()->SetConnectionType(
       NetworkChangeNotifier::CONNECTION_WIFI);
-  ChangeDnsConfig(CreateValidDnsConfig());
-
-  resolver_->SetDnsClientEnabled(true);
+  DnsConfig network_dns_config = CreateValidDnsConfig();
+  network_dns_config.dns_over_https_servers.clear();
+  ChangeDnsConfig(network_dns_config);
 
   base::DictionaryValue* config;
   auto value = resolver_->GetDnsConfigAsValue();
@@ -5908,8 +6243,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery) {
                                                         bar_records};
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeTXT,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsTextResponse(
                          "host", std::move(text_records))),
                      false /* delay */);
@@ -5947,8 +6281,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_NonexistentDomain) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeTXT,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::NODOMAIN),
                      false /* delay */);
 
@@ -5974,9 +6307,9 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Failure) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypeTXT, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::FAIL), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::FAIL),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6000,9 +6333,9 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Timeout) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypeTXT, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::TIMEOUT), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::TIMEOUT),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6026,9 +6359,9 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Empty) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypeTXT, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::EMPTY), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6052,8 +6385,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Malformed) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeTXT,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::MALFORMED),
                      false /* delay */);
 
@@ -6075,8 +6407,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Malformed) {
 TEST_F(HostResolverManagerDnsTest, TxtQuery_MismatchedName) {
   std::vector<std::vector<std::string>> text_records = {{"text"}};
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeTXT,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsTextResponse(
                          "host", std::move(text_records), "not.host")),
                      false /* delay */);
@@ -6099,8 +6430,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_MismatchedName) {
 TEST_F(HostResolverManagerDnsTest, TxtQuery_WrongType) {
   // Respond to a TXT query with an A response.
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeTXT,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
                      MockDnsClientRule::Result(
                          BuildTestDnsResponse("host", IPAddress(1, 2, 3, 4))),
                      false /* delay */);
@@ -6133,8 +6463,7 @@ TEST_F(HostResolverManagerDnsTest, TxtDnsQuery) {
                                                         bar_records};
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeTXT,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeTXT, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsTextResponse(
                          "host", std::move(text_records))),
                      false /* delay */);
@@ -6168,8 +6497,7 @@ TEST_F(HostResolverManagerDnsTest, TxtDnsQuery) {
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery) {
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypePTR,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsPointerResponse(
                          "host", {"foo.com", "bar.com"})),
                      false /* delay */);
@@ -6195,8 +6523,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery) {
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Ip) {
   MockDnsClientRuleList rules;
-  rules.emplace_back("8.8.8.8", dns_protocol::kTypePTR,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("8.8.8.8", dns_protocol::kTypePTR, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsPointerResponse(
                          "8.8.8.8", {"foo.com", "bar.com"})),
                      false /* delay */);
@@ -6227,8 +6554,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_NonexistentDomain) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypePTR,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::NODOMAIN),
                      false /* delay */);
 
@@ -6254,9 +6580,9 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Failure) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypePTR, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::FAIL), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::FAIL),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6280,9 +6606,9 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Timeout) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypePTR, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::TIMEOUT), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::TIMEOUT),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6306,9 +6632,9 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Empty) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypePTR, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::EMPTY), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6332,8 +6658,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Malformed) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypePTR,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::MALFORMED),
                      false /* delay */);
 
@@ -6355,8 +6680,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Malformed) {
 TEST_F(HostResolverManagerDnsTest, PtrQuery_MismatchedName) {
   std::vector<std::string> ptr_records = {{"foo.com"}};
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypePTR,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsPointerResponse(
                          "host", std::move(ptr_records), "not.host")),
                      false /* delay */);
@@ -6379,8 +6703,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_MismatchedName) {
 TEST_F(HostResolverManagerDnsTest, PtrQuery_WrongType) {
   // Respond to a TXT query with an A response.
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypePTR,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
                      MockDnsClientRule::Result(
                          BuildTestDnsResponse("host", IPAddress(1, 2, 3, 4))),
                      false /* delay */);
@@ -6407,8 +6730,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_WrongType) {
 // involved.
 TEST_F(HostResolverManagerDnsTest, PtrDnsQuery) {
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypePTR,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypePTR, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsPointerResponse(
                          "host", {"foo.com", "bar.com"})),
                      false /* delay */);
@@ -6439,8 +6761,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery) {
   const TestServiceRecord kRecord3 = {5, 1, 5, "google.com"};
   const TestServiceRecord kRecord4 = {2, 100, 12345, "chromium.org"};
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeSRV,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsServiceResponse(
                          "host", {kRecord1, kRecord2, kRecord3, kRecord4})),
                      false /* delay */);
@@ -6484,8 +6805,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_ZeroWeight) {
   const TestServiceRecord kRecord1 = {5, 0, 80, "bar.com"};
   const TestServiceRecord kRecord2 = {5, 0, 5, "google.com"};
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeSRV,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsServiceResponse(
                          "host", {kRecord1, kRecord2})),
                      false /* delay */);
@@ -6516,8 +6836,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_NonexistentDomain) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeSRV,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::NODOMAIN),
                      false /* delay */);
 
@@ -6543,9 +6862,9 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Failure) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypeSRV, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::FAIL), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::FAIL),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6569,9 +6888,9 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Timeout) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypeSRV, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::TIMEOUT), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::TIMEOUT),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6595,9 +6914,9 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Empty) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "host", dns_protocol::kTypeSRV, DnsConfig::SecureDnsMode::AUTOMATIC,
-      MockDnsClientRule::Result(MockDnsClientRule::EMPTY), false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
+                     false /* delay */);
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
@@ -6621,8 +6940,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Malformed) {
   proc_->SignalMultiple(1u);
 
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeSRV,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
                      MockDnsClientRule::Result(MockDnsClientRule::MALFORMED),
                      false /* delay */);
 
@@ -6644,8 +6962,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Malformed) {
 TEST_F(HostResolverManagerDnsTest, SrvQuery_MismatchedName) {
   std::vector<TestServiceRecord> srv_records = {{1, 2, 3, "foo.com"}};
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeSRV,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsServiceResponse(
                          "host", std::move(srv_records), "not.host")),
                      false /* delay */);
@@ -6668,8 +6985,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_MismatchedName) {
 TEST_F(HostResolverManagerDnsTest, SrvQuery_WrongType) {
   // Respond to a SRV query with an A response.
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeSRV,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
                      MockDnsClientRule::Result(
                          BuildTestDnsResponse("host", IPAddress(1, 2, 3, 4))),
                      false /* delay */);
@@ -6700,8 +7016,7 @@ TEST_F(HostResolverManagerDnsTest, SrvDnsQuery) {
   const TestServiceRecord kRecord3 = {5, 1, 5, "google.com"};
   const TestServiceRecord kRecord4 = {2, 100, 12345, "chromium.org"};
   MockDnsClientRuleList rules;
-  rules.emplace_back("host", dns_protocol::kTypeSRV,
-                     DnsConfig::SecureDnsMode::AUTOMATIC,
+  rules.emplace_back("host", dns_protocol::kTypeSRV, false /* secure */,
                      MockDnsClientRule::Result(BuildTestDnsServiceResponse(
                          "host", {kRecord1, kRecord2, kRecord3, kRecord4})),
                      false /* delay */);
diff --git a/chromium/net/dns/host_resolver_mdns_task.cc b/chromium/net/dns/host_resolver_mdns_task.cc
index cc5c3647101..356278b5721 100644
--- a/chromium/net/dns/host_resolver_mdns_task.cc
+++ b/chromium/net/dns/host_resolver_mdns_task.cc
@@ -128,7 +128,7 @@ HostResolverMdnsTask::HostResolverMdnsTask(
     MDnsClient* mdns_client,
     const std::string& hostname,
     const std::vector<DnsQueryType>& query_types)
-    : mdns_client_(mdns_client), hostname_(hostname), weak_ptr_factory_(this) {
+    : mdns_client_(mdns_client), hostname_(hostname) {
   DCHECK(!query_types.empty());
   for (DnsQueryType query_type : query_types) {
     transactions_.emplace_back(query_type, this);
diff --git a/chromium/net/dns/host_resolver_mdns_task.h b/chromium/net/dns/host_resolver_mdns_task.h
index 5a1c8294176..e0e408afdf0 100644
--- a/chromium/net/dns/host_resolver_mdns_task.h
+++ b/chromium/net/dns/host_resolver_mdns_task.h
@@ -63,7 +63,7 @@ class HostResolverMdnsTask {
 
   SEQUENCE_CHECKER(sequence_checker_);
 
-  base::WeakPtrFactory<HostResolverMdnsTask> weak_ptr_factory_;
+  base::WeakPtrFactory<HostResolverMdnsTask> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(HostResolverMdnsTask);
 };
diff --git a/chromium/net/dns/host_resolver_proc.cc b/chromium/net/dns/host_resolver_proc.cc
index 4f4bce2f04e..0824540a63a 100644
--- a/chromium/net/dns/host_resolver_proc.cc
+++ b/chromium/net/dns/host_resolver_proc.cc
@@ -280,9 +280,9 @@ const base::TimeDelta ProcTaskParams::kDnsDefaultUnresponsiveDelay =
     base::TimeDelta::FromSeconds(6);
 
 ProcTaskParams::ProcTaskParams(HostResolverProc* resolver_proc,
-                               size_t max_retry_attempts)
+                               size_t in_max_retry_attempts)
     : resolver_proc(resolver_proc),
-      max_retry_attempts(max_retry_attempts),
+      max_retry_attempts(in_max_retry_attempts),
       unresponsive_delay(kDnsDefaultUnresponsiveDelay),
       retry_factor(2) {
   // Maximum of 4 retry attempts for host resolution.
diff --git a/chromium/net/dns/mdns_client_impl.cc b/chromium/net/dns/mdns_client_impl.cc
index 4d3ce6c53f2..9ac0592fdcf 100644
--- a/chromium/net/dns/mdns_client_impl.cc
+++ b/chromium/net/dns/mdns_client_impl.cc
@@ -131,8 +131,7 @@ void MDnsConnection::SocketHandler::SendDone(int rv) {
 }
 
 MDnsConnection::MDnsConnection(MDnsConnection::Delegate* delegate)
-    : delegate_(delegate), weak_ptr_factory_(this) {
-}
+    : delegate_(delegate) {}
 
 MDnsConnection::~MDnsConnection() = default;
 
diff --git a/chromium/net/dns/mdns_client_impl.h b/chromium/net/dns/mdns_client_impl.h
index fd911dcd12f..0efda0b9a42 100644
--- a/chromium/net/dns/mdns_client_impl.h
+++ b/chromium/net/dns/mdns_client_impl.h
@@ -111,7 +111,7 @@ class NET_EXPORT_PRIVATE MDnsConnection {
 
   Delegate* delegate_;
 
-  base::WeakPtrFactory<MDnsConnection> weak_ptr_factory_;
+  base::WeakPtrFactory<MDnsConnection> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(MDnsConnection);
 };
diff --git a/chromium/net/dns/public/dns_protocol.h b/chromium/net/dns/public/dns_protocol.h
index 401dd92a2c1..29582d7b50a 100644
--- a/chromium/net/dns/public/dns_protocol.h
+++ b/chromium/net/dns/public/dns_protocol.h
@@ -122,10 +122,20 @@ static const int kMaxUDPSize = 512;
 // medium's MTU, and must be under 9000 bytes
 static const int kMaxMulticastSize = 9000;
 
+// RFC 1035, Section 4.1.3.
+// TYPE (2 bytes) + CLASS (2 bytes) + TTL (4 bytes) + RDLENGTH (2 bytes)
+static const int kResourceRecordSizeInBytesWithoutNameAndRData = 10;
+
 // DNS class types.
 //
 // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-2
 static const uint16_t kClassIN = 1;
+// RFC 6762, Section 10.2.
+//
+// For resource records sent through mDNS, the top bit of the class field in a
+// resource record is repurposed to the cache-flush bit. This bit should only be
+// used in mDNS transactions.
+static const uint16_t kFlagCacheFlush = 0x8000;
 
 // DNS resource record types.
 //
@@ -151,6 +161,11 @@ static const uint8_t kRcodeNXDOMAIN = 3;
 static const uint8_t kRcodeNOTIMP = 4;
 static const uint8_t kRcodeREFUSED = 5;
 
+// DNS EDNS(0) option codes (OPT)
+//
+// https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11
+static const uint16_t kEdnsPadding = 12;
+
 // DNS header flags.
 //
 // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-12
diff --git a/chromium/net/dns/record_rdata.cc b/chromium/net/dns/record_rdata.cc
index 87c707ef3f8..e6366702b7e 100644
--- a/chromium/net/dns/record_rdata.cc
+++ b/chromium/net/dns/record_rdata.cc
@@ -4,6 +4,7 @@
 
 #include "net/dns/record_rdata.h"
 
+#include <algorithm>
 #include <numeric>
 
 #include "base/big_endian.h"
@@ -14,8 +15,6 @@ namespace net {
 
 static const size_t kSrvRecordMinimumSize = 6;
 
-RecordRdata::RecordRdata() = default;
-
 bool RecordRdata::HasValidSize(const base::StringPiece& data, uint16_t type) {
   switch (type) {
     case dns_protocol::kTypeSRV:
@@ -288,8 +287,12 @@ bool NsecRecordRdata::GetBit(unsigned i) const {
 
 OptRecordRdata::OptRecordRdata() = default;
 
+OptRecordRdata::OptRecordRdata(OptRecordRdata&& other) = default;
+
 OptRecordRdata::~OptRecordRdata() = default;
 
+OptRecordRdata& OptRecordRdata::operator=(OptRecordRdata&& other) = default;
+
 // static
 std::unique_ptr<OptRecordRdata> OptRecordRdata::Create(
     const base::StringPiece& data,
@@ -340,6 +343,17 @@ void OptRecordRdata::AddOpt(const Opt& opt) {
   opts_.push_back(opt);
 }
 
+void OptRecordRdata::AddOpts(const OptRecordRdata& other) {
+  buf_.insert(buf_.end(), other.buf_.begin(), other.buf_.end());
+  opts_.insert(opts_.end(), other.opts_.begin(), other.opts_.end());
+}
+
+bool OptRecordRdata::ContainsOptCode(uint16_t opt_code) const {
+  return std::any_of(
+      opts_.begin(), opts_.end(),
+      [=](const OptRecordRdata::Opt& opt) { return opt.code() == opt_code; });
+}
+
 OptRecordRdata::Opt::Opt(uint16_t code, base::StringPiece data) : code_(code) {
   data.CopyToString(&data_);
 }
diff --git a/chromium/net/dns/record_rdata.h b/chromium/net/dns/record_rdata.h
index 8347d8adf12..e6864ae4fc5 100644
--- a/chromium/net/dns/record_rdata.h
+++ b/chromium/net/dns/record_rdata.h
@@ -36,11 +36,6 @@ class NET_EXPORT RecordRdata {
 
   virtual bool IsEqual(const RecordRdata* other) const = 0;
   virtual uint16_t Type() const = 0;
-
- protected:
-  RecordRdata();
-
-  DISALLOW_COPY_AND_ASSIGN(RecordRdata);
 };
 
 // SRV record format (http://www.ietf.org/rfc/rfc2782.txt):
@@ -228,7 +223,7 @@ class NET_EXPORT_PRIVATE OptRecordRdata : public RecordRdata {
  public:
   class NET_EXPORT_PRIVATE Opt {
    public:
-    static const size_t kHeaderSize = 4;  // sizeof(code) + sizeof(size)
+    static constexpr size_t kHeaderSize = 4;  // sizeof(code) + sizeof(size)
 
     Opt(uint16_t code, base::StringPiece data);
 
@@ -245,7 +240,11 @@ class NET_EXPORT_PRIVATE OptRecordRdata : public RecordRdata {
   static const uint16_t kType = dns_protocol::kTypeOPT;
 
   OptRecordRdata();
+  OptRecordRdata(OptRecordRdata&& other);
   ~OptRecordRdata() override;
+
+  OptRecordRdata& operator=(OptRecordRdata&& other);
+
   static std::unique_ptr<OptRecordRdata> Create(const base::StringPiece& data,
                                                 const DnsRecordParser& parser);
   bool IsEqual(const RecordRdata* other) const override;
@@ -256,6 +255,11 @@ class NET_EXPORT_PRIVATE OptRecordRdata : public RecordRdata {
   const std::vector<Opt>& opts() const { return opts_; }
   void AddOpt(const Opt& opt);
 
+  // Add all Opts from |other| to |this|.
+  void AddOpts(const OptRecordRdata& other);
+
+  bool ContainsOptCode(uint16_t opt_code) const;
+
  private:
   std::vector<Opt> opts_;
   std::vector<char> buf_;
diff --git a/chromium/net/dns/serial_worker.cc b/chromium/net/dns/serial_worker.cc
index 520bd3a64b9..f66abb17207 100644
--- a/chromium/net/dns/serial_worker.cc
+++ b/chromium/net/dns/serial_worker.cc
@@ -15,8 +15,7 @@ namespace net {
 SerialWorker::SerialWorker()
     : base::RefCountedDeleteOnSequence<SerialWorker>(
           base::SequencedTaskRunnerHandle::Get()),
-      state_(IDLE),
-      weak_factory_(this) {}
+      state_(IDLE) {}
 
 SerialWorker::~SerialWorker() = default;
 
diff --git a/chromium/net/dns/serial_worker.h b/chromium/net/dns/serial_worker.h
index b647b69e599..a16e8461291 100644
--- a/chromium/net/dns/serial_worker.h
+++ b/chromium/net/dns/serial_worker.h
@@ -76,7 +76,7 @@ class NET_EXPORT_PRIVATE SerialWorker
 
   State state_;
 
-  base::WeakPtrFactory<SerialWorker> weak_factory_;
+  base::WeakPtrFactory<SerialWorker> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SerialWorker);
 };
diff --git a/chromium/net/dns/system_dns_config_change_notifier.cc b/chromium/net/dns/system_dns_config_change_notifier.cc
new file mode 100644
index 00000000000..c636f54c313
--- /dev/null
+++ b/chromium/net/dns/system_dns_config_change_notifier.cc
@@ -0,0 +1,225 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/system_dns_config_change_notifier.h"
+
+#include <map>
+#include <utility>
+
+#include "base/bind.h"
+#include "base/location.h"
+#include "base/logging.h"
+#include "base/memory/weak_ptr.h"
+#include "base/sequence_checker.h"
+#include "base/sequenced_task_runner.h"
+#include "base/synchronization/lock.h"
+#include "base/task/post_task.h"
+#include "base/task/task_traits.h"
+#include "base/threading/sequenced_task_runner_handle.h"
+#include "net/dns/dns_config_service.h"
+
+namespace net {
+
+namespace {
+
+// Internal information and handling for a registered Observer. Handles
+// posting to and DCHECKing the correct sequence for the Observer.
+class WrappedObserver {
+ public:
+  explicit WrappedObserver(SystemDnsConfigChangeNotifier::Observer* observer)
+      : task_runner_(base::SequencedTaskRunnerHandle::Get()),
+        observer_(observer) {}
+
+  ~WrappedObserver() { DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); }
+
+  void OnNotifyThreadsafe(base::Optional<DnsConfig> config) {
+    task_runner_->PostTask(
+        FROM_HERE,
+        base::BindOnce(&WrappedObserver::OnNotify,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(config)));
+  }
+
+  void OnNotify(base::Optional<DnsConfig> config) {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    DCHECK(!config || config.value().IsValid());
+
+    observer_->OnSystemDnsConfigChanged(std::move(config));
+  }
+
+ private:
+  scoped_refptr<base::SequencedTaskRunner> task_runner_;
+  SystemDnsConfigChangeNotifier::Observer* const observer_;
+
+  SEQUENCE_CHECKER(sequence_checker_);
+  base::WeakPtrFactory<WrappedObserver> weak_ptr_factory_{this};
+
+  DISALLOW_COPY_AND_ASSIGN(WrappedObserver);
+};
+
+}  // namespace
+
+// Internal core to be destroyed via base::OnTaskRunnerDeleter to ensure
+// sequence safety.
+class SystemDnsConfigChangeNotifier::Core {
+ public:
+  Core(scoped_refptr<base::SequencedTaskRunner> task_runner,
+       std::unique_ptr<DnsConfigService> dns_config_service)
+      : task_runner_(std::move(task_runner)) {
+    DCHECK(task_runner_);
+    DCHECK(dns_config_service);
+
+    DETACH_FROM_SEQUENCE(sequence_checker_);
+
+    task_runner_->PostTask(FROM_HERE,
+                           base::BindOnce(&Core::SetAndStartDnsConfigService,
+                                          weak_ptr_factory_.GetWeakPtr(),
+                                          std::move(dns_config_service)));
+  }
+
+  ~Core() {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    DCHECK(wrapped_observers_.empty());
+  }
+
+  void AddObserver(Observer* observer) {
+    // Create wrapped observer outside locking in case construction requires
+    // complex side effects.
+    auto wrapped_observer = std::make_unique<WrappedObserver>(observer);
+
+    {
+      base::AutoLock lock(lock_);
+
+      if (config_) {
+        // Even though this is the same sequence as the observer, use the
+        // threadsafe OnNotify to post the notification for both lock and
+        // reentrancy safety.
+        wrapped_observer->OnNotifyThreadsafe(config_);
+      }
+
+      DCHECK_EQ(0u, wrapped_observers_.count(observer));
+      wrapped_observers_.emplace(observer, std::move(wrapped_observer));
+    }
+  }
+
+  void RemoveObserver(Observer* observer) {
+    // Destroy wrapped observer outside locking in case destruction requires
+    // complex side effects.
+    std::unique_ptr<WrappedObserver> removed_wrapped_observer;
+
+    {
+      base::AutoLock lock(lock_);
+      auto it = wrapped_observers_.find(observer);
+      DCHECK(it != wrapped_observers_.end());
+      removed_wrapped_observer = std::move(it->second);
+      wrapped_observers_.erase(it);
+    }
+  }
+
+  void RefreshConfig() {
+    task_runner_->PostTask(FROM_HERE,
+                           base::BindOnce(&Core::TriggerRefreshConfig,
+                                          weak_ptr_factory_.GetWeakPtr()));
+  }
+
+  void SetDnsConfigServiceForTesting(
+      std::unique_ptr<DnsConfigService> dns_config_service) {
+    DCHECK(dns_config_service);
+    task_runner_->PostTask(FROM_HERE,
+                           base::BindOnce(&Core::SetAndStartDnsConfigService,
+                                          weak_ptr_factory_.GetWeakPtr(),
+                                          std::move(dns_config_service)));
+  }
+
+ private:
+  void SetAndStartDnsConfigService(
+      std::unique_ptr<DnsConfigService> dns_config_service) {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+    dns_config_service_ = std::move(dns_config_service);
+    dns_config_service_->WatchConfig(base::BindRepeating(
+        &Core::OnConfigChanged, weak_ptr_factory_.GetWeakPtr()));
+  }
+
+  void OnConfigChanged(const DnsConfig& config) {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    base::AutoLock lock(lock_);
+
+    // |config_| is |base::nullopt| if most recent config was invalid (or no
+    // valid config has yet been read), so convert |config| to a similar form
+    // before comparing for change.
+    base::Optional<DnsConfig> new_config;
+    if (config.IsValid())
+      new_config = config;
+
+    if (config_ == new_config)
+      return;
+
+    config_ = std::move(new_config);
+
+    for (auto& wrapped_observer : wrapped_observers_) {
+      wrapped_observer.second->OnNotifyThreadsafe(config_);
+    }
+  }
+
+  void TriggerRefreshConfig() {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    dns_config_service_->RefreshConfig();
+  }
+
+  // Fields that may be accessed from any sequence. Must protect access using
+  // |lock_|.
+  mutable base::Lock lock_;
+  // Only stores valid configs. |base::nullopt| if most recent config was
+  // invalid (or no valid config has yet been read).
+  base::Optional<DnsConfig> config_;
+  std::map<Observer*, std::unique_ptr<WrappedObserver>> wrapped_observers_;
+
+  // Fields valid only on |task_runner_|.
+  scoped_refptr<base::SequencedTaskRunner> task_runner_;
+  SEQUENCE_CHECKER(sequence_checker_);
+  std::unique_ptr<DnsConfigService> dns_config_service_;
+  base::WeakPtrFactory<Core> weak_ptr_factory_{this};
+
+  DISALLOW_COPY_AND_ASSIGN(Core);
+};
+
+SystemDnsConfigChangeNotifier::SystemDnsConfigChangeNotifier()
+    : SystemDnsConfigChangeNotifier(
+          base::CreateSequencedTaskRunnerWithTraits({base::MayBlock()}),
+          DnsConfigService::CreateSystemService()) {}
+
+SystemDnsConfigChangeNotifier::SystemDnsConfigChangeNotifier(
+    scoped_refptr<base::SequencedTaskRunner> task_runner,
+    std::unique_ptr<DnsConfigService> dns_config_service)
+    : core_(nullptr, base::OnTaskRunnerDeleter(task_runner)) {
+  if (dns_config_service)
+    core_.reset(new Core(task_runner, std::move(dns_config_service)));
+}
+
+SystemDnsConfigChangeNotifier::~SystemDnsConfigChangeNotifier() = default;
+
+void SystemDnsConfigChangeNotifier::AddObserver(Observer* observer) {
+  if (core_)
+    core_->AddObserver(observer);
+}
+
+void SystemDnsConfigChangeNotifier::RemoveObserver(Observer* observer) {
+  if (core_)
+    core_->RemoveObserver(observer);
+}
+
+void SystemDnsConfigChangeNotifier::RefreshConfig() {
+  if (core_)
+    core_->RefreshConfig();
+}
+
+void SystemDnsConfigChangeNotifier::SetDnsConfigServiceForTesting(
+    std::unique_ptr<DnsConfigService> dns_config_service) {
+  DCHECK(core_);
+  DCHECK(dns_config_service);
+
+  core_->SetDnsConfigServiceForTesting(std::move(dns_config_service));
+}
+
+}  // namespace net
diff --git a/chromium/net/dns/system_dns_config_change_notifier.h b/chromium/net/dns/system_dns_config_change_notifier.h
new file mode 100644
index 00000000000..447a8d8c244
--- /dev/null
+++ b/chromium/net/dns/system_dns_config_change_notifier.h
@@ -0,0 +1,86 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_SYSTEM_DNS_CONFIG_CHANGE_NOTIFIER_H_
+#define NET_DNS_SYSTEM_DNS_CONFIG_CHANGE_NOTIFIER_H_
+
+#include <memory>
+
+#include "base/macros.h"
+#include "base/memory/scoped_refptr.h"
+#include "base/optional.h"
+#include "base/sequenced_task_runner.h"
+#include "net/base/net_export.h"
+#include "net/dns/dns_config.h"
+
+namespace net {
+
+class DnsConfigService;
+
+// Notifier that can be subscribed to to listen for changes to system DNS
+// configuration. Expected to only be used internally to HostResolverManager and
+// NetworkChangeNotifier. Other classes are expected to subscribe to
+// NetworkChangeNotifier::AddDNSObserver() to subscribe to listen to both system
+// config changes and configuration applied on top by Chrome.
+//
+// This class is thread and sequence safe except that RemoveObserver() must be
+// called on the same sequence as the matched AddObserver() call.
+//
+// TODO(crbug.com/971411): Use this class in HostResolverManager.
+class NET_EXPORT_PRIVATE SystemDnsConfigChangeNotifier {
+ public:
+  class Observer {
+   public:
+    // Called on loading new config, including the initial read once the first
+    // valid config has been read. If a config read encounters errors or an
+    // invalid config is read, will be invoked with |base::nullopt|. Only
+    // invoked when |config| changes.
+    virtual void OnSystemDnsConfigChanged(base::Optional<DnsConfig> config) = 0;
+  };
+
+  SystemDnsConfigChangeNotifier();
+  // Alternate constructor allowing specifying the underlying DnsConfigService.
+  // |dns_config_service| will only be interacted with and destroyed using
+  // |task_runner|. As required by DnsConfigService, blocking I/O may be
+  // performed on |task_runner|, so it must support blocking (i.e.
+  // base::MayBlock).
+  //
+  // |dns_config_service| may be null if system DNS config is disabled for the
+  // current platform. Calls against the created object will noop, and no
+  // notifications will ever be sent.
+  SystemDnsConfigChangeNotifier(
+      scoped_refptr<base::SequencedTaskRunner> task_runner,
+      std::unique_ptr<DnsConfigService> dns_config_service);
+  ~SystemDnsConfigChangeNotifier();
+
+  // An added Observer will receive notifications on the sequence where
+  // AddObserver() was called. If the config has been successfully read before
+  // calling this method, a notification will be sent for that current config
+  // before any other notifications.
+  void AddObserver(Observer* observer);
+
+  // In order to ensure notifications immediately stop on calling
+  // RemoveObserver(), must be called on the same sequence where the associated
+  // AddObserver() was called.
+  void RemoveObserver(Observer* observer);
+
+  // Triggers invalidation and re-read of the current configuration (followed by
+  // notifications to registered Observers). For use only on platforms
+  // expecting network-stack-external notifications of DNS config changes.
+  void RefreshConfig();
+
+  void SetDnsConfigServiceForTesting(
+      std::unique_ptr<DnsConfigService> dns_config_service);
+
+ private:
+  class Core;
+
+  std::unique_ptr<Core, base::OnTaskRunnerDeleter> core_;
+
+  DISALLOW_COPY_AND_ASSIGN(SystemDnsConfigChangeNotifier);
+};
+
+}  // namespace net
+
+#endif  // NET_DNS_SYSTEM_DNS_CONFIG_CHANGE_NOTIFIER_H_
diff --git a/chromium/net/dns/system_dns_config_change_notifier_unittest.cc b/chromium/net/dns/system_dns_config_change_notifier_unittest.cc
new file mode 100644
index 00000000000..9c3c705025b
--- /dev/null
+++ b/chromium/net/dns/system_dns_config_change_notifier_unittest.cc
@@ -0,0 +1,327 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/system_dns_config_change_notifier.h"
+
+#include <utility>
+#include <vector>
+
+#include "base/bind.h"
+#include "base/run_loop.h"
+#include "base/task/post_task.h"
+#include "base/task/task_traits.h"
+#include "net/base/ip_address.h"
+#include "net/base/ip_endpoint.h"
+#include "net/dns/dns_hosts.h"
+#include "net/dns/test_dns_config_service.h"
+#include "net/test/test_with_scoped_task_environment.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace {
+const std::vector<IPEndPoint> kNameservers = {
+    IPEndPoint(IPAddress(1, 2, 3, 4), 95)};
+const std::vector<IPEndPoint> kNameservers2 = {
+    IPEndPoint(IPAddress(2, 3, 4, 5), 195)};
+const DnsConfig kConfig(kNameservers);
+const DnsConfig kConfig2(kNameservers2);
+}  // namespace
+
+class SystemDnsConfigChangeNotifierTest : public TestWithScopedTaskEnvironment {
+ public:
+  // Set up a change notifier, owned on a dedicated blockable task runner, with
+  // a faked underlying DnsConfigService.
+  SystemDnsConfigChangeNotifierTest()
+      : notifier_task_runner_(
+            base::CreateSequencedTaskRunnerWithTraits({base::MayBlock()})) {
+    auto test_service = std::make_unique<TestDnsConfigService>();
+    notifier_task_runner_->PostTask(
+        FROM_HERE,
+        base::BindOnce(&TestDnsConfigService::OnHostsRead,
+                       base::Unretained(test_service.get()), DnsHosts()));
+    test_config_service_ = test_service.get();
+
+    notifier_ = std::make_unique<SystemDnsConfigChangeNotifier>(
+        notifier_task_runner_, std::move(test_service));
+  }
+
+ protected:
+  // Test observer implementation that records all notifications received in a
+  // vector, and also validates that all notifications are received on the
+  // expected sequence.
+  class TestObserver : public SystemDnsConfigChangeNotifier::Observer {
+   public:
+    void OnSystemDnsConfigChanged(base::Optional<DnsConfig> config) override {
+      DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+      configs_received_.push_back(std::move(config));
+
+      DCHECK_GT(notifications_remaining_, 0);
+      if (--notifications_remaining_ == 0)
+        run_loop_->Quit();
+    }
+
+    void WaitForNotification() { WaitForNotifications(1); }
+    void WaitForNotifications(int num_notifications) {
+      DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+      notifications_remaining_ = num_notifications;
+      run_loop_->Run();
+      run_loop_ = std::make_unique<base::RunLoop>();
+    }
+
+    void ExpectNoMoreNotifications() {
+      DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+      configs_received_.clear();
+      base::RunLoop().RunUntilIdle();
+      EXPECT_TRUE(configs_received_.empty());
+    }
+
+    std::vector<base::Optional<DnsConfig>>& configs_received() {
+      return configs_received_;
+    }
+
+   private:
+    int notifications_remaining_ = 0;
+    std::unique_ptr<base::RunLoop> run_loop_ =
+        std::make_unique<base::RunLoop>();
+    std::vector<base::Optional<DnsConfig>> configs_received_;
+    SEQUENCE_CHECKER(sequence_checker_);
+  };
+
+  // Load a config and wait for it to be received by the notifier.
+  void LoadConfig(const DnsConfig& config, bool already_loaded = false) {
+    TestObserver observer;
+    notifier_->AddObserver(&observer);
+
+    // If |notifier_| already has a config loaded, |observer| will first get a
+    // notification for that initial config.
+    if (already_loaded)
+      observer.WaitForNotification();
+
+    notifier_task_runner_->PostTask(
+        FROM_HERE,
+        base::BindOnce(&TestDnsConfigService::OnConfigRead,
+                       base::Unretained(test_config_service_), config));
+    observer.WaitForNotification();
+
+    notifier_->RemoveObserver(&observer);
+  }
+
+  scoped_refptr<base::SequencedTaskRunner> notifier_task_runner_;
+  std::unique_ptr<SystemDnsConfigChangeNotifier> notifier_;
+  // Owned by |notifier_|.
+  TestDnsConfigService* test_config_service_;
+};
+
+TEST_F(SystemDnsConfigChangeNotifierTest, ReceiveNotification) {
+  TestObserver observer;
+
+  notifier_->AddObserver(&observer);
+  notifier_task_runner_->PostTask(
+      FROM_HERE,
+      base::BindOnce(&TestDnsConfigService::OnConfigRead,
+                     base::Unretained(test_config_service_), kConfig));
+  observer.WaitForNotification();
+
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig)));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+TEST_F(SystemDnsConfigChangeNotifierTest, ReceiveNotification_Multiple) {
+  TestObserver observer;
+
+  notifier_->AddObserver(&observer);
+  notifier_task_runner_->PostTask(
+      FROM_HERE,
+      base::BindOnce(&TestDnsConfigService::OnConfigRead,
+                     base::Unretained(test_config_service_), kConfig));
+  notifier_task_runner_->PostTask(
+      FROM_HERE,
+      base::BindOnce(&TestDnsConfigService::OnConfigRead,
+                     base::Unretained(test_config_service_), kConfig2));
+  observer.WaitForNotifications(2);
+
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig),
+                                   testing::Optional(kConfig2)));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+// If the notifier already has a config loaded, a new observer should receive an
+// initial notification for that config.
+TEST_F(SystemDnsConfigChangeNotifierTest, ReceiveInitialNotification) {
+  LoadConfig(kConfig);
+
+  TestObserver observer;
+  notifier_->AddObserver(&observer);
+  observer.WaitForNotification();
+
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig)));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+// If multiple configs have been read before adding an Observer, should notify
+// it only of the most recent.
+TEST_F(SystemDnsConfigChangeNotifierTest, ReceiveInitialNotification_Multiple) {
+  LoadConfig(kConfig);
+  LoadConfig(kConfig2, true /* already_loaded */);
+
+  TestObserver observer;
+  notifier_->AddObserver(&observer);
+  observer.WaitForNotification();
+
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig2)));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+TEST_F(SystemDnsConfigChangeNotifierTest, NotificationsStopAfterRemoval) {
+  TestObserver observer;
+  notifier_->AddObserver(&observer);
+  notifier_->RemoveObserver(&observer);
+
+  LoadConfig(kConfig);
+  LoadConfig(kConfig2, true /* already_loaded */);
+
+  EXPECT_TRUE(observer.configs_received().empty());
+  observer.ExpectNoMoreNotifications();
+}
+
+TEST_F(SystemDnsConfigChangeNotifierTest, UnchangedConfigs) {
+  LoadConfig(kConfig);
+
+  TestObserver observer;
+  notifier_->AddObserver(&observer);
+  observer.WaitForNotification();
+
+  // Expect no notifications from duplicate configs.
+  notifier_task_runner_->PostTask(
+      FROM_HERE,
+      base::BindOnce(&TestDnsConfigService::OnConfigRead,
+                     base::Unretained(test_config_service_), kConfig));
+  notifier_task_runner_->PostTask(
+      FROM_HERE,
+      base::BindOnce(&TestDnsConfigService::OnConfigRead,
+                     base::Unretained(test_config_service_), kConfig));
+  observer.ExpectNoMoreNotifications();
+
+  // Notification on new config.
+  notifier_task_runner_->PostTask(
+      FROM_HERE,
+      base::BindOnce(&TestDnsConfigService::OnConfigRead,
+                     base::Unretained(test_config_service_), kConfig2));
+  observer.WaitForNotification();
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig2)));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+TEST_F(SystemDnsConfigChangeNotifierTest, UnloadedConfig) {
+  LoadConfig(kConfig);
+
+  TestObserver observer;
+  notifier_->AddObserver(&observer);
+  // Initial config.
+  observer.WaitForNotification();
+
+  notifier_task_runner_->PostTask(
+      FROM_HERE, base::BindOnce(&TestDnsConfigService::InvalidateConfig,
+                                base::Unretained(test_config_service_)));
+  observer.WaitForNotification();
+
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig), base::nullopt));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+// All invalid configs are considered the same for notifications, so only expect
+// a single notification on multiple config invalidations.
+TEST_F(SystemDnsConfigChangeNotifierTest, UnloadedConfig_Multiple) {
+  LoadConfig(kConfig);
+
+  TestObserver observer;
+  notifier_->AddObserver(&observer);
+  // Initial config.
+  observer.WaitForNotification();
+
+  notifier_task_runner_->PostTask(
+      FROM_HERE, base::BindOnce(&TestDnsConfigService::InvalidateConfig,
+                                base::Unretained(test_config_service_)));
+  notifier_task_runner_->PostTask(
+      FROM_HERE, base::BindOnce(&TestDnsConfigService::InvalidateConfig,
+                                base::Unretained(test_config_service_)));
+  observer.WaitForNotification();  // Only 1 notification expected.
+
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig), base::nullopt));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+TEST_F(SystemDnsConfigChangeNotifierTest, InitialConfigInvalid) {
+  // Add and invalidate a config (using an extra observer to wait for
+  // invalidation to complete).
+  LoadConfig(kConfig);
+  TestObserver setup_observer;
+  notifier_->AddObserver(&setup_observer);
+  setup_observer.WaitForNotification();
+  notifier_task_runner_->PostTask(
+      FROM_HERE, base::BindOnce(&TestDnsConfigService::InvalidateConfig,
+                                base::Unretained(test_config_service_)));
+  setup_observer.WaitForNotification();
+  notifier_->RemoveObserver(&setup_observer);
+
+  TestObserver observer;
+  notifier_->AddObserver(&observer);
+
+  // No notification expected until first valid config.
+  observer.ExpectNoMoreNotifications();
+
+  // Notification on new config.
+  notifier_task_runner_->PostTask(
+      FROM_HERE,
+      base::BindOnce(&TestDnsConfigService::OnConfigRead,
+                     base::Unretained(test_config_service_), kConfig));
+  observer.WaitForNotification();
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig)));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+TEST_F(SystemDnsConfigChangeNotifierTest, RefreshConfig) {
+  test_config_service_->SetConfigForRefresh(kConfig);
+
+  TestObserver observer;
+  notifier_->AddObserver(&observer);
+
+  notifier_->RefreshConfig();
+  observer.WaitForNotification();
+
+  EXPECT_THAT(observer.configs_received(),
+              testing::ElementsAre(testing::Optional(kConfig)));
+  observer.ExpectNoMoreNotifications();
+
+  notifier_->RemoveObserver(&observer);
+}
+
+}  // namespace net
diff --git a/chromium/net/dns/test_dns_config_service.cc b/chromium/net/dns/test_dns_config_service.cc
new file mode 100644
index 00000000000..af928627f4d
--- /dev/null
+++ b/chromium/net/dns/test_dns_config_service.cc
@@ -0,0 +1,26 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/test_dns_config_service.h"
+
+namespace net {
+
+TestDnsConfigService::TestDnsConfigService() = default;
+
+TestDnsConfigService::~TestDnsConfigService() = default;
+
+bool TestDnsConfigService::StartWatching() {
+  return true;
+}
+
+void TestDnsConfigService::RefreshConfig() {
+  DCHECK(config_for_refresh_);
+  InvalidateConfig();
+  InvalidateHosts();
+  OnConfigRead(config_for_refresh_.value());
+  OnHostsRead(config_for_refresh_.value().hosts);
+  config_for_refresh_ = base::nullopt;
+}
+
+}  // namespace net
diff --git a/chromium/net/dns/test_dns_config_service.h b/chromium/net/dns/test_dns_config_service.h
new file mode 100644
index 00000000000..3b61c361c6c
--- /dev/null
+++ b/chromium/net/dns/test_dns_config_service.h
@@ -0,0 +1,56 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_TEST_DNS_CONFIG_SERVICE_H_
+#define NET_DNS_TEST_DNS_CONFIG_SERVICE_H_
+
+#include <utility>
+
+#include "base/logging.h"
+#include "base/optional.h"
+#include "net/dns/dns_config_service.h"
+
+namespace net {
+
+// Simple test implementation of DnsConfigService that will trigger
+// notifications only on explicitly calling On...() methods.
+class TestDnsConfigService : public DnsConfigService {
+ public:
+  TestDnsConfigService();
+  ~TestDnsConfigService() override;
+
+  void ReadNow() override {}
+  bool StartWatching() override;
+
+  // Expose the protected methods to this test suite.
+  void InvalidateConfig() { DnsConfigService::InvalidateConfig(); }
+
+  void InvalidateHosts() { DnsConfigService::InvalidateHosts(); }
+
+  void OnConfigRead(const DnsConfig& config) {
+    DnsConfigService::OnConfigRead(config);
+  }
+
+  void OnHostsRead(const DnsHosts& hosts) {
+    DnsConfigService::OnHostsRead(hosts);
+  }
+
+  void set_watch_failed(bool value) {
+    DnsConfigService::set_watch_failed(value);
+  }
+
+  void RefreshConfig() override;
+
+  void SetConfigForRefresh(DnsConfig config) {
+    DCHECK(!config_for_refresh_);
+    config_for_refresh_ = std::move(config);
+  }
+
+ private:
+  base::Optional<DnsConfig> config_for_refresh_;
+};
+
+}  // namespace net
+
+#endif  // NET_DNS_TEST_DNS_CONFIG_SERVICE_H_
diff --git a/chromium/net/docs/crash-course-in-net-internals.md b/chromium/net/docs/crash-course-in-net-internals.md
index 8c1fbbb392e..1a120fb0381 100644
--- a/chromium/net/docs/crash-course-in-net-internals.md
+++ b/chromium/net/docs/crash-course-in-net-internals.md
@@ -19,7 +19,7 @@ Events view, which will be all this document covers.
 
 The top level network stack object is the URLRequestContext.  The Events view
 has information for all Chrome URLRequestContexts that are hooked up to the
-single, global, ChromeNetLog object.  This includes both incognito and
+single, global, NetLog object.  This includes both incognito and
 non-incognito profiles, among other things.  The Events view only shows events
 for the period that net-internals was open and running, and is incrementally
 updated as events occur.  The code attempts to add a top level event for
diff --git a/chromium/net/docs/proxy.md b/chromium/net/docs/proxy.md
index 9524db0d41e..967f79aa894 100644
--- a/chromium/net/docs/proxy.md
+++ b/chromium/net/docs/proxy.md
@@ -1,45 +1,47 @@
 # Proxy support in Chrome
 
-This document establishes basic proxy terminology, as well as describing
-behaviors specific to Chrome.
+This document establishes basic proxy terminology and describes Chrome-specific
+proxy behaviors.
 
-## Proxy Server
+[TOC]
 
-A proxy server is an intermediary used for network requests. It can be
-identified by the 3-tuple (scheme, host, port) where:
+## Proxy server identifiers
 
-* scheme - protocol used to communicate with the proxy (ex: SOCKSv5, HTTPS).
-* host - IP or hostname of the proxy server (ex: 192.168.0.1)
-* port - TCP/UDP port number (ex: 443)
+A proxy server is an intermediary used for network requests. A proxy server can
+be described by its address, along with the proxy scheme that should be used to
+communicate with it.
 
-There are a variety of proxy server schemes supported by Chrome. When using an
-explicit proxy in the browser, multiple layers of the network request are
-impacted.
+This can be written as a string using either the "PAC format" or the "URI
+format".
 
-Difference between proxy server schemes include:
+The PAC format is how one names a proxy server in [Proxy
+auto-config](https://en.wikipedia.org/wiki/Proxy_auto-config) scripts. For
+example:
+* `PROXY foo:2138`
+* `SOCKS5 foo:1080`
+* `DIRECT`
 
-* Is communication to the proxy done over a secure channel?
-* Is name resolution (ex: DNS) done client side, or proxy side?
-* What authentication schemes to the proxy server are supported?
-* What network traffic can be sent through the proxy?
-
-Identifiers for proxy servers are often written as strings, using either the
-PAC format (ex: `PROXY foo`) or Chrome's URI format (ex: `http://foo`).
+The "URI format" instead encodes the information as a URL. For example:
+* `foo:2138`
+* `http://foo:2138`
+* `socks5://foo:1080`
+* `direct://`
 
-When a proxy server's scheme is not stated, it's assumed to be HTTP in most
-contexts.
+The port number is optional in both formats. When omitted, a per-scheme default
+is used.
 
-This can lead to some confusion, particularly when discussing system proxy
-settings. Major platform UIs have converged on the term "Secure proxy" to mean
-the host:port for an (insecure) HTTP proxy to use for proxying https:// URLs.
+See the [Proxy server schemes](#Proxy-server-schemes) section for details on
+what schemes Chrome supports, and how to write them in the PAC and URI formats.
 
-So when someone refers to their "HTTPS proxy" be aware of this ambiguity. The
-intended meaning could be either "an HTTP proxy for https:// URLs", or "a proxy
-using the HTTPS scheme".
+Most UI surfaces in Chrome (including command lines and policy) expect URI
+formatted proxy server identifiers. However outside of Chrome, proxy servers
+are generally identified less precisely by just an address -- the proxy
+scheme is assumed based on context.
 
-In this document when we say "an HTTPS proxy", we always mean "a proxy
-that the browser speaks HTTPS to", and not "an (HTTP) proxy used to proxy
-https:// URLs".
+In Windows' proxy settings there are host and port fields for the
+"HTTP", "Secure", "FTP", and "SOCKS" proxy. With the exception of "SOCKS",
+those are all identifiers for insecure HTTP proxy servers (proxy scheme is
+assumed as HTTP).
 
 ## Proxy resolution
 
@@ -49,31 +51,42 @@ When the browser is asked to fetch a URL, it needs to decide which IP endpoint
 to send the request to. This can be either a proxy server, or the target host.
 
 This is called proxy resolution. The input to proxy resolution is a URL, and
-the output is an ordered list of proxy server options.
+the output is an ordered list of [proxy server
+identifiers](#Proxy-server-identifiers).
 
 What proxies to use can be described using either:
 
-* Manual proxy settings - proxy resolution is defined using a declarative set
-  of rules. These rules are expressed as a mapping from URL scheme to proxy
-  server(s), and a list of proxy bypass rules for when to go DIRECT instead of
-  using the mapped proxy.
+* [Manual proxy settings](#Manual-proxy-settings) - proxy resolution is defined
+  using a declarative set of rules. These rules are expressed as a mapping from
+  URL scheme to proxy server identifier(s), and a list of proxy bypass rules for
+  when to go DIRECT instead of using the mapped proxy.
 
 * PAC script - proxy resolution is defined using a JavaScript program, that is
-  invoked whenever fetching a URL to get the list of proxy servers to use.
+  invoked whenever fetching a URL to get the list of proxy server identifiers
+  to use.
 
 * Auto-detect - the WPAD protocol is used to probe the network (using DHCP/DNS)
   and possibly discover the URL of a PAC script.
 
 ## Proxy server schemes
 
-Chrome supports the following proxy server schemes:
+When using an explicit proxy in the browser, multiple layers of the network
+request are impacted, depending on the scheme that is used. Some implications
+of the proxy scheme are:
+
+* Is communication to the proxy done over a secure channel?
+* Is name resolution (ex: DNS) done client side, or proxy side?
+* What authentication schemes to the proxy server are supported?
+* What network traffic can be sent through the proxy?
+
+Chrome supports these proxy server schemes:
 
-* DIRECT
-* HTTP
-* HTTPS
-* SOCKSv4
-* SOCKSv5
-* QUIC
+* [DIRECT](#DIRECT-proxy-scheme)
+* [HTTP](#HTTP-proxy-scheme)
+* [HTTPS](#HTTPS-proxy-scheme)
+* [SOCKSv4](#SOCKSv4-proxy-scheme)
+* [SOCKSv5](#SOCKSv5-proxy-scheme)
+* [QUIC](#QUIC-proxy-scheme)
 
 ### DIRECT proxy scheme
 
@@ -107,7 +120,7 @@ tunnel, the hostname of the target URL is sent to the proxy server in the
 clear.
 
 HTTP proxies in Chrome support the same HTTP authentiation schemes as for
-target servers: Basic, Digest, Negotiate/NTLM.
+target servers: Basic, Digest, Negotiate, NTLM.
 
 ### HTTPS proxy scheme
 
@@ -115,12 +128,32 @@ target servers: Basic, Digest, Negotiate/NTLM.
 * Example identifier (PAC): `HTTPS proxy:8080`
 * Example identifier (URI): `https://proxy:8080`
 
-This works exactly like an HTTP proxy, except the communication to the proxy
-server is protected by TLS. Hence `http://` requests, and hostnames for
-`https://` requests are not sent in the clear as with HTTP proxies.
+This works like an [HTTP proxy](#HTTP-proxy-scheme), except the
+communication to the proxy server is protected by TLS, and may negotiate
+HTTP/2 (but not QUIC).
 
-In addition to HTTP authentication methods, one can also use client
-certificates to authenticate to HTTPS proxies.
+Because the connection to the proxy server is secure, https:// requests
+sent through the proxy are not sent in the clear as with an HTTP proxy.
+Similarly, since CONNECT requests are sent over a protected channel, the
+hostnames for proxied https:// URLs is also not revealed.
+
+In addition to the usual HTTP authentication methods, HTTPS proxies also
+support client certificates.
+
+HTTPS proxies using HTTP/2 can offer better performance in Chrome than a
+regular HTTP proxy due to higher connection limits (HTTP/1.1 proxies in Chrome
+are limited to 32 simultaneous connections across all domains).
+
+Chrome, Firefox, and Opera support HTTPS proxies; however, most older HTTP
+stacks do not.
+
+Specifying an HTTPS proxy is generally not possible through system proxy
+settings. Instead, one must use either a PAC script or a Chrome proxy setting
+(command line, extension, or policy).
+
+See the dev.chromium.org document on [secure web
+proxies](http://dev.chromium.org/developers/design-documents/secure-web-proxy)
+for tips on how to run and test against an HTTPS proxy.
 
 ### SOCKSv4 proxy scheme
 
@@ -176,25 +209,37 @@ used to relay UDP traffic.
 * Example identifier (PAC): `QUIC proxy:8080`
 * Example identifier (URI): `quic://proxy:8080`
 
-TODO
+A QUIC proxy uses QUIC (UDP) as the underlying transport, but otherwise
+behaves as an HTTP proxy. It has similar properties to an [HTTPS
+proxy](#HTTPS-proxy-scheme), in that the connection to the proxy server
+is secure, and connection limits are less restrictive.
+
+Support for QUIC proxies in Chrome is currently experimental and not
+ready for production use. In particular, sending https:// and wss://
+URLs through a QUIC proxy is [disabled by
+default](https://bugs.chromium.org/p/chromium/issues/detail?id=969859).
+
+Another caveat is that QUIC does not currently support
+client certificates since it does not use a TLS
+handshake. This may change in future versions.
 
 ## Manual proxy settings
 
 The simplest way to configure proxy resolution is by providing a static list of
 rules comprised of:
 
-1. A mapping of URL schemes to proxy servers
-2. A list of proxy bypass rules
+1. A mapping of URL schemes to [proxy server identifiers](#Proxy-server-identifiers).
+2. A list of [proxy bypass rules](#Proxy-bypass-rules)
 
 We refer to this mode of configuration as "manual proxy settings".
 
 Manual proxy settings can succinctly describe setups like:
 
-* Use HTTPS proxy `foo:8080` for all requests
-* Use HTTP proxy `foo:8080` for all requests except those to a `google.com`
+* Use proxy `http://foo:8080` for all requests
+* Use proxy `http://foo:8080` for all requests except those to a `google.com`
   subdomain.
-* Use HTTP proxy `foo:8080` for all `https://` requests, and the SOCKSv5 proxy
-  `mysocks:90` for everything else
+* Use proxy `http://foo:8080` for all `https://` requests, and proxy
+  `socsk5://mysocks:90` for everything else
 
 Although manual proxy settings are a ubiquituous way to configure proxies
 across platforms, there is no standard representation or feature set.
@@ -205,14 +250,14 @@ reversing the bypass list, or Gnome's interpretation of bypass patterns as
 suffix matches.
 
 When defining manual proxy settings in Chrome, we specify three (possibly
-empty) lists of proxy servers:
+empty) lists of [proxy server identifiers](#Proxy-server-identifiers).
 
-  * proxies for HTTP - A list of proxy servers to use for `http://` requests,
-    if non-empty.
-  * proxies for HTTPS - A list of proxy servers to use for `https://` requests,
-    if non-empty.
-  * other proxies - A list of proxy servers to use for everything else
-    (whatever isn't matched by the other two lists)
+  * proxies for HTTP - A list of proxy server identifiers to use for `http://`
+    requests, if non-empty.
+  * proxies for HTTPS - A list of proxy server identifiers to use for
+    `https://` requests, if non-empty.
+  * other proxies - A list of proxy server identifiers to use for everything
+    else (whatever isn't matched by the other two lists)
 
 There are a lot of ways to end up with manual proxy settings in Chrome
 (discussed in other sections).
@@ -220,8 +265,8 @@ There are a lot of ways to end up with manual proxy settings in Chrome
 The following examples will use the command line method. Launching Chrome with
 `--proxy-server=XXX` (and optionally `--proxy-bypass-list=YYY`)
 
-Example: To use the HTTP proxy `foo:8080` for all requests we can launch
-Chrome with `--proxy-server="http://foo:8080"`. This translates into:
+Example: To use proxy `http://foo:8080` for all requests we can launch
+Chrome with `--proxy-server="http://foo:8080"`. This translates to:
 
   * proxies for HTTP - *empty*
   * proxies for HTTPS - *empty*
@@ -238,8 +283,8 @@ This command line means:
   * other proxies - `http://foo:8080`, `direct://`
 
 If instead we wanted to proxy only `http://` URLs through the
-HTTPS proxy `foo:443`, and have everything else use the SOCKSv5 proxy
-`mysocks:1080` we could launch Chrome with
+HTTPS proxy `https://foo:443`, and have everything else use the SOCKSv5 proxy
+`socks5://mysocks:1080` we could launch Chrome with
 `--proxy-server="http=https://foo:443;socks=socks5://mysocks:1080"`. This now
 expands to:
 
@@ -247,18 +292,20 @@ expands to:
   * proxies for HTTPS - *empty*
   * other proxies - `socks5://mysocks:1080`
 
-The command line above uses WinInet's proxy map format, with two modifications:
+The command line above uses WinInet's proxy map format, with some additional
+features:
 
-* Proxy servers can be optionally prefixed with a scheme (i.e. Chrome's "URI
-  format" for proxy server identifiers)
-* The `socks=` mapping is understood as "other proxies". The subsequent proxy
-  list can include proxies of any scheme, however if the scheme is unspecified
-  it is understood to be `socks4://`.
+* Instead of naming proxy servers by just a hostname:port, you can use Chrome's
+  URI format for proxy server identifiers. In other words, you can prefix the
+  proxy scheme so it doesn't default to HTTP.
+* The `socks=` mapping is understood more broadly as "other proxies". The
+  subsequent proxy list can include proxies of any scheme, however if the
+  scheme is omitted it will be understood as SOCKSv4 rather than HTTP.
 
-## Mapping WebSockets URLs to a proxy
+### Mapping WebSockets URLs to a proxy
 
-Manual proxy settings don't have mappings for `ws://` or `wss://` URLs - you
-can't specify a separate proxy to use for those schemes.
+[Manual proxy settings](#Manual-proxy-settings) don't have mappings for `ws://`
+or `wss://` URLs.
 
 Selecting a proxy for these URL schemes is a bit different from other URL
 schemes. The algorithm that Chrome uses is:
@@ -272,19 +319,22 @@ This is per the recommendation in section 4.1.3 of [RFC
 
 It is possible to route `ws://` and `wss://` separately using a PAC script.
 
-## Proxy credentials in manual proxy settings
+### Proxy credentials in manual proxy settings
 
-Most platforms' manual proxy settings allow specifying a cleartext
-username/password for proxy sign in. Chrome does not implement this, and will
-not use any credentials embedded in the proxy settings.
+Most platforms' [manual proxy settings](#Manual-proxy-settings) allow
+specifying a cleartext username/password for proxy sign in. Chrome does not
+implement this, and will not use any credentials embedded in the proxy
+settings.
 
 Proxy authentication will instead go through the ordinary flow to find
 credentials.
 
 ## Proxy bypass rules
 
-In addition to specifying three lists of proxy servers, Chrome's manual proxy
-settings also lets you specify a list of "proxy bypass rules".
+In addition to specifying three lists of [proxy server
+identifiers](#proxy-server-identifiers), Chrome's [manual proxy
+settings](#Manual-proxy-settings) lets you specify a list of "proxy bypass
+rules".
 
 This ruleset determines whether a given URL should skip use of a proxy all
 together, even when a proxy is otherwise defined for it.
@@ -369,8 +419,8 @@ IPV4_LITERAL "/" PREFIX_LENGTH_IN_BITS
 Matches any URL whose hostname is an IPv4 literal, and falls between the given
 address range.
 
-Only applies to URLs that are IP literals - see "Meaning of IP address range
-bypass rules".
+Note this [only applies to URLs that are IP
+literals](#Meaning-of-IP-address-range-bypass-rules).
 
 Examples:
 
@@ -385,8 +435,8 @@ IPV6_LITERAL "/" PREFIX_LENGTH_IN_BITS
 Matches any URL that is an IPv6 literal that falls between the given range.
 Note that IPv6 literals must *not* be bracketed.
 
-Only applies to URLs that are IP literals - see "Meaning of IP address range
-bypass rules".
+Note this [only applies to URLs that are IP
+literals](#Meaning-of-IP-address-range-bypass-rules).
 
 Examples:
 
@@ -408,8 +458,8 @@ the "Don't use proxy server for local (intranet) addresses" on Windows.
 
 The rule name comes from WinInet, and can easily be confused with the concept
 of localhost. However the two concepts are completely orthogonal. In practice
-one wouldn't add rules to bypass localhost, as it is already done implicitly
-(see "Implicit bypass rules").
+one wouldn't add rules to bypass localhost, as it is [already done
+implicitly](#Implicit-bypass-rules).
 
 ### Bypass rule: Subtract implicit rules
 
@@ -417,10 +467,9 @@ one wouldn't add rules to bypass localhost, as it is already done implicitly
 <-loopback>
 ```
 
-*Subtracts* the implicit proxy bypass rules (localhost and link local
-addresses). See the "Implicit bypass rules" section for details on when/why to
-use this, and the security caveats to doing so. Generally this is used for test
-setups.
+*Subtracts* the [implicit proxy bypass rules](#Implicit-bypass-rules)
+(localhost and link local addresses). This is generally only needed for test
+setupe. Beware of the security implications to proxying localhost.
 
 Whereas regular bypass rules instruct the browser about URLs that should *not*
 use the proxy, this rule has the opposite effect and tells the browser to
@@ -432,8 +481,8 @@ than `127.0.0.1;<-loopback>`.
 
 ### Meaning of IP address range bypass rules
 
-The IP address range bypass rules in manual proxy settings applies ONLY TO URL
-LITERALS. This is not what one would intuitively expect!
+The IP address range bypass rules in manual proxy settings applies only to URL
+literals. This is not what one would intuitively expect.
 
 Example:
 
@@ -497,7 +546,7 @@ Historical support in Chrome:
 * In M72 Chrome generalized the implicit proxy bypass rules to manually
   configured proxies
 
-## Overriding the implicit bypass rules
+### Overriding the implicit bypass rules
 
 If you want traffic to `localhost` to be sent through a proxy despite the
 security concerns, it can be done by adding the special proxy bypass rule
@@ -516,8 +565,9 @@ proxy for localhost URLs.
 
 ## Evaluating proxy lists (proxy fallback)
 
-Proxy resolution results in a _list_ of proxy servers to use for a given
-request, not just a single proxy server.
+Proxy resolution results in a _list_ of [proxy server
+identifiers](#Proxy-server-identifiers) to use for a
+given request, not just a single proxy server identifier.
 
 For instance, consider this PAC script:
 
@@ -532,12 +582,13 @@ function FindProxyForURL(url, host) {
 ```
 
 What proxy will Chrome use for connections to `www.example.com`, given that
-we have a choice of 3 separate proxies, each of different type?
+we have a choice of three separate proxy server identifiers to choose from
+{`http://proxy1:80`, `https://proxy2:443`, `socks5://proxy3:1080`}?
 
-Initially, Chrome will try the proxies in order. This means first attempting the
-request through the HTTP WebProxy `proxy1`. If that "fails", the request is
-next attempted through the HTTPS proxy `proxy2`. Lastly if that fails, the
-request is attempted through the SOCKSv5 proxy `proxy3`.
+Initially, Chrome will try the proxies in order. This means first attempting
+the request through `http://proxy1:80`. If that "fails", the request is
+next attempted through `https://proxy2:443`. Lastly if that fails, the
+request is attempted through `socks5://proxy3:1080`.
 
 This process is referred to as _proxy fallback_. What constitutes a
 "failure" is described later.
@@ -546,26 +597,24 @@ Proxy fallback is stateful. The actual order of proxy attempts made be Chrome
 is influenced by the past responsiveness of proxy servers.
 
 Let's say we request `http://www.example.com/`. Per the PAC script this
-resolves to:
+resolves to a list of three proxy server identifiers:
 
-```
-"PROXY proxy1; HTTPS proxy2; SOCKS5 proxy3"
-```
+{`http://proxy1:80`, `https://proxy2:443`, `socks5://proxy3:1080`}
 
 Chrome will first attempt to issue the request through these proxies in the
-left-to-right order (`proxy1`, `proxy2`, `proxy3`).
+left-to-right order.
 
-Let's say that the attempt through `proxy1` fails, but then the attempt through
-`proxy2` succeeds. Chrome will mark `proxy1` as _bad_ for the next 5 minutes.
-Being marked as _bad_ means that `proxy1` is de-prioritized with respect to
-other proxies options (including DIRECT) that are not marked as bad.
+Let's say that the attempt through `http://proxy1:80` fails, but then the
+attempt through `https://proxy2:443` succeeds. Chrome will mark
+`http://proxy1:80` as _bad_ for the next 5 minutes. Being marked as _bad_
+means that `http://proxy1:80` is de-prioritized with respect to
+other proxy server identifiers (including `direct://`) that are not marked as
+bad.
 
 That means the next time `http://www.example.com/` is requested, the effective
 order for proxies to attempt will be:
 
-```
-HTTPS proxy2; SOCKS5 proxy3; "PROXY proxy1"
-```
+{`https://proxy2:443`, `socks5://proxy3:1080`, `http://proxy1:80`}
 
 Conceptually, _bad_ proxies are moved to the end of the list, rather than being
 removed from consideration all together.
@@ -615,7 +664,7 @@ button on
 will not give feedback that the bad proxies were cleared, however capturing a
 new NetLog dump can confirm it was cleared.
 
-## Arguments passed to `FindProxyForURL(url, host)` in PAC scripts
+## Arguments passed to FindProxyForURL() in PAC scripts
 
 PAC scripts in Chrome are expected to define a JavaScript function
 `FindProxyForURL`.
@@ -668,7 +717,7 @@ type, since future versions of Chrome may [deprecate that
 capability](https://bugs.chromium.org/p/chromium/issues/detail?id=882536) in
 favor of a consistent policy.
 
-## Resolving client's IP address within a PAC script using `myIpAddress()`
+## Resolving client's IP address within a PAC script using myIpAddress()
 
 PAC scripts can invoke `myIpAddress()` to obtain the client's IP address. This
 function returns a single IP literal, or `"127.0.0.1"` on failure.
@@ -705,10 +754,10 @@ This sequence of steps explicitly favors IPv4 over IPv6 results.
 *Historical note*: Prior to M72, Chrome's implementation of `myIpAddress()` was
 effectively just `getaddrinfo(gethostname)`. This is now step 2 of the heuristic.
 
-### What about `var pacUseMultihomedDNS`?
+### What about pacUseMultihomedDNS?
 
-In Firefox, if you define a global named `pacUseMultihomedDNS` in your PAC
-script, it causes `myIpAddress()` to report the IP address of the interface
+In Firefox, if you define a global variable named `pacUseMultihomedDNS` in your
+PAC script, it causes `myIpAddress()` to report the IP address of the interface
 that would (likely) have been used had we connected to it DIRECT.
 
 In particular, it will do a DNS resolution of the target host (the hostname of
@@ -720,7 +769,7 @@ meaning. A PAC script is free to define such a global, and it won't have
 side-effects. Chrome has no APIs or settings to change `myIpAddress()`'s
 algorithm.
 
-## Resolving client's IP address within a PAC script using `myIpAddressEx()`
+## Resolving client's IP address within a PAC script using myIpAddressEx()
 
 Chrome supports the [Microsoft PAC
 extension](https://docs.microsoft.com/en-us/windows/desktop/winhttp/myipaddressex)
diff --git a/chromium/net/extras/preload_data/decoder.cc b/chromium/net/extras/preload_data/decoder.cc
index b91cc48e4c5..75b48249ddc 100644
--- a/chromium/net/extras/preload_data/decoder.cc
+++ b/chromium/net/extras/preload_data/decoder.cc
@@ -51,13 +51,73 @@ bool PreloadDecoder::BitReader::Read(unsigned num_bits, uint32_t* out) {
   return true;
 }
 
-// Unary sets |*out| to the result of decoding a unary value from the input.
-// It returns false if there were insufficient bits in the input and true
-// otherwise.
-bool PreloadDecoder::BitReader::Unary(size_t* out) {
-  size_t ret = 0;
+namespace {
 
-  for (;;) {
+// Reads one bit from |reader|, shifts |*bits| left by 1, and adds the read bit
+// to the end of |*bits|.
+bool ReadBit(PreloadDecoder::BitReader* reader, uint8_t* bits) {
+  bool bit;
+  if (!reader->Next(&bit)) {
+    return false;
+  }
+  *bits <<= 1;
+  if (bit) {
+    (*bits)++;
+  }
+  return true;
+}
+
+}  // namespace
+
+bool PreloadDecoder::BitReader::DecodeSize(size_t* out) {
+  uint8_t bits = 0;
+  if (!ReadBit(this, &bits) || !ReadBit(this, &bits)) {
+    return false;
+  }
+  if (bits == 0) {
+    *out = 0;
+    return true;
+  }
+  if (!ReadBit(this, &bits)) {
+    return false;
+  }
+  // We've parsed 3 bits so far. Check all possible combinations:
+  bool is_even;
+  switch (bits) {
+    case 0b000:
+    case 0b001:
+      // This should have been handled in the if (bits == 0) check.
+      NOTREACHED();
+      return false;
+    case 0b010:
+      // A specialization of the 0b01 prefix for unary-like even numbers.
+      *out = 4;
+      return true;
+    case 0b011:
+      // This will be handled with the prefixes for unary-like encoding below.
+      is_even = true;
+      break;
+    case 0b100:
+      *out = 1;
+      return true;
+    case 0b101:
+      *out = 2;
+      return true;
+    case 0b110:
+      *out = 3;
+      return true;
+    case 0b111:
+      // This will be handled with the prefixes for unary-like encoding below.
+      is_even = false;
+      break;
+    default:
+      // All cases should be covered above.
+      NOTREACHED();
+      return false;
+  }
+  size_t bit_length = 3;
+  while (true) {
+    bit_length++;
     bool bit;
     if (!Next(&bit)) {
       return false;
@@ -65,9 +125,11 @@ bool PreloadDecoder::BitReader::Unary(size_t* out) {
     if (!bit) {
       break;
     }
-    ret++;
   }
-
+  size_t ret = (bit_length - 2) * 2;
+  if (!is_even) {
+    ret--;
+  }
   *out = ret;
   return true;
 }
@@ -142,9 +204,9 @@ bool PreloadDecoder::Decode(const std::string& search, bool* out_found) {
       return false;
     }
 
-    // Decode the unary length of the common prefix.
+    // Decode the length of the common prefix.
     size_t prefix_length;
-    if (!bit_reader_.Unary(&prefix_length)) {
+    if (!bit_reader_.DecodeSize(&prefix_length)) {
       return false;
     }
 
diff --git a/chromium/net/extras/preload_data/decoder.h b/chromium/net/extras/preload_data/decoder.h
index 6afa7a7eaa7..68d7ea686d9 100644
--- a/chromium/net/extras/preload_data/decoder.h
+++ b/chromium/net/extras/preload_data/decoder.h
@@ -37,10 +37,36 @@ class PreloadDecoder {
     // insufficient bits in the input or true otherwise.
     bool Read(unsigned num_bits, uint32_t* out);
 
-    // Unary sets |*out| to the result of decoding a unary value from the input.
-    // It returns false if there were insufficient bits in the input and true
-    // otherwise.
-    bool Unary(size_t* out);
+    // Decodes a size_t from the reader, putting the resulting value in |*out|.
+    // Returns false if there are insufficient bits to read and true otherwise.
+    //
+    // This function's inverse is TrieBitBuffer::WriteSize.
+    //
+    // The encoding is a prefix code optimized for small values (less than 4).
+    // It is designed for the lengths of prefixes in the HSTS Preload list trie.
+    // Compared to the unary encoding that was previously used (where the number
+    // of bits used is one plus the value being encoded), this uses one more bit
+    // for encoding 0 and 1, and the same number of bits for encoding 2, and
+    // fewer bits for encoding values greater than 2. At the time of writing,
+    // 35% of the lengths encoded in the trie were 0 or 1, 11% were 2, and the
+    // remaining 54% were greater than 2.
+    //
+    // This encoding scheme uses a variable number of bits to encode each value.
+    // There are fixed values for 0, 1, 2, and 3, and then a simple rule is used
+    // for 4 and greater. 0 uses 2 bits; 1 through 3 use 3 bits. The fixed
+    // values are as follows:
+    //
+    //   0: 0b00
+    //   1: 0b100
+    //   2: 0b101
+    //   3: 0b110
+    //
+    // Note that none of the fixed values are prefixed with 0b01 or 0b111. These
+    // prefixes are used with a unary-like encoding for values 4 and above.
+    // Zero or more 1s, followed by a 0, are appended to one of those prefixes.
+    // Even values use the prefix 0b01, and odd values use the prefix 0b111. The
+    // number of 1s to append is half the value (rounded down) minus 1.
+    bool DecodeSize(size_t* out);
 
     // Seek sets the current offest in the input to bit number |offset|. It
     // returns true if |offset| is within the range of the input and false
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
index a1b65f371ce..dcc0bd1a4ca 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
@@ -35,6 +35,7 @@
 #include "net/extras/sqlite/cookie_crypto_delegate.h"
 #include "net/extras/sqlite/sqlite_persistent_store_backend_base.h"
 #include "net/log/net_log.h"
+#include "net/log/net_log_values.h"
 #include "sql/error_delegate_util.h"
 #include "sql/meta_table.h"
 #include "sql/statement.h"
@@ -45,9 +46,9 @@ using base::Time;
 
 namespace {
 
-base::Value CookieKeyedLoadNetLogCallback(const std::string& key,
-                                          net::NetLogCaptureMode capture_mode) {
-  if (!capture_mode.include_cookies_and_credentials())
+base::Value CookieKeyedLoadNetLogParams(const std::string& key,
+                                        net::NetLogCaptureMode capture_mode) {
+  if (!net::NetLogCaptureIncludesSensitive(capture_mode))
     return base::Value();
   base::DictionaryValue dict;
   dict.SetString("key", key);
@@ -257,7 +258,6 @@ class SQLitePersistentCookieStore::Backend
                                          std::move(client_task_runner)),
         num_pending_(0),
         restore_old_session_cookies_(restore_old_session_cookies),
-        num_cookies_read_(0),
         num_priority_waiting_(0),
         total_priority_requests_(0),
         crypto_(crypto_delegate) {}
@@ -271,7 +271,6 @@ class SQLitePersistentCookieStore::Backend
 
   // Steps through all results of |smt|, makes a cookie from each, and adds the
   // cookie to |cookies|. Returns true if everything loaded successfully.
-  // Always updates |num_cookies_read_|.
   bool MakeCookiesFromSQLStatement(
       std::vector<std::unique_ptr<CanonicalCookie>>* cookies,
       sql::Statement* statement);
@@ -415,11 +414,6 @@ class SQLitePersistentCookieStore::Backend
   // Incremented and reported from the background runner.
   base::TimeDelta cookie_load_duration_;
 
-  // The total number of cookies read. Incremented and reported on the
-  // background runner.  Includes those that were malformed, not decrypted
-  // correctly, etc.
-  int num_cookies_read_;
-
   // Guards the following metrics-related properties (only accessed when
   // starting/completing priority loads or completing the total load).
   base::Lock metrics_lock_;
@@ -724,9 +718,6 @@ void SQLitePersistentCookieStore::Backend::ReportMetrics() {
 
     UMA_HISTOGRAM_COUNTS_100("Cookie.PriorityLoadCount",
                              total_priority_requests_);
-
-    UMA_HISTOGRAM_COUNTS_10000("Cookie.NumberOfLoadedCookies",
-                               num_cookies_read_);
   }
 }
 
@@ -765,8 +756,6 @@ bool SQLitePersistentCookieStore::Backend::CreateDatabaseSchema() {
 bool SQLitePersistentCookieStore::Backend::DoInitializeDatabase() {
   DCHECK(db());
 
-  base::Time start = base::Time::Now();
-
   // Retrieve all the domains
   sql::Statement smt(
       db()->GetUniqueStatement("SELECT DISTINCT host_key FROM cookies"));
@@ -780,13 +769,6 @@ bool SQLitePersistentCookieStore::Backend::DoInitializeDatabase() {
   while (smt.Step())
     host_keys.push_back(smt.ColumnString(0));
 
-  UMA_HISTOGRAM_CUSTOM_TIMES("Cookie.TimeLoadDomains",
-                             base::Time::Now() - start,
-                             base::TimeDelta::FromMilliseconds(1),
-                             base::TimeDelta::FromMinutes(1), 50);
-
-  base::Time start_parse = base::Time::Now();
-
   // Build a map of domain keys (always eTLD+1) to domains.
   for (size_t idx = 0; idx < host_keys.size(); ++idx) {
     const std::string& domain = host_keys[idx];
@@ -794,16 +776,6 @@ bool SQLitePersistentCookieStore::Backend::DoInitializeDatabase() {
     keys_to_load_[key].insert(domain);
   }
 
-  UMA_HISTOGRAM_CUSTOM_TIMES("Cookie.TimeParseDomains",
-                             base::Time::Now() - start_parse,
-                             base::TimeDelta::FromMilliseconds(1),
-                             base::TimeDelta::FromMinutes(1), 50);
-
-  UMA_HISTOGRAM_CUSTOM_TIMES("Cookie.TimeInitializeDomainMap",
-                             base::Time::Now() - start,
-                             base::TimeDelta::FromMilliseconds(1),
-                             base::TimeDelta::FromMinutes(1), 50);
-
   if (!restore_old_session_cookies_)
     DeleteSessionCookiesOnStartup();
 
@@ -913,7 +885,6 @@ bool SQLitePersistentCookieStore::Backend::MakeCookiesFromSQLStatement(
   sql::Statement& smt = *statement;
   bool ok = true;
   while (smt.Step()) {
-    ++num_cookies_read_;
     std::string value;
     std::string encrypted_value = smt.ColumnString(4);
     if (!encrypted_value.empty() && crypto_) {
@@ -1386,7 +1357,9 @@ void SQLitePersistentCookieStore::LoadCookiesForKey(
     LoadedCallback loaded_callback) {
   DCHECK(!loaded_callback.is_null());
   net_log_.AddEvent(NetLogEventType::COOKIE_PERSISTENT_STORE_KEY_LOAD_STARTED,
-                    base::BindRepeating(CookieKeyedLoadNetLogCallback, key));
+                    [&](NetLogCaptureMode capture_mode) {
+                      return CookieKeyedLoadNetLogParams(key, capture_mode);
+                    });
   // Note that |backend_| keeps |this| alive by keeping a reference count.
   // If this class is ever converted over to a WeakPtr<> pattern (as TODO it
   // should be) this will need to be replaced by a more complex pattern that
@@ -1428,9 +1401,9 @@ size_t SQLitePersistentCookieStore::GetQueueLengthForTesting() {
 }
 
 SQLitePersistentCookieStore::~SQLitePersistentCookieStore() {
-  net_log_.AddEvent(
-      NetLogEventType::COOKIE_PERSISTENT_STORE_CLOSED,
-      NetLog::StringCallback("type", "SQLitePersistentCookieStore"));
+  net_log_.AddEventWithStringParams(
+      NetLogEventType::COOKIE_PERSISTENT_STORE_CLOSED, "type",
+      "SQLitePersistentCookieStore");
   backend_->Close();
 }
 
@@ -1445,8 +1418,9 @@ void SQLitePersistentCookieStore::CompleteKeyedLoad(
     const std::string& key,
     LoadedCallback callback,
     std::vector<std::unique_ptr<CanonicalCookie>> cookie_list) {
-  net_log_.AddEvent(NetLogEventType::COOKIE_PERSISTENT_STORE_KEY_LOAD_COMPLETED,
-                    NetLog::StringCallback("domain", &key));
+  net_log_.AddEventWithStringParams(
+      NetLogEventType::COOKIE_PERSISTENT_STORE_KEY_LOAD_COMPLETED, "domain",
+      key);
   std::move(callback).Run(std::move(cookie_list));
 }
 
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
index dc3612a49fc..793bdd90540 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
@@ -392,7 +392,7 @@ TEST_F(SQLitePersistentCookieStoreTest, TestLoadCookiesForKey) {
                           base::Unretained(this)),
                net_log.bound());
   base::RunLoop run_loop;
-  net_log.SetCaptureMode(NetLogCaptureMode::Default());
+  net_log.SetObserverCaptureMode(NetLogCaptureMode::kDefault);
   store_->LoadCookiesForKey(
       "aaa.com", base::Bind(&SQLitePersistentCookieStoreTest::OnKeyLoaded,
                             base::Unretained(this), run_loop.QuitClosure()));
@@ -439,8 +439,7 @@ TEST_F(SQLitePersistentCookieStoreTest, TestLoadCookiesForKey) {
   cookies_.clear();
 
   store_ = nullptr;
-  TestNetLogEntry::List entries;
-  net_log.GetEntries(&entries);
+  auto entries = net_log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::COOKIE_PERSISTENT_STORE_LOAD,
       NetLogEventPhase::BEGIN);
@@ -453,8 +452,7 @@ TEST_F(SQLitePersistentCookieStoreTest, TestLoadCookiesForKey) {
   pos = ExpectLogContainsSomewhere(
       entries, pos, NetLogEventType::COOKIE_PERSISTENT_STORE_KEY_LOAD_STARTED,
       NetLogEventPhase::NONE);
-  std::string key;
-  EXPECT_FALSE(entries[pos].GetStringValue("key", &key));
+  EXPECT_FALSE(GetOptionalStringValueFromParams(entries[pos], "key"));
   pos = ExpectLogContainsSomewhere(
       entries, pos, NetLogEventType::COOKIE_PERSISTENT_STORE_KEY_LOAD_COMPLETED,
       NetLogEventPhase::NONE);
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc
index e0f6f156831..f67e487ca50 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc
@@ -1257,8 +1257,7 @@ SQLitePersistentReportingAndNelStore::SQLitePersistentReportingAndNelStore(
     const base::FilePath& path,
     const scoped_refptr<base::SequencedTaskRunner>& client_task_runner,
     const scoped_refptr<base::SequencedTaskRunner>& background_task_runner)
-    : backend_(new Backend(path, client_task_runner, background_task_runner)),
-      weak_factory_(this) {}
+    : backend_(new Backend(path, client_task_runner, background_task_runner)) {}
 
 SQLitePersistentReportingAndNelStore::~SQLitePersistentReportingAndNelStore() {
   backend_->Close();
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h
index 1a6a7fb25c6..cbd8646ce8b 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h
+++ b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h
@@ -77,7 +77,8 @@ class COMPONENT_EXPORT(NET_EXTRAS) SQLitePersistentReportingAndNelStore
 
   const scoped_refptr<Backend> backend_;
 
-  base::WeakPtrFactory<SQLitePersistentReportingAndNelStore> weak_factory_;
+  base::WeakPtrFactory<SQLitePersistentReportingAndNelStore> weak_factory_{
+      this};
 
   DISALLOW_COPY_AND_ASSIGN(SQLitePersistentReportingAndNelStore);
 };
diff --git a/chromium/net/features.gni b/chromium/net/features.gni
index 86598e8a095..f9ae69ae193 100644
--- a/chromium/net/features.gni
+++ b/chromium/net/features.gni
@@ -5,9 +5,6 @@
 import("//build/config/features.gni")
 
 declare_args() {
-  # If true, prune things down as needed for proto-quic build.
-  is_proto_quic = false
-
   # Disables support for file URLs.  File URL support requires use of icu.
   disable_file_support = false
 
@@ -42,4 +39,11 @@ declare_args() {
   # Platforms where the cert verifier comparison trial is supported.
   # See https://crbug.com/649026.
   trial_comparison_cert_verifier_supported = is_desktop_linux || is_mac
+
+  # Platforms where both the builtin cert verifier and a platform verifier are
+  # supported and may be switched between using the CertVerifierBuiltin feature
+  # flag. This does not include platforms where the builtin cert verifier is
+  # the only verifier supported.
+  builtin_cert_verifier_feature_supported =
+      is_desktop_linux || is_mac || is_chromeos
 }
diff --git a/chromium/net/filter/brotli_source_stream_fuzzer.cc b/chromium/net/filter/brotli_source_stream_fuzzer.cc
index ef3f4a0994b..7305a18aef0 100644
--- a/chromium/net/filter/brotli_source_stream_fuzzer.cc
+++ b/chromium/net/filter/brotli_source_stream_fuzzer.cc
@@ -6,18 +6,18 @@
 
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/io_buffer.h"
 #include "net/base/test_completion_callback.h"
 #include "net/filter/fuzzed_source_stream.h"
 #include "net/filter/source_stream.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Fuzzer for BrotliSourceStream.
 //
 // |data| is used to create a FuzzedSourceStream.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   net::TestCompletionCallback callback;
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
   std::unique_ptr<net::FuzzedSourceStream> fuzzed_source_stream(
       new net::FuzzedSourceStream(&data_provider));
   std::unique_ptr<net::SourceStream> brotli_stream =
diff --git a/chromium/net/filter/filter_source_stream.cc b/chromium/net/filter/filter_source_stream.cc
index 3802dcacaea..7df6219df44 100644
--- a/chromium/net/filter/filter_source_stream.cc
+++ b/chromium/net/filter/filter_source_stream.cc
@@ -89,10 +89,6 @@ FilterSourceStream::SourceType FilterSourceStream::ParseEncodingType(
   }
 }
 
-void FilterSourceStream::ReportContentDecodingFailed(SourceType type) {
-  UMA_HISTOGRAM_ENUMERATION("Net.ContentDecodingFailed2", type, TYPE_MAX);
-}
-
 int FilterSourceStream::DoLoop(int result) {
   DCHECK_NE(STATE_NONE, next_state_);
 
@@ -161,9 +157,6 @@ int FilterSourceStream::DoFilterData() {
   DCHECK(bytes_output != 0 ||
          consumed_bytes == drainable_input_buffer_->BytesRemaining());
 
-  if (bytes_output == ERR_CONTENT_DECODING_FAILED) {
-    ReportContentDecodingFailed(type());
-  }
   // FilterData() is not allowed to return ERR_IO_PENDING.
   DCHECK_NE(ERR_IO_PENDING, bytes_output);
 
diff --git a/chromium/net/filter/filter_source_stream.h b/chromium/net/filter/filter_source_stream.h
index be55a508cb2..75cddc165b9 100644
--- a/chromium/net/filter/filter_source_stream.h
+++ b/chromium/net/filter/filter_source_stream.h
@@ -40,8 +40,6 @@ class NET_EXPORT_PRIVATE FilterSourceStream : public SourceStream {
 
   static SourceType ParseEncodingType(const std::string& encoding);
 
-  static void ReportContentDecodingFailed(SourceType type);
-
  private:
   enum State {
     STATE_NONE,
diff --git a/chromium/net/filter/fuzzed_source_stream.cc b/chromium/net/filter/fuzzed_source_stream.cc
index 6a711d0e476..bfe9c986600 100644
--- a/chromium/net/filter/fuzzed_source_stream.cc
+++ b/chromium/net/filter/fuzzed_source_stream.cc
@@ -9,10 +9,10 @@
 #include <utility>
 
 #include "base/bind.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace net {
 
@@ -23,7 +23,7 @@ const Error kReadErrors[] = {OK, ERR_FAILED, ERR_CONTENT_DECODING_FAILED};
 
 }  // namespace
 
-FuzzedSourceStream::FuzzedSourceStream(base::FuzzedDataProvider* data_provider)
+FuzzedSourceStream::FuzzedSourceStream(FuzzedDataProvider* data_provider)
     : SourceStream(SourceStream::TYPE_NONE),
       data_provider_(data_provider),
       read_pending_(false),
diff --git a/chromium/net/filter/fuzzed_source_stream.h b/chromium/net/filter/fuzzed_source_stream.h
index 4b26829c744..fea1ee3b218 100644
--- a/chromium/net/filter/fuzzed_source_stream.h
+++ b/chromium/net/filter/fuzzed_source_stream.h
@@ -12,9 +12,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/filter/source_stream.h"
 
-namespace base {
 class FuzzedDataProvider;
-}  // namespace base
 
 namespace net {
 
@@ -26,7 +24,7 @@ class FuzzedSourceStream : public SourceStream {
  public:
   // |data_provider| is used to determine behavior of the FuzzedSourceStream.
   // It must remain valid until after the FuzzedSocket is destroyed.
-  explicit FuzzedSourceStream(base::FuzzedDataProvider* data_provider);
+  explicit FuzzedSourceStream(FuzzedDataProvider* data_provider);
   ~FuzzedSourceStream() override;
 
   // SourceStream implementation
@@ -41,7 +39,7 @@ class FuzzedSourceStream : public SourceStream {
                       scoped_refptr<IOBuffer> read_buf,
                       int result);
 
-  base::FuzzedDataProvider* data_provider_;
+  FuzzedDataProvider* data_provider_;
 
   // Whether there is a pending Read().
   bool read_pending_;
diff --git a/chromium/net/filter/gzip_source_stream_fuzzer.cc b/chromium/net/filter/gzip_source_stream_fuzzer.cc
index 1fde1d8a527..a6dd834a56a 100644
--- a/chromium/net/filter/gzip_source_stream_fuzzer.cc
+++ b/chromium/net/filter/gzip_source_stream_fuzzer.cc
@@ -8,17 +8,17 @@
 
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/io_buffer.h"
 #include "net/base/test_completion_callback.h"
 #include "net/filter/fuzzed_source_stream.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Fuzzer for GzipSourceStream.
 //
 // |data| is used to create a FuzzedSourceStream.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   net::TestCompletionCallback callback;
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
   std::unique_ptr<net::FuzzedSourceStream> fuzzed_source_stream(
       new net::FuzzedSourceStream(&data_provider));
 
diff --git a/chromium/net/ftp/ftp_ctrl_response_buffer.cc b/chromium/net/ftp/ftp_ctrl_response_buffer.cc
index 997c2c62abd..b1bd27336a8 100644
--- a/chromium/net/ftp/ftp_ctrl_response_buffer.cc
+++ b/chromium/net/ftp/ftp_ctrl_response_buffer.cc
@@ -6,15 +6,13 @@
 
 #include <utility>
 
-#include "base/bind.h"
-#include "base/callback.h"
 #include "base/logging.h"
 #include "base/strings/string_piece.h"
 #include "base/values.h"
 #include "net/base/net_errors.h"
 #include "net/base/parse_number.h"
-#include "net/log/net_log.h"
 #include "net/log/net_log_event_type.h"
+#include "net/log/net_log_values.h"
 
 namespace net {
 
@@ -84,8 +82,7 @@ int FtpCtrlResponseBuffer::ConsumeData(const char* data, int data_length) {
 
 namespace {
 
-base::Value NetLogFtpCtrlResponseCallback(const FtpCtrlResponse* response,
-                                          NetLogCaptureMode capture_mode) {
+base::Value NetLogFtpCtrlResponseParams(const FtpCtrlResponse* response) {
   base::ListValue lines;
   for (const auto& line : response->lines)
     lines.GetList().push_back(NetLogStringValue(line));
@@ -103,7 +100,7 @@ FtpCtrlResponse FtpCtrlResponseBuffer::PopResponse() {
   responses_.pop();
 
   net_log_.AddEvent(NetLogEventType::FTP_CONTROL_RESPONSE,
-                    base::Bind(&NetLogFtpCtrlResponseCallback, &result));
+                    [&] { return NetLogFtpCtrlResponseParams(&result); });
 
   return result;
 }
diff --git a/chromium/net/ftp/ftp_network_transaction.cc b/chromium/net/ftp/ftp_network_transaction.cc
index ba30a4dd512..4780240bed6 100644
--- a/chromium/net/ftp/ftp_network_transaction.cc
+++ b/chromium/net/ftp/ftp_network_transaction.cc
@@ -10,7 +10,6 @@
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
-#include "base/metrics/histogram_macros.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
@@ -505,8 +504,8 @@ int FtpNetworkTransaction::SendFtpCommand(const std::string& command,
   memcpy(write_command_buf_->data(), command.data(), command.length());
   memcpy(write_command_buf_->data() + command.length(), kCRLF, 2);
 
-  net_log_.AddEvent(NetLogEventType::FTP_COMMAND_SENT,
-                    NetLog::StringCallback("command", &command_for_log));
+  net_log_.AddEventWithStringParams(NetLogEventType::FTP_COMMAND_SENT,
+                                    "command", command_for_log);
 
   next_state_ = STATE_CTRL_WRITE;
   return OK;
@@ -681,9 +680,8 @@ int FtpNetworkTransaction::DoCtrlConnect() {
   ctrl_socket_ = socket_factory_->CreateTransportClientSocket(
       resolve_request_->GetAddressResults().value(), nullptr,
       net_log_.net_log(), net_log_.source());
-  net_log_.AddEvent(
-      NetLogEventType::FTP_CONTROL_CONNECTION,
-      ctrl_socket_->NetLog().source().ToEventParametersCallback());
+  net_log_.AddEventReferencingSource(NetLogEventType::FTP_CONTROL_CONNECTION,
+                                     ctrl_socket_->NetLog().source());
   return ctrl_socket_->Connect(io_callback_);
 }
 
@@ -1235,9 +1233,8 @@ int FtpNetworkTransaction::DoDataConnect() {
       ip_endpoint.address(), data_connection_port_);
   data_socket_ = socket_factory_->CreateTransportClientSocket(
       data_address, nullptr, net_log_.net_log(), net_log_.source());
-  net_log_.AddEvent(
-      NetLogEventType::FTP_DATA_CONNECTION,
-      data_socket_->NetLog().source().ToEventParametersCallback());
+  net_log_.AddEventReferencingSource(NetLogEventType::FTP_DATA_CONNECTION,
+                                     data_socket_->NetLog().source());
   return data_socket_->Connect(io_callback_);
 }
 
diff --git a/chromium/net/ftp/ftp_response_info.h b/chromium/net/ftp/ftp_response_info.h
index d20249a09d5..576ef2501b4 100644
--- a/chromium/net/ftp/ftp_response_info.h
+++ b/chromium/net/ftp/ftp_response_info.h
@@ -9,10 +9,11 @@
 
 #include "base/time/time.h"
 #include "net/base/ip_endpoint.h"
+#include "net/base/net_export.h"
 
 namespace net {
 
-class FtpResponseInfo {
+class NET_EXPORT_PRIVATE FtpResponseInfo {
  public:
   FtpResponseInfo();
   ~FtpResponseInfo();
diff --git a/chromium/net/http/bidirectional_stream.cc b/chromium/net/http/bidirectional_stream.cc
index 780b8e4d01d..867f7678191 100644
--- a/chromium/net/http/bidirectional_stream.cc
+++ b/chromium/net/http/bidirectional_stream.cc
@@ -24,6 +24,7 @@
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source_type.h"
+#include "net/log/net_log_values.h"
 #include "net/spdy/spdy_http_utils.h"
 #include "net/spdy/spdy_log_util.h"
 #include "net/ssl/ssl_cert_request_info.h"
@@ -36,22 +37,22 @@ namespace net {
 
 namespace {
 
-base::Value NetLogHeadersCallback(const spdy::SpdyHeaderBlock* headers,
-                                  NetLogCaptureMode capture_mode) {
+base::Value NetLogHeadersParams(const spdy::SpdyHeaderBlock* headers,
+                                NetLogCaptureMode capture_mode) {
   base::DictionaryValue dict;
   dict.SetKey("headers", ElideSpdyHeaderBlockForNetLog(*headers, capture_mode));
   return std::move(dict);
 }
 
-base::Value NetLogCallback(const GURL* url,
-                           const std::string* method,
-                           const HttpRequestHeaders* headers,
-                           NetLogCaptureMode capture_mode) {
+base::Value NetLogParams(const GURL& url,
+                         const std::string& method,
+                         const HttpRequestHeaders* headers,
+                         NetLogCaptureMode capture_mode) {
   base::DictionaryValue dict;
-  dict.SetString("url", url->possibly_invalid_spec());
-  dict.SetString("method", *method);
+  dict.SetString("url", url.possibly_invalid_spec());
+  dict.SetString("method", method);
   std::string empty;
-  base::Value headers_param(headers->NetLogCallback(&empty, capture_mode));
+  base::Value headers_param(headers->NetLogParams(empty, capture_mode));
   dict.SetKey("headers", std::move(headers_param));
   return std::move(dict);
 }
@@ -86,8 +87,7 @@ BidirectionalStream::BidirectionalStream(
       send_request_headers_automatically_(send_request_headers_automatically),
       request_headers_sent_(false),
       delegate_(delegate),
-      timer_(std::move(timer)),
-      weak_factory_(this) {
+      timer_(std::move(timer)) {
   DCHECK(delegate_);
   DCHECK(request_info_);
 
@@ -96,10 +96,12 @@ BidirectionalStream::BidirectionalStream(
   load_timing_info_.request_start = base::TimeTicks::Now();
 
   if (net_log_.IsCapturing()) {
-    net_log_.BeginEvent(
-        NetLogEventType::BIDIRECTIONAL_STREAM_ALIVE,
-        base::Bind(&NetLogCallback, &request_info_->url, &request_info_->method,
-                   base::Unretained(&request_info_->extra_headers)));
+    net_log_.BeginEvent(NetLogEventType::BIDIRECTIONAL_STREAM_ALIVE,
+                        [&](NetLogCaptureMode capture_mode) {
+                          return NetLogParams(
+                              request_info_->url, request_info_->method,
+                              &request_info_->extra_headers, capture_mode);
+                        });
   }
 
   if (!request_info_->url.SchemeIs(url::kHttpsScheme)) {
@@ -145,8 +147,8 @@ int BidirectionalStream::ReadData(IOBuffer* buf, int buf_len) {
     // Bytes will be logged in OnDataRead().
   }
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(NetLogEventType::BIDIRECTIONAL_STREAM_READ_DATA,
-                      NetLog::IntCallback("rv", rv));
+    net_log_.AddEventWithIntParams(
+        NetLogEventType::BIDIRECTIONAL_STREAM_READ_DATA, "rv", rv);
   }
   return rv;
 }
@@ -161,8 +163,9 @@ void BidirectionalStream::SendvData(
   DCHECK(write_buffer_len_list_.empty());
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(NetLogEventType::BIDIRECTIONAL_STREAM_SENDV_DATA,
-                      NetLog::IntCallback("num_buffers", buffers.size()));
+    net_log_.AddEventWithIntParams(
+        NetLogEventType::BIDIRECTIONAL_STREAM_SENDV_DATA, "num_buffers",
+        buffers.size());
   }
   stream_impl_->SendvData(buffers, lengths, end_stream);
   for (size_t i = 0; i < buffers.size(); ++i) {
@@ -226,9 +229,9 @@ void BidirectionalStream::StartRequest(const SSLConfig& ssl_config) {
 void BidirectionalStream::OnStreamReady(bool request_headers_sent) {
   request_headers_sent_ = request_headers_sent;
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(
-        NetLogEventType::BIDIRECTIONAL_STREAM_READY,
-        NetLog::BoolCallback("request_headers_sent", request_headers_sent));
+    net_log_.AddEntryWithBoolParams(
+        NetLogEventType::BIDIRECTIONAL_STREAM_READY, NetLogEventPhase::NONE,
+        "request_headers_sent", request_headers_sent);
   }
   load_timing_info_.send_start = base::TimeTicks::Now();
   load_timing_info_.send_end = load_timing_info_.send_start;
@@ -245,7 +248,10 @@ void BidirectionalStream::OnHeadersReceived(
   }
   if (net_log_.IsCapturing()) {
     net_log_.AddEvent(NetLogEventType::BIDIRECTIONAL_STREAM_RECV_HEADERS,
-                      base::Bind(&NetLogHeadersCallback, &response_headers));
+                      [&](NetLogCaptureMode capture_mode) {
+                        return NetLogHeadersParams(&response_headers,
+                                                   capture_mode);
+                      });
   }
   // Impl should only provide |connect_timing| and |socket_reused| info,
   // so use a copy to get these information only.
@@ -284,9 +290,10 @@ void BidirectionalStream::OnDataSent() {
   if (net_log_.IsCapturing()) {
     if (write_buffer_list_.size() > 1) {
       net_log_.BeginEvent(
-          NetLogEventType::BIDIRECTIONAL_STREAM_BYTES_SENT_COALESCED,
-          NetLog::IntCallback("num_buffers_coalesced",
-                              write_buffer_list_.size()));
+          NetLogEventType::BIDIRECTIONAL_STREAM_BYTES_SENT_COALESCED, [&] {
+            return NetLogParamsWithInt("num_buffers_coalesced",
+                                       write_buffer_list_.size());
+          });
     }
     for (size_t i = 0; i < write_buffer_list_.size(); ++i) {
       net_log_.AddByteTransferEvent(
@@ -308,7 +315,9 @@ void BidirectionalStream::OnTrailersReceived(
     const spdy::SpdyHeaderBlock& trailers) {
   if (net_log_.IsCapturing()) {
     net_log_.AddEvent(NetLogEventType::BIDIRECTIONAL_STREAM_RECV_TRAILERS,
-                      base::Bind(&NetLogHeadersCallback, &trailers));
+                      [&](NetLogCaptureMode capture_mode) {
+                        return NetLogHeadersParams(&trailers, capture_mode);
+                      });
   }
   read_end_time_ = base::TimeTicks::Now();
   delegate_->OnTrailersReceived(trailers);
@@ -316,8 +325,8 @@ void BidirectionalStream::OnTrailersReceived(
 
 void BidirectionalStream::OnFailed(int status) {
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(NetLogEventType::BIDIRECTIONAL_STREAM_FAILED,
-                      NetLog::IntCallback("net_error", status));
+    net_log_.AddEventWithIntParams(NetLogEventType::BIDIRECTIONAL_STREAM_FAILED,
+                                   "net_error", status);
   }
   NotifyFailed(status);
 }
diff --git a/chromium/net/http/bidirectional_stream.h b/chromium/net/http/bidirectional_stream.h
index d4f56f4b14e..4f0b4ab4ff6 100644
--- a/chromium/net/http/bidirectional_stream.h
+++ b/chromium/net/http/bidirectional_stream.h
@@ -263,7 +263,7 @@ class NET_EXPORT BidirectionalStream : public BidirectionalStreamImpl::Delegate,
   // are received. Other fields are populated at different stages of the request
   LoadTimingInfo load_timing_info_;
 
-  base::WeakPtrFactory<BidirectionalStream> weak_factory_;
+  base::WeakPtrFactory<BidirectionalStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(BidirectionalStream);
 };
diff --git a/chromium/net/http/bidirectional_stream_unittest.cc b/chromium/net/http/bidirectional_stream_unittest.cc
index 7f6387d79c2..cb02bd3bdd5 100644
--- a/chromium/net/http/bidirectional_stream_unittest.cc
+++ b/chromium/net/http/bidirectional_stream_unittest.cc
@@ -408,7 +408,7 @@ class BidirectionalStreamTest : public TestWithScopedTaskEnvironment {
     ssl_data_.next_proto = kProtoHTTP2;
     ssl_data_.ssl_info.cert =
         ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
-    net_log_.SetCaptureMode(NetLogCaptureMode::IncludeSocketBytes());
+    net_log_.SetObserverCaptureMode(NetLogCaptureMode::kEverything);
     socket_factory_ = new MockTaggingClientSocketFactory();
     session_deps_.socket_factory.reset(socket_factory_);
   }
@@ -591,7 +591,7 @@ TEST_F(BidirectionalStreamTest,
 }
 
 TEST_F(BidirectionalStreamTest, ClientAuthRequestIgnored) {
-  scoped_refptr<SSLCertRequestInfo> cert_request(new SSLCertRequestInfo());
+  auto cert_request = base::MakeRefCounted<SSLCertRequestInfo>();
   cert_request->host_and_port = host_port_pair_;
 
   // First attempt receives client auth request.
@@ -830,8 +830,7 @@ TEST_F(BidirectionalStreamTest, TestNetLogContainEntries) {
   // Destroy the delegate will destroy the stream, so we can get an end event
   // for BIDIRECTIONAL_STREAM_ALIVE.
   delegate.reset();
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
 
   size_t index = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::BIDIRECTIONAL_STREAM_ALIVE,
@@ -858,29 +857,23 @@ TEST_F(BidirectionalStreamTest, TestNetLogContainEntries) {
   index = ExpectLogContainsSomewhere(
       entries, index, NetLogEventType::BIDIRECTIONAL_STREAM_READ_DATA,
       NetLogEventPhase::NONE);
-  TestNetLogEntry entry = entries[index];
-  int read_result = 0;
-  EXPECT_TRUE(entry.params->GetInteger("rv", &read_result));
-  EXPECT_EQ(ERR_IO_PENDING, read_result);
+  EXPECT_EQ(ERR_IO_PENDING, GetIntegerValueFromParams(entries[index], "rv"));
 
   // Sent bytes. Sending data is always asynchronous.
   index = ExpectLogContainsSomewhere(
       entries, index, NetLogEventType::BIDIRECTIONAL_STREAM_BYTES_SENT,
       NetLogEventPhase::NONE);
-  entry = entries[index];
-  EXPECT_EQ(NetLogSourceType::BIDIRECTIONAL_STREAM, entry.source.type);
+  EXPECT_EQ(NetLogSourceType::BIDIRECTIONAL_STREAM, entries[index].source.type);
   // Received bytes for asynchronous read.
   index = ExpectLogContainsSomewhere(
       entries, index, NetLogEventType::BIDIRECTIONAL_STREAM_BYTES_RECEIVED,
       NetLogEventPhase::NONE);
-  entry = entries[index];
-  EXPECT_EQ(NetLogSourceType::BIDIRECTIONAL_STREAM, entry.source.type);
+  EXPECT_EQ(NetLogSourceType::BIDIRECTIONAL_STREAM, entries[index].source.type);
   // Received bytes for synchronous read.
   index = ExpectLogContainsSomewhere(
       entries, index, NetLogEventType::BIDIRECTIONAL_STREAM_BYTES_RECEIVED,
       NetLogEventPhase::NONE);
-  entry = entries[index];
-  EXPECT_EQ(NetLogSourceType::BIDIRECTIONAL_STREAM, entry.source.type);
+  EXPECT_EQ(NetLogSourceType::BIDIRECTIONAL_STREAM, entries[index].source.type);
   ExpectLogContainsSomewhere(entries, index,
                              NetLogEventType::BIDIRECTIONAL_STREAM_ALIVE,
                              NetLogEventPhase::END);
@@ -1051,41 +1044,30 @@ TEST_F(BidirectionalStreamTest, TestCoalesceSmallDataBuffers) {
   EXPECT_EQ(CountWriteBytes(writes), delegate->GetTotalSentBytes());
   EXPECT_EQ(CountReadBytes(reads), delegate->GetTotalReceivedBytes());
 
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   size_t index = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::BIDIRECTIONAL_STREAM_SENDV_DATA,
       NetLogEventPhase::NONE);
-  TestNetLogEntry entry = entries[index];
-  int num_buffers = 0;
-  EXPECT_TRUE(entry.params->GetInteger("num_buffers", &num_buffers));
-  EXPECT_EQ(2, num_buffers);
+  EXPECT_EQ(2, GetIntegerValueFromParams(entries[index], "num_buffers"));
 
   index = ExpectLogContainsSomewhereAfter(
       entries, index,
       NetLogEventType::BIDIRECTIONAL_STREAM_BYTES_SENT_COALESCED,
       NetLogEventPhase::BEGIN);
-  entry = entries[index];
-  int num_buffers_coalesced = 0;
-  EXPECT_TRUE(entry.params->GetInteger("num_buffers_coalesced",
-                                       &num_buffers_coalesced));
-  EXPECT_EQ(2, num_buffers_coalesced);
+  EXPECT_EQ(2,
+            GetIntegerValueFromParams(entries[index], "num_buffers_coalesced"));
 
   index = ExpectLogContainsSomewhereAfter(
       entries, index, NetLogEventType::BIDIRECTIONAL_STREAM_BYTES_SENT,
       NetLogEventPhase::NONE);
-  entry = entries[index];
-  int byte_count = 0;
-  EXPECT_TRUE(entry.params->GetInteger("byte_count", &byte_count));
-  EXPECT_EQ(buf->size(), byte_count);
+  EXPECT_EQ(buf->size(),
+            GetIntegerValueFromParams(entries[index], "byte_count"));
 
   index = ExpectLogContainsSomewhereAfter(
       entries, index + 1, NetLogEventType::BIDIRECTIONAL_STREAM_BYTES_SENT,
       NetLogEventPhase::NONE);
-  entry = entries[index];
-  byte_count = 0;
-  EXPECT_TRUE(entry.params->GetInteger("byte_count", &byte_count));
-  EXPECT_EQ(buf2->size(), byte_count);
+  EXPECT_EQ(buf2->size(),
+            GetIntegerValueFromParams(entries[index], "byte_count"));
 
   ExpectLogContainsSomewhere(
       entries, index,
@@ -1464,7 +1446,7 @@ TEST_F(BidirectionalStreamTest, PropagateProtocolError) {
   delegate->Start(std::move(request_info), http_session_.get());
 
   base::RunLoop().RunUntilIdle();
-  EXPECT_THAT(delegate->error(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate->error(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
   EXPECT_EQ(delegate->response_headers().end(),
             delegate->response_headers().find(":status"));
   EXPECT_EQ(0, delegate->on_data_read_count());
@@ -1476,25 +1458,19 @@ TEST_F(BidirectionalStreamTest, PropagateProtocolError) {
             delegate->GetTotalSentBytes());
   EXPECT_EQ(0, delegate->GetTotalReceivedBytes());
 
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
 
   size_t index = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::BIDIRECTIONAL_STREAM_READY,
       NetLogEventPhase::NONE);
-  TestNetLogEntry entry = entries[index];
-  bool request_headers_sent = false;
   EXPECT_TRUE(
-      entry.params->GetBoolean("request_headers_sent", &request_headers_sent));
-  EXPECT_TRUE(request_headers_sent);
+      GetBooleanValueFromParams(entries[index], "request_headers_sent"));
 
   index = ExpectLogContainsSomewhere(
       entries, index, NetLogEventType::BIDIRECTIONAL_STREAM_FAILED,
       NetLogEventPhase::NONE);
-  entry = entries[index];
-  int net_error = OK;
-  EXPECT_TRUE(entry.params->GetInteger("net_error", &net_error));
-  EXPECT_THAT(net_error, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_EQ(ERR_HTTP2_PROTOCOL_ERROR,
+            GetNetErrorCodeFromParams(entries[index]));
 }
 
 TEST_F(BidirectionalStreamTest, DeleteStreamDuringOnHeadersReceived) {
@@ -1704,7 +1680,7 @@ TEST_F(BidirectionalStreamTest, DeleteStreamDuringOnFailed) {
             delegate->response_headers().find(":status"));
   EXPECT_EQ(0, delegate->on_data_sent_count());
   EXPECT_EQ(0, delegate->on_data_read_count());
-  EXPECT_THAT(delegate->error(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate->error(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   EXPECT_EQ(kProtoHTTP2, delegate->GetProtocol());
   // Bytes sent excludes the RST frame.
diff --git a/chromium/net/http/broken_alternative_services.cc b/chromium/net/http/broken_alternative_services.cc
index e2a71855b03..fcb9548f9f7 100644
--- a/chromium/net/http/broken_alternative_services.cc
+++ b/chromium/net/http/broken_alternative_services.cc
@@ -34,7 +34,7 @@ base::TimeDelta ComputeBrokenAlternativeServiceExpirationDelay(
 BrokenAlternativeServices::BrokenAlternativeServices(
     Delegate* delegate,
     const base::TickClock* clock)
-    : delegate_(delegate), clock_(clock), weak_ptr_factory_(this) {
+    : delegate_(delegate), clock_(clock) {
   DCHECK(delegate_);
   DCHECK(clock_);
 }
diff --git a/chromium/net/http/broken_alternative_services.h b/chromium/net/http/broken_alternative_services.h
index 3d6690f2162..2d93fb4901a 100644
--- a/chromium/net/http/broken_alternative_services.h
+++ b/chromium/net/http/broken_alternative_services.h
@@ -165,7 +165,7 @@ class NET_EXPORT_PRIVATE BrokenAlternativeServices {
   // services.
   base::OneShotTimer expiration_timer_;
 
-  base::WeakPtrFactory<BrokenAlternativeServices> weak_ptr_factory_;
+  base::WeakPtrFactory<BrokenAlternativeServices> weak_ptr_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/http/http_auth.cc b/chromium/net/http/http_auth.cc
index 338aabb4ec0..5381f1b6865 100644
--- a/chromium/net/http/http_auth.cc
+++ b/chromium/net/http/http_auth.cc
@@ -20,9 +20,16 @@
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/log/net_log.h"
+#include "net/log/net_log_values.h"
 
 namespace net {
 
+namespace {
+const char* const kSchemeNames[] = {kBasicAuthScheme,     kDigestAuthScheme,
+                                    kNtlmAuthScheme,      kNegotiateAuthScheme,
+                                    kSpdyProxyAuthScheme, kMockAuthScheme};
+}  // namespace
+
 HttpAuth::Identity::Identity() : source(IDENT_SRC_NONE), invalid(true) {}
 
 // static
@@ -137,9 +144,6 @@ std::string HttpAuth::GetAuthTargetString(Target target) {
 
 // static
 const char* HttpAuth::SchemeToString(Scheme scheme) {
-  static const char* const kSchemeNames[] = {
-      kBasicAuthScheme,     kDigestAuthScheme,    kNtlmAuthScheme,
-      kNegotiateAuthScheme, kSpdyProxyAuthScheme, kMockAuthScheme};
   static_assert(base::size(kSchemeNames) == AUTH_SCHEME_MAX,
                 "http auth scheme names incorrect size");
   if (scheme < AUTH_SCHEME_BASIC || scheme >= AUTH_SCHEME_MAX) {
@@ -150,6 +154,16 @@ const char* HttpAuth::SchemeToString(Scheme scheme) {
 }
 
 // static
+HttpAuth::Scheme HttpAuth::StringToScheme(const std::string& str) {
+  for (uint8_t i = 0; i < base::size(kSchemeNames); i++) {
+    if (str == kSchemeNames[i])
+      return static_cast<Scheme>(i);
+  }
+  NOTREACHED();
+  return AUTH_SCHEME_MAX;
+}
+
+// static
 const char* HttpAuth::AuthorizationResultToString(
     AuthorizationResult authorization_result) {
   switch (authorization_result) {
@@ -169,10 +183,10 @@ const char* HttpAuth::AuthorizationResultToString(
 }
 
 // static
-NetLogParametersCallback HttpAuth::NetLogAuthorizationResultCallback(
+base::Value HttpAuth::NetLogAuthorizationResultParams(
     const char* name,
     AuthorizationResult authorization_result) {
-  return NetLog::StringCallback(
+  return NetLogParamsWithString(
       name, AuthorizationResultToString(authorization_result));
 }
 
diff --git a/chromium/net/http/http_auth.h b/chromium/net/http/http_auth.h
index 90841cdbc7d..622015423a9 100644
--- a/chromium/net/http/http_auth.h
+++ b/chromium/net/http/http_auth.h
@@ -12,10 +12,13 @@
 #include "net/base/auth.h"
 #include "net/base/net_export.h"
 #include "net/http/http_util.h"
-#include "net/log/net_log_parameters_callback.h"
 
 template <class T> class scoped_refptr;
 
+namespace base {
+class Value;
+}
+
 namespace net {
 
 class HttpAuthHandler;
@@ -141,13 +144,16 @@ class NET_EXPORT_PRIVATE HttpAuth {
   // Returns a string representation of an authentication Scheme.
   static const char* SchemeToString(Scheme scheme);
 
+  // Returns an authentication Scheme from a string which was produced by
+  // SchemeToString().
+  static Scheme StringToScheme(const std::string& str);
+
   // Returns a string representation of an authorization result.
   static const char* AuthorizationResultToString(
       AuthorizationResult authorization_result);
 
-  // Use with BoundNetLog to log an authorization result. The returned callback
-  // is valid as long as |name| is valid.
-  static NetLogParametersCallback NetLogAuthorizationResultCallback(
+  // Returns a value for logging an authorization result to a NetLog.
+  static base::Value NetLogAuthorizationResultParams(
       const char* name,
       AuthorizationResult authorization_result);
 
diff --git a/chromium/net/http/http_auth_cache.cc b/chromium/net/http/http_auth_cache.cc
index 6a36b9fb12a..ae5ccb22186 100644
--- a/chromium/net/http/http_auth_cache.cc
+++ b/chromium/net/http/http_auth_cache.cc
@@ -27,12 +27,6 @@ std::string GetParentDirectory(const std::string& path) {
   return path.substr(0, last_slash + 1);
 }
 
-// Debug helper to check that |path| arguments are properly formed.
-// (should be absolute path, or empty string).
-void CheckPathIsValid(const std::string& path) {
-  DCHECK(path.empty() || path[0] == '/');
-}
-
 // Return true if |path| is a subpath of |container|. In other words, is
 // |container| an ancestor of |path|?
 bool IsEnclosingPath(const std::string& container, const std::string& path) {
@@ -42,13 +36,22 @@ bool IsEnclosingPath(const std::string& container, const std::string& path) {
            base::StartsWith(path, container, base::CompareCase::SENSITIVE)));
 }
 
+#if DCHECK_IS_ON()
 // Debug helper to check that |origin| arguments are properly formed.
+// TODO(asanka): Switch auth cache to use url::Origin.
 void CheckOriginIsValid(const GURL& origin) {
   DCHECK(origin.is_valid());
   DCHECK(origin.SchemeIsHTTPOrHTTPS() || origin.SchemeIsWSOrWSS());
   DCHECK(origin.GetOrigin() == origin);
 }
 
+// Debug helper to check that |path| arguments are properly formed.
+// (should be absolute path, or empty string).
+void CheckPathIsValid(const std::string& path) {
+  DCHECK(path.empty() || path[0] == '/');
+}
+#endif
+
 // Functor used by EraseIf.
 struct IsEnclosedBy {
   explicit IsEnclosedBy(const std::string& path) : path(path) { }
@@ -83,8 +86,10 @@ HttpAuthCache::Entry* HttpAuthCache::Lookup(const GURL& origin,
 // AddPath() only keeps the shallowest entry.
 HttpAuthCache::Entry* HttpAuthCache::LookupByPath(const GURL& origin,
                                                   const std::string& path) {
+#if DCHECK_IS_ON()
   CheckOriginIsValid(origin);
   CheckPathIsValid(path);
+#endif
 
   // RFC 2617 section 2:
   // A client SHOULD assume that all paths at or deeper than the depth of
@@ -120,8 +125,10 @@ HttpAuthCache::Entry* HttpAuthCache::Add(const GURL& origin,
                                          const std::string& auth_challenge,
                                          const AuthCredentials& credentials,
                                          const std::string& path) {
+#if DCHECK_IS_ON()
   CheckOriginIsValid(origin);
   CheckPathIsValid(path);
+#endif
 
   base::TimeTicks now_ticks = tick_clock_->NowTicks();
 
@@ -130,13 +137,16 @@ HttpAuthCache::Entry* HttpAuthCache::Add(const GURL& origin,
   if (!entry) {
     bool evicted = false;
     // Failsafe to prevent unbounded memory growth of the cache.
+    //
+    // Data collected in June of 2019 indicate that the eviction rate is at
+    // around 0.05%. I.e. 0.05% of the time the number of entries in the cache
+    // exceed kMaxNumRealmEntries. The evicted entry is roughly half an hour old
+    // (median), and it's been around 25 minutes since its last use (median).
     if (entries_.size() >= kMaxNumRealmEntries) {
-      LOG(WARNING) << "Num auth cache entries reached limit -- evicting";
+      DLOG(WARNING) << "Num auth cache entries reached limit -- evicting";
       EvictLeastRecentlyUsedEntry();
       evicted = true;
     }
-    UMA_HISTOGRAM_BOOLEAN("Net.HttpAuthCacheAddEvicted", evicted);
-
     entry = &(entries_.emplace(std::make_pair(origin, Entry()))->second);
     entry->origin_ = origin;
     entry->realm_ = realm;
@@ -198,13 +208,15 @@ void HttpAuthCache::Entry::AddPath(const std::string& path) {
 
     bool evicted = false;
     // Failsafe to prevent unbounded memory growth of the cache.
+    //
+    // Data collected on June of 2019 indicate that when we get here, the list
+    // of paths has reached the 10 entry maximum around 1% of the time.
     if (paths_.size() >= kMaxNumPathsPerRealmEntry) {
-      LOG(WARNING) << "Num path entries for " << origin()
-                   << " has grown too large -- evicting";
+      DLOG(WARNING) << "Num path entries for " << origin()
+                    << " has grown too large -- evicting";
       paths_.pop_back();
       evicted = true;
     }
-    UMA_HISTOGRAM_BOOLEAN("Net.HttpAuthCacheAddPathEvicted", evicted);
 
     // Add new path.
     paths_.push_front(parent_dir);
@@ -297,7 +309,9 @@ HttpAuthCache::EntryMap::iterator HttpAuthCache::LookupEntryIt(
     const GURL& origin,
     const std::string& realm,
     HttpAuth::Scheme scheme) {
+#if DCHECK_IS_ON()
   CheckOriginIsValid(origin);
+#endif
 
   // Linear scan through the <scheme, realm> entries for the given origin.
   auto entry_range = entries_.equal_range(origin);
@@ -330,11 +344,6 @@ void HttpAuthCache::EvictLeastRecentlyUsedEntry() {
     }
   }
   DCHECK(oldest_entry_it != entries_.end());
-  Entry& oldest_entry = oldest_entry_it->second;
-  UMA_HISTOGRAM_LONG_TIMES("Net.HttpAuthCacheAddEvictedCreation",
-                           now_ticks - oldest_entry.creation_time_ticks_);
-  UMA_HISTOGRAM_LONG_TIMES("Net.HttpAuthCacheAddEvictedLastUse",
-                           now_ticks - oldest_entry.last_use_time_ticks_);
   entries_.erase(oldest_entry_it);
 }
 
diff --git a/chromium/net/http/http_auth_controller.cc b/chromium/net/http/http_auth_controller.cc
index d7cf6c20183..9f7923bb524 100644
--- a/chromium/net/http/http_auth_controller.cc
+++ b/chromium/net/http/http_auth_controller.cc
@@ -23,7 +23,6 @@
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_source_type.h"
 #include "net/log/net_log_with_source.h"
@@ -128,20 +127,13 @@ void HistogramAuthEvent(HttpAuthHandler* handler, AuthEvent auth_event) {
                             kTargetBucketsEnd);
 }
 
-base::Value ControllerParamsToValue(HttpAuth::Target target,
-                                    const GURL* url,
-                                    NetLogCaptureMode) {
+base::Value ControllerParamsToValue(HttpAuth::Target target, const GURL& url) {
   base::Value params(base::Value::Type::DICTIONARY);
   params.SetStringPath("target", HttpAuth::GetAuthTargetString(target));
-  params.SetStringPath("url", url->spec());
+  params.SetStringPath("url", url.spec());
   return params;
 }
 
-NetLogParametersCallback ControllerParamsCallback(HttpAuth::Target target,
-                                                  const GURL& url) {
-  return base::BindRepeating(&ControllerParamsToValue, target, &url);
-}
-
 }  // namespace
 
 HttpAuthController::HttpAuthController(
@@ -173,11 +165,12 @@ void HttpAuthController::BindToCallingNetLog(
   if (!net_log_.source().IsValid()) {
     net_log_ = NetLogWithSource::Make(caller_net_log.net_log(),
                                       NetLogSourceType::HTTP_AUTH_CONTROLLER);
-    net_log_.BeginEvent(NetLogEventType::AUTH_CONTROLLER,
-                        ControllerParamsCallback(target_, auth_url_));
+    net_log_.BeginEvent(NetLogEventType::AUTH_CONTROLLER, [&] {
+      return ControllerParamsToValue(target_, auth_url_);
+    });
   }
-  caller_net_log.AddEvent(NetLogEventType::AUTH_BOUND_TO_CONTROLLER,
-                          net_log_.source().ToEventParametersCallback());
+  caller_net_log.AddEventReferencingSource(
+      NetLogEventType::AUTH_BOUND_TO_CONTROLLER, net_log_.source());
 }
 
 int HttpAuthController::MaybeGenerateAuthToken(
@@ -189,8 +182,8 @@ int HttpAuthController::MaybeGenerateAuthToken(
   bool needs_auth = HaveAuth() || SelectPreemptiveAuth(caller_net_log);
   if (!needs_auth)
     return OK;
-  net_log_.BeginEvent(NetLogEventType::AUTH_GENERATE_TOKEN,
-                      caller_net_log.source().ToEventParametersCallback());
+  net_log_.BeginEventReferencingSource(NetLogEventType::AUTH_GENERATE_TOKEN,
+                                       caller_net_log.source());
   const AuthCredentials* credentials = nullptr;
   if (identity_.source != HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS)
     credentials = &identity_.credentials;
@@ -275,8 +268,8 @@ int HttpAuthController::HandleAuthChallenge(
   DCHECK(!auth_info_);
 
   BindToCallingNetLog(caller_net_log);
-  net_log_.BeginEvent(NetLogEventType::AUTH_HANDLE_CHALLENGE,
-                      caller_net_log.source().ToEventParametersCallback());
+  net_log_.BeginEventReferencingSource(NetLogEventType::AUTH_HANDLE_CHALLENGE,
+                                       caller_net_log.source());
 
   // Give the existing auth handler first try at the authentication headers.
   // This will also evict the entry in the HttpAuthCache if the previous
diff --git a/chromium/net/http/http_auth_controller_unittest.cc b/chromium/net/http/http_auth_controller_unittest.cc
index 1ce5b4e6b24..90fa3a8c2e0 100644
--- a/chromium/net/http/http_auth_controller_unittest.cc
+++ b/chromium/net/http/http_auth_controller_unittest.cc
@@ -21,7 +21,7 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
+#include "net/log/test_net_log_util.h"
 #include "net/ssl/ssl_info.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -138,29 +138,29 @@ TEST(HttpAuthControllerTest, Logging) {
 
   RunSingleRoundAuthTest(RUN_HANDLER_SYNC, OK, OK, SCHEME_IS_ENABLED,
                          net_log.bound());
-  TestNetLogEntry::List entries;
-  net_log.GetEntries(&entries);
+  auto entries = net_log.GetEntries();
 
   // There should be at least two events.
   ASSERT_GE(entries.size(), 2u);
 
-  auto begin = std::find_if(entries.begin(), entries.end(),
-                            [](const TestNetLogEntry& e) -> bool {
-                              std::string target, url;
-                              if (e.type != NetLogEventType::AUTH_CONTROLLER ||
-                                  e.phase != NetLogEventPhase::BEGIN ||
-                                  !e.GetStringValue("target", &target) ||
-                                  !e.GetStringValue("url", &url)) {
-                                return false;
-                              }
-
-                              EXPECT_EQ("proxy", target);
-                              EXPECT_EQ("http://example.com/", url);
-                              return true;
-                            });
+  auto begin = std::find_if(
+      entries.begin(), entries.end(), [](const NetLogEntry& e) -> bool {
+        if (e.type != NetLogEventType::AUTH_CONTROLLER ||
+            e.phase != NetLogEventPhase::BEGIN)
+          return false;
+
+        auto target = GetOptionalStringValueFromParams(e, "target");
+        auto url = GetOptionalStringValueFromParams(e, "url");
+        if (!target || !url)
+          return false;
+
+        EXPECT_EQ("proxy", *target);
+        EXPECT_EQ("http://example.com/", *url);
+        return true;
+      });
   EXPECT_TRUE(begin != entries.end());
   auto end = std::find_if(++begin, entries.end(),
-                          [](const TestNetLogEntry& e) -> bool {
+                          [](const NetLogEntry& e) -> bool {
                             return e.type == NetLogEventType::AUTH_CONTROLLER &&
                                    e.phase == NetLogEventPhase::END;
                           });
diff --git a/chromium/net/http/http_auth_gssapi_posix.cc b/chromium/net/http/http_auth_gssapi_posix.cc
index 68a4ed882c4..f8efa9f7a2d 100644
--- a/chromium/net/http/http_auth_gssapi_posix.cc
+++ b/chromium/net/http/http_auth_gssapi_posix.cc
@@ -8,72 +8,24 @@
 #include <string>
 
 #include "base/base64.h"
+#include "base/compiler_specific.h"
 #include "base/files/file_path.h"
 #include "base/format_macros.h"
 #include "base/logging.h"
 #include "base/stl_util.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/threading/thread_restrictions.h"
+#include "base/values.h"
 #include "net/base/net_errors.h"
+#include "net/http/http_auth_gssapi_posix.h"
 #include "net/http/http_auth_multi_round_parse.h"
-
-// These are defined for the GSSAPI library:
-// Paraphrasing the comments from gssapi.h:
-// "The implementation must reserve static storage for a
-// gss_OID_desc object for each constant.  That constant
-// should be initialized to point to that gss_OID_desc."
-// These are encoded using ASN.1 BER encoding.
-namespace {
-
-static gss_OID_desc GSS_C_NT_USER_NAME_VAL = {
-  10,
-  const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01")
-};
-static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_VAL = {
-  10,
-  const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02")
-};
-static gss_OID_desc GSS_C_NT_STRING_UID_NAME_VAL = {
-  10,
-  const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03")
-};
-static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_VAL = {
-  6,
-  const_cast<char*>("\x2b\x06\x01\x05\x06\x02")
-};
-static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_VAL = {
-  10,
-  const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")
-};
-static gss_OID_desc GSS_C_NT_ANONYMOUS_VAL = {
-  6,
-  const_cast<char*>("\x2b\x06\01\x05\x06\x03")
-};
-static gss_OID_desc GSS_C_NT_EXPORT_NAME_VAL = {
-  6,
-  const_cast<char*>("\x2b\x06\x01\x05\x06\x04")
-};
-
-}  // namespace
-
-// Heimdal >= 1.4 will define the following as preprocessor macros.
-// To avoid conflicting declarations, we have to undefine these.
-#undef GSS_C_NT_USER_NAME
-#undef GSS_C_NT_MACHINE_UID_NAME
-#undef GSS_C_NT_STRING_UID_NAME
-#undef GSS_C_NT_HOSTBASED_SERVICE_X
-#undef GSS_C_NT_HOSTBASED_SERVICE
-#undef GSS_C_NT_ANONYMOUS
-#undef GSS_C_NT_EXPORT_NAME
-
-gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_VAL;
-gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_VAL;
-gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_VAL;
-gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_VAL;
-gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_VAL;
-gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_VAL;
-gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_VAL;
+#include "net/log/net_log_event_type.h"
+#include "net/log/net_log_values.h"
+#include "net/log/net_log_with_source.h"
+#include "net/net_buildflags.h"
 
 namespace net {
 
@@ -90,243 +42,239 @@ gss_OID_desc CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL = {
 gss_OID CHROME_GSS_SPNEGO_MECH_OID_DESC =
     &CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL;
 
-// Debugging helpers.
-namespace {
-
-std::string DisplayStatus(OM_uint32 major_status,
-                          OM_uint32 minor_status) {
-  if (major_status == GSS_S_COMPLETE)
-    return "OK";
-  return base::StringPrintf("0x%08X 0x%08X", major_status, minor_status);
-}
-
-std::string DisplayCode(GSSAPILibrary* gssapi_lib,
-                        OM_uint32 status,
-                        OM_uint32 status_code_type) {
-  const int kMaxDisplayIterations = 8;
-  const size_t kMaxMsgLength = 4096;
-  // msg_ctx needs to be outside the loop because it is invoked multiple times.
-  OM_uint32 msg_ctx = 0;
-  std::string rv = base::StringPrintf("(0x%08X)", status);
-
-  // This loop should continue iterating until msg_ctx is 0 after the first
-  // iteration. To be cautious and prevent an infinite loop, it stops after
-  // a finite number of iterations as well. As an added sanity check, no
-  // individual message may exceed |kMaxMsgLength|, and the final result
-  // will not exceed |kMaxMsgLength|*2-1.
-  for (int i = 0; i < kMaxDisplayIterations && rv.size() < kMaxMsgLength;
-       ++i) {
-    OM_uint32 min_stat;
-    gss_buffer_desc_struct msg = GSS_C_EMPTY_BUFFER;
-    OM_uint32 maj_stat =
-        gssapi_lib->display_status(&min_stat, status, status_code_type,
-                                   GSS_C_NULL_OID, &msg_ctx, &msg);
-    if (maj_stat == GSS_S_COMPLETE) {
-      int msg_len = (msg.length > kMaxMsgLength) ?
-          static_cast<int>(kMaxMsgLength) :
-          static_cast<int>(msg.length);
-      if (msg_len > 0 && msg.value != nullptr) {
-        rv += base::StringPrintf(" %.*s", msg_len,
-                                 static_cast<char*>(msg.value));
-      }
-    }
-    gssapi_lib->release_buffer(&min_stat, &msg);
-    if (!msg_ctx)
-      break;
+OM_uint32 DelegationTypeToFlag(DelegationType delegation_type) {
+  switch (delegation_type) {
+    case DelegationType::kNone:
+      return 0;
+    case DelegationType::kByKdcPolicy:
+      return GSS_C_DELEG_POLICY_FLAG;
+    case DelegationType::kUnconstrained:
+      return GSS_C_DELEG_FLAG;
   }
-  return rv;
 }
 
-std::string DisplayExtendedStatus(GSSAPILibrary* gssapi_lib,
-                                  OM_uint32 major_status,
-                                  OM_uint32 minor_status) {
-  if (major_status == GSS_S_COMPLETE)
-    return "OK";
-  std::string major = DisplayCode(gssapi_lib, major_status, GSS_C_GSS_CODE);
-  std::string minor = DisplayCode(gssapi_lib, minor_status, GSS_C_MECH_CODE);
-  return base::StringPrintf("Major: %s | Minor: %s", major.c_str(),
-                            minor.c_str());
-}
-
-// ScopedName releases a gss_name_t when it goes out of scope.
-class ScopedName {
+// ScopedBuffer releases a gss_buffer_t when it goes out of scope.
+class ScopedBuffer {
  public:
-  ScopedName(gss_name_t name,
-             GSSAPILibrary* gssapi_lib)
-      : name_(name),
-        gssapi_lib_(gssapi_lib) {
+  ScopedBuffer(gss_buffer_t buffer, GSSAPILibrary* gssapi_lib)
+      : buffer_(buffer), gssapi_lib_(gssapi_lib) {
     DCHECK(gssapi_lib_);
   }
 
-  ~ScopedName() {
-    if (name_ != GSS_C_NO_NAME) {
+  ~ScopedBuffer() {
+    if (buffer_ != GSS_C_NO_BUFFER) {
       OM_uint32 minor_status = 0;
       OM_uint32 major_status =
-          gssapi_lib_->release_name(&minor_status, &name_);
-      if (major_status != GSS_S_COMPLETE) {
-        LOG(WARNING) << "Problem releasing name. "
-                     << DisplayStatus(major_status, minor_status);
-      }
-      name_ = GSS_C_NO_NAME;
+          gssapi_lib_->release_buffer(&minor_status, buffer_);
+      DLOG_IF(WARNING, major_status != GSS_S_COMPLETE)
+          << "Problem releasing buffer. major=" << major_status
+          << ", minor=" << minor_status;
+      buffer_ = GSS_C_NO_BUFFER;
     }
   }
 
  private:
-  gss_name_t name_;
+  gss_buffer_t buffer_;
   GSSAPILibrary* gssapi_lib_;
 
-  DISALLOW_COPY_AND_ASSIGN(ScopedName);
+  DISALLOW_COPY_AND_ASSIGN(ScopedBuffer);
 };
 
-// ScopedBuffer releases a gss_buffer_t when it goes out of scope.
-class ScopedBuffer {
+// ScopedName releases a gss_name_t when it goes out of scope.
+class ScopedName {
  public:
-  ScopedBuffer(gss_buffer_t buffer,
-               GSSAPILibrary* gssapi_lib)
-      : buffer_(buffer),
-        gssapi_lib_(gssapi_lib) {
+  ScopedName(gss_name_t name, GSSAPILibrary* gssapi_lib)
+      : name_(name), gssapi_lib_(gssapi_lib) {
     DCHECK(gssapi_lib_);
   }
 
-  ~ScopedBuffer() {
-    if (buffer_ != GSS_C_NO_BUFFER) {
+  ~ScopedName() {
+    if (name_ != GSS_C_NO_NAME) {
       OM_uint32 minor_status = 0;
-      OM_uint32 major_status =
-          gssapi_lib_->release_buffer(&minor_status, buffer_);
+      OM_uint32 major_status = gssapi_lib_->release_name(&minor_status, &name_);
       if (major_status != GSS_S_COMPLETE) {
-        LOG(WARNING) << "Problem releasing buffer. "
-                     << DisplayStatus(major_status, minor_status);
+        DLOG_IF(WARNING, major_status != GSS_S_COMPLETE)
+            << "Problem releasing name. "
+            << GetGssStatusValue(nullptr, "gss_release_name", major_status,
+                                 minor_status);
       }
-      buffer_ = GSS_C_NO_BUFFER;
+      name_ = GSS_C_NO_NAME;
     }
   }
 
  private:
-  gss_buffer_t buffer_;
+  gss_name_t name_;
   GSSAPILibrary* gssapi_lib_;
 
-  DISALLOW_COPY_AND_ASSIGN(ScopedBuffer);
+  DISALLOW_COPY_AND_ASSIGN(ScopedName);
 };
 
-namespace {
-
-std::string AppendIfPredefinedValue(gss_OID oid,
-                                    gss_OID predefined_oid,
-                                    const char* predefined_oid_name) {
-  DCHECK(oid);
-  DCHECK(predefined_oid);
-  DCHECK(predefined_oid_name);
-  std::string output;
-  if (oid->length != predefined_oid->length)
-    return output;
-  if (0 != memcmp(oid->elements,
-                  predefined_oid->elements,
-                  predefined_oid->length))
-    return output;
-
-  output += " (";
-  output += predefined_oid_name;
-  output += ")";
-  return output;
+bool OidEquals(const gss_OID left, const gss_OID right) {
+  if (left->length != right->length)
+    return false;
+  return 0 == memcmp(left->elements, right->elements, right->length);
 }
 
-}  // namespace
+base::Value GetGssStatusCodeValue(GSSAPILibrary* gssapi_lib,
+                                  OM_uint32 status,
+                                  OM_uint32 status_code_type) {
+  base::Value rv{base::Value::Type::DICTIONARY};
 
-std::string DescribeOid(GSSAPILibrary* gssapi_lib, const gss_OID oid) {
-  if (!oid)
-    return "<NULL>";
-  std::string output;
-  const size_t kMaxCharsToPrint = 1024;
-  OM_uint32 byte_length = oid->length;
-  size_t char_length = byte_length / sizeof(char);
-  if (char_length > kMaxCharsToPrint) {
-    // This might be a plain ASCII string.
-    // Check if the first |kMaxCharsToPrint| characters
-    // contain only printable characters and are NUL terminated.
-    const char* str = reinterpret_cast<const char*>(oid);
-    size_t str_length = 0;
-    for ( ; str_length < kMaxCharsToPrint; ++str_length) {
-      if (!str[str_length] || !isprint(str[str_length]))
-        break;
-    }
-    if (!str[str_length]) {
-      output += base::StringPrintf("\"%s\"", str);
-      return output;
+  rv.SetIntKey("status", status);
+
+  // Message lookups aren't performed if there's no library or if the status
+  // indicates success.
+  if (!gssapi_lib || status == GSS_S_COMPLETE)
+    return rv;
+
+  // gss_display_status() can potentially return multiple strings by sending
+  // each string on successive invocations. State is maintained across these
+  // invocations in a caller supplied OM_uint32.  After each successful call,
+  // the context is set to a non-zero value that should be passed as a message
+  // context to each successive gss_display_status() call.  The initial and
+  // terminal values of this context storage is 0.
+  OM_uint32 message_context = 0;
+
+  // To account for the off chance that gss_display_status() misbehaves and gets
+  // into an infinite loop, we'll artificially limit the number of iterations to
+  // |kMaxDisplayIterations|. This limit is arbitrary.
+  constexpr size_t kMaxDisplayIterations = 8;
+  size_t iterations = 0;
+
+  // In addition, each message string is again arbitrarily limited to
+  // |kMaxMsgLength|. There's no real documented limit to work with here.
+  constexpr size_t kMaxMsgLength = 4096;
+
+  base::Value messages{base::Value::Type::LIST};
+  do {
+    gss_buffer_desc_struct message_buffer = GSS_C_EMPTY_BUFFER;
+    ScopedBuffer message_buffer_releaser(&message_buffer, gssapi_lib);
+
+    OM_uint32 minor_status = 0;
+    OM_uint32 major_status = gssapi_lib->display_status(
+        &minor_status, status, status_code_type, GSS_C_NO_OID, &message_context,
+        &message_buffer);
+
+    if (major_status != GSS_S_COMPLETE || message_buffer.length == 0 ||
+        !message_buffer.value) {
+      continue;
     }
+
+    base::StringPiece message_string{
+        static_cast<const char*>(message_buffer.value),
+        std::min(kMaxMsgLength, message_buffer.length)};
+
+    // The returned string is almost assuredly ASCII, but be defensive.
+    if (!base::IsStringUTF8(message_string))
+      continue;
+
+    messages.GetList().emplace_back(message_string);
+  } while (message_context != 0 && ++iterations < kMaxDisplayIterations);
+
+  if (messages.GetList().size() > 0)
+    rv.SetKey("message", std::move(messages));
+  return rv;
+}
+
+base::Value GetGssStatusValue(GSSAPILibrary* gssapi_lib,
+                              base::StringPiece method,
+                              OM_uint32 major_status,
+                              OM_uint32 minor_status) {
+  base::Value params{base::Value::Type::DICTIONARY};
+  params.SetStringKey("function", method);
+  params.SetKey("major_status", GetGssStatusCodeValue(gssapi_lib, major_status,
+                                                      GSS_C_GSS_CODE));
+  params.SetKey("minor_status", GetGssStatusCodeValue(gssapi_lib, minor_status,
+                                                      GSS_C_MECH_CODE));
+  return params;
+}
+
+base::Value OidToValue(gss_OID oid) {
+  base::Value params(base::Value::Type::DICTIONARY);
+
+  if (!oid || oid->length == 0) {
+    params.SetStringKey("oid", "<Empty OID>");
+    return params;
   }
-  output = base::StringPrintf("(%u) \"", byte_length);
-  if (!oid->elements) {
-    output += "<NULL>";
-    return output;
-  }
-  const unsigned char* elements =
-      reinterpret_cast<const unsigned char*>(oid->elements);
-  // Don't print more than |kMaxCharsToPrint| characters.
-  size_t i = 0;
-  for ( ; (i < byte_length) && (i < kMaxCharsToPrint); ++i) {
-    output += base::StringPrintf("\\x%02X", elements[i]);
+
+  params.SetIntKey("length", oid->length);
+  if (!oid->elements)
+    return params;
+
+  // Cap OID content at arbitrary limit 1k.
+  constexpr OM_uint32 kMaxOidDataSize = 1024;
+  params.SetKey(
+      "bytes",
+      NetLogBinaryValue(oid->elements, std::min(kMaxOidDataSize, oid->length)));
+
+  // Based on RFC 2744 Appendix A. Hardcoding the OIDs in the list below to
+  // avoid having a static dependency on the library.
+  static const struct {
+    const char* symbolic_name;
+    const gss_OID_desc oid_desc;
+  } kWellKnownOIDs[] = {
+      {"GSS_C_NT_USER_NAME",
+       {10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01")}},
+      {"GSS_C_NT_MACHINE_UID_NAME",
+       {10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02")}},
+      {"GSS_C_NT_STRING_UID_NAME",
+       {10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03")}},
+      {"GSS_C_NT_HOSTBASED_SERVICE_X",
+       {6, const_cast<char*>("\x2b\x06\x01\x05\x06\x02")}},
+      {"GSS_C_NT_HOSTBASED_SERVICE",
+       {10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")}},
+      {"GSS_C_NT_ANONYMOUS", {6, const_cast<char*>("\x2b\x06\01\x05\x06\x03")}},
+      {"GSS_C_NT_EXPORT_NAME",
+       {6, const_cast<char*>("\x2b\x06\x01\x05\x06\x04")}}};
+
+  for (auto& well_known_oid : kWellKnownOIDs) {
+    if (OidEquals(oid, const_cast<const gss_OID>(&well_known_oid.oid_desc)))
+      params.SetStringKey("oid", well_known_oid.symbolic_name);
   }
-  if (i >= kMaxCharsToPrint)
-    output += "...";
-  output += "\"";
-
-  // Check if the OID is one of the predefined values.
-  output += AppendIfPredefinedValue(oid,
-                                    GSS_C_NT_USER_NAME,
-                                    "GSS_C_NT_USER_NAME");
-  output += AppendIfPredefinedValue(oid,
-                                    GSS_C_NT_MACHINE_UID_NAME,
-                                    "GSS_C_NT_MACHINE_UID_NAME");
-  output += AppendIfPredefinedValue(oid,
-                                    GSS_C_NT_STRING_UID_NAME,
-                                    "GSS_C_NT_STRING_UID_NAME");
-  output += AppendIfPredefinedValue(oid,
-                                    GSS_C_NT_HOSTBASED_SERVICE_X,
-                                    "GSS_C_NT_HOSTBASED_SERVICE_X");
-  output += AppendIfPredefinedValue(oid,
-                                    GSS_C_NT_HOSTBASED_SERVICE,
-                                    "GSS_C_NT_HOSTBASED_SERVICE");
-  output += AppendIfPredefinedValue(oid,
-                                    GSS_C_NT_ANONYMOUS,
-                                    "GSS_C_NT_ANONYMOUS");
-  output += AppendIfPredefinedValue(oid,
-                                    GSS_C_NT_EXPORT_NAME,
-                                    "GSS_C_NT_EXPORT_NAME");
-
-  return output;
-}
-
-std::string DescribeName(GSSAPILibrary* gssapi_lib, const gss_name_t name) {
+
+  return params;
+}
+
+base::Value GetDisplayNameValue(GSSAPILibrary* gssapi_lib,
+                                const gss_name_t gss_name) {
   OM_uint32 major_status = 0;
   OM_uint32 minor_status = 0;
-  gss_buffer_desc_struct output_name_buffer = GSS_C_EMPTY_BUFFER;
-  gss_OID_desc output_name_type_desc = GSS_C_EMPTY_BUFFER;
-  gss_OID output_name_type = &output_name_type_desc;
-  major_status = gssapi_lib->display_name(&minor_status,
-                                          name,
-                                          &output_name_buffer,
-                                          &output_name_type);
-  ScopedBuffer scoped_output_name(&output_name_buffer, gssapi_lib);
+  gss_buffer_desc_struct name = GSS_C_EMPTY_BUFFER;
+  gss_OID name_type = GSS_C_NO_OID;
+
+  base::Value rv{base::Value::Type::DICTIONARY};
+  major_status =
+      gssapi_lib->display_name(&minor_status, gss_name, &name, &name_type);
+  ScopedBuffer scoped_output_name(&name, gssapi_lib);
   if (major_status != GSS_S_COMPLETE) {
-    std::string error =
-        base::StringPrintf("Unable to describe name 0x%p, %s",
-                           name,
-                           DisplayExtendedStatus(gssapi_lib,
-                                                 major_status,
-                                                 minor_status).c_str());
-    return error;
+    rv.SetKey("error", GetGssStatusValue(gssapi_lib, "gss_display_name",
+                                         major_status, minor_status));
+    return rv;
   }
-  int len = output_name_buffer.length;
-  std::string description = base::StringPrintf(
-      "%*s (Type %s)",
-      len,
-      reinterpret_cast<const char*>(output_name_buffer.value),
-      DescribeOid(gssapi_lib, output_name_type).c_str());
-  return description;
+  auto name_string =
+      base::StringPiece(reinterpret_cast<const char*>(name.value), name.length);
+  rv.SetKey("name", base::IsStringUTF8(name_string)
+                        ? NetLogStringValue(name_string)
+                        : NetLogBinaryValue(name.value, name.length));
+  rv.SetKey("type", OidToValue(name_type));
+  return rv;
+}
+
+base::Value ContextFlagsToValue(OM_uint32 flags) {
+  // TODO(asanka): This should break down known flags. At least the
+  // GSS_C_DELEG_FLAG.
+  return base::Value(base::StringPrintf("%08x", flags));
 }
 
-std::string DescribeContext(GSSAPILibrary* gssapi_lib,
-                            const gss_ctx_id_t context_handle) {
+base::Value GetContextStateAsValue(GSSAPILibrary* gssapi_lib,
+                                   const gss_ctx_id_t context_handle) {
+  base::Value rv{base::Value::Type::DICTIONARY};
+  if (context_handle == GSS_C_NO_CONTEXT) {
+    rv.SetKey("error",
+              GetGssStatusValue(nullptr, "<none>", GSS_S_NO_CONTEXT, 0));
+    return rv;
+  }
+
   OM_uint32 major_status = 0;
   OM_uint32 minor_status = 0;
   gss_name_t src_name = GSS_C_NO_NAME;
@@ -336,8 +284,6 @@ std::string DescribeContext(GSSAPILibrary* gssapi_lib,
   OM_uint32 ctx_flags = 0;
   int locally_initiated = 0;
   int open = 0;
-  if (context_handle == GSS_C_NO_CONTEXT)
-    return std::string("Context: GSS_C_NO_CONTEXT");
   major_status = gssapi_lib->inquire_context(&minor_status,
                                              context_handle,
                                              &src_name,
@@ -347,65 +293,41 @@ std::string DescribeContext(GSSAPILibrary* gssapi_lib,
                                              &ctx_flags,
                                              &locally_initiated,
                                              &open);
-  ScopedName scoped_src_name(src_name, gssapi_lib);
-  ScopedName scoped_targ_name(targ_name, gssapi_lib);
   if (major_status != GSS_S_COMPLETE) {
-    std::string error =
-        base::StringPrintf("Unable to describe context 0x%p, %s",
-                           context_handle,
-                           DisplayExtendedStatus(gssapi_lib,
-                                                 major_status,
-                                                 minor_status).c_str());
-    return error;
+    rv.SetKey("error", GetGssStatusValue(gssapi_lib, "gss_inquire_context",
+                                         major_status, minor_status));
+    return rv;
   }
-  std::string source(DescribeName(gssapi_lib, src_name));
-  std::string target(DescribeName(gssapi_lib, targ_name));
-  std::string description = base::StringPrintf("Context 0x%p: "
-                                               "Source \"%s\", "
-                                               "Target \"%s\", "
-                                                "lifetime %d, "
-                                                "mechanism %s, "
-                                                "flags 0x%08X, "
-                                                "local %d, "
-                                                "open %d",
-                                                context_handle,
-                                                source.c_str(),
-                                                target.c_str(),
-                                                lifetime_rec,
-                                                DescribeOid(gssapi_lib,
-                                                            mech_type).c_str(),
-                                                ctx_flags,
-                                                locally_initiated,
-                                                open);
-  return description;
+  ScopedName scoped_src_name(src_name, gssapi_lib);
+  ScopedName scoped_targ_name(targ_name, gssapi_lib);
+
+  rv.SetKey("source", GetDisplayNameValue(gssapi_lib, src_name));
+  rv.SetKey("target", GetDisplayNameValue(gssapi_lib, targ_name));
+  // lifetime_rec is a uint32, while base::Value only takes ints. On 32 bit
+  // platforms uint32 doesn't fit on an int.
+  rv.SetStringKey("lifetime", base::NumberToString(lifetime_rec));
+  rv.SetKey("mechanism", OidToValue(mech_type));
+  rv.SetKey("flags", ContextFlagsToValue(ctx_flags));
+  rv.SetBoolKey("open", !!open);
+  return rv;
 }
 
-OM_uint32 DelegationTypeToFlag(DelegationType delegation_type) {
-  switch (delegation_type) {
-    case DelegationType::kNone:
-      return 0;
-    case DelegationType::kByKdcPolicy:
-      return GSS_C_DELEG_POLICY_FLAG;
-    case DelegationType::kUnconstrained:
-      return GSS_C_DELEG_FLAG;
-  }
+namespace {
+
+// Return a NetLog value for the result of loading a library.
+base::Value LibraryLoadResultParams(base::StringPiece library_name,
+                                    base::StringPiece load_result) {
+  base::Value params{base::Value::Type::DICTIONARY};
+  params.SetStringKey("library_name", library_name);
+  if (!load_result.empty())
+    params.SetStringKey("load_result", load_result);
+  return params;
 }
 
 }  // namespace
 
 GSSAPISharedLibrary::GSSAPISharedLibrary(const std::string& gssapi_library_name)
-    : initialized_(false),
-      gssapi_library_name_(gssapi_library_name),
-      gssapi_library_(nullptr),
-      import_name_(nullptr),
-      release_name_(nullptr),
-      release_buffer_(nullptr),
-      display_name_(nullptr),
-      display_status_(nullptr),
-      init_sec_context_(nullptr),
-      wrap_size_limit_(nullptr),
-      delete_sec_context_(nullptr),
-      inquire_context_(nullptr) {}
+    : gssapi_library_name_(gssapi_library_name) {}
 
 GSSAPISharedLibrary::~GSSAPISharedLibrary() {
   if (gssapi_library_) {
@@ -414,24 +336,23 @@ GSSAPISharedLibrary::~GSSAPISharedLibrary() {
   }
 }
 
-bool GSSAPISharedLibrary::Init() {
+bool GSSAPISharedLibrary::Init(const NetLogWithSource& net_log) {
   if (!initialized_)
-    InitImpl();
+    InitImpl(net_log);
   return initialized_;
 }
 
-bool GSSAPISharedLibrary::InitImpl() {
+bool GSSAPISharedLibrary::InitImpl(const NetLogWithSource& net_log) {
   DCHECK(!initialized_);
-#if defined(DLOPEN_KERBEROS)
-  gssapi_library_ = LoadSharedLibrary();
+  gssapi_library_ = LoadSharedLibrary(net_log);
   if (gssapi_library_ == nullptr)
     return false;
-#endif  // defined(DLOPEN_KERBEROS)
   initialized_ = true;
   return true;
 }
 
-base::NativeLibrary GSSAPISharedLibrary::LoadSharedLibrary() {
+base::NativeLibrary GSSAPISharedLibrary::LoadSharedLibrary(
+    const NetLogWithSource& net_log) {
   const char* const* library_names;
   size_t num_lib_names;
   const char* user_specified_library[1];
@@ -456,68 +377,117 @@ base::NativeLibrary GSSAPISharedLibrary::LoadSharedLibrary() {
     num_lib_names = base::size(kDefaultLibraryNames);
   }
 
+  net_log.BeginEvent(NetLogEventType::AUTH_LIBRARY_LOAD);
+
+  // There has to be at least one candidate.
+  DCHECK_NE(0u, num_lib_names);
+
+  const char* library_name = nullptr;
+  base::NativeLibraryLoadError load_error;
+
   for (size_t i = 0; i < num_lib_names; ++i) {
-    const char* library_name = library_names[i];
+    load_error = base::NativeLibraryLoadError();
+    library_name = library_names[i];
     base::FilePath file_path(library_name);
 
     // TODO(asanka): Move library loading to a separate thread.
     //               http://crbug.com/66702
     base::ThreadRestrictions::ScopedAllowIO allow_io_temporarily;
-    base::NativeLibraryLoadError load_error;
     base::NativeLibrary lib = base::LoadNativeLibrary(file_path, &load_error);
     if (lib) {
-      // Only return this library if we can bind the functions we need.
-      if (BindMethods(lib))
+      if (BindMethods(lib, library_name, net_log)) {
+        net_log.EndEvent(NetLogEventType::AUTH_LIBRARY_LOAD, [&] {
+          return LibraryLoadResultParams(library_name, "");
+        });
         return lib;
+      }
       base::UnloadNativeLibrary(lib);
-    } else {
-      // If this is the only library available, log the reason for failure.
-      LOG_IF(WARNING, num_lib_names == 1) << load_error.ToString();
     }
   }
-  LOG(WARNING) << "Unable to find a compatible GSSAPI library";
+
+  // If loading failed, then log the result of the final attempt. Doing so
+  // is specially important on platforms where there's only one possible
+  // library. Doing so also always logs the failure when the GSSAPI library
+  // name is explicitly specified.
+  net_log.EndEvent(NetLogEventType::AUTH_LIBRARY_LOAD, [&] {
+    return LibraryLoadResultParams(library_name, load_error.ToString());
+  });
   return nullptr;
 }
 
-#if defined(DLOPEN_KERBEROS)
-#define BIND(lib, x)                                              \
-  DCHECK(lib);                                                    \
-  gss_##x##_type x = reinterpret_cast<gss_##x##_type>(            \
-      base::GetFunctionPointerFromNativeLibrary(lib, "gss_" #x)); \
-  if (x == nullptr) {                                             \
-    LOG(WARNING) << "Unable to bind function \""                  \
-                 << "gss_" #x << "\"";                            \
-    return false;                                                 \
-  }
-#else
-#define BIND(lib, x) gss_##x##_type x = gss_##x
-#endif
+namespace {
 
-bool GSSAPISharedLibrary::BindMethods(base::NativeLibrary lib) {
-  BIND(lib, import_name);
-  BIND(lib, release_name);
-  BIND(lib, release_buffer);
-  BIND(lib, display_name);
-  BIND(lib, display_status);
-  BIND(lib, init_sec_context);
-  BIND(lib, wrap_size_limit);
-  BIND(lib, delete_sec_context);
-  BIND(lib, inquire_context);
-
-  import_name_ = import_name;
-  release_name_ = release_name;
-  release_buffer_ = release_buffer;
-  display_name_ = display_name;
-  display_status_ = display_status;
-  init_sec_context_ = init_sec_context;
-  wrap_size_limit_ = wrap_size_limit;
-  delete_sec_context_ = delete_sec_context;
-  inquire_context_ = inquire_context;
+base::Value BindFailureParams(base::StringPiece library_name,
+                              base::StringPiece method) {
+  base::Value params{base::Value::Type::DICTIONARY};
+  params.SetStringKey("library_name", library_name);
+  params.SetStringKey("method", method);
+  return params;
+}
+
+void* BindUntypedMethod(base::NativeLibrary lib,
+                        base::StringPiece library_name,
+                        base::StringPiece method,
+                        const NetLogWithSource& net_log) {
+  void* ptr = base::GetFunctionPointerFromNativeLibrary(lib, method);
+  if (ptr == nullptr) {
+    std::string method_string = method.as_string();
+    net_log.AddEvent(NetLogEventType::AUTH_LIBRARY_BIND_FAILED,
+                     [&] { return BindFailureParams(library_name, method); });
+  }
+  return ptr;
+}
 
-  return true;
+template <typename T>
+bool BindMethod(base::NativeLibrary lib,
+                base::StringPiece library_name,
+                base::StringPiece method,
+                T* receiver,
+                const NetLogWithSource& net_log) {
+  *receiver = reinterpret_cast<T>(
+      BindUntypedMethod(lib, library_name, method, net_log));
+  return *receiver != nullptr;
 }
 
-#undef BIND
+}  // namespace
+
+bool GSSAPISharedLibrary::BindMethods(base::NativeLibrary lib,
+                                      base::StringPiece name,
+                                      const NetLogWithSource& net_log) {
+  bool ok = true;
+  // It's unlikely for BindMethods() to fail if LoadNativeLibrary() succeeded. A
+  // failure in this function indicates an interoperability issue whose
+  // diagnosis requires knowing all the methods that are missing. Hence |ok| is
+  // updated in a manner that prevents short-circuiting the BindGssMethod()
+  // invocations.
+  ok &= BindMethod(lib, name, "gss_delete_sec_context", &delete_sec_context_,
+                   net_log);
+  ok &= BindMethod(lib, name, "gss_display_name", &display_name_, net_log);
+  ok &= BindMethod(lib, name, "gss_display_status", &display_status_, net_log);
+  ok &= BindMethod(lib, name, "gss_import_name", &import_name_, net_log);
+  ok &= BindMethod(lib, name, "gss_init_sec_context", &init_sec_context_,
+                   net_log);
+  ok &=
+      BindMethod(lib, name, "gss_inquire_context", &inquire_context_, net_log);
+  ok &= BindMethod(lib, name, "gss_release_buffer", &release_buffer_, net_log);
+  ok &= BindMethod(lib, name, "gss_release_name", &release_name_, net_log);
+  ok &=
+      BindMethod(lib, name, "gss_wrap_size_limit", &wrap_size_limit_, net_log);
+
+  if (LIKELY(ok))
+    return true;
+
+  delete_sec_context_ = nullptr;
+  display_name_ = nullptr;
+  display_status_ = nullptr;
+  import_name_ = nullptr;
+  init_sec_context_ = nullptr;
+  inquire_context_ = nullptr;
+  release_buffer_ = nullptr;
+  release_name_ = nullptr;
+  wrap_size_limit_ = nullptr;
+  return false;
+}
 
 OM_uint32 GSSAPISharedLibrary::import_name(
     OM_uint32* minor_status,
@@ -665,10 +635,10 @@ ScopedSecurityContext::~ScopedSecurityContext() {
     OM_uint32 minor_status = 0;
     OM_uint32 major_status = gssapi_lib_->delete_sec_context(
         &minor_status, &security_context_, &output_token);
-    if (major_status != GSS_S_COMPLETE) {
-      LOG(WARNING) << "Problem releasing security_context. "
-                   << DisplayStatus(major_status, minor_status);
-    }
+    DLOG_IF(WARNING, major_status != GSS_S_COMPLETE)
+        << "Problem releasing security_context. "
+        << GetGssStatusValue(gssapi_lib_, "delete_sec_context", major_status,
+                             minor_status);
     security_context_ = GSS_C_NO_CONTEXT;
   }
 }
@@ -685,10 +655,10 @@ HttpAuthGSSAPI::HttpAuthGSSAPI(GSSAPILibrary* library,
 
 HttpAuthGSSAPI::~HttpAuthGSSAPI() = default;
 
-bool HttpAuthGSSAPI::Init() {
+bool HttpAuthGSSAPI::Init(const NetLogWithSource& net_log) {
   if (!library_)
     return false;
-  return library_->Init();
+  return library_->Init(net_log);
 }
 
 bool HttpAuthGSSAPI::NeedsIdentity() const {
@@ -717,6 +687,7 @@ int HttpAuthGSSAPI::GenerateAuthToken(const AuthCredentials* credentials,
                                       const std::string& spn,
                                       const std::string& channel_bindings,
                                       std::string* auth_token,
+                                      const NetLogWithSource& net_log,
                                       CompletionOnceCallback /*callback*/) {
   DCHECK(auth_token);
 
@@ -727,8 +698,8 @@ int HttpAuthGSSAPI::GenerateAuthToken(const AuthCredentials* credentials,
                           : nullptr;
   gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
   ScopedBuffer scoped_output_token(&output_token, library_);
-  int rv =
-      GetNextSecurityToken(spn, channel_bindings, &input_token, &output_token);
+  int rv = GetNextSecurityToken(spn, channel_bindings, &input_token,
+                                &output_token, net_log);
   if (rv != OK)
     return rv;
 
@@ -741,7 +712,6 @@ int HttpAuthGSSAPI::GenerateAuthToken(const AuthCredentials* credentials,
   return OK;
 }
 
-
 namespace {
 
 // GSSAPI status codes consist of a calling error (essentially, a programmer
@@ -750,7 +720,6 @@ namespace {
 // This means a simple switch on the return codes is not sufficient.
 
 int MapImportNameStatusToError(OM_uint32 major_status) {
-  VLOG(1) << "import_name returned 0x" << std::hex << major_status;
   if (major_status == GSS_S_COMPLETE)
     return OK;
   if (GSS_CALLING_ERROR(major_status) != 0)
@@ -777,7 +746,6 @@ int MapImportNameStatusToError(OM_uint32 major_status) {
 }
 
 int MapInitSecContextStatusToError(OM_uint32 major_status) {
-  VLOG(1) << "init_sec_context returned 0x" << std::hex << major_status;
   // Although GSS_S_CONTINUE_NEEDED is an additional bit, it seems like
   // other code just checks if major_status is equivalent to it to indicate
   // that there are no other errors included.
@@ -833,12 +801,45 @@ int MapInitSecContextStatusToError(OM_uint32 major_status) {
   return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS;
 }
 
+base::Value ImportNameErrorParams(GSSAPILibrary* library,
+                                  base::StringPiece spn,
+                                  OM_uint32 major_status,
+                                  OM_uint32 minor_status) {
+  base::Value params{base::Value::Type::DICTIONARY};
+  params.SetStringKey("spn", spn);
+  if (major_status != GSS_S_COMPLETE)
+    params.SetKey("status", GetGssStatusValue(library, "import_name",
+                                              major_status, minor_status));
+  return params;
+}
+
+base::Value InitSecContextErrorParams(GSSAPILibrary* library,
+                                      gss_ctx_id_t context,
+                                      OM_uint32 major_status,
+                                      OM_uint32 minor_status) {
+  base::Value params{base::Value::Type::DICTIONARY};
+  if (major_status != GSS_S_COMPLETE)
+    params.SetKey("status", GetGssStatusValue(library, "gss_init_sec_context",
+                                              major_status, minor_status));
+  if (context != GSS_C_NO_CONTEXT)
+    params.SetKey("context", GetContextStateAsValue(library, context));
+  return params;
+}
+
 }  // anonymous namespace
 
 int HttpAuthGSSAPI::GetNextSecurityToken(const std::string& spn,
                                          const std::string& channel_bindings,
                                          gss_buffer_t in_token,
-                                         gss_buffer_t out_token) {
+                                         gss_buffer_t out_token,
+                                         const NetLogWithSource& net_log) {
+  // GSSAPI header files, to this day, require OIDs passed in as non-const
+  // pointers. Rather than const casting, let's just leave this as non-const.
+  // Even if the OID pointer is const, the inner |elements| pointer is still
+  // non-const.
+  static gss_OID_desc kGSS_C_NT_HOSTBASED_SERVICE = {
+      10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")};
+
   // Create a name for the principal
   // TODO(cbentzel): Just do this on the first pass?
   std::string spn_principal = spn;
@@ -847,38 +848,33 @@ int HttpAuthGSSAPI::GetNextSecurityToken(const std::string& spn,
   spn_buffer.length = spn_principal.size() + 1;
   OM_uint32 minor_status = 0;
   gss_name_t principal_name = GSS_C_NO_NAME;
-  OM_uint32 major_status = library_->import_name(
-      &minor_status,
-      &spn_buffer,
-      GSS_C_NT_HOSTBASED_SERVICE,
-      &principal_name);
+
+  OM_uint32 major_status =
+      library_->import_name(&minor_status, &spn_buffer,
+                            &kGSS_C_NT_HOSTBASED_SERVICE, &principal_name);
+  net_log.AddEvent(NetLogEventType::AUTH_LIBRARY_IMPORT_NAME, [&] {
+    return ImportNameErrorParams(library_, spn, major_status, minor_status);
+  });
   int rv = MapImportNameStatusToError(major_status);
-  if (rv != OK) {
-    LOG(ERROR) << "Problem importing name from "
-               << "spn \"" << spn_principal << "\"\n"
-               << DisplayExtendedStatus(library_, major_status, minor_status);
+  if (rv != OK)
     return rv;
-  }
   ScopedName scoped_name(principal_name, library_);
 
   // Continue creating a security context.
-  OM_uint32 req_flags = DelegationTypeToFlag(delegation_type_);
+  net_log.BeginEvent(NetLogEventType::AUTH_LIBRARY_INIT_SEC_CTX);
   major_status = library_->init_sec_context(
       &minor_status, GSS_C_NO_CREDENTIAL, scoped_sec_context_.receive(),
-      principal_name, gss_oid_, req_flags, GSS_C_INDEFINITE,
-      GSS_C_NO_CHANNEL_BINDINGS, in_token,
+      principal_name, gss_oid_, DelegationTypeToFlag(delegation_type_),
+      GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, in_token,
       nullptr,  // actual_mech_type
       out_token,
       nullptr,  // ret flags
       nullptr);
-  rv = MapInitSecContextStatusToError(major_status);
-  if (rv != OK) {
-    LOG(ERROR) << "Problem initializing context. \n"
-               << DisplayExtendedStatus(library_, major_status, minor_status)
-               << '\n'
-               << DescribeContext(library_, scoped_sec_context_.get());
-  }
-  return rv;
+  net_log.EndEvent(NetLogEventType::AUTH_LIBRARY_INIT_SEC_CTX, [&] {
+    return InitSecContextErrorParams(library_, scoped_sec_context_.get(),
+                                     major_status, minor_status);
+  });
+  return MapInitSecContextStatusToError(major_status);
 }
 
 }  // namespace net
diff --git a/chromium/net/http/http_auth_gssapi_posix.h b/chromium/net/http/http_auth_gssapi_posix.h
index eba04bbd7f2..c118e5b1706 100644
--- a/chromium/net/http/http_auth_gssapi_posix.h
+++ b/chromium/net/http/http_auth_gssapi_posix.h
@@ -10,6 +10,8 @@
 #include "base/gtest_prod_util.h"
 #include "base/macros.h"
 #include "base/native_library.h"
+#include "base/strings/string_piece_forward.h"
+#include "base/values.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
 #include "net/http/http_auth.h"
@@ -41,7 +43,7 @@ class NET_EXPORT_PRIVATE GSSAPILibrary {
   // Initializes the library, including any necessary dynamic libraries.
   // This is done separately from construction (which happens at startup time)
   // in order to delay work until the class is actually needed.
-  virtual bool Init() = 0;
+  virtual bool Init(const NetLogWithSource& net_log) = 0;
 
   // These methods match the ones in the GSSAPI library.
   virtual OM_uint32 import_name(
@@ -114,7 +116,7 @@ class NET_EXPORT_PRIVATE GSSAPISharedLibrary : public GSSAPILibrary {
   ~GSSAPISharedLibrary() override;
 
   // GSSAPILibrary methods:
-  bool Init() override;
+  bool Init(const NetLogWithSource& net_log) override;
   OM_uint32 import_name(OM_uint32* minor_status,
                         const gss_buffer_t input_name_buffer,
                         const gss_OID input_name_type,
@@ -167,41 +169,33 @@ class NET_EXPORT_PRIVATE GSSAPISharedLibrary : public GSSAPILibrary {
   const std::string& GetLibraryNameForTesting() override;
 
  private:
-  typedef decltype(&gss_import_name) gss_import_name_type;
-  typedef decltype(&gss_release_name) gss_release_name_type;
-  typedef decltype(&gss_release_buffer) gss_release_buffer_type;
-  typedef decltype(&gss_display_name) gss_display_name_type;
-  typedef decltype(&gss_display_status) gss_display_status_type;
-  typedef decltype(&gss_init_sec_context) gss_init_sec_context_type;
-  typedef decltype(&gss_wrap_size_limit) gss_wrap_size_limit_type;
-  typedef decltype(&gss_delete_sec_context) gss_delete_sec_context_type;
-  typedef decltype(&gss_inquire_context) gss_inquire_context_type;
-
   FRIEND_TEST_ALL_PREFIXES(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup);
 
-  bool InitImpl();
+  bool InitImpl(const NetLogWithSource& net_log);
   // Finds a usable dynamic library for GSSAPI and loads it.  The criteria are:
   //   1. The library must exist.
   //   2. The library must export the functions we need.
-  base::NativeLibrary LoadSharedLibrary();
-  bool BindMethods(base::NativeLibrary lib);
+  base::NativeLibrary LoadSharedLibrary(const NetLogWithSource& net_log);
+  bool BindMethods(base::NativeLibrary lib,
+                   base::StringPiece library_name,
+                   const NetLogWithSource& net_log);
 
-  bool initialized_;
+  bool initialized_ = false;
 
   std::string gssapi_library_name_;
   // Need some way to invalidate the library.
-  base::NativeLibrary gssapi_library_;
+  base::NativeLibrary gssapi_library_ = nullptr;
 
   // Function pointers
-  gss_import_name_type import_name_;
-  gss_release_name_type release_name_;
-  gss_release_buffer_type release_buffer_;
-  gss_display_name_type display_name_;
-  gss_display_status_type display_status_;
-  gss_init_sec_context_type init_sec_context_;
-  gss_wrap_size_limit_type wrap_size_limit_;
-  gss_delete_sec_context_type delete_sec_context_;
-  gss_inquire_context_type inquire_context_;
+  decltype(&gss_import_name) import_name_ = nullptr;
+  decltype(&gss_release_name) release_name_ = nullptr;
+  decltype(&gss_release_buffer) release_buffer_ = nullptr;
+  decltype(&gss_display_name) display_name_ = nullptr;
+  decltype(&gss_display_status) display_status_ = nullptr;
+  decltype(&gss_init_sec_context) init_sec_context_ = nullptr;
+  decltype(&gss_wrap_size_limit) wrap_size_limit_ = nullptr;
+  decltype(&gss_delete_sec_context) delete_sec_context_ = nullptr;
+  decltype(&gss_inquire_context) inquire_context_ = nullptr;
 };
 
 // ScopedSecurityContext releases a gss_ctx_id_t when it goes out of
@@ -215,7 +209,7 @@ class ScopedSecurityContext {
   gss_ctx_id_t* receive() { return &security_context_; }
 
  private:
-  gss_ctx_id_t security_context_;
+  gss_ctx_id_t security_context_ = GSS_C_NO_CONTEXT;
   GSSAPILibrary* gssapi_lib_;
 
   DISALLOW_COPY_AND_ASSIGN(ScopedSecurityContext);
@@ -231,7 +225,7 @@ class NET_EXPORT_PRIVATE HttpAuthGSSAPI : public HttpNegotiateAuthSystem {
   ~HttpAuthGSSAPI() override;
 
   // HttpNegotiateAuthSystem implementation:
-  bool Init() override;
+  bool Init(const NetLogWithSource& net_log) override;
   bool NeedsIdentity() const override;
   bool AllowsExplicitCredentials() const override;
   HttpAuth::AuthorizationResult ParseChallenge(
@@ -240,6 +234,7 @@ class NET_EXPORT_PRIVATE HttpAuthGSSAPI : public HttpNegotiateAuthSystem {
                         const std::string& spn,
                         const std::string& channel_bindings,
                         std::string* auth_token,
+                        const NetLogWithSource& net_log,
                         CompletionOnceCallback callback) override;
   void SetDelegation(HttpAuth::DelegationType delegation_type) override;
 
@@ -247,7 +242,8 @@ class NET_EXPORT_PRIVATE HttpAuthGSSAPI : public HttpNegotiateAuthSystem {
   int GetNextSecurityToken(const std::string& spn,
                            const std::string& channel_bindings,
                            gss_buffer_t in_token,
-                           gss_buffer_t out_token);
+                           gss_buffer_t out_token,
+                           const NetLogWithSource& net_log);
 
   std::string scheme_;
   gss_OID gss_oid_;
@@ -257,6 +253,117 @@ class NET_EXPORT_PRIVATE HttpAuthGSSAPI : public HttpNegotiateAuthSystem {
   HttpAuth::DelegationType delegation_type_ = HttpAuth::DelegationType::kNone;
 };
 
+// Diagnostics
+
+// GetGssStatusCodeValue constructs a base::Value containing a status code and a
+// message.
+//
+//     {
+//       "status" : <status value as a number>,
+//       "message": [
+//          <list of strings explaining what that number means>
+//       ]
+//     }
+//
+// Messages are looked up via gss_display_status() exposed by |gssapi_lib|. The
+// type of status code should be indicated by setting |status_code_type| to
+// either |GSS_C_MECH_CODE| or |GSS_C_GSS_CODE|.
+//
+// Mechanism specific codes aren't unique, so the mechanism needs to be
+// identified to look up messages if |status_code_type| is |GSS_C_MECH_CODE|.
+// Since no mechanism OIDs are passed in, mechanism specific status codes will
+// likely not have messages.
+NET_EXPORT_PRIVATE base::Value GetGssStatusCodeValue(
+    GSSAPILibrary* gssapi_lib,
+    OM_uint32 status,
+    OM_uint32 status_code_type);
+
+// Given major and minor GSSAPI status codes, returns a base::Value
+// encapsulating the codes as well as their meanings as expanded via
+// gss_display_status().
+//
+// The base::Value has the following structure:
+//   {
+//     "function": <name of GSSAPI function that returned the error>
+//     "major_status": {
+//       "status" : <status value as a number>,
+//       "message": [
+//          <list of strings hopefully explaining what that number means>
+//       ]
+//     },
+//     "minor_status": {
+//       "status" : <status value as a number>,
+//       "message": [
+//          <list of strings hopefully explaining what that number means>
+//       ]
+//     }
+//   }
+//
+// Passing nullptr to |gssapi_lib| will skip the message lookups. Thus the
+// returned value will be missing the "message" fields. The same is true if the
+// message lookup failed for some reason, or if the lookups succeeded but
+// yielded an empty message.
+NET_EXPORT_PRIVATE base::Value GetGssStatusValue(GSSAPILibrary* gssapi_lib,
+                                                 base::StringPiece method,
+                                                 OM_uint32 major_status,
+                                                 OM_uint32 minor_status);
+
+// OidToValue returns a base::Value representing an OID. The structure of the
+// value is:
+//   {
+//     "oid":    <symbolic name of OID if it is known>
+//     "length": <length in bytes of serialized OID>,
+//     "bytes":  <hexdump of up to 1024 bytes of serialized OID>
+//   }
+NET_EXPORT_PRIVATE base::Value OidToValue(const gss_OID oid);
+
+// GetDisplayNameValue returns a base::Value representing a gss_name_t. It
+// invokes |gss_display_name()| via |gssapi_lib| to determine the display name
+// associated with |gss_name|.
+//
+// The structure of the returned value is:
+//   {
+//     "gss_name": <display name as returned by gss_display_name()>,
+//     "type": <OID indicating type. See OidToValue() for structure of this
+//              field>
+//   }
+//
+// If the lookup failed, then the structure is:
+//   {
+//     "error": <error. See GetGssStatusValue() for structure.>
+//   }
+//
+// Note that |gss_name_t| is platform dependent. If |gss_display_name| fails,
+// there's no good value to display in its stead.
+NET_EXPORT_PRIVATE base::Value GetDisplayNameValue(GSSAPILibrary* gssapi_lib,
+                                                   const gss_name_t gss_name);
+
+// GetContextStateAsValue returns a base::Value that describes the state of a
+// GSSAPI context. The structure of the value is:
+//
+//   {
+//     "source": {
+//       "name": <GSSAPI principal name of source (e.g. the user)>,
+//       "type": <OID of name type>
+//     },
+//     "target": {
+//       "name": <GSSAPI principal name of target (e.g. the server)>,
+//       "type": <OID of name type>
+//     },
+//     "lifetime": <Lifetime of the negotiated context in seconds.>,
+//     "mechanism": <OID of negotiated mechanism>,
+//     "flags": <Context flags. See documentation for gss_inquire_context for
+//               flag values>
+//     "open": <True if the context has finished the handshake>
+//   }
+//
+// If the inquiry fails, the following is returned:
+//   {
+//     "error": <error. See GetGssStatusValue() for structure.>
+//   }
+NET_EXPORT_PRIVATE base::Value GetContextStateAsValue(
+    GSSAPILibrary* gssapi_lib,
+    const gss_ctx_id_t context_handle);
 }  // namespace net
 
 #endif  // NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_
diff --git a/chromium/net/http/http_auth_gssapi_posix_unittest.cc b/chromium/net/http/http_auth_gssapi_posix_unittest.cc
index 158f5f1ff06..7ae41f76c82 100644
--- a/chromium/net/http/http_auth_gssapi_posix_unittest.cc
+++ b/chromium/net/http/http_auth_gssapi_posix_unittest.cc
@@ -6,13 +6,20 @@
 
 #include <memory>
 
+#include "base/base_paths.h"
 #include "base/bind.h"
+#include "base/json/json_reader.h"
 #include "base/logging.h"
 #include "base/native_library.h"
+#include "base/path_service.h"
 #include "base/stl_util.h"
 #include "net/base/net_errors.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/mock_gssapi_library_posix.h"
+#include "net/log/net_log_with_source.h"
+#include "net/log/test_net_log.h"
+#include "net/log/test_net_log_util.h"
+#include "net/net_buildflags.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
@@ -82,27 +89,100 @@ void UnexpectedCallback(int result) {
 }  // namespace
 
 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup) {
+  BoundTestNetLog log;
   // TODO(ahendrickson): Manipulate the libraries and paths to test each of the
   // libraries we expect, and also whether or not they have the interface
   // functions we want.
   std::unique_ptr<GSSAPILibrary> gssapi(new GSSAPISharedLibrary(std::string()));
   DCHECK(gssapi.get());
-  EXPECT_TRUE(gssapi.get()->Init());
+  EXPECT_TRUE(gssapi.get()->Init(log.bound()));
+
+  // Should've logged a AUTH_LIBRARY_LOAD event, but not
+  // AUTH_LIBRARY_BIND_FAILED.
+  auto entries = log.GetEntries();
+  auto offset = ExpectLogContainsSomewhere(
+      entries, 0u, NetLogEventType::AUTH_LIBRARY_LOAD, NetLogEventPhase::BEGIN);
+  offset = ExpectLogContainsSomewhereAfter(entries, offset,
+                                           NetLogEventType::AUTH_LIBRARY_LOAD,
+                                           NetLogEventPhase::END);
+  ASSERT_LT(offset, entries.size());
+
+  const auto& entry = entries[offset];
+  EXPECT_NE("", GetStringValueFromParams(entry, "library_name"));
+
+  // No load_result since it succeeded.
+  EXPECT_FALSE(GetOptionalStringValueFromParams(entry, "load_result"));
 }
 
-#if defined(DLOPEN_KERBEROS)
-TEST(HttpAuthGSSAPIPOSIXTest, GSSAPILoadCustomLibrary) {
+TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryMissing) {
+  BoundTestNetLog log;
+
   std::unique_ptr<GSSAPILibrary> gssapi(
       new GSSAPISharedLibrary("/this/library/does/not/exist"));
-  EXPECT_FALSE(gssapi.get()->Init());
+  EXPECT_FALSE(gssapi.get()->Init(log.bound()));
+
+  auto entries = log.GetEntries();
+  auto offset = ExpectLogContainsSomewhere(
+      entries, 0, NetLogEventType::AUTH_LIBRARY_LOAD, NetLogEventPhase::END);
+  ASSERT_LT(offset, entries.size());
+
+  const auto& entry = entries[offset];
+  EXPECT_NE("", GetStringValueFromParams(entry, "load_result"));
+}
+
+TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryExists) {
+  BoundTestNetLog log;
+  base::FilePath module;
+  ASSERT_TRUE(base::PathService::Get(base::DIR_MODULE, &module));
+  auto basename = base::GetNativeLibraryName("test_gssapi");
+  module = module.AppendASCII(basename);
+  auto gssapi = std::make_unique<GSSAPISharedLibrary>(module.value());
+  EXPECT_TRUE(gssapi.get()->Init(log.bound()));
+
+  auto entries = log.GetEntries();
+  auto offset = ExpectLogContainsSomewhere(
+      entries, 0, NetLogEventType::AUTH_LIBRARY_LOAD, NetLogEventPhase::END);
+  ASSERT_LT(offset, entries.size());
+
+  const auto& entry = entries[offset];
+  EXPECT_FALSE(GetOptionalStringValueFromParams(entry, "load_result"));
+  EXPECT_EQ(module.AsUTF8Unsafe(),
+            GetStringValueFromParams(entry, "library_name"));
+}
+
+TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryMethodsMissing) {
+  BoundTestNetLog log;
+  base::FilePath module;
+  ASSERT_TRUE(base::PathService::Get(base::DIR_MODULE, &module));
+  auto basename = base::GetNativeLibraryName("test_badgssapi");
+  module = module.AppendASCII(basename);
+  auto gssapi = std::make_unique<GSSAPISharedLibrary>(module.value());
+
+  // Are you here because this test mysteriously passed even though the library
+  // doesn't actually have all the methods we need? This could be because the
+  // test library (//net:test_badgssapi) inadvertently depends on a valid GSSAPI
+  // library. On macOS this can happen because it's pretty easy to end up
+  // depending on GSS.framework.
+  //
+  // To resolve this issue, make sure that //net:test_badgssapi target in
+  // //net/BUILD.gn should have an empty `deps` and an empty `libs`.
+  EXPECT_FALSE(gssapi.get()->Init(log.bound()));
+
+  auto entries = log.GetEntries();
+  auto offset = ExpectLogContainsSomewhere(
+      entries, 0, NetLogEventType::AUTH_LIBRARY_BIND_FAILED,
+      NetLogEventPhase::NONE);
+  ASSERT_LT(offset, entries.size());
+
+  const auto& entry = entries[offset];
+  EXPECT_EQ("gss_import_name", GetStringValueFromParams(entry, "method"));
 }
-#endif  // defined(DLOPEN_KERBEROS)
 
 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPICycle) {
   std::unique_ptr<test::MockGSSAPILibrary> mock_library(
       new test::MockGSSAPILibrary);
   DCHECK(mock_library.get());
-  mock_library->Init();
+  mock_library->Init(NetLogWithSource());
   const char kAuthResponse[] = "Mary had a little lamb";
   test::GssContextMockImpl context1(
       "localhost",                         // Source name
@@ -198,6 +278,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_FirstRound) {
 }
 
 TEST(HttpAuthGSSAPITest, ParseChallenge_TwoRounds) {
+  BoundTestNetLog log;
   // The first round should just have "Negotiate", and the second round should
   // have a valid base64 token associated with it.
   test::MockGSSAPILibrary mock_library;
@@ -212,15 +293,30 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_TwoRounds) {
   // Generate an auth token and create another thing.
   EstablishInitialContext(&mock_library);
   std::string auth_token;
-  EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(
-                    nullptr, "HTTP/intranet.google.com", std::string(),
-                    &auth_token, base::BindOnce(&UnexpectedCallback)));
+  EXPECT_EQ(
+      OK, auth_gssapi.GenerateAuthToken(nullptr, "HTTP/intranet.google.com",
+                                        std::string(), &auth_token, log.bound(),
+                                        base::BindOnce(&UnexpectedCallback)));
 
   std::string second_challenge_text = "Negotiate Zm9vYmFy";
   HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
                                               second_challenge_text.end());
   EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
             auth_gssapi.ParseChallenge(&second_challenge));
+
+  auto entries = log.GetEntries();
+  auto offset = ExpectLogContainsSomewhere(
+      entries, 0, NetLogEventType::AUTH_LIBRARY_INIT_SEC_CTX,
+      NetLogEventPhase::END);
+  // There should be two of these.
+  offset = ExpectLogContainsSomewhere(
+      entries, offset, NetLogEventType::AUTH_LIBRARY_INIT_SEC_CTX,
+      NetLogEventPhase::END);
+  ASSERT_LT(offset, entries.size());
+  const std::string* source =
+      entries[offset].params.FindStringPath("context.source.name");
+  ASSERT_TRUE(source);
+  EXPECT_EQ("localhost", *source);
 }
 
 TEST(HttpAuthGSSAPITest, ParseChallenge_UnexpectedTokenFirstRound) {
@@ -250,9 +346,10 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_MissingTokenSecondRound) {
 
   EstablishInitialContext(&mock_library);
   std::string auth_token;
-  EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(
-                    nullptr, "HTTP/intranet.google.com", std::string(),
-                    &auth_token, base::BindOnce(&UnexpectedCallback)));
+  EXPECT_EQ(OK,
+            auth_gssapi.GenerateAuthToken(
+                nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
+                NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
   std::string second_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
                                               second_challenge_text.end());
@@ -274,9 +371,10 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_NonBase64EncodedToken) {
 
   EstablishInitialContext(&mock_library);
   std::string auth_token;
-  EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(
-                    nullptr, "HTTP/intranet.google.com", std::string(),
-                    &auth_token, base::BindOnce(&UnexpectedCallback)));
+  EXPECT_EQ(OK,
+            auth_gssapi.GenerateAuthToken(
+                nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
+                NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
   std::string second_challenge_text = "Negotiate =happyjoy=";
   HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
                                               second_challenge_text.end());
@@ -284,4 +382,282 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_NonBase64EncodedToken) {
             auth_gssapi.ParseChallenge(&second_challenge));
 }
 
+TEST(HttpAuthGSSAPITest, OidToValue_NIL) {
+  auto actual = OidToValue(GSS_C_NO_OID);
+  auto expected = base::JSONReader::Read(R"({ "oid": "<Empty OID>" })");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, OidToValue_Known) {
+  gss_OID_desc known = {6, const_cast<char*>("\x2b\x06\01\x05\x06\x03")};
+
+  auto actual = OidToValue(const_cast<const gss_OID>(&known));
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "oid"   : "GSS_C_NT_ANONYMOUS",
+        "length": 6,
+        "bytes" : "KwYBBQYD"
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, OidToValue_Unknown) {
+  gss_OID_desc unknown = {6, const_cast<char*>("\x2b\x06\01\x05\x06\x05")};
+  auto actual = OidToValue(const_cast<const gss_OID>(&unknown));
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "length": 6,
+        "bytes" : "KwYBBQYF"
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetGssStatusValue_NoLibrary) {
+  auto actual = GetGssStatusValue(nullptr, "my_method", GSS_S_BAD_NAME, 1);
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "function": "my_method",
+        "major_status": {
+          "status": 131072
+        },
+        "minor_status": {
+          "status": 1
+        }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetGssStatusValue_WithLibrary) {
+  test::MockGSSAPILibrary library;
+  auto actual = GetGssStatusValue(&library, "my_method", GSS_S_BAD_NAME, 1);
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "function": "my_method",
+        "major_status": {
+          "status": 131072,
+          "message": [ "Value: 131072, Type 1" ]
+        },
+        "minor_status": {
+          "status": 1,
+          "message": [ "Value: 1, Type 2" ]
+        }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetGssStatusValue_Multiline) {
+  test::MockGSSAPILibrary library;
+  auto actual = GetGssStatusValue(
+      &library, "my_method",
+      static_cast<OM_uint32>(
+          test::MockGSSAPILibrary::DisplayStatusSpecials::MultiLine),
+      0);
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "function": "my_method",
+        "major_status": {
+          "status": 128,
+          "message": [
+            "Line 1 for status 128",
+            "Line 2 for status 128",
+            "Line 3 for status 128",
+            "Line 4 for status 128",
+            "Line 5 for status 128"
+          ]
+        },
+        "minor_status": {
+          "status": 0
+        }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetGssStatusValue_InfiniteLines) {
+  test::MockGSSAPILibrary library;
+  auto actual = GetGssStatusValue(
+      &library, "my_method",
+      static_cast<OM_uint32>(
+          test::MockGSSAPILibrary::DisplayStatusSpecials::InfiniteLines),
+      0);
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "function": "my_method",
+        "major_status": {
+          "status": 129,
+          "message": [
+            "Line 1 for status 129",
+            "Line 2 for status 129",
+            "Line 3 for status 129",
+            "Line 4 for status 129",
+            "Line 5 for status 129",
+            "Line 6 for status 129",
+            "Line 7 for status 129",
+            "Line 8 for status 129"
+          ]
+        },
+        "minor_status": {
+          "status": 0
+        }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetGssStatusValue_Failure) {
+  test::MockGSSAPILibrary library;
+  auto actual = GetGssStatusValue(
+      &library, "my_method",
+      static_cast<OM_uint32>(
+          test::MockGSSAPILibrary::DisplayStatusSpecials::Fail),
+      0);
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "function": "my_method",
+        "major_status": {
+          "status": 130
+        },
+        "minor_status": {
+          "status": 0
+        }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetGssStatusValue_EmptyMessage) {
+  test::MockGSSAPILibrary library;
+  auto actual = GetGssStatusValue(
+      &library, "my_method",
+      static_cast<OM_uint32>(
+          test::MockGSSAPILibrary::DisplayStatusSpecials::EmptyMessage),
+      0);
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "function": "my_method",
+        "major_status": {
+          "status": 131
+        },
+        "minor_status": {
+          "status": 0
+        }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetGssStatusValue_Misbehave) {
+  test::MockGSSAPILibrary library;
+  auto actual = GetGssStatusValue(
+      &library, "my_method",
+      static_cast<OM_uint32>(
+          test::MockGSSAPILibrary::DisplayStatusSpecials::UninitalizedBuffer),
+      0);
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "function": "my_method",
+        "major_status": {
+          "status": 132
+        },
+        "minor_status": {
+          "status": 0
+        }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetGssStatusValue_NotUtf8) {
+  test::MockGSSAPILibrary library;
+  auto actual = GetGssStatusValue(
+      &library, "my_method",
+      static_cast<OM_uint32>(
+          test::MockGSSAPILibrary::DisplayStatusSpecials::InvalidUtf8),
+      0);
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "function": "my_method",
+        "major_status": {
+          "status": 133
+        },
+        "minor_status": {
+          "status": 0
+        }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetContextStateAsValue_ValidContext) {
+  test::GssContextMockImpl context{"source_spn@somewhere",
+                                   "target_spn@somewhere.else",
+                                   /* lifetime_rec= */ 100,
+                                   *CHROME_GSS_SPNEGO_MECH_OID_DESC,
+                                   /* ctx_flags= */ 0,
+                                   /* locally_initiated= */ 1,
+                                   /* open= */ 0};
+  test::MockGSSAPILibrary library;
+  auto actual = GetContextStateAsValue(
+      &library, reinterpret_cast<const gss_ctx_id_t>(&context));
+  auto expected = base::JSONReader::Read(R"(
+      {
+        "source": {
+          "name": "source_spn@somewhere",
+          "type": {
+            "oid" : "<Empty OID>"
+          }
+        },
+        "target": {
+          "name": "target_spn@somewhere.else",
+          "type": {
+            "oid" : "<Empty OID>"
+          }
+        },
+        "lifetime": "100",
+        "mechanism": {
+          "oid": "<Empty OID>"
+        },
+        "flags": "00000000",
+        "open": false
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
+TEST(HttpAuthGSSAPITest, GetContextStateAsValue_NoContext) {
+  test::MockGSSAPILibrary library;
+  auto actual = GetContextStateAsValue(&library, GSS_C_NO_CONTEXT);
+  auto expected = base::JSONReader::Read(R"(
+      {
+         "error": {
+            "function": "<none>",
+            "major_status": {
+               "status": 524288
+            },
+            "minor_status": {
+               "status": 0
+            }
+         }
+      }
+  )");
+  ASSERT_TRUE(expected.has_value());
+  EXPECT_EQ(actual, expected);
+}
+
 }  // namespace net
diff --git a/chromium/net/http/http_auth_handler.cc b/chromium/net/http/http_auth_handler.cc
index f1cf12bf5f4..fc89e546a8f 100644
--- a/chromium/net/http/http_auth_handler.cc
+++ b/chromium/net/http/http_auth_handler.cc
@@ -39,8 +39,8 @@ bool HttpAuthHandler::InitFromChallenge(HttpAuthChallengeTokenizer* challenge,
   auth_challenge_ = challenge->challenge_text();
   net_log_.BeginEvent(NetLogEventType::AUTH_HANDLER_INIT);
   bool ok = Init(challenge, ssl_info);
-  net_log_.EndEvent(NetLogEventType::AUTH_HANDLER_INIT,
-                    NetLog::BoolCallback("succeeded", ok));
+  net_log_.AddEntryWithBoolParams(NetLogEventType::AUTH_HANDLER_INIT,
+                                  NetLogEventPhase::END, "succeeded", ok);
 
   // Init() is expected to set the scheme, realm, score, and properties.  The
   // realm may be empty.
@@ -100,9 +100,10 @@ void HttpAuthHandler::FinishGenerateAuthToken(int rv) {
 HttpAuth::AuthorizationResult HttpAuthHandler::HandleAnotherChallenge(
     HttpAuthChallengeTokenizer* challenge) {
   auto authorization_result = HandleAnotherChallengeImpl(challenge);
-  net_log_.AddEvent(NetLogEventType::AUTH_HANDLE_CHALLENGE,
-                    HttpAuth::NetLogAuthorizationResultCallback(
-                        "authorization_result", authorization_result));
+  net_log_.AddEvent(NetLogEventType::AUTH_HANDLE_CHALLENGE, [&] {
+    return HttpAuth::NetLogAuthorizationResultParams("authorization_result",
+                                                     authorization_result);
+  });
   return authorization_result;
 }
 
diff --git a/chromium/net/http/http_auth_handler_factory.cc b/chromium/net/http/http_auth_handler_factory.cc
index d44ad9c6589..9961e04454c 100644
--- a/chromium/net/http/http_auth_handler_factory.cc
+++ b/chromium/net/http/http_auth_handler_factory.cc
@@ -103,8 +103,7 @@ HttpAuthHandlerFactory* HttpAuthHandlerRegistryFactory::GetSchemeFactory(
 std::unique_ptr<HttpAuthHandlerRegistryFactory>
 HttpAuthHandlerFactory::CreateDefault(
     const HttpAuthPreferences* prefs
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
     ,
     const std::string& gssapi_library_name
 #endif
@@ -116,7 +115,7 @@ HttpAuthHandlerFactory::CreateDefault(
   std::vector<std::string> auth_types(std::begin(kDefaultAuthSchemes),
                                       std::end(kDefaultAuthSchemes));
   return HttpAuthHandlerRegistryFactory::Create(prefs, auth_types
-#if defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
                                                 ,
                                                 gssapi_library_name
 #endif
@@ -132,8 +131,7 @@ std::unique_ptr<HttpAuthHandlerRegistryFactory>
 HttpAuthHandlerRegistryFactory::Create(
     const HttpAuthPreferences* prefs,
     const std::vector<std::string>& auth_schemes
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
     ,
     const std::string& gssapi_library_name
 #endif
@@ -147,17 +145,17 @@ HttpAuthHandlerRegistryFactory::Create(
 
   std::unique_ptr<HttpAuthHandlerRegistryFactory> registry_factory(
       new HttpAuthHandlerRegistryFactory());
-  if (base::ContainsKey(auth_schemes_set, kBasicAuthScheme)) {
+  if (base::Contains(auth_schemes_set, kBasicAuthScheme)) {
     registry_factory->RegisterSchemeFactory(
         kBasicAuthScheme, new HttpAuthHandlerBasic::Factory());
   }
 
-  if (base::ContainsKey(auth_schemes_set, kDigestAuthScheme)) {
+  if (base::Contains(auth_schemes_set, kDigestAuthScheme)) {
     registry_factory->RegisterSchemeFactory(
         kDigestAuthScheme, new HttpAuthHandlerDigest::Factory());
   }
 
-  if (base::ContainsKey(auth_schemes_set, kNtlmAuthScheme)) {
+  if (base::Contains(auth_schemes_set, kNtlmAuthScheme)) {
     HttpAuthHandlerNTLM::Factory* ntlm_factory =
         new HttpAuthHandlerNTLM::Factory();
 #if defined(OS_WIN)
@@ -167,16 +165,14 @@ HttpAuthHandlerRegistryFactory::Create(
   }
 
 #if BUILDFLAG(USE_KERBEROS)
-  if (base::ContainsKey(auth_schemes_set, kNegotiateAuthScheme)) {
+  if (base::Contains(auth_schemes_set, kNegotiateAuthScheme)) {
     HttpAuthHandlerNegotiate::Factory* negotiate_factory =
         new HttpAuthHandlerNegotiate::Factory(negotiate_auth_system_factory);
 #if defined(OS_WIN)
     negotiate_factory->set_library(std::make_unique<SSPILibraryDefault>());
-#elif defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
+#elif BUILDFLAG(USE_EXTERNAL_GSSAPI)
     negotiate_factory->set_library(
         std::make_unique<GSSAPISharedLibrary>(gssapi_library_name));
-#elif defined(OS_CHROMEOS)
-    negotiate_factory->set_library(std::make_unique<GSSAPISharedLibrary>(""));
 #endif
     registry_factory->RegisterSchemeFactory(kNegotiateAuthScheme,
                                             negotiate_factory);
diff --git a/chromium/net/http/http_auth_handler_factory.h b/chromium/net/http/http_auth_handler_factory.h
index d7215cc1f9a..f4f985e3a25 100644
--- a/chromium/net/http/http_auth_handler_factory.h
+++ b/chromium/net/http/http_auth_handler_factory.h
@@ -141,8 +141,7 @@ class NET_EXPORT HttpAuthHandlerFactory {
   // used by the Negotiate authentication handler.
   static std::unique_ptr<HttpAuthHandlerRegistryFactory> CreateDefault(
       const HttpAuthPreferences* prefs = nullptr
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
       ,
       const std::string& gssapi_library_name = ""
 #endif
@@ -204,8 +203,7 @@ class NET_EXPORT HttpAuthHandlerRegistryFactory
   static std::unique_ptr<HttpAuthHandlerRegistryFactory> Create(
       const HttpAuthPreferences* prefs,
       const std::vector<std::string>& auth_schemes
-#if (defined(OS_POSIX) && !defined(OS_ANDROID) && !defined(OS_CHROMEOS)) || \
-    defined(OS_FUCHSIA)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
       ,
       const std::string& gssapi_library_name = ""
 #endif
diff --git a/chromium/net/http/http_auth_handler_mock.cc b/chromium/net/http/http_auth_handler_mock.cc
index 74d9fefcb13..2f051cedddf 100644
--- a/chromium/net/http/http_auth_handler_mock.cc
+++ b/chromium/net/http/http_auth_handler_mock.cc
@@ -49,8 +49,7 @@ HttpAuthHandlerMock::HttpAuthHandlerMock()
       first_round_(true),
       connection_based_(false),
       allows_default_credentials_(false),
-      allows_explicit_credentials_(true),
-      weak_factory_(this) {}
+      allows_explicit_credentials_(true) {}
 
 HttpAuthHandlerMock::~HttpAuthHandlerMock() = default;
 
diff --git a/chromium/net/http/http_auth_handler_mock.h b/chromium/net/http/http_auth_handler_mock.h
index abc36936dec..5e7e32c82f1 100644
--- a/chromium/net/http/http_auth_handler_mock.h
+++ b/chromium/net/http/http_auth_handler_mock.h
@@ -111,7 +111,7 @@ class HttpAuthHandlerMock : public HttpAuthHandler {
   bool allows_default_credentials_;
   bool allows_explicit_credentials_;
   GURL request_url_;
-  base::WeakPtrFactory<HttpAuthHandlerMock> weak_factory_;
+  base::WeakPtrFactory<HttpAuthHandlerMock> weak_factory_{this};
 };
 
 void PrintTo(const HttpAuthHandlerMock::State& state, ::std::ostream* os);
diff --git a/chromium/net/http/http_auth_handler_negotiate.cc b/chromium/net/http/http_auth_handler_negotiate.cc
index 612e52eb88d..83e88725560 100644
--- a/chromium/net/http/http_auth_handler_negotiate.cc
+++ b/chromium/net/http/http_auth_handler_negotiate.cc
@@ -36,7 +36,7 @@ base::Value NetLogParameterChannelBindings(
     const std::string& channel_binding_token,
     NetLogCaptureMode capture_mode) {
   base::DictionaryValue dict;
-  if (!capture_mode.include_socket_bytes())
+  if (!NetLogCaptureIncludesSocketBytes(capture_mode))
     return std::move(dict);
 
   dict.Clear();
@@ -131,7 +131,7 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
   if (!http_auth_preferences()->AllowGssapiLibraryLoad())
     return ERR_UNSUPPORTED_AUTH_SCHEME;
 #endif
-  if (!auth_library_->Init()) {
+  if (!auth_library_->Init(net_log)) {
     is_unsupported_ = true;
     return ERR_UNSUPPORTED_AUTH_SCHEME;
   }
@@ -185,7 +185,7 @@ bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() {
 bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge,
                                     const SSLInfo& ssl_info) {
 #if defined(OS_POSIX)
-  if (!auth_system_->Init()) {
+  if (!auth_system_->Init(net_log())) {
     VLOG(1) << "can't initialize GSSAPI library";
     return false;
   }
@@ -211,9 +211,11 @@ bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge,
     x509_util::GetTLSServerEndPointChannelBinding(*ssl_info.cert,
                                                   &channel_bindings_);
   if (!channel_bindings_.empty())
-    net_log().AddEvent(
-        NetLogEventType::AUTH_CHANNEL_BINDINGS,
-        base::Bind(&NetLogParameterChannelBindings, channel_bindings_));
+    net_log().AddEvent(NetLogEventType::AUTH_CHANNEL_BINDINGS,
+                       [&](NetLogCaptureMode capture_mode) {
+                         return NetLogParameterChannelBindings(
+                             channel_bindings_, capture_mode);
+                       });
   return true;
 }
 
@@ -385,7 +387,7 @@ int HttpAuthHandlerNegotiate::DoGenerateAuthToken() {
   next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE;
   AuthCredentials* credentials = has_credentials_ ? &credentials_ : nullptr;
   return auth_system_->GenerateAuthToken(
-      credentials, spn_, channel_bindings_, auth_token_,
+      credentials, spn_, channel_bindings_, auth_token_, net_log(),
       base::BindOnce(&HttpAuthHandlerNegotiate::OnIOComplete,
                      base::Unretained(this)));
 }
diff --git a/chromium/net/http/http_auth_handler_negotiate_unittest.cc b/chromium/net/http/http_auth_handler_negotiate_unittest.cc
index ce0ada3f8fe..e4111c8acfa 100644
--- a/chromium/net/http/http_auth_handler_negotiate_unittest.cc
+++ b/chromium/net/http/http_auth_handler_negotiate_unittest.cc
@@ -18,6 +18,7 @@
 #include "net/http/http_request_info.h"
 #include "net/http/mock_allow_http_auth_preferences.h"
 #include "net/log/net_log_with_source.h"
+#include "net/net_buildflags.h"
 #include "net/ssl/ssl_info.h"
 #include "net/test/gtest_util.h"
 #include "net/test/test_with_scoped_task_environment.h"
@@ -25,12 +26,18 @@
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"
 
+#if !BUILDFLAG(USE_KERBEROS)
+#error "use_kerberos should be true to use Negotiate authentication scheme."
+#endif
+
 #if defined(OS_ANDROID)
 #include "net/android/dummy_spnego_authenticator.h"
 #elif defined(OS_WIN)
 #include "net/http/mock_sspi_library_win.h"
-#elif defined(OS_POSIX)
+#elif BUILDFLAG(USE_EXTERNAL_GSSAPI)
 #include "net/http/mock_gssapi_library_posix.h"
+#else
+#error "use_kerberos is true, but no Kerberos implementation available."
 #endif
 
 using net::test::IsError;
@@ -40,14 +47,6 @@ namespace net {
 
 constexpr char kFakeToken[] = "FakeToken";
 
-#if defined(OS_ANDROID)
-typedef net::android::DummySpnegoAuthenticator MockAuthLibrary;
-#elif defined(OS_WIN)
-typedef MockSSPILibrary MockAuthLibrary;
-#elif defined(OS_POSIX)
-typedef test::MockGSSAPILibrary MockAuthLibrary;
-#endif
-
 class HttpAuthHandlerNegotiateTest : public PlatformTest,
                                      public WithScopedTaskEnvironment {
  public:
@@ -65,10 +64,9 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
     http_auth_preferences_->set_auth_android_negotiate_account_type(
         "org.chromium.test.DummySpnegoAuthenticator");
     MockAuthLibrary::EnsureTestAccountExists();
-#endif
-#if defined(OS_WIN) || (defined(OS_POSIX) && !defined(OS_ANDROID))
+#else
     factory_->set_library(base::WrapUnique(auth_library_));
-#endif
+#endif  // !OS_ANDROID
   }
 
 #if defined(OS_ANDROID)
@@ -82,7 +80,7 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
     security_package_->cbMaxToken = 1337;
     mock_library->ExpectQuerySecurityPackageInfo(
         L"Negotiate", SEC_E_OK, security_package_.get());
-#elif defined(OS_POSIX)
+#else
     // Copied from an actual transaction!
     static const char kAuthResponse[] =
         "\x60\x82\x02\xCA\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01"
@@ -171,7 +169,7 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
                                           queries[i].expected_input_token,
                                           queries[i].output_token);
     }
-#endif  // defined(OS_POSIX)
+#endif  // !OS_WIN
   }
 
 #if defined(OS_POSIX)
@@ -202,7 +200,6 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
                                         query.expected_input_token,
                                         query.output_token);
   }
-
 #endif  // defined(OS_POSIX)
 
   int CreateHandler(bool disable_cname_lookup,
@@ -267,7 +264,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, DisableCname) {
                     nullptr, &request_info, callback.callback(), &token)));
 #if defined(OS_WIN)
   EXPECT_EQ("HTTP/alias", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
   EXPECT_EQ("HTTP@alias", auth_handler->spn_for_testing());
 #endif
 }
@@ -285,7 +282,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, DisableCnameStandardPort) {
                     nullptr, &request_info, callback.callback(), &token)));
 #if defined(OS_WIN)
   EXPECT_EQ("HTTP/alias", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
   EXPECT_EQ("HTTP@alias", auth_handler->spn_for_testing());
 #endif
 }
@@ -303,7 +300,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, DisableCnameNonstandardPort) {
                     nullptr, &request_info, callback.callback(), &token)));
 #if defined(OS_WIN)
   EXPECT_EQ("HTTP/alias:500", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
   EXPECT_EQ("HTTP@alias:500", auth_handler->spn_for_testing());
 #endif
 }
@@ -321,7 +318,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, CnameSync) {
                     nullptr, &request_info, callback.callback(), &token)));
 #if defined(OS_WIN)
   EXPECT_EQ("HTTP/canonical.example.com", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
   EXPECT_EQ("HTTP@canonical.example.com", auth_handler->spn_for_testing());
 #endif
 }
@@ -341,7 +338,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, CnameAsync) {
   EXPECT_THAT(callback.WaitForResult(), IsOk());
 #if defined(OS_WIN)
   EXPECT_EQ("HTTP/canonical.example.com", auth_handler->spn_for_testing());
-#elif defined(OS_POSIX)
+#else
   EXPECT_EQ("HTTP@canonical.example.com", auth_handler->spn_for_testing());
 #endif
 }
@@ -382,14 +379,12 @@ TEST_F(HttpAuthHandlerNegotiateTest, NoKerberosCredentials) {
   EXPECT_THAT(callback.WaitForResult(), IsError(ERR_MISSING_AUTH_CREDENTIALS));
 }
 
-#if defined(DLOPEN_KERBEROS)
+#if BUILDFLAG(USE_EXTERNAL_GSSAPI)
 TEST_F(HttpAuthHandlerNegotiateTest, MissingGSSAPI) {
-  std::unique_ptr<HostResolver> host_resolver(new MockHostResolver());
   MockAllowHttpAuthPreferences http_auth_preferences;
   std::unique_ptr<HttpAuthHandlerNegotiate::Factory> negotiate_factory(
       new HttpAuthHandlerNegotiate::Factory(
           net::HttpAuthHandlerFactory::NegotiateAuthSystemFactory()));
-  negotiate_factory->set_host_resolver(host_resolver);
   negotiate_factory->set_http_auth_preferences(&http_auth_preferences);
   negotiate_factory->set_library(
       std::make_unique<GSSAPISharedLibrary>("/this/library/does/not/exist"));
@@ -397,12 +392,12 @@ TEST_F(HttpAuthHandlerNegotiateTest, MissingGSSAPI) {
   GURL gurl("http://www.example.com");
   std::unique_ptr<HttpAuthHandler> generic_handler;
   int rv = negotiate_factory->CreateAuthHandlerFromString(
-      "Negotiate", HttpAuth::AUTH_SERVER, gurl, NetLogWithSource(),
-      &generic_handler);
+      "Negotiate", HttpAuth::AUTH_SERVER, SSLInfo(), gurl, NetLogWithSource(),
+      resolver(), &generic_handler);
   EXPECT_THAT(rv, IsError(ERR_UNSUPPORTED_AUTH_SCHEME));
   EXPECT_TRUE(generic_handler.get() == nullptr);
 }
-#endif  // defined(DLOPEN_KERBEROS)
+#endif  // BUILDFLAG(USE_EXTERNAL_GSSAPI)
 
 // AllowGssapiLibraryLoad() is only supported on Chrome OS.
 #if defined(OS_CHROMEOS)
@@ -431,7 +426,7 @@ class TestAuthSystem : public HttpNegotiateAuthSystem {
   ~TestAuthSystem() override = default;
 
   // HttpNegotiateAuthSystem implementation:
-  bool Init() override { return true; }
+  bool Init(const NetLogWithSource&) override { return true; }
   bool NeedsIdentity() const override { return true; }
   bool AllowsExplicitCredentials() const override { return true; }
 
@@ -444,6 +439,7 @@ class TestAuthSystem : public HttpNegotiateAuthSystem {
                         const std::string& spn,
                         const std::string& channel_bindings,
                         std::string* auth_token,
+                        const NetLogWithSource& net_log,
                         net::CompletionOnceCallback callback) override {
     *auth_token = kFakeToken;
     return net::OK;
diff --git a/chromium/net/http/http_auth_handler_ntlm.cc b/chromium/net/http/http_auth_handler_ntlm.cc
index 926f62ce45b..5dd7093d71b 100644
--- a/chromium/net/http/http_auth_handler_ntlm.cc
+++ b/chromium/net/http/http_auth_handler_ntlm.cc
@@ -41,7 +41,7 @@ int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
     std::string* auth_token) {
 #if defined(NTLM_SSPI)
   return auth_sspi_.GenerateAuthToken(credentials, CreateSPN(origin_),
-                                      channel_bindings_, auth_token,
+                                      channel_bindings_, auth_token, net_log(),
                                       std::move(callback));
 #else  // !defined(NTLM_SSPI)
   // TODO(cbentzel): Shouldn't be hitting this case.
diff --git a/chromium/net/http/http_auth_handler_ntlm.h b/chromium/net/http/http_auth_handler_ntlm.h
index 799a026c1c4..8403ee0572c 100644
--- a/chromium/net/http/http_auth_handler_ntlm.h
+++ b/chromium/net/http/http_auth_handler_ntlm.h
@@ -40,6 +40,18 @@
 
 namespace net {
 
+#if defined(NTLM_PORTABLE)
+// These values are persisted to logs. Entries should not be renumbered and
+// numeric values should never be reused.
+enum class NtlmV2Usage : int {
+  kDisabledOverInsecure = 0,
+  kDisabledOverSecure,
+  kEnabledOverInsecure,
+  kEnabledOverSecure,
+  kMaxValue = kEnabledOverSecure
+};
+#endif
+
 class HttpAuthPreferences;
 
 // Code for handling HTTP NTLM authentication.
diff --git a/chromium/net/http/http_auth_handler_ntlm_portable.cc b/chromium/net/http/http_auth_handler_ntlm_portable.cc
index 1b13f78216a..3a52b57551f 100644
--- a/chromium/net/http/http_auth_handler_ntlm_portable.cc
+++ b/chromium/net/http/http_auth_handler_ntlm_portable.cc
@@ -4,12 +4,15 @@
 
 #include "net/http/http_auth_handler_ntlm.h"
 
+#include "base/metrics/histogram_macros.h"
 #include "base/rand_util.h"
 #include "base/time/time.h"
 #include "net/base/net_errors.h"
 #include "net/base/network_interfaces.h"
 #include "net/dns/host_resolver.h"
+#include "net/http/http_auth_handler_ntlm.h"
 #include "net/http/http_auth_preferences.h"
+#include "net/ssl/ssl_info.h"
 
 namespace net {
 
@@ -23,6 +26,14 @@ void GenerateRandom(uint8_t* output, size_t n) {
   base::RandBytes(output, n);
 }
 
+void RecordNtlmV2Usage(bool is_v2, bool is_secure) {
+  auto bucket = is_v2 ? is_secure ? NtlmV2Usage::kEnabledOverSecure
+                                  : NtlmV2Usage::kEnabledOverInsecure
+                      : is_secure ? NtlmV2Usage::kDisabledOverSecure
+                                  : NtlmV2Usage::kDisabledOverInsecure;
+  UMA_HISTOGRAM_ENUMERATION("Net.HttpAuthNtlmV2Usage", bucket);
+}
+
 }  // namespace
 
 // static
@@ -133,6 +144,9 @@ int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
   if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin,
                                       net_log))
     return ERR_INVALID_RESPONSE;
+  RecordNtlmV2Usage(
+      http_auth_preferences() ? http_auth_preferences()->NtlmV2Enabled() : true,
+      ssl_info.is_valid());
   handler->swap(tmp_handler);
   return OK;
 }
diff --git a/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc b/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
index ff42afffea6..c48b815dd6a 100644
--- a/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
+++ b/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
@@ -9,6 +9,7 @@
 #include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/test/metrics/histogram_tester.h"
 #include "build/build_config.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/mock_host_resolver.h"
@@ -163,8 +164,11 @@ class HttpAuthHandlerNtlmPortableTest : public PlatformTest {
 };
 
 TEST_F(HttpAuthHandlerNtlmPortableTest, SimpleConstruction) {
+  base::HistogramTester histogram_tester;
   ASSERT_EQ(OK, CreateHandler());
   ASSERT_TRUE(GetAuthHandler() != nullptr);
+  histogram_tester.ExpectBucketCount("Net.HttpAuthNtlmV2Usage",
+                                     NtlmV2Usage::kDisabledOverInsecure, 1);
 }
 
 TEST_F(HttpAuthHandlerNtlmPortableTest, DoNotAllowDefaultCreds) {
@@ -217,6 +221,7 @@ TEST_F(HttpAuthHandlerNtlmPortableTest, CantChangeSchemeMidway) {
 }
 
 TEST_F(HttpAuthHandlerNtlmPortableTest, NtlmV1AuthenticationSuccess) {
+  base::HistogramTester histogram_tester;
   HttpAuthHandlerNTLM::ScopedProcSetter proc_setter(MockGetMSTime, MockRandom,
                                                     MockGetHostName);
   ASSERT_EQ(OK, CreateHandler());
@@ -236,6 +241,8 @@ TEST_F(HttpAuthHandlerNtlmPortableTest, NtlmV1AuthenticationSuccess) {
   ASSERT_EQ(0, memcmp(decoded.data(),
                       ntlm::test::kExpectedAuthenticateMsgSpecResponseV1,
                       decoded.size()));
+  histogram_tester.ExpectBucketCount("Net.HttpAuthNtlmV2Usage",
+                                     NtlmV2Usage::kDisabledOverInsecure, 1);
 }
 
 }  // namespace net
diff --git a/chromium/net/http/http_auth_handler_unittest.cc b/chromium/net/http/http_auth_handler_unittest.cc
index d4898983697..bb25c16f103 100644
--- a/chromium/net/http/http_auth_handler_unittest.cc
+++ b/chromium/net/http/http_auth_handler_unittest.cc
@@ -15,7 +15,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/ssl/ssl_info.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -53,8 +52,7 @@ TEST(HttpAuthHandlerTest, NetLog) {
 
       mock_handler.HandleAnotherChallenge(&tokenizer);
 
-      TestNetLogEntry::List entries;
-      test_net_log.GetEntries(&entries);
+      auto entries = test_net_log.GetEntries();
 
       ASSERT_EQ(5u, entries.size());
       EXPECT_TRUE(LogContainsBeginEvent(entries, 0,
diff --git a/chromium/net/http/http_auth_sspi_win.cc b/chromium/net/http/http_auth_sspi_win.cc
index d9c098f928d..8bc2665f9d8 100644
--- a/chromium/net/http/http_auth_sspi_win.cc
+++ b/chromium/net/http/http_auth_sspi_win.cc
@@ -263,7 +263,7 @@ HttpAuthSSPI::~HttpAuthSSPI() {
   }
 }
 
-bool HttpAuthSSPI::Init() {
+bool HttpAuthSSPI::Init(const NetLogWithSource&) {
   return true;
 }
 
@@ -300,6 +300,7 @@ int HttpAuthSSPI::GenerateAuthToken(const AuthCredentials* credentials,
                                     const std::string& spn,
                                     const std::string& channel_bindings,
                                     std::string* auth_token,
+                                    const NetLogWithSource&,
                                     CompletionOnceCallback /*callback*/) {
   // Initial challenge.
   if (!SecIsValidHandle(&cred_)) {
diff --git a/chromium/net/http/http_auth_sspi_win.h b/chromium/net/http/http_auth_sspi_win.h
index e672c89fade..408ac5931d7 100644
--- a/chromium/net/http/http_auth_sspi_win.h
+++ b/chromium/net/http/http_auth_sspi_win.h
@@ -116,7 +116,7 @@ class NET_EXPORT_PRIVATE HttpAuthSSPI : public HttpNegotiateAuthSystem {
   ~HttpAuthSSPI() override;
 
   // HttpNegotiateAuthSystem implementation:
-  bool Init() override;
+  bool Init(const NetLogWithSource& net_log) override;
   bool NeedsIdentity() const override;
   bool AllowsExplicitCredentials() const override;
   HttpAuth::AuthorizationResult ParseChallenge(
@@ -125,6 +125,7 @@ class NET_EXPORT_PRIVATE HttpAuthSSPI : public HttpNegotiateAuthSystem {
                         const std::string& spn,
                         const std::string& channel_bindings,
                         std::string* auth_token,
+                        const NetLogWithSource& net_log,
                         CompletionOnceCallback callback) override;
   void SetDelegation(HttpAuth::DelegationType delegation_type) override;
 
diff --git a/chromium/net/http/http_auth_sspi_win_unittest.cc b/chromium/net/http/http_auth_sspi_win_unittest.cc
index 3c427679103..d9031fa7e28 100644
--- a/chromium/net/http/http_auth_sspi_win_unittest.cc
+++ b/chromium/net/http/http_auth_sspi_win_unittest.cc
@@ -3,10 +3,12 @@
 // found in the LICENSE file.
 
 #include "net/http/http_auth_sspi_win.h"
+
 #include "base/bind.h"
 #include "net/base/net_errors.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/mock_sspi_library_win.h"
+#include "net/log/net_log_with_source.h"
 #include "net/test/gtest_util.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -96,9 +98,10 @@ TEST(HttpAuthSSPITest, ParseChallenge_TwoRounds) {
 
   // Generate an auth token and create another thing.
   std::string auth_token;
-  EXPECT_EQ(OK, auth_sspi.GenerateAuthToken(
-                    nullptr, "HTTP/intranet.google.com", std::string(),
-                    &auth_token, base::BindOnce(&UnexpectedCallback)));
+  EXPECT_EQ(OK,
+            auth_sspi.GenerateAuthToken(
+                nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
+                NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
 
   std::string second_challenge_text = "Negotiate Zm9vYmFy";
   HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
@@ -133,9 +136,10 @@ TEST(HttpAuthSSPITest, ParseChallenge_MissingTokenSecondRound) {
             auth_sspi.ParseChallenge(&first_challenge));
 
   std::string auth_token;
-  EXPECT_EQ(OK, auth_sspi.GenerateAuthToken(
-                    nullptr, "HTTP/intranet.google.com", std::string(),
-                    &auth_token, base::BindOnce(&UnexpectedCallback)));
+  EXPECT_EQ(OK,
+            auth_sspi.GenerateAuthToken(
+                nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
+                NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
   std::string second_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
                                               second_challenge_text.end());
@@ -156,9 +160,10 @@ TEST(HttpAuthSSPITest, ParseChallenge_NonBase64EncodedToken) {
             auth_sspi.ParseChallenge(&first_challenge));
 
   std::string auth_token;
-  EXPECT_EQ(OK, auth_sspi.GenerateAuthToken(
-                    nullptr, "HTTP/intranet.google.com", std::string(),
-                    &auth_token, base::BindOnce(&UnexpectedCallback)));
+  EXPECT_EQ(OK,
+            auth_sspi.GenerateAuthToken(
+                nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
+                NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
   std::string second_challenge_text = "Negotiate =happyjoy=";
   HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
                                               second_challenge_text.end());
diff --git a/chromium/net/http/http_cache.cc b/chromium/net/http/http_cache.cc
index a23d7bce0bb..b6803dc9c7c 100644
--- a/chromium/net/http/http_cache.cc
+++ b/chromium/net/http/http_cache.cc
@@ -56,6 +56,9 @@
 
 namespace net {
 
+const char HttpCache::kDoubleKeyPrefix[] = "_dk_";
+const char HttpCache::kDoubleKeySeparator[] = " ";
+
 HttpCache::DefaultBackend::DefaultBackend(CacheType type,
                                           BackendType backend_type,
                                           const base::FilePath& path,
@@ -229,94 +232,6 @@ class HttpCache::WorkItem {
 
 //-----------------------------------------------------------------------------
 
-// This class encapsulates a transaction whose only purpose is to write metadata
-// to a given entry.
-class HttpCache::MetadataWriter {
- public:
-  explicit MetadataWriter(HttpCache::Transaction* transaction)
-      : verified_(false), buf_len_(0), transaction_(transaction) {}
-
-  ~MetadataWriter() = default;
-
-  // Implements the bulk of HttpCache::WriteMetadata.
-  void Write(const GURL& url,
-             base::Time expected_response_time,
-             IOBuffer* buf,
-             int buf_len);
-
- private:
-  void VerifyResponse(int result);
-  void SelfDestroy();
-  void OnIOComplete(int result);
-
-  bool verified_;
-  scoped_refptr<IOBuffer> buf_;
-  int buf_len_;
-  base::Time expected_response_time_;
-  HttpRequestInfo request_info_;
-
-  // |transaction_| to come after |request_info_| so that |request_info_| is not
-  // destroyed earlier.
-  std::unique_ptr<HttpCache::Transaction> transaction_;
-  DISALLOW_COPY_AND_ASSIGN(MetadataWriter);
-};
-
-void HttpCache::MetadataWriter::Write(const GURL& url,
-                                      base::Time expected_response_time,
-                                      IOBuffer* buf,
-                                      int buf_len) {
-  DCHECK_GT(buf_len, 0);
-  DCHECK(buf);
-  DCHECK(buf->data());
-  request_info_.url = url;
-  request_info_.method = "GET";
-
-  // todo (crbug.com/690099): Incorrect usage of LOAD_ONLY_FROM_CACHE.
-  request_info_.load_flags =
-      LOAD_ONLY_FROM_CACHE | LOAD_SKIP_CACHE_VALIDATION | LOAD_SKIP_VARY_CHECK;
-
-  expected_response_time_ = expected_response_time;
-  buf_ = buf;
-  buf_len_ = buf_len;
-  verified_ = false;
-
-  int rv = transaction_->Start(
-      &request_info_,
-      base::Bind(&MetadataWriter::OnIOComplete, base::Unretained(this)),
-      NetLogWithSource());
-  if (rv != ERR_IO_PENDING)
-    VerifyResponse(rv);
-}
-
-void HttpCache::MetadataWriter::VerifyResponse(int result) {
-  verified_ = true;
-  if (result != OK)
-    return SelfDestroy();
-
-  const HttpResponseInfo* response_info = transaction_->GetResponseInfo();
-  DCHECK(response_info->was_cached);
-  if (response_info->response_time != expected_response_time_)
-    return SelfDestroy();
-
-  result = transaction_->WriteMetadata(
-      buf_.get(),
-      buf_len_,
-      base::Bind(&MetadataWriter::OnIOComplete, base::Unretained(this)));
-  if (result != ERR_IO_PENDING)
-    SelfDestroy();
-}
-
-void HttpCache::MetadataWriter::SelfDestroy() {
-  delete this;
-}
-
-void HttpCache::MetadataWriter::OnIOComplete(int result) {
-  if (!verified_)
-    return VerifyResponse(result);
-  SelfDestroy();
-}
-
-//-----------------------------------------------------------------------------
 HttpCache::HttpCache(HttpNetworkSession* session,
                      std::unique_ptr<BackendFactory> backend_factory,
                      bool is_main_cache)
@@ -335,8 +250,7 @@ HttpCache::HttpCache(std::unique_ptr<HttpTransactionFactory> network_layer,
       fail_conditionalization_for_test_(false),
       mode_(NORMAL),
       network_layer_(std::move(network_layer)),
-      clock_(base::DefaultClock::GetInstance()),
-      weak_factory_(this) {
+      clock_(base::DefaultClock::GetInstance()) {
   HttpNetworkSession* session = network_layer_->GetSession();
   // Session may be NULL in unittests.
   // TODO(mmenke): Seems like tests could be changed to provide a session,
@@ -422,28 +336,6 @@ bool HttpCache::ParseResponseInfo(const char* data, int len,
   return response_info->InitFromPickle(pickle, response_truncated);
 }
 
-void HttpCache::WriteMetadata(const GURL& url,
-                              RequestPriority priority,
-                              base::Time expected_response_time,
-                              IOBuffer* buf,
-                              int buf_len) {
-  if (!buf_len)
-    return;
-
-  // Do lazy initialization of disk cache if needed.
-  if (!disk_cache_.get()) {
-    // We don't care about the result.
-    CreateBackend(nullptr, CompletionOnceCallback());
-  }
-
-  HttpCache::Transaction* transaction =
-      new HttpCache::Transaction(priority, this);
-  MetadataWriter* writer = new MetadataWriter(transaction);
-
-  // The writer will self destruct when done.
-  writer->Write(url, expected_response_time, buf, buf_len);
-}
-
 void HttpCache::CloseAllConnections() {
   HttpNetworkSession* session = GetSession();
   if (session)
@@ -459,14 +351,14 @@ void HttpCache::CloseIdleConnections() {
 void HttpCache::OnExternalCacheHit(
     const GURL& url,
     const std::string& http_method,
-    base::Optional<url::Origin> top_frame_origin) {
+    const NetworkIsolationKey& network_isolation_key) {
   if (!disk_cache_.get() || mode_ == DISABLE)
     return;
 
   HttpRequestInfo request_info;
   request_info.url = url;
   request_info.method = http_method;
-  request_info.network_isolation_key = NetworkIsolationKey(top_frame_origin);
+  request_info.network_isolation_key = network_isolation_key;
   std::string key = GenerateCacheKey(&request_info);
   disk_cache_->OnExternalCacheHit(key);
 }
@@ -527,6 +419,33 @@ void HttpCache::DumpMemoryStats(base::trace_event::ProcessMemoryDump* pmd,
                   base::trace_event::MemoryAllocatorDump::kUnitsBytes, size);
 }
 
+std::string HttpCache::GetResourceURLFromHttpCacheKey(const std::string& key) {
+  // Search the key to see whether it begins with |kDoubleKeyPrefix|. If so,
+  // then the entry was double-keyed.
+  if (base::StartsWith(key, kDoubleKeyPrefix, base::CompareCase::SENSITIVE)) {
+    // Find the rightmost occurrence of |kDoubleKeySeparator|, as when both
+    // the top-frame origin and the initiator are added to the key, there will
+    // be two occurrences of |kDoubleKeySeparator|.  When the cache entry is
+    // originally written to disk, GenerateCacheKey method calls
+    // HttpUtil::SpecForRequest method, which has a DCHECK to ensure that
+    // the original resource url is valid, and hence will not contain the
+    // unescaped whitespace of |kDoubleKeySeparator|.
+    size_t separator_position = key.rfind(kDoubleKeySeparator);
+    DCHECK_NE(separator_position, std::string::npos);
+
+    size_t separator_size = strlen(kDoubleKeySeparator);
+    size_t start_position = separator_position + separator_size;
+    DCHECK_LE(start_position, key.size() - 1);
+
+    return key.substr(start_position);
+  }
+  return key;
+}
+
+std::string HttpCache::GenerateCacheKeyForTest(const HttpRequestInfo* request) {
+  return GenerateCacheKey(request);
+}
+
 //-----------------------------------------------------------------------------
 
 net::Error HttpCache::CreateAndSetWorkItem(ActiveEntry** entry,
@@ -603,12 +522,15 @@ int HttpCache::GetBackendForTransaction(Transaction* transaction) {
 std::string HttpCache::GenerateCacheKey(const HttpRequestInfo* request) {
   std::string isolation_key;
 
-  if (base::FeatureList::IsEnabled(features::kSplitCacheByTopFrameOrigin)) {
-    // Prepend the key with "_dk_" to mark it as double keyed (and makes it an
-    // invalid url so that it doesn't get confused with a single-keyed
-    // entry). Separate the origin and url with invalid whitespace character.
-    isolation_key =
-        base::StrCat({"_dk_", request->network_isolation_key.ToString(), " "});
+  if (base::FeatureList::IsEnabled(
+          features::kSplitCacheByNetworkIsolationKey)) {
+    // Prepend the key with |kDoubleKeyPrefix| = "_dk_" to mark it as
+    // double-keyed (and makes it an invalid url so that it doesn't get
+    // confused with a single-keyed entry). Separate the origin and url
+    // with invalid whitespace character |kDoubleKeySeparator|.
+    isolation_key = base::StrCat({kDoubleKeyPrefix,
+                                  request->network_isolation_key.ToString(),
+                                  kDoubleKeySeparator});
   }
 
   // Strip out the reference, username, and password sections of the URL and
diff --git a/chromium/net/http/http_cache.h b/chromium/net/http/http_cache.h
index bd2dd225d0c..371786c56a2 100644
--- a/chromium/net/http/http_cache.h
+++ b/chromium/net/http/http_cache.h
@@ -56,7 +56,6 @@ namespace net {
 
 class HttpNetworkSession;
 class HttpResponseInfo;
-class IOBuffer;
 class NetLog;
 struct HttpRequestInfo;
 
@@ -203,17 +202,6 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
                                 HttpResponseInfo* response_info,
                                 bool* response_truncated);
 
-  // Writes |buf_len| bytes of metadata stored in |buf| to the cache entry
-  // referenced by |url|, as long as the entry's |expected_response_time| has
-  // not changed. This method returns without blocking, and the operation will
-  // be performed asynchronously without any completion notification.
-  // Takes ownership of |buf|.
-  virtual void WriteMetadata(const GURL& url,
-                             RequestPriority priority,
-                             base::Time expected_response_time,
-                             IOBuffer* buf,
-                             int buf_len);
-
   // Get/Set the cache's mode.
   void set_mode(Mode value) { mode_ = value; }
   Mode mode() { return mode_; }
@@ -231,13 +219,10 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
   void CloseIdleConnections();
 
   // Called whenever an external cache in the system reuses the resource
-  // referred to by |url| and |http_method|, inside a page with a top-level
-  // URL at |top_frame_origin|.
-  // TODO(crbug.com/965126): Use NetworkIsolationKey instead of top frame
-  // origin.
+  // referred to by |url| and |http_method| and |network_isolation_key|.
   void OnExternalCacheHit(const GURL& url,
                           const std::string& http_method,
-                          base::Optional<url::Origin> top_frame_origin);
+                          const NetworkIsolationKey& network_isolation_key);
 
   // Causes all transactions created after this point to simulate lock timeout
   // and effectively bypass the cache lock whenever there is lock contention.
@@ -277,6 +262,13 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
   void DumpMemoryStats(base::trace_event::ProcessMemoryDump* pmd,
                        const std::string& parent_absolute_name) const;
 
+  // Get the URL from the entry's cache key. If double-keying is not enabled,
+  // this will be the key itself.
+  static std::string GetResourceURLFromHttpCacheKey(const std::string& key);
+
+  // Function to generate cache key for testing.
+  std::string GenerateCacheKeyForTest(const HttpRequestInfo* request);
+
  private:
   // Types --------------------------------------------------------------------
 
@@ -293,13 +285,17 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
   enum {
     kResponseInfoIndex = 0,
     kResponseContentIndex,
+    // Only currently used in DoTruncateCachedMetadata().
+    // TODO(mmenke): Remove this in and DoTruncateCachedMetadata() in M79, after
+    // most metadata entries in the cache have been removed. Without
+    // DoTruncateCachedMetadata(), the metadata will be removed when a cache
+    // entry is destroyed, but some conditionalized updates will keep it around.
     kMetadataIndex,
 
     // Must remain at the end of the enum.
     kNumCacheEntryDataIndices
   };
 
-  class MetadataWriter;
   class QuicServerInfoFactoryAdaptor;
   class Transaction;
   class WorkItem;
@@ -625,6 +621,12 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
   // Processes the backend creation notification.
   void OnBackendCreated(int result, PendingOp* pending_op);
 
+  // Constants ----------------------------------------------------------------
+
+  // Used when generating and accessing keys if cache is split.
+  static const char kDoubleKeyPrefix[];
+  static const char kDoubleKeySeparator[];
+
   // Variables ----------------------------------------------------------------
 
   NetLog* net_log_;
@@ -658,7 +660,7 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
 
   THREAD_CHECKER(thread_checker_);
 
-  base::WeakPtrFactory<HttpCache> weak_factory_;
+  base::WeakPtrFactory<HttpCache> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(HttpCache);
 };
diff --git a/chromium/net/http/http_cache_lookup_manager.cc b/chromium/net/http/http_cache_lookup_manager.cc
index 6fd010f50aa..1d59385cbc5 100644
--- a/chromium/net/http/http_cache_lookup_manager.cc
+++ b/chromium/net/http/http_cache_lookup_manager.cc
@@ -14,10 +14,9 @@ namespace net {
 
 // Returns parameters associated with the start of a server push lookup
 // transaction.
-base::Value NetLogPushLookupTransactionCallback(
+base::Value NetLogPushLookupTransactionParams(
     const NetLogSource& net_log,
-    const ServerPushDelegate::ServerPushHelper* push_helper,
-    NetLogCaptureMode /* capture_mode */) {
+    const ServerPushDelegate::ServerPushHelper* push_helper) {
   base::DictionaryValue dict;
   net_log.AddToEventParameters(&dict);
   dict.SetString("push_url", push_helper->GetURL().possibly_invalid_spec());
@@ -40,9 +39,10 @@ int HttpCacheLookupManager::LookupTransaction::StartLookup(
     HttpCache* cache,
     CompletionOnceCallback callback,
     const NetLogWithSource& session_net_log) {
-  net_log_.BeginEvent(NetLogEventType::SERVER_PUSH_LOOKUP_TRANSACTION,
-                      base::Bind(&NetLogPushLookupTransactionCallback,
-                                 session_net_log.source(), push_helper_.get()));
+  net_log_.BeginEvent(NetLogEventType::SERVER_PUSH_LOOKUP_TRANSACTION, [&] {
+    return NetLogPushLookupTransactionParams(session_net_log.source(),
+                                             push_helper_.get());
+  });
 
   request_->url = push_helper_->GetURL();
   request_->method = "GET";
@@ -61,7 +61,7 @@ void HttpCacheLookupManager::LookupTransaction::OnLookupComplete(int result) {
 }
 
 HttpCacheLookupManager::HttpCacheLookupManager(HttpCache* http_cache)
-    : http_cache_(http_cache), weak_factory_(this) {}
+    : http_cache_(http_cache) {}
 
 HttpCacheLookupManager::~HttpCacheLookupManager() = default;
 
@@ -71,7 +71,7 @@ void HttpCacheLookupManager::OnPush(
   GURL pushed_url = push_helper->GetURL();
 
   // There's a pending lookup transaction sent over already.
-  if (base::ContainsKey(lookup_transactions_, pushed_url))
+  if (base::Contains(lookup_transactions_, pushed_url))
     return;
 
   auto lookup = std::make_unique<LookupTransaction>(std::move(push_helper),
diff --git a/chromium/net/http/http_cache_lookup_manager.h b/chromium/net/http/http_cache_lookup_manager.h
index ba649cde90b..d7ece6785d7 100644
--- a/chromium/net/http/http_cache_lookup_manager.h
+++ b/chromium/net/http/http_cache_lookup_manager.h
@@ -57,7 +57,7 @@ class NET_EXPORT_PRIVATE HttpCacheLookupManager : public ServerPushDelegate {
   // HttpCache must outlive the HttpCacheLookupManager.
   HttpCache* http_cache_;
   std::map<GURL, std::unique_ptr<LookupTransaction>> lookup_transactions_;
-  base::WeakPtrFactory<HttpCacheLookupManager> weak_factory_;
+  base::WeakPtrFactory<HttpCacheLookupManager> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/http/http_cache_transaction.cc b/chromium/net/http/http_cache_transaction.cc
index 8c5633af59c..68ed6135ea1 100644
--- a/chromium/net/http/http_cache_transaction.cc
+++ b/chromium/net/http/http_cache_transaction.cc
@@ -42,6 +42,7 @@
 #include "net/cert/x509_certificate.h"
 #include "net/disk_cache/disk_cache.h"
 #include "net/http/http_cache_writers.h"
+#include "net/http/http_log_util.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_util.h"
@@ -87,20 +88,9 @@ enum ExternallyConditionalizedType {
 
 }  // namespace
 
-#define CACHE_STATUS_HISTOGRAMS(type)                                        \
-  do {                                                                       \
-    UMA_HISTOGRAM_ENUMERATION("HttpCache.Pattern" type, cache_entry_status_, \
-                              CacheEntryStatus::ENTRY_MAX);                  \
-    if (validation_request) {                                                \
-      UMA_HISTOGRAM_ENUMERATION("HttpCache.ValidationCause" type,            \
-                                validation_cause_, VALIDATION_CAUSE_MAX);    \
-    }                                                                        \
-    if (stale_request) {                                                     \
-      UMA_HISTOGRAM_COUNTS_1M(                                               \
-          "HttpCache.StaleEntry.FreshnessPeriodsSinceLastUsed" type,         \
-          freshness_periods_since_last_used);                                \
-    }                                                                        \
-  } while (0)
+#define CACHE_STATUS_HISTOGRAMS(type)                                      \
+  UMA_HISTOGRAM_ENUMERATION("HttpCache.Pattern" type, cache_entry_status_, \
+                            CacheEntryStatus::ENTRY_MAX)
 
 struct HeaderNameAndValue {
   const char* name;
@@ -182,6 +172,7 @@ HttpCache::Transaction::Transaction(RequestPriority priority, HttpCache* cache)
       bypass_lock_for_test_(false),
       bypass_lock_after_headers_for_test_(false),
       fail_conditionalization_for_test_(false),
+      read_buf_len_(0),
       io_buf_len_(0),
       read_offset_(0),
       effective_load_flags_(0),
@@ -193,8 +184,7 @@ HttpCache::Transaction::Transaction(RequestPriority priority, HttpCache* cache)
       parallel_writing_pattern_(PARALLEL_WRITING_NONE),
       moved_network_transaction_to_writers_(false),
       websocket_handshake_stream_base_create_helper_(nullptr),
-      in_do_loop_(false),
-      weak_factory_(this) {
+      in_do_loop_(false) {
   TRACE_EVENT0("io", "HttpCacheTransaction::Transaction");
   static_assert(HttpCache::Transaction::kNumValidationHeaders ==
                     base::size(kValidationHeaders),
@@ -223,23 +213,6 @@ HttpCache::Transaction::Mode HttpCache::Transaction::mode() const {
   return mode_;
 }
 
-int HttpCache::Transaction::WriteMetadata(IOBuffer* buf,
-                                          int buf_len,
-                                          CompletionOnceCallback callback) {
-  DCHECK(buf);
-  DCHECK_GT(buf_len, 0);
-  DCHECK(!callback.is_null());
-  if (!cache_.get() || !entry_)
-    return ERR_UNEXPECTED;
-
-  // We don't need to track this operation for anything.
-  // It could be possible to check if there is something already written and
-  // avoid writing again (it should be the same, right?), but let's allow the
-  // caller to "update" the contents with something new.
-  return entry_->disk_entry->WriteData(kMetadataIndex, 0, buf, buf_len,
-                                       std::move(callback), true);
-}
-
 LoadState HttpCache::Transaction::GetWriterLoadState() const {
   const HttpTransaction* transaction = network_transaction();
   if (transaction)
@@ -376,7 +349,7 @@ int HttpCache::Transaction::Read(IOBuffer* buf,
 
   reading_ = true;
   read_buf_ = buf;
-  io_buf_len_ = buf_len;
+  read_buf_len_ = buf_len;
   int rv = TransitionToReadingState();
   if (rv != OK || next_state_ == STATE_NONE)
     return rv;
@@ -977,13 +950,6 @@ int HttpCache::Transaction::DoLoop(int result) {
         DCHECK_EQ(OK, rv);
         rv = DoPartialHeadersReceived();
         break;
-      case STATE_CACHE_READ_METADATA:
-        DCHECK_EQ(OK, rv);
-        rv = DoCacheReadMetadata();
-        break;
-      case STATE_CACHE_READ_METADATA_COMPLETE:
-        rv = DoCacheReadMetadataComplete(rv);
-        break;
       case STATE_HEADERS_PHASE_CANNOT_PROCEED:
         rv = DoHeadersPhaseCannotProceed(rv);
         break;
@@ -1054,7 +1020,7 @@ int HttpCache::Transaction::DoGetBackendComplete(int result) {
   mode_ = NONE;
 
   // Keep track of the fraction of requests that we can double-key.
-  UMA_HISTOGRAM_BOOLEAN("HttpCache.TopFrameOriginPresent",
+  UMA_HISTOGRAM_BOOLEAN("HttpCache.NetworkIsolationKeyPresent",
                         request_->network_isolation_key.IsFullyPopulated());
 
   if (!ShouldPassThrough()) {
@@ -2078,17 +2044,7 @@ int HttpCache::Transaction::DoTruncateCachedMetadataComplete(int result) {
 int HttpCache::Transaction::DoPartialHeadersReceived() {
   new_response_ = nullptr;
 
-  if (!partial_) {
-    if (entry_ && entry_->disk_entry->GetDataSize(kMetadataIndex) &&
-        !base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache)) {
-      TransitionToState(STATE_CACHE_READ_METADATA);
-    } else {
-      TransitionToState(STATE_FINISH_HEADERS);
-    }
-    return OK;
-  }
-
-  if (mode_ != NONE && !reading_) {
+  if (partial_ && mode_ != NONE && !reading_) {
     // We are about to return the headers for a byte-range request to the user,
     // so let's fix them.
     partial_->FixResponseHeaders(response_.headers.get(), true);
@@ -2175,39 +2131,11 @@ int HttpCache::Transaction::DoFinishHeadersComplete(int rv) {
   return rv;
 }
 
-int HttpCache::Transaction::DoCacheReadMetadata() {
-  TRACE_EVENT0("io", "HttpCacheTransaction::DoCacheReadMetadata");
-  DCHECK(entry_);
-  DCHECK(!response_.metadata.get());
-  DCHECK(!base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache));
-  TransitionToState(STATE_CACHE_READ_METADATA_COMPLETE);
-
-  response_.metadata = base::MakeRefCounted<IOBufferWithSize>(
-      entry_->disk_entry->GetDataSize(kMetadataIndex));
-
-  net_log_.BeginEvent(NetLogEventType::HTTP_CACHE_READ_INFO);
-  return entry_->disk_entry->ReadData(kMetadataIndex, 0,
-                                      response_.metadata.get(),
-                                      response_.metadata->size(),
-                                      io_callback_);
-}
-
-int HttpCache::Transaction::DoCacheReadMetadataComplete(int result) {
-  TRACE_EVENT0("io", "HttpCacheTransaction::DoCacheReadMetadataComplete");
-  net_log_.EndEventWithNetErrorCode(NetLogEventType::HTTP_CACHE_READ_INFO,
-                                    result);
-  if (result != response_.metadata->size())
-    return OnCacheReadError(result, false);
-
-  TransitionToState(STATE_FINISH_HEADERS);
-  return OK;
-}
-
 int HttpCache::Transaction::DoNetworkReadCacheWrite() {
   TRACE_EVENT0("io", "HttpCacheTransaction::DoNetworkReadCacheWrite");
   DCHECK(InWriters());
   TransitionToState(STATE_NETWORK_READ_CACHE_WRITE_COMPLETE);
-  return entry_->writers->Read(read_buf_, io_buf_len_, io_callback_, this);
+  return entry_->writers->Read(read_buf_, read_buf_len_, io_callback_, this);
 }
 
 int HttpCache::Transaction::DoNetworkReadCacheWriteComplete(int result) {
@@ -2280,7 +2208,7 @@ int HttpCache::Transaction::DoPartialNetworkReadCompleted(int result) {
 int HttpCache::Transaction::DoNetworkRead() {
   TRACE_EVENT0("io", "HttpCacheTransaction::DoNetworkRead");
   TransitionToState(STATE_NETWORK_READ_COMPLETE);
-  return network_trans_->Read(read_buf_.get(), io_buf_len_, io_callback_);
+  return network_trans_->Read(read_buf_.get(), read_buf_len_, io_callback_);
 }
 
 int HttpCache::Transaction::DoNetworkReadComplete(int result) {
@@ -2312,12 +2240,12 @@ int HttpCache::Transaction::DoCacheReadData() {
   if (net_log_.IsCapturing())
     net_log_.BeginEvent(NetLogEventType::HTTP_CACHE_READ_DATA);
   if (partial_) {
-    return partial_->CacheRead(entry_->disk_entry, read_buf_.get(), io_buf_len_,
-                               io_callback_);
+    return partial_->CacheRead(entry_->disk_entry, read_buf_.get(),
+                               read_buf_len_, io_callback_);
   }
 
   return entry_->disk_entry->ReadData(kResponseContentIndex, read_offset_,
-                                      read_buf_.get(), io_buf_len_,
+                                      read_buf_.get(), read_buf_len_,
                                       io_callback_);
 }
 
@@ -2425,10 +2353,9 @@ void HttpCache::Transaction::SetRequest(const NetLogWithSource& net_log) {
   if (range_found || special_headers || external_validation_.initialized) {
     // Log the headers before request_ is modified.
     std::string empty;
-    net_log_.AddEvent(
-        NetLogEventType::HTTP_CACHE_CALLER_REQUEST_HEADERS,
-        base::Bind(&HttpRequestHeaders::NetLogCallback,
-                   base::Unretained(&request_->extra_headers), &empty));
+    NetLogRequestHeaders(net_log_,
+                         NetLogEventType::HTTP_CACHE_CALLER_REQUEST_HEADERS,
+                         empty, &request_->extra_headers);
   }
 
   // We don't support ranges and validation headers.
@@ -2481,7 +2408,8 @@ bool HttpCache::Transaction::ShouldPassThrough() {
   // again. Also, if the request does not have a top frame origin, bypass the
   // cache otherwise resources from different pages could share a cached entry
   // in such cases.
-  if (base::FeatureList::IsEnabled(features::kSplitCacheByTopFrameOrigin) &&
+  if (base::FeatureList::IsEnabled(
+          features::kSplitCacheByNetworkIsolationKey) &&
       request_->network_isolation_key.IsTransient()) {
     return true;
   }
@@ -2526,12 +2454,7 @@ int HttpCache::Transaction::BeginCacheRead() {
   if (method_ == "HEAD")
     FixHeadersForHead();
 
-  if (entry_->disk_entry->GetDataSize(kMetadataIndex) &&
-      !base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache)) {
-    TransitionToState(STATE_CACHE_READ_METADATA);
-  } else {
-    TransitionToState(STATE_FINISH_HEADERS);
-  }
+  TransitionToState(STATE_FINISH_HEADERS);
   return OK;
 }
 
@@ -2783,10 +2706,6 @@ ValidationType HttpCache::Transaction::RequiresValidation() {
       validation_cause_ = VALIDATION_CAUSE_ZERO_FRESHNESS;
     } else {
       validation_cause_ = VALIDATION_CAUSE_STALE;
-      stale_entry_freshness_ = lifetimes.freshness;
-      stale_entry_age_ = response_.headers->GetCurrentAge(
-          response_.request_time, response_.response_time,
-          cache_->clock_->Now());
     }
   }
 
@@ -3104,12 +3023,7 @@ int HttpCache::Transaction::DoSetupEntryForRead() {
   if (method_ == "HEAD")
     FixHeadersForHead();
 
-  if (entry_->disk_entry->GetDataSize(kMetadataIndex) &&
-      !base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache)) {
-    TransitionToState(STATE_CACHE_READ_METADATA);
-  } else {
-    TransitionToState(STATE_FINISH_HEADERS);
-  }
+  TransitionToState(STATE_FINISH_HEADERS);
   return OK;
 }
 
@@ -3450,45 +3364,6 @@ void HttpCache::Transaction::RecordHistograms() {
       cache_entry_status_ == CacheEntryStatus::ENTRY_VALIDATED ||
       cache_entry_status_ == CacheEntryStatus::ENTRY_UPDATED;
 
-  bool stale_request =
-      validation_cause_ == VALIDATION_CAUSE_STALE &&
-      (validation_request ||
-       cache_entry_status_ == CacheEntryStatus::ENTRY_CANT_CONDITIONALIZE);
-  int64_t freshness_periods_since_last_used = 0;
-
-  if (stale_request && !open_entry_last_used_.is_null()) {
-    // Note that we are not able to capture those transactions' histograms which
-    // when added to entry, the response was being written by another
-    // transaction because getting the last used timestamp might lead to a data
-    // race in that case. TODO(crbug.com/713354).
-
-    // For stale entries, record how many freshness periods have elapsed since
-    // the entry was last used.
-    DCHECK(!stale_entry_freshness_.is_zero());
-    base::TimeDelta time_since_use = base::Time::Now() - open_entry_last_used_;
-    freshness_periods_since_last_used =
-        (time_since_use * 1000) / stale_entry_freshness_;
-
-    if (validation_request) {
-      int64_t age_in_freshness_periods =
-          (stale_entry_age_ * 100) / stale_entry_freshness_;
-      if (cache_entry_status_ == CacheEntryStatus::ENTRY_VALIDATED) {
-        UMA_HISTOGRAM_COUNTS_1M("HttpCache.StaleEntry.Validated.Age",
-                                stale_entry_age_.InSeconds());
-        UMA_HISTOGRAM_COUNTS_1M(
-            "HttpCache.StaleEntry.Validated.AgeInFreshnessPeriods",
-            age_in_freshness_periods);
-
-      } else {
-        UMA_HISTOGRAM_COUNTS_1M("HttpCache.StaleEntry.Updated.Age",
-                                stale_entry_age_.InSeconds());
-        UMA_HISTOGRAM_COUNTS_1M(
-            "HttpCache.StaleEntry.Updated.AgeInFreshnessPeriods",
-            age_in_freshness_periods);
-      }
-    }
-  }
-
   std::string mime_type;
   HttpResponseHeaders* response_headers = GetResponseInfo()->headers.get();
   if (response_headers && response_headers->GetMimeType(&mime_type)) {
@@ -3528,6 +3403,10 @@ void HttpCache::Transaction::RecordHistograms() {
   }
 
   CACHE_STATUS_HISTOGRAMS("");
+  if (validation_request) {
+    UMA_HISTOGRAM_ENUMERATION("HttpCache.ValidationCause", validation_cause_,
+                              VALIDATION_CAUSE_MAX);
+  }
 
   if (cache_entry_status_ == CacheEntryStatus::ENTRY_CANT_CONDITIONALIZE) {
     UMA_HISTOGRAM_ENUMERATION("HttpCache.CantConditionalizeCause",
@@ -3568,17 +3447,9 @@ void HttpCache::Transaction::RecordHistograms() {
 
   TimeDelta before_send_time = send_request_since_ - first_cache_access_since_;
   TimeDelta after_send_time = now - send_request_since_;
-  int64_t before_send_percent = (total_time.ToInternalValue() == 0)
-                                    ? 0
-                                    : before_send_time * 100 / total_time;
-  DCHECK_GE(before_send_percent, 0);
-  DCHECK_LE(before_send_percent, 100);
-  base::HistogramBase::Sample before_send_sample =
-      static_cast<base::HistogramBase::Sample>(before_send_percent);
 
   UMA_HISTOGRAM_TIMES("HttpCache.AccessToDone.SentRequest", total_time);
   UMA_HISTOGRAM_TIMES("HttpCache.BeforeSend", before_send_time);
-  UMA_HISTOGRAM_PERCENTAGE("HttpCache.PercentBeforeSend", before_send_sample);
 
   // TODO(gavinp): Remove or minimize these histograms, particularly the ones
   // below this comment after we have received initial data.
@@ -3588,29 +3459,21 @@ void HttpCache::Transaction::RecordHistograms() {
                           before_send_time);
       UMA_HISTOGRAM_TIMES("HttpCache.AfterSend.CantConditionalize",
                           after_send_time);
-      UMA_HISTOGRAM_PERCENTAGE("HttpCache.PercentBeforeSend.CantConditionalize",
-                               before_send_sample);
       break;
     }
     case CacheEntryStatus::ENTRY_NOT_IN_CACHE: {
       UMA_HISTOGRAM_TIMES("HttpCache.BeforeSend.NotCached", before_send_time);
       UMA_HISTOGRAM_TIMES("HttpCache.AfterSend.NotCached", after_send_time);
-      UMA_HISTOGRAM_PERCENTAGE("HttpCache.PercentBeforeSend.NotCached",
-                               before_send_sample);
       break;
     }
     case CacheEntryStatus::ENTRY_VALIDATED: {
       UMA_HISTOGRAM_TIMES("HttpCache.BeforeSend.Validated", before_send_time);
       UMA_HISTOGRAM_TIMES("HttpCache.AfterSend.Validated", after_send_time);
-      UMA_HISTOGRAM_PERCENTAGE("HttpCache.PercentBeforeSend.Validated",
-                               before_send_sample);
       break;
     }
     case CacheEntryStatus::ENTRY_UPDATED: {
       UMA_HISTOGRAM_TIMES("HttpCache.AfterSend.Updated", after_send_time);
       UMA_HISTOGRAM_TIMES("HttpCache.BeforeSend.Updated", before_send_time);
-      UMA_HISTOGRAM_PERCENTAGE("HttpCache.PercentBeforeSend.Updated",
-                               before_send_sample);
       break;
     }
     default:
diff --git a/chromium/net/http/http_cache_transaction.h b/chromium/net/http/http_cache_transaction.h
index e4cc343f25f..ec14305ab56 100644
--- a/chromium/net/http/http_cache_transaction.h
+++ b/chromium/net/http/http_cache_transaction.h
@@ -86,25 +86,6 @@ class NET_EXPORT_PRIVATE HttpCache::Transaction : public HttpTransaction {
 
   const std::string& key() const { return cache_key_; }
 
-  // Writes |buf_len| bytes of meta-data from the provided buffer |buf|. to the
-  // HTTP cache entry that backs this transaction (if any).
-  // Returns the number of bytes actually written, or a net error code. If the
-  // operation cannot complete immediately, returns ERR_IO_PENDING, grabs a
-  // reference to the buffer (until completion), and notifies the caller using
-  // the provided |callback| when the operation finishes.
-  //
-  // The first time this method is called for a given transaction, previous
-  // meta-data will be overwritten with the provided data, and subsequent
-  // invocations will keep appending to the cached entry.
-  //
-  // In order to guarantee that the metadata is set to the correct entry, the
-  // response (or response info) must be evaluated by the caller, for instance
-  // to make sure that the response_time is as expected, before calling this
-  // method.
-  int WriteMetadata(IOBuffer* buf,
-                    int buf_len,
-                    CompletionOnceCallback callback);
-
   HttpCache::ActiveEntry* entry() { return entry_; }
 
   // Returns the LoadState of the writer transaction of a given ActiveEntry. In
@@ -278,8 +259,6 @@ class NET_EXPORT_PRIVATE HttpCache::Transaction : public HttpTransaction {
     STATE_TRUNCATE_CACHED_METADATA,
     STATE_TRUNCATE_CACHED_METADATA_COMPLETE,
     STATE_PARTIAL_HEADERS_RECEIVED,
-    STATE_CACHE_READ_METADATA,
-    STATE_CACHE_READ_METADATA_COMPLETE,
     STATE_HEADERS_PHASE_CANNOT_PROCEED,
     STATE_FINISH_HEADERS,
     STATE_FINISH_HEADERS_COMPLETE,
@@ -360,8 +339,6 @@ class NET_EXPORT_PRIVATE HttpCache::Transaction : public HttpTransaction {
   int DoTruncateCachedMetadata();
   int DoTruncateCachedMetadataComplete(int result);
   int DoPartialHeadersReceived();
-  int DoCacheReadMetadata();
-  int DoCacheReadMetadataComplete(int result);
   int DoHeadersPhaseCannotProceed(int result);
   int DoFinishHeaders(int result);
   int DoFinishHeadersComplete(int result);
@@ -621,6 +598,10 @@ class NET_EXPORT_PRIVATE HttpCache::Transaction : public HttpTransaction {
                                              // lock.
   bool fail_conditionalization_for_test_;  // Fail ConditionalizeRequest.
   scoped_refptr<IOBuffer> read_buf_;
+
+  // Length of the buffer passed in Read().
+  int read_buf_len_;
+
   int io_buf_len_;
   int read_offset_;
   int effective_load_flags_;
@@ -643,8 +624,6 @@ class NET_EXPORT_PRIVATE HttpCache::Transaction : public HttpTransaction {
   base::TimeTicks send_request_since_;
   base::TimeTicks read_headers_since_;
   base::Time open_entry_last_used_;
-  base::TimeDelta stale_entry_freshness_;
-  base::TimeDelta stale_entry_age_;
   bool cant_conditionalize_zero_freshness_from_memhint_;
   bool recorded_histograms_;
   ParallelWritingPattern parallel_writing_pattern_;
@@ -675,7 +654,7 @@ class NET_EXPORT_PRIVATE HttpCache::Transaction : public HttpTransaction {
   // True if the Transaction is currently processing the DoLoop.
   bool in_do_loop_;
 
-  base::WeakPtrFactory<Transaction> weak_factory_;
+  base::WeakPtrFactory<Transaction> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(Transaction);
 };
diff --git a/chromium/net/http/http_cache_unittest.cc b/chromium/net/http/http_cache_unittest.cc
index 51452135915..8d4f37b7cba 100644
--- a/chromium/net/http/http_cache_unittest.cc
+++ b/chromium/net/http/http_cache_unittest.cc
@@ -57,7 +57,6 @@
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/ssl/ssl_cert_request_info.h"
@@ -659,7 +658,7 @@ class FakeWebSocketHandshakeStreamCreateHelper
 // Returns true if |entry| is not one of the log types paid attention to in this
 // test. Note that HTTP_CACHE_WRITE_INFO and HTTP_CACHE_*_DATA are
 // ignored.
-bool ShouldIgnoreLogEntry(const TestNetLogEntry& entry) {
+bool ShouldIgnoreLogEntry(const NetLogEntry& entry) {
   switch (entry.type) {
     case NetLogEventType::HTTP_CACHE_GET_BACKEND:
     case NetLogEventType::HTTP_CACHE_OPEN_OR_CREATE_ENTRY:
@@ -674,21 +673,18 @@ bool ShouldIgnoreLogEntry(const TestNetLogEntry& entry) {
   }
 }
 
-// Modifies |entries| to only include log entries created by the cache layer and
-// asserted on in these tests.
-void FilterLogEntries(TestNetLogEntry::List* entries) {
-  base::EraseIf(*entries, ShouldIgnoreLogEntry);
+// Gets the entries from |net_log| created by the cache layer and asserted on in
+// these tests.
+std::vector<NetLogEntry> GetFilteredNetLogEntries(
+    const BoundTestNetLog& net_log) {
+  auto entries = net_log.GetEntries();
+  base::EraseIf(entries, ShouldIgnoreLogEntry);
+  return entries;
 }
 
 bool LogContainsEventType(const BoundTestNetLog& log,
                           NetLogEventType expected) {
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
-  for (size_t i = 0; i < entries.size(); i++) {
-    if (entries[i].type == expected)
-      return true;
-  }
-  return false;
+  return !log.GetEntriesWithType(expected).empty();
 }
 
 }  // namespace
@@ -736,6 +732,24 @@ class HttpCacheIOCallbackTest : public HttpCacheTest {
   }
 };
 
+class HttpSplitCacheKeyTest : public HttpCacheTest {
+ public:
+  HttpSplitCacheKeyTest() {}
+  ~HttpSplitCacheKeyTest() override = default;
+
+  std::string ComputeCacheKey(const std::string& url_string) {
+    GURL url(url_string);
+    const auto kOrigin = url::Origin::Create(url);
+    net::HttpRequestInfo request_info;
+    request_info.url = url;
+    request_info.method = "GET";
+    request_info.network_isolation_key =
+        net::NetworkIsolationKey(kOrigin, kOrigin);
+    MockHttpCache cache;
+    return cache.http_cache()->GenerateCacheKeyForTest(&request_info);
+  }
+};
+
 //-----------------------------------------------------------------------------
 // Tests.
 
@@ -786,9 +800,7 @@ TEST_F(HttpCacheTest, SimpleGETNoDiskCache) {
 
   // Check that the NetLog was filled as expected.
   // (We attempted to OpenOrCreate entries, but fail).
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
-  FilterLogEntries(&entries);
+  auto entries = GetFilteredNetLogEntries(log);
 
   EXPECT_EQ(4u, entries.size());
   EXPECT_TRUE(LogContainsBeginEvent(entries, 0,
@@ -955,9 +967,7 @@ TEST_F(HttpCacheTest, SimpleGET_LoadOnlyFromCache_Hit) {
                                  log.bound(), &load_timing_info);
 
   // Check that the NetLog was filled as expected.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
-  FilterLogEntries(&entries);
+  auto entries = GetFilteredNetLogEntries(log);
 
   EXPECT_EQ(6u, entries.size());
   EXPECT_TRUE(LogContainsBeginEvent(entries, 0,
@@ -985,8 +995,7 @@ TEST_F(HttpCacheTest, SimpleGET_LoadOnlyFromCache_Hit) {
                                  &load_timing_info);
 
   // Check that the NetLog was filled as expected.
-  log.GetEntries(&entries);
-  FilterLogEntries(&entries);
+  entries = GetFilteredNetLogEntries(log);
 
   EXPECT_EQ(8u, entries.size());
   EXPECT_TRUE(LogContainsBeginEvent(entries, 0,
@@ -1260,9 +1269,7 @@ TEST_F(HttpCacheTest, SimpleGET_LoadBypassCache) {
                                  &load_timing_info);
 
   // Check that the NetLog was filled as expected.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
-  FilterLogEntries(&entries);
+  auto entries = GetFilteredNetLogEntries(log);
 
   EXPECT_EQ(8u, entries.size());
   EXPECT_TRUE(LogContainsBeginEvent(entries, 0,
@@ -5809,7 +5816,8 @@ TEST_F(HttpCacheTest, SimplePOST_Invalidate_205) {
 // with cache split by top-frame origin.
 TEST_F(HttpCacheTest, SimplePOST_Invalidate_205_SplitCache) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(net::features::kSplitCacheByTopFrameOrigin);
+  feature_list.InitAndEnableFeature(
+      net::features::kSplitCacheByNetworkIsolationKey);
   url::Origin origin_a = url::Origin::Create(GURL("http://a.com"));
   url::Origin origin_b = url::Origin::Create(GURL("http://b.com"));
 
@@ -5818,14 +5826,14 @@ TEST_F(HttpCacheTest, SimplePOST_Invalidate_205_SplitCache) {
   MockTransaction transaction(kSimpleGET_Transaction);
   AddMockTransaction(&transaction);
   MockHttpRequest req1(transaction);
-  req1.network_isolation_key = NetworkIsolationKey(origin_a);
+  req1.network_isolation_key = NetworkIsolationKey(origin_a, origin_a);
 
   // Attempt to populate the cache.
   RunTransactionTestWithRequest(cache.http_cache(), transaction, req1, nullptr);
 
   // Same for a different origin.
   MockHttpRequest req1b(transaction);
-  req1b.network_isolation_key = NetworkIsolationKey(origin_b);
+  req1b.network_isolation_key = NetworkIsolationKey(origin_b, origin_b);
   RunTransactionTestWithRequest(cache.http_cache(), transaction, req1b,
                                 nullptr);
 
@@ -5842,7 +5850,7 @@ TEST_F(HttpCacheTest, SimplePOST_Invalidate_205_SplitCache) {
   transaction.status = "HTTP/1.1 205 No Content";
   MockHttpRequest req2(transaction);
   req2.upload_data_stream = &upload_data_stream;
-  req2.network_isolation_key = NetworkIsolationKey(origin_a);
+  req2.network_isolation_key = NetworkIsolationKey(origin_a, origin_a);
 
   RunTransactionTestWithRequest(cache.http_cache(), transaction, req2, nullptr);
 
@@ -9597,10 +9605,89 @@ TEST_F(HttpCacheTest, UpdatesRequestResponseTimeOn304) {
 
   RemoveMockTransaction(&mock_network_response);
 }
+TEST_F(HttpCacheTest, SplitCacheWithFrameOrigin) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      {net::features::kSplitCacheByNetworkIsolationKey,
+       net::features::kAppendFrameOriginToNetworkIsolationKey},
+      {});
+
+  base::HistogramTester histograms;
+  MockHttpCache cache;
+  HttpResponseInfo response;
+
+  url::Origin origin_a = url::Origin::Create(GURL("http://a.com"));
+  url::Origin origin_b = url::Origin::Create(GURL("http://b.com"));
+  url::Origin origin_data =
+      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
+
+  MockHttpRequest trans_info = MockHttpRequest(kSimpleGET_Transaction);
+  // Request with a.com as the top frame and subframe origins. It shouldn't be
+  // cached.
+  trans_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_a);
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_FALSE(response.was_cached);
+  histograms.ExpectBucketCount("HttpCache.NetworkIsolationKeyPresent", true, 1);
+  histograms.ExpectTotalCount("HttpCache.NetworkIsolationKeyPresent", 1);
+
+  // The second request should be cached.
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_TRUE(response.was_cached);
+
+  // Now request with b.com as the subframe origin. It shouldn't be cached.
+  trans_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_b);
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_FALSE(response.was_cached);
+
+  // The second request should be cached.
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_TRUE(response.was_cached);
+
+  // a.com should still be cached.
+  trans_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_a);
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_TRUE(response.was_cached);
+
+  // Now make a request with an opaque subframe origin.  It shouldn't be
+  // cached.
+  trans_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_data);
+  EXPECT_TRUE(trans_info.network_isolation_key.ToString().empty());
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_FALSE(response.was_cached);
+
+  // On the second request, it still shouldn't be cached.
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_FALSE(response.was_cached);
+
+  // Verify that a post transaction with a data stream uses a separate key.
+  const int64_t kUploadId = 1;  // Just a dummy value.
+
+  std::vector<std::unique_ptr<UploadElementReader>> element_readers;
+  element_readers.push_back(
+      std::make_unique<UploadBytesElementReader>("hello", 5));
+  ElementsUploadDataStream upload_data_stream(std::move(element_readers),
+                                              kUploadId);
+
+  MockHttpRequest post_info = MockHttpRequest(kSimplePOST_Transaction);
+  post_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_a);
+  post_info.upload_data_stream = &upload_data_stream;
+
+  RunTransactionTestWithRequest(cache.http_cache(), kSimplePOST_Transaction,
+                                post_info, &response);
+  EXPECT_FALSE(response.was_cached);
+}
 
 TEST_F(HttpCacheTest, SplitCache) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(net::features::kSplitCacheByTopFrameOrigin);
+  feature_list.InitAndEnableFeature(
+      net::features::kSplitCacheByNetworkIsolationKey);
 
   base::HistogramTester histograms;
   MockHttpCache cache;
@@ -9616,7 +9703,8 @@ TEST_F(HttpCacheTest, SplitCache) {
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
-  histograms.ExpectUniqueSample("HttpCache.TopFrameOriginPresent", false, 1);
+  histograms.ExpectUniqueSample("HttpCache.NetworkIsolationKeyPresent", false,
+                                1);
 
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
@@ -9624,12 +9712,12 @@ TEST_F(HttpCacheTest, SplitCache) {
 
   // Now request with a.com as the top frame origin. It shouldn't be cached
   // since the cached resource has a different top frame origin.
-  trans_info.network_isolation_key = NetworkIsolationKey(origin_a);
+  trans_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_a);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
-  histograms.ExpectBucketCount("HttpCache.TopFrameOriginPresent", true, 1);
-  histograms.ExpectTotalCount("HttpCache.TopFrameOriginPresent", 3);
+  histograms.ExpectBucketCount("HttpCache.NetworkIsolationKeyPresent", true, 1);
+  histograms.ExpectTotalCount("HttpCache.NetworkIsolationKeyPresent", 3);
 
   // The second request should be cached.
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
@@ -9637,7 +9725,7 @@ TEST_F(HttpCacheTest, SplitCache) {
   EXPECT_TRUE(response.was_cached);
 
   // Now request with b.com as the top frame origin. It shouldn't be cached.
-  trans_info.network_isolation_key = NetworkIsolationKey(origin_b);
+  trans_info.network_isolation_key = NetworkIsolationKey(origin_b, origin_b);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -9648,14 +9736,15 @@ TEST_F(HttpCacheTest, SplitCache) {
   EXPECT_TRUE(response.was_cached);
 
   // a.com should still be cached.
-  trans_info.network_isolation_key = NetworkIsolationKey(origin_a);
+  trans_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_b);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_TRUE(response.was_cached);
 
   // Now make a request with an opaque top frame origin.  It shouldn't be
   // cached.
-  trans_info.network_isolation_key = NetworkIsolationKey(origin_data);
+  trans_info.network_isolation_key =
+      NetworkIsolationKey(origin_data, origin_data);
   EXPECT_TRUE(trans_info.network_isolation_key.ToString().empty());
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
@@ -9676,7 +9765,7 @@ TEST_F(HttpCacheTest, SplitCache) {
                                               kUploadId);
 
   MockHttpRequest post_info = MockHttpRequest(kSimplePOST_Transaction);
-  post_info.network_isolation_key = NetworkIsolationKey(origin_a);
+  post_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_a);
   post_info.upload_data_stream = &upload_data_stream;
 
   RunTransactionTestWithRequest(cache.http_cache(), kSimplePOST_Transaction,
@@ -9687,7 +9776,7 @@ TEST_F(HttpCacheTest, SplitCache) {
 TEST_F(HttpCacheTest, NonSplitCache) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndDisableFeature(
-      net::features::kSplitCacheByTopFrameOrigin);
+      net::features::kSplitCacheByNetworkIsolationKey);
 
   base::HistogramTester histograms;
   MockHttpCache cache;
@@ -9706,176 +9795,13 @@ TEST_F(HttpCacheTest, NonSplitCache) {
 
   // Now request with a.com as the top frame origin. It should use the same
   // cached object.
-  trans_info.network_isolation_key =
-      NetworkIsolationKey(url::Origin::Create(GURL("http://a.com/")));
+  const auto kOriginA = url::Origin::Create(GURL("http://a.com/"));
+  trans_info.network_isolation_key = NetworkIsolationKey(kOriginA, kOriginA);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_TRUE(response.was_cached);
-  histograms.ExpectBucketCount("HttpCache.TopFrameOriginPresent", true, 1);
-  histograms.ExpectTotalCount("HttpCache.TopFrameOriginPresent", 3);
-}
-
-// Tests that we can write metadata to an entry.
-TEST_F(HttpCacheTest, WriteMetadata_OK) {
-  base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndDisableFeature(net::features::kIsolatedCodeCache);
-  ASSERT_FALSE(base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache));
-  MockHttpCache cache;
-
-  // Write to the cache
-  HttpResponseInfo response;
-  RunTransactionTestWithResponseInfo(cache.http_cache(), kSimpleGET_Transaction,
-                                     &response);
-  EXPECT_TRUE(response.metadata.get() == nullptr);
-
-  // Trivial call.
-  cache.http_cache()->WriteMetadata(GURL("foo"), DEFAULT_PRIORITY, Time::Now(),
-                                    nullptr, 0);
-
-  // Write meta data to the same entry.
-  scoped_refptr<IOBufferWithSize> buf =
-      base::MakeRefCounted<IOBufferWithSize>(50);
-  memset(buf->data(), 0, buf->size());
-  base::strlcpy(buf->data(), "Hi there", buf->size());
-  cache.http_cache()->WriteMetadata(GURL(kSimpleGET_Transaction.url),
-                                    DEFAULT_PRIORITY, response.response_time,
-                                    buf.get(), buf->size());
-
-  // Release the buffer before the operation takes place.
-  buf = nullptr;
-
-  // Makes sure we finish pending operations.
-  base::RunLoop().RunUntilIdle();
-
-  RunTransactionTestWithResponseInfo(cache.http_cache(), kSimpleGET_Transaction,
-                                     &response);
-  ASSERT_TRUE(response.metadata.get() != nullptr);
-  EXPECT_EQ(50, response.metadata->size());
-  EXPECT_EQ(0, strcmp(response.metadata->data(), "Hi there"));
-
-  EXPECT_EQ(1, cache.network_layer()->transaction_count());
-  EXPECT_EQ(2, cache.disk_cache()->open_count());
-  EXPECT_EQ(1, cache.disk_cache()->create_count());
-}
-
-// Tests that we don't read metadata when IsolatedCodeCache is enabled.
-TEST_F(HttpCacheTest, ReadMetadata_IsolatedCache) {
-  base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(net::features::kIsolatedCodeCache);
-  ASSERT_TRUE(base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache));
-  MockHttpCache cache;
-
-  // Write to the cache
-  HttpResponseInfo response;
-  RunTransactionTestWithResponseInfo(cache.http_cache(), kSimpleGET_Transaction,
-                                     &response);
-  EXPECT_TRUE(response.metadata.get() == nullptr);
-
-  // Trivial call.
-  cache.http_cache()->WriteMetadata(GURL("foo"), DEFAULT_PRIORITY, Time::Now(),
-                                    nullptr, 0);
-
-  // Write meta data to the same entry.
-  scoped_refptr<IOBufferWithSize> buf =
-      base::MakeRefCounted<IOBufferWithSize>(50);
-  memset(buf->data(), 0, buf->size());
-  base::strlcpy(buf->data(), "Hi there", buf->size());
-  cache.http_cache()->WriteMetadata(GURL(kSimpleGET_Transaction.url),
-                                    DEFAULT_PRIORITY, response.response_time,
-                                    buf.get(), buf->size());
-
-  // Release the buffer before the operation takes place.
-  buf = nullptr;
-
-  // Makes sure we finish pending operations.
-  base::RunLoop().RunUntilIdle();
-
-  RunTransactionTestWithResponseInfo(cache.http_cache(), kSimpleGET_Transaction,
-                                     &response);
-  ASSERT_TRUE(response.metadata.get() == nullptr);
-
-  EXPECT_EQ(1, cache.network_layer()->transaction_count());
-  EXPECT_EQ(2, cache.disk_cache()->open_count());
-  EXPECT_EQ(1, cache.disk_cache()->create_count());
-}
-
-// Tests that we only write metadata to an entry if the time stamp matches.
-TEST_F(HttpCacheTest, WriteMetadata_Fail) {
-  base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndDisableFeature(net::features::kIsolatedCodeCache);
-  ASSERT_FALSE(base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache));
-  MockHttpCache cache;
-
-  // Write to the cache
-  HttpResponseInfo response;
-  RunTransactionTestWithResponseInfo(cache.http_cache(), kSimpleGET_Transaction,
-                                     &response);
-  EXPECT_TRUE(response.metadata.get() == nullptr);
-
-  // Attempt to write meta data to the same entry.
-  scoped_refptr<IOBufferWithSize> buf =
-      base::MakeRefCounted<IOBufferWithSize>(50);
-  memset(buf->data(), 0, buf->size());
-  base::strlcpy(buf->data(), "Hi there", buf->size());
-  base::Time expected_time = response.response_time -
-                             base::TimeDelta::FromMilliseconds(20);
-  cache.http_cache()->WriteMetadata(GURL(kSimpleGET_Transaction.url),
-                                    DEFAULT_PRIORITY, expected_time, buf.get(),
-                                    buf->size());
-
-  // Makes sure we finish pending operations.
-  base::RunLoop().RunUntilIdle();
-
-  RunTransactionTestWithResponseInfo(cache.http_cache(), kSimpleGET_Transaction,
-                                     &response);
-  EXPECT_TRUE(response.metadata.get() == nullptr);
-
-  EXPECT_EQ(1, cache.network_layer()->transaction_count());
-  EXPECT_EQ(2, cache.disk_cache()->open_count());
-  EXPECT_EQ(1, cache.disk_cache()->create_count());
-}
-
-// Tests that we ignore VARY checks when writing metadata since the request
-// headers for the WriteMetadata transaction are made up.
-TEST_F(HttpCacheTest, WriteMetadata_IgnoreVary) {
-  base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndDisableFeature(net::features::kIsolatedCodeCache);
-  ASSERT_FALSE(base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache));
-  MockHttpCache cache;
-
-  // Write to the cache
-  HttpResponseInfo response;
-  ScopedMockTransaction transaction(kSimpleGET_Transaction);
-  transaction.request_headers = "accept-encoding: gzip\r\n";
-  transaction.response_headers =
-      "Vary: accept-encoding\n"
-      "Cache-Control: max-age=10000\n";
-
-  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
-                                     &response);
-  EXPECT_FALSE(response.metadata);
-
-  // Attempt to write meta data to the same entry.
-  scoped_refptr<IOBufferWithSize> buf =
-      base::MakeRefCounted<IOBufferWithSize>(50);
-  memset(buf->data(), 0, buf->size());
-  base::strlcpy(buf->data(), "Hi there", buf->size());
-  cache.http_cache()->WriteMetadata(GURL(transaction.url), DEFAULT_PRIORITY,
-                                    response.response_time, buf.get(),
-                                    buf->size());
-
-  // Makes sure we finish pending operations.
-  base::RunLoop().RunUntilIdle();
-
-  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
-                                     &response);
-  ASSERT_TRUE(response.metadata);
-  EXPECT_EQ(50, response.metadata->size());
-  EXPECT_EQ(0, strcmp(response.metadata->data(), "Hi there"));
-
-  EXPECT_EQ(1, cache.network_layer()->transaction_count());
-  EXPECT_EQ(2, cache.disk_cache()->open_count());
-  EXPECT_EQ(1, cache.disk_cache()->create_count());
+  histograms.ExpectBucketCount("HttpCache.NetworkIsolationKeyPresent", true, 1);
+  histograms.ExpectTotalCount("HttpCache.NetworkIsolationKeyPresent", 3);
 }
 
 TEST_F(HttpCacheTest, SkipVaryCheck) {
@@ -9969,72 +9895,6 @@ TEST_F(HttpCacheTest, InvalidLoadFlagCombination) {
   RunTransactionTest(cache.http_cache(), transaction);
 }
 
-// Tests that we can read metadata after validating the entry and with READ mode
-// transactions.
-TEST_F(HttpCacheTest, ReadMetadata) {
-  base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndDisableFeature(net::features::kIsolatedCodeCache);
-  ASSERT_FALSE(base::FeatureList::IsEnabled(net::features::kIsolatedCodeCache));
-  MockHttpCache cache;
-
-  // Write to the cache
-  HttpResponseInfo response;
-  RunTransactionTestWithResponseInfo(cache.http_cache(),
-                                     kTypicalGET_Transaction, &response);
-  EXPECT_TRUE(response.metadata.get() == nullptr);
-
-  // Write meta data to the same entry.
-  scoped_refptr<IOBufferWithSize> buf =
-      base::MakeRefCounted<IOBufferWithSize>(50);
-  memset(buf->data(), 0, buf->size());
-  base::strlcpy(buf->data(), "Hi there", buf->size());
-  cache.http_cache()->WriteMetadata(GURL(kTypicalGET_Transaction.url),
-                                    DEFAULT_PRIORITY, response.response_time,
-                                    buf.get(), buf->size());
-
-  // Makes sure we finish pending operations.
-  base::RunLoop().RunUntilIdle();
-
-  // Start with a READ mode transaction.
-  MockTransaction trans1(kTypicalGET_Transaction);
-  trans1.load_flags = LOAD_ONLY_FROM_CACHE | LOAD_SKIP_CACHE_VALIDATION;
-
-  RunTransactionTestWithResponseInfo(cache.http_cache(), trans1, &response);
-  ASSERT_TRUE(response.metadata.get() != nullptr);
-  EXPECT_EQ(50, response.metadata->size());
-  EXPECT_EQ(0, strcmp(response.metadata->data(), "Hi there"));
-
-  EXPECT_EQ(1, cache.network_layer()->transaction_count());
-  EXPECT_EQ(2, cache.disk_cache()->open_count());
-  EXPECT_EQ(1, cache.disk_cache()->create_count());
-  base::RunLoop().RunUntilIdle();
-
-  // Now make sure that the entry is re-validated with the server.
-  trans1.load_flags = LOAD_VALIDATE_CACHE;
-  trans1.status = "HTTP/1.1 304 Not Modified";
-  AddMockTransaction(&trans1);
-
-  response.metadata = nullptr;
-  RunTransactionTestWithResponseInfo(cache.http_cache(), trans1, &response);
-  EXPECT_TRUE(response.metadata.get() != nullptr);
-
-  EXPECT_EQ(2, cache.network_layer()->transaction_count());
-  EXPECT_EQ(3, cache.disk_cache()->open_count());
-  EXPECT_EQ(1, cache.disk_cache()->create_count());
-  base::RunLoop().RunUntilIdle();
-  RemoveMockTransaction(&trans1);
-
-  // Now return 200 when validating the entry so the metadata will be lost.
-  MockTransaction trans2(kTypicalGET_Transaction);
-  trans2.load_flags = LOAD_VALIDATE_CACHE;
-  RunTransactionTestWithResponseInfo(cache.http_cache(), trans2, &response);
-  EXPECT_TRUE(response.metadata.get() == nullptr);
-
-  EXPECT_EQ(3, cache.network_layer()->transaction_count());
-  EXPECT_EQ(4, cache.disk_cache()->open_count());
-  EXPECT_EQ(1, cache.disk_cache()->create_count());
-}
-
 // Tests that we don't mark entries as truncated when a filter detects the end
 // of the stream.
 TEST_F(HttpCacheTest, FilterCompletion) {
@@ -11343,6 +11203,21 @@ TEST_F(HttpCacheTest, CacheEntryStatusCantConditionalize) {
             response_info.cache_entry_status);
 }
 
+TEST_F(HttpSplitCacheKeyTest, GetResourceURLFromKey) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      net::features::kSplitCacheByNetworkIsolationKey);
+  MockHttpCache cache;
+  std::string urls[] = {"http://www.a.com/", "https://b.com/example.html",
+                        "http://example.com/Some Path/Some Leaf?some query"};
+
+  for (const std::string& url : urls) {
+    std::string key = ComputeCacheKey(url);
+    EXPECT_EQ(GURL(url).spec(),
+              cache.http_cache()->GetResourceURLFromHttpCacheKey(key));
+  }
+}
+
 class TestCompletionCallbackForHttpCache : public TestCompletionCallbackBase {
  public:
   TestCompletionCallbackForHttpCache() {}
diff --git a/chromium/net/http/http_cache_writers.cc b/chromium/net/http/http_cache_writers.cc
index c20d5d37936..5d8e78d22dd 100644
--- a/chromium/net/http/http_cache_writers.cc
+++ b/chromium/net/http/http_cache_writers.cc
@@ -50,7 +50,7 @@ HttpCache::Writers::TransactionInfo::TransactionInfo(const TransactionInfo&) =
     default;
 
 HttpCache::Writers::Writers(HttpCache* cache, HttpCache::ActiveEntry* entry)
-    : cache_(cache), entry_(entry), weak_factory_(this) {}
+    : cache_(cache), entry_(entry) {}
 
 HttpCache::Writers::~Writers() = default;
 
diff --git a/chromium/net/http/http_cache_writers.h b/chromium/net/http/http_cache_writers.h
index e914ab1026e..c638aeba65e 100644
--- a/chromium/net/http/http_cache_writers.h
+++ b/chromium/net/http/http_cache_writers.h
@@ -283,7 +283,7 @@ class NET_EXPORT_PRIVATE HttpCache::Writers {
   // end of DoLoop().
   base::OnceClosure cache_callback_;  // Callback for cache_.
 
-  base::WeakPtrFactory<Writers> weak_factory_;
+  base::WeakPtrFactory<Writers> weak_factory_{this};
   DISALLOW_COPY_AND_ASSIGN(Writers);
 };
 
diff --git a/chromium/net/http/http_log_util.cc b/chromium/net/http/http_log_util.cc
index 699dd804e35..9c9bc1dbe5c 100644
--- a/chromium/net/http/http_log_util.cc
+++ b/chromium/net/http/http_log_util.cc
@@ -8,6 +8,9 @@
 #include "base/strings/stringprintf.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_scheme.h"
+#include "net/http/http_request_headers.h"
+#include "net/http/http_response_headers.h"
+#include "net/log/net_log_with_source.h"
 
 namespace net {
 
@@ -41,7 +44,7 @@ std::string ElideHeaderValueForNetLog(NetLogCaptureMode capture_mode,
   std::string::const_iterator redact_end = value.begin();
 
   if (redact_begin == redact_end &&
-      !capture_mode.include_cookies_and_credentials()) {
+      !NetLogCaptureIncludesSensitive(capture_mode)) {
     if (base::EqualsCaseInsensitiveASCII(header, "set-cookie") ||
         base::EqualsCaseInsensitiveASCII(header, "set-cookie2") ||
         base::EqualsCaseInsensitiveASCII(header, "cookie") ||
@@ -70,4 +73,21 @@ std::string ElideHeaderValueForNetLog(NetLogCaptureMode capture_mode,
       std::string(redact_end, value.end());
 }
 
+NET_EXPORT void NetLogResponseHeaders(const NetLogWithSource& net_log,
+                                      NetLogEventType type,
+                                      const HttpResponseHeaders* headers) {
+  net_log.AddEvent(type, [&](NetLogCaptureMode capture_mode) {
+    return headers->NetLogParams(capture_mode);
+  });
+}
+
+void NetLogRequestHeaders(const NetLogWithSource& net_log,
+                          NetLogEventType type,
+                          const std::string& request_line,
+                          const HttpRequestHeaders* headers) {
+  net_log.AddEvent(type, [&](NetLogCaptureMode capture_mode) {
+    return headers->NetLogParams(request_line, capture_mode);
+  });
+}
+
 }  // namespace net
diff --git a/chromium/net/http/http_log_util.h b/chromium/net/http/http_log_util.h
index 15a58f7f0b6..ca417487338 100644
--- a/chromium/net/http/http_log_util.h
+++ b/chromium/net/http/http_log_util.h
@@ -9,9 +9,14 @@
 
 #include "net/base/net_export.h"
 #include "net/log/net_log_capture_mode.h"
+#include "net/log/net_log_event_type.h"
 
 namespace net {
 
+class NetLogWithSource;
+class HttpResponseHeaders;
+class HttpRequestHeaders;
+
 // Given an HTTP header |header| with value |value|, returns the elided version
 // of the header value at |log_level|.
 NET_EXPORT_PRIVATE std::string ElideHeaderValueForNetLog(
@@ -19,6 +24,15 @@ NET_EXPORT_PRIVATE std::string ElideHeaderValueForNetLog(
     const std::string& header,
     const std::string& value);
 
+NET_EXPORT void NetLogResponseHeaders(const NetLogWithSource& net_log,
+                                      NetLogEventType type,
+                                      const HttpResponseHeaders* headers);
+
+NET_EXPORT void NetLogRequestHeaders(const NetLogWithSource& net_log,
+                                     NetLogEventType type,
+                                     const std::string& request_line,
+                                     const HttpRequestHeaders* headers);
+
 }  // namespace net
 
 #endif  // NET_HTTP_HTTP_LOG_UTIL_H_
diff --git a/chromium/net/http/http_log_util_unittest.cc b/chromium/net/http/http_log_util_unittest.cc
index 9b6ec8f8646..c4406c8afdb 100644
--- a/chromium/net/http/http_log_util_unittest.cc
+++ b/chromium/net/http/http_log_util_unittest.cc
@@ -11,61 +11,61 @@ namespace net {
 TEST(HttpLogUtilTest, ElideHeaderValueForNetLog) {
   // Only elide for appropriate log level.
   EXPECT_EQ("[10 bytes were stripped]",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(), "Cookie",
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault, "Cookie",
                                       "name=value"));
-  EXPECT_EQ("name=value", ElideHeaderValueForNetLog(
-                              NetLogCaptureMode::IncludeCookiesAndCredentials(),
-                              "Cookie", "name=value"));
+  EXPECT_EQ("name=value",
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kIncludeSensitive,
+                                      "Cookie", "name=value"));
 
   // Headers are compared case insensitively.
   EXPECT_EQ("[10 bytes were stripped]",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(), "cOoKiE",
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault, "cOoKiE",
                                       "name=value"));
 
   // These headers should be completely elided.
   EXPECT_EQ("[10 bytes were stripped]",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
-                                      "Set-Cookie", "name=value"));
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault, "Set-Cookie",
+                                      "name=value"));
   EXPECT_EQ("[10 bytes were stripped]",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                       "Set-Cookie2", "name=value"));
   EXPECT_EQ("[10 bytes were stripped]",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                       "Authorization", "Basic 1234"));
   EXPECT_EQ("[10 bytes were stripped]",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                       "Proxy-Authorization", "Basic 1234"));
 
   // Unknown headers should pass through.
-  EXPECT_EQ("value", ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+  EXPECT_EQ("value", ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                                "Boring", "value"));
 
   // Basic and Digest auth challenges are public.
   EXPECT_EQ("Basic realm=test",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                       "WWW-Authenticate", "Basic realm=test"));
   EXPECT_EQ("Digest realm=test",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                       "WWW-Authenticate", "Digest realm=test"));
   EXPECT_EQ("Basic realm=test", ElideHeaderValueForNetLog(
-                                    NetLogCaptureMode::Default(),
+                                    NetLogCaptureMode::kDefault,
                                     "Proxy-Authenticate", "Basic realm=test"));
   EXPECT_EQ(
       "Digest realm=test",
-      ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+      ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                 "Proxy-Authenticate", "Digest realm=test"));
 
   // Multi-round mechanisms partially elided.
   EXPECT_EQ("NTLM [4 bytes were stripped]",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                       "WWW-Authenticate", "NTLM 1234"));
   EXPECT_EQ("NTLM [4 bytes were stripped]",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                       "Proxy-Authenticate", "NTLM 1234"));
 
   // Leave whitespace intact.
   EXPECT_EQ("NTLM  [4 bytes were stripped] ",
-            ElideHeaderValueForNetLog(NetLogCaptureMode::Default(),
+            ElideHeaderValueForNetLog(NetLogCaptureMode::kDefault,
                                       "WWW-Authenticate", "NTLM  1234 "));
 }
 
diff --git a/chromium/net/http/http_negotiate_auth_system.h b/chromium/net/http/http_negotiate_auth_system.h
index cf90cd66a8d..15dcc6c4425 100644
--- a/chromium/net/http/http_negotiate_auth_system.h
+++ b/chromium/net/http/http_negotiate_auth_system.h
@@ -13,12 +13,13 @@ namespace net {
 
 class AuthCredentials;
 class HttpAuthChallengeTokenizer;
+class NetLogWithSource;
 
 class NET_EXPORT_PRIVATE HttpNegotiateAuthSystem {
  public:
   virtual ~HttpNegotiateAuthSystem() = default;
 
-  virtual bool Init() = 0;
+  virtual bool Init(const NetLogWithSource& net_log) = 0;
 
   // True if authentication needs the identity of the user from Chrome.
   virtual bool NeedsIdentity() const = 0;
@@ -57,6 +58,7 @@ class NET_EXPORT_PRIVATE HttpNegotiateAuthSystem {
                                 const std::string& spn,
                                 const std::string& channel_bindings,
                                 std::string* auth_token,
+                                const NetLogWithSource& net_log,
                                 CompletionOnceCallback callback) = 0;
 
   // Sets the delegation type allowed on the Kerberos ticket. This allows
diff --git a/chromium/net/http/http_network_layer.cc b/chromium/net/http/http_network_layer.cc
index ab48161c637..1c835fa6d75 100644
--- a/chromium/net/http/http_network_layer.cc
+++ b/chromium/net/http/http_network_layer.cc
@@ -24,18 +24,14 @@ HttpNetworkLayer::HttpNetworkLayer(HttpNetworkSession* session)
       suspended_(false) {
   DCHECK(session_);
 #if defined(OS_WIN)
-  base::PowerMonitor* power_monitor = base::PowerMonitor::Get();
-  if (power_monitor)
-    power_monitor->AddObserver(this);
+  base::PowerMonitor::AddObserver(this);
 #endif
 }
 
 HttpNetworkLayer::~HttpNetworkLayer() {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 #if defined(OS_WIN)
-  base::PowerMonitor* power_monitor = base::PowerMonitor::Get();
-  if (power_monitor)
-    power_monitor->RemoveObserver(this);
+  base::PowerMonitor::RemoveObserver(this);
 #endif
 }
 
diff --git a/chromium/net/http/http_network_session.cc b/chromium/net/http/http_network_session.cc
index d3ed27d0886..93e89e46866 100644
--- a/chromium/net/http/http_network_session.cc
+++ b/chromium/net/http/http_network_session.cc
@@ -40,19 +40,6 @@
 
 namespace net {
 
-namespace {
-
-SSLClientSocketContext CreateClientSocketContext(
-    const HttpNetworkSession::Context& context,
-    SSLClientSessionCache* ssl_client_session_cache) {
-  return SSLClientSocketContext(
-      context.cert_verifier, context.transport_security_state,
-      context.cert_transparency_verifier, context.ct_policy_enforcer,
-      ssl_client_session_cache);
-}
-
-}  // unnamed namespace
-
 // The maximum receive window sizes for HTTP/2 sessions and streams.
 const int32_t kSpdySessionMaxRecvWindowSize = 15 * 1024 * 1024;  // 15 MB
 const int32_t kSpdyStreamMaxRecvWindowSize = 6 * 1024 * 1024;    //  6 MB
@@ -98,46 +85,8 @@ HttpNetworkSession::Params::Params()
       enable_websocket_over_http2(false),
       enable_quic(false),
       enable_quic_proxies_for_https_urls(false),
-      quic_max_packet_length(quic::kDefaultMaxPacketSize),
-      quic_max_server_configs_stored_in_properties(0u),
-      quic_enable_socket_recv_optimization(false),
-      mark_quic_broken_when_network_blackholes(false),
-      retry_without_alt_svc_on_quic_errors(true),
-      support_ietf_format_quic_altsvc(false),
-      quic_close_sessions_on_ip_change(false),
-      quic_goaway_sessions_on_ip_change(false),
-      quic_idle_connection_timeout_seconds(kIdleConnectionTimeoutSeconds),
-      quic_reduced_ping_timeout_seconds(quic::kPingTimeoutSecs),
-      quic_retransmittable_on_wire_timeout_milliseconds(0),
-      quic_max_time_before_crypto_handshake_seconds(
-          quic::kMaxTimeForCryptoHandshakeSecs),
-      quic_max_idle_time_before_crypto_handshake_seconds(
-          quic::kInitialIdleTimeoutSecs),
-      quic_migrate_sessions_on_network_change_v2(false),
-      quic_migrate_sessions_early_v2(false),
-      quic_retry_on_alternate_network_before_handshake(false),
-      quic_migrate_idle_sessions(false),
-      quic_idle_session_migration_period(base::TimeDelta::FromSeconds(
-          kDefaultIdleSessionMigrationPeriodSeconds)),
-      quic_max_time_on_non_default_network(
-          base::TimeDelta::FromSeconds(kMaxTimeOnNonDefaultNetworkSecs)),
-      quic_max_migrations_to_non_default_network_on_write_error(
-          kMaxMigrationsToNonDefaultNetworkOnWriteError),
-      quic_max_migrations_to_non_default_network_on_path_degrading(
-          kMaxMigrationsToNonDefaultNetworkOnPathDegrading),
-      quic_allow_server_migration(false),
-      quic_allow_remote_alt_svc(true),
-      quic_race_stale_dns_on_connection(false),
-      quic_go_away_on_path_degrading(false),
-      quic_disable_bidirectional_streams(false),
-      quic_race_cert_verification(false),
-      quic_estimate_initial_rtt(false),
-      quic_headers_include_h2_stream_dependency(false),
-      quic_initial_rtt_for_handshake_milliseconds(0),
       http_09_on_non_default_ports_enabled(false),
       disable_idle_sockets_close_on_memory_pressure(false) {
-  quic_supported_versions.push_back(quic::ParsedQuicVersion(
-      quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_46));
   enable_early_data =
       base::FeatureList::IsEnabled(features::kEnableTLS13EarlyData);
 }
@@ -190,7 +139,11 @@ HttpNetworkSession::HttpNetworkSession(const Params& params,
       proxy_resolution_service_(context.proxy_resolution_service),
       ssl_config_service_(context.ssl_config_service),
       ssl_client_session_cache_(SSLClientSessionCache::Config()),
-      ssl_client_session_cache_privacy_mode_(SSLClientSessionCache::Config()),
+      ssl_client_context_(context.cert_verifier,
+                          context.transport_security_state,
+                          context.cert_transparency_verifier,
+                          context.ct_policy_enforcer,
+                          &ssl_client_session_cache_),
       push_delegate_(nullptr),
       quic_stream_factory_(
           context.net_log,
@@ -210,42 +163,14 @@ HttpNetworkSession::HttpNetworkSession(const Params& params,
                               : quic::QuicRandom::GetInstance(),
           context.quic_clock ? context.quic_clock
                              : quic::QuicChromiumClock::GetInstance(),
-          params.quic_max_packet_length,
-          params.quic_user_agent_id,
-          params.quic_max_server_configs_stored_in_properties > 0,
-          params.quic_close_sessions_on_ip_change,
-          params.quic_goaway_sessions_on_ip_change,
-          params.mark_quic_broken_when_network_blackholes,
-          params.quic_idle_connection_timeout_seconds,
-          params.quic_reduced_ping_timeout_seconds,
-          params.quic_retransmittable_on_wire_timeout_milliseconds,
-          params.quic_max_time_before_crypto_handshake_seconds,
-          params.quic_max_idle_time_before_crypto_handshake_seconds,
-          params.quic_migrate_sessions_on_network_change_v2,
-          params.quic_migrate_sessions_early_v2,
-          params.quic_retry_on_alternate_network_before_handshake,
-          params.quic_migrate_idle_sessions,
-          params.quic_idle_session_migration_period,
-          params.quic_max_time_on_non_default_network,
-          params.quic_max_migrations_to_non_default_network_on_write_error,
-          params.quic_max_migrations_to_non_default_network_on_path_degrading,
-          params.quic_allow_server_migration,
-          params.quic_race_stale_dns_on_connection,
-          params.quic_go_away_on_path_degrading,
-          params.quic_race_cert_verification,
-          params.quic_estimate_initial_rtt,
-          params.quic_headers_include_h2_stream_dependency,
-          params.quic_connection_options,
-          params.quic_client_connection_options,
-          params.quic_enable_socket_recv_optimization,
-          params.quic_initial_rtt_for_handshake_milliseconds),
+          params.quic_params),
       spdy_session_pool_(context.host_resolver,
                          context.ssl_config_service,
                          context.http_server_properties,
                          context.transport_security_state,
-                         params.quic_supported_versions,
+                         params.quic_params.supported_versions,
                          params.enable_spdy_ping_based_connection_checking,
-                         params.support_ietf_format_quic_altsvc,
+                         params.quic_params.support_ietf_format_quic_altsvc,
                          params.spdy_session_max_recv_window_size,
                          AddDefaultHttp2Settings(params.http2_settings),
                          params.greased_http2_frame,
@@ -274,7 +199,7 @@ HttpNetworkSession::HttpNetworkSession(const Params& params,
   next_protos_.push_back(kProtoHTTP11);
 
   http_server_properties_->SetMaxServerConfigsStoredInProperties(
-      params.quic_max_server_configs_stored_in_properties);
+      params.quic_params.max_server_configs_stored_in_properties);
 
   if (!params_.disable_idle_sockets_close_on_memory_pressure) {
     memory_pressure_listener_.reset(
@@ -293,14 +218,14 @@ HttpNetworkSession::~HttpNetworkSession() {
 
 void HttpNetworkSession::AddResponseDrainer(
     std::unique_ptr<HttpResponseBodyDrainer> drainer) {
-  DCHECK(!base::ContainsKey(response_drainers_, drainer.get()));
+  DCHECK(!base::Contains(response_drainers_, drainer.get()));
   HttpResponseBodyDrainer* drainer_ptr = drainer.get();
   response_drainers_[drainer_ptr] = std::move(drainer);
 }
 
 void HttpNetworkSession::RemoveResponseDrainer(
     HttpResponseBodyDrainer* drainer) {
-  DCHECK(base::ContainsKey(response_drainers_, drainer));
+  DCHECK(base::Contains(response_drainers_, drainer));
   response_drainers_[drainer].release();
   response_drainers_.erase(drainer);
 }
@@ -327,69 +252,78 @@ std::unique_ptr<base::Value> HttpNetworkSession::QuicInfoToValue() const {
   dict->SetBoolean("quic_enabled", IsQuicEnabled());
 
   auto connection_options(std::make_unique<base::ListValue>());
-  for (const auto& option : params_.quic_connection_options)
+  for (const auto& option : params_.quic_params.connection_options)
     connection_options->AppendString(quic::QuicTagToString(option));
   dict->Set("connection_options", std::move(connection_options));
 
   auto supported_versions(std::make_unique<base::ListValue>());
-  for (const auto& version : params_.quic_supported_versions)
+  for (const auto& version : params_.quic_params.supported_versions)
     supported_versions->AppendString(ParsedQuicVersionToString(version));
   dict->Set("supported_versions", std::move(supported_versions));
 
   auto origins_to_force_quic_on(std::make_unique<base::ListValue>());
-  for (const auto& origin : params_.origins_to_force_quic_on)
+  for (const auto& origin : params_.quic_params.origins_to_force_quic_on)
     origins_to_force_quic_on->AppendString(origin.ToString());
   dict->Set("origins_to_force_quic_on", std::move(origins_to_force_quic_on));
 
-  dict->SetInteger("max_packet_length", params_.quic_max_packet_length);
+  dict->SetInteger("max_packet_length", params_.quic_params.max_packet_length);
   dict->SetInteger("max_server_configs_stored_in_properties",
-                   params_.quic_max_server_configs_stored_in_properties);
+                   params_.quic_params.max_server_configs_stored_in_properties);
   dict->SetInteger("idle_connection_timeout_seconds",
-                   params_.quic_idle_connection_timeout_seconds);
+                   params_.quic_params.idle_connection_timeout.InSeconds());
   dict->SetInteger("reduced_ping_timeout_seconds",
-                   params_.quic_reduced_ping_timeout_seconds);
-  dict->SetBoolean("mark_quic_broken_when_network_blackholes",
-                   params_.mark_quic_broken_when_network_blackholes);
+                   params_.quic_params.reduced_ping_timeout.InSeconds());
+  dict->SetBoolean(
+      "mark_quic_broken_when_network_blackholes",
+      params_.quic_params.mark_quic_broken_when_network_blackholes);
   dict->SetBoolean("retry_without_alt_svc_on_quic_errors",
-                   params_.retry_without_alt_svc_on_quic_errors);
+                   params_.quic_params.retry_without_alt_svc_on_quic_errors);
   dict->SetBoolean("race_cert_verification",
-                   params_.quic_race_cert_verification);
+                   params_.quic_params.race_cert_verification);
   dict->SetBoolean("disable_bidirectional_streams",
-                   params_.quic_disable_bidirectional_streams);
+                   params_.quic_params.disable_bidirectional_streams);
   dict->SetBoolean("close_sessions_on_ip_change",
-                   params_.quic_close_sessions_on_ip_change);
+                   params_.quic_params.close_sessions_on_ip_change);
   dict->SetBoolean("goaway_sessions_on_ip_change",
-                   params_.quic_goaway_sessions_on_ip_change);
+                   params_.quic_params.goaway_sessions_on_ip_change);
   dict->SetBoolean("migrate_sessions_on_network_change_v2",
-                   params_.quic_migrate_sessions_on_network_change_v2);
+                   params_.quic_params.migrate_sessions_on_network_change_v2);
   dict->SetBoolean("migrate_sessions_early_v2",
-                   params_.quic_migrate_sessions_early_v2);
-  dict->SetInteger("retransmittable_on_wire_timeout_milliseconds",
-                   params_.quic_retransmittable_on_wire_timeout_milliseconds);
-  dict->SetBoolean("retry_on_alternate_network_before_handshake",
-                   params_.quic_retry_on_alternate_network_before_handshake);
-  dict->SetBoolean("migrate_idle_sessions", params_.quic_migrate_idle_sessions);
-  dict->SetInteger("idle_session_migration_period_seconds",
-                   params_.quic_idle_session_migration_period.InSeconds());
-  dict->SetInteger("max_time_on_non_default_network_seconds",
-                   params_.quic_max_time_on_non_default_network.InSeconds());
+                   params_.quic_params.migrate_sessions_early_v2);
+  dict->SetInteger(
+      "retransmittable_on_wire_timeout_milliseconds",
+      params_.quic_params.retransmittable_on_wire_timeout.InMilliseconds());
+  dict->SetBoolean(
+      "retry_on_alternate_network_before_handshake",
+      params_.quic_params.retry_on_alternate_network_before_handshake);
+  dict->SetBoolean("migrate_idle_sessions",
+                   params_.quic_params.migrate_idle_sessions);
+  dict->SetInteger(
+      "idle_session_migration_period_seconds",
+      params_.quic_params.idle_session_migration_period.InSeconds());
+  dict->SetInteger(
+      "max_time_on_non_default_network_seconds",
+      params_.quic_params.max_time_on_non_default_network.InSeconds());
   dict->SetInteger(
       "max_num_migrations_to_non_default_network_on_write_error",
-      params_.quic_max_migrations_to_non_default_network_on_write_error);
+      params_.quic_params.max_migrations_to_non_default_network_on_write_error);
   dict->SetInteger(
       "max_num_migrations_to_non_default_network_on_path_degrading",
-      params_.quic_max_migrations_to_non_default_network_on_path_degrading);
+      params_.quic_params
+          .max_migrations_to_non_default_network_on_path_degrading);
   dict->SetBoolean("allow_server_migration",
-                   params_.quic_allow_server_migration);
+                   params_.quic_params.allow_server_migration);
   dict->SetBoolean("race_stale_dns_on_connection",
-                   params_.quic_race_stale_dns_on_connection);
+                   params_.quic_params.race_stale_dns_on_connection);
   dict->SetBoolean("go_away_on_path_degrading",
-                   params_.quic_go_away_on_path_degrading);
-  dict->SetBoolean("estimate_initial_rtt", params_.quic_estimate_initial_rtt);
+                   params_.quic_params.go_away_on_path_degrading);
+  dict->SetBoolean("estimate_initial_rtt",
+                   params_.quic_params.estimate_initial_rtt);
   dict->SetBoolean("server_push_cancellation",
                    params_.enable_server_push_cancellation);
-  dict->SetInteger("initial_rtt_for_handshake_milliseconds",
-                   params_.quic_initial_rtt_for_handshake_milliseconds);
+  dict->SetInteger(
+      "initial_rtt_for_handshake_milliseconds",
+      params_.quic_params.initial_rtt_for_handshake.InMilliseconds());
 
   return std::move(dict);
 }
@@ -398,7 +332,8 @@ void HttpNetworkSession::CloseAllConnections() {
   normal_socket_pool_manager_->FlushSocketPoolsWithError(ERR_ABORTED);
   websocket_socket_pool_manager_->FlushSocketPoolsWithError(ERR_ABORTED);
   spdy_session_pool_.CloseCurrentSessions(ERR_ABORTED);
-  quic_stream_factory_.CloseAllSessions(ERR_ABORTED, quic::QUIC_INTERNAL_ERROR);
+  quic_stream_factory_.CloseAllSessions(ERR_ABORTED,
+                                        quic::QUIC_PEER_GOING_AWAY);
 }
 
 void HttpNetworkSession::CloseIdleConnections() {
@@ -489,7 +424,6 @@ void HttpNetworkSession::DisableQuic() {
 
 void HttpNetworkSession::ClearSSLSessionCache() {
   ssl_client_session_cache_.Flush();
-  ssl_client_session_cache_privacy_mode_.Flush();
 }
 
 CommonConnectJobParams HttpNetworkSession::CreateCommonConnectJobParams(
@@ -501,12 +435,9 @@ CommonConnectJobParams HttpNetworkSession::CreateCommonConnectJobParams(
                                      : ClientSocketFactory::GetDefaultFactory(),
       context_.host_resolver, &http_auth_cache_,
       context_.http_auth_handler_factory, &spdy_session_pool_,
-      &params_.quic_supported_versions, &quic_stream_factory_,
+      &params_.quic_params.supported_versions, &quic_stream_factory_,
       context_.proxy_delegate, context_.http_user_agent_settings,
-      CreateClientSocketContext(context_, &ssl_client_session_cache_),
-      CreateClientSocketContext(context_,
-                                &ssl_client_session_cache_privacy_mode_),
-      context_.socket_performance_watcher_factory,
+      &ssl_client_context_, context_.socket_performance_watcher_factory,
       context_.network_quality_estimator, context_.net_log,
       for_websockets ? &websocket_endpoint_lock_manager_ : nullptr);
 }
diff --git a/chromium/net/http/http_network_session.h b/chromium/net/http/http_network_session.h
index d6caef9c3a9..1e2131fe79e 100644
--- a/chromium/net/http/http_network_session.h
+++ b/chromium/net/http/http_network_session.h
@@ -136,105 +136,8 @@ class NET_EXPORT HttpNetworkSession {
     // If true, HTTPS URLs can be sent to QUIC proxies.
     bool enable_quic_proxies_for_https_urls;
 
-    // QUIC runtime configuration options.
-
-    // Versions of QUIC which may be used.
-    quic::ParsedQuicVersionVector quic_supported_versions;
-    // User agent description to send in the QUIC handshake.
-    std::string quic_user_agent_id;
-    // Limit on the size of QUIC packets.
-    size_t quic_max_packet_length;
-    // Maximum number of server configs that are to be stored in
-    // HttpServerProperties, instead of the disk cache.
-    size_t quic_max_server_configs_stored_in_properties;
-    // QUIC will be used for all connections in this set.
-    std::set<HostPortPair> origins_to_force_quic_on;
-    // Set of QUIC tags to send in the handshake's connection options.
-    quic::QuicTagVector quic_connection_options;
-    // Set of QUIC tags to send in the handshake's connection options that only
-    // affect the client.
-    quic::QuicTagVector quic_client_connection_options;
-    // Enables experimental optimization for receiving data in UDPSocket.
-    bool quic_enable_socket_recv_optimization;
-
-    // Active QUIC experiments
-
-    // Marks a QUIC server broken when a connection blackholes after the
-    // handshake is confirmed.
-    bool mark_quic_broken_when_network_blackholes;
-    // Retry requests which fail with QUIC_PROTOCOL_ERROR, and mark QUIC
-    // broken if the retry succeeds.
-    bool retry_without_alt_svc_on_quic_errors;
-    // If true, alt-svc headers advertising QUIC in IETF format will be
-    // supported.
-    bool support_ietf_format_quic_altsvc;
-    // If true, all QUIC sessions are closed when any local IP address changes.
-    bool quic_close_sessions_on_ip_change;
-    // If true, all QUIC sessions are marked as goaway when any local IP address
-    // changes.
-    bool quic_goaway_sessions_on_ip_change;
-    // Specifies QUIC idle connection state lifetime.
-    int quic_idle_connection_timeout_seconds;
-    // Specifies the reduced ping timeout subsequent connections should use when
-    // a connection was timed out with open streams.
-    int quic_reduced_ping_timeout_seconds;
-    // Maximum time that a session can have no retransmittable packets on the
-    // wire. Set to zero if not specified and no retransmittable PING will be
-    // sent to peer when the wire has no retransmittable packets.
-    int quic_retransmittable_on_wire_timeout_milliseconds;
-    // Maximum time the session can be alive before crypto handshake is
-    // finished.
-    int quic_max_time_before_crypto_handshake_seconds;
-    // Maximum idle time before the crypto handshake has completed.
-    int quic_max_idle_time_before_crypto_handshake_seconds;
-    // If true, connection migration v2 will be used to migrate existing
-    // sessions to network when the platform indicates that the default network
-    // is changing.
-    bool quic_migrate_sessions_on_network_change_v2;
-    // If true, connection migration v2 may be used to migrate active QUIC
-    // sessions to alternative network if current network connectivity is poor.
-    bool quic_migrate_sessions_early_v2;
-    // If true, a new connection may be kicked off on an alternate network when
-    // a connection fails on the default network before handshake is confirmed.
-    bool quic_retry_on_alternate_network_before_handshake;
-    // If true, an idle session will be migrated within the idle migration
-    // period.
-    bool quic_migrate_idle_sessions;
-    // A session can be migrated if its idle time is within this period.
-    base::TimeDelta quic_idle_session_migration_period;
-    // Maximum time the session could be on the non-default network before
-    // migrates back to default network. Defaults to
-    // kMaxTimeOnNonDefaultNetwork.
-    base::TimeDelta quic_max_time_on_non_default_network;
-    // Maximum number of migrations to the non-default network on write error
-    // per network for each session.
-    int quic_max_migrations_to_non_default_network_on_write_error;
-    // Maximum number of migrations to the non-default network on path
-    // degrading per network for each session.
-    int quic_max_migrations_to_non_default_network_on_path_degrading;
-    // If true, allows migration of QUIC connections to a server-specified
-    // alternate server address.
-    bool quic_allow_server_migration;
-    // If true, allows QUIC to use alternative services with a different
-    // hostname from the origin.
-    bool quic_allow_remote_alt_svc;
-    // If true, the quic stream factory may race connection from stale dns
-    // result with the original dns resolution
-    bool quic_race_stale_dns_on_connection;
-    // If true, the quic session may mark itself as GOAWAY on path degrading.
-    bool quic_go_away_on_path_degrading;
-    // If true, bidirectional streams over QUIC will be disabled.
-    bool quic_disable_bidirectional_streams;
-    // If true, race cert verification with host resolution.
-    bool quic_race_cert_verification;
-    // If true, estimate the initial RTT for QUIC connections based on network.
-    bool quic_estimate_initial_rtt;
-    // If true, client headers will include HTTP/2 stream dependency info
-    // derived from the request priority.
-    bool quic_headers_include_h2_stream_dependency;
-    // The initial rtt that will be used in crypto handshake if no cached
-    // smoothed rtt is present.
-    int quic_initial_rtt_for_handshake_milliseconds;
+    // QUIC runtime configuration options and active experiments.
+    QuicParams quic_params;
 
     // If non-empty, QUIC will only be spoken to hosts in this list.
     base::flat_set<std::string> quic_host_whitelist;
@@ -414,7 +317,7 @@ class NET_EXPORT HttpNetworkSession {
   HttpAuthCache http_auth_cache_;
   SSLClientAuthCache ssl_client_auth_cache_;
   SSLClientSessionCache ssl_client_session_cache_;
-  SSLClientSessionCache ssl_client_session_cache_privacy_mode_;
+  SSLClientContext ssl_client_context_;
   WebSocketEndpointLockManager websocket_endpoint_lock_manager_;
   std::unique_ptr<ClientSocketPoolManager> normal_socket_pool_manager_;
   std::unique_ptr<ClientSocketPoolManager> websocket_socket_pool_manager_;
diff --git a/chromium/net/http/http_network_transaction.cc b/chromium/net/http/http_network_transaction.cc
index 010c62a496b..9aea7f000c9 100644
--- a/chromium/net/http/http_network_transaction.cc
+++ b/chromium/net/http/http_network_transaction.cc
@@ -40,6 +40,7 @@
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_basic_stream.h"
 #include "net/http/http_chunked_decoder.h"
+#include "net/http/http_log_util.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_proxy_client_socket.h"
 #include "net/http/http_request_headers.h"
@@ -399,9 +400,6 @@ int HttpNetworkTransaction::Read(IOBuffer* buf,
     DCHECK(proxy_info_.is_http() || proxy_info_.is_https() ||
            proxy_info_.is_quic());
     DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED);
-    LOG(WARNING) << "Blocked proxy response with status "
-                 << headers->response_code() << " to CONNECT request for "
-                 << GetHostAndPort(url_) << ".";
     return ERR_TUNNEL_CONNECTION_FAILED;
   }
 
@@ -1060,7 +1058,7 @@ int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
   } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
     DCHECK(stream_.get());
     DCHECK(IsSecureRequest());
-    response_.cert_request_info = new SSLCertRequestInfo;
+    response_.cert_request_info = base::MakeRefCounted<SSLCertRequestInfo>();
     stream_->GetSSLCertRequestInfo(response_.cert_request_info.get());
     result = HandleCertificateRequest(result);
     if (result == OK)
@@ -1108,16 +1106,9 @@ int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
     return OK;
   }
 
-  // Like Net.HttpResponseCode, but only for MAIN_FRAME loads.
-  if (request_->load_flags & LOAD_MAIN_FRAME_DEPRECATED) {
-    const int response_code = response_.headers->response_code();
-    UMA_HISTOGRAM_ENUMERATION(
-        "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10);
-  }
-
-  net_log_.AddEvent(
-      NetLogEventType::HTTP_TRANSACTION_READ_RESPONSE_HEADERS,
-      base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers));
+  NetLogResponseHeaders(net_log_,
+                        NetLogEventType::HTTP_TRANSACTION_READ_RESPONSE_HEADERS,
+                        response_.headers.get());
   if (response_headers_callback_)
     response_headers_callback_.Run(response_.headers);
 
@@ -1633,11 +1624,11 @@ int HttpNetworkTransaction::HandleIOError(int error) {
       ResetConnectionAndRequestForResend();
       error = OK;
       break;
-    case ERR_SPDY_PING_FAILED:
-    case ERR_SPDY_SERVER_REFUSED_STREAM:
-    case ERR_SPDY_PUSHED_STREAM_NOT_AVAILABLE:
-    case ERR_SPDY_CLAIMED_PUSHED_STREAM_RESET_BY_SERVER:
-    case ERR_SPDY_PUSHED_RESPONSE_DOES_NOT_MATCH:
+    case ERR_HTTP2_PING_FAILED:
+    case ERR_HTTP2_SERVER_REFUSED_STREAM:
+    case ERR_HTTP2_PUSHED_STREAM_NOT_AVAILABLE:
+    case ERR_HTTP2_CLAIMED_PUSHED_STREAM_RESET_BY_SERVER:
+    case ERR_HTTP2_PUSHED_RESPONSE_DOES_NOT_MATCH:
     case ERR_QUIC_HANDSHAKE_FAILED:
       if (HasExceededMaxRetries())
         break;
@@ -1668,7 +1659,8 @@ int HttpNetworkTransaction::HandleIOError(int error) {
         retry_attempts_++;
         ResetConnectionAndRequestForResend();
         error = OK;
-      } else if (session_->params().retry_without_alt_svc_on_quic_errors) {
+      } else if (session_->params()
+                     .quic_params.retry_without_alt_svc_on_quic_errors) {
         // Disable alternative services for this request and retry it. If the
         // retry succeeds, then the alternative service will be marked as
         // broken then.
@@ -1853,18 +1845,14 @@ bool HttpNetworkTransaction::ContentEncodingsValid() const {
   request_headers_.GetHeader(HttpRequestHeaders::kAcceptEncoding,
                              &accept_encoding);
   std::set<std::string> allowed_encodings;
-  if (!HttpUtil::ParseAcceptEncoding(accept_encoding, &allowed_encodings)) {
-    FilterSourceStream::ReportContentDecodingFailed(SourceStream::TYPE_INVALID);
+  if (!HttpUtil::ParseAcceptEncoding(accept_encoding, &allowed_encodings))
     return false;
-  }
 
   std::string content_encoding;
   headers->GetNormalizedHeader("Content-Encoding", &content_encoding);
   std::set<std::string> used_encodings;
-  if (!HttpUtil::ParseContentEncoding(content_encoding, &used_encodings)) {
-    FilterSourceStream::ReportContentDecodingFailed(SourceStream::TYPE_INVALID);
+  if (!HttpUtil::ParseContentEncoding(content_encoding, &used_encodings))
     return false;
-  }
 
   // When "Accept-Encoding" is not specified, it is parsed as "*".
   // If "*" encoding is advertised, then any encoding should be "accepted".
@@ -1880,8 +1868,6 @@ bool HttpNetworkTransaction::ContentEncodingsValid() const {
     if (source_type == SourceStream::TYPE_UNKNOWN)
       continue;
     if (allowed_encodings.find(encoding) == allowed_encodings.end()) {
-      FilterSourceStream::ReportContentDecodingFailed(
-          SourceStream::TYPE_REJECTED);
       result = false;
       break;
     }
diff --git a/chromium/net/http/http_network_transaction.h b/chromium/net/http/http_network_transaction.h
index 86775540290..fbb7bf69337 100644
--- a/chromium/net/http/http_network_transaction.h
+++ b/chromium/net/http/http_network_transaction.h
@@ -422,8 +422,8 @@ class NET_EXPORT_PRIVATE HttpNetworkTransaction
   // Network error details for this transaction.
   NetErrorDetails net_error_details_;
 
-  // Number of retries made for network errors like ERR_SPDY_PING_FAILED,
-  // ERR_SPDY_SERVER_REFUSED_STREAM, ERR_QUIC_HANDSHAKE_FAILED and
+  // Number of retries made for network errors like ERR_HTTP2_PING_FAILED,
+  // ERR_HTTP2_SERVER_REFUSED_STREAM, ERR_QUIC_HANDSHAKE_FAILED and
   // ERR_QUIC_PROTOCOL_ERROR. Currently we stop after 3 tries
   // (including the initial request) and fail the request.
   // This count excludes retries on reused sockets since a well
diff --git a/chromium/net/http/http_network_transaction_unittest.cc b/chromium/net/http/http_network_transaction_unittest.cc
index 510b0e83524..7bd3fffca68 100644
--- a/chromium/net/http/http_network_transaction_unittest.cc
+++ b/chromium/net/http/http_network_transaction_unittest.cc
@@ -77,7 +77,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/proxy_resolution/mock_proxy_resolver.h"
 #include "net/proxy_resolution/proxy_config_service_fixed.h"
@@ -101,6 +100,7 @@
 #include "net/spdy/spdy_test_util_common.h"
 #include "net/ssl/client_cert_identity_test_util.h"
 #include "net/ssl/ssl_cert_request_info.h"
+#include "net/ssl/ssl_config.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/ssl/ssl_info.h"
 #include "net/ssl/ssl_private_key.h"
@@ -177,17 +177,17 @@ bool IsTransportSocketPoolStalled(HttpNetworkSession* session) {
 
 // Takes in a Value created from a NetLogHttpResponseParameter, and returns
 // a JSONified list of headers as a single string.  Uses single quotes instead
-// of double quotes for easier comparison.  Returns false on failure.
-bool GetHeaders(base::DictionaryValue* params, std::string* headers) {
-  if (!params)
-    return false;
-  base::ListValue* header_list;
-  if (!params->GetList("headers", &header_list))
-    return false;
-  std::string double_quote_headers;
-  base::JSONWriter::Write(*header_list, &double_quote_headers);
-  base::ReplaceChars(double_quote_headers, "\"", "'", headers);
-  return true;
+// of double quotes for easier comparison.
+std::string GetHeaders(const base::Value& params) {
+  if (!params.is_dict())
+    return "";
+  const base::Value* header_list = params.FindListKey("headers");
+  if (!header_list)
+    return "";
+  std::string headers;
+  base::JSONWriter::Write(*header_list, &headers);
+  base::ReplaceChars(headers, "\"", "'", &headers);
+  return headers;
 }
 
 // Tests LoadTimingInfo in the case a socket is reused and no PAC script is
@@ -360,6 +360,11 @@ class TestSSLConfigService : public SSLConfigService {
     return false;
   }
 
+  void UpdateSSLConfigAndNotify(const SSLConfig& config) {
+    config_ = config;
+    NotifySSLConfigChange();
+  }
+
  private:
   SSLConfig config_;
 };
@@ -381,9 +386,7 @@ class HttpNetworkTransactionTest : public PlatformTest,
  protected:
   HttpNetworkTransactionTest()
       : WithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::IO_MOCK_TIME,
-            base::test::ScopedTaskEnvironment::NowSource::
-                MAIN_THREAD_MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME_AND_NOW),
         dummy_connect_job_params_(
             nullptr /* client_socket_factory */,
             nullptr /* host_resolver */,
@@ -394,8 +397,7 @@ class HttpNetworkTransactionTest : public PlatformTest,
             nullptr /* quic_stream_factory */,
             nullptr /* proxy_delegate */,
             nullptr /* http_user_agent_settings */,
-            SSLClientSocketContext(),
-            SSLClientSocketContext(),
+            nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
             nullptr /* net_log */,
@@ -511,8 +513,7 @@ class HttpNetworkTransactionTest : public PlatformTest,
     rv = ReadTransaction(&trans, &out.response_data);
     EXPECT_THAT(rv, IsOk());
 
-    TestNetLogEntry::List entries;
-    log.GetEntries(&entries);
+    auto entries = log.GetEntries();
     size_t pos = ExpectLogContainsSomewhere(
         entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_REQUEST_HEADERS,
         NetLogEventPhase::NONE);
@@ -520,9 +521,8 @@ class HttpNetworkTransactionTest : public PlatformTest,
         entries, pos, NetLogEventType::HTTP_TRANSACTION_READ_RESPONSE_HEADERS,
         NetLogEventPhase::NONE);
 
-    std::string line;
-    EXPECT_TRUE(entries[pos].GetStringValue("line", &line));
-    EXPECT_EQ("GET / HTTP/1.1\r\n", line);
+    EXPECT_EQ("GET / HTTP/1.1\r\n",
+              GetStringValueFromParams(entries[pos], "line"));
 
     HttpRequestHeaders request_headers;
     EXPECT_TRUE(trans.GetFullRequestHeaders(&request_headers));
@@ -532,10 +532,8 @@ class HttpNetworkTransactionTest : public PlatformTest,
     EXPECT_TRUE(request_headers.GetHeader("Connection", &value));
     EXPECT_EQ("keep-alive", value);
 
-    std::string response_headers;
-    EXPECT_TRUE(GetHeaders(entries[pos].params.get(), &response_headers));
     EXPECT_EQ("['Host: www.example.org','Connection: keep-alive']",
-              response_headers);
+              GetHeaders(entries[pos].params));
 
     out.total_received_bytes = trans.GetTotalReceivedBytes();
     // The total number of sent bytes should not have changed.
@@ -808,6 +806,9 @@ bool CheckNTLMProxyAuth(
 
 }  // namespace
 
+// TODO(950069): Add testing for frame_origin in NetworkIsolationKey
+// using kAppendInitiatingFrameOriginToNetworkIsolationKey.
+
 TEST_F(HttpNetworkTransactionTest, Basic) {
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -1884,7 +1885,7 @@ void HttpNetworkTransactionTest::PreconnectErrorResendRequestTest(
 }
 
 // Test that we do not retry indefinitely when a server sends an error like
-// ERR_SPDY_PING_FAILED, ERR_SPDY_SERVER_REFUSED_STREAM,
+// ERR_HTTP2_PING_FAILED, ERR_HTTP2_SERVER_REFUSED_STREAM,
 // ERR_QUIC_HANDSHAKE_FAILED or ERR_QUIC_PROTOCOL_ERROR.
 TEST_F(HttpNetworkTransactionTest, FiniteRetriesOnIOError) {
   HttpRequestInfo request;
@@ -1923,7 +1924,7 @@ TEST_F(HttpNetworkTransactionTest, FiniteRetriesOnIOError) {
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   rv = callback.WaitForResult();
-  EXPECT_THAT(rv, IsError(ERR_SPDY_SERVER_REFUSED_STREAM));
+  EXPECT_THAT(rv, IsError(ERR_HTTP2_SERVER_REFUSED_STREAM));
 }
 
 TEST_F(HttpNetworkTransactionTest, RetryTwiceOnIOError) {
@@ -3361,8 +3362,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyNoKeepAliveHttp10) {
 
   rv = callback1.WaitForResult();
   EXPECT_THAT(rv, IsOk());
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
       NetLogEventPhase::NONE);
@@ -3486,8 +3486,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyNoKeepAliveHttp11) {
 
   rv = callback1.WaitForResult();
   EXPECT_THAT(rv, IsOk());
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
       NetLogEventPhase::NONE);
@@ -3609,8 +3608,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyKeepAliveHttp10) {
     int rv = trans.Start(&request, callback1.callback(), log.bound());
     EXPECT_THAT(callback1.GetResult(rv), IsOk());
 
-    TestNetLogEntry::List entries;
-    log.GetEntries(&entries);
+    auto entries = log.GetEntries();
     size_t pos = ExpectLogContainsSomewhere(
         entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
         NetLogEventPhase::NONE);
@@ -3720,8 +3718,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyKeepAliveHttp11) {
     int rv = trans.Start(&request, callback1.callback(), log.bound());
     EXPECT_THAT(callback1.GetResult(rv), IsOk());
 
-    TestNetLogEntry::List entries;
-    log.GetEntries(&entries);
+    auto entries = log.GetEntries();
     size_t pos = ExpectLogContainsSomewhere(
         entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
         NetLogEventPhase::NONE);
@@ -3846,8 +3843,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyKeepAliveExtraData) {
   int rv = trans->Start(&request, callback1.callback(), log.bound());
   EXPECT_THAT(callback1.GetResult(rv), IsOk());
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
       NetLogEventPhase::NONE);
@@ -4197,8 +4193,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsServerRequestsProxyAuthThroughProxy) {
 
   rv = callback1.WaitForResult();
   EXPECT_THAT(rv, IsError(ERR_UNEXPECTED_PROXY_AUTH));
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
       NetLogEventPhase::NONE);
@@ -9969,8 +9964,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthSpdyProxy) {
 
   rv = callback1.WaitForResult();
   EXPECT_THAT(rv, IsOk());
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
       NetLogEventPhase::NONE);
@@ -12191,7 +12185,7 @@ TEST_F(HttpNetworkTransactionTest, ClearAlternativeServices) {
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
   http_server_properties->SetQuicAlternativeService(
       test_server, alternative_service, expiration,
-      session->params().quic_supported_versions);
+      session->params().quic_params.supported_versions);
   EXPECT_EQ(
       1u,
       http_server_properties->GetAlternativeServiceInfos(test_server).size());
@@ -12344,7 +12338,7 @@ TEST_F(HttpNetworkTransactionTest, IdentifyQuicBroken) {
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
   http_server_properties->SetQuicAlternativeService(
       server, alternative_service, expiration,
-      HttpNetworkSession::Params().quic_supported_versions);
+      HttpNetworkSession::Params().quic_params.supported_versions);
   // Mark the QUIC alternative service as broken.
   http_server_properties->MarkAlternativeServiceBroken(alternative_service);
 
@@ -12409,12 +12403,12 @@ TEST_F(HttpNetworkTransactionTest, IdentifyQuicNotBroken) {
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service1, expiration,
-          session->params().quic_supported_versions));
+          session->params().quic_params.supported_versions));
   AlternativeService alternative_service2(kProtoQUIC, alternative2);
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service2, expiration,
-          session->params().quic_supported_versions));
+          session->params().quic_params.supported_versions));
 
   http_server_properties->SetAlternativeServices(
       server, alternative_service_info_vector);
@@ -14832,8 +14826,7 @@ TEST_F(HttpNetworkTransactionTest, ProxyTunnelGet) {
 
   rv = callback1.WaitForResult();
   EXPECT_THAT(rv, IsOk());
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
       NetLogEventPhase::NONE);
@@ -14913,8 +14906,7 @@ TEST_F(HttpNetworkTransactionTest, ProxyTunnelGetIPv6) {
 
   rv = callback1.WaitForResult();
   EXPECT_THAT(rv, IsOk());
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
       NetLogEventPhase::NONE);
@@ -14986,8 +14978,7 @@ TEST_F(HttpNetworkTransactionTest, ProxyTunnelGetHangup) {
 
   rv = callback1.WaitForResult();
   EXPECT_THAT(rv, IsError(ERR_EMPTY_RESPONSE));
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
       NetLogEventPhase::NONE);
@@ -15097,7 +15088,7 @@ TEST_F(HttpNetworkTransactionTest, ClientAuthCertCache_Direct_NoFalseStart) {
   request_info.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  scoped_refptr<SSLCertRequestInfo> cert_request(new SSLCertRequestInfo());
+  auto cert_request = base::MakeRefCounted<SSLCertRequestInfo>();
   cert_request->host_and_port = HostPortPair("www.example.com", 443);
 
   // [ssl_]data1 contains the data for the first SSL handshake. When a
@@ -15202,7 +15193,7 @@ TEST_F(HttpNetworkTransactionTest, ClientAuthCertCache_Direct_FalseStart) {
   request_info.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  scoped_refptr<SSLCertRequestInfo> cert_request(new SSLCertRequestInfo());
+  auto cert_request = base::MakeRefCounted<SSLCertRequestInfo>();
   cert_request->host_and_port = HostPortPair("www.example.com", 443);
 
   // When TLS False Start is used, SSLClientSocket::Connect() calls will
@@ -15818,8 +15809,7 @@ TEST_F(HttpNetworkTransactionTest, RetryWithoutConnectionPooling) {
   ASSERT_THAT(ReadTransaction(&trans2, &response_data), IsOk());
   EXPECT_EQ("hello!", response_data);
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP_TRANSACTION_RESTART_MISDIRECTED_REQUEST,
       NetLogEventPhase::NONE);
@@ -20198,7 +20188,6 @@ TEST_F(HttpNetworkTransactionTest, AuthEverything) {
   SSLSocketDataProvider ssl_proxy1(ASYNC, ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
   ssl_proxy1.cert_request_info = cert_request_info_proxy.get();
   ssl_proxy1.expected_send_client_cert = false;
-  ssl_proxy1.expected_false_start_enabled = true;
   StaticSocketDataProvider data1;
   session_deps_.socket_factory->AddSocketDataProvider(&data1);
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_proxy1);
@@ -20208,8 +20197,6 @@ TEST_F(HttpNetworkTransactionTest, AuthEverything) {
   SSLSocketDataProvider ssl_proxy2(ASYNC, OK);
   ssl_proxy2.expected_send_client_cert = true;
   ssl_proxy2.expected_client_cert = identity_proxy->certificate();
-  // Proxy connections with client certs disable False Start.
-  ssl_proxy2.expected_false_start_enabled = false;
   // The client attempts an HTTP CONNECT, but the proxy requests basic auth.
   std::vector<MockWrite> mock_writes2;
   std::vector<MockRead> mock_reads2;
@@ -20232,9 +20219,6 @@ TEST_F(HttpNetworkTransactionTest, AuthEverything) {
   // The origin requests client certificates.
   SSLSocketDataProvider ssl_origin2(ASYNC, ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
   ssl_origin2.cert_request_info = cert_request_info_origin.get();
-  // The origin connection is eligible for False Start, despite the proxy
-  // connection disabling it.
-  ssl_origin2.expected_false_start_enabled = true;
   StaticSocketDataProvider data2(mock_reads2, mock_writes2);
   session_deps_.socket_factory->AddSocketDataProvider(&data2);
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_proxy2);
@@ -20245,8 +20229,6 @@ TEST_F(HttpNetworkTransactionTest, AuthEverything) {
   SSLSocketDataProvider ssl_proxy3(ASYNC, OK);
   ssl_proxy3.expected_send_client_cert = true;
   ssl_proxy3.expected_client_cert = identity_proxy->certificate();
-  // Proxy connections with client certs disable False Start.
-  ssl_proxy3.expected_false_start_enabled = false;
   std::vector<MockWrite> mock_writes3;
   std::vector<MockRead> mock_reads3;
   mock_writes3.emplace_back(
@@ -20259,9 +20241,6 @@ TEST_F(HttpNetworkTransactionTest, AuthEverything) {
   SSLSocketDataProvider ssl_origin3(ASYNC, OK);
   ssl_origin3.expected_send_client_cert = true;
   ssl_origin3.expected_client_cert = identity_origin->certificate();
-  // The origin connection is eligible for False Start, despite the proxy
-  // connection disabling it.
-  ssl_origin3.expected_false_start_enabled = true;
   // The client sends the origin HTTP request, which results in another HTTP
   // auth request.
   mock_writes3.emplace_back(
@@ -20746,10 +20725,10 @@ TEST_F(HttpNetworkTransactionTest, ClientCertSocketReuse) {
 // same key, the second a different one. Checks that the requests are
 // partitioned across sockets as expected.
 TEST_F(HttpNetworkTransactionTest, NetworkIsolation) {
-  NetworkIsolationKey network_isolation_key1(
-      url::Origin::Create(GURL("http://origin1/")));
-  NetworkIsolationKey network_isolation_key2(
-      url::Origin::Create(GURL("http://origin2/")));
+  const auto kOrigin1 = url::Origin::Create(GURL("http://origin1/"));
+  const auto kOrigin2 = url::Origin::Create(GURL("http://origin2/"));
+  NetworkIsolationKey network_isolation_key1(kOrigin1, kOrigin1);
+  NetworkIsolationKey network_isolation_key2(kOrigin2, kOrigin2);
 
   for (bool partition_connections : {false, true}) {
     SCOPED_TRACE(partition_connections);
@@ -20894,10 +20873,10 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolation) {
 }
 
 TEST_F(HttpNetworkTransactionTest, NetworkIsolationH2) {
-  NetworkIsolationKey network_isolation_key1(
-      url::Origin::Create(GURL("http://origin1/")));
-  NetworkIsolationKey network_isolation_key2(
-      url::Origin::Create(GURL("http://origin2/")));
+  const auto kOrigin1 = url::Origin::Create(GURL("http://origin1/"));
+  const auto kOrigin2 = url::Origin::Create(GURL("http://origin2/"));
+  NetworkIsolationKey network_isolation_key1(kOrigin1, kOrigin1);
+  NetworkIsolationKey network_isolation_key2(kOrigin2, kOrigin2);
 
   // Whether to use an H2 proxy. When false, uses HTTPS H2 requests without a
   // proxy, when true, uses HTTP requests over an H2 proxy. It's unnecessary to
@@ -21109,4 +21088,490 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationH2) {
   }
 }
 
+// Preconnect two sockets with different NetworkIsolationKeys when
+// features::kPartitionConnectionsByNetworkIsolationKey is enabled. Then issue a
+// request and make sure the correct socket is used. Loops three times,
+// expecting to use the first preconnect, second preconnect, and neither.
+TEST_F(HttpNetworkTransactionTest, NetworkIsolationPreconnect) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kPartitionConnectionsByNetworkIsolationKey);
+
+  enum class TestCase {
+    kUseFirstPreconnect,
+    kUseSecondPreconnect,
+    kDontUsePreconnect,
+  };
+
+  const auto kOrigin1 = url::Origin::Create(GURL("http://origin1/"));
+  const auto kOrigin2 = url::Origin::Create(GURL("http://origin2/"));
+  const auto kOrigin3 = url::Origin::Create(GURL("http://origin3/"));
+  NetworkIsolationKey preconnect1_isolation_key(kOrigin1, kOrigin1);
+  NetworkIsolationKey preconnect2_isolation_key(kOrigin2, kOrigin2);
+  NetworkIsolationKey not_preconnected_isolation_key(kOrigin3, kOrigin3);
+
+  // Test that only preconnects with
+  for (TestCase test_case :
+       {TestCase::kUseFirstPreconnect, TestCase::kUseSecondPreconnect,
+        TestCase::kDontUsePreconnect}) {
+    SpdySessionDependencies session_deps;
+    // Make DNS lookups completely synchronously, so preconnects complete
+    // immediately.
+    session_deps.host_resolver->set_synchronous_mode(true);
+
+    const MockWrite kMockWrites[] = {
+        MockWrite(ASYNC, 0,
+                  "GET / HTTP/1.1\r\n"
+                  "Host: www.foo.com\r\n"
+                  "Connection: keep-alive\r\n\r\n"),
+    };
+
+    const MockRead kMockReads[] = {
+        MockRead(ASYNC, 1,
+                 "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
+                 "hello"),
+    };
+
+    // Used for the socket that will actually be used, which may or may not be
+    // one of the preconnects
+    SequencedSocketData used_socket_data(MockConnect(SYNCHRONOUS, OK),
+                                         kMockReads, kMockWrites);
+
+    // Used for the preconnects that won't actually be used.
+    SequencedSocketData preconnect1_data(MockConnect(SYNCHRONOUS, OK),
+                                         base::span<const MockRead>(),
+                                         base::span<const MockWrite>());
+    SequencedSocketData preconnect2_data(MockConnect(SYNCHRONOUS, OK),
+                                         base::span<const MockRead>(),
+                                         base::span<const MockWrite>());
+
+    NetworkIsolationKey network_isolation_key_for_request;
+
+    switch (test_case) {
+      case TestCase::kUseFirstPreconnect:
+        session_deps.socket_factory->AddSocketDataProvider(&used_socket_data);
+        session_deps.socket_factory->AddSocketDataProvider(&preconnect2_data);
+        network_isolation_key_for_request = preconnect1_isolation_key;
+        break;
+      case TestCase::kUseSecondPreconnect:
+        session_deps.socket_factory->AddSocketDataProvider(&preconnect1_data);
+        session_deps.socket_factory->AddSocketDataProvider(&used_socket_data);
+        network_isolation_key_for_request = preconnect2_isolation_key;
+        break;
+      case TestCase::kDontUsePreconnect:
+        session_deps.socket_factory->AddSocketDataProvider(&preconnect1_data);
+        session_deps.socket_factory->AddSocketDataProvider(&preconnect2_data);
+        session_deps.socket_factory->AddSocketDataProvider(&used_socket_data);
+        network_isolation_key_for_request = not_preconnected_isolation_key;
+        break;
+    }
+
+    std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps));
+
+    // Preconnect sockets.
+    HttpRequestInfo request;
+    request.method = "GET";
+    request.url = GURL("http://www.foo.com/");
+    request.traffic_annotation =
+        net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+
+    request.network_isolation_key = preconnect1_isolation_key;
+    session->http_stream_factory()->PreconnectStreams(1, request);
+
+    request.network_isolation_key = preconnect2_isolation_key;
+    session->http_stream_factory()->PreconnectStreams(1, request);
+
+    request.network_isolation_key = network_isolation_key_for_request;
+
+    EXPECT_EQ(2, GetIdleSocketCountInTransportSocketPool(session.get()));
+
+    // Make the request.
+    TestCompletionCallback callback;
+
+    HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
+
+    int rv = trans.Start(&request, callback.callback(), NetLogWithSource());
+    EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
+
+    rv = callback.WaitForResult();
+    EXPECT_THAT(rv, IsOk());
+
+    const HttpResponseInfo* response = trans.GetResponseInfo();
+    ASSERT_TRUE(response);
+    ASSERT_TRUE(response->headers);
+    EXPECT_EQ(200, response->headers->response_code());
+
+    std::string response_data;
+    rv = ReadTransaction(&trans, &response_data);
+    EXPECT_THAT(rv, IsOk());
+    EXPECT_EQ("hello", response_data);
+
+    if (test_case != TestCase::kDontUsePreconnect) {
+      EXPECT_EQ(2, GetIdleSocketCountInTransportSocketPool(session.get()));
+    } else {
+      EXPECT_EQ(3, GetIdleSocketCountInTransportSocketPool(session.get()));
+    }
+  }
+}
+
+// Test that the NetworkIsolationKey is passed down to SSLConfig so the session
+// cache is isolated.
+TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSL) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kPartitionSSLSessionsByNetworkIsolationKey},
+      {});
+
+  const auto kOrigin1 = url::Origin::Create(GURL("http://origin1/"));
+  const auto kOrigin2 = url::Origin::Create(GURL("http://origin2/"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+  std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
+
+  // The server always sends Connection: close, so each request goes over a
+  // distinct socket.
+
+  const MockWrite kWrites1[] = {
+      MockWrite("GET /1 HTTP/1.1\r\n"
+                "Host: foo.test\r\n"
+                "Connection: keep-alive\r\n\r\n")};
+
+  const MockRead kReads1[] = {
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: close\r\n"
+               "Content-Length: 1\r\n\r\n"
+               "1")};
+
+  const MockWrite kWrites2[] = {
+      MockWrite("GET /2 HTTP/1.1\r\n"
+                "Host: foo.test\r\n"
+                "Connection: keep-alive\r\n\r\n")};
+
+  const MockRead kReads2[] = {
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: close\r\n"
+               "Content-Length: 1\r\n\r\n"
+               "2")};
+
+  const MockWrite kWrites3[] = {
+      MockWrite("GET /3 HTTP/1.1\r\n"
+                "Host: foo.test\r\n"
+                "Connection: keep-alive\r\n\r\n")};
+
+  const MockRead kReads3[] = {
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: close\r\n"
+               "Content-Length: 1\r\n\r\n"
+               "3")};
+
+  StaticSocketDataProvider data1(kReads1, kWrites1);
+  StaticSocketDataProvider data2(kReads2, kWrites2);
+  StaticSocketDataProvider data3(kReads3, kWrites3);
+  session_deps_.socket_factory->AddSocketDataProvider(&data1);
+  session_deps_.socket_factory->AddSocketDataProvider(&data2);
+  session_deps_.socket_factory->AddSocketDataProvider(&data3);
+
+  SSLSocketDataProvider ssl_data1(ASYNC, OK);
+  ssl_data1.expected_host_and_port = HostPortPair("foo.test", 443);
+  ssl_data1.expected_network_isolation_key = kNetworkIsolationKey1;
+  SSLSocketDataProvider ssl_data2(ASYNC, OK);
+  ssl_data2.expected_host_and_port = HostPortPair("foo.test", 443);
+  ssl_data2.expected_network_isolation_key = kNetworkIsolationKey2;
+  SSLSocketDataProvider ssl_data3(ASYNC, OK);
+  ssl_data3.expected_host_and_port = HostPortPair("foo.test", 443);
+  ssl_data3.expected_network_isolation_key = kNetworkIsolationKey1;
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_data1);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_data2);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_data3);
+
+  TestCompletionCallback callback;
+  HttpRequestInfo request1;
+  request1.method = "GET";
+  request1.url = GURL("https://foo.test/1");
+  request1.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  request1.network_isolation_key = kNetworkIsolationKey1;
+  auto trans1 =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  int rv = trans1->Start(&request1, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  std::string response_data1;
+  EXPECT_THAT(ReadTransaction(trans1.get(), &response_data1), IsOk());
+  EXPECT_EQ("1", response_data1);
+  trans1.reset();
+
+  HttpRequestInfo request2;
+  request2.method = "GET";
+  request2.url = GURL("https://foo.test/2");
+  request2.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  request2.network_isolation_key = kNetworkIsolationKey2;
+  auto trans2 =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans2->Start(&request2, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  std::string response_data2;
+  EXPECT_THAT(ReadTransaction(trans2.get(), &response_data2), IsOk());
+  EXPECT_EQ("2", response_data2);
+  trans2.reset();
+
+  HttpRequestInfo request3;
+  request3.method = "GET";
+  request3.url = GURL("https://foo.test/3");
+  request3.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  request3.network_isolation_key = kNetworkIsolationKey1;
+  auto trans3 =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans3->Start(&request3, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  std::string response_data3;
+  EXPECT_THAT(ReadTransaction(trans3.get(), &response_data3), IsOk());
+  EXPECT_EQ("3", response_data3);
+  trans3.reset();
+}
+
+// Test that the NetworkIsolationKey is passed down to SSLConfig so the session
+// cache is isolated, for both origins and proxies.
+TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSLProxy) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kPartitionSSLSessionsByNetworkIsolationKey},
+      {});
+
+  session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
+      "https://myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  const auto kOrigin1 = url::Origin::Create(GURL("http://origin1/"));
+  const auto kOrigin2 = url::Origin::Create(GURL("http://origin2/"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+  std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
+
+  // Make both a tunneled and non-tunneled request.
+  HttpRequestInfo request1;
+  request1.method = "GET";
+  request1.url = GURL("https://foo.test/1");
+  request1.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  request1.network_isolation_key = kNetworkIsolationKey1;
+
+  HttpRequestInfo request2;
+  request2.method = "GET";
+  request2.url = GURL("http://foo.test/2");
+  request2.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  request2.network_isolation_key = kNetworkIsolationKey2;
+
+  const MockWrite kWrites1[] = {
+      MockWrite("CONNECT foo.test:443 HTTP/1.1\r\n"
+                "Host: foo.test:443\r\n"
+                "Proxy-Connection: keep-alive\r\n\r\n"),
+      MockWrite("GET /1 HTTP/1.1\r\n"
+                "Host: foo.test\r\n"
+                "Connection: keep-alive\r\n\r\n")};
+
+  const MockRead kReads1[] = {
+      MockRead("HTTP/1.1 200 Connection Established\r\n\r\n"),
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: close\r\n"
+               "Content-Length: 1\r\n\r\n"
+               "1")};
+
+  const MockWrite kWrites2[] = {
+      MockWrite("GET http://foo.test/2 HTTP/1.1\r\n"
+                "Host: foo.test\r\n"
+                "Proxy-Connection: keep-alive\r\n\r\n")};
+
+  const MockRead kReads2[] = {
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: close\r\n"
+               "Content-Length: 1\r\n\r\n"
+               "2")};
+
+  StaticSocketDataProvider data1(kReads1, kWrites1);
+  StaticSocketDataProvider data2(kReads2, kWrites2);
+  session_deps_.socket_factory->AddSocketDataProvider(&data1);
+  session_deps_.socket_factory->AddSocketDataProvider(&data2);
+  session_deps_.socket_factory->AddSocketDataProvider(&data2);
+
+  SSLSocketDataProvider ssl_proxy1(ASYNC, OK);
+  ssl_proxy1.expected_host_and_port = HostPortPair("myproxy", 70);
+  ssl_proxy1.expected_network_isolation_key = kNetworkIsolationKey1;
+  SSLSocketDataProvider ssl_origin1(ASYNC, OK);
+  ssl_origin1.expected_host_and_port = HostPortPair("foo.test", 443);
+  ssl_origin1.expected_network_isolation_key = kNetworkIsolationKey1;
+  SSLSocketDataProvider ssl_proxy2(ASYNC, OK);
+  ssl_proxy2.expected_host_and_port = HostPortPair("myproxy", 70);
+  ssl_proxy2.expected_network_isolation_key = kNetworkIsolationKey2;
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_proxy1);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_origin1);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_proxy2);
+
+  TestCompletionCallback callback;
+  auto trans1 =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  int rv = trans1->Start(&request1, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  std::string response_data1;
+  EXPECT_THAT(ReadTransaction(trans1.get(), &response_data1), IsOk());
+  EXPECT_EQ("1", response_data1);
+  trans1.reset();
+
+  auto trans2 =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans2->Start(&request2, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  std::string response_data2;
+  EXPECT_THAT(ReadTransaction(trans2.get(), &response_data2), IsOk());
+  EXPECT_EQ("2", response_data2);
+  trans2.reset();
+}
+
+// Test that SSLConfig changes from SSLConfigService are picked up even when
+// there are live sockets.
+TEST_F(HttpNetworkTransactionTest, SSLConfigChanged) {
+  SSLConfig ssl_config;
+  ssl_config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
+  auto ssl_config_service = std::make_unique<TestSSLConfigService>(ssl_config);
+  TestSSLConfigService* ssl_config_service_raw = ssl_config_service.get();
+
+  session_deps_.ssl_config_service = std::move(ssl_config_service);
+
+  // Make three requests. Between the second and third, the SSL config will
+  // change.
+  HttpRequestInfo request1;
+  request1.method = "GET";
+  request1.url = GURL("https://foo.test/1");
+  request1.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  HttpRequestInfo request2;
+  request2.method = "GET";
+  request2.url = GURL("https://foo.test/2");
+  request2.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  HttpRequestInfo request3;
+  request3.method = "GET";
+  request3.url = GURL("https://foo.test/3");
+  request3.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  const MockWrite kWrites1[] = {
+      MockWrite("GET /1 HTTP/1.1\r\n"
+                "Host: foo.test\r\n"
+                "Connection: keep-alive\r\n\r\n"),
+      MockWrite("GET /2 HTTP/1.1\r\n"
+                "Host: foo.test\r\n"
+                "Connection: keep-alive\r\n\r\n"),
+  };
+
+  const MockRead kReads1[] = {
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: keep-alive\r\n"
+               "Content-Length: 1\r\n\r\n"
+               "1"),
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: keep-alive\r\n"
+               "Content-Length: 1\r\n\r\n"
+               "2"),
+  };
+
+  // The third request goes on a different socket because the SSL config has
+  // changed.
+  const MockWrite kWrites2[] = {
+      MockWrite("GET /3 HTTP/1.1\r\n"
+                "Host: foo.test\r\n"
+                "Connection: keep-alive\r\n\r\n")};
+
+  const MockRead kReads2[] = {
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: keep-alive\r\n"
+               "Content-Length: 1\r\n\r\n"
+               "3")};
+
+  StaticSocketDataProvider data1(kReads1, kWrites1);
+  StaticSocketDataProvider data2(kReads2, kWrites2);
+  session_deps_.socket_factory->AddSocketDataProvider(&data1);
+  session_deps_.socket_factory->AddSocketDataProvider(&data2);
+
+  SSLSocketDataProvider ssl1(ASYNC, OK);
+  ssl1.expected_ssl_version_max = SSL_PROTOCOL_VERSION_TLS1_3;
+  SSLSocketDataProvider ssl2(ASYNC, OK);
+  ssl2.expected_ssl_version_max = SSL_PROTOCOL_VERSION_TLS1_2;
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl1);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl2);
+
+  std::unique_ptr<HttpNetworkSession> session = CreateSession(&session_deps_);
+
+  TestCompletionCallback callback;
+  auto trans1 =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  int rv = trans1->Start(&request1, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  std::string response_data1;
+  EXPECT_THAT(ReadTransaction(trans1.get(), &response_data1), IsOk());
+  EXPECT_EQ("1", response_data1);
+  trans1.reset();
+
+  auto trans2 =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans2->Start(&request2, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  std::string response_data2;
+  EXPECT_THAT(ReadTransaction(trans2.get(), &response_data2), IsOk());
+  EXPECT_EQ("2", response_data2);
+  trans2.reset();
+
+  ssl_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
+  ssl_config_service_raw->UpdateSSLConfigAndNotify(ssl_config);
+
+  auto trans3 =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans3->Start(&request3, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  std::string response_data3;
+  EXPECT_THAT(ReadTransaction(trans3.get(), &response_data3), IsOk());
+  EXPECT_EQ("3", response_data3);
+  trans3.reset();
+}
+
+TEST_F(HttpNetworkTransactionTest, SSLConfigChangedPendingConnect) {
+  SSLConfig ssl_config;
+  ssl_config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
+  auto ssl_config_service = std::make_unique<TestSSLConfigService>(ssl_config);
+  TestSSLConfigService* ssl_config_service_raw = ssl_config_service.get();
+
+  session_deps_.ssl_config_service = std::move(ssl_config_service);
+
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("https://foo.test/1");
+  request.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  // Make a socket which never connects.
+  StaticSocketDataProvider data({}, {});
+  session_deps_.socket_factory->AddSocketDataProvider(&data);
+  SSLSocketDataProvider ssl_data(SYNCHRONOUS, ERR_IO_PENDING);
+  ssl_data.expected_ssl_version_max = SSL_PROTOCOL_VERSION_TLS1_3;
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_data);
+
+  std::unique_ptr<HttpNetworkSession> session = CreateSession(&session_deps_);
+
+  TestCompletionCallback callback;
+  auto trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  int rv = trans->Start(&request, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
+
+  ssl_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
+  ssl_config_service_raw->UpdateSSLConfigAndNotify(ssl_config);
+
+  EXPECT_THAT(callback.GetResult(rv), IsError(ERR_NETWORK_CHANGED));
+}
+
 }  // namespace net
diff --git a/chromium/net/http/http_proxy_client_socket.cc b/chromium/net/http/http_proxy_client_socket.cc
index 46ff67800a2..f9ebee2a584 100644
--- a/chromium/net/http/http_proxy_client_socket.cc
+++ b/chromium/net/http/http_proxy_client_socket.cc
@@ -16,6 +16,7 @@
 #include "net/base/io_buffer.h"
 #include "net/base/proxy_delegate.h"
 #include "net/http/http_basic_stream.h"
+#include "net/http/http_log_util.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
@@ -394,10 +395,9 @@ int HttpProxyClientSocket::DoSendRequest() {
     BuildTunnelRequest(endpoint_, extra_headers, user_agent, &request_line_,
                        &request_headers_);
 
-    net_log_.AddEvent(
-        NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
-        base::Bind(&HttpRequestHeaders::NetLogCallback,
-                   base::Unretained(&request_headers_), &request_line_));
+    NetLogRequestHeaders(net_log_,
+                         NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
+                         request_line_, &request_headers_);
   }
 
   parser_buf_ = base::MakeRefCounted<GrowableIOBuffer>();
@@ -429,9 +429,9 @@ int HttpProxyClientSocket::DoReadHeadersComplete(int result) {
   if (response_.headers->GetHttpVersion() < HttpVersion(1, 0))
     return ERR_TUNNEL_CONNECTION_FAILED;
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
-      base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers));
+  NetLogResponseHeaders(
+      net_log_, NetLogEventType::HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
+      response_.headers.get());
 
   if (proxy_delegate_) {
     int rv = proxy_delegate_->OnHttp1TunnelHeadersReceived(proxy_server_,
diff --git a/chromium/net/http/http_proxy_client_socket_fuzzer.cc b/chromium/net/http/http_proxy_client_socket_fuzzer.cc
index 57a50f6bc47..45c36ccabf2 100644
--- a/chromium/net/http/http_proxy_client_socket_fuzzer.cc
+++ b/chromium/net/http/http_proxy_client_socket_fuzzer.cc
@@ -12,7 +12,6 @@
 
 #include "base/logging.h"
 #include "base/strings/utf_string_conversions.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/address_list.h"
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
@@ -26,6 +25,7 @@
 #include "net/socket/fuzzed_socket.h"
 #include "net/socket/next_proto.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Fuzzer for HttpProxyClientSocket only tests establishing a connection when
 // using the proxy as a tunnel.
@@ -36,7 +36,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Use a test NetLog, to exercise logging code.
   net::TestNetLog test_net_log;
 
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
 
   net::TestCompletionCallback callback;
   std::unique_ptr<net::FuzzedSocket> fuzzed_socket(
diff --git a/chromium/net/http/http_proxy_connect_job.cc b/chromium/net/http/http_proxy_connect_job.cc
index d4886569c47..a9fbbdc38fd 100644
--- a/chromium/net/http/http_proxy_connect_job.cc
+++ b/chromium/net/http/http_proxy_connect_job.cc
@@ -188,8 +188,7 @@ HttpProxyConnectJob::HttpProxyConnectJob(
                     common_connect_job_params->http_auth_cache,
                     common_connect_job_params->http_auth_handler_factory,
                     host_resolver())
-              : nullptr),
-      weak_ptr_factory_(this) {}
+              : nullptr) {}
 
 HttpProxyConnectJob::~HttpProxyConnectJob() {}
 
@@ -662,8 +661,8 @@ int HttpProxyConnectJob::DoQuicProxyCreateSession() {
   quic::ParsedQuicVersion quic_version =
       common_connect_job_params()->quic_supported_versions->front();
   return quic_stream_request_->Request(
-      proxy_server, quic_version.transport_version, ssl_params->privacy_mode(),
-      kH2QuicTunnelPriority, socket_tag(),
+      proxy_server, quic_version, ssl_params->privacy_mode(),
+      kH2QuicTunnelPriority, socket_tag(), params_->network_isolation_key(),
       ssl_params->ssl_config().GetCertVerifyFlags(),
       GURL("https://" + proxy_server.ToString()), net_log(),
       &quic_net_error_details_,
diff --git a/chromium/net/http/http_proxy_connect_job.h b/chromium/net/http/http_proxy_connect_job.h
index ef12a1e31a8..7a7b9677f55 100644
--- a/chromium/net/http/http_proxy_connect_job.h
+++ b/chromium/net/http/http_proxy_connect_job.h
@@ -239,7 +239,7 @@ class NET_EXPORT_PRIVATE HttpProxyConnectJob : public ConnectJob,
   // Time when the connection to the proxy was started.
   base::TimeTicks connect_start_time_;
 
-  base::WeakPtrFactory<HttpProxyConnectJob> weak_ptr_factory_;
+  base::WeakPtrFactory<HttpProxyConnectJob> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(HttpProxyConnectJob);
 };
diff --git a/chromium/net/http/http_proxy_connect_job_unittest.cc b/chromium/net/http/http_proxy_connect_job_unittest.cc
index f555b9f1ca9..8ddd8e2f422 100644
--- a/chromium/net/http/http_proxy_connect_job_unittest.cc
+++ b/chromium/net/http/http_proxy_connect_job_unittest.cc
@@ -57,14 +57,8 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
  protected:
   HttpProxyConnectJobTest()
       : WithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME,
-            base::test::ScopedTaskEnvironment::NowSource::
-                MAIN_THREAD_MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME_AND_NOW),
         field_trial_list_(nullptr) {
-    // Set an initial delay to ensure that calls to TimeTicks::Now() do not
-    // return a null value.
-    FastForwardBy(base::TimeDelta::FromSeconds(1));
-
     // Used a mock HostResolver that does not have a cache.
     session_deps_.host_resolver = std::make_unique<MockHostResolver>();
 
@@ -125,7 +119,7 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
         base::MakeRefCounted<TransportSocketParams>(
             HostPortPair(kHttpsProxyHost, 443), OnHostResolutionCallback()),
         nullptr, nullptr, HostPortPair(kHttpsProxyHost, 443), SSLConfig(),
-        PRIVACY_MODE_DISABLED);
+        PRIVACY_MODE_DISABLED, NetworkIsolationKey());
   }
 
   // Returns a correctly constructed HttpProxyParams for the HTTP or HTTPS
diff --git a/chromium/net/http/http_request_headers.cc b/chromium/net/http/http_request_headers.cc
index 50190a909e2..b8db53837a4 100644
--- a/chromium/net/http/http_request_headers.cc
+++ b/chromium/net/http/http_request_headers.cc
@@ -15,8 +15,8 @@
 #include "net/base/escape.h"
 #include "net/http/http_log_util.h"
 #include "net/http/http_util.h"
-#include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
+#include "net/log/net_log_values.h"
 
 namespace net {
 
@@ -184,11 +184,11 @@ std::string HttpRequestHeaders::ToString() const {
   return output;
 }
 
-base::Value HttpRequestHeaders::NetLogCallback(
-    const std::string* request_line,
+base::Value HttpRequestHeaders::NetLogParams(
+    const std::string& request_line,
     NetLogCaptureMode capture_mode) const {
   base::DictionaryValue dict;
-  dict.SetKey("line", NetLogStringValue(*request_line));
+  dict.SetKey("line", NetLogStringValue(request_line));
   auto headers = std::make_unique<base::ListValue>();
   for (auto it = headers_.begin(); it != headers_.end(); ++it) {
     std::string log_value =
diff --git a/chromium/net/http/http_request_headers.h b/chromium/net/http/http_request_headers.h
index 2ec412731ce..3124ee7aeaa 100644
--- a/chromium/net/http/http_request_headers.h
+++ b/chromium/net/http/http_request_headers.h
@@ -17,6 +17,7 @@
 #include "base/macros.h"
 #include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
+#include "net/log/net_log_capture_mode.h"
 
 namespace base {
 class Value;
@@ -24,8 +25,6 @@ class Value;
 
 namespace net {
 
-class NetLogCaptureMode;
-
 class NET_EXPORT HttpRequestHeaders {
  public:
   struct NET_EXPORT HeaderKeyValuePair {
@@ -173,8 +172,8 @@ class NET_EXPORT HttpRequestHeaders {
 
   // Takes in the request line and returns a Value for use with the NetLog
   // containing both the request line and all headers fields.
-  base::Value NetLogCallback(const std::string* request_line,
-                             NetLogCaptureMode capture_mode) const;
+  base::Value NetLogParams(const std::string& request_line,
+                           NetLogCaptureMode capture_mode) const;
 
   const HeaderVector& GetHeaderVector() const { return headers_; }
 
diff --git a/chromium/net/http/http_response_body_drainer_unittest.cc b/chromium/net/http/http_response_body_drainer_unittest.cc
index a1c3c96136e..b40cdca15b8 100644
--- a/chromium/net/http/http_response_body_drainer_unittest.cc
+++ b/chromium/net/http/http_response_body_drainer_unittest.cc
@@ -85,8 +85,7 @@ class MockHttpStream : public HttpStream {
         is_sync_(false),
         is_last_chunk_zero_size_(false),
         is_complete_(false),
-        can_reuse_connection_(true),
-        weak_factory_(this) {}
+        can_reuse_connection_(true) {}
   ~MockHttpStream() override = default;
 
   // HttpStream implementation.
@@ -177,7 +176,7 @@ class MockHttpStream : public HttpStream {
   bool is_complete_;
   bool can_reuse_connection_;
 
-  base::WeakPtrFactory<MockHttpStream> weak_factory_;
+  base::WeakPtrFactory<MockHttpStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(MockHttpStream);
 };
diff --git a/chromium/net/http/http_response_headers.cc b/chromium/net/http/http_response_headers.cc
index 8b3a4aca87c..087922755a2 100644
--- a/chromium/net/http/http_response_headers.cc
+++ b/chromium/net/http/http_response_headers.cc
@@ -32,8 +32,8 @@
 #include "net/http/http_byte_range.h"
 #include "net/http/http_log_util.h"
 #include "net/http/http_util.h"
-#include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
+#include "net/log/net_log_values.h"
 
 using base::StringPiece;
 using base::Time;
@@ -1330,7 +1330,7 @@ bool HttpResponseHeaders::GetContentRangeFor206(
       instance_length);
 }
 
-base::Value HttpResponseHeaders::NetLogCallback(
+base::Value HttpResponseHeaders::NetLogParams(
     NetLogCaptureMode capture_mode) const {
   base::DictionaryValue dict;
   base::ListValue headers;
diff --git a/chromium/net/http/http_response_headers.h b/chromium/net/http/http_response_headers.h
index be216358e1f..a0d74d9c539 100644
--- a/chromium/net/http/http_response_headers.h
+++ b/chromium/net/http/http_response_headers.h
@@ -18,6 +18,7 @@
 #include "base/time/time.h"
 #include "net/base/net_export.h"
 #include "net/http/http_version.h"
+#include "net/log/net_log_capture_mode.h"
 
 namespace base {
 class Pickle;
@@ -30,7 +31,6 @@ class Value;
 namespace net {
 
 class HttpByteRange;
-class NetLogCaptureMode;
 
 enum ValidationType {
   VALIDATION_NONE,          // The resource is fresh.
@@ -295,7 +295,7 @@ class NET_EXPORT HttpResponseHeaders
   bool IsChunkEncoded() const;
 
   // Creates a Value for use with the NetLog containing the response headers.
-  base::Value NetLogCallback(NetLogCaptureMode capture_mode) const;
+  base::Value NetLogParams(NetLogCaptureMode capture_mode) const;
 
   // Returns the HTTP response code.  This is 0 if the response code text seems
   // to exist but could not be parsed.  Otherwise, it defaults to 200 if the
diff --git a/chromium/net/http/http_response_info.cc b/chromium/net/http/http_response_info.cc
index 1debebaa8e7..0b9844e9ac1 100644
--- a/chromium/net/http/http_response_info.cc
+++ b/chromium/net/http/http_response_info.cc
@@ -419,6 +419,7 @@ bool HttpResponseInfo::DidUseQuic() const {
     case CONNECTION_INFO_QUIC_45:
     case CONNECTION_INFO_QUIC_46:
     case CONNECTION_INFO_QUIC_47:
+    case CONNECTION_INFO_QUIC_48:
     case CONNECTION_INFO_QUIC_99:
     case CONNECTION_INFO_QUIC_999:
       return true;
@@ -485,6 +486,8 @@ std::string HttpResponseInfo::ConnectionInfoToString(
       return "http/2+quic/46";
     case CONNECTION_INFO_QUIC_47:
       return "http/2+quic/47";
+    case CONNECTION_INFO_QUIC_48:
+      return "http/2+quic/48";
     case CONNECTION_INFO_QUIC_99:
       return "http/2+quic/99";
     case CONNECTION_INFO_HTTP0_9:
diff --git a/chromium/net/http/http_response_info.h b/chromium/net/http/http_response_info.h
index 742cf23e32c..1f75fe4793c 100644
--- a/chromium/net/http/http_response_info.h
+++ b/chromium/net/http/http_response_info.h
@@ -63,6 +63,7 @@ class NET_EXPORT HttpResponseInfo {
     CONNECTION_INFO_QUIC_46 = 25,
     CONNECTION_INFO_QUIC_47 = 26,
     CONNECTION_INFO_QUIC_999 = 27,
+    CONNECTION_INFO_QUIC_48 = 28,
     NUM_OF_CONNECTION_INFOS,
   };
 
diff --git a/chromium/net/http/http_server_properties_impl.cc b/chromium/net/http/http_server_properties_impl.cc
index f18530db106..bf614b37103 100644
--- a/chromium/net/http/http_server_properties_impl.cc
+++ b/chromium/net/http/http_server_properties_impl.cc
@@ -29,13 +29,10 @@ HttpServerPropertiesImpl::HttpServerPropertiesImpl(
                              : base::DefaultTickClock::GetInstance()),
       clock_(clock ? clock : base::DefaultClock::GetInstance()),
       broken_alternative_services_(this, tick_clock_),
+      canonical_suffixes_({".ggpht.com", ".c.youtube.com", ".googlevideo.com",
+                           ".googleusercontent.com"}),
       quic_server_info_map_(kDefaultMaxQuicServerEntries),
-      max_server_configs_stored_in_properties_(kDefaultMaxQuicServerEntries) {
-  canonical_suffixes_.push_back(".ggpht.com");
-  canonical_suffixes_.push_back(".c.youtube.com");
-  canonical_suffixes_.push_back(".googlevideo.com");
-  canonical_suffixes_.push_back(".googleusercontent.com");
-}
+      max_server_configs_stored_in_properties_(kDefaultMaxQuicServerEntries) {}
 
 HttpServerPropertiesImpl::HttpServerPropertiesImpl()
     : HttpServerPropertiesImpl(nullptr, nullptr) {}
@@ -92,7 +89,7 @@ void HttpServerPropertiesImpl::SetAlternativeServiceServers(
     url::SchemeHostPort canonical_server(kCanonicalScheme, canonical_suffix,
                                          kCanonicalPort);
     // If we already have a valid canonical server, we're done.
-    if (base::ContainsKey(canonical_alt_svc_map_, canonical_server) &&
+    if (base::Contains(canonical_alt_svc_map_, canonical_server) &&
         (alternative_service_map_.Peek(
              canonical_alt_svc_map_[canonical_server]) !=
          alternative_service_map_.end())) {
diff --git a/chromium/net/http/http_server_properties_impl.h b/chromium/net/http/http_server_properties_impl.h
index 5ae2d6b358f..863d1531f01 100644
--- a/chromium/net/http/http_server_properties_impl.h
+++ b/chromium/net/http/http_server_properties_impl.h
@@ -159,7 +159,7 @@ class NET_EXPORT HttpServerPropertiesImpl
       CanonicalAltSvcMap;
   typedef base::flat_map<HostPortPair, quic::QuicServerId>
       CanonicalServerInfoMap;
-  typedef std::vector<std::string> CanonicalSufficList;
+  typedef std::vector<std::string> CanonicalSuffixList;
   typedef std::set<HostPortPair> Http11ServerHostPortSet;
 
   // Return the iterator for |server|, or for its canonical host, or end.
@@ -202,9 +202,9 @@ class NET_EXPORT HttpServerPropertiesImpl
   // to an actual origin, which has a plausible alternate protocol mapping.
   CanonicalAltSvcMap canonical_alt_svc_map_;
 
-  // Contains list of suffixes (for exmaple ".c.youtube.com",
+  // Contains list of suffixes (for example ".c.youtube.com",
   // ".googlevideo.com", ".googleusercontent.com") of canonical hostnames.
-  CanonicalSufficList canonical_suffixes_;
+  const CanonicalSuffixList canonical_suffixes_;
 
   QuicServerInfoMap quic_server_info_map_;
 
@@ -212,7 +212,7 @@ class NET_EXPORT HttpServerPropertiesImpl
   // and have a corresponding entry in |quic_server_info_map_|. The map can be
   // used to quickly look for server info for hosts that share the same
   // canonical suffix but don't have exact match in |quic_server_info_map_|. The
-  // map exists solely to improve the search performance. It only contais
+  // map exists solely to improve the search performance. It only contains
   // derived data that can be recalculated by traversing
   // |quic_server_info_map_|.
   CanonicalServerInfoMap canonical_server_info_map_;
diff --git a/chromium/net/http/http_server_properties_impl_unittest.cc b/chromium/net/http/http_server_properties_impl_unittest.cc
index 5ae3d35fbf1..95aa25ddaf6 100644
--- a/chromium/net/http/http_server_properties_impl_unittest.cc
+++ b/chromium/net/http/http_server_properties_impl_unittest.cc
@@ -69,7 +69,7 @@ class HttpServerPropertiesImplTest : public TestWithScopedTaskEnvironment {
  protected:
   HttpServerPropertiesImplTest()
       : TestWithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME),
         test_tick_clock_(GetMockTickClock()),
         impl_(test_tick_clock_, &test_clock_) {
     // Set |test_clock_| to some random time.
@@ -89,7 +89,7 @@ class HttpServerPropertiesImplTest : public TestWithScopedTaskEnvironment {
     if (alternative_service.protocol == kProtoQUIC) {
       return impl_.SetQuicAlternativeService(
           origin, alternative_service, expiration,
-          HttpNetworkSession::Params().quic_supported_versions);
+          HttpNetworkSession::Params().quic_params.supported_versions);
     } else {
       return impl_.SetHttp2AlternativeService(origin, alternative_service,
                                               expiration);
@@ -376,7 +376,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, ExcludeOrigin) {
   AlternativeServiceInfo alternative_service_info4 =
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           AlternativeService(kProtoQUIC, "foo", 443), expiration,
-          HttpNetworkSession::Params().quic_supported_versions);
+          HttpNetworkSession::Params().quic_params.supported_versions);
   alternative_service_info_vector.push_back(alternative_service_info4);
 
   url::SchemeHostPort test_server("https", "foo", 443);
@@ -571,7 +571,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearServerWithCanonical) {
   const AlternativeServiceInfo alternative_service_info =
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service, expiration,
-          HttpNetworkSession::Params().quic_supported_versions);
+          HttpNetworkSession::Params().quic_params.supported_versions);
 
   impl_.SetAlternativeServices(
       canonical_server,
@@ -987,7 +987,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, Canonical) {
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           canonical_alternative_service1, expiration,
-          HttpNetworkSession::Params().quic_supported_versions));
+          HttpNetworkSession::Params().quic_params.supported_versions));
   const AlternativeService canonical_alternative_service2(kProtoHTTP2, "", 443);
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
@@ -1234,12 +1234,12 @@ TEST_F(AlternateProtocolServerPropertiesTest,
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           AlternativeService(kProtoQUIC, "bar", 443),
           now + base::TimeDelta::FromHours(1),
-          HttpNetworkSession::Params().quic_supported_versions));
+          HttpNetworkSession::Params().quic_params.supported_versions));
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           AlternativeService(kProtoQUIC, "baz", 443),
           now + base::TimeDelta::FromHours(1),
-          HttpNetworkSession::Params().quic_supported_versions));
+          HttpNetworkSession::Params().quic_params.supported_versions));
 
   impl_.SetAlternativeServices(url::SchemeHostPort("https", "youtube.com", 443),
                                alternative_service_info_vector);
diff --git a/chromium/net/http/http_server_properties_manager.cc b/chromium/net/http/http_server_properties_manager.cc
index 9b780f4c742..8cb7cd9d563 100644
--- a/chromium/net/http/http_server_properties_manager.cc
+++ b/chromium/net/http/http_server_properties_manager.cc
@@ -73,11 +73,6 @@ void AddAlternativeServiceFieldsToDictionaryValue(
                   NextProtoToString(alternative_service.protocol));
 }
 
-base::Value NetLogCallback(const base::Value* http_server_properties_dict,
-                           NetLogCaptureMode capture_mode) {
-  return http_server_properties_dict->Clone();
-}
-
 // A local or temporary data structure to hold preferences for a server.
 // This is used only in UpdatePrefs.
 struct ServerPref {
@@ -140,17 +135,6 @@ HttpServerPropertiesManager::~HttpServerPropertiesManager() {
   UpdatePrefsFromCache(base::OnceClosure());
 }
 
-// static
-void HttpServerPropertiesManager::SetVersion(
-    base::DictionaryValue* http_server_properties_dict,
-    int version_number) {
-  if (version_number < 0)
-    version_number = kVersionNumber;
-  DCHECK_LE(version_number, kVersionNumber);
-  if (version_number <= kVersionNumber)
-    http_server_properties_dict->SetInteger(kVersionKey, version_number);
-}
-
 void HttpServerPropertiesManager::Clear(base::OnceClosure callback) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
@@ -179,7 +163,7 @@ void HttpServerPropertiesManager::SetSupportsSpdy(
   http_server_properties_impl_->SetSupportsSpdy(server, support_spdy);
   bool new_support_spdy = http_server_properties_impl_->GetSupportsSpdy(server);
   if (old_support_spdy != new_support_spdy)
-    ScheduleUpdatePrefs(SUPPORTS_SPDY);
+    ScheduleUpdatePrefs();
 }
 
 bool HttpServerPropertiesManager::RequiresHTTP11(const HostPortPair& server) {
@@ -192,7 +176,7 @@ void HttpServerPropertiesManager::SetHTTP11Required(
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   http_server_properties_impl_->SetHTTP11Required(server);
-  ScheduleUpdatePrefs(HTTP_11_REQUIRED);
+  ScheduleUpdatePrefs();
 }
 
 void HttpServerPropertiesManager::MaybeForceHTTP11(const HostPortPair& server,
@@ -216,7 +200,7 @@ bool HttpServerPropertiesManager::SetHttp2AlternativeService(
   const bool changed = http_server_properties_impl_->SetHttp2AlternativeService(
       origin, alternative_service, expiration);
   if (changed) {
-    ScheduleUpdatePrefs(SET_ALTERNATIVE_SERVICES);
+    ScheduleUpdatePrefs();
   }
   return changed;
 }
@@ -230,7 +214,7 @@ bool HttpServerPropertiesManager::SetQuicAlternativeService(
   const bool changed = http_server_properties_impl_->SetQuicAlternativeService(
       origin, alternative_service, expiration, advertised_versions);
   if (changed) {
-    ScheduleUpdatePrefs(SET_ALTERNATIVE_SERVICES);
+    ScheduleUpdatePrefs();
   }
   return changed;
 }
@@ -242,7 +226,7 @@ bool HttpServerPropertiesManager::SetAlternativeServices(
   const bool changed = http_server_properties_impl_->SetAlternativeServices(
       origin, alternative_service_info_vector);
   if (changed) {
-    ScheduleUpdatePrefs(SET_ALTERNATIVE_SERVICES);
+    ScheduleUpdatePrefs();
   }
   return changed;
 }
@@ -252,7 +236,7 @@ void HttpServerPropertiesManager::MarkAlternativeServiceBroken(
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   http_server_properties_impl_->MarkAlternativeServiceBroken(
       alternative_service);
-  ScheduleUpdatePrefs(MARK_ALTERNATIVE_SERVICE_BROKEN);
+  ScheduleUpdatePrefs();
 }
 
 void HttpServerPropertiesManager::
@@ -262,8 +246,7 @@ void HttpServerPropertiesManager::
   http_server_properties_impl_
       ->MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
           alternative_service);
-  ScheduleUpdatePrefs(
-      MARK_ALTERNATIVE_SERVICE_BROKEN_UNTIL_DEFAULT_NETWORK_CHANGES);
+  ScheduleUpdatePrefs();
 }
 
 void HttpServerPropertiesManager::MarkAlternativeServiceRecentlyBroken(
@@ -271,7 +254,7 @@ void HttpServerPropertiesManager::MarkAlternativeServiceRecentlyBroken(
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   http_server_properties_impl_->MarkAlternativeServiceRecentlyBroken(
       alternative_service);
-  ScheduleUpdatePrefs(MARK_ALTERNATIVE_SERVICE_RECENTLY_BROKEN);
+  ScheduleUpdatePrefs();
 }
 
 bool HttpServerPropertiesManager::IsAlternativeServiceBroken(
@@ -299,14 +282,14 @@ void HttpServerPropertiesManager::ConfirmAlternativeService(
   // For persisting, we only care about the value returned by
   // IsAlternativeServiceBroken. If that value changes, then call persist.
   if (old_value != new_value)
-    ScheduleUpdatePrefs(CONFIRM_ALTERNATIVE_SERVICE);
+    ScheduleUpdatePrefs();
 }
 
 bool HttpServerPropertiesManager::OnDefaultNetworkChanged() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   bool changed = http_server_properties_impl_->OnDefaultNetworkChanged();
   if (changed)
-    ScheduleUpdatePrefs(ON_DEFAULT_NETWORK_CHANGED);
+    ScheduleUpdatePrefs();
   return changed;
 }
 
@@ -337,7 +320,7 @@ void HttpServerPropertiesManager::SetSupportsQuic(bool used_quic,
   IPAddress new_last_quic_addr;
   http_server_properties_impl_->GetSupportsQuic(&new_last_quic_addr);
   if (old_last_quic_addr != new_last_quic_addr)
-    ScheduleUpdatePrefs(SET_SUPPORTS_QUIC);
+    ScheduleUpdatePrefs();
 }
 
 void HttpServerPropertiesManager::SetServerNetworkStats(
@@ -353,7 +336,7 @@ void HttpServerPropertiesManager::SetServerNetworkStats(
   ServerNetworkStats new_stats =
       *(http_server_properties_impl_->GetServerNetworkStats(server));
   if (old_stats != new_stats)
-    ScheduleUpdatePrefs(SET_SERVER_NETWORK_STATS);
+    ScheduleUpdatePrefs();
 }
 
 void HttpServerPropertiesManager::ClearServerNetworkStats(
@@ -363,7 +346,7 @@ void HttpServerPropertiesManager::ClearServerNetworkStats(
       http_server_properties_impl_->GetServerNetworkStats(server) != nullptr;
   http_server_properties_impl_->ClearServerNetworkStats(server);
   if (need_update)
-    ScheduleUpdatePrefs(CLEAR_SERVER_NETWORK_STATS);
+    ScheduleUpdatePrefs();
 }
 
 const ServerNetworkStats* HttpServerPropertiesManager::GetServerNetworkStats(
@@ -385,7 +368,7 @@ bool HttpServerPropertiesManager::SetQuicServerInfo(
   bool changed =
       http_server_properties_impl_->SetQuicServerInfo(server_id, server_info);
   if (changed)
-    ScheduleUpdatePrefs(SET_QUIC_SERVER_INFO);
+    ScheduleUpdatePrefs();
   return changed;
 }
 
@@ -467,65 +450,35 @@ void HttpServerPropertiesManager::UpdateCacheFromPrefs() {
 
   bool detected_corrupted_prefs = false;
   net_log_.AddEvent(NetLogEventType::HTTP_SERVER_PROPERTIES_UPDATE_CACHE,
-                    base::Bind(&NetLogCallback, http_server_properties_dict));
-  int version = kMissingVersion;
-  if (!http_server_properties_dict->GetIntegerWithoutPathExpansion(kVersionKey,
-                                                                   &version)) {
-    DVLOG(1) << "Missing version. Clearing all properties.";
+                    [&] { return http_server_properties_dict->Clone(); });
+  int version_number = kMissingVersion;
+  if (!http_server_properties_dict->GetIntegerWithoutPathExpansion(
+          kVersionKey, &version_number) ||
+      version_number != kVersionNumber) {
+    DVLOG(1) << "Missing or unsupported. Clearing all properties. "
+             << version_number;
     return;
   }
 
   const base::DictionaryValue* servers_dict = nullptr;
   const base::ListValue* servers_list = nullptr;
-  if (version < 4) {
-    // The properties for a given server is in
-    // http_server_properties_dict["servers"][server].
-    // Before Version 4, server data was stored in the following format in
-    // alphabetical order.
-    //
-    //   "http_server_properties": {
-    //      "servers": {
-    //         "0-edge-chat.facebook.com:443" : {...},
-    //         "0.client-channel.google.com:443" : {...},
-    //         "yt3.ggpht.com:80" : {...},
-    //         ...
-    //      }, ...
-    // },
-    if (!http_server_properties_dict->GetDictionaryWithoutPathExpansion(
-            kServersKey, &servers_dict)) {
-      DVLOG(1) << "Malformed http_server_properties for servers.";
-      return;
-    }
-  } else {
-    // For Version 4, data was stored in the following format.
-    // |servers| are saved in MRU order.
-    //
-    // "http_server_properties": {
-    //      "servers": [
-    //          {"yt3.ggpht.com:443" : {...}},
-    //          {"0.client-channel.google.com:443" : {...}},
-    //          {"0-edge-chat.facebook.com:80" : {...}},
-    //          ...
-    //      ], ...
-    // },
-    // For Version 5, data was stored in the following format.
-    // |servers| are saved in MRU order. |servers| are in the format flattened
-    // representation of (scheme/host/port) where port might be ignored if is
-    // default with scheme.
-    //
-    // "http_server_properties": {
-    //      "servers": [
-    //          {"https://yt3.ggpht.com" : {...}},
-    //          {"http://0.client-channel.google.com:443" : {...}},
-    //          {"http://0-edge-chat.facebook.com" : {...}},
-    //          ...
-    //      ], ...
-    // },
-    if (!http_server_properties_dict->GetListWithoutPathExpansion(
-            kServersKey, &servers_list)) {
-      DVLOG(1) << "Malformed http_server_properties for servers list.";
-      return;
-    }
+  // For Version 5, data is stored in the following format.
+  // |servers| are saved in MRU order. |servers| are in the format flattened
+  // representation of (scheme/host/port) where port might be ignored if is
+  // default with scheme.
+  //
+  // "http_server_properties": {
+  //      "servers": [
+  //          {"https://yt3.ggpht.com" : {...}},
+  //          {"http://0.client-channel.google.com:443" : {...}},
+  //          {"http://0-edge-chat.facebook.com" : {...}},
+  //          ...
+  //      ], ...
+  // },
+  if (!http_server_properties_dict->GetListWithoutPathExpansion(
+          kServersKey, &servers_list)) {
+    DVLOG(1) << "Malformed http_server_properties for servers list.";
+    return;
   }
 
   std::unique_ptr<IPAddress> addr = std::make_unique<IPAddress>();
@@ -542,29 +495,21 @@ void HttpServerPropertiesManager::UpdateCacheFromPrefs() {
       std::make_unique<QuicServerInfoMap>(
           max_server_configs_stored_in_properties());
 
-  if (version < 4) {
+  // Iterate servers list in reverse MRU order so that entries are inserted
+  // into |spdy_servers_map|, |alternative_service_map|, and
+  // |server_network_stats_map| from oldest to newest.
+  for (auto it = servers_list->end(); it != servers_list->begin();) {
+    --it;
+    if (!it->GetAsDictionary(&servers_dict)) {
+      DVLOG(1) << "Malformed http_server_properties for servers dictionary.";
+      detected_corrupted_prefs = true;
+      continue;
+    }
     if (!AddServersData(*servers_dict, spdy_servers_map.get(),
                         alternative_service_map.get(),
-                        server_network_stats_map.get(), version)) {
+                        server_network_stats_map.get())) {
       detected_corrupted_prefs = true;
     }
-  } else {
-    // Iterate servers list in reverse MRU order so that entries are inserted
-    // into |spdy_servers_map|, |alternative_service_map|, and
-    // |server_network_stats_map| from oldest to newest.
-    for (auto it = servers_list->end(); it != servers_list->begin();) {
-      --it;
-      if (!it->GetAsDictionary(&servers_dict)) {
-        DVLOG(1) << "Malformed http_server_properties for servers dictionary.";
-        detected_corrupted_prefs = true;
-        continue;
-      }
-      if (!AddServersData(*servers_dict, spdy_servers_map.get(),
-                          alternative_service_map.get(),
-                          server_network_stats_map.get(), version)) {
-        detected_corrupted_prefs = true;
-      }
-    }
   }
 
   if (!AddToQuicServerInfoMap(*http_server_properties_dict,
@@ -642,7 +587,7 @@ void HttpServerPropertiesManager::UpdateCacheFromPrefs() {
 
   // Update the prefs with what we have read (delete all corrupted prefs).
   if (detected_corrupted_prefs)
-    ScheduleUpdatePrefs(DETECTED_CORRUPTED_PREFS);
+    ScheduleUpdatePrefs();
 }
 
 bool HttpServerPropertiesManager::AddToBrokenAlternativeServices(
@@ -713,17 +658,12 @@ bool HttpServerPropertiesManager::AddServersData(
     const base::DictionaryValue& servers_dict,
     SpdyServersMap* spdy_servers_map,
     AlternativeServiceMap* alternative_service_map,
-    ServerNetworkStatsMap* network_stats_map,
-    int version) {
+    ServerNetworkStatsMap* network_stats_map) {
   for (base::DictionaryValue::Iterator it(servers_dict); !it.IsAtEnd();
        it.Advance()) {
     // Get server's scheme/host/pair.
     const std::string& server_str = it.key();
     std::string spdy_server_url = server_str;
-    if (version < 5) {
-      // For old version disk data, always use HTTPS as the scheme.
-      spdy_server_url.insert(0, "https://");
-    }
     url::SchemeHostPort spdy_server((GURL(spdy_server_url)));
     if (spdy_server.host().empty()) {
       DVLOG(1) << "Malformed http_server_properties for server: " << server_str;
@@ -999,10 +939,7 @@ bool HttpServerPropertiesManager::AddToQuicServerInfoMap(
   return !detected_corrupted_prefs;
 }
 
-//
-// Update Preferences with data from the cached data.
-//
-void HttpServerPropertiesManager::ScheduleUpdatePrefs(Location location) {
+void HttpServerPropertiesManager::ScheduleUpdatePrefs() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   // Do not schedule a new update if there is already one scheduled.
   if (network_prefs_update_timer_.IsRunning())
@@ -1012,10 +949,6 @@ void HttpServerPropertiesManager::ScheduleUpdatePrefs(Location location) {
       FROM_HERE, kUpdatePrefsDelay,
       base::Bind(&HttpServerPropertiesManager::UpdatePrefsFromCache,
                  base::Unretained(this), base::Passed(base::OnceClosure())));
-
-  // TODO(rtenneti): Delete the following histogram after collecting some data.
-  UMA_HISTOGRAM_ENUMERATION("Net.HttpServerProperties.UpdatePrefs", location,
-                            HttpServerPropertiesManager::NUM_LOCATIONS);
 }
 
 void HttpServerPropertiesManager::UpdatePrefsFromCache(
@@ -1127,7 +1060,7 @@ void HttpServerPropertiesManager::UpdatePrefsFromCache(
   http_server_properties_dict.SetWithoutPathExpansion(kServersKey,
                                                       std::move(servers_list));
 
-  SetVersion(&http_server_properties_dict, kVersionNumber);
+  http_server_properties_dict.SetInteger(kVersionKey, kVersionNumber);
 
   IPAddress last_quic_addr;
   if (http_server_properties_impl_->GetSupportsQuic(&last_quic_addr)) {
@@ -1150,7 +1083,7 @@ void HttpServerPropertiesManager::UpdatePrefsFromCache(
   setting_prefs_ = false;
 
   net_log_.AddEvent(NetLogEventType::HTTP_SERVER_PROPERTIES_UPDATE_PREFS,
-                    base::Bind(&NetLogCallback, &http_server_properties_dict));
+                    [&] { return http_server_properties_dict.Clone(); });
 }
 
 void HttpServerPropertiesManager::SaveAlternativeServiceToServerPrefs(
diff --git a/chromium/net/http/http_server_properties_manager.h b/chromium/net/http/http_server_properties_manager.h
index a8ecf3199f9..17d7d969455 100644
--- a/chromium/net/http/http_server_properties_manager.h
+++ b/chromium/net/http/http_server_properties_manager.h
@@ -80,10 +80,6 @@ class NET_EXPORT HttpServerPropertiesManager : public HttpServerProperties {
 
   ~HttpServerPropertiesManager() override;
 
-  // Helper function for unit tests to set the version in the dictionary.
-  static void SetVersion(base::DictionaryValue* http_server_properties_dict,
-                         int version_number);
-
   // ----------------------------------
   // HttpServerProperties methods:
   // ----------------------------------
@@ -150,33 +146,6 @@ class NET_EXPORT HttpServerPropertiesManager : public HttpServerProperties {
   void ScheduleUpdateCacheForTesting();
 
  protected:
-  // The location where ScheduleUpdatePrefs was called.
-  // Must be kept up to date with HttpServerPropertiesUpdatePrefsLocation in
-  // histograms.xml.
-  enum Location {
-    SUPPORTS_SPDY = 0,
-    HTTP_11_REQUIRED = 1,
-    SET_ALTERNATIVE_SERVICES = 2,
-    MARK_ALTERNATIVE_SERVICE_BROKEN = 3,
-    MARK_ALTERNATIVE_SERVICE_RECENTLY_BROKEN = 4,
-    CONFIRM_ALTERNATIVE_SERVICE = 5,
-    CLEAR_ALTERNATIVE_SERVICE = 6,
-    // deprecated: SET_SPDY_SETTING = 7,
-    // deprecated: CLEAR_SPDY_SETTINGS = 8,
-    // deprecated: CLEAR_ALL_SPDY_SETTINGS = 9,
-    SET_SUPPORTS_QUIC = 10,
-    SET_SERVER_NETWORK_STATS = 11,
-    DETECTED_CORRUPTED_PREFS = 12,
-    SET_QUIC_SERVER_INFO = 13,
-    CLEAR_SERVER_NETWORK_STATS = 14,
-    MARK_ALTERNATIVE_SERVICE_BROKEN_UNTIL_DEFAULT_NETWORK_CHANGES = 15,
-    ON_DEFAULT_NETWORK_CHANGED = 16,
-    NUM_LOCATIONS = 17,
-  };
-
-  // --------------------
-  // SPDY related methods
-
   // These are used to delay updating of the cached data in
   // |http_server_properties_impl_| while the preferences are changing, and
   // execute only one update per simultaneous prefs changes.
@@ -190,7 +159,7 @@ class NET_EXPORT HttpServerPropertiesManager : public HttpServerProperties {
   // |http_server_properties_impl_| is changing, and execute only one update per
   // simultaneous changes.
   // |location| specifies where this method is called from.
-  void ScheduleUpdatePrefs(Location location);
+  void ScheduleUpdatePrefs();
 
   // Update prefs::kHttpServerProperties in preferences with the cached data
   // from |http_server_properties_impl_|. Invokes |callback| when changes have
@@ -211,8 +180,7 @@ class NET_EXPORT HttpServerPropertiesManager : public HttpServerProperties {
   bool AddServersData(const base::DictionaryValue& server_dict,
                       SpdyServersMap* spdy_servers_map,
                       AlternativeServiceMap* alternative_service_map,
-                      ServerNetworkStatsMap* network_stats_map,
-                      int version);
+                      ServerNetworkStatsMap* network_stats_map);
   // Helper method used for parsing an alternative service from JSON.
   // |dict| is the JSON dictionary to be parsed. It should contain fields
   // corresponding to members of AlternativeService.
diff --git a/chromium/net/http/http_server_properties_manager_unittest.cc b/chromium/net/http/http_server_properties_manager_unittest.cc
index 59762bcc1f7..4921d2e610b 100644
--- a/chromium/net/http/http_server_properties_manager_unittest.cc
+++ b/chromium/net/http/http_server_properties_manager_unittest.cc
@@ -98,20 +98,17 @@ class MockPrefDelegate : public net::HttpServerPropertiesManager::PrefDelegate {
 
 }  // namespace
 
-// TODO(rtenneti): After we stop supporting version 3 and everyone has migrated
-// to version 4, delete the following code.
-static const int kHttpServerPropertiesVersions[] = {3, 4, 5};
-
-class HttpServerPropertiesManagerTest : public testing::TestWithParam<int>,
+class HttpServerPropertiesManagerTest : public testing::Test,
                                         public WithScopedTaskEnvironment {
  protected:
   HttpServerPropertiesManagerTest()
       : WithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME) {}
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME) {}
 
   void SetUp() override {
     one_day_from_now_ = base::Time::Now() + base::TimeDelta::FromDays(1);
-    advertised_versions_ = HttpNetworkSession::Params().quic_supported_versions;
+    advertised_versions_ =
+        HttpNetworkSession::Params().quic_params.supported_versions;
     pref_delegate_ = new MockPrefDelegate;
 
     http_server_props_manager_ = std::make_unique<HttpServerPropertiesManager>(
@@ -141,6 +138,13 @@ class HttpServerPropertiesManagerTest : public testing::TestWithParam<int>,
     return !alternative_service_info_vector.empty();
   }
 
+  // Returns a dictionary with only the version field populated.
+  static base::DictionaryValue DictWithVersion() {
+    base::DictionaryValue http_server_properties_dict;
+    http_server_properties_dict.SetInteger("version", 5);
+    return http_server_properties_dict;
+  }
+
   MockPrefDelegate* pref_delegate_;  // Owned by HttpServerPropertiesManager.
   std::unique_ptr<HttpServerPropertiesManager> http_server_props_manager_;
   base::Time one_day_from_now_;
@@ -150,11 +154,7 @@ class HttpServerPropertiesManagerTest : public testing::TestWithParam<int>,
   DISALLOW_COPY_AND_ASSIGN(HttpServerPropertiesManagerTest);
 };
 
-INSTANTIATE_TEST_SUITE_P(/* no prefix */,
-                         HttpServerPropertiesManagerTest,
-                         ::testing::ValuesIn(kHttpServerPropertiesVersions));
-
-TEST_P(HttpServerPropertiesManagerTest,
+TEST_F(HttpServerPropertiesManagerTest,
        SingleUpdateForTwoSpdyServerPrefChanges) {
   // Set up the prefs for https://www.google.com and https://mail.google.com and
   // then set it twice. Only expect a single cache update.
@@ -186,15 +186,11 @@ TEST_P(HttpServerPropertiesManagerTest,
 
   // Set the server preference for https://www.google.com.
   auto servers_dict = std::make_unique<base::DictionaryValue>();
-  servers_dict->SetWithoutPathExpansion(
-      GetParam() >= 5 ? "https://www.google.com" : "www.google.com:443",
-      std::move(server_pref_dict));
-  std::unique_ptr<base::ListValue> servers_list;
-  if (GetParam() >= 4) {
-    servers_list = std::make_unique<base::ListValue>();
-    servers_list->Append(std::move(servers_dict));
-    servers_dict = std::make_unique<base::DictionaryValue>();
-  }
+  servers_dict->SetWithoutPathExpansion("https://www.google.com",
+                                        std::move(server_pref_dict));
+  auto servers_list = std::make_unique<base::ListValue>();
+  servers_list->Append(std::move(servers_dict));
+  servers_dict = std::make_unique<base::DictionaryValue>();
 
   // Set the preference for mail.google.com server.
   auto server_pref_dict1 = std::make_unique<base::DictionaryValue>();
@@ -218,26 +214,12 @@ TEST_P(HttpServerPropertiesManagerTest,
   server_pref_dict1->SetWithoutPathExpansion("network_stats",
                                              std::move(stats1));
   // Set the server preference for https://mail.google.com.
-  servers_dict->SetWithoutPathExpansion(
-      GetParam() >= 5 ? "https://mail.google.com" : "mail.google.com:443",
-      std::move(server_pref_dict1));
-  base::DictionaryValue http_server_properties_dict;
-  if (GetParam() >= 4) {
-    servers_list->AppendIfNotPresent(std::move(servers_dict));
-    if (GetParam() == 5) {
-      HttpServerPropertiesManager::SetVersion(&http_server_properties_dict, -1);
-    } else {
-      HttpServerPropertiesManager::SetVersion(&http_server_properties_dict,
-                                              GetParam());
-    }
-    http_server_properties_dict.SetWithoutPathExpansion(
-        "servers", std::move(servers_list));
-  } else {
-    HttpServerPropertiesManager::SetVersion(&http_server_properties_dict,
-                                            GetParam());
-    http_server_properties_dict.SetWithoutPathExpansion(
-        "servers", std::move(servers_dict));
-  }
+  servers_dict->SetWithoutPathExpansion("https://mail.google.com",
+                                        std::move(server_pref_dict1));
+  servers_list->Append(std::move(servers_dict));
+  base::DictionaryValue http_server_properties_dict = DictWithVersion();
+  http_server_properties_dict.SetWithoutPathExpansion("servers",
+                                                      std::move(servers_list));
   auto supports_quic = std::make_unique<base::DictionaryValue>();
   supports_quic->SetBoolean("used_quic", true);
   supports_quic->SetString("address", "127.0.0.1");
@@ -343,7 +325,7 @@ TEST_P(HttpServerPropertiesManagerTest,
                                    play_quic_server_id));
 }
 
-TEST_P(HttpServerPropertiesManagerTest, BadCachedHostPortPair) {
+TEST_F(HttpServerPropertiesManagerTest, BadCachedHostPortPair) {
   auto server_pref_dict = std::make_unique<base::DictionaryValue>();
 
   // Set supports_spdy for www.google.com:65536.
@@ -367,24 +349,11 @@ TEST_P(HttpServerPropertiesManagerTest, BadCachedHostPortPair) {
   auto servers_dict = std::make_unique<base::DictionaryValue>();
   servers_dict->SetWithoutPathExpansion("www.google.com:65536",
                                         std::move(server_pref_dict));
-  base::DictionaryValue http_server_properties_dict;
-  if (GetParam() >= 4) {
     auto servers_list = std::make_unique<base::ListValue>();
     servers_list->Append(std::move(servers_dict));
-    if (GetParam() == 5) {
-      HttpServerPropertiesManager::SetVersion(&http_server_properties_dict, -1);
-    } else {
-      HttpServerPropertiesManager::SetVersion(&http_server_properties_dict,
-                                              GetParam());
-    }
+    base::DictionaryValue http_server_properties_dict = DictWithVersion();
     http_server_properties_dict.SetWithoutPathExpansion(
         "servers", std::move(servers_list));
-  } else {
-    HttpServerPropertiesManager::SetVersion(&http_server_properties_dict,
-                                            GetParam());
-    http_server_properties_dict.SetWithoutPathExpansion(
-        "servers", std::move(servers_dict));
-  }
 
   // Set quic_server_info for www.google.com:65536.
   auto quic_servers_dict = std::make_unique<base::DictionaryValue>();
@@ -421,7 +390,7 @@ TEST_P(HttpServerPropertiesManagerTest, BadCachedHostPortPair) {
   EXPECT_EQ(0u, http_server_props_manager_->quic_server_info_map().size());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, BadCachedAltProtocolPort) {
+TEST_F(HttpServerPropertiesManagerTest, BadCachedAltProtocolPort) {
   auto server_pref_dict = std::make_unique<base::DictionaryValue>();
 
   // Set supports_spdy for www.google.com:80.
@@ -440,24 +409,11 @@ TEST_P(HttpServerPropertiesManagerTest, BadCachedAltProtocolPort) {
   auto servers_dict = std::make_unique<base::DictionaryValue>();
   servers_dict->SetWithoutPathExpansion("www.google.com:80",
                                         std::move(server_pref_dict));
-  base::DictionaryValue http_server_properties_dict;
-  if (GetParam() >= 4) {
     auto servers_list = std::make_unique<base::ListValue>();
     servers_list->Append(std::move(servers_dict));
-    if (GetParam() == 5) {
-      HttpServerPropertiesManager::SetVersion(&http_server_properties_dict, -1);
-    } else {
-      HttpServerPropertiesManager::SetVersion(&http_server_properties_dict,
-                                              GetParam());
-    }
+    base::DictionaryValue http_server_properties_dict = DictWithVersion();
     http_server_properties_dict.SetWithoutPathExpansion(
         "servers", std::move(servers_list));
-  } else {
-    HttpServerPropertiesManager::SetVersion(&http_server_properties_dict,
-                                            GetParam());
-    http_server_properties_dict.SetWithoutPathExpansion(
-        "servers", std::move(servers_dict));
-  }
 
   // Set up the pref.
   pref_delegate_->SetPrefs(http_server_properties_dict);
@@ -473,7 +429,7 @@ TEST_P(HttpServerPropertiesManagerTest, BadCachedAltProtocolPort) {
       HasAlternativeService(url::SchemeHostPort("http", "www.google.com", 80)));
 }
 
-TEST_P(HttpServerPropertiesManagerTest, SupportsSpdy) {
+TEST_F(HttpServerPropertiesManagerTest, SupportsSpdy) {
   // Add mail.google.com:443 as a supporting spdy server.
   url::SchemeHostPort spdy_server("https", "mail.google.com", 443);
   EXPECT_FALSE(
@@ -502,7 +458,7 @@ TEST_P(HttpServerPropertiesManagerTest, SupportsSpdy) {
 // scheduled if multiple updates happen in a given time period. Subsequent pref
 // update could also be scheduled once the previous scheduled update is
 // completed.
-TEST_P(HttpServerPropertiesManagerTest,
+TEST_F(HttpServerPropertiesManagerTest,
        SinglePrefUpdateForTwoSpdyServerCacheChanges) {
   // Post an update task. SetSupportsSpdy calls ScheduleUpdatePrefs with a delay
   // of 60ms.
@@ -545,7 +501,7 @@ TEST_P(HttpServerPropertiesManagerTest,
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, GetAlternativeServiceInfos) {
+TEST_F(HttpServerPropertiesManagerTest, GetAlternativeServiceInfos) {
   url::SchemeHostPort spdy_server_mail("http", "mail.google.com", 80);
   EXPECT_FALSE(HasAlternativeService(spdy_server_mail));
   const AlternativeService alternative_service(kProtoHTTP2, "mail.google.com",
@@ -569,7 +525,7 @@ TEST_P(HttpServerPropertiesManagerTest, GetAlternativeServiceInfos) {
             alternative_service_info_vector[0].alternative_service());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, SetAlternativeServices) {
+TEST_F(HttpServerPropertiesManagerTest, SetAlternativeServices) {
   url::SchemeHostPort spdy_server_mail("http", "mail.google.com", 80);
   EXPECT_FALSE(HasAlternativeService(spdy_server_mail));
   AlternativeServiceInfoVector alternative_service_info_vector;
@@ -603,7 +559,7 @@ TEST_P(HttpServerPropertiesManagerTest, SetAlternativeServices) {
             alternative_service_info_vector2[1].alternative_service());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, SetAlternativeServicesEmpty) {
+TEST_F(HttpServerPropertiesManagerTest, SetAlternativeServicesEmpty) {
   url::SchemeHostPort spdy_server_mail("http", "mail.google.com", 80);
   EXPECT_FALSE(HasAlternativeService(spdy_server_mail));
   const AlternativeService alternative_service(kProtoHTTP2, "mail.google.com",
@@ -617,7 +573,7 @@ TEST_P(HttpServerPropertiesManagerTest, SetAlternativeServicesEmpty) {
   EXPECT_FALSE(HasAlternativeService(spdy_server_mail));
 }
 
-TEST_P(HttpServerPropertiesManagerTest, ConfirmAlternativeService) {
+TEST_F(HttpServerPropertiesManagerTest, ConfirmAlternativeService) {
   url::SchemeHostPort spdy_server_mail;
   AlternativeService alternative_service;
 
@@ -663,7 +619,7 @@ TEST_P(HttpServerPropertiesManagerTest, ConfirmAlternativeService) {
       alternative_service));
 }
 
-TEST_P(HttpServerPropertiesManagerTest,
+TEST_F(HttpServerPropertiesManagerTest,
        ConfirmBrokenUntilDefaultNetworkChanges) {
   url::SchemeHostPort spdy_server_mail;
   AlternativeService alternative_service;
@@ -712,7 +668,7 @@ TEST_P(HttpServerPropertiesManagerTest,
       alternative_service));
 }
 
-TEST_P(HttpServerPropertiesManagerTest,
+TEST_F(HttpServerPropertiesManagerTest,
        OnDefaultNetworkChangedWithBrokenUntilDefaultNetworkChanges) {
   url::SchemeHostPort spdy_server_mail;
   AlternativeService alternative_service;
@@ -761,7 +717,7 @@ TEST_P(HttpServerPropertiesManagerTest,
       alternative_service));
 }
 
-TEST_P(HttpServerPropertiesManagerTest, OnDefaultNetworkChangedWithBrokenOnly) {
+TEST_F(HttpServerPropertiesManagerTest, OnDefaultNetworkChangedWithBrokenOnly) {
   url::SchemeHostPort spdy_server_mail;
   AlternativeService alternative_service;
 
@@ -807,7 +763,7 @@ TEST_P(HttpServerPropertiesManagerTest, OnDefaultNetworkChangedWithBrokenOnly) {
       alternative_service));
 }
 
-TEST_P(HttpServerPropertiesManagerTest, SupportsQuic) {
+TEST_F(HttpServerPropertiesManagerTest, SupportsQuic) {
   IPAddress address;
   EXPECT_FALSE(http_server_props_manager_->GetSupportsQuic(&address));
 
@@ -831,7 +787,7 @@ TEST_P(HttpServerPropertiesManagerTest, SupportsQuic) {
   EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, ServerNetworkStats) {
+TEST_F(HttpServerPropertiesManagerTest, ServerNetworkStats) {
   url::SchemeHostPort mail_server("http", "mail.google.com", 80);
   const ServerNetworkStats* stats =
       http_server_props_manager_->GetServerNetworkStats(mail_server);
@@ -869,7 +825,7 @@ TEST_P(HttpServerPropertiesManagerTest, ServerNetworkStats) {
             http_server_props_manager_->GetServerNetworkStats(mail_server));
 }
 
-TEST_P(HttpServerPropertiesManagerTest, QuicServerInfo) {
+TEST_F(HttpServerPropertiesManagerTest, QuicServerInfo) {
   quic::QuicServerId mail_quic_server_id("mail.google.com", 80, false);
   EXPECT_EQ(nullptr,
             http_server_props_manager_->GetQuicServerInfo(mail_quic_server_id));
@@ -896,7 +852,7 @@ TEST_P(HttpServerPropertiesManagerTest, QuicServerInfo) {
   EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, Clear) {
+TEST_F(HttpServerPropertiesManagerTest, Clear) {
   const url::SchemeHostPort spdy_server("https", "mail.google.com", 443);
   const IPAddress actual_address(127, 0, 0, 1);
   const quic::QuicServerId mail_quic_server_id("mail.google.com", 80, false);
@@ -972,11 +928,10 @@ TEST_P(HttpServerPropertiesManagerTest, Clear) {
 
 // https://crbug.com/444956: Add 200 alternative_service servers followed by
 // supports_quic and verify we have read supports_quic from prefs.
-TEST_P(HttpServerPropertiesManagerTest, BadSupportsQuic) {
+TEST_F(HttpServerPropertiesManagerTest, BadSupportsQuic) {
   auto servers_dict = std::make_unique<base::DictionaryValue>();
-  std::unique_ptr<base::ListValue> servers_list;
-  if (GetParam() >= 4)
-    servers_list = std::make_unique<base::ListValue>();
+  std::unique_ptr<base::ListValue> servers_list =
+      std::make_unique<base::ListValue>();
 
   for (int i = 1; i <= 200; ++i) {
     // Set up alternative_service for www.google.com:i.
@@ -988,46 +943,21 @@ TEST_P(HttpServerPropertiesManagerTest, BadSupportsQuic) {
     auto server_pref_dict = std::make_unique<base::DictionaryValue>();
     server_pref_dict->SetWithoutPathExpansion(
         "alternative_service", std::move(alternative_service_list));
-    if (GetParam() >= 5) {
       servers_dict->SetWithoutPathExpansion(
           StringPrintf("https://www.google.com:%d", i),
           std::move(server_pref_dict));
-    } else {
-      servers_dict->SetWithoutPathExpansion(
-          StringPrintf("www.google.com:%d", i), std::move(server_pref_dict));
-    }
-    if (GetParam() >= 4) {
       servers_list->AppendIfNotPresent(std::move(servers_dict));
       servers_dict = std::make_unique<base::DictionaryValue>();
-    }
   }
 
   // Set the server preference for http://mail.google.com server.
   auto server_pref_dict1 = std::make_unique<base::DictionaryValue>();
-  if (GetParam() >= 5) {
     servers_dict->SetWithoutPathExpansion("https://mail.google.com",
                                           std::move(server_pref_dict1));
-  } else {
-    servers_dict->SetWithoutPathExpansion("mail.google.com:80",
-                                          std::move(server_pref_dict1));
-  }
-  base::DictionaryValue http_server_properties_dict;
-  if (GetParam() >= 4) {
     servers_list->AppendIfNotPresent(std::move(servers_dict));
-    if (GetParam() == 5) {
-      HttpServerPropertiesManager::SetVersion(&http_server_properties_dict, -1);
-    } else {
-      HttpServerPropertiesManager::SetVersion(&http_server_properties_dict,
-                                              GetParam());
-    }
+    base::DictionaryValue http_server_properties_dict = DictWithVersion();
     http_server_properties_dict.SetWithoutPathExpansion(
         "servers", std::move(servers_list));
-  } else {
-    HttpServerPropertiesManager::SetVersion(&http_server_properties_dict,
-                                            GetParam());
-    http_server_properties_dict.SetWithoutPathExpansion(
-        "servers", std::move(servers_dict));
-  }
 
   // Set up SupportsQuic for 127.0.0.1
   auto supports_quic = std::make_unique<base::DictionaryValue>();
@@ -1043,11 +973,7 @@ TEST_P(HttpServerPropertiesManagerTest, BadSupportsQuic) {
   // Verify alternative service.
   for (int i = 1; i <= 200; ++i) {
     GURL server_gurl;
-    if (GetParam() >= 5) {
-      server_gurl = GURL(StringPrintf("https://www.google.com:%d", i));
-    } else {
       server_gurl = GURL(StringPrintf("https://www.google.com:%d", i));
-    }
     url::SchemeHostPort server(server_gurl);
     AlternativeServiceInfoVector alternative_service_info_vector =
         http_server_props_manager_->GetAlternativeServiceInfos(server);
@@ -1064,7 +990,7 @@ TEST_P(HttpServerPropertiesManagerTest, BadSupportsQuic) {
   EXPECT_EQ("127.0.0.1", address.ToString());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, UpdatePrefsWithCache) {
+TEST_F(HttpServerPropertiesManagerTest, UpdatePrefsWithCache) {
   const url::SchemeHostPort server_www("https", "www.google.com", 80);
   const url::SchemeHostPort server_mail("https", "mail.google.com", 80);
 
@@ -1210,7 +1136,7 @@ TEST_P(HttpServerPropertiesManagerTest, UpdatePrefsWithCache) {
   EXPECT_EQ(expected_json, preferences_json);
 }
 
-TEST_P(HttpServerPropertiesManagerTest,
+TEST_F(HttpServerPropertiesManagerTest,
        SingleCacheUpdateForMultipleUpdatesScheduled) {
   EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
   // Update cache.
@@ -1241,7 +1167,7 @@ TEST_P(HttpServerPropertiesManagerTest,
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, AddToAlternativeServiceMap) {
+TEST_F(HttpServerPropertiesManagerTest, AddToAlternativeServiceMap) {
   std::unique_ptr<base::Value> server_value = base::JSONReader::ReadDeprecated(
       "{\"alternative_service\":[{\"port\":443,\"protocol_str\":\"h2\"},"
       "{\"port\":123,\"protocol_str\":\"quic\","
@@ -1293,7 +1219,7 @@ TEST_P(HttpServerPropertiesManagerTest, AddToAlternativeServiceMap) {
 }
 
 // Regression test for https://crbug.com/615497.
-TEST_P(HttpServerPropertiesManagerTest, DoNotLoadAltSvcForInsecureOrigins) {
+TEST_F(HttpServerPropertiesManagerTest, DoNotLoadAltSvcForInsecureOrigins) {
   std::unique_ptr<base::Value> server_value = base::JSONReader::ReadDeprecated(
       "{\"alternative_service\":[{\"port\":443,\"protocol_str\":\"h2\","
       "\"expiration\":\"9223372036854775807\"}]}");
@@ -1311,7 +1237,7 @@ TEST_P(HttpServerPropertiesManagerTest, DoNotLoadAltSvcForInsecureOrigins) {
 }
 
 // Do not persist expired alternative service entries to disk.
-TEST_P(HttpServerPropertiesManagerTest, DoNotPersistExpiredAlternativeService) {
+TEST_F(HttpServerPropertiesManagerTest, DoNotPersistExpiredAlternativeService) {
   AlternativeServiceInfoVector alternative_service_info_vector;
 
   const AlternativeService broken_alternative_service(
@@ -1386,7 +1312,7 @@ TEST_P(HttpServerPropertiesManagerTest, DoNotPersistExpiredAlternativeService) {
 }
 
 // Test that expired alternative service entries on disk are ignored.
-TEST_P(HttpServerPropertiesManagerTest, DoNotLoadExpiredAlternativeService) {
+TEST_F(HttpServerPropertiesManagerTest, DoNotLoadExpiredAlternativeService) {
   auto alternative_service_list = std::make_unique<base::ListValue>();
   auto expired_dict = std::make_unique<base::DictionaryValue>();
   expired_dict->SetString("protocol_str", "h2");
@@ -1429,7 +1355,7 @@ TEST_P(HttpServerPropertiesManagerTest, DoNotLoadExpiredAlternativeService) {
 }
 
 // Make sure prefs are updated on destruction.
-TEST_P(HttpServerPropertiesManagerTest, UpdatePrefsOnShutdown) {
+TEST_F(HttpServerPropertiesManagerTest, UpdatePrefsOnShutdown) {
   int pref_updates = 0;
   pref_delegate_->set_extra_update_prefs_callback(
       base::Bind([](int* updates) { (*updates)++; }, &pref_updates));
@@ -1437,7 +1363,7 @@ TEST_P(HttpServerPropertiesManagerTest, UpdatePrefsOnShutdown) {
   EXPECT_EQ(1, pref_updates);
 }
 
-TEST_P(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
+TEST_F(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
   const url::SchemeHostPort server_www("https", "www.google.com", 80);
   const url::SchemeHostPort server_mail("https", "mail.google.com", 80);
 
@@ -1449,7 +1375,7 @@ TEST_P(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
   ASSERT_TRUE(base::Time::FromUTCString("2036-12-01 10:00:00", &expiration1));
   quic::ParsedQuicVersionVector advertised_versions = {
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                              quic::QUIC_VERSION_44),
+                              quic::QUIC_VERSION_46),
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
                               quic::QUIC_VERSION_39)};
   alternative_service_info_vector.push_back(
@@ -1499,7 +1425,7 @@ TEST_P(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
       "{\"quic_servers\":{\"https://mail.google.com:80\":{"
       "\"server_info\":\"quic_server_info1\"}},\"servers\":["
       "{\"https://www.google.com:80\":{\"alternative_service\":[{"
-      "\"advertised_versions\":[39,44],\"expiration\":\"13756212000000000\","
+      "\"advertised_versions\":[39,46],\"expiration\":\"13756212000000000\","
       "\"port\":443,\"protocol_str\":\"quic\"},{\"advertised_versions\":[],"
       "\"expiration\":\"13758804000000000\",\"host\":\"www.google.com\","
       "\"port\":1234,\"protocol_str\":\"h2\"}]}},"
@@ -1517,13 +1443,13 @@ TEST_P(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
   EXPECT_EQ(expected_json, preferences_json);
 }
 
-TEST_P(HttpServerPropertiesManagerTest, ReadAdvertisedVersionsFromPref) {
+TEST_F(HttpServerPropertiesManagerTest, ReadAdvertisedVersionsFromPref) {
   std::unique_ptr<base::Value> server_value = base::JSONReader::ReadDeprecated(
       "{\"alternative_service\":["
       "{\"port\":443,\"protocol_str\":\"quic\"},"
       "{\"port\":123,\"protocol_str\":\"quic\","
       "\"expiration\":\"9223372036854775807\","
-      "\"advertised_versions\":[44,39]}]}");
+      "\"advertised_versions\":[46,39]}]}");
   ASSERT_TRUE(server_value);
   base::DictionaryValue* server_dict;
   ASSERT_TRUE(server_value->GetAsDictionary(&server_dict));
@@ -1564,18 +1490,18 @@ TEST_P(HttpServerPropertiesManagerTest, ReadAdvertisedVersionsFromPref) {
                                     quic::QUIC_VERSION_39),
             loaded_advertised_versions[0]);
   EXPECT_EQ(quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                                    quic::QUIC_VERSION_44),
+                                    quic::QUIC_VERSION_46),
             loaded_advertised_versions[1]);
 }
 
-TEST_P(HttpServerPropertiesManagerTest,
+TEST_F(HttpServerPropertiesManagerTest,
        UpdatePrefWhenAdvertisedVersionsChange) {
   const url::SchemeHostPort server_www("https", "www.google.com", 80);
 
   // #1: Set alternate protocol.
   AlternativeServiceInfoVector alternative_service_info_vector;
   // Quic alternative service set with a single QUIC version:
-  // quic::QUIC_VERSION_44.
+  // quic::QUIC_VERSION_46.
   AlternativeService quic_alternative_service1(kProtoQUIC, "", 443);
   base::Time expiration1;
   ASSERT_TRUE(base::Time::FromUTCString("2036-12-01 10:00:00", &expiration1));
@@ -1624,7 +1550,7 @@ TEST_P(HttpServerPropertiesManagerTest,
   // Quic alternative service set with two advertised QUIC versions.
   quic::ParsedQuicVersionVector advertised_versions = {
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                              quic::QUIC_VERSION_44),
+                              quic::QUIC_VERSION_46),
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
                               quic::QUIC_VERSION_39)};
   alternative_service_info_vector_2.push_back(
@@ -1644,7 +1570,7 @@ TEST_P(HttpServerPropertiesManagerTest,
       "{\"quic_servers\":{\"https://mail.google.com:80\":"
       "{\"server_info\":\"quic_server_info1\"}},\"servers\":["
       "{\"https://www.google.com:80\":"
-      "{\"alternative_service\":[{\"advertised_versions\":[39,44],"
+      "{\"alternative_service\":[{\"advertised_versions\":[39,46],"
       "\"expiration\":\"13756212000000000\",\"port\":443,"
       "\"protocol_str\":\"quic\"}]}}],\"supports_quic\":"
       "{\"address\":\"127.0.0.1\",\"used_quic\":true},\"version\":5}";
@@ -1659,7 +1585,7 @@ TEST_P(HttpServerPropertiesManagerTest,
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
                               quic::QUIC_VERSION_39),
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                              quic::QUIC_VERSION_44)};
+                              quic::QUIC_VERSION_46)};
   alternative_service_info_vector_3.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           quic_alternative_service1, expiration1, advertised_versions_2));
@@ -1671,7 +1597,7 @@ TEST_P(HttpServerPropertiesManagerTest,
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
 }
 
-TEST_P(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
+TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
   AlternativeService cached_broken_service(kProtoQUIC, "cached_broken", 443);
   AlternativeService cached_broken_service2(kProtoQUIC, "cached_broken2", 443);
   AlternativeService cached_recently_broken_service(kProtoQUIC,
diff --git a/chromium/net/http/http_stream_factory.cc b/chromium/net/http/http_stream_factory.cc
index 3bca1d7c738..51bcae28729 100644
--- a/chromium/net/http/http_stream_factory.cc
+++ b/chromium/net/http/http_stream_factory.cc
@@ -78,8 +78,9 @@ void HttpStreamFactory::ProcessAlternativeServices(
     quic::ParsedQuicVersionVector advertised_versions;
     if (protocol == kProtoQUIC && !alternative_service_entry.version.empty()) {
       advertised_versions = FilterSupportedAltSvcVersions(
-          alternative_service_entry, session->params().quic_supported_versions,
-          session->params().support_ietf_format_quic_altsvc);
+          alternative_service_entry,
+          session->params().quic_params.supported_versions,
+          session->params().quic_params.support_ietf_format_quic_altsvc);
       if (advertised_versions.empty())
         continue;
     }
@@ -256,8 +257,8 @@ bool HttpStreamFactory::OnInitConnection(const JobController& controller,
   PreconnectingProxyServer preconnecting_proxy_server(proxy_info.proxy_server(),
                                                       privacy_mode);
 
-  if (base::ContainsKey(preconnecting_proxy_servers_,
-                        preconnecting_proxy_server)) {
+  if (base::Contains(preconnecting_proxy_servers_,
+                     preconnecting_proxy_server)) {
     UMA_HISTOGRAM_EXACT_LINEAR("Net.PreconnectSkippedToProxyServers", 1, 2);
     // Skip preconnect to the proxy server since we are already preconnecting
     // (probably via some other job). See https://crbug.com/682041 for details.
diff --git a/chromium/net/http/http_stream_factory_job.cc b/chromium/net/http/http_stream_factory_job.cc
index e176dfd7dc8..ed7b2346906 100644
--- a/chromium/net/http/http_stream_factory_job.cc
+++ b/chromium/net/http/http_stream_factory_job.cc
@@ -66,18 +66,17 @@ const base::Feature kLimitEarlyPreconnectsExperiment{
 }  // namespace
 
 // Returns parameters associated with the start of a HTTP stream job.
-base::Value NetLogHttpStreamJobCallback(const NetLogSource& source,
-                                        const GURL* original_url,
-                                        const GURL* url,
-                                        bool expect_spdy,
-                                        bool using_quic,
-                                        RequestPriority priority,
-                                        NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogHttpStreamJobParams(const NetLogSource& source,
+                                      const GURL& original_url,
+                                      const GURL& url,
+                                      bool expect_spdy,
+                                      bool using_quic,
+                                      RequestPriority priority) {
   base::DictionaryValue dict;
   if (source.IsValid())
     source.AddToEventParameters(&dict);
-  dict.SetString("original_url", original_url->GetOrigin().spec());
-  dict.SetString("url", url->GetOrigin().spec());
+  dict.SetString("original_url", original_url.GetOrigin().spec());
+  dict.SetString("url", url.GetOrigin().spec());
   dict.SetBoolean("expect_spdy", expect_spdy);
   dict.SetBoolean("using_quic", using_quic);
   dict.SetString("priority", RequestPriorityToString(priority));
@@ -86,9 +85,7 @@ base::Value NetLogHttpStreamJobCallback(const NetLogSource& source,
 
 // Returns parameters associated with the Proto (with NPN negotiation) of a HTTP
 // stream.
-base::Value NetLogHttpStreamProtoCallback(
-    NextProto negotiated_protocol,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogHttpStreamProtoParams(NextProto negotiated_protocol) {
   base::DictionaryValue dict;
 
   dict.SetString("proto", NextProtoToString(negotiated_protocol));
@@ -169,8 +166,7 @@ HttpStreamFactory::Job::Job(Delegate* delegate,
                                           request_info_.socket_tag,
                                           request_info_.network_isolation_key)),
       stream_type_(HttpStreamRequest::BIDIRECTIONAL_STREAM),
-      init_connection_already_resumed_(false),
-      ptr_factory_(this) {
+      init_connection_already_resumed_(false) {
   // QUIC can only be spoken to servers, never to proxies.
   if (alternative_protocol == kProtoQUIC)
     DCHECK(proxy_info_.is_direct());
@@ -180,7 +176,7 @@ HttpStreamFactory::Job::Job(Delegate* delegate,
   if (quic_version_ == quic::UnsupportedQuicVersion() &&
       ShouldForceQuic(session, destination, origin_url, proxy_info,
                       using_ssl_)) {
-    quic_version_ = session->params().quic_supported_versions[0];
+    quic_version_ = session->params().quic_params.supported_versions[0];
   }
 
   if (using_quic_)
@@ -362,10 +358,10 @@ bool HttpStreamFactory::Job::ShouldForceQuic(HttpNetworkSession* session,
   // handled by the socket pools, using an HttpProxyConnectJob.
   if (proxy_info.is_quic())
     return !using_ssl;
-  return (base::ContainsKey(session->params().origins_to_force_quic_on,
-                            HostPortPair()) ||
-          base::ContainsKey(session->params().origins_to_force_quic_on,
-                            destination)) &&
+  return (base::Contains(session->params().quic_params.origins_to_force_quic_on,
+                         HostPortPair()) ||
+          base::Contains(session->params().quic_params.origins_to_force_quic_on,
+                         destination)) &&
          proxy_info.is_direct() && origin_url.SchemeIs(url::kHttpsScheme);
 }
 
@@ -630,13 +626,13 @@ int HttpStreamFactory::Job::DoStart() {
   const NetLogWithSource* net_log = delegate_->GetNetLog();
 
   if (net_log) {
-    net_log_.BeginEvent(
-        NetLogEventType::HTTP_STREAM_JOB,
-        base::Bind(&NetLogHttpStreamJobCallback, net_log->source(),
-                   &request_info_.url, &origin_url_, expect_spdy_, using_quic_,
-                   priority_));
-    net_log->AddEvent(NetLogEventType::HTTP_STREAM_REQUEST_STARTED_JOB,
-                      net_log_.source().ToEventParametersCallback());
+    net_log_.BeginEvent(NetLogEventType::HTTP_STREAM_JOB, [&] {
+      return NetLogHttpStreamJobParams(net_log->source(), request_info_.url,
+                                       origin_url_, expect_spdy_, using_quic_,
+                                       priority_);
+    });
+    net_log->AddEventReferencingSource(
+        NetLogEventType::HTTP_STREAM_REQUEST_STARTED_JOB, net_log_.source());
   }
 
   // Don't connect to restricted ports.
@@ -657,8 +653,9 @@ int HttpStreamFactory::Job::DoStart() {
 int HttpStreamFactory::Job::DoWait() {
   next_state_ = STATE_WAIT_COMPLETE;
   bool should_wait = delegate_->ShouldWait(this);
-  net_log_.BeginEvent(NetLogEventType::HTTP_STREAM_JOB_WAITING,
-                      NetLog::BoolCallback("should_wait", should_wait));
+  net_log_.AddEntryWithBoolParams(NetLogEventType::HTTP_STREAM_JOB_WAITING,
+                                  NetLogEventPhase::BEGIN, "should_wait",
+                                  should_wait);
   if (should_wait)
     return ERR_IO_PENDING;
 
@@ -711,25 +708,6 @@ int HttpStreamFactory::Job::DoInitConnectionImpl() {
     // Disable network fetches for HTTPS proxies, since the network requests
     // are probably going to need to go through the proxy too.
     proxy_ssl_config_.disable_cert_verification_network_fetches = true;
-
-    if (proxy_ssl_config_.send_client_cert) {
-      // When connecting through an HTTPS proxy, disable TLS False Start so that
-      // client authentication errors can be distinguished between those
-      // originating from the proxy server (ERR_PROXY_CONNECTION_FAILED) and
-      // those originating from the endpoint (ERR_SSL_PROTOCOL_ERROR /
-      // ERR_BAD_SSL_CLIENT_AUTH_CERT).
-      //
-      // We now handle this fine for SSLClientAuthCache updates, though not
-      // ReconsiderProxyAfterError() below. In case of issues there, and general
-      // False Start compatibility risk, we continue to disable False Start. (If
-      // it becomes a problem, the risk of removing this is likely low.)
-      //
-      // This assumes the proxy will only request certificates on the initial
-      // handshake; renegotiation on the proxy connection is unsupported.
-      //
-      // See https://crbug.com/828965.
-      proxy_ssl_config_.false_start_enabled = false;
-    }
   }
   if (using_ssl_) {
     // Prior to HTTP/2 and SPDY, some servers use TLS renegotiation to request
@@ -773,8 +751,8 @@ int HttpStreamFactory::Job::DoInitConnectionImpl() {
       ssl_config = &server_ssl_config_;
     }
     int rv = quic_request_.Request(
-        destination, quic_version_.transport_version,
-        request_info_.privacy_mode, priority_, request_info_.socket_tag,
+        destination, quic_version_, request_info_.privacy_mode, priority_,
+        request_info_.socket_tag, request_info_.network_isolation_key,
         ssl_config->GetCertVerifyFlags(), url, net_log_, &net_error_details_,
         base::BindOnce(&Job::OnFailedOnDefaultNetwork,
                        ptr_factory_.GetWeakPtr()),
@@ -875,7 +853,8 @@ int HttpStreamFactory::Job::DoInitConnectionImpl() {
     return PreconnectSocketsForHttpRequest(
         GetSocketGroup(), destination_, request_info_.load_flags, priority_,
         session_, proxy_info_, server_ssl_config_, proxy_ssl_config_,
-        request_info_.privacy_mode, net_log_, num_streams_);
+        request_info_.privacy_mode, request_info_.network_isolation_key,
+        net_log_, num_streams_);
   }
 
   ClientSocketPool::ProxyAuthCallback proxy_auth_callback =
@@ -945,9 +924,9 @@ int HttpStreamFactory::Job::DoInitConnectionComplete(int result) {
       if (connection_->socket()->WasAlpnNegotiated()) {
         was_alpn_negotiated_ = true;
         negotiated_protocol_ = connection_->socket()->GetNegotiatedProtocol();
-        net_log_.AddEvent(
-            NetLogEventType::HTTP_STREAM_REQUEST_PROTO,
-            base::Bind(&NetLogHttpStreamProtoCallback, negotiated_protocol_));
+        net_log_.AddEvent(NetLogEventType::HTTP_STREAM_REQUEST_PROTO, [&] {
+          return NetLogHttpStreamProtoParams(negotiated_protocol_);
+        });
         if (negotiated_protocol_ == kProtoHTTP2) {
           if (is_websocket_) {
             // WebSocket is not supported over a fresh HTTP/2 connection.
@@ -1152,9 +1131,9 @@ int HttpStreamFactory::Job::DoCreateStream() {
           net_log_);
 
   if (!spdy_session->HasAcceptableTransportSecurity()) {
-    spdy_session->CloseSessionOnError(ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY,
+    spdy_session->CloseSessionOnError(ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY,
                                       "");
-    return ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY;
+    return ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY;
   }
 
   url::SchemeHostPort scheme_host_port(
diff --git a/chromium/net/http/http_stream_factory_job.h b/chromium/net/http/http_stream_factory_job.h
index 3a5488e312c..94d1a9190f8 100644
--- a/chromium/net/http/http_stream_factory_job.h
+++ b/chromium/net/http/http_stream_factory_job.h
@@ -477,7 +477,7 @@ class HttpStreamFactory::Job
 
   std::unique_ptr<SpdySessionPool::SpdySessionRequest> spdy_session_request_;
 
-  base::WeakPtrFactory<Job> ptr_factory_;
+  base::WeakPtrFactory<Job> ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(Job);
 };
diff --git a/chromium/net/http/http_stream_factory_job_controller.cc b/chromium/net/http/http_stream_factory_job_controller.cc
index d208cd01f3a..45a9e840014 100644
--- a/chromium/net/http/http_stream_factory_job_controller.cc
+++ b/chromium/net/http/http_stream_factory_job_controller.cc
@@ -16,6 +16,7 @@
 #include "base/trace_event/memory_usage_estimator.h"
 #include "base/values.h"
 #include "net/base/host_mapping_rules.h"
+#include "net/base/load_flags.h"
 #include "net/http/bidirectional_stream_impl.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
@@ -32,8 +33,7 @@ namespace {
 
 // Returns parameters associated with the proxy resolution.
 base::Value NetLogHttpStreamJobProxyServerResolved(
-    const ProxyServer& proxy_server,
-    NetLogCaptureMode /* capture_mode */) {
+    const ProxyServer& proxy_server) {
   base::DictionaryValue dict;
 
   dict.SetString("proxy_server", proxy_server.is_valid()
@@ -48,18 +48,15 @@ base::Value NetLogHttpStreamJobProxyServerResolved(
 // the main job.
 const int kMaxDelayTimeForMainJobSecs = 3;
 
-base::Value NetLogJobControllerCallback(const GURL* url,
-                                        bool is_preconnect,
-                                        NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogJobControllerParams(const GURL& url, bool is_preconnect) {
   base::DictionaryValue dict;
-  dict.SetString("url", url->possibly_invalid_spec());
+  dict.SetString("url", url.possibly_invalid_spec());
   dict.SetBoolean("is_preconnect", is_preconnect);
   return std::move(dict);
 }
 
-base::Value NetLogAltSvcCallback(const AlternativeServiceInfo* alt_svc_info,
-                                 bool is_broken,
-                                 NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogAltSvcParams(const AlternativeServiceInfo* alt_svc_info,
+                               bool is_broken) {
   base::DictionaryValue dict;
   dict.SetString("alt_svc", alt_svc_info->ToString());
   dict.SetBoolean("is_broken", is_broken);
@@ -102,14 +99,13 @@ HttpStreamFactory::JobController::JobController(
       proxy_ssl_config_(proxy_ssl_config),
       num_streams_(0),
       priority_(IDLE),
-      net_log_(
-          NetLogWithSource::Make(session->net_log(),
-                                 NetLogSourceType::HTTP_STREAM_JOB_CONTROLLER)),
-      ptr_factory_(this) {
+      net_log_(NetLogWithSource::Make(
+          session->net_log(),
+          NetLogSourceType::HTTP_STREAM_JOB_CONTROLLER)) {
   DCHECK(factory);
-  net_log_.BeginEvent(NetLogEventType::HTTP_STREAM_JOB_CONTROLLER,
-                      base::Bind(&NetLogJobControllerCallback,
-                                 &request_info.url, is_preconnect));
+  net_log_.BeginEvent(NetLogEventType::HTTP_STREAM_JOB_CONTROLLER, [&] {
+    return NetLogJobControllerParams(request_info.url, is_preconnect);
+  });
 }
 
 HttpStreamFactory::JobController::~JobController() {
@@ -143,10 +139,11 @@ std::unique_ptr<HttpStreamRequest> HttpStreamFactory::JobController::Start(
   request_ = request.get();
 
   // Associates |net_log_| with |source_net_log|.
-  source_net_log.AddEvent(NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_BOUND,
-                          net_log_.source().ToEventParametersCallback());
-  net_log_.AddEvent(NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_BOUND,
-                    source_net_log.source().ToEventParametersCallback());
+  source_net_log.AddEventReferencingSource(
+      NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_BOUND, net_log_.source());
+  net_log_.AddEventReferencingSource(
+      NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_BOUND,
+      source_net_log.source());
 
   RunLoop(OK);
   return request;
@@ -459,8 +456,8 @@ void HttpStreamFactory::JobController::AddConnectionAttemptsToRequest(
 
 void HttpStreamFactory::JobController::ResumeMainJobLater(
     const base::TimeDelta& delay) {
-  net_log_.AddEvent(NetLogEventType::HTTP_STREAM_JOB_DELAYED,
-                    NetLog::Int64Callback("delay", delay.InMilliseconds()));
+  net_log_.AddEventWithInt64Params(NetLogEventType::HTTP_STREAM_JOB_DELAYED,
+                                   "delay", delay.InMilliseconds());
   resume_main_job_callback_.Reset(
       base::BindOnce(&HttpStreamFactory::JobController::ResumeMainJob,
                      ptr_factory_.GetWeakPtr()));
@@ -475,9 +472,9 @@ void HttpStreamFactory::JobController::ResumeMainJob() {
     return;
   }
   main_job_is_resumed_ = true;
-  main_job_->net_log().AddEvent(
-      NetLogEventType::HTTP_STREAM_JOB_RESUMED,
-      NetLog::Int64Callback("delay", main_job_wait_time_.InMilliseconds()));
+  main_job_->net_log().AddEventWithInt64Params(
+      NetLogEventType::HTTP_STREAM_JOB_RESUMED, "delay",
+      main_job_wait_time_.InMilliseconds());
 
   main_job_->Resume();
   main_job_wait_time_ = base::TimeDelta();
@@ -641,10 +638,11 @@ int HttpStreamFactory::JobController::DoResolveProxyComplete(int rv) {
 
   proxy_resolve_request_ = nullptr;
   net_log_.AddEvent(
-      NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_PROXY_SERVER_RESOLVED,
-      base::Bind(
-          &NetLogHttpStreamJobProxyServerResolved,
-          proxy_info_.is_empty() ? ProxyServer() : proxy_info_.proxy_server()));
+      NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_PROXY_SERVER_RESOLVED, [&] {
+        return NetLogHttpStreamJobProxyServerResolved(
+            proxy_info_.is_empty() ? ProxyServer()
+                                   : proxy_info_.proxy_server());
+      });
 
   if (rv != OK)
     return rv;
@@ -771,12 +769,12 @@ void HttpStreamFactory::JobController::BindJob(Job* job) {
   job_bound_ = true;
   bound_job_ = job;
 
-  request_->net_log().AddEvent(
+  request_->net_log().AddEventReferencingSource(
       NetLogEventType::HTTP_STREAM_REQUEST_BOUND_TO_JOB,
-      job->net_log().source().ToEventParametersCallback());
-  job->net_log().AddEvent(
+      job->net_log().source());
+  job->net_log().AddEventReferencingSource(
       NetLogEventType::HTTP_STREAM_JOB_BOUND_TO_REQUEST,
-      request_->net_log().source().ToEventParametersCallback());
+      request_->net_log().source());
 
   OrphanUnboundJob();
 }
@@ -1013,9 +1011,9 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
     const bool is_broken = http_server_properties.IsAlternativeServiceBroken(
         alternative_service_info.alternative_service());
     net_log_.AddEvent(
-        NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_ALT_SVC_FOUND,
-        base::BindRepeating(&NetLogAltSvcCallback, &alternative_service_info,
-                            is_broken));
+        NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_ALT_SVC_FOUND, [&] {
+          return NetLogAltSvcParams(&alternative_service_info, is_broken);
+        });
     if (is_broken) {
       HistogramAlternateProtocolUsage(ALTERNATE_PROTOCOL_USAGE_BROKEN, false);
       continue;
@@ -1050,7 +1048,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
       continue;
 
     if (stream_type == HttpStreamRequest::BIDIRECTIONAL_STREAM &&
-        session_->params().quic_disable_bidirectional_streams) {
+        session_->params().quic_params.disable_bidirectional_streams) {
       continue;
     }
 
@@ -1067,11 +1065,12 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
     HostPortPair mapped_origin(origin.host(), origin.port());
     ignore_result(ApplyHostMappingRules(original_url, &mapped_origin));
     QuicSessionKey session_key(mapped_origin, request_info.privacy_mode,
-                               request_info.socket_tag);
+                               request_info.socket_tag,
+                               request_info.network_isolation_key);
 
     HostPortPair destination(alternative_service_info.host_port_pair());
     if (session_key.host() != destination.host() &&
-        !session_->params().quic_allow_remote_alt_svc) {
+        !session_->params().quic_params.allow_remote_alt_svc) {
       continue;
     }
     ignore_result(ApplyHostMappingRules(original_url, &destination));
@@ -1098,7 +1097,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
 quic::ParsedQuicVersion HttpStreamFactory::JobController::SelectQuicVersion(
     const quic::ParsedQuicVersionVector& advertised_versions) {
   const quic::ParsedQuicVersionVector& supported_versions =
-      session_->params().quic_supported_versions;
+      session_->params().quic_params.supported_versions;
   if (advertised_versions.empty())
     return supported_versions[0];
 
@@ -1242,7 +1241,7 @@ bool HttpStreamFactory::JobController::IsQuicWhitelistedForHost(
     return true;
 
   std::string lowered_host = base::ToLowerASCII(host);
-  return base::ContainsKey(host_whitelist, lowered_host);
+  return base::Contains(host_whitelist, lowered_host);
 }
 
 }  // namespace net
diff --git a/chromium/net/http/http_stream_factory_job_controller.h b/chromium/net/http/http_stream_factory_job_controller.h
index f24cdd7a81f..783759ead81 100644
--- a/chromium/net/http/http_stream_factory_job_controller.h
+++ b/chromium/net/http/http_stream_factory_job_controller.h
@@ -360,7 +360,7 @@ class HttpStreamFactory::JobController
   RequestPriority priority_;
   const NetLogWithSource net_log_;
 
-  base::WeakPtrFactory<JobController> ptr_factory_;
+  base::WeakPtrFactory<JobController> ptr_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/http/http_stream_factory_job_controller_unittest.cc b/chromium/net/http/http_stream_factory_job_controller_unittest.cc
index 05c444f7283..b3407f02428 100644
--- a/chromium/net/http/http_stream_factory_job_controller_unittest.cc
+++ b/chromium/net/http/http_stream_factory_job_controller_unittest.cc
@@ -31,7 +31,6 @@
 #include "net/http/http_stream_factory_test_util.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/proxy_resolution/mock_proxy_resolver.h"
 #include "net/proxy_resolution/proxy_config_service_fixed.h"
@@ -178,7 +177,7 @@ class HttpStreamFactoryJobControllerTest
  public:
   HttpStreamFactoryJobControllerTest()
       : TestWithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME) {
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME) {
     session_deps_.enable_quic = true;
     session_deps_.host_resolver->set_synchronous_mode(true);
   }
@@ -274,7 +273,7 @@ class HttpStreamFactoryJobControllerTest
     if (alternative_service.protocol == kProtoQUIC) {
       session_->http_server_properties()->SetQuicAlternativeService(
           server, alternative_service, expiration,
-          session_->params().quic_supported_versions);
+          session_->params().quic_params.supported_versions);
     } else {
       session_->http_server_properties()->SetHttp2AlternativeService(
           server, alternative_service, expiration);
@@ -307,6 +306,7 @@ class HttpStreamFactoryJobControllerTest
   void TestMainJobFailsAfterAltJobSucceeded(
       bool alt_job_retried_on_non_default_network);
 
+  BoundTestNetLog net_log_;
   TestJobFactory job_factory_;
   MockHttpStreamRequestDelegate request_delegate_;
   SpdySessionDependencies session_deps_{ProxyResolutionService::CreateDirect()};
@@ -320,7 +320,7 @@ class HttpStreamFactoryJobControllerTest
   quic::MockClock clock_;
   quic::test::MockRandom random_generator_{0};
   QuicTestPacketMaker client_maker_{
-      HttpNetworkSession::Params().quic_supported_versions[0],
+      HttpNetworkSession::Params().quic_params.supported_versions[0],
       quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
       &clock_,
       kServerHostname,
@@ -328,7 +328,6 @@ class HttpStreamFactoryJobControllerTest
       false};
 
  protected:
-  BoundTestNetLog net_log_;
   bool use_alternative_proxy_ = false;
   bool is_preconnect_ = false;
   bool enable_ip_based_pooling_ = true;
@@ -706,7 +705,8 @@ TEST_F(JobControllerReconsiderProxyAfterErrorTest,
       url::SchemeHostPort(GURL("http://www.example.com")), stats1);
 
   // Prepare the mocked data.
-  MockQuicData quic_data;
+  MockQuicData quic_data(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data.AddRead(ASYNC, ERR_QUIC_PROTOCOL_ERROR);
   quic_data.AddWrite(ASYNC, OK);
   quic_data.AddSocketDataToFactory(session_deps_.socket_factory.get());
@@ -796,7 +796,8 @@ TEST_F(HttpStreamFactoryJobControllerTest, CancelJobsBeforeBinding) {
   // Use COLD_START to make the alt job pending.
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, OK);
 
   tcp_data_ = std::make_unique<SequencedSocketData>();
@@ -856,7 +857,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestOnStreamFailedForBothJobs(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddConnect(ASYNC, ERR_FAILED);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(ASYNC, ERR_FAILED));
@@ -907,7 +909,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestAltJobFailsAfterMainJobSucceeded(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(ASYNC, ERR_FAILED);
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
@@ -976,7 +979,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 // Tests that when alt job succeeds, main job is destroyed.
 TEST_F(HttpStreamFactoryJobControllerTest, AltJobSucceedsMainJobDestroyed) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1024,9 +1028,9 @@ TEST_F(HttpStreamFactoryJobControllerTest, AltJobSucceedsMainJobDestroyed) {
 // Regression test for crbug.com/678768.
 TEST_F(HttpStreamFactoryJobControllerTest,
        AltJobSucceedsMainJobBlockedControllerDestroyed) {
-  quic_data_ = std::make_unique<MockQuicData>();
-  quic_data_->AddWrite(SYNCHRONOUS,
-                       client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_->AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data_->AddRead(ASYNC, OK);
 
   HttpRequestInfo request_info;
@@ -1103,7 +1107,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 // JobController will be cleaned up.
 TEST_F(HttpStreamFactoryJobControllerTest,
        OrphanedJobCompletesControllerDestroyed) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1157,7 +1162,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestAltJobSucceedsAfterMainJobFailed(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1225,7 +1231,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 void HttpStreamFactoryJobControllerTest::
     TestAltJobSucceedsAfterMainJobSucceeded(
         bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1308,7 +1315,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 void HttpStreamFactoryJobControllerTest::
     TestMainJobSucceedsAfterAltJobSucceeded(
         bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1383,7 +1391,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestMainJobFailsAfterAltJobSucceeded(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1446,7 +1455,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestMainJobSucceedsAfterAltJobFailed(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddConnect(SYNCHRONOUS, ERR_FAILED);
 
   tcp_data_ = std::make_unique<SequencedSocketData>();
@@ -1514,7 +1524,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 // then the alternative service is not marked as broken.
 TEST_F(HttpStreamFactoryJobControllerTest,
        MainJobSucceedsAfterConnectionChanged) {
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddConnect(SYNCHRONOUS, ERR_NETWORK_CHANGED);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, OK));
@@ -1556,7 +1567,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 // Get load state after main job fails and before alternative job succeeds.
 TEST_F(HttpStreamFactoryJobControllerTest, GetLoadStateAfterMainJobFailed) {
   // Use COLD_START to complete alt job manually.
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
@@ -1603,7 +1615,8 @@ TEST_F(HttpStreamFactoryJobControllerTest, GetLoadStateAfterMainJobFailed) {
 
 TEST_F(HttpStreamFactoryJobControllerTest, ResumeMainJobWhenAltJobStalls) {
   // Use COLD_START to stall alt job.
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
@@ -1672,7 +1685,8 @@ TEST_F(HttpStreamFactoryJobControllerTest, HostResolutionHang) {
   Initialize(request_info);
 
   // handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data;
+  MockQuicData quic_data(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -1744,7 +1758,8 @@ TEST_F(HttpStreamFactoryJobControllerTest, DelayedTCP) {
   Initialize(request_info);
 
   // Handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data;
+  MockQuicData quic_data(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -1884,7 +1899,8 @@ TEST_F(HttpStreamFactoryJobControllerTest, DelayedTCPWithLargeSrtt) {
   Initialize(request_info);
 
   // handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data;
+  MockQuicData quic_data(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -1943,7 +1959,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
   Initialize(request_info);
 
   // handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data;
+  MockQuicData quic_data(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -2064,7 +2081,8 @@ TEST_F(HttpStreamFactoryJobControllerTest, DelayedTCPAlternativeProxy) {
   EXPECT_TRUE(test_proxy_delegate()->alternative_proxy_server().is_quic());
 
   // Handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data;
+  MockQuicData quic_data(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -2122,7 +2140,8 @@ TEST_F(HttpStreamFactoryJobControllerTest, FailAlternativeProxy) {
   ProxyClientSocketDataProvider proxy_data(SYNCHRONOUS, OK);
   session_deps_.socket_factory->AddProxyClientSocketDataProvider(&proxy_data);
 
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddConnect(SYNCHRONOUS, ERR_FAILED);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, OK));
@@ -2175,7 +2194,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
   ProxyClientSocketDataProvider proxy_data(SYNCHRONOUS, OK);
   session_deps_.socket_factory->AddProxyClientSocketDataProvider(&proxy_data);
 
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddConnect(SYNCHRONOUS, ERR_INTERNET_DISCONNECTED);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, OK));
@@ -2228,7 +2248,8 @@ TEST_F(HttpStreamFactoryJobControllerTest,
   // Use COLD_START to make the alt job pending.
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, OK));
@@ -2276,9 +2297,9 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 }
 
 TEST_F(HttpStreamFactoryJobControllerTest, PreconnectToHostWithValidAltSvc) {
-  quic_data_ = std::make_unique<MockQuicData>();
-  quic_data_->AddWrite(SYNCHRONOUS,
-                       client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_->AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data_->AddRead(ASYNC, OK);
 
   HttpRequestInfo request_info;
@@ -2450,10 +2471,9 @@ TEST_F(JobControllerLimitMultipleH2Requests, MultipleRequests) {
   base::RunLoop().RunUntilIdle();
   requests.clear();
   EXPECT_TRUE(HttpStreamFactoryPeer::IsJobControllerDeleted(factory_));
-  TestNetLogEntry::List entries;
+  auto entries = net_log_.GetEntries();
   size_t log_position = 0;
   for (int i = 0; i < kNumRequests - 1; ++i) {
-    net_log_.GetEntries(&entries);
     log_position = ExpectLogContainsSomewhereAfter(
         entries, log_position, NetLogEventType::HTTP_STREAM_JOB_THROTTLED,
         NetLogEventPhase::NONE);
@@ -2707,7 +2727,8 @@ TEST_F(JobControllerLimitMultipleH2Requests, H1NegotiatedForFirstRequest) {
 TEST_F(JobControllerLimitMultipleH2Requests, QuicJobNotThrottled) {
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
-  quic_data_ = std::make_unique<MockQuicData>();
+  quic_data_ = std::make_unique<MockQuicData>(
+      HttpNetworkSession::Params().quic_params.supported_versions.front());
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING)};
   tcp_data_ =
@@ -2751,9 +2772,8 @@ TEST_F(JobControllerLimitMultipleH2Requests, QuicJobNotThrottled) {
   EXPECT_TRUE(job_controller->alternative_job());
   EXPECT_CALL(request_delegate_, OnStreamReadyImpl(_, _, _));
   base::RunLoop().RunUntilIdle();
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
-  for (auto entry : entries) {
+  auto entries = net_log_.GetEntries();
+  for (const auto& entry : entries) {
     ASSERT_NE(NetLogEventType::HTTP_STREAM_JOB_THROTTLED, entry.type);
   }
 }
@@ -2772,10 +2792,11 @@ TEST_P(HttpStreamFactoryJobControllerMisdirectedRequestRetry,
   const bool enable_ip_based_pooling = ::testing::get<0>(GetParam());
   const bool enable_alternative_services = ::testing::get<1>(GetParam());
   if (enable_alternative_services) {
-    quic_data_ = std::make_unique<MockQuicData>();
+    quic_data_ = std::make_unique<MockQuicData>(
+        HttpNetworkSession::Params().quic_params.supported_versions.front());
     quic_data_->AddConnect(SYNCHRONOUS, OK);
     quic_data_->AddWrite(SYNCHRONOUS,
-                         client_maker_.MakeInitialSettingsPacket(1, nullptr));
+                         client_maker_.MakeInitialSettingsPacket(1));
     quic_data_->AddRead(ASYNC, OK);
   }
   tcp_data_ = std::make_unique<SequencedSocketData>();
@@ -2908,7 +2929,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
   // Set alternative service for the same server with the same list of versions
   // that is supported.
   quic::ParsedQuicVersionVector supported_versions =
-      session_->params().quic_supported_versions;
+      session_->params().quic_params.supported_versions;
   ASSERT_TRUE(session_->http_server_properties()->SetQuicAlternativeService(
       server, alternative_service, expiration, supported_versions));
 
@@ -2940,9 +2961,11 @@ TEST_F(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
 
   // Set alternative service for the same server with two QUIC versions:
   // - one unsupported version: |unsupported_version_1|,
-  // - one supported version: session_->params().quic_supported_versions[0].
+  // - one supported version:
+  // session_->params().quic_params.supported_versions[0].
   quic::ParsedQuicVersionVector mixed_quic_versions = {
-      unsupported_version_1, session_->params().quic_supported_versions[0]};
+      unsupported_version_1,
+      session_->params().quic_params.supported_versions[0]};
   ASSERT_TRUE(session_->http_server_properties()->SetQuicAlternativeService(
       server, alternative_service, expiration, mixed_quic_versions));
 
@@ -2985,13 +3008,13 @@ TEST_F(HttpStreamFactoryJobControllerTest, QuicHostWhitelist) {
   // Set HttpNetworkSession's QUIC host whitelist to only have www.example.com
   HttpNetworkSessionPeer session_peer(session_.get());
   session_peer.params()->quic_host_whitelist.insert("www.example.com");
-  session_peer.params()->quic_allow_remote_alt_svc = true;
+  session_peer.params()->quic_params.allow_remote_alt_svc = true;
 
   // Set alternative service for www.google.com to be www.example.com over QUIC.
   url::SchemeHostPort server(request_info.url);
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
   quic::ParsedQuicVersionVector supported_versions =
-      session_->params().quic_supported_versions;
+      session_->params().quic_params.supported_versions;
   session_->http_server_properties()->SetQuicAlternativeService(
       server, AlternativeService(kProtoQUIC, "www.example.com", 443),
       expiration, supported_versions);
diff --git a/chromium/net/http/http_stream_factory_unittest.cc b/chromium/net/http/http_stream_factory_unittest.cc
index 9258f8fb7af..be453dc1fa3 100644
--- a/chromium/net/http/http_stream_factory_unittest.cc
+++ b/chromium/net/http/http_stream_factory_unittest.cc
@@ -18,8 +18,10 @@
 #include "base/run_loop.h"
 #include "base/stl_util.h"
 #include "base/test/metrics/histogram_tester.h"
+#include "base/test/scoped_feature_list.h"
 #include "build/build_config.h"
 #include "net/base/completion_once_callback.h"
+#include "net/base/features.h"
 #include "net/base/port_util.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/proxy_server.h"
@@ -48,6 +50,7 @@
 #include "net/quic/quic_http_utils.h"
 #include "net/quic/quic_stream_factory_peer.h"
 #include "net/quic/quic_test_packet_maker.h"
+#include "net/quic/quic_test_packet_printer.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/client_socket_pool.h"
 #include "net/socket/connect_job.h"
@@ -110,8 +113,7 @@ class MockWebSocketHandshakeStream : public WebSocketHandshakeStreamBase {
     kStreamTypeSpdy,
   };
 
-  explicit MockWebSocketHandshakeStream(StreamType type)
-      : type_(type), weak_ptr_factory_(this) {}
+  explicit MockWebSocketHandshakeStream(StreamType type) : type_(type) {}
 
   ~MockWebSocketHandshakeStream() override = default;
 
@@ -170,7 +172,7 @@ class MockWebSocketHandshakeStream : public WebSocketHandshakeStreamBase {
 
  private:
   const StreamType type_;
-  base::WeakPtrFactory<MockWebSocketHandshakeStream> weak_ptr_factory_;
+  base::WeakPtrFactory<MockWebSocketHandshakeStream> weak_ptr_factory_{this};
 };
 
 // HttpStreamFactory subclass that can wait until a preconnect is complete.
@@ -360,6 +362,7 @@ TestCase kTests[] = {
 
 void PreconnectHelperForURL(int num_streams,
                             const GURL& url,
+                            NetworkIsolationKey network_isolation_key,
                             HttpNetworkSession* session) {
   HttpNetworkSessionPeer peer(session);
   MockHttpStreamFactoryForPreconnect* mock_factory =
@@ -370,6 +373,7 @@ void PreconnectHelperForURL(int num_streams,
   request.method = "GET";
   request.url = url;
   request.load_flags = 0;
+  request.network_isolation_key = network_isolation_key;
   request.traffic_annotation =
       MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
@@ -380,7 +384,7 @@ void PreconnectHelperForURL(int num_streams,
 void PreconnectHelper(const TestCase& test, HttpNetworkSession* session) {
   GURL url =
       test.ssl ? GURL("https://www.google.com") : GURL("http://www.google.com");
-  PreconnectHelperForURL(test.num_streams, url, session);
+  PreconnectHelperForURL(test.num_streams, url, NetworkIsolationKey(), session);
 }
 
 ClientSocketPool::GroupId GetGroupId(const TestCase& test) {
@@ -479,6 +483,9 @@ class CapturePreconnectsTransportSocketPool : public TransportClientSocketPool {
 
 using HttpStreamFactoryTest = TestWithScopedTaskEnvironment;
 
+// TODO(950069): Add testing for frame_origin in NetworkIsolationKey using
+// kAppendInitiatingFrameOriginToNetworkIsolationKey.
+
 TEST_F(HttpStreamFactoryTest, PreconnectDirect) {
   for (size_t i = 0; i < base::size(kTests); ++i) {
     SpdySessionDependencies session_deps(
@@ -609,10 +616,50 @@ TEST_F(HttpStreamFactoryTest, PreconnectUnsafePort) {
                                    std::move(owned_transport_conn_pool));
   peer.SetClientSocketPoolManager(std::move(mock_pool_manager));
 
-  PreconnectHelperForURL(1, GURL("http://www.google.com:7"), session.get());
+  PreconnectHelperForURL(1, GURL("http://www.google.com:7"),
+                         NetworkIsolationKey(), session.get());
   EXPECT_EQ(-1, transport_conn_pool->last_num_streams());
 }
 
+// Verify that preconnects use the specified NetworkIsolationKey.
+TEST_F(HttpStreamFactoryTest, PreconnectNetworkIsolationKey) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kPartitionConnectionsByNetworkIsolationKey);
+
+  SpdySessionDependencies session_deps(ProxyResolutionService::CreateDirect());
+  std::unique_ptr<HttpNetworkSession> session(
+      SpdySessionDependencies::SpdyCreateSession(&session_deps));
+  HttpNetworkSessionPeer peer(session.get());
+  CommonConnectJobParams common_connect_job_params =
+      session->CreateCommonConnectJobParams();
+  std::unique_ptr<CapturePreconnectsTransportSocketPool>
+      owned_transport_conn_pool =
+          std::make_unique<CapturePreconnectsTransportSocketPool>(
+              &common_connect_job_params);
+  CapturePreconnectsTransportSocketPool* transport_conn_pool =
+      owned_transport_conn_pool.get();
+  auto mock_pool_manager = std::make_unique<MockClientSocketPoolManager>();
+  mock_pool_manager->SetSocketPool(ProxyServer::Direct(),
+                                   std::move(owned_transport_conn_pool));
+  peer.SetClientSocketPoolManager(std::move(mock_pool_manager));
+
+  const GURL kURL("http://foo.test/");
+  const auto kOriginFoo = url::Origin::Create(GURL("http://foo.test"));
+  const auto kOriginBar = url::Origin::Create(GURL("http://bar.test"));
+  const NetworkIsolationKey kKey1(kOriginFoo, kOriginFoo);
+  const NetworkIsolationKey kKey2(kOriginBar, kOriginBar);
+  PreconnectHelperForURL(1, kURL, kKey1, session.get());
+  EXPECT_EQ(1, transport_conn_pool->last_num_streams());
+  EXPECT_EQ(kKey1,
+            transport_conn_pool->last_group_id().network_isolation_key());
+
+  PreconnectHelperForURL(2, kURL, kKey2, session.get());
+  EXPECT_EQ(2, transport_conn_pool->last_num_streams());
+  EXPECT_EQ(kKey2,
+            transport_conn_pool->last_group_id().network_isolation_key());
+}
+
 TEST_F(HttpStreamFactoryTest, JobNotifiesProxy) {
   const char* kProxyString = "PROXY bad:99; PROXY maybe:80; DIRECT";
   SpdySessionDependencies session_deps(
@@ -835,7 +882,8 @@ class TestBidirectionalDelegate : public BidirectionalStreamImpl::Delegate {
 // Simplify ownership issues and the interaction with the MockSocketFactory.
 class MockQuicData {
  public:
-  MockQuicData() : packet_number_(0) {}
+  explicit MockQuicData(quic::ParsedQuicVersion version)
+      : packet_number_(0), printer_(version) {}
 
   ~MockQuicData() = default;
 
@@ -857,6 +905,7 @@ class MockQuicData {
 
   void AddSocketDataToFactory(MockClientSocketFactory* factory) {
     socket_data_ = std::make_unique<SequencedSocketData>(reads_, writes_);
+    socket_data_->set_printer(&printer_);
     factory->AddSocketDataProvider(socket_data_.get());
   }
 
@@ -865,6 +914,7 @@ class MockQuicData {
   std::vector<MockWrite> writes_;
   std::vector<MockRead> reads_;
   size_t packet_number_;
+  QuicPacketPrinter printer_;
   std::unique_ptr<SequencedSocketData> socket_data_;
 };
 
@@ -1141,7 +1191,7 @@ TEST_F(HttpStreamFactoryTest, UsePreConnectIfNoZeroRTT) {
                                host_port_pair.port());
     http_server_properties.SetQuicAlternativeService(
         server, alternative_service, expiration,
-        session_params.quic_supported_versions);
+        session_params.quic_params.supported_versions);
 
     HttpNetworkSession::Context session_context =
         SpdySessionDependencies::CreateSessionContext(&session_deps);
@@ -1160,7 +1210,8 @@ TEST_F(HttpStreamFactoryTest, UsePreConnectIfNoZeroRTT) {
     mock_pool_manager->SetSocketPool(proxy_server,
                                      base::WrapUnique(http_proxy_pool));
     peer.SetClientSocketPoolManager(std::move(mock_pool_manager));
-    PreconnectHelperForURL(num_streams, url, session.get());
+    PreconnectHelperForURL(num_streams, url, NetworkIsolationKey(),
+                           session.get());
     EXPECT_EQ(num_streams, http_proxy_pool->last_num_streams());
   }
 }
@@ -2197,6 +2248,9 @@ class HttpStreamFactoryBidirectionalQuicTest
         proxy_resolution_service_(ProxyResolutionService::CreateDirect()),
         ssl_config_service_(new SSLConfigServiceDefaults) {
     clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(20));
+    if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+      SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
+    }
   }
 
   void TearDown() override { session_.reset(); }
@@ -2204,13 +2258,14 @@ class HttpStreamFactoryBidirectionalQuicTest
   // Disable bidirectional stream over QUIC. This should be invoked before
   // Initialize().
   void DisableQuicBidirectionalStream() {
-    params_.quic_disable_bidirectional_streams = true;
+    params_.quic_params.disable_bidirectional_streams = true;
   }
 
   void Initialize() {
     params_.enable_quic = true;
-    params_.quic_supported_versions = quic::test::SupportedVersions(version_);
-    params_.quic_headers_include_h2_stream_dependency =
+    params_.quic_params.supported_versions =
+        quic::test::SupportedVersions(version_);
+    params_.quic_params.headers_include_h2_stream_dependency =
         client_headers_include_h2_stream_dependency_;
 
     HttpNetworkSession::Context session_context;
@@ -2247,7 +2302,7 @@ class HttpStreamFactoryBidirectionalQuicTest
     base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
     http_server_properties_.SetQuicAlternativeService(
         url::SchemeHostPort(default_url_), alternative_service, expiration,
-        session_->params().quic_supported_versions);
+        session_->params().quic_params.supported_versions);
   }
 
   test::QuicTestPacketMaker& client_packet_maker() {
@@ -2268,7 +2323,10 @@ class HttpStreamFactoryBidirectionalQuicTest
         version_.transport_version, n);
   }
 
+  quic::ParsedQuicVersion version() const { return version_; }
+
  private:
+  QuicFlagSaver saver_;
   const quic::ParsedQuicVersion version_;
   const bool client_headers_include_h2_stream_dependency_;
   quic::MockClock clock_;
@@ -2298,20 +2356,17 @@ INSTANTIATE_TEST_SUITE_P(
 
 TEST_P(HttpStreamFactoryBidirectionalQuicTest,
        RequestBidirectionalStreamImplQuicAlternative) {
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version());
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
   size_t spdy_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(client_packet_maker().MakeInitialSettingsPacket(
-      1, &header_stream_offset));
+  mock_quic_data.AddWrite(client_packet_maker().MakeInitialSettingsPacket(1));
   mock_quic_data.AddWrite(client_packet_maker().MakeRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0),
       /*should_include_version=*/true,
       /*fin=*/true, priority,
       client_packet_maker().GetRequestHeaders("GET", "https", "/"),
-      /*parent_stream_id=*/0, &spdy_headers_frame_length,
-      &header_stream_offset));
+      /*parent_stream_id=*/0, &spdy_headers_frame_length));
   size_t spdy_response_headers_frame_length;
   mock_quic_data.AddRead(server_packet_maker().MakeResponseHeadersPacket(
       1, GetNthClientInitiatedBidirectionalStreamId(0),
@@ -2426,20 +2481,17 @@ TEST_P(HttpStreamFactoryBidirectionalQuicTest,
 TEST_P(HttpStreamFactoryBidirectionalQuicTest,
        RequestBidirectionalStreamImplHttpJobFailsQuicJobSucceeds) {
   // Set up Quic data.
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version());
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
   size_t spdy_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(client_packet_maker().MakeInitialSettingsPacket(
-      1, &header_stream_offset));
+  mock_quic_data.AddWrite(client_packet_maker().MakeInitialSettingsPacket(1));
   mock_quic_data.AddWrite(client_packet_maker().MakeRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0),
       /*should_include_version=*/true,
       /*fin=*/true, priority,
       client_packet_maker().GetRequestHeaders("GET", "https", "/"),
-      /*parent_stream_id=*/0, &spdy_headers_frame_length,
-      &header_stream_offset));
+      /*parent_stream_id=*/0, &spdy_headers_frame_length));
   size_t spdy_response_headers_frame_length;
   mock_quic_data.AddRead(server_packet_maker().MakeResponseHeadersPacket(
       1, GetNthClientInitiatedBidirectionalStreamId(0),
@@ -2680,20 +2732,17 @@ TEST_F(HttpStreamFactoryTest, Tag) {
 // should not be shared amongst streams with different socket tags).
 TEST_P(HttpStreamFactoryBidirectionalQuicTest, Tag) {
   // Prepare mock QUIC data for a first session establishment.
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version());
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
   size_t spdy_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(client_packet_maker().MakeInitialSettingsPacket(
-      1, &header_stream_offset));
+  mock_quic_data.AddWrite(client_packet_maker().MakeInitialSettingsPacket(1));
   mock_quic_data.AddWrite(client_packet_maker().MakeRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0),
       /*should_include_version=*/true,
       /*fin=*/true, priority,
       client_packet_maker().GetRequestHeaders("GET", "https", "/"),
-      /*parent_stream_id=*/0, &spdy_headers_frame_length,
-      &header_stream_offset));
+      /*parent_stream_id=*/0, &spdy_headers_frame_length));
   size_t spdy_response_headers_frame_length;
   mock_quic_data.AddRead(server_packet_maker().MakeResponseHeadersPacket(
       1, GetNthClientInitiatedBidirectionalStreamId(0),
@@ -2704,17 +2753,15 @@ TEST_P(HttpStreamFactoryBidirectionalQuicTest, Tag) {
   mock_quic_data.AddSocketDataToFactory(&socket_factory());
 
   // Prepare mock QUIC data for a second session establishment.
-  MockQuicData mock_quic_data2;
-  quic::QuicStreamOffset header_stream_offset2 = 0;
-  mock_quic_data2.AddWrite(client_packet_maker().MakeInitialSettingsPacket(
-      1, &header_stream_offset2));
+  client_packet_maker().Reset();
+  MockQuicData mock_quic_data2(version());
+  mock_quic_data2.AddWrite(client_packet_maker().MakeInitialSettingsPacket(1));
   mock_quic_data2.AddWrite(client_packet_maker().MakeRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0),
       /*should_include_version=*/true,
       /*fin=*/true, priority,
       client_packet_maker().GetRequestHeaders("GET", "https", "/"),
-      /*parent_stream_id=*/0, &spdy_headers_frame_length,
-      &header_stream_offset));
+      /*parent_stream_id=*/0, &spdy_headers_frame_length));
   mock_quic_data2.AddRead(server_packet_maker().MakeResponseHeadersPacket(
       1, GetNthClientInitiatedBidirectionalStreamId(0),
       /*should_include_version=*/false,
diff --git a/chromium/net/http/http_stream_parser.cc b/chromium/net/http/http_stream_parser.cc
index 6615a48c8fe..3112cae517a 100644
--- a/chromium/net/http/http_stream_parser.cc
+++ b/chromium/net/http/http_stream_parser.cc
@@ -17,6 +17,7 @@
 #include "net/base/ip_endpoint.h"
 #include "net/base/upload_data_stream.h"
 #include "net/http/http_chunked_decoder.h"
+#include "net/http/http_log_util.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
@@ -67,11 +68,9 @@ bool HeadersContainMultipleCopiesOfField(const HttpResponseHeaders& headers,
   return false;
 }
 
-base::Value NetLogSendRequestBodyCallback(
-    uint64_t length,
-    bool is_chunked,
-    bool did_merge,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSendRequestBodyParams(uint64_t length,
+                                        bool is_chunked,
+                                        bool did_merge) {
   base::DictionaryValue dict;
   dict.SetInteger("length", static_cast<int>(length));
   dict.SetBoolean("is_chunked", is_chunked);
@@ -79,6 +78,15 @@ base::Value NetLogSendRequestBodyCallback(
   return std::move(dict);
 }
 
+void NetLogSendRequestBody(const NetLogWithSource& net_log,
+                           uint64_t length,
+                           bool is_chunked,
+                           bool did_merge) {
+  net_log.AddEvent(NetLogEventType::HTTP_TRANSACTION_SEND_REQUEST_BODY, [&] {
+    return NetLogSendRequestBodyParams(length, is_chunked, did_merge);
+  });
+}
+
 // Returns true if |error_code| is an error for which we give the server a
 // chance to send a body containing error information, if the error was received
 // while trying to upload a request body.
@@ -211,8 +219,7 @@ HttpStreamParser::HttpStreamParser(StreamSocket* stream_socket,
       connection_is_reused_(connection_is_reused),
       net_log_(net_log),
       sent_last_chunk_(false),
-      upload_error_(OK),
-      weak_ptr_factory_(this) {
+      upload_error_(OK) {
   io_callback_ = base::BindRepeating(&HttpStreamParser::OnIOComplete,
                                      weak_ptr_factory_.GetWeakPtr());
 }
@@ -230,9 +237,9 @@ int HttpStreamParser::SendRequest(
   DCHECK(!callback.is_null());
   DCHECK(response);
 
-  net_log_.AddEvent(NetLogEventType::HTTP_TRANSACTION_SEND_REQUEST_HEADERS,
-                    base::Bind(&HttpRequestHeaders::NetLogCallback,
-                               base::Unretained(&headers), &request_line));
+  NetLogRequestHeaders(net_log_,
+                       NetLogEventType::HTTP_TRANSACTION_SEND_REQUEST_HEADERS,
+                       request_line, &headers);
 
   DVLOG(1) << __func__ << "() request_line = \"" << request_line << "\""
            << " headers = \"" << headers.ToString() << "\"";
@@ -296,11 +303,9 @@ int HttpStreamParser::SendRequest(
     request_headers_->SetOffset(0);
     did_merge = true;
 
-    net_log_.AddEvent(NetLogEventType::HTTP_TRANSACTION_SEND_REQUEST_BODY,
-                      base::Bind(&NetLogSendRequestBodyCallback,
-                                 request_->upload_data_stream->size(),
-                                 false, /* not chunked */
-                                 true /* merged */));
+    NetLogSendRequestBody(net_log_, request_->upload_data_stream->size(),
+                          false, /* not chunked */
+                          true /* merged */);
   }
 
   if (!did_merge) {
@@ -501,11 +506,9 @@ int HttpStreamParser::DoSendHeadersComplete(int result) {
        // !IsEOF() indicates that the body wasn't merged.
        (request_->upload_data_stream->size() > 0 &&
         !request_->upload_data_stream->IsEOF()))) {
-    net_log_.AddEvent(NetLogEventType::HTTP_TRANSACTION_SEND_REQUEST_BODY,
-                      base::Bind(&NetLogSendRequestBodyCallback,
-                                 request_->upload_data_stream->size(),
-                                 request_->upload_data_stream->is_chunked(),
-                                 false /* not merged */));
+    NetLogSendRequestBody(net_log_, request_->upload_data_stream->size(),
+                          request_->upload_data_stream->is_chunked(),
+                          false /* not merged */);
     io_state_ = STATE_SEND_BODY;
     return OK;
   }
diff --git a/chromium/net/http/http_stream_parser.h b/chromium/net/http/http_stream_parser.h
index 16d24e247f2..0d559c3a828 100644
--- a/chromium/net/http/http_stream_parser.h
+++ b/chromium/net/http/http_stream_parser.h
@@ -303,7 +303,7 @@ class NET_EXPORT_PRIVATE HttpStreamParser {
 
   MutableNetworkTrafficAnnotationTag traffic_annotation_;
 
-  base::WeakPtrFactory<HttpStreamParser> weak_ptr_factory_;
+  base::WeakPtrFactory<HttpStreamParser> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(HttpStreamParser);
 };
diff --git a/chromium/net/http/http_stream_parser_fuzzer.cc b/chromium/net/http/http_stream_parser_fuzzer.cc
index 1cfcb27087a..3f99250d7a9 100644
--- a/chromium/net/http/http_stream_parser_fuzzer.cc
+++ b/chromium/net/http/http_stream_parser_fuzzer.cc
@@ -15,7 +15,6 @@
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
@@ -25,6 +24,7 @@
 #include "net/log/test_net_log.h"
 #include "net/socket/fuzzed_socket.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 #include "url/gurl.h"
 
 // Fuzzer for HttpStreamParser.
@@ -33,7 +33,7 @@
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   net::TestCompletionCallback callback;
   net::BoundTestNetLog bound_test_net_log;
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
   net::FuzzedSocket fuzzed_socket(&data_provider,
                                   bound_test_net_log.bound().net_log());
   CHECK_EQ(net::OK, fuzzed_socket.Connect(callback.callback()));
diff --git a/chromium/net/http/http_stream_parser_unittest.cc b/chromium/net/http/http_stream_parser_unittest.cc
index 16b77a305fd..a74972cfe23 100644
--- a/chromium/net/http/http_stream_parser_unittest.cc
+++ b/chromium/net/http/http_stream_parser_unittest.cc
@@ -24,6 +24,7 @@
 #include "net/base/chunked_upload_data_stream.h"
 #include "net/base/elements_upload_data_stream.h"
 #include "net/base/io_buffer.h"
+#include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
 #include "net/base/upload_bytes_element_reader.h"
@@ -71,7 +72,7 @@ class ReadErrorUploadDataStream : public UploadDataStream {
   enum class FailureMode { SYNC, ASYNC };
 
   explicit ReadErrorUploadDataStream(FailureMode mode)
-      : UploadDataStream(true, 0), async_(mode), weak_factory_(this) {}
+      : UploadDataStream(true, 0), async_(mode) {}
 
  private:
   void CompleteRead() { UploadDataStream::OnReadCompleted(ERR_FAILED); }
@@ -93,7 +94,7 @@ class ReadErrorUploadDataStream : public UploadDataStream {
 
   const FailureMode async_;
 
-  base::WeakPtrFactory<ReadErrorUploadDataStream> weak_factory_;
+  base::WeakPtrFactory<ReadErrorUploadDataStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ReadErrorUploadDataStream);
 };
@@ -200,7 +201,7 @@ TEST(HttpStreamParser, DataReadErrorAsynchronous) {
 class InitAsyncUploadDataStream : public ChunkedUploadDataStream {
  public:
   explicit InitAsyncUploadDataStream(int64_t identifier)
-      : ChunkedUploadDataStream(identifier), weak_factory_(this) {}
+      : ChunkedUploadDataStream(identifier) {}
 
  private:
   void CompleteInit() { UploadDataStream::OnInitCompleted(OK); }
@@ -212,7 +213,7 @@ class InitAsyncUploadDataStream : public ChunkedUploadDataStream {
     return ERR_IO_PENDING;
   }
 
-  base::WeakPtrFactory<InitAsyncUploadDataStream> weak_factory_;
+  base::WeakPtrFactory<InitAsyncUploadDataStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(InitAsyncUploadDataStream);
 };
diff --git a/chromium/net/http/http_transaction_test_util.cc b/chromium/net/http/http_transaction_test_util.cc
index ce61d097826..28b65dd1704 100644
--- a/chromium/net/http/http_transaction_test_util.cc
+++ b/chromium/net/http/http_transaction_test_util.cc
@@ -263,8 +263,7 @@ MockNetworkTransaction::MockNetworkTransaction(RequestPriority priority,
       sent_bytes_(0),
       socket_log_id_(NetLogSource::kInvalidId),
       done_reading_called_(false),
-      reading_(false),
-      weak_factory_(this) {}
+      reading_(false) {}
 
 MockNetworkTransaction::~MockNetworkTransaction() {
   // Use request_ as in ~HttpNetworkTransaction to make sure its valid and not
diff --git a/chromium/net/http/http_transaction_test_util.h b/chromium/net/http/http_transaction_test_util.h
index 745a31f1b9d..f1724b0b4bd 100644
--- a/chromium/net/http/http_transaction_test_util.h
+++ b/chromium/net/http/http_transaction_test_util.h
@@ -291,8 +291,7 @@ class MockNetworkTransaction
 
   CompletionOnceCallback resume_start_callback_;  // used for pause and restart.
 
-  base::WeakPtrFactory<MockNetworkTransaction> weak_factory_;
-
+  base::WeakPtrFactory<MockNetworkTransaction> weak_factory_{this};
 };
 
 class MockNetworkLayer : public HttpTransactionFactory,
diff --git a/chromium/net/http/mock_gssapi_library_posix.cc b/chromium/net/http/mock_gssapi_library_posix.cc
index b043361298c..e492bd99425 100644
--- a/chromium/net/http/mock_gssapi_library_posix.cc
+++ b/chromium/net/http/mock_gssapi_library_posix.cc
@@ -16,6 +16,14 @@ namespace test {
 struct GssNameMockImpl {
   std::string name;
   gss_OID_desc name_type;
+
+  static GssNameMockImpl* FromGssName(gss_name_t name) {
+    return reinterpret_cast<GssNameMockImpl*>(name);
+  }
+
+  static gss_name_t ToGssName(GssNameMockImpl* name) {
+    return reinterpret_cast<gss_name_t>(name);
+  }
 };
 
 }  // namespace test
@@ -56,8 +64,10 @@ void ClearBuffer(gss_buffer_t dest) {
   if (!dest)
     return;
   dest->length = 0;
-  delete [] reinterpret_cast<char*>(dest->value);
-  dest->value = nullptr;
+  if (dest->value) {
+    delete[] reinterpret_cast<char*>(dest->value);
+    dest->value = nullptr;
+  }
 }
 
 void SetBuffer(gss_buffer_t dest, const void* src, size_t length) {
@@ -101,7 +111,7 @@ void BufferFromString(const std::string& src, gss_buffer_t dest) {
 void ClearName(gss_name_t dest) {
   if (!dest)
     return;
-  test::GssNameMockImpl* name = reinterpret_cast<test::GssNameMockImpl*>(dest);
+  auto* name = test::GssNameMockImpl::FromGssName(dest);
   name->name.clear();
   ClearOid(&name->name_type);
 }
@@ -112,24 +122,15 @@ void SetName(gss_name_t dest, const void* src, size_t length) {
   ClearName(dest);
   if (!src)
     return;
-  test::GssNameMockImpl* name = reinterpret_cast<test::GssNameMockImpl*>(dest);
+  auto* name = test::GssNameMockImpl::FromGssName(dest);
   name->name.assign(reinterpret_cast<const char*>(src), length);
 }
 
-std::string NameToString(const gss_name_t& src) {
-  std::string dest;
-  if (!src)
-    return dest;
-  test::GssNameMockImpl* string =
-      reinterpret_cast<test::GssNameMockImpl*>(src);
-  dest = string->name;
-  return dest;
-}
-
-void NameFromString(const std::string& src, gss_name_t dest) {
-  if (!dest)
-    return;
+gss_name_t NameFromString(const std::string& src) {
+  gss_name_t dest = test::GssNameMockImpl::ToGssName(
+      new test::GssNameMockImpl{"", {0, nullptr}});
   SetName(dest, src.c_str(), src.length());
+  return dest;
 }
 
 }  // namespace
@@ -252,7 +253,7 @@ void MockGSSAPILibrary::ExpectSecurityContext(
   expected_security_queries_.push_back(security_query);
 }
 
-bool MockGSSAPILibrary::Init() {
+bool MockGSSAPILibrary::Init(const NetLogWithSource&) {
   return true;
 }
 
@@ -279,7 +280,7 @@ OM_uint32 MockGSSAPILibrary::import_name(
   // Save the data.
   output->name = BufferToString(input_name_buffer);
   CopyOid(&output->name_type, input_name_type);
-  *output_name = reinterpret_cast<gss_name_t>(output);
+  *output_name = test::GssNameMockImpl::ToGssName(output);
 
   return GSS_S_COMPLETE;
 }
@@ -293,10 +294,10 @@ OM_uint32 MockGSSAPILibrary::release_name(
     return GSS_S_BAD_NAME;
   if (!*input_name)
     return GSS_S_COMPLETE;
-  GssNameMockImpl* name = *reinterpret_cast<GssNameMockImpl**>(input_name);
+  GssNameMockImpl* name = GssNameMockImpl::FromGssName(*input_name);
   ClearName(*input_name);
   delete name;
-  *input_name = nullptr;
+  *input_name = GSS_C_NO_NAME;
   return GSS_S_COMPLETE;
 }
 
@@ -324,12 +325,13 @@ OM_uint32 MockGSSAPILibrary::display_name(
     return GSS_S_CALL_BAD_STRUCTURE;
   if (!output_name_type)
     return GSS_S_CALL_BAD_STRUCTURE;
-  std::string name(NameToString(input_name));
+  GssNameMockImpl* internal_name = GssNameMockImpl::FromGssName(input_name);
+  std::string name = internal_name->name;
   BufferFromString(name, output_name_buffer);
-  GssNameMockImpl* internal_name =
-      *reinterpret_cast<GssNameMockImpl**>(input_name);
-  if (output_name_type)
-    *output_name_type = internal_name ? &internal_name->name_type : nullptr;
+  if (output_name_type) {
+    *output_name_type =
+        internal_name ? &internal_name->name_type : GSS_C_NO_OID;
+  }
   return GSS_S_COMPLETE;
 }
 
@@ -340,15 +342,47 @@ OM_uint32 MockGSSAPILibrary::display_status(
       const gss_OID mech_type,
       OM_uint32* message_context,
       gss_buffer_t status_string) {
-  if (minor_status)
-    *minor_status = 0;
-  std::string msg = base::StringPrintf("Value: %u, Type %u",
-                                       status_value,
-                                       status_type);
-  if (message_context)
-    *message_context = 0;
+  OM_uint32 rv = GSS_S_COMPLETE;
+  *minor_status = 0;
+  std::string msg;
+  switch (static_cast<DisplayStatusSpecials>(status_value)) {
+    case DisplayStatusSpecials::MultiLine:
+      msg = base::StringPrintf("Line %u for status %u", ++*message_context,
+                               status_value);
+      if (*message_context >= 5u)
+        *message_context = 0u;
+      break;
+
+    case DisplayStatusSpecials::InfiniteLines:
+      msg = base::StringPrintf("Line %u for status %u", ++*message_context,
+                               status_value);
+      break;
+
+    case DisplayStatusSpecials::Fail:
+      rv = GSS_S_BAD_MECH;
+      msg = "You should not see this";
+      EXPECT_EQ(*message_context, 0u);
+      break;
+
+    case DisplayStatusSpecials::EmptyMessage:
+      EXPECT_EQ(*message_context, 0u);
+      break;
+
+    case DisplayStatusSpecials::UninitalizedBuffer:
+      EXPECT_EQ(*message_context, 0u);
+      return GSS_S_COMPLETE;
+
+    case DisplayStatusSpecials::InvalidUtf8:
+      msg = "\xff\xff\xff";
+      EXPECT_EQ(*message_context, 0u);
+      break;
+
+    default:
+      msg = base::StringPrintf("Value: %u, Type %u", status_value, status_type);
+      EXPECT_EQ(*message_context, 0u);
+  }
   BufferFromString(msg, status_string);
-  return GSS_S_COMPLETE;
+  return rv;
 }
 
 OM_uint32 MockGSSAPILibrary::init_sec_context(
@@ -459,9 +493,9 @@ OM_uint32 MockGSSAPILibrary::inquire_context(
       reinterpret_cast<GssContextMockImpl*>(context_handle);
   GssContextMockImpl& context = *internal_context_ptr;
   if (src_name)
-    NameFromString(context.src_name, *src_name);
+    *src_name = NameFromString(context.src_name);
   if (targ_name)
-    NameFromString(context.targ_name, *targ_name);
+    *targ_name = NameFromString(context.targ_name);
   if (lifetime_rec)
     *lifetime_rec = context.lifetime_rec;
   if (mech_type)
diff --git a/chromium/net/http/mock_gssapi_library_posix.h b/chromium/net/http/mock_gssapi_library_posix.h
index 1488be70f02..d04ca82bb33 100644
--- a/chromium/net/http/mock_gssapi_library_posix.h
+++ b/chromium/net/http/mock_gssapi_library_posix.h
@@ -113,7 +113,7 @@ class MockGSSAPILibrary : public GSSAPILibrary {
   // Initializes the library, including any necessary dynamic libraries.
   // This is done separately from construction (which happens at startup time)
   // in order to delay work until the class is actually needed.
-  bool Init() override;
+  bool Init(const NetLogWithSource& net_log) override;
 
   // These methods match the ones in the GSSAPI library.
   OM_uint32 import_name(OM_uint32* minor_status,
@@ -128,6 +128,28 @@ class MockGSSAPILibrary : public GSSAPILibrary {
                          const gss_name_t input_name,
                          gss_buffer_t output_name_buffer,
                          gss_OID* output_name_type) override;
+
+  // These special status values can be used to trigger specific behavior in
+  // |display_status()|.
+  enum class DisplayStatusSpecials : OM_uint32 {
+    // A multiline status message.
+    MultiLine = 128,
+
+    // Multiline, execept there's no ending message.
+    InfiniteLines,
+
+    // Causes |display_status()| to fail.
+    Fail,
+
+    // Returns an empty message.
+    EmptyMessage,
+
+    // Returns successfully without modifying |status_string|.
+    UninitalizedBuffer,
+
+    // Returns a message that's invalid UTF-8.
+    InvalidUtf8
+  };
   OM_uint32 display_status(OM_uint32* minor_status,
                            OM_uint32 status_value,
                            int status_type,
@@ -181,6 +203,8 @@ class MockGSSAPILibrary : public GSSAPILibrary {
 
 }  // namespace test
 
+using MockAuthLibrary = test::MockGSSAPILibrary;
+
 }  // namespace net
 
 #endif  // NET_HTTP_MOCK_GSSAPI_LIBRARY_POSIX_H_
diff --git a/chromium/net/http/mock_http_cache.cc b/chromium/net/http/mock_http_cache.cc
index cf2ff7e28d0..3ab7e86742f 100644
--- a/chromium/net/http/mock_http_cache.cc
+++ b/chromium/net/http/mock_http_cache.cc
@@ -11,9 +11,11 @@
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
+#include "base/feature_list.h"
 #include "base/location.h"
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
+#include "net/base/features.h"
 #include "net/base/net_errors.h"
 #include "net/http/http_cache_writers.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -54,6 +56,11 @@ int GetTestModeForEntry(const std::string& key) {
   if (base::StartsWith(url, "_dk_", base::CompareCase::SENSITIVE)) {
     auto const pos = url.find(" http");
     url = url.substr(pos + 1);
+    if (base::FeatureList::IsEnabled(
+            net::features::kAppendFrameOriginToNetworkIsolationKey)) {
+      auto const pos = url.find(" http");
+      url = url.substr(pos + 1);
+    }
   }
 
   const MockTransaction* t = FindMockTransaction(GURL(url));
diff --git a/chromium/net/http/mock_sspi_library_win.h b/chromium/net/http/mock_sspi_library_win.h
index b042ebf6ca1..c0b76925c38 100644
--- a/chromium/net/http/mock_sspi_library_win.h
+++ b/chromium/net/http/mock_sspi_library_win.h
@@ -106,6 +106,8 @@ class MockSSPILibrary : public SSPILibrary {
   std::set<PSecPkgInfoW> expected_freed_packages_;
 };
 
+using MockAuthLibrary = MockSSPILibrary;
+
 }  // namespace net
 
 #endif  // NET_HTTP_MOCK_SSPI_LIBRARY_WIN_H_
diff --git a/chromium/net/http/partial_data.cc b/chromium/net/http/partial_data.cc
index fa6b488e104..e0eb396c7a3 100644
--- a/chromium/net/http/partial_data.cc
+++ b/chromium/net/http/partial_data.cc
@@ -41,8 +41,7 @@ PartialData::PartialData()
       final_range_(false),
       sparse_entry_(true),
       truncated_(false),
-      initial_validation_(false),
-      weak_factory_(this) {}
+      initial_validation_(false) {}
 
 PartialData::~PartialData() = default;
 
diff --git a/chromium/net/http/partial_data.h b/chromium/net/http/partial_data.h
index 0ca5926586c..3e8b1a406dc 100644
--- a/chromium/net/http/partial_data.h
+++ b/chromium/net/http/partial_data.h
@@ -159,7 +159,7 @@ class PartialData {
   bool truncated_;  // We have an incomplete 200 stored.
   bool initial_validation_;  // Only used for truncated entries.
   CompletionOnceCallback callback_;
-  base::WeakPtrFactory<PartialData> weak_factory_;
+  base::WeakPtrFactory<PartialData> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(PartialData);
 };
diff --git a/chromium/net/http/transport_security_persister.cc b/chromium/net/http/transport_security_persister.cc
index 804ea45d7d9..0df5a0f78e3 100644
--- a/chromium/net/http/transport_security_persister.cc
+++ b/chromium/net/http/transport_security_persister.cc
@@ -219,8 +219,7 @@ TransportSecurityPersister::TransportSecurityPersister(
     : transport_security_state_(state),
       writer_(profile_path.AppendASCII("TransportSecurity"), background_runner),
       foreground_runner_(base::ThreadTaskRunnerHandle::Get()),
-      background_runner_(background_runner),
-      weak_ptr_factory_(this) {
+      background_runner_(background_runner) {
   transport_security_state_->SetDelegate(this);
 
   base::PostTaskAndReplyWithResult(
diff --git a/chromium/net/http/transport_security_persister.h b/chromium/net/http/transport_security_persister.h
index bfc85cb336c..c8ba1d88216 100644
--- a/chromium/net/http/transport_security_persister.h
+++ b/chromium/net/http/transport_security_persister.h
@@ -131,7 +131,7 @@ class NET_EXPORT TransportSecurityPersister
   scoped_refptr<base::SequencedTaskRunner> foreground_runner_;
   scoped_refptr<base::SequencedTaskRunner> background_runner_;
 
-  base::WeakPtrFactory<TransportSecurityPersister> weak_ptr_factory_;
+  base::WeakPtrFactory<TransportSecurityPersister> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityPersister);
 };
diff --git a/chromium/net/http/transport_security_state.cc b/chromium/net/http/transport_security_state.cc
index b7a2bca7bf4..275553cd42b 100644
--- a/chromium/net/http/transport_security_state.cc
+++ b/chromium/net/http/transport_security_state.cc
@@ -218,7 +218,7 @@ std::string HashHost(const std::string& canonicalized_host) {
 bool HashesIntersect(const HashValueVector& a,
                      const HashValueVector& b) {
   for (const auto& hash : a) {
-    if (base::ContainsValue(b, hash))
+    if (base::Contains(b, hash))
       return true;
   }
   return false;
diff --git a/chromium/net/http/transport_security_state_static.json b/chromium/net/http/transport_security_state_static.json
index a249501191f..abd1519f4a1 100644
--- a/chromium/net/http/transport_security_state_static.json
+++ b/chromium/net/http/transport_security_state_static.json
@@ -2525,7 +2525,6 @@
     { "name": "bit-sentinel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bitnet.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buildkite.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "calvin.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cklie.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ckliemann.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ckliemann.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -2914,7 +2913,6 @@
     { "name": "collabornation.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloudflareonazure.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chrismckee.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cobalt.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dealbanana.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cydia-search.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dotsiam.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3435,7 +3433,6 @@
     { "name": "anfsanchezo.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bcvps.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beautykat.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bevapehappy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bouncyballs.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cafe-scientifique.org.ec", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "caveclan.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3520,7 +3517,6 @@
     { "name": "koerperimpuls.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lostinsecurity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mailinabox.email", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "malash.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "masjidtawheed.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "newodesign.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nicolaelmer.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3770,7 +3766,6 @@
     { "name": "atgseed.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "atgseed.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "authint.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "basnoslovno.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "basnoslovno.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bettrlifeapp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "billninja.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3873,7 +3868,6 @@
     { "name": "perfektesgewicht.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "perfektesgewicht.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "perplex.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pettsy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "please-deny.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pm13.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "postbox.life", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3893,7 +3887,6 @@
     { "name": "ryansmithphotography.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schnell-gold.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "selectel.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sevsopr.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "silver-heart.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slamix.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smartpolicingplatform.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4181,7 +4174,6 @@
     { "name": "jlkhosting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "juniwalk.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kiebel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kimmel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kynaston.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "larrysalibra.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lateralsecurity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4360,7 +4352,6 @@
     { "name": "dmxledlights.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "docemeldoces.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doctorwho.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "domainstaff.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dopost.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dot.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dyrenesverden.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4393,7 +4384,6 @@
     { "name": "gilly.berlin", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "globalcomix.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "globalperspectivescanada.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "goat.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gotocloud.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gpfclan.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grandmasfridge.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4882,7 +4872,6 @@
     { "name": "comitesaustria.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "consonare.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "custodyxchange.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cvursache.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyph.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyph.video", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cysec.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -5437,7 +5426,6 @@
     { "name": "realgarant-shop.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "remodela.com.ve", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "restchart.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "richmondsunlight.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rightcapital.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rolemaster.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "room208.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -5619,7 +5607,6 @@
     { "name": "basnieuwenhuizen.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beanjuice.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beardydave.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "beframed.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beinad.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "believablebook.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bely-mishka.by", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -5763,7 +5750,6 @@
     { "name": "deinballon.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dementiapraecox.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "denniskoot.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dennogumi.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dersoundhunter.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "derwolfe.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "detoxsinutritie.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -5786,7 +5772,6 @@
     { "name": "doublefun.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dovecotadmin.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "downsouthweddings.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "drahcro.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "drdevil.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "driesjtuver.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "drivenes.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -5813,7 +5798,6 @@
     { "name": "emilyhorsman.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eminovic.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "emnitech.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "endlessdark.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "enterprisey.enterprises", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eoldb.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epicwalnutcreek.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6039,7 +6023,6 @@
     { "name": "kirara.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kirschbaum.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kirstin-peters.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kisalt.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "klausimas.lt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kolaykaydet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "konata.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6285,7 +6268,6 @@
     { "name": "reachr.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "reactivarte.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "readonly.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "redmbk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rednsx.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "regionale.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "regmyr.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6316,7 +6298,6 @@
     { "name": "samifar.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "samwu.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sanglierhurlant.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sarakas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sash.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "satrent.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saturne.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6702,13 +6683,11 @@
     { "name": "enteente.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "enveloppenopmaat.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epanurse.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "erawanarifnugroho.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erotalia.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erp-band.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erp.band", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erpband.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "errolz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "estan.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esteam.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "euanbaines.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eulenleben.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7401,7 +7380,6 @@
     { "name": "adderall.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "agwa.name", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alanlee.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "anoncom.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antocom.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "atletika.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "auto-anleitung.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7456,7 +7434,6 @@
     { "name": "mediawikicn.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mikeg.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nalao-company.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nodi.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pekoe.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "php-tuning.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prytkov.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7464,7 +7441,6 @@
     { "name": "s13d.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saorsat.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sazuz.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "scotbirchfield.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sectia22.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shiftplanning.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shinju.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7579,7 +7555,6 @@
     { "name": "comparamejor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "compareandrecycle.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comparetravelinsurance.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "connectingconcepts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "contarkos.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cookinglife.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cookmedical.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7716,7 +7691,6 @@
     { "name": "jennybeaned.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jr5proxdoug.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "juhakoho.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kairion.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kaisers.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "karmaplatform.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "katekligys.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7730,7 +7704,6 @@
     { "name": "kriegt.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "krizek.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kuponrazzi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kynastonwedding.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lacentral.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ldarby.me.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7800,7 +7773,6 @@
     { "name": "olafnorge.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onmarketbookbuilds.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ononpay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oost.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "openvz.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "optumrxhealthstore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "orcamoney.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7865,7 +7837,6 @@
     { "name": "sat4all.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schont.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schwarzkopfforyou.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "selectorders.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "serveradminz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shawnh.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shoplandia.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7961,7 +7932,6 @@
     { "name": "vinilosdecorativos.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vitta.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vivaldi.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vivatv.com.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vizeat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vorodevops.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vpn.ht", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -8327,13 +8297,11 @@
     { "name": "antscript.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ao-dev.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apervita.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "api-geek.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apmg-certified.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apmg-cyber.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "app-arena.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "appdrinks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "appleoosa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "applic8.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "appointed.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "appraisal-comps.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "appreciationkards.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -8346,7 +8314,6 @@
     { "name": "arnesolutions.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arpa.ph", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arrowgrove.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "artetrama.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "artisanhd.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "artistnetwork.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arubasunsetbeach.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -8953,7 +8920,6 @@
     { "name": "foxtrot.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fragnic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fraho.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "francescopalazzo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "franckgirard.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frank.fyi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fransallen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9003,7 +8969,6 @@
     { "name": "gamingmedia.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gamingreinvented.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ganhonet.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gar-nich.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gasbarkenora.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gatapro.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gateworld.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9011,7 +8976,6 @@
     { "name": "geeq.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geli-graphics.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gemeentemolenwaard.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "generationnext.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "genyhitch.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "georgesonarthurs.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "georgmayer.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9093,7 +9057,6 @@
     { "name": "hansen.hn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hansvaneijsden.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hanu.la", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "haomwei.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "happyandrelaxeddogs.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "harmoney.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hartie95.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9108,7 +9071,6 @@
     { "name": "hd-gaming.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hdhoang.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "heartmdinstitute.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "heavensinferno.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hebikhiv.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hedgeschool.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "heinpost.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9235,7 +9197,6 @@
     { "name": "izoox.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "izzzorgconcerten.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ja-publications.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jaispirit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jaketremper.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jan27.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "janbrodda.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9503,7 +9464,6 @@
     { "name": "mein-webportal.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meincenter-meinemeinung.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meine-email-im.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "melissaadkins.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "melody-lyrics.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "melvinlow.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mensagemdaluz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9535,7 +9495,6 @@
     { "name": "missrain.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mixposure.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mizi.name", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mjcaffarattilaw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mkes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mkp-deutschland.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mktemp.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9679,7 +9638,6 @@
     { "name": "nutleyef.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nuttyveg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nwra.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nwwc.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nyip.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nzbs.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "o0o.one", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9698,7 +9656,6 @@
     { "name": "olymp-arts.world", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "omniasl.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onefour.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oneminute.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oneweb.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oneworldbank.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onguardonline.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9745,7 +9702,6 @@
     { "name": "paperwork.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paragreen.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "parentinterview.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "parentmail.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "parleu2016.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "partnerbeam.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pastaenprosecco.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -10036,7 +9992,6 @@
     { "name": "serverpedia.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "servious.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sesha.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "setphaserstostun.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "setuid.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sevenmatches.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shadowsocks.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -10167,7 +10122,6 @@
     { "name": "static.or.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stationnementdenuit.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "statuschecks.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "stealsaga.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "steidlewirt.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "steigerplank.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stevensononthe.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -10461,7 +10415,6 @@
     { "name": "warhaggis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "warhistoryonline.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "warmservers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "warped.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "watchium.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wave.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wavefrontsystemstech.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -10846,7 +10799,6 @@
     { "name": "digitaldeliarchive.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "depijl-mz.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "developerfair.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dieselgalleri.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dgt-portal.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dmcibulldog.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dinepont.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -11281,7 +11233,6 @@
     { "name": "nukute.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "numero-aleatorio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ockendenhemming.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oh14.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ojls.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ons.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onearth.one", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -11331,7 +11282,6 @@
     { "name": "pokeinthe.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pixi.chat", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pocketsix.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "playflick.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "poris.web.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "portercup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pornstars.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -11721,12 +11671,10 @@
     { "name": "agotnes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aistockcharts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ajmahal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "akovana.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "akvorrat.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alecrust.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aljaspod.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aljaspod.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alkel.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allmystery.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alltubedownload.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alternativet.party", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -11844,7 +11792,6 @@
     { "name": "danieliancu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "danielthompson.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "danielvoogsgerd.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "danny.fm", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "darcymarshall.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "darth-sonic.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "davidadrian.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -11991,7 +11938,6 @@
     { "name": "howtocuremysciatica.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hpbn.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hsts-preload-test.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "iftrue.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ime.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imitza.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "immunicity.date", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -12417,10 +12363,7 @@
     { "name": "yoga-prive.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yooooex.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "youngandunited.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "youran.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yoyoost.duckdns.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ytec.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "yukontec.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yux.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "z3liff.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "z3liff.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -12480,7 +12423,6 @@
     { "name": "addtoany.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adfa-1.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adhoc.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "adonnante.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "advocatenalkmaar.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adxperience.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aerialmediapro.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -12689,7 +12631,6 @@
     { "name": "cheapticket.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chelseafs.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chennien.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cherryonit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chicisimo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "choiralberta.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chourishi-shigoto.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13117,7 +13058,6 @@
     { "name": "ironcarnival.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "isbc-telecom.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "isdf.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "isgp-studies.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "istgame.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "istherrienstillcoach.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "it-rotter.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13193,7 +13133,6 @@
     { "name": "kartec.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kasadara.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kashmirobserver.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kat.al", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kateduggan.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kati-raumplaner.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "katproxy.al", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13224,7 +13163,6 @@
     { "name": "kncg.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "knthost.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "koethen-markt.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "koldanews.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "komidoc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kommune42.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "konkurs.ba", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13236,7 +13174,6 @@
     { "name": "kundenerreichen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kundenerreichen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kuschku.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kutukupret.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kwok.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kyliehunt.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kyy.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13273,7 +13210,6 @@
     { "name": "lew.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "liaoshuma.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lichess.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "liduan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lightarmory.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lightcloud.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "likeablehub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13396,15 +13332,12 @@
     { "name": "mutuals.cool", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "muusikoiden.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mwba.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "my-hps.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myadself.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "myfedloan.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myfrenchtattoo.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mygpsite.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myimmitracker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mymotor.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mypaperwriter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "myptsite.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myrepublic.co.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myschoolphoto.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mythengay.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13810,7 +13743,6 @@
     { "name": "streetspotr.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "studiomarcella.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "suborbital.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "subsys.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sudoschool.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "suitocracy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "superpase.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13907,7 +13839,6 @@
     { "name": "treinaweb.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tributh.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tripcombi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "trueinstincts.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tsuyuzakihiroyuki.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tts.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ttt.tt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14223,7 +14154,6 @@
     { "name": "borderlinegroup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "awaremi-tai.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bewerbungsfibel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "besnik.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bemsoft.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bluebill.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beyondalderaan.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14602,11 +14532,9 @@
     { "name": "endohaus.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fuvpn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ff-obersunzing-niedersunzing.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "film.photos", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fnzc.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "galardi.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "garden.trade", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "frdl.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fwei.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gdv.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ezhik-din.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14707,7 +14635,6 @@
     { "name": "heiland.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "glitzmirror.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hanimalis.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hillcity.org.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hokieprivacy.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gyu-raku.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hans-natur.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14864,7 +14791,6 @@
     { "name": "kovnsk.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kamikatse.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kpumuk.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jankoepsel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kisa.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kennethaasan.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kaela.design", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14940,7 +14866,6 @@
     { "name": "limiteddata.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lim-light.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lirion.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "legendary.camera", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leanplando.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lacicloud.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "librends.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -15138,7 +15063,6 @@
     { "name": "notify.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nabu-bad-nauheim.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nitropur.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mustardking.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nossasenhoradaconceicao.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "montand.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oauth-dropins.appspot.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -15321,7 +15245,6 @@
     { "name": "radreisetraumtreibstoff.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "randomkoalafacts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rapidshit.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "radionicabg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "randomprecision.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "quantum-cloud.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pretzlaff.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16010,7 +15933,6 @@
     { "name": "bandiga.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chxdf.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "breckle.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cnwage.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bmros.com.ar", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "clickclock.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "christensenplace.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16072,7 +15994,6 @@
     { "name": "clubeohara.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "curtissmith.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "curtis-smith.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "danbarrett.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cleanmta.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bityes.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "correct.horse", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16147,7 +16068,6 @@
     { "name": "elliotgluck.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ebiografia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dinmtb.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dianefriedli.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ebiografias.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dronexpertos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doyoulyft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16219,7 +16139,6 @@
     { "name": "f1minute.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "factbytefactbox.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ewuchuan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "favorit.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eve0s.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "defi-metiers.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "f1bigpicture.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16280,7 +16199,6 @@
     { "name": "forcewave.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "flurrybridge.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "godrive.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fotoallerlei.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geofox.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fuechschen.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gamingwithcromulent.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16298,7 +16216,6 @@
     { "name": "glasfaser-im-hanseviertel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "greger.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fwww7.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gzitech.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "espanova.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "getsecure.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grupopgn.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16604,7 +16521,6 @@
     { "name": "minitruckin.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meincloudspeicher.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "migrator.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "medzinenews.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mimemo.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "medialab.nrw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "miguelmoura.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16690,7 +16606,6 @@
     { "name": "ofda.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "olanderflorist.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "noclegi-online.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "monpc-pro.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "norrkemi.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oldoakflorist.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "opic.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -17110,7 +17025,6 @@
     { "name": "wirsol.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xtom.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wyday.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wv-n.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yabrt.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xilkoi.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webtechgadgetry.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -17293,7 +17207,6 @@
     { "name": "aov.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anita-mukorom.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arewedubstepyet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "antikvariat.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arados.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "artlifeisgood.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aschaefer.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -17599,7 +17512,6 @@
     { "name": "creepypastas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "csmainframe.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cryptoshot.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "creativeliquid.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "codedump.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "countryoutlaws.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "codebrahma.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -17644,7 +17556,6 @@
     { "name": "cranems.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "david-pearce.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cube-cloud.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "danwillenberg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cornishcamels.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cubecart-demo.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cuni-cuni-club.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -17841,7 +17752,6 @@
     { "name": "exhalespa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "estcequonmetenprodaujourdhui.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "facebook.ax", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ecolesrec.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eganassociates.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "escapeplaza.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evafojtova.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18016,7 +17926,6 @@
     { "name": "hannah.link", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hac30.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hakugin.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "guideo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "getpublii.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hiltonhyland.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "habtium.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18287,7 +18196,6 @@
     { "name": "knaake.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kgnk.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "knapp.noip.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kristjanrang.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kohlistkool.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "klempnershop.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kprog.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18339,7 +18247,6 @@
     { "name": "lifanov.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lemuslimpost.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lel.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kids-at-home.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kuaza.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lijero.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lexicography.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18613,7 +18520,6 @@
     { "name": "nootropic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "neartothesky.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "normaculta.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nicolas-hoffmann.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mystown.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mutuelle-obligatoire-pme.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nexusconnectinternational.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18931,7 +18837,6 @@
     { "name": "schwarztrade.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scoolcode.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sciencemonster.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "seccom.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pchospital.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "serverlauget.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "security-thoughts.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18963,7 +18868,6 @@
     { "name": "shang-yu.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shiftdevices.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "snekchat.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "smartwelve.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seobot.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smartcheck.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "salmonvision.com.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19290,7 +19194,6 @@
     { "name": "valeriansaliou.name", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viosey.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vorangerie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vldkn.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "visikom.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vicenage.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vodpay.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19338,7 +19241,6 @@
     { "name": "ujob.com.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "whistleblower.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vjeff.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "unquote.li", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "voodoochile.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webcontentspinning.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vbazile.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19403,7 +19305,6 @@
     { "name": "wereldplanner.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "worldeventscalendars.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wmawri.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "yukonconnector.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wiz.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zao.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--rdiger-kuhlmann-zvb.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19553,8 +19454,6 @@
     { "name": "akalashnikov.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "advokat-romanov.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "a-ix.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "2bcompany.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "abimelec.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alibip.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "akkadia.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aolabs.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19595,15 +19494,12 @@
     { "name": "120dayweightloss.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "altunbas.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrew.london", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "airmail.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ansas.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "appdb.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aocast.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aidhan.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "appartement-andrea.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andruvision.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alca31.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alainbaechlerphotography.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ashleyfoley.photography", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "2krueger.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "247quickbooks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19628,7 +19524,6 @@
     { "name": "ares-trading.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "astraalivankila.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "archivesdelavieordinaire.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "antcas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "armleads.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arcusnova.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "abeontech.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19636,7 +19531,6 @@
     { "name": "aristilabs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "araleeniken.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "azrazalea.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "apef.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "attilavandervelde.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ato4sound.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arthur.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19650,10 +19544,8 @@
     { "name": "backterris.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "awan.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "amlvfs.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "arteshow.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "artstopinc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "azamra.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ans-ge.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ayahuascaadvisor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asseenfromthesidecar.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bankstownapartments.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19692,7 +19584,6 @@
     { "name": "bashstreetband.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "2048-spiel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "avi9526.pp.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "automotivegroup-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bandito.re", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aquilalab.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "automobiles5.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19703,7 +19594,6 @@
     { "name": "agridir.site", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asepms.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ac-epmservices.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "arveron.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bbwteens.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "begabungsfoerderung.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "betseybuckheit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19725,7 +19615,6 @@
     { "name": "bebetrotteur.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biswas.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bitplay.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "artisans-libres.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bitbucket.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bey.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bitbucket.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19742,7 +19631,6 @@
     { "name": "belgien.guide", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bergland-seefeld.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bernat.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aubonmanger.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blinking.link", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bina.az", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bodygearguide.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19758,7 +19646,6 @@
     { "name": "blockxit.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "berdu.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blechinger.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bauthier-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "battle-game.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "boldmediagroup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "betterscience.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19766,7 +19653,6 @@
     { "name": "bolwerk.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blacknetwork.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bazziergraphik.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bch7al.ma", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bienoubien.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brando753.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bruun.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19777,14 +19663,12 @@
     { "name": "bestfitnesswatchreview.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blogaid.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "burke.services", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "batlab.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "board-buy.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blumen-garage.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "benjakesjohnson.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blogconcours.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "black.host", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blogabout.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "biscoint.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "boss.az", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biovalue.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "britneyclause.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19872,7 +19756,6 @@
     { "name": "chatxtutti.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chriswbarry.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ccl-sti.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cantatio.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chocolatesandhealth.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "canlidoviz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatt-gratis.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19898,7 +19781,6 @@
     { "name": "bitcoinrealestate.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "charlotte-touati.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloudservice.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chantalguggenbuhl.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cocinoyo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chytraauta.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "backintomotionphysiotherapy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19944,7 +19826,6 @@
     { "name": "corderoscleaning.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cmso-cal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cernega.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "coinpit.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coolrc.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "commoncode.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "common.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19952,7 +19833,6 @@
     { "name": "commoncode.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "childrendeservebetter.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "citylights.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cinq-elements.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cpy.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crge.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crackslut.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19990,7 +19870,6 @@
     { "name": "cynoshair.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crecket.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "csgf.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cotwe-ge.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dearfcc.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conkret.mobi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "data.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20032,7 +19911,6 @@
     { "name": "dflcares.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "denimtoday.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "darkeststar.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "csp.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diccionariodedudas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dieser.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "das-tyrol.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20085,7 +19963,6 @@
     { "name": "driverless.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dreamlighteyeserum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dtub.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "curieux.digital", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dochitaceahlau.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diversityflags.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "domprojects.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20108,12 +19985,10 @@
     { "name": "duckbase.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doska.by", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "csgoshifter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "demarle.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dracisvet.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "educationevolving.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dprb.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doli.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "didche.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doclassworks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ebooki.eu.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eickhofcolumbaria.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20139,7 +20014,6 @@
     { "name": "elektro-pfeiffer.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elektro-hornetz.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deadmann.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "diegogelin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "effdocs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ehazi.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ec-baran.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20172,7 +20046,6 @@
     { "name": "elektrokarges.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eichel.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eprofitacademy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dzeina.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epickitty.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "emanga.su", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etk2000.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20180,7 +20053,6 @@
     { "name": "ellemental.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evades.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "envant.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "domainedemiolan.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erudicia.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ejdv-anmeldung.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elektro-stock.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20221,14 +20093,12 @@
     { "name": "europeantransportmanagement.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fabianackle.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eurora.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ecole-attalens.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ewanm89.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eupay.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "europapier.bg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eutram.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ewanm89.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evergladesrestoration.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "esafar.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esquisse.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "euroscot.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fearghus.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20239,7 +20109,6 @@
     { "name": "femdombbw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "expokohler.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "femaledom.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fed51.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "felicifia.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fashionunited.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erasmusplusrooms.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20269,7 +20138,6 @@
     { "name": "firegoby.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "filme-online.eu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fliptable.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "eyes-berg.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "filebox.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fight215.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fight215.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20410,7 +20278,6 @@
     { "name": "grekland.guide", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hashidays.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grapholio.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ggl-luzern.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guyot-tech.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guge.gq", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gotoxy.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20468,7 +20335,6 @@
     { "name": "hosts.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "higilopocht.li", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hitter.family", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hec-espace-entreprise.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hotartup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "heello.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gers-authentique.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20514,10 +20380,8 @@
     { "name": "huirongis.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hoowhen.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ic-lighting.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hopconseils.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hosyaku.gr.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "idealmykonos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hopconseils.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hugi.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hotel-huberhof.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ih8sn0w.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20544,7 +20408,6 @@
     { "name": "hypothecairelening.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hyphenpda.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "illich.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "iceberg.academy", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imaginarymakings.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ifsclist.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "infosoph.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20598,7 +20461,6 @@
     { "name": "iplife.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jake.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iteke.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "infirmieredevie.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iteke.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "javascriptlab.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jeff.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20638,7 +20500,6 @@
     { "name": "idinby.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "how2fsbo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joshuajohnson.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ipura.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jomo.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jncie.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jonscaife.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20666,7 +20527,6 @@
     { "name": "keypersonins.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kaketalk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frodriguez.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jlr-luxembourg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kayscs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "johncardell.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joseetesser.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20746,7 +20606,6 @@
     { "name": "koha.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jichi.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "laredsemanario.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "julienpaterne.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kuponydoher.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "learnedhacker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kowalmik.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20809,7 +20668,6 @@
     { "name": "lowson.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lostwithdan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lilapmedia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "laclaque.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "isognattori.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lilyfarmfreshskincare.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lbarrios.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20827,10 +20685,8 @@
     { "name": "logitel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "londoncalling.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kingpincages.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lapparente-aise.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "linux-mint-czech.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lifeqa.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lghfinancialstrategy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "locksport.org.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "likemovies.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lovelyfriends.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20848,7 +20704,6 @@
     { "name": "mamadea.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "loyaltech.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "load-ev.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lesmamy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lyngvaer.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "koelbli.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lotos-ag.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20856,7 +20711,6 @@
     { "name": "magictable.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lotw.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maceinturecuir.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "luc-oberson.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "majahoidja.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "madoka.nu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "langkahteduh.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20913,15 +20767,12 @@
     { "name": "mikusinec.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mensagensperfeitas.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mileme.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "margecommunication.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mikk.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mimobile.website", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mbeo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mdosch.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mendy.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mfedderke.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "menaraannonces.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "malysvet.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "memoryex.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meshotes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lifenexto.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20932,7 +20783,6 @@
     { "name": "minnesotamathcorps.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meinezwangsversteigerung.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minnesotareadingcorps.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "maze.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "michalspacek.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meteosmit.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mitior.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20979,7 +20829,6 @@
     { "name": "morpheusx.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mannford.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mrd.ninja", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mind-box.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mygrotto.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mode-marine.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "macsandcheesedreams.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21012,7 +20861,6 @@
     { "name": "nbari.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "necessaryandproportionate.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "necessaryandproportionate.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "monsieursavon.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mikkelvej.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mycr.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mystic-welten.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21037,9 +20885,7 @@
     { "name": "monpermismoto.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "navitime.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myweb360.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mon22.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nalepky-na-zed.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "modemaille.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mytripcar.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nagios.by", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nesolabs.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21062,7 +20908,6 @@
     { "name": "netdex.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "murz.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "neoclick.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nexthop.co.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nidsuber.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "noncombatant.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nellen.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21076,7 +20921,6 @@
     { "name": "netapps.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nginxyii.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "numbercult.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nexthop.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nylonfeetporn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nyanpasu.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "neolaudia.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21093,7 +20937,6 @@
     { "name": "ntzwrk.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "noexec.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nstd.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "newcityinfo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ngvf.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "netguide.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nitrokey.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21109,10 +20952,8 @@
     { "name": "odinkapital.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "northeastcdc.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mardelcupon.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ninofink.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nu3tion.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oceanvisuals.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nezrouge-geneve.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "newcityinfo.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "olback.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "one-tab.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21127,7 +20968,6 @@
     { "name": "offgames.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "musehelix.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ohyooo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "newcitystudio.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nstremsdoerfer.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "optimalsetup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "openrealestate.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21147,7 +20987,6 @@
     { "name": "neyer-lorenz.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "openconcept.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "olightstore.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nova-dess.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nuiguru.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paigeglass.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nosbenevolesontdutalent.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21270,7 +21109,6 @@
     { "name": "planktonholland.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "premiership-predictors.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pikeitservices.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "philia-sa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "proxybay.eu.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "projectte.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pseudo.coffee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21290,7 +21128,6 @@
     { "name": "projectsecretidentity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pkov.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pianetaottica.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pianetaottica.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pianetaottica.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pianetaottica.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "privasphere.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21298,10 +21135,8 @@
     { "name": "promocao.email", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pizzadoc.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "qetic.co.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "physiovesenaz.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pianetaottica.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "r3nt3r.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pex.digital", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "profinetz.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prostohobby.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "radiomodem.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21355,7 +21190,6 @@
     { "name": "richonrails.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "respectmyprivacy.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "remonttitekniikka.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "polletmera.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "proteinnuts.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rechtsanwalt-koeppen-feucht.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "qirinus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21408,7 +21242,6 @@
     { "name": "safe.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "romarin.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "reinaldudrasfamily.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "roseliere.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rugs.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rodevlaggen.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "robert-flynn.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21416,10 +21249,8 @@
     { "name": "sanatorionosti.com.ar", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "roelsworld.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rozeapp.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rlds.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "restaurant-rosengarten.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rotex1840.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "roseliere.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rumtaste.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rumtaste.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "psicologoforensemadrid.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21494,7 +21325,6 @@
     { "name": "scriptenforcer.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shadowsocks.com.hk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schadevergoedingen.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "salmotierra-salvatierra.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "securita.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shootpooloklahoma.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "security.xn--q9jyb4c", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21512,7 +21342,6 @@
     { "name": "shipmile.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shitposts.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saumondefrance.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "seeclop.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shirosaki.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saumon-france.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "securitybrief.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21627,7 +21456,6 @@
     { "name": "studiograou.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "super-radiant-skin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "super-ripped-power.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sinergy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "super-slim-coffee.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stern.koeln", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "streklhof.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21639,7 +21467,6 @@
     { "name": "tallcraft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sunfox.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stellarium-gornergrat.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "suggestim.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sweharris.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stampederadon.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "superlandnetwork.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21698,7 +21525,6 @@
     { "name": "tech-director.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tempo.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thcpbees.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "systemeprod.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thamesfamilydentistry.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "testbirds.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thefutureharrills.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21780,9 +21606,7 @@
     { "name": "trinary.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tmtradingmorocco.ma", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "too.gy", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "therapysxm.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "trafficmanager.xxx", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tir-pistolet-chexbres.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "top10mountainbikes.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thedailyupvote.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tretail.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21881,7 +21705,6 @@
     { "name": "weils.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vinarstvimodryhrozen.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thesocialmediacentral.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "urbalex.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vsestiralnie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vasileruscior.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vitaminler.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21908,7 +21731,6 @@
     { "name": "we-run-linux.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webuni.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "we-use-linux.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "valoremtax.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "winbuzzer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "windholz.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "windwoodmedia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21920,7 +21742,6 @@
     { "name": "vrijstaandhuis-in-alphen-aan-den-rijn-kopen.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "treasuredinheritanceministry.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "whoneedstobeprimaried.today", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "valorem-tax.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "walkhighlandsandislands.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wifimapa.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ts-publishers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21932,7 +21753,6 @@
     { "name": "wisper.net.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tpolemis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wimbo.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "weidmannfibertechnology.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wilhelm-nathan.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "worldsgreatestazuredemo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wheatley.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21944,7 +21764,6 @@
     { "name": "visaop.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wonderbill.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xkcd.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whitefm.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "willeminfo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wpblog.com.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wissl.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21957,7 +21776,6 @@
     { "name": "x69.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "winter-elektro.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wsyy.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "weemakers.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xgn.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wsb-immo.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xhadius.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21985,10 +21803,7 @@
     { "name": "xn--90accgba6bldkcbb7a.xn--p1acf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xninja.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "youdungoofd.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wheelwork.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--d1acj9c.xn--90ais", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "xn--roselire-60a.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "xn--roselire-60a.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yukonrefugees.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yubi.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zeds-official.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22018,7 +21833,6 @@
     { "name": "zrt.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yoimise.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yama.su", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whyopencomputing.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zuzumba.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zigi.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yourgames.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22047,12 +21861,9 @@
     { "name": "xpenology-fr.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yin.roma.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xperiacodes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whyopencomputing.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wyssmuller.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zenwears.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "watermonitor.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yugege.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tirs4ne.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zenfusion.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "0c3.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "0x00ff00ff.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22068,7 +21879,6 @@
     { "name": "3ags.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3chat.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3dproteinimaging.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "762.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "9651678.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "a3workshop.swiss", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "abdullah.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22111,7 +21921,6 @@
     { "name": "anthony-rouanet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antipa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antoined.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "antoineschaller.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antragsgruen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apartmanicg.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apila.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22233,7 +22042,6 @@
     { "name": "cdburnerxp.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "censurfridns.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "censurfridns.nu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "centos.pub", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "certificatedetails.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cf-ide.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chancat.blog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22241,7 +22049,6 @@
     { "name": "chat40.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatfacile.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatt-gratis.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cherrett.digital", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chiaseeds24.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chorkley.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chorkley.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22262,7 +22069,6 @@
     { "name": "classics.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "click-licht.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cmweller.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cock.li", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coconutoil24.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "code.taxi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "colaborativa.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22284,9 +22090,7 @@
     { "name": "creativeink.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "creators-design.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "creerunsitepro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cretdupuy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cristarta.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "croixblanche-haguenau.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cryoit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "csvalpha.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyberdos.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22318,7 +22122,6 @@
     { "name": "destinationsofnewyorkstate.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "develop.fitness", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "devpgsv.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dhconcept.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dicando.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diegorbaquero.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diemattels.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22343,7 +22146,6 @@
     { "name": "dragonsmoke.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dreiweiden.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "drheibel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "drone-it.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "drostschocolates.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dugunedavet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "duongpho.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22353,7 +22155,6 @@
     { "name": "earlyyearshub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eattherich.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edisonnissanparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "egami.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "einheft.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "einsatzstiefel.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ekedp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22374,7 +22175,6 @@
     { "name": "evtripping.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ewus.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "exousiakaidunamis.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "eyes-berg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ezgif.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faderweb.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faldoria.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22387,7 +22187,6 @@
     { "name": "feastr.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "feedstringer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "felixkauer.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "feng.si", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ferdies.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ffprofile.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "figura.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22420,7 +22219,6 @@
     { "name": "fruchtikus.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fuckcf.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fullytrained.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fundeego.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fuorifuocogenova.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "futurope.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "g10e.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22435,8 +22233,6 @@
     { "name": "gearev.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geekzone.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gelb-computer.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "georgiastuartyoga.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "geschenkly.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gfk-kunststoff-luebben.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ghislainphu.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gianlucapartengo.photography", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22444,7 +22240,6 @@
     { "name": "giochi-online.ws", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "girlan.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "glamour4you.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "glloq.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "globalhorses.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "globalinsights.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gloucesterphotographer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22456,12 +22251,10 @@
     { "name": "gradsm-ci.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gratis-app.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grettogeek.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "groepjam-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grow-shop.lv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grusenmeyer.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gtcprojects.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guesthouse-namaste.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "guide-peche-cantal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guim.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guineafruitcorp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gulleyperformancecenter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22491,7 +22284,6 @@
     { "name": "hrabogados.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hs-arbeitsschutz.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hukkatavara.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hydroturbine.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hypothes.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ibcmed.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "icecars.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22505,7 +22297,6 @@
     { "name": "immobilien-badlippspringe.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "impactfestival.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inceptionradionetwork.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ineardisplay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "infinitioflynnwoodparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "infopagina.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "informaticapremium.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22513,7 +22304,6 @@
     { "name": "inobun.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "internetaanbieders.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "intl-webs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "intmissioncenter.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iojo.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iostream.by", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ipfirebox.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22545,7 +22335,6 @@
     { "name": "johnroberts.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jongha.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joshua-kuepper.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "juls.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "justgalak.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "justinellingwood.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jwatt.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22571,7 +22360,6 @@
     { "name": "kiesuwkerstkaart.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "killerit.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kipin.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kitbag.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kmashworth.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kniga.market", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kolkataflowermall.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22582,12 +22370,10 @@
     { "name": "kusdaryanto.web.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "l0re.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lambauer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lancyvbc.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "land-links.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lanna.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lasrecetasdeguada.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lastrada-minden.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lausannedentiste.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "law-peters.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lawrence-institute.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leafandseed.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22599,9 +22385,7 @@
     { "name": "legiscontabilidade.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "legland.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lemon.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lepsos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "les-voitures-electriques.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lespagesweb.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "letteringinstitute.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "levensbron.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leveredge.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22646,7 +22430,6 @@
     { "name": "maxibanki.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maximdens.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maximiliankaul.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "maximov.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maxkaul.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "may24.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mbs-journey.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22681,7 +22464,6 @@
     { "name": "mistybox.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "miyako-kyoto.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mk89.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mkimage.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mo.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mobilebay.top", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mobileritelushi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22711,7 +22493,6 @@
     { "name": "nadelholzkulturen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nagel-dentaltechnik.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nakama.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nakandya.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nanpuyue.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nasmocopati.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nasralmabrooka.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22724,7 +22505,6 @@
     { "name": "neonnuke.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nepovolenainternetovahazardnihra.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "net-navi.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "netto-service.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "newspsychology.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nfz.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "niagara.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22749,7 +22529,6 @@
     { "name": "nyored.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "o3.wf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "object.earth", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ocim.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oklahomamoversassociation.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onee3.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ontheten.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22870,7 +22649,6 @@
     { "name": "scriptgates.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sebastian-janich.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "secondbyte.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "secretsanta.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "section-31.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "secwise.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seeworkdone.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22943,11 +22721,8 @@
     { "name": "studport.rv.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stuka-art.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stuvel.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "suprem.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "suprem.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "svennd.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "swd.agency", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "swissfreshaircan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "swu.party", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "syleam.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "symphonos.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22961,7 +22736,6 @@
     { "name": "tdfbfoundation.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "teamcombat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "teammathics.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tec3000.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tech-blog.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "telefon.report", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "testbirds.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23049,7 +22823,6 @@
     { "name": "vacuumpump.co.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vadodesign.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "valesdigital.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "valoremtax.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vandeput.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vaphone.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vawebsite.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23081,10 +22854,8 @@
     { "name": "witneywaterpolo.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wlci.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wmkowa.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wohnbegleitung.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wolfram.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wollekorb.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "women-only.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wpsharks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wstx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wxh.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23119,7 +22890,6 @@
     { "name": "yubikey.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yubikey.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yubiking.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "yveslegendre.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yyc.city", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zahyantechnologies.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zamos.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23183,7 +22953,6 @@
     { "name": "379700.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "393335.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3circlefunding.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "3cs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3dcart.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3dprintsondemand.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3haeuserprojekt.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23198,7 +22967,6 @@
     { "name": "4freepress.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "4hvac.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "4plebs.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "4u.services", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "5c1fd0f31022cbc40af9f785847baaf9.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "64616e.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "6541166.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23253,10 +23021,8 @@
     { "name": "absolutewaterproofingsolutions.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ac-admin.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "academytv.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "acbrussels-used.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "accentthailand.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "accesloges.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "accessauto-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "acecerts.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "acerislaw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "achterhoekseveiligheidsbeurs.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23296,15 +23062,12 @@
     { "name": "aheng.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ahlaejaba.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aicial.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aiden.link", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aikido-club-limburg.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aiponne.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "air-shots.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "airdur.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "airicy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "airplayradio.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "airpurifierproductsonline.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aiutodomestico.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aixxe.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ajarope.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ajces.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23329,7 +23092,6 @@
     { "name": "aliwebstore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aljammaz.holdings", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aljmz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "allaboutbelgaum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allamericanmuslim.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allcovered.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allensun.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23361,7 +23123,6 @@
     { "name": "amorim.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "analgesia.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ancientcraft.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ancolies-andre.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrerose.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrespaz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andreundnina.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23391,7 +23152,6 @@
     { "name": "anon-next.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anongoth.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anothermilan.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ansermet.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ansgar-sonntag.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ansgarsonntag.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anti-bible.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23402,7 +23162,6 @@
     { "name": "anymetrix.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anyon.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aozora.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ap-swiss.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apertis.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apila.care", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aplikaceproandroid.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23438,14 +23197,10 @@
     { "name": "ashleakunowski.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ashleyadum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asperti.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "assguidesporrentruy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "astenretail.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "astronomie-fulda.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "asvsa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "at-one.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "at1.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ateliersantgervasi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "atgoetschel.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "athena-bartholdi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "atkdesign.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "atlantareroof.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23459,15 +23214,12 @@
     { "name": "auri.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aurora-terraria.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aurorarecordings.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ausec.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "austinmobilemechanics.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "authinfo-bestellen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "author24.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "autoecolebudget.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "auxquatrevents.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "averen.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "avonlearningcampus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "avpres.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "avtoforex.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "awei.pub", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "awningsaboveus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23476,7 +23228,6 @@
     { "name": "axtux.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ayothemes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ayuru.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ayurveda-mantry.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "azia.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "b-b-law.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "b-pi.duckdns.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23490,7 +23241,6 @@
     { "name": "badam.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bakaproxy.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bakim.li", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "balatoni-nyar.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "balnearionaturaspa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bals.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "banburybid.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23498,7 +23248,6 @@
     { "name": "banri.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "baptistboard.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bariller.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "baripedia.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "baropkamp.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "barracuda.blog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "barracuda.com.tr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23515,11 +23264,9 @@
     { "name": "bayerstefan.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bayherbalist.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bazisszoftver.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bbgeschenke.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bbimarketing.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bbkworldwide.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bbrinck.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bcbulle.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bcpc-ccgpfcheminots.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beadare.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beagreenbean.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23542,9 +23289,6 @@
     { "name": "benjaminjurke.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "benleemd.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "benscobie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bernardcontainers.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bersierservices.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bersotavocats.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bertholdsson.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bertoliniodontoiatria.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "best10websitebuilders.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23576,7 +23320,6 @@
     { "name": "biohappiness.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biomax-mep.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biometrics.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "biosafe.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bioshine.com.sg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "birbaumer.li", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "birkengarten.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23592,7 +23335,6 @@
     { "name": "bitmainwarranty.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bitrush.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bixservice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bizeau.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bizniskatalog.mk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bizzi.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blackdiam.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23615,7 +23357,6 @@
     { "name": "bluteklab.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blutopia.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bnty.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bobazar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bobep.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "boboates.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bogdanepureanu.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23651,11 +23392,7 @@
     { "name": "brahmins.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "braiampeguero.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brain-force.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brainserve.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brainserve.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brainserve.swiss", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brainvoyagermusic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brandcodestyle.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brasal.ma", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brasserie-mino.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brasspipedreams.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23671,7 +23408,6 @@
     { "name": "britishmeat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brodowski.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brompton-cocktail.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brouillard.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bruna-cdn.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bs-network.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bsdracing.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23683,7 +23419,6 @@
     { "name": "buckypaper.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buildingcostestimators.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bulkingtime.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bulledair-savons.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bullettags.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bullterrier.nu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bunadarbankinn.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23694,7 +23429,6 @@
     { "name": "burrowingsec.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buryat-mongol.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bushbaby.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "buxum-communication.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buyerdocs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "byronr.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bytes.fyi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23712,7 +23446,6 @@
     { "name": "campula.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "campuswire.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "campwabashi.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "canada-tourisme.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "canadiantouristboard.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "candidasa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "candygirl.shop", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23736,7 +23469,6 @@
     { "name": "casburggraaf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cashless.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "casinolegal.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cassimo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "castlecms.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catalin.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catbold.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23751,15 +23483,12 @@
     { "name": "ce-pimkie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cebz.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cecilwalker.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cedriccassimo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cedriccassimo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ceebee.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cefak.org.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "centerpoint.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "centruvechisv.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cerber.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cert.or.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cgbassurances.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cgsshelper.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chaisystems.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chalker.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23779,7 +23508,6 @@
     { "name": "charp.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chaseganey.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chateau-de-lisle.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chateaudestrainchamps.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatint.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatu.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatu.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23814,7 +23542,6 @@
     { "name": "cira.email", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "circ-logic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "citymoobel.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "citysportapp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cityworksonline.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "civillines.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cjtkfan.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23844,7 +23571,6 @@
     { "name": "cnetw.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "co-driversphoto.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "co-factor.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "coaching-impulse.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coalitionministries.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cobrax.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "code-digsite.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23894,7 +23620,6 @@
     { "name": "complt.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "computerassistance.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "computertal.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "concept-web.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conception.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "congz.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conservatoriesincornwall.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23916,7 +23641,6 @@
     { "name": "corsa-b.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cosplayer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "costow.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "counstellor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "countrybrewer.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "course.pp.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "courseworkbank.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23931,24 +23655,18 @@
     { "name": "craftination.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crandall.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crdmendoza.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "crea-etc.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "crea-shops.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "creadstudy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "createursdefilms.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "creations-edita.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "creativesurvey.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "creators.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "credex.bg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "creepycraft.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "crepa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "creusalp.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crisissurvivalspecialists.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cristianhares.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crizin.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "croco.vision", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crop-alert.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "croquette.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "crossorig.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cruzeiropedia.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cryothanasia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crypted.chat", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23967,7 +23685,6 @@
     { "name": "curveprotect.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "customwritings.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cutimbo.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cve-le-carrousel.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cvninja.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cwrcoding.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyber-computer.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24003,7 +23720,6 @@
     { "name": "darinkotter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "darkengine.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dartsdon.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "datalysis.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "datovyaudit.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dave-pearce.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "davecardwell.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24021,12 +23737,10 @@
     { "name": "dcaracing.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dccraft.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deanosplace.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "debie-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "debtprotectionreporting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "decidetreatment.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "decodeanddestroy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "decormiernissanparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "decrousaz-ceramique.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deepvision.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "defrax.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "defrax.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24049,9 +23763,6 @@
     { "name": "desmo.gg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "despotika.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "det-te.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "detecte-fuite.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "detecte.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "detectefuite.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "detroit-english.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dev-aegon.azurewebsites.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "develop.cool", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24098,7 +23809,6 @@
     { "name": "docabo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doclot.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "docxtemplater.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dofuspvp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dolorism.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "domain-ermittlung.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "domenicocatelli.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24145,7 +23855,6 @@
     { "name": "dylanknoll.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dynamicyou.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dynastic.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dynn.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dynorphin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dynorphins.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dysthymia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24164,8 +23873,6 @@
     { "name": "ebayinc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ebooksgratuits.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecelembrou.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ecoccinelles.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ecoccinelles.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecodigital.social", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecolala.my", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "econativa.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24238,8 +23945,6 @@
     { "name": "esh.ink", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eskdale.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "espo.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "espritrait.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "essencesdeprana.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etenendrinken.nu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etherpad.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etys.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24284,10 +23989,8 @@
     { "name": "expressmarket.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eyecandy.gr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eyeglasses.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "f1classement.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "f42.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "f5nu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fabriceleroux.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fabriko.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "facciadastile.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "facealacrise.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24296,9 +23999,7 @@
     { "name": "falkhusemann.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "falkus.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fame-agency.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "familiaperez.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "familyreal.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fanfareunion.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fanflow.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fantasticgardenersmelbourne.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fantastichandymanmelbourne.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24325,7 +24026,6 @@
     { "name": "fhsseniormens.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ficklenote.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fickweiler.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fiduciaire-ratio.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fifichachnil.paris", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "figura.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "file-cloud.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24367,25 +24067,19 @@
     { "name": "flyingrub.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fmapplication.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fminsight.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fmodoux.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "foairbus.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "foairbussas.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "focusministries1.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fokan.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fol.tf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "foodattitude.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "forcamp.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "forces.army", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "foregroundweb.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "foreverssl.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "formation-assureur.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "formation-mac.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "formersessalaries.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "forrestheller.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "forsyththeatre.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fortress.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "forty8creates.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "forvisualdesign.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "foryourhealthybody.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fosdem.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fossgruppen.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24413,23 +24107,17 @@
     { "name": "freifunk-in-solingen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "freifunk-lindlar.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "freifunk-remscheid.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "frequencebanane.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "freshdesigns.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "freshmaza.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "friedrich-foto-art.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "friedsamphotography.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "frigi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frinkiac.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "front-end.dog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frontline6.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frugalmechanic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frumious.fyi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fsckd.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fsvt.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fudanshi.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fuite.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fuitedeau.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fuites.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fukuoka-cityliner.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fulilingyu.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fuliwang.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24451,7 +24139,6 @@
     { "name": "gagnerplusdargent.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gainesvillegoneaustin.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gajas18.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "galeries.photo", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "galileanhome.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gameconservation.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gameparagon.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24500,7 +24187,6 @@
     { "name": "gibraltar-firma.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gigantism.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gigawattz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gilnet.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gina-architektur.design", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "giraffes.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "girsa.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24543,7 +24229,6 @@
     { "name": "gpws.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "graeber.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grandcapital.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "grandchene.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grantmorrison.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grapeintentions.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "greditsoft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24558,7 +24243,6 @@
     { "name": "grillteller42.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "groenewoud.run", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grow-shop.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "growy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gruenprint.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gsmsecurity.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gt-mp.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24572,8 +24256,6 @@
     { "name": "gulfcoast-sandbox.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gulshankumar.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guusvandewal.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gvi-timing.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gvitiming.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gymhero.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gympap.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gzitech.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24606,7 +24288,6 @@
     { "name": "hangtenseo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hanksservice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "happycarb.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "happydoq.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hapsfordmill.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hardesec.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hardforum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24617,7 +24298,6 @@
     { "name": "hashcat.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hashish.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hauntedhouserecords.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hauteslatitudes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "havenmoon.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "haz.cat", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hcbj.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24666,7 +24346,6 @@
     { "name": "hire-a-coder.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hirefitness.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hirokilog.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "histoire-cite.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hiwiki.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hjartasmarta.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hjf-immobilien.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24678,21 +24357,17 @@
     { "name": "hodamakade.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hodgephotography.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hoeft-autolackierung.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hoewler.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "holebedeljek.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hollermann.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "holymolycasinos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "holywhite.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "homeandyarddetailing.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "homecarpetcleaning.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "homeogenium.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hommeatoutfaire.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hongyd.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hoppyx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hostgigz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hostmodern.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hostserv.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hot-spa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hottaro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "houdremont-la-courneuve.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "house-sparrow.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24706,7 +24381,6 @@
     { "name": "hppub.site", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hrk.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hrtraining.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "htsure.ma", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "httpsecured.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "huangguancq.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "huduser.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24725,7 +24399,6 @@
     { "name": "hundter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "huntingdonlifesciences.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "huwcbjones.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hydrante.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hylians.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hyperalgesia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hypersomnia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24746,14 +24419,12 @@
     { "name": "idealwhite.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "idmanagement.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iemas.azurewebsites.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ifixe.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ignatovich.by", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ignatovich.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ikkoku.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ilamparas.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ilamparas.com.ve", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ilazycat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "illambias.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "illuminationis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ilya.pp.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "im-design.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24788,8 +24459,6 @@
     { "name": "inmusrv.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "innerfence.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "innsalzachsingles.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "inondation.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "insblauehinein.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inscript.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inst.mobi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "instinctive.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24841,7 +24510,6 @@
     { "name": "isuzupartscenter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "isv.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "itactiq.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ital-gamma.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "itamservices.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "itchimes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iteecafe.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24849,7 +24517,6 @@
     { "name": "itnews-bg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "itproject.guru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "itshka.rv.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "itsnotquitethehilton.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "itsupport-luzern.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ivfausland.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ivvl.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24908,7 +24575,6 @@
     { "name": "johannaojanen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "johannes-bauer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "johannes-zinke.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "johnsiu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jomp16.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jonandnoraswedding.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jonathansanchez.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24970,7 +24636,6 @@
     { "name": "kermadec.blog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kernelpanics.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ketamine.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ketty-voyance.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kevinhill.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kevinlocke.name", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kewego.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24982,7 +24647,6 @@
     { "name": "kibibit.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kibriscicek.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kickasscanadians.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kidsneversleep.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kiekko.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kiel-kind.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kikbb.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25039,8 +24703,6 @@
     { "name": "kyonagashima.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kyoto-tomoshibi.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kyunyuki.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "la-baldosa.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "la-maison.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "labande-annonce.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lacarpesaintaubinoise.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lachlan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25063,11 +24725,8 @@
     { "name": "lavaux.lv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lawnuk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ldcraft.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "le-creux-du-van.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "le-palantir.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "le-traiteur-parisien.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "le23.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "leap-it.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lebourgeo.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lechaudrondupertuis.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leebiblestudycenter.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25078,7 +24737,6 @@
     { "name": "leebiblestudycentre.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leetgamers.asia", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leflibustier.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lefonddeloeil.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "legit.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "legymnase.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leipzig.photo", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25091,7 +24749,6 @@
     { "name": "lesancheslibres.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lespecialiste-pradelexcellence.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lessets-graphiques.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lesyndicat.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lets-go-acoustic.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lets.nu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lettland-firma.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25132,7 +24789,6 @@
     { "name": "loandolphin.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lobivia.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "logic8.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "loichot.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "loli.world", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lolicon.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "londongynaecologist.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25142,7 +24798,6 @@
     { "name": "loss.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lostkeys.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lou.lt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "louange-reconvilier.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "louisvillecarguys.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "loveandloyalty.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lovelive-anime.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25161,7 +24816,6 @@
     { "name": "lucy.science", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lukeistschuld.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lumi.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lunar6.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lunartail.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "luolikong.vip", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lutoma.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25315,7 +24969,6 @@
     { "name": "meterhost.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "methamphetamine.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "methylone.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "metropop.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mevo.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mflodin.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mgknet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25337,7 +24990,6 @@
     { "name": "miki.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mikro-inwestycje.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mikropixel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mil-spec.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "milesapart.dating", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "militarycarlot.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "milkingit.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25349,7 +25001,6 @@
     { "name": "minecraft-server.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minecraftforum.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minepod.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mingwah.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mingyueli.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minigolf-reisinger.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minikidz.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25357,7 +25008,6 @@
     { "name": "mintosherbs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minube.co.cr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mipymesenlinea.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mirshak.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "missguidedus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "missionsgemeinde.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "misssex.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25392,12 +25042,10 @@
     { "name": "mon-a-lisa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moneychangersoftware.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "montagne-tendance.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "montpreveyres.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "montsaintaignan.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moodzshop.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mopsuite.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "morbotron.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "morchino.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mordrum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mosin.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mosos.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25409,7 +25057,6 @@
     { "name": "mozillians.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mpe.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mpg.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mplanetphl.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mpy.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mr-anderson.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mscenter.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25439,7 +25086,6 @@
     { "name": "mwohlfarth.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mxawei.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "my-floor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "myconsulting.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mycreativeartsconsulting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mycrypnet.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mydaywebapp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25448,7 +25094,6 @@
     { "name": "mydjsongbook.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mydriversedge.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myfantasysportstalk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "myfirenet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mygeotrip.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mygreatjob.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mygymer.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25465,7 +25110,6 @@
     { "name": "myrig.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myrsa.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mysocialporn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "myswissmailaddress.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mywebinar.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "n2servers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "n3twork.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25479,13 +25123,10 @@
     { "name": "nanubo.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "napolinissanctparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "narko.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "narmos.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "naroska.name", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nastoletni.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nataliedawnhanson.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "natatorium.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nathaliebaron.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nathaliebaroncoaching.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nationalmap.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "natur-udvar.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "naturesorganichaven.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25533,7 +25174,6 @@
     { "name": "niva.synology.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nmadda.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nmnd.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "no-xice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nodejs.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "noellabo.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "noisebridge.social", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25562,7 +25202,6 @@
     { "name": "nuclearcrimes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nuclearcrimes1.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nulltime.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "numero1.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "numerossanos.com.ar", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "numis.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nuriacamaras.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25577,28 +25216,22 @@
     { "name": "oberhof.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oberhofdrinks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oberhofjuice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "objectif-terre.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "objekt-textil.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "observatory.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "obyvateleceska.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ocelot.help", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ocsigroup.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "odzyskaniedomeny.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ofcampuslausanne.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ofcss.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "off-the-clock.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "offroadeq.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "offshore-unternehmen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "offshorefirma-gruenden.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "offtherails.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oge.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ohai.su", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "okburrito.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oldnews.news", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "olegs.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "olgiati.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "olympic-research.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "omanko.porn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ometepeislandinfo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "omf.link", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "omi-news.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25661,7 +25294,6 @@
     { "name": "ourwedding.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ovuscloud.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ownc.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oxelie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ozonitron.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ozonitron.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ozonitron.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25670,14 +25302,12 @@
     { "name": "ozonytron.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "p-pc.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "p3ter.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pacifictilkin-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "packetapp.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "packetcrash.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pactf-flag-4boxdpa21ogonzkcrs9p.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pactocore.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paleosquawk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "palletflow.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "palli.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pammbook.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pan.tips", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "panascais.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25685,7 +25315,6 @@
     { "name": "panpsychist.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "panzer72.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "papakatsu-life.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "parachute70.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paradise-engineer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paradise-engineers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paragon.edu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25702,13 +25331,10 @@
     { "name": "partsestore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "passpilot.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "passwd.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "patsyforyou.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "patsytoforyou.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paulbramhall.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paulbunyanmls.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paulus-foto.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pautadiaria.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pavando.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pawsr.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pback.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pbcknd.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25719,8 +25345,6 @@
     { "name": "peep.gq", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "peerless.ae", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "peippo.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pelopogrund.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pelopoplot.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pepwaterproofing.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pernatie.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "perniciousgames.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25735,20 +25359,15 @@
     { "name": "phasme-2016.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "phdsupply.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "philippa.cool", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "philipperoose.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "phillipgoldfarb.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "philonas.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "philosoftware.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "philux.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "photographe-reims.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "photomodelcasting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "photon.sh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "phpliteadmin.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "picture.team", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pidatacenters.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pidjipi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pierrefv.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pimpmyperf.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pinemountainnursery.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pinemountbaptistchurch.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pinimg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25757,7 +25376,6 @@
     { "name": "pizzafest.ddns.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pjbet.mg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pkschat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pl-cours.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "plan-immobilier.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "planetbeauty.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "planeteroliste.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25787,12 +25405,9 @@
     { "name": "poinsot.beer", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pokemondb.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pol-expo.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pole-emotion.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "polyfill.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "polytechecosystem.vc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pommedepain.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pompiers-martigny.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "poneypourtous.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ponychan.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ponyfoo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "poopjournal.rocks", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25829,7 +25444,6 @@
     { "name": "prefix.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "preludes.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prepare-job-hunting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "prestige-car-location.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pretachique.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prettygrouse.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prifo.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25922,7 +25536,6 @@
     { "name": "ranegroup.hosting", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ranking-deli.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ranos.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "raphaelcasazza.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rapidstone.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rareative.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rastreie.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25978,8 +25591,6 @@
     { "name": "resl20.servehttp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ressl.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "restaurantesimonetti.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "reto.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "retokromer.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "retro.sx", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "revelaciones.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "review.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25995,7 +25606,6 @@
     { "name": "richardlugten.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "riddims.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rievo.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "righini.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rijnmondeg.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rile5.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rimcountrymuseum.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26049,11 +25659,9 @@
     { "name": "rteone.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rubyquincunx.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rudelune.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ruedirrenggli.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ruk.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rulu.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "run-forrest.run", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "runagain.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rushpoppershop.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rusi-ns.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rutiger.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26112,10 +25720,8 @@
     { "name": "schmelzle.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schmitt.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schmitt.ws", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "schnegg.name", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schnyder-werbung.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schsrch.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "schull.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schwarzwald-flirt.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scintilla.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scintillating.stream", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26150,7 +25756,6 @@
     { "name": "seiler-bad.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seiryokuzai-ch.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sektor.team", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "selected-properties.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "selfdefenserx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "selfishness.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "selfloath.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26180,7 +25785,6 @@
     { "name": "shadowsocks.wiki", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shadowsocksvpn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shadowsoks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "shakan.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shamka.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sharanyamunsi.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sharejoy.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26196,8 +25800,6 @@
     { "name": "shockercityservices.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shoemuse.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shoestringeventing.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "shred.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "shredoptics.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sidelka-tver.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sigmalux.sarl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sigsegv.run", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26260,7 +25862,6 @@
     { "name": "sklepsamsung.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sklotechnik.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sktan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "skynet233.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "skyris.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slash64.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slash64.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26273,7 +25874,6 @@
     { "name": "slowgames.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slvh.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slwilde.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "slytech.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smime.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smksultanismail2.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "snapserv.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26287,8 +25887,6 @@
     { "name": "sociopathy.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sockscap64.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "softprayog.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "solacyre.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "solfegiator.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "solidwebnetworks.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "solvemethod.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "somali-derp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26307,13 +25905,11 @@
     { "name": "specialedesigns.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "speciesism.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spedition-transport-umzug.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "speechndraw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spellcheck24.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spha.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sphinx.network", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spidermail.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spiders.org.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "spiga.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spinspin.wtf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spoketwist.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spokonline.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26336,7 +25932,6 @@
     { "name": "starfeeling.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stastka.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "static-692b8c32.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "stationa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "std-home-test.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "steef389.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "steelbea.ms", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26374,7 +25969,6 @@
     { "name": "supa.sexy", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "supercalorias.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "superklima.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "supern0va.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "support4server.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "supportericking.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "surasak.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26389,17 +25983,11 @@
     { "name": "swarlys-server.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "swfloshatraining.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "swipetv.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "swissfreshaircan.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "swisstranslate.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "swisstranslate.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "swissxperts.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "syllogi.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sylve.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "system.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "system12.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "systemd.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "szyndler.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tac-volley.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tacoma-games.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tagesmutter-in-bilm.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tahosalodge.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26408,7 +25996,6 @@
     { "name": "takemoto-ped.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "talkitup.mx", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "talkitup.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tango-ouest.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tangyue.date", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tarasecurity.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tarasecurity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26418,8 +26005,6 @@
     { "name": "targimieszkaniowe.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tateesq.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tatsidou.gr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "taysonvodao.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tc-st-leonard.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tchoukball.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tdsb.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tdsb.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26452,12 +26037,10 @@
     { "name": "tengu.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tenthousandcoffees.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "teranacreative.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "teranga.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "terminalvelocity.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "terralimno.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "terralimno.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "terraluna.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "terresmagiques.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "teschenhausen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tessai.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "testgeomed.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26495,12 +26078,10 @@
     { "name": "thepiabo.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theprivacysolution.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thequillmagazine.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thermique.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theroyalmarinescharity.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thesearchnerds.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thethirdroad.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theyearinpictures.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thiry-automobiles.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thiscloudiscrap.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thiswasalreadymyusername.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thm.vn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26530,7 +26111,6 @@
     { "name": "tinyhousefinance.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tipaki.gr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tiste.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "titusetcompagnies.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tjandpals.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tkacz.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tkts.cl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26562,7 +26142,6 @@
     { "name": "tostu.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "totalhomecareinc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "totalsystemcare.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tournevis.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tourtransferitaly.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "touslesdrivers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tousproducteurs.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26618,12 +26197,10 @@
     { "name": "tunca.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tuner.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tupa-germania.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tupeuxpastest.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "turncircles.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tuto-craft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tutoragency.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tutorio.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tuttimundi.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tuxpeliculas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tuxtimo.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tvc.red", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26650,12 +26227,8 @@
     { "name": "ukrnet.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ultimateanu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "unblocked.cam", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "unefuite.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "unga.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "unhu.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "unique-pathways.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "unique-pathways.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "uniquepathways.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "unite-ka.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "unitedpsychological.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "universal-happiness.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26681,20 +26254,16 @@
     { "name": "valenhub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "valenhub.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "valenscaelum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "valentinritz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "validatis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vanajahosting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vandenbroeck-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vanderkrieken.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vanessabalibridal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vanhoudt-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vapor.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "varta.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vaskulitis-info.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vasyharan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vatelecom.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vayaport.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vc.gg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vcam.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vdisk24.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "veganism.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26705,17 +26274,14 @@
     { "name": "venoom.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "verliebt-in-bw.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "verliebt-in-niedersachsen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "verrerie-mousseline.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "versagercloud.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vertebrates.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vfn-nrw.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vhummel.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vidbooster.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "videorullen.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "videoueberwachung-set.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vider.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viekelis.lt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "viemontante.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vierpluseins.wtf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vieux.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vigenebio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26723,7 +26289,6 @@
     { "name": "villainsclothing.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vilog.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vinolli.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vinsetchampagne.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vintagecaskandbarrel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vintagejeeps.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viral8.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26741,7 +26306,6 @@
     { "name": "voice-of-design.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "void-zero.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "volcanconcretos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vonauw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vonniehudson.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vorderklier.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vorkbaard.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26751,7 +26315,6 @@
     { "name": "vsc-don-stocksport.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vsesrazu-raiffeisen.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vstehn.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vsx.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vuakhuyenmai.vn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vulpine.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vuojolahti.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26768,7 +26331,6 @@
     { "name": "walksedona.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wallabag.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wallabies.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "walnutis.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "walruses.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wanashi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wangjiatun.com.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26828,7 +26390,6 @@
     { "name": "wiredcut.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wireframesoftware.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wiseflat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "withlocals.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wkennington.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wmustore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wodboss.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26854,14 +26415,12 @@
     { "name": "writereditor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wsdcap.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wssv.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wstudio.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wug.news", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wwgc2011.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "www-507.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "www-746.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "www-771122.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "www-jinshavip.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wxrlab.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wygibanki.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wygluszanie.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wygodnie.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26901,7 +26460,6 @@
     { "name": "ycm2.wtf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yeesker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yemekbaz.az", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "yep-pro.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yepbitcoin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yfengs.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yffengshi.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26953,7 +26511,6 @@
     { "name": "zinniamay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zinoui.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zip.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "zivmergers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zixo.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zoners.si", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zooish.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27071,7 +26628,6 @@
     { "name": "adzuna.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adamwallington.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "af-internet.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "2stv.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "acpinformatique.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aebian.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "abrakidabra.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27092,7 +26648,6 @@
     { "name": "8azino777.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adentalsolution.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alaxyjewellers.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "acperu.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "agreor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "afavre.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allscammers.exposed", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27106,8 +26661,6 @@
     { "name": "aip-marine.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "akul.co.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alexander-beck.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "achalay.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "acoustique-tardy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allplayer.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aintevenmad.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "akoch.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27115,11 +26668,9 @@
     { "name": "alfaponny.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3dmusiclab.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrewdavidwong.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "agalliasis.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alpha.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "americanmediainstitute.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alex97000.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alainmargot.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anime1video.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anime1.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andschwa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27130,7 +26681,6 @@
     { "name": "anedot.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allangirvan.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alexandre-blond.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "agamsecurity.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "angusmak.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "amiciidogrescue.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alleskomtgoed.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27153,10 +26703,8 @@
     { "name": "apiary.blog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apiary.supplies", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "annedaniels.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "amicalecanyon.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apiary.supply", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apis.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ambholding-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "altstipendiaten.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "amicsdelbus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "angeloroberto.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27170,10 +26718,8 @@
     { "name": "apartmentkroatien.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "archsec.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antoinemary.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alize-theatre.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alpinepubliclibrary.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "albanien.guide", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "agsb.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andreasanti.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ankwanoma.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "amoozesh98.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27203,8 +26749,6 @@
     { "name": "arresttracker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ajnasz.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anipassion.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "api-connect.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "animationsmusicales.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antama.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "armyofbane.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apm.com.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27228,18 +26772,13 @@
     { "name": "asuka.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "artansoft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "au2pb.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ar-informatique.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "appel-aide.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asialeonding.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "atzenchefin.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "airportlimototoronto.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "anons.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arnaudminable.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aussieservicedown.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aquadonis.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "astaninki.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aquabio.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "asdyx.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asanger.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "armil.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "assumptionpj.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27256,12 +26795,9 @@
     { "name": "awsmdev.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aspatrimoine.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "australianfreebets.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "arnoldkontz-occasions.lu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "avspot.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "art-et-culture.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrea-m.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "audiolibri.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ataton.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "auvernet.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "autos-retro-plaisir.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "360live.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27271,7 +26807,6 @@
     { "name": "avnet.ws", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "assistance-personnes-agees.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "azu-l.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "atelier-coiffure.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "babeleo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "autoxy.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bandarifamily.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27285,12 +26820,10 @@
     { "name": "atracaosexshop.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "avtogara-isperih.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alter-news.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "artdeco-photo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "babycamapp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "austromorph.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aveapps.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "avedesk.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "atds.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ateliernihongo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bangdream.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "autostop-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27298,8 +26831,6 @@
     { "name": "babai.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antoinemary.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ax25.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "b-services.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "avvcorda.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "barnrats.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bananensap.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "b-ticket.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27307,8 +26838,6 @@
     { "name": "balcaonet.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "b4z.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "avid.blue", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "atraverscugy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "autoterminus-used.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "awen.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "barlotta.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "audiorental.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27316,13 +26845,8 @@
     { "name": "answers-online.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "baumannfabrice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "battleboxx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "autotechschool.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "baby-digne.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bearingworks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bdenzer.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "backsideverbier.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "baladecommune.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "balade-commune.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beekeeper.blog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beekeeper.clothing", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beekeeper.supplies", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27339,10 +26863,8 @@
     { "name": "aurora-multimedia.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "balidesignshop.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "around-the-blog.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bariseau-mottrie.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "banned-bitches.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "averam.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "baciu.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beautyevent.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aqua-fotowelt.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bc-diffusion.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27355,7 +26877,6 @@
     { "name": "bernhard-seidenspinner.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bedandbreakfast.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bedandbreakfasteuropa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bda-boulevarddesairs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "belewpictures.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bichonfrise.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bghost.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27364,18 +26885,14 @@
     { "name": "betterworldinternational.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "berlin-flirt.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "berthelier.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "better.fyi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "beaute-eternelle.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bentphotos.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biaggeo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "arfad.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beraru.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "birdbrowser.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bestwarezone.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biletua.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bedouille.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biletru.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "belien-tweedehandswagens.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bikkelbroeders.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "binaryappdev.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bikkelbroeders.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27384,16 +26901,12 @@
     { "name": "bibliotekarien.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beacinsight.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bestbyte.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "becs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bernhardkau.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "belastingdienst-in-beeld.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bison.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "batipresta.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blenderrecipereviews.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biblioblog.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "belloy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bladesmith.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "belloy.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bestschools.top", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blizhost.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bijoux.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27405,7 +26918,6 @@
     { "name": "bitpoll.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blackhillsinfosec.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bakersafari.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "b-cyclesshop.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bilalkilic.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bitsync.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "baugemeinschaftbernstein.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27418,7 +26930,6 @@
     { "name": "bookingready.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bookmakersfreebets.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bitwrought.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "beexfit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bnin.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bohyn.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bodyconshop.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27428,9 +26939,6 @@
     { "name": "batolis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bradypatterson.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blumenwiese.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bioligo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "biogecho.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "biogecho.swiss", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "booox.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "boschee.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bornfiber.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27446,13 +26954,10 @@
     { "name": "blakecoin.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bondarenko.dn.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brettelliff.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bonnant-associes.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aprpullmanportermuseum.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brianfoshee.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "braeunlich-gmbh.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bress.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bouckaert-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "boscoyacht.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bls-fiduciaire.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bsidesf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biologis.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27463,11 +26968,9 @@
     { "name": "brightonchilli.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "botserver.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "boutiquedecanetas.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bonnant-partners.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brrd.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bubhub.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brainfpv.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "boimmobilier.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brewsouth.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "btserv.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "broerweb.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27492,8 +26995,6 @@
     { "name": "byji.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buyessays.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "byatte.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bretzner.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brainball.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "c2o-library.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "burckardtnet.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bronetb2b.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27501,7 +27002,6 @@
     { "name": "by1898.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "boyan.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buttercupstraining.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bm-immo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "butarque.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ca5.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "caliderumba.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27517,8 +27017,6 @@
     { "name": "caferagazzi.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bytecode.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bodyworkbymichael.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "businesscentermarin.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cadetsge.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "calleveryday.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "camelservers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "caerostris.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27528,8 +27026,6 @@
     { "name": "cardelmar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buronwater.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cashmaxtexas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brave-foods.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brave-foods.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catchersgear.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cata.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "carre-lutz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27555,7 +27051,6 @@
     { "name": "cafefresco.pe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cfneia.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "celigo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cdda.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ccv-deutschland.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cc-brantomois.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catburton.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27577,24 +27072,17 @@
     { "name": "cheapessay.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catalogoreina.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cheah.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "celiendev.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chordso.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "charitylog.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "celuliteonline.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "centreoeil.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "c3-compose.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chaletpierrot.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chazalet.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chronic101.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "casbia.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "churchlinkpro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catharisme.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catharisme.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chemicalguys-ruhrpott.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chinwag.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "catharisme.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cheapestgamecards.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chevymotor-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chrispstreet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chesspoint.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cityoftitans.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27647,30 +27135,23 @@
     { "name": "coincealed.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chocolat-suisse.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloudfren.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cie-theatre-montfaucon.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cncbazar365.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conservados.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chsh.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cielbleu.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comparesoft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloppenburg-automobil.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "clubscannan.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloppenburg-autmobil.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conmedapps.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "colasjourdain.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chiropratique-neuchatel.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coolbutbroken.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "collard.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chirosphere.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cocquyt-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloud2go.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "capachitos.cl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chiro-neuchatel.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "continuation.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comyuno.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloud.bugatti", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coastline.net.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chiropraticien-neuchatel.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "copycrafter.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coorpacademy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "computernetwerkwestland.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27687,29 +27168,23 @@
     { "name": "controleer-maar-een-ander.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cosmofunnel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cptoon.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "clindoeilmontagne.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cestunmetier.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chaifeng.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conceptatelier.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "corlinde.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "claudia-urio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comunidadmontepinar.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cpcheats.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cometonovascotia.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "consejosdenutricion.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conkret.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cncrans.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "condroz-motors.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comefollowme2016.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "connectmy.car", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ctj.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coptic-treasures.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "compagniemartin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crossfunctional.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "curiouscat.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cosmiatria.pe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conkret.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "colson-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conkret.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "colarelli.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "conformist.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27720,7 +27195,6 @@
     { "name": "creeks-coworking.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "costa-rica-reisen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crunchy.rocks", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "congobunkering.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cuongthach.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "currynissanmaparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "customwritingservice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27736,11 +27210,9 @@
     { "name": "curvesandwords.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coroasdefloresonline.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crox.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cqn.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cryptofan.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "d3njjcbhbojbot.cloudfront.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cypressinheritancesaga.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "counter-team.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cruikshank.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ctnguyen.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ctnguyen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27760,16 +27232,13 @@
     { "name": "cryptography.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "create-ls.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cryptology.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "csinterstargeneve.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "daisuki.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "davetempleton.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "d1ves.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cotonmusic.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "danwin1210.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyberspace.today", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "darookee.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crawl.report", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cordeydesign.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "daktarisys.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cspeti.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "datacubed.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27780,9 +27249,7 @@
     { "name": "darkanzali.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "darylcumbo.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cutner.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cospol.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyumus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "darioackermann.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dallaslu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cs2016.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "defender-pro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27798,7 +27265,6 @@
     { "name": "cutelariafiveladeouro.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dcw.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dctxf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "daoro.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "danotage.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dbyz.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deniszczuk.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27807,9 +27273,7 @@
     { "name": "dawnbringer.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "demo-server.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dermot.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dchatelain.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "d-academia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "davo-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deepsouthsounds.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "d-parts24.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dennisvandenbos.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27817,12 +27281,10 @@
     { "name": "danskringsporta.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "defxing.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "depaddestoeltjes.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "decock-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diamondpkg.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dental-misaki.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dhaynes.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "demotivatorbi.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "delbecqvo.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diabolic.chat", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "decofire.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "depone.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27830,14 +27292,11 @@
     { "name": "destileria.net.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dalmatiersheusden.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "devalps.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "depotter-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deliandiver.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "desktopfx.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dc-occasies.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "developersclub.website", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "depth-co.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diccionarioabierto.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "coteries.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "digitaldatacenter.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dicionariopopular.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "datumou-osusume.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27845,15 +27304,10 @@
     { "name": "diwei.vip", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "digitaldeli.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dissertationhelp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "designskin.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "degata.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "devjack.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "demeyere-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dhl-smart.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "devillers-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "digitalewelten.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "digitaltechnologies.ltd.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dermatologie-morges.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diskbit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "discha.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dieselanimals.lt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27893,13 +27347,11 @@
     { "name": "domythesis.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "djangogolf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dewapress.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "disrupters.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dm4productions.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "drdipilla.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doujin.nagoya", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "disinisharing.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dog-blum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dessinemoilademocratie.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "disadattamentolavorativo.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doomoo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doop.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27945,7 +27397,6 @@
     { "name": "dsancomics.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dormebebe.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doveholesband.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "do-prod.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dullapp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "droidwave.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ebertek.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27969,7 +27420,6 @@
     { "name": "digitalcraftmarketing.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dtdsh.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eeetrust.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "duriaux-dentiste.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elite-box.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elhamadimi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "divvyradio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28004,7 +27454,6 @@
     { "name": "elliff.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dovenzorgmalawi.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "efa-football.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dvnatura.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "emil.click", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elektro-roth.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eolme.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28017,7 +27466,6 @@
     { "name": "eickhof.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "envoyglobal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eickhof.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ecoledusabbat.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epiphyte.network", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eigenbubi.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elternverein-utzenstorf.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28045,11 +27493,7 @@
     { "name": "elodieclerc.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "essenceofvitalitydetox.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "essayforsale.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "emivauthey.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eltern-verein.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "economies.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "emond-usedcars.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ellevit.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dynts.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etaoinwu.win", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "enemiesoflight.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28067,22 +27511,18 @@
     { "name": "eworksmedia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "exeintel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evolutionpets.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "energie-sante.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "example.wf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evilarmy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epistas.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etienne.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epossystems.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "echoworld.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ethiobaba.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ethicsburg.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evertonarentwe.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "esquirou-trieves.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evrica.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "expowerhps.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eron.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "essentiel-physique.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "entrecieletpierres.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ergovitanet.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esteticanorte.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etangs-magazine.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28093,11 +27533,8 @@
     { "name": "exmoe.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "exploravacations.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "exembit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "etoile-usedcars.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "etre-soi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eth-faucet.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "falconwiz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "essteebee.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faberusa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "extradesktops.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evodation.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28111,7 +27548,6 @@
     { "name": "ezwritingservice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faithmissionaries.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "efag.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "etudesbibliques.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "exceed.global", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fantasticcleaners.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecococon.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28125,10 +27561,8 @@
     { "name": "euroalter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fads-center.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faxite.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "etudesbibliques.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fabienne-roux.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faluninfo.ba", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "etudesbibliques.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "felixbarta.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fermanacuratampaparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fireboxfood.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28160,7 +27594,6 @@
     { "name": "filoitoupediou.gr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "finvantage.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "followback.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "florianschmitt.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faraslot8.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fassi-sport.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faraslot8.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28178,7 +27611,6 @@
     { "name": "fougner.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eswap.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "filo.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fini-de-jouer.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "flagshop.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fonseguin.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fidelis-it.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28217,13 +27649,10 @@
     { "name": "franklinhua.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "friller.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fs-fitness.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "feuetgloire.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "format-paysage.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "freergform.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fussell.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gafunds.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "futrou.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "forge-goerger.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gadabit.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "funniestclip.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fsck.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28236,7 +27665,6 @@
     { "name": "frino.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gdb-tutorial.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "friezy.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "francoislepage.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "funnybikini.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fukakukeiba.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fid-elite.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28247,11 +27675,9 @@
     { "name": "fokan.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fsck.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "foerster-kunststoff.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "francois-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ftgho.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fwest98.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geh.li", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fuelingyourdreams.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "espigol.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "g-i-s.vn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "freifamily.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28260,12 +27686,9 @@
     { "name": "fusa-miyamoto.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gdgrzeszow.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fussball-xxl.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "forward-fly-fishing.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fit-4u.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gemsoftheworld.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geekles.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geass.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "g3dev.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gamenerd.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "genesismachina.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gginin.today", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28273,9 +27696,7 @@
     { "name": "gethow.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gestormensajeria.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erf-neuilly.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "frtrains.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "getyourphix.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gachter.name", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gentoo-blog.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "georgebrighton.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "george-brighton.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28286,9 +27707,7 @@
     { "name": "geldimblick.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "getmerch.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gamblersgaming.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gegeco.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "getfilterlive.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fumerolles.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "globalelite.black", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gleanview.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "getyeflask.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28311,11 +27730,9 @@
     { "name": "gmx.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geektopia.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gmx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "geoscope.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gmx.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ginniemae.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gelis.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gapfa.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gottfridsberg.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fysiovdberg.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "glutenfreelife.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28325,15 +27742,12 @@
     { "name": "grande.coffee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gigin.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grayhatter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gentianes.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "festival.house", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "galak.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gfxbench.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "goldfelt.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "givastar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gpalabs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gendundrupa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ginionusedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "goup.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grayson.sh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "global.hr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28341,14 +27755,10 @@
     { "name": "gmanukyan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gronau-it-cloud-computing.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "goup.com.tr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gillesmorelle.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gagygnole.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "freesourcestl.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gmat.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gioielleriamolena.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "global-office.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gregoryrealestategroup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "geneve-naturisme.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gilmoreid.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "govtjobs.blog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gmx.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28403,7 +27813,6 @@
     { "name": "guichet-entreprises.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "globalnewsdaily.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hdguru.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gregoirow.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "healthlabs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "haschrebellen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "harmfarm.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28417,8 +27826,6 @@
     { "name": "gvpt.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hanashi.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hexapt.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hd1tj.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "groupghistelinck-cars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "heroicpixel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "helenaknowledge.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "heinzelmann.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28464,7 +27871,6 @@
     { "name": "hopglass.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hizzacked.xxx", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "howtogeekpro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hinrich.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hostingfirst.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hoiku-navi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "humanity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28494,7 +27900,6 @@
     { "name": "hydrodipcenter.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "home-cloud.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "i1place.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hugolynx.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "horodance.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hvdbox.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "i-geld.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28548,16 +27953,13 @@
     { "name": "immobiza.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "innovativebuildingsolutions.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "holidayincotswolds.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "igimusic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "icsadviseurs.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ingalabs.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "internetbugbounty.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "indecipherable.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ingjobs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "indogermantrade.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "idc-business.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "industrybazar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "huguesditciles.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "investigazionimoretti.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ifan.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ibrom.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28572,14 +27974,11 @@
     { "name": "instagramtweet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "int-ext-design.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "innolabfribourg.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "imagerive.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ifosep.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inventtheworld.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "irugs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ingresscode.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inlink.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "invinsec.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hockeymotion.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "istheservicedown.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "istheservicedowncanada.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "istheservicedown.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28605,7 +28004,6 @@
     { "name": "iwpbk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "isdn.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ivi-co.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ip-hahn.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "j-eck.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "internetinhetbuitengebied.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jabergrutschi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28614,7 +28012,6 @@
     { "name": "insolent.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jaberg-rutschi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "innwan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "inventaire.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iteha.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "its-future.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jhaveri.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28626,8 +28023,6 @@
     { "name": "janking.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "javilacat.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jamesforman.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jaguarlandrover-asse.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jaguarlandrover-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jakobkrigovsky.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "itpro-mg.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jimenacocina.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28641,7 +28036,6 @@
     { "name": "jmarciniak.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "johnrockefeller.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "impacter.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "investir.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jasonmili.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jardinderline.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jardin-exotique-rennes.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28650,7 +28044,6 @@
     { "name": "joelmunch.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "josefottosson.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jmbelloteau.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jbs-jardins.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jobsuchmaschine.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jobs4sales.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jelena-adeli.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28672,13 +28065,11 @@
     { "name": "jumpinchat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jordikroon.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jsbentertainment.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "izuba.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jongcs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jasonradin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jvn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jungleducks.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "julianickel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "joi-dhl.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "juliawebber.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jornalalerta.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joyjohnston.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28686,12 +28077,10 @@
     { "name": "johnfulgenzi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "just-pools.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jskoelliken.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jasongerber.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kakolightingmuseum.or.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kasnoffskinclinic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jyggen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kaydan.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "je-vends.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "keb.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "k1cp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jonathanmassacand.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28724,7 +28113,6 @@
     { "name": "kazuhirohigashi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "karlic.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kanscooking.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "k-pture.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jsjyhzy.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jouetspetitechanson.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "keishiando.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28739,7 +28127,6 @@
     { "name": "kiehls.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kelm.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "keezin.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "julianskitchen.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kolin.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kanuvu.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "knegten-agilis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28792,7 +28179,6 @@
     { "name": "kteen.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "la-serendipite.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lafayette-rushford.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kode.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ladylucks.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kuko-crews.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "krag.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28829,10 +28215,8 @@
     { "name": "lenyip.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "launchpad-app2.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lernerspersonalinjury.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lapassiondutrading.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "labella-umbrella.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lenyip.works", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "laled.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "latabledebry.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kiwiplace.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "klaim.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28858,22 +28242,18 @@
     { "name": "lesquatredauphins.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "limeburst.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lilygreen.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "legendesdechine.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "linky.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lichess4545.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lichess4545.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "likenosis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lingeriesilhouette.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lightning-ashe.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lapotagere.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "le-page.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lidl-holidays.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leponton-lorient.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "laemen.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "librairie-asie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jordanstrustcompany.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "locker3.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "latitudesign.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lidl-shop.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "locker.email", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lithianissaneugeneparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28882,9 +28262,6 @@
     { "name": "laforetenchantee.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lezard-com.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lexxyn.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lacledor.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "laclefdor.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "les-ateliers-de-melineo.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leavesofchangeweekly.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jwolt-lx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "libdeer.so", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28901,7 +28278,6 @@
     { "name": "limules.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kotausaha.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "linuxiuvat.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lesberger.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "linearaudio.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lostarq.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lissabon.guide", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28934,9 +28310,7 @@
     { "name": "luk.earth", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lovetravel360.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "loyaleco.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lausannelovers.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lodgesdureynou.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lordofthebrick.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lucid-light.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lojasviavento.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lojamascate.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28961,7 +28335,6 @@
     { "name": "malikussa.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "magebankin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manavgabhawala.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "loperetti.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "madirc.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maomihz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lzh.one", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28971,15 +28344,12 @@
     { "name": "mailflank.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maartenprovo.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "makeshiftco.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mac-i-tea.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "malasuk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maedchenflohmarkt.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "littlepincha.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manipulatedtme.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "le-blog.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "m-orthodontic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maedchenflohmarkt.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "loveysa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marcianoandtopazio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marakovits.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maliar.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28988,15 +28358,11 @@
     { "name": "massagecupping.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marshmallow.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "madbin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "macnetwork.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mastichor.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lune-indigo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "macnetwork.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "markus-ullmann.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mainston.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maroc-bivouac.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "markllego.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "macnetwork.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marqueswines.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "main-unit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mckinleytk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29004,11 +28370,9 @@
     { "name": "maleexcel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marcelparra.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "massage-vitalite.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lyonelkaufmann.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mattisam.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marykshoup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "magazinedabeleza.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lovesmagical.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mannheimbloggt.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "makenaiyo-fx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mckenry.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29017,14 +28381,11 @@
     { "name": "matthijssen.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ma-plancha.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "me-dc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "memfrob.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "me-center.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "marin-business-center.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "martingansler.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "me-groups.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mazda626.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "melnessgroup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "marinbusinesscenter.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maxims-travel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manipil.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mathers.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29045,8 +28406,6 @@
     { "name": "mbdrogenbos-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mbwemmel-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mgsisk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mbcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "maxipcalls.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "metin2sepeti.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mercanix.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mhatlaw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29066,11 +28425,9 @@
     { "name": "millhousenchurch.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "metrans-spedition.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mikedugan.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mirco-grams.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "microblading.pe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mikegarnett.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "medifab.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "marin-tullet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minebier.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mgiay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mfrsgb45.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29118,7 +28475,6 @@
     { "name": "momstableonline.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "miguelmartinez.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "monteurzimmerfrei.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "moreserviceleads.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moneytoday.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moonrhythm.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moonrhythm.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29126,10 +28482,8 @@
     { "name": "moppeleinhorn.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mojefilmy.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mrca-sharp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "moncoach.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mosaique-lachenaie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "migueldominguez.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mobilisation-generale.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "modcasts.video", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multipleservers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moritztremmel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29137,7 +28491,6 @@
     { "name": "mizipack.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mindbodytherapymn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mrbmafrica.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mieuxgrandir.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mstd.tokyo", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mindercasso.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mrstat.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29177,7 +28530,6 @@
     { "name": "mycamda.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "music-is-my-life.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myrent.quebec", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mycofairtrade.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "munirajiwa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myoptumhealthcomplexmedical.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mariage-photo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29186,7 +28538,6 @@
     { "name": "muenchberger.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mystorymonster.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mtfgnettoyage.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mullens-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nahura.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moderatorenpool.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "my-ebook.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29207,7 +28558,6 @@
     { "name": "myrig.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mzorn.photography", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nbtparse.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "moha-swiss.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moudicat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "netki.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "napcae.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29217,7 +28567,6 @@
     { "name": "nedwave.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "newbownerton.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mysteryblog.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "monbudget.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nacin.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "newsquantified.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nalukfitness.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29227,7 +28576,6 @@
     { "name": "nehoupat.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "netde.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nesolabs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nailattitude.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "musikverein-elten.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ndcpolipak.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "neostralis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29236,7 +28584,6 @@
     { "name": "nbur.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "newaccess.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nicolasiung.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mysterymind.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "night2stay.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nebulae.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nexgeneration-solutions.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29268,7 +28615,6 @@
     { "name": "nexus-vienna.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myspicer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nodeselect.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mitaines.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nirvanashop.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nipe-systems.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nihon-no-sake.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29291,15 +28637,12 @@
     { "name": "nsfw-story.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nopaste.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "notboring.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nativs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "needstyle.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "menanwc.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "northernhamsterclub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nordinfo.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nowcost.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "newguidance.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "munch.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nanarose.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "noudjalink.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "niceguyit.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nofrillsdns.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29308,7 +28651,6 @@
     { "name": "nystudio107.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nothing.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "officemovepro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "niesstar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nucleuscore.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "newsmotor.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nodesturut.cl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29316,7 +28658,6 @@
     { "name": "nullpointer.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nuel.cl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nsbfalconacademy.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nikimix.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oklahomanotepro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "netbows.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nlrb.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29355,20 +28696,16 @@
     { "name": "omertabeyond.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "netbows.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "natuterra.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "numerik-games.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "overstockpromote.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "olivlabs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "opengateway.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "osakeannit.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nxinfo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oficinadocelular.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "openstem.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "novelinglife.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "orians.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oswalds.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "owennelson.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paizinhovirgula.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oftamedic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "owapi.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "p3.marketing", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paavolastudio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29384,14 +28721,12 @@
     { "name": "ofo2.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pasadenasandwichcompany.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "padrepio.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oneclic.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "papersmart.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paperwritinghelp.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onnee.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "panascais.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "papayame.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "panascais.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "olasouris.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "passwordscon.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "panascais.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "panascais.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29425,7 +28760,6 @@
     { "name": "pdfconvert.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "noc.wang", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "party-kneipe-bar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "paf-events.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pawelnazaruk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paranoidpenguin.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "peterjohnson.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29455,7 +28789,6 @@
     { "name": "peraparker.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paulomonteiro.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pinterest.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "olizeite.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "piccirello.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pinterest.engineering", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "peterandjoelle.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29476,7 +28809,6 @@
     { "name": "pinterest.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pivotanimation.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pinkapple.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "parentheseardenne.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pirateproxy.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pikmy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "phoenicis.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29529,16 +28861,13 @@
     { "name": "plus-u.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "plasvilledescartaveis.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "plumpie.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pharmacieplusfm.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "proctorio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pornomens.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "potatopro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pbosquet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pardnoy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "plutopia.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "poeg.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "poseidonwaterproofing.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pleine-conscience.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prac.to", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "post.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "plumnet.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29554,7 +28883,6 @@
     { "name": "projectunity.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "phcimages.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pornohub.su", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ploofer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pmconference.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "proovn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "project.supply", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29563,7 +28891,6 @@
     { "name": "procharter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "primaconsulting.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "proxyportal.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "plantastique.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "power-fit.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "profitablewebprojects.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "programsupport300procent.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29572,11 +28899,8 @@
     { "name": "privacyscore.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "propepper.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prodinger.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "plantastique.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "poleacademie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "proactive.run", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "productpeo.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "planetbreath.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "qbnt.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "puentes.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "py-amf.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29584,14 +28908,10 @@
     { "name": "prestigerepairs.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "premiumwebdesign.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ptrl.ws", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "prevenir.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "presses.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "protonvpn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "psychic-healer-mariya-i-petrova-boyankinska-b-borovan-bg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prepaid-cards.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "polizeiwallis.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pythonic.training", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "procert.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "queensrdapartments.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pieterbos.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "quickandroid.tools", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29609,18 +28929,15 @@
     { "name": "packagingproject.management", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "quaggan.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "raryosu.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "queroreceitasoberana.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rationalcreation.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pulsedursley.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prestigesigns.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "puzzlepoint.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "psyao.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rabota-x.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "reath.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "qiannews.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "redeemingbeautyminerals.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "raghavdua.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "puissancemac.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rcraigmurphy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "realraghavgupta.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rakugokai.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29642,7 +28959,6 @@
     { "name": "propagandablog.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "realworldholidays.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rdyrda.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "query-massage.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "qrcontagion.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "redshiftlabs.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rebelz.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29697,7 +29013,6 @@
     { "name": "revapost.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rigabeerbike.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "prague-swim.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rgcomportement.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "richardson.systems", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "reimann.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "retetenoi.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29750,16 +29065,13 @@
     { "name": "said.my.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "s3n.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "runklesecurity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rrg-partner.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "robertrijnders.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "samaritan.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sagarhandicraft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rogersaam.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rtvi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ruurdboomsma.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rogersremovals.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rage-overload.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "roulinfo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pragueswim.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "richardson.software", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sanskritiyoga.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29771,8 +29083,6 @@
     { "name": "s4tips.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rummel-platz.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "savingbytes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rvnoel.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rrdesignsuisse.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "salonestella.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sbobetfun.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sanatrans.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29782,10 +29092,8 @@
     { "name": "sandraindenfotografie.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "regily.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sayura.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "risaphuketproperty.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rychlikoderi.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rnt.cl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "salensmotors-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rucnerobene.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "savisasolutions.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sanatorii-sverdlovskoy-oblasti.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29794,7 +29102,6 @@
     { "name": "sanitairwinkel.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "redperegrine.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schippendale.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "santenatureetcie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schmaeh-coaching.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schraugerrun.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sanitairwinkel.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29825,7 +29132,6 @@
     { "name": "redcomet.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sentinelproject.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scm-2017.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sapprendre.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sebastian-kraus.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schnell-abnehmen.tips", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seo.tl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29844,7 +29150,6 @@
     { "name": "serbien.guide", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "semacode.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "servpanel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sdvigpress.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "serviceboss.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "securocloud.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seoprovider.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29871,16 +29176,13 @@
     { "name": "shopsouthafrican.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sfhobbies.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "securityarena.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sgtt.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "santorinibbs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sharezen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sha2017.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "santevie.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shaharyaranjum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seo-portal.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shieldofachilles.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shichibukai.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "schwarzhenri.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sexshopnet.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sheying.tm", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shining.gifts", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29913,13 +29215,11 @@
     { "name": "sirena.co.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "singles-berlin.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "skinpwrd.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sfo-fog.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slik.ai", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "single-in-stuttgart.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sjdaws.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shoshin-aikido.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "silvergoldbull.mw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sigismonda.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "skylgenet.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smartwritingservice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "skatingchina.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29932,7 +29232,6 @@
     { "name": "sl0.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scistarter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "silvergoldbull.cm", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "smutek.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "snap.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "securoswiss.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "silvergoldbull.ws", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29964,13 +29263,11 @@
     { "name": "songsmp3.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smit.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sgtsnookums.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "smartandcom.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "southcoastswords.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seanstrout.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "softclean.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "silvergoldbull.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sodafilm.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "skyloisirs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sluplift.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "some.rip", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sm2016.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30050,10 +29347,8 @@
     { "name": "sportscollection.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stratmann-b.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spisoggrin.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "souris.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "strozik.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "syneart.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sterchi-fromages.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "strila.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sportovnidum.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sukrie.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30068,7 +29363,6 @@
     { "name": "supercreepsvideo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stylewish.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sja-se-training.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "stadm.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "survivebox.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stlukesbrandon.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sylvaindurand.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30079,14 +29373,12 @@
     { "name": "systoolbox.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tam7t.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tattvaayoga.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "studiovaud.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tdsbhack.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "szybkiebieganie.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sysadm.guru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tapestries.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tbonejs.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tastystakes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "soinvett.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "talon.rip", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "svenskaservern.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tankfreunde.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30094,7 +29386,6 @@
     { "name": "tadtadya.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tdsbhack.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "student-eshop.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "stringvox.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "student-eshop.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tdsbhack.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tajper.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30112,10 +29403,8 @@
     { "name": "teamupturn.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tabithawebb.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tabino.top", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "symbiose-immobilier.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "snafarms.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "teddybradford.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "swisselement365.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "taartenfeesies.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "suzi3d.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tatiloley.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30136,7 +29425,6 @@
     { "name": "spillersfamily.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tantei100.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tenerife-villas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "taxicollectif.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "talkreal.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "taniku-succulent.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "textpedia.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30144,23 +29432,16 @@
     { "name": "tenberg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tandblekningidag.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tele-online.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "taxiscollectifs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "taxi-collectif.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "taxi-chamonix.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "taxis-collectifs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thebasementguys.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "symbiose-com.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tenseapp.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thailandpharmacy.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "takeitoffline.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "telecharger-open-office.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "telecharger-winrar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "the-zenti.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "symb.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thebrightons.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theebookkeepers.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thajskyraj.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "symbiosecom.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thefbstalker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tf2calculator.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thepathsofdiscovery.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30187,7 +29468,6 @@
     { "name": "sundanceusa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thecsw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thunderkeys.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thalmann.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ticketsource.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ticketsource.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tillberg.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30201,7 +29481,6 @@
     { "name": "thunderfield-boat.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ti-js.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "therumfordcitizen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thierry-daellenbach.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tiew.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thomas-ferney.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thgros.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30210,14 +29489,11 @@
     { "name": "todaciencia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thinkswap.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tibovanheule.site", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thecherryship.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tele-alarme.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tommounsey.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tilient.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "todosrv.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "telealarme.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thuthuatios.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thomasstevensmusic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "totoro.pub", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thisistheserver.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "teleallarme.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30228,7 +29504,6 @@
     { "name": "tircentrale.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tpansino.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "toka.sg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thierrybasset.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tokumei.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tinf15b4.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobyx.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30240,7 +29515,6 @@
     { "name": "themacoaching.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tkjg.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "startup.melbourne", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tjp.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobischo.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "trangcongnghe.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "top-obaly.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30288,7 +29562,6 @@
     { "name": "twem.ddns.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "twenty71.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ttll.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thaiforest.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tsukuba.style", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tuts4you.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "twincitynissantxparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30340,7 +29613,6 @@
     { "name": "upwork.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "twohuo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thebeginningisnye.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "trustfield.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vccmurah.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "umaimise.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vasports.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30355,7 +29627,6 @@
     { "name": "vernonchan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "u-tokyo.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "usebean.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "totalforcegym.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "unleash.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vicyu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "united-schools.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30377,10 +29648,8 @@
     { "name": "vionicbeach.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "urgences-valais.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "torbay.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "teoleonie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vandermeer.frl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vegepa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "univercite.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "visistruct.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "victornet.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vermuetje.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30392,18 +29661,15 @@
     { "name": "verzick.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "veverusak.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vaud-fleurs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "univitale.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viptamin.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vallutaja.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vitalyzhukphoto.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vlvvl.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "visaexpert.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vrlaid.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vaperolles.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "voidshift.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vladislavstoyanov.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "uniformecomgas.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "verstraetenusedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "versfin.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vagabondgal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "virtualvaults.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30413,8 +29679,6 @@
     { "name": "ventzke.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vivianmaier.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viceversa.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ucch.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vima.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vpn.pics", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vancouvercosmeticsurgery.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vamoaeturismo.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30437,16 +29701,11 @@
     { "name": "wafni.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webproshosting.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wadsworth.gallery", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "voicu.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vlsm.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webfox.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wearesouthafricans.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viabemestar.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "viralpop.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "viteoscrm.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "waaw.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vriesdonkow.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "visapourailleurs.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "websharks.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wellopp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "we.serveftp.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30481,10 +29740,8 @@
     { "name": "web2ldap.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wellbeing360.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wildboaratvparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "votresiteweb.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "waytt.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "weedypedia.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "webrentcars.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wjm2038.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "werehub.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webliberty.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30507,7 +29764,6 @@
     { "name": "vocalviews.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wprevs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webcookies.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wiliquet.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vos-fleurs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vos-fleurs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "willkommen-fuerstenberg.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30527,7 +29783,6 @@
     { "name": "wsup.social", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "writing-expert.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "writecustomessay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wirbatz.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wpturnedup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "victoreriksson.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "writingcities.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30551,9 +29806,7 @@
     { "name": "wrongware.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vpnservice.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wieobensounten.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whatsupoutdoor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wubify.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "xferion.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xkblog.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "woodev.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wrapitup.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30561,7 +29814,6 @@
     { "name": "www.re", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xmedius.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--gmq92k.nagoya", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wikipeter.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--l8j9d2b.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--baron-bonzenbru-elb.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "woheni.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30601,7 +29853,6 @@
     { "name": "yelp.com.tr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xubo666.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whitealps.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xyzulu.hosting", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30615,16 +29866,12 @@
     { "name": "yelp.com.ar", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.cl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.com.sg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whitealps.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.com.ph", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "www-1116.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.com.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--uist1idrju3i.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whitealps.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whitealps.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whitealps.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yemalu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30639,7 +29886,6 @@
     { "name": "yelp.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "whitealps.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yiyuanzhong.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yelp.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30683,12 +29929,10 @@
     { "name": "yumeconcert.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yggdar.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zeilles.nu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "yanngraf.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yourforex.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zeilenmethans.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yue2.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zlima12.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "yanngraf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zrniecka-pre-sny.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zepect.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zfree.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30723,7 +29967,6 @@
     { "name": "xn--e--ig4a4c3f6bvc5et632i.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--pck4e3a2ex597b4ml.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--e--0g4aiy1b8rmfg3o.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "zug-anwalt.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--vck8crcu789ajtaj92eura.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--t8j4aa4nkg1h9bwcvud.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wpunpacked.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30782,7 +30025,6 @@
     { "name": "4bike.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "5francs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "afbeelding.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "actionmadagascar.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aabanet.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alerts.sg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alextaffe.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30828,7 +30070,6 @@
     { "name": "arlenarmageddon.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alistairstowing.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arachina.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alphafiduciaryservices.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "areyouever.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antimatiere.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "afmtevents.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30852,7 +30093,6 @@
     { "name": "alroniks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anttitenhunen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aevpn.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alliances-globalsolutions.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "b8a.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aqua-fitness-nacht.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asmdz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30862,7 +30102,6 @@
     { "name": "amoozesh98.ir", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arox.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "azlo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "allo-credit.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arxell.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "astral.gq", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "acendealuz.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30885,7 +30124,6 @@
     { "name": "artartefatos.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "balslev.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bargainmovingcompany.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "atelierdefrancais.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bedrocklinux.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bar-harcourt.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apparels24.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30904,7 +30142,6 @@
     { "name": "bernhardluginbuehl.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "benediktdichgans.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bagspecialist.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "audiophile.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beyondthecode.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bernhardluginbuehl.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "billrobinson.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30925,7 +30162,6 @@
     { "name": "billy.pictures", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "24hrs.shopping", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "astutikhonda.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "base-autonome-durable.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bilder-designs.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bigerbio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bgtgames.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30985,8 +30221,6 @@
     { "name": "brandcodeconsulting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "birchbarkfurniture.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "birchbarkfurniture.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brickheroes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brickvortex.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "briefhansa.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "birchbarkfurniture.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cabaladada.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31056,7 +30290,6 @@
     { "name": "cd-sport.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chefgalles.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "christophebarbezat.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cftcarouge.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "citimarinestore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ckostecki.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cjdpenterprises.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31084,7 +30317,6 @@
     { "name": "commitsandrebases.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "connorsmith.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coda.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cambiowatch.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "codefordus.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coincolors.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "confidential.network", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31098,7 +30330,6 @@
     { "name": "clubedalutashop.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coigach-assynt.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comprehensiveihc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "client.coach", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "countingto.one", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cove.sh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "countyjailinmatesearch.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31121,7 +30352,6 @@
     { "name": "cookingcrusade.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "csharpmarc.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cosirex.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "coachezmoi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "controlarlaansiedad.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "csinfo.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cultofperf.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31159,7 +30389,6 @@
     { "name": "daemwool.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cosmeticosnet.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "corpoatletico.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "club103.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "darbi.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deborahmarinelli.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "daniel-stahl.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31172,10 +30401,7 @@
     { "name": "dengode.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deped.blog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dataformers.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "derrickemery.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "criadorespet.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cvl.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "decalquai.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dcautomacao.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "daren.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "defme.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31200,7 +30426,6 @@
     { "name": "devops.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dicoding.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "discord-chan.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dborcard.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "designgraphic.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dev-talk.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "do13.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31296,15 +30521,12 @@
     { "name": "enixgaming.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "en4rab.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "emergenzalavoro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "economiefidu.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecohostingservices.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ecosound.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecole-iaf.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elpoderdelespiritu.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erverydown.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eightyfour.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esipublications.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "edition-bambou.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elxsi.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "enduranceday.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eldertons.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31313,7 +30535,6 @@
     { "name": "doriginal.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evidence-based.review", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eventosenmendoza.com.ar", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "enigma.swiss", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esports-network.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etalent.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "drew.beer", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31330,14 +30551,12 @@
     { "name": "ebolsas.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecfnorte.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elementalict.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "effe.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eatfitoutlet.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evaartinger.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eyesoccer-didikh.rhcloud.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "erotpo.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fantasiapainter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evony.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "encretplomb.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esb112.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ewsfeed.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eonhive.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31349,7 +30568,6 @@
     { "name": "editoraacademiacrista.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "factorypartsdirect.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ezdog.press", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "diligo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fatedata.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "expandeco.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "escueladewordpress.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31359,7 +30577,6 @@
     { "name": "fashionunited.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "exside.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "expresswins.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "escontact.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eyes-of-universe.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "expert.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fanzlive.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31388,11 +30605,9 @@
     { "name": "emporiopatanegra.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "figan.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "emporiovinareal.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "findingkorea.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "facanabota.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fotohome.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "filewall.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "film.photography", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faixaazul.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "florinlungu.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fontawesome.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31430,7 +30645,6 @@
     { "name": "ferreteriaxerez.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "finnclass.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ftng.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fhconseil.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fullhub.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fyodorpi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frickelmeister.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31459,7 +30673,6 @@
     { "name": "geyduschek.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "girlsgenerationgoods.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fortricks.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "garagevanhulle-used.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "genfaerd.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fullautomotivo.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gochu.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31498,7 +30711,6 @@
     { "name": "hackmeplz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hamking.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "flyspace.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "grupomakben.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gruenderlehrstuhl.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gzom.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "health-match.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31567,7 +30779,6 @@
     { "name": "illuxat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hostarea51.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "increasetestosteronelevels.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hothbricks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "infotainworld.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "img.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "igi.codes", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31581,7 +30792,6 @@
     { "name": "ilamparas.com.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hoshimaquinas.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inorder.website", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "illusionephemere.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ilmataat.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imperialmiami.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inkhor.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31599,7 +30809,6 @@
     { "name": "indilens.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "instava.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "irvinepa.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "imi-rhapsody.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "infoweb.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "into.technology", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "irisjieun.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31641,17 +30850,14 @@
     { "name": "imperialonlinestore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jameshemmings.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "intertime.services", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "itecor.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jeffmcneill.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ispsoft.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joaosampaio.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "josemikkola.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "invisibles.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inflexsys.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jawnelodzkie.org.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "italyinspires.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jose.eti.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ivyshop.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jpmelos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jpmelos.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "janaundgeorgsagenja.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31674,7 +30880,6 @@
     { "name": "jez.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "juanxt.ddns.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kandec.co.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jeanneret-combustibles.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "josoansi.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "k82.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kambodja.guide", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31694,7 +30899,6 @@
     { "name": "kakoo.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kd.net.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kakoomedia.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jpdeharenne.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "judc-ge.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jundimax.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "judosaintdenis.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31705,9 +30909,7 @@
     { "name": "khs1994.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kalifornien-tourismus.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kloia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kelgtermans-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "katoju.co.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jimmyroura.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kostya.ws", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "klimchuk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kleberstoff.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31777,7 +30979,6 @@
     { "name": "liehuojun.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "logymedia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kyusyu.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lesecuadors.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "linkmauve.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "legjobblogo.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ledecologie.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31799,7 +31000,6 @@
     { "name": "lineauniformes.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lgpecasoriginais.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "locvis.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kreativelabs.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "loadwallet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "linuxchick.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lepiquillo.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31825,7 +31025,6 @@
     { "name": "lojavirtualfct.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "la-petite-entreprise.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lisowski-photography.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lirlandais.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "localdecor.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lojafilipaper.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lojashowdecozinha.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31833,7 +31032,6 @@
     { "name": "mac-world.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mailbox.mg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kitchenaccessories.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kohsandra.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lz.sb", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lojafazendoarte.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lojavisamed.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31873,21 +31071,18 @@
     { "name": "martin-arend.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mentalhealthmn.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meu-smartphone.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "masta.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "markrobin.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mallonline.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mariacristinadoces.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maisalto.ind.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "masterofbytes.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "matjaz.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "marche-contre-monsanto.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marcaudefroy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marketizare.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "materiaischiquinho.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mgoessel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "madcatdesign.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ltechnologygroup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "margo-co.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "megamarkey.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meehle.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mikehamburg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31898,7 +31093,6 @@
     { "name": "mi-so-ji.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "matlabjo.ir", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minnit.chat", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mdf-bis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "metacoda.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mestr.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marvinkeller.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31961,7 +31155,6 @@
     { "name": "mr-labo.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manager-efficacement.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "museumstreak.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "monachatdeco.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "milhoazul.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mystudycart.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nba-2k.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32072,8 +31265,6 @@
     { "name": "notablog.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nyphox.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "numwave.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nohkan.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "noorsolidarity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "octosys.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "octosys.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mrksk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32107,7 +31298,6 @@
     { "name": "novfishing.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "passrhcsa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "parksubaruoemparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "onlfait.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nuovamoda.al", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "passrhce.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "palavatv.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32199,9 +31389,7 @@
     { "name": "powersergusercontent.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "premiumweb.co.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "personnedisparue.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "parts4phone.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "postdeck.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "perroquet-passion.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "plantarum.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "planetasuboficial.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pc-tweak.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32213,7 +31401,6 @@
     { "name": "printery.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pixelesque.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "placassinal.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "projectvault.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "purplez.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "psycho.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pumperszene.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32259,7 +31446,6 @@
     { "name": "replaceits.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "redgatesoftware.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "regulations.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "planify.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "regnix.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rebirthia.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "raykitchenware.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32280,12 +31466,10 @@
     { "name": "rissato.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "renscreations.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rinvex.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "repaik.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "reposaarenkuva.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "redwoodpaddle.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "qoqo.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "resursedigitale.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rtwcourse.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pethelpers.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rinj.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rteplayer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32309,7 +31493,6 @@
     { "name": "rocketgnomes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "runschrauger.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saikou.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "resoplus.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rejushiiplotter.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rehabthailand.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saimoe.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32346,7 +31529,6 @@
     { "name": "santmark.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "priorite-education.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schraebanowicz.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pzgreni.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saxol-group.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "samuirehabcenter.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "santmark.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32361,7 +31543,6 @@
     { "name": "secureheaders.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "searchbrothers.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "santafemacas.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "salle-quali.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "searchbrothers.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "searchdatalogy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "searchbrothers.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32481,7 +31662,6 @@
     { "name": "stavros.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stephensol.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stephensolisrey.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "springfieldbricks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "steph3n.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sunshinesf.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sonoecoracao.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32489,7 +31669,6 @@
     { "name": "staxflax.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stephsolis.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "steinbergmedia.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "soldout-app.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sqroot.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stephensolis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stephensolis.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32523,7 +31702,6 @@
     { "name": "svj-stochovska.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "taoburee.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "street-smart-home.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sudmotor-occasions.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "taidu.news", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spdepartamentos.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stayme.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32555,7 +31733,6 @@
     { "name": "texhnolyze.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tetedelacourse.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "t2i.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "swissdojo.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shopcoupons.my", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tgexport.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tenispopular.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32592,12 +31769,10 @@
     { "name": "tjl.rocks", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "titanlab.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theroks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thebakers.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thomasetsophie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tomticket.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "timbishopartist.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thuisverpleging-meerdael.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tissot-mayenfisch.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "the.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "transcriptionwave.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tomwassenberg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32728,8 +31903,6 @@
     { "name": "trush.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "weareincognito.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "valentineapparel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "usipvd.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "unerosesurlalune.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wearewithyou.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vonborstelboerner.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tutiendarosa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32761,8 +31934,6 @@
     { "name": "webfronten.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "victorenxovais.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "windowwellexperts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vsl-defi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vm-co.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viniferawineclub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wedding-m.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vyshivanochka.in.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32799,10 +31970,8 @@
     { "name": "wir-bewegen.sh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wmaccess.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "workplaces.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "weemake.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webwolf.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vapesense.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "welcome26.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "x-lan.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wikibulz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "windowwellcovers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32841,7 +32010,6 @@
     { "name": "yubico.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yubico.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yubico.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "voyagesaufildespages.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yubico.mobi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yosheenetwork.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yubico.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32869,7 +32037,6 @@
     { "name": "zlatakus.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zdx.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--q9jb1h5dvcspke3218b9mn4p0c.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "zone-produkte.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--n8j7dygrbu0c31a5861bq8qb.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zerosource.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--u9j0ia6hb7347cg8wavz0avb0e.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32886,7 +32053,6 @@
     { "name": "yandere.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--6x6a.life", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xiaoyu.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "welcome-tahiti.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "westcentenaryscouts.org.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aiforsocialmedia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "digitalrights.center", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33349,7 +32515,6 @@
     { "name": "rockuse.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rohanbassett.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rpine.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rtsr.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rubymartin.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "salishseawhalewatching.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "samsungxoa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33452,7 +32617,6 @@
     { "name": "7delights.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "7delights.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "8tuffbeers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aalstmotors-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ac0g.dyndns.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "actu-film.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adelightfulglow.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33475,19 +32639,12 @@
     { "name": "andrewpeng.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antirepressionbayarea.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anyfood.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "appartement-evolene.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apponic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "apps4inter.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "araro.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "areaclienti.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arenns.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arislight.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arminc.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "artmaxi.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asge-handel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "astroscopy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "astural.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "atelierssud.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "atelierssud.swiss", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "august.black", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "autozane.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33504,9 +32661,6 @@
     { "name": "beehive.govt.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ben2.co.il", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bengalurugifts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "benjaminpiquet.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bergevoet-fa.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bernadetteanderes.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "besthotsales.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bet-99.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beyondtodaymediagroup.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33517,7 +32671,6 @@
     { "name": "bititrain.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bizpare.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bkhpilates.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "blogpentrusuflet.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bluemeda.web.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bobstronomie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bodymusclejournal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33531,21 +32684,16 @@
     { "name": "bouchonville-knifemaker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bourqu.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bowlsheet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "boz.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bqr.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brasilien.guide", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "breathedreamgo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bretcarmichael.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bricolajeux.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bs.sb", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "btku.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "businessmodeler.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "butikvip.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bynder.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "capitainebaggy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "casa-mea-inteligenta.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catchief.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cdbf.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cenatorium.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "centurialeonina.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "certmonitor.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33562,7 +32710,6 @@
     { "name": "clayandcottonkirkwood.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "codejunkie.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "codespromo.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "compliance-management.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "compuplast.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "convexset.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coonelnel.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33578,23 +32725,18 @@
     { "name": "darlastudio66.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dasgeestig.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "datakick.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "datascience.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "datenschutzgrundverordnung.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "datingticino.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ddel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "de-mail.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deeparamaraj.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "denis-martinez.photos", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "digicert-support.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dingcc.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "disanteimpianti.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "discoverwellness.center", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dismail.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "divenwa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "donmaldeamores.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "doriangirod.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dotnetsandbox.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "doyoutax.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "doze-cloud.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dreamhack.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "drivewithstatetransit.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33606,7 +32748,6 @@
     { "name": "easy-factures.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "echodio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecovision.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ecrandouble.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "electricgatemotorgermiston.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elinevanhaaften.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elixir.bzh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33615,7 +32756,6 @@
     { "name": "entaurus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eoitek.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "equinox.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "erath.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esb111.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "espacio-cultural.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evelienzorgt.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33654,7 +32794,6 @@
     { "name": "gisgov.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gitep.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "glavsudexpertiza.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "globalventil.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gosciencegirls.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gourmetfestival.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gozadentro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33669,9 +32808,6 @@
     { "name": "grothoff.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guides-peche64.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gustaff.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gymnaserenens.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gyre.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gyrenens.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "haloobaloo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "harald-pfeiffer.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "haven-staging.cloud", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33684,7 +32820,6 @@
     { "name": "hhidr.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hialatv.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hidedd.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "highlatitudestravel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hill.selfip.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hippo.ge", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hoast.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33704,12 +32839,10 @@
     { "name": "hybridiyhdistys.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hybridklubben.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ibrainmedicine.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "icmhd.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "idatha.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ifort.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ima-tourcoing.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imgul.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "immo-passion.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "independencerecovery.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inexlog.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ingo-schlueter.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33717,7 +32850,6 @@
     { "name": "inter-corporate.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "intraobes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ioslo.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ip3office.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iplantom.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ipo-times.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "islandpumpandtank.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33726,7 +32858,6 @@
     { "name": "ivanpolchenko.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "izumi.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jakewalker.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "james-parker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "janada.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jeremy-chen.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jevisite.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33791,7 +32922,6 @@
     { "name": "matthewtester.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "maxhorvath.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mayoristassexshop.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mazda-thermote.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mcuexchange.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meincoach.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "melonstudios.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33812,9 +32942,6 @@
     { "name": "mubiflex.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multimail.work", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multivpn.com.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "my-contract.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "my-contract.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "my-contract.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "my-host.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mybb.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myday.eu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33822,12 +32949,9 @@
     { "name": "myspa.asia", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nataldigital.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nathumarket.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "natives-team.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nawroth.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "neavision.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nerot.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "neuch.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nezrouge-est-vaudois.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ngiemboon.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nico.st", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "niess.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33838,11 +32962,9 @@
     { "name": "nosyu.pe.kr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nova-wd.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "noyocenter.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nrev.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nuamooreaindonesia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "obamalibrary.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "obrienlab.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oc-sa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "octohedralpvp.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "officium.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ogis.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33886,19 +33008,14 @@
     { "name": "primordialsnooze.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "principalstest.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "probiv.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "prof.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "projectx.top", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "projest.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "promolover.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "proplan.co.il", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "provence-appartements.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pscleaningsolutions.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "purrfect-box.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pwi.agency", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "qhse-professionals.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "qualite-ecole-et-formation.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "quality-life.gr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "quanterra.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "quantor.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "r-ay.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ragnaroktop.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33909,13 +33026,11 @@
     { "name": "recantoshop.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "redair.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "renascentia.asia", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "renaultclubticino.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "report-incident.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "restoruns.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rivercruiseadvisor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "robinflikkema.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "roeldevries.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rootsbar.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rosesciences.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "roussos.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rove3d.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33933,11 +33048,9 @@
     { "name": "santmark.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saxojoe.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sb-tuning.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "scswam.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seatshare.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "secutrans.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seraph.tokyo", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "serrano-chris.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "serw.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "setuid0.kr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "severine-trousselard.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33949,7 +33062,6 @@
     { "name": "shoprsc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shrinidhiclinic.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "silashes.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "simmis.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "simon-mueller.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "simpbx.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sinkip.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34003,8 +33115,6 @@
     { "name": "thehivedesign.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thepaulagcompany.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thepromisemusic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thesharedbrain.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thesharedbrain.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thestrategyagency.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thewebflash.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thiepcuoidep.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34043,11 +33153,9 @@
     { "name": "variablyconstant.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "varimedoma.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vbcdn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "verbierfestival.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vidiproject.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vierdaagsehotel.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viltsu.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vinticom.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "virtusaero.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "visual-cockpit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vivirenelmundo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34061,12 +33169,6 @@
     { "name": "watchfreeonline.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wbci.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wbx.support", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "webneuch.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "webneuch.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "webneuch.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "webneuch.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "webneuch.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "webneuch.swiss", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "weyland-yutani.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "widegab.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wintermeyer-consulting.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34105,8 +33207,6 @@
     { "name": "899699.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "98laba.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "98laba.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "abvlbasketviganello.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "academie-de-police.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allesisonline.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alphabetsigns.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrewdaws.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34215,7 +33315,6 @@
     { "name": "risiinfo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "royalcitytaxi.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sahb.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "samaritainsmeyrin.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sat7a-riyadh.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sbanken.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schlueter-software.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34274,7 +33373,6 @@
     { "name": "a1scubastore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "abaapplianceservice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "abcdentalcare.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "abeilles-idapi.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "academy4.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "achtzehnterachter.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "actionlabs.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34306,7 +33404,6 @@
     { "name": "ais.fashion", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ajibot.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alaboard.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alchimic.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alexeykopytko.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alexmol.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "algoentremanos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34335,15 +33432,11 @@
     { "name": "anthedesign.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antoinebetas.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aomberg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "appt.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aprefix.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "araxis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "area3.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arethsu.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "arganaderm.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ariba.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arizonaautomobileclub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "arjanvaartjes.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arjunasdaughter.pub", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "armeni-jewellery.gr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arnoudraeven.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34359,7 +33452,6 @@
     { "name": "astutr.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asustreiber.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "atmocdn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aubergegilly.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "augrandinquisiteur.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "auroraassociationofrealtors.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "auslandsjahr-usa.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34396,9 +33488,7 @@
     { "name": "baychimo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bazaarcompass.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bb37roma.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bblsa.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bclogandtimberbuilders.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "beatrizaebischer.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bebes.uno", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bedfordnissanparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beermedlar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34420,7 +33510,6 @@
     { "name": "bewerbungsfoto-deinfoto.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bewertet.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bezemkast.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bft-media.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bhost.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biaoqingfuhao.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "biaoqingfuhao.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34457,7 +33546,6 @@
     { "name": "brecknell.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brecknell.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "briangarcia.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "brianwesaala.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bridgingdirectory.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brilliantproductions.co.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "brinkmann.one", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34494,7 +33582,6 @@
     { "name": "carrierplatform.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "carthedral.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "casamariposaspi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cashlogic.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "caspicards.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catbull.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "catdecor.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34502,11 +33589,9 @@
     { "name": "cavevinsdefrance.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ccgx.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "centralcountiesservices.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "centredaccueil.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "certmonitor.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cfno.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cgsmart.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chambion.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "charakato.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "charlimarie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatsworthelectrical.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34519,7 +33604,6 @@
     { "name": "chessreporter.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "childrenandmedia.org.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chinatrademarkoffice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chocolatier-tristan.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chowii.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "christian-liebel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "christianfaq.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34551,7 +33635,6 @@
     { "name": "colorectalcompounding.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comicrelief.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comicwiki.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "commechezvous.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "community-cupboard.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comopuededejardefumar.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "compostatebien.com.ar", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34579,7 +33662,6 @@
     { "name": "cross-link.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "crypalert.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "csilies.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cstb.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cuanhua3s.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "customgear.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cuxpool.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34680,8 +33762,6 @@
     { "name": "e2feed.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "e64.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "easycoding.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "eauxdespleiades.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ecolemathurincordier.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edenvalerubbleremovals.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edhesive.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edstep.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34710,7 +33790,6 @@
     { "name": "enrollapp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "enterprivacy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epave.paris", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "epi.one", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epilis.gr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eposkent.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eposleeds.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34722,12 +33801,10 @@
     { "name": "esball.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eshepperd.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esp.community", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "espace-caen.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "esslm.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "estespr.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etccooperative.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etincelle.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "etre-vivant.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evailoil.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "everydaywot.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "everytruckjob.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34795,7 +33872,6 @@
     { "name": "formkiq.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "forourselves.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fortran.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "foxphotography.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frantorregrosa.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frauenarzt-zinke.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fredliang.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34828,12 +33904,10 @@
     { "name": "gamesplanet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gameswitchers.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "garage-door.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "garage-leone.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gautham.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gauthier.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gazette.govt.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gbit.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gboys.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gdhzcgs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geekbaba.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gehrke.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34938,7 +34012,6 @@
     { "name": "hulet.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "humanexperiments.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hyckenberg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "i-proswiss.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iacono.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iberiaversicherungen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ibiz.mk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34957,7 +34030,6 @@
     { "name": "ilhan.name", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iligang.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imlinan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "impactpub.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inchcape-fleet-autobid.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "indianaantlersupply.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "indieethos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35082,7 +34154,6 @@
     { "name": "kyle.place", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "la-tourmaline.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "laatikko.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "labiblioafronebrulepas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "labobooks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ladybugjam.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ladylikeit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35094,7 +34165,6 @@
     { "name": "lakehavasuhouserentals.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lakehavasuhouses.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lakehavasuwebsites.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lalyre-corcelles.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lanetix.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lanturtle.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "larraz.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35110,9 +34180,6 @@
     { "name": "leinfelder.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lennyfaces.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leon.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "leretour.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lesplatanes.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lesterrassesdusoleil.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lexpartsofac.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lianwen.kim", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "libmpq.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35138,8 +34205,6 @@
     { "name": "lstma.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lubar.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "luganskservers.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lunidea.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lunidea.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "luso-livros.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "luvare.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "luxcraft.eng.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35165,7 +34230,6 @@
     { "name": "mamospienas.lt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mandm.servebeer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manfredgruber.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mankans.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manneguiden.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manualscollection.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manuel-schefczyk.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35192,12 +34256,9 @@
     { "name": "mbits.solutions", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "media-pi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mediadandy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mediagenic.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mediationculturelleclp.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "medstreaming.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "medtankers.management", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meetingfriends.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "meeusen-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mehmetakif.edu.tr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mehr-schulferien.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meierhofer.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35215,14 +34276,12 @@
     { "name": "merimatka.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "merlet.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "messagescelestes.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "metalu.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meteo-parc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "metrix.design", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meupedido.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mfgod.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mhi.web.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "micaiahparker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "micalodeal.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "michael-schefczyk.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "michael-schilling.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "michaelasawyer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35262,7 +34321,6 @@
     { "name": "mszavodumiru.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mullen.net.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multi-vpn.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "multirep.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multivpn.cn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multivpn.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multivpn.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35341,7 +34399,6 @@
     { "name": "on-te.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "on-tech.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onestepfootcare.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "oniria.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onlinebillingform.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onlinecasino.vlaanderen", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "onlinerollout.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35364,14 +34421,11 @@
     { "name": "oskrba.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "otakurumi.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "outdoorimagingportal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "overdrive-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "owl-stat.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "owlishmedia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paazmaya.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "painlessproperty.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paktolos.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pantallasled.com.mx", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pantographe.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "parisescortgirls.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "parleamonluc.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "partycentrumdebinnenhof.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35393,7 +34447,6 @@
     { "name": "photodeal.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "piedfeed.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "piercing-store.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pilani.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "piratepay.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "piratepay.ir", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pitot-rs.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35417,7 +34470,6 @@
     { "name": "pokomichi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "polandb2b.directory", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "polish.directory", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "poly-fast.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ponga.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ponteus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pop-corn.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35453,8 +34505,6 @@
     { "name": "probely.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "processesinmotion.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "proft.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "progiscad.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "project-splash.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "project-stats.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "projectherogames.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "promoterms.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35509,7 +34559,6 @@
     { "name": "ricknox.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rienasemettre.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "risada.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rivierasaints.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rmcbs.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "robinvdmarkt.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "robpol86.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35565,7 +34614,6 @@
     { "name": "scis.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scorp13.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scripo-bay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "scuolaguidalame.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "se7ensins.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "search-job-in.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35581,7 +34629,6 @@
     { "name": "selkiemckatrick.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sellguard.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sentinel.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "septfinance.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sergos.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "serve-a.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "servea.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35608,8 +34655,6 @@
     { "name": "silviamacallister.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "simpleinout.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "simplewire.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "simplylovejesus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sin.swiss", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "singerwang.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sistel.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "skei.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35673,7 +34718,6 @@
     { "name": "suuria.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "suvidhaapay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sw33tp34.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sweepay.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "swiftconf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "switch.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "switzerland-family-office.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35706,7 +34750,6 @@
     { "name": "thedrunkencabbage.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theeducationchannel.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theevergreen.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "theferrarista.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thefrk.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thehookup.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thestoritplace.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35773,7 +34816,6 @@
     { "name": "uploadbro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ursae.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "urukproject.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ussuka.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ut-addicted.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "uuit.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "uzaymedya.com.tr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35784,8 +34826,6 @@
     { "name": "valika.ee", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "valkor.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vanderkroon.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vareillefoundation.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vareillefoundation.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "variable.agency", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vcdn.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vcsjones.codes", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35797,7 +34837,6 @@
     { "name": "venturum.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "venturum.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "venturum.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vernaeve-usedcars.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vernonhouseofhope.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vernonsecureselfstorage.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "verteilergetriebe.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35830,7 +34869,6 @@
     { "name": "webaeon.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webapky.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webappky.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "webclimbers.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webkeks.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webnoob.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "websites4business.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35913,7 +34951,6 @@
     { "name": "yuxuan.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zach.codes", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zaoext.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "zavec.com.ec", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zebbra.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zeguigui.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zestylemon.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35930,7 +34967,6 @@
     { "name": "zuppy.pm", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zuralski.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zutsu-raku.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "zwy.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zyciedlazwierzat.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "188522.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arai21.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -36649,7 +35685,6 @@
     { "name": "akkbouncycastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "albbounce.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alchemia.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "alexvdveen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alice-noutore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allaboutfunuk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allactioneventhire.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -37410,7 +36445,6 @@
     { "name": "katscastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kbbouncycastlehire.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kbleventhire.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "keinanung.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kellyskastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kensbouncycastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "keycontainers.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -37724,7 +36758,6 @@
     { "name": "prestigeeventshire.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "primalinea.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pristineevents.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "proautorepairs.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "projectcastle.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "promarketer.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "provokator.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38339,7 +37372,6 @@
     { "name": "drdavidgilpin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dreyfussplasticsurgery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dstamou.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "duan.li", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dujsq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dujsq.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dziurdzia.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39244,7 +38276,6 @@
     { "name": "prosenseit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "puhka.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qswoo.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ranyeh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "raspberryultradrops.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rathbonesonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "raven.dog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39268,7 +38299,6 @@
     { "name": "servers4all.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shellj.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shellshock.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "shoxmusic.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sigma-signalisation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "significantbanter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "simpleindianrecipes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39406,7 +38436,6 @@
     { "name": "accessoripersmartphone.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "acemypaper.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "acordes.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "adorade.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "africanimpact.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agoodmind.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agoravox.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39469,7 +38498,6 @@
     { "name": "bran.soy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brandweertrainingen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bravehearts.org.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bridgevest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brokervalues.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bsdunix.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buy-thing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39693,8 +38721,6 @@
     { "name": "lostandcash.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lsvih.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "luckyfrog.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lukestebbing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lunis.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lusynth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lv5.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lyoness.digital", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39936,7 +38962,6 @@
     { "name": "00660066.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "00770077.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "00880088.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "00990099.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "110110110.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "112112112.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "113113113.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -40005,7 +39030,6 @@
     { "name": "aboutyou.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aboutyou.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "abstractbarista.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "accredit.ly", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aceanswering.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "acroso.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "actom.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -40419,7 +39443,6 @@
     { "name": "checkspf.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cheladmin.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chemicalcrux.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "chemiphys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cherie-belle.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cherylsoleway.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chiboard.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -40837,7 +39860,6 @@
     { "name": "getteamninja.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gfms.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gfw.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ghid-pitesti.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "giethoorn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gigime.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ginza-luce.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -41896,7 +40918,6 @@
     { "name": "ybscareers.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yenibilgi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yetishirt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "yimgo.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yocchan1513.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yoga-alliance-teacher-training.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yongbin.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42094,7 +41115,6 @@
     { "name": "chatzimanolis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "checkmypsoriasis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cheesehosting.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "chicagolug.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chilio.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chrislane.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "christianpeltier.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42183,7 +41203,6 @@
     { "name": "druznek.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dso-imaging.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "duchyoffeann.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "duct.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dunamiscommunity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dushu.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "e-tonery.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42318,7 +41337,6 @@
     { "name": "hazukilab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hcaz.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "heatershop.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "hermes.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hiv.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hnfertilizermachine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "holmq.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42497,9 +41515,7 @@
     { "name": "noobswhatelse.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nordicirc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nova.com.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "novojet.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nv.gw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "nybiz.nyc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nytrafficticket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ochrepoint.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ochsenfeld.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42524,7 +41540,6 @@
     { "name": "padberx-marketing-consultants.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "paintball-shop.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "paketo.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "paleotraining.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "panaxis.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "panaxis.li", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "panpa.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42708,7 +41723,6 @@
     { "name": "strategiccapital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "strongpassword.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stubbings.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "studentfinancecountdown.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "studiogavioli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "studiolegalepaternostro.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "studipro-formation.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42975,7 +41989,6 @@
     { "name": "blupig.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "boat-engines.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "boskeopolis-stories.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "brainbuxa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "breadofgod.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bremen-restaurants.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "briefvorlagen-papierformat.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43029,7 +42042,6 @@
     { "name": "craftsmandruggets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cretica.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "croceverdevb.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "crosslifenutrition.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "crownchessclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "csi.lk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "customdissertation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43110,7 +42122,6 @@
     { "name": "expoort.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "exporo.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fackovec.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fai.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fansided.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "faxvorlagen-druckvorlagen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fdn.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43613,7 +42624,6 @@
     { "name": "wafelland.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "warekit.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wasserburg.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "wdol.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "web-dl.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "webcreation.rocks", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wedotrains.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43745,7 +42755,6 @@
     { "name": "autospurgo.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "awxg.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b72.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "baches-piscines.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "badgesenpatches.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "balia.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "balticnetworks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43863,7 +42872,6 @@
     { "name": "dietacelulitis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dietafeliz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "divi-experte.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "djsk.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dko-steiermark.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dmailshop.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dmmultionderhoud.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -44056,7 +43064,6 @@
     { "name": "laranjada.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "larbertbaptist.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lavasing.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "laylo.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lemouillour.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lespret.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "letraba.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -44195,7 +43202,6 @@
     { "name": "poopr.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "portofala.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "posyperfume.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "precision.st", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prijsvergelijken.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "primalbase.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pristinegreenlandscaping.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -44377,7 +43383,6 @@
     { "name": "wallacehigh.org.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wallacequinn.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waterdrop.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "webgaff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "weedcircles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wella-download-center.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "welpo.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45390,7 +44395,6 @@
     { "name": "dsteiner.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dubaosheng.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dumont.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dung-massage.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "duonganhtuan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dwbtoftshit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dwellstudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45617,7 +44621,6 @@
     { "name": "meraseo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mes-bouquins.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "metanodo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mijnetz.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "moc.ac", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "modalrakyat.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "molokai.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -46320,7 +45323,6 @@
     { "name": "midgawash.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mightymillionslottery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mikumaycry.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "milanstephan.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mirepublic.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "misanci.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mizuho-trade.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -46335,7 +45337,6 @@
     { "name": "mr-coffee.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "msopopop.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "multitec.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mumakil.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "murashun.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "my4thtelco.com.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mydreamshaadi.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47018,7 +46019,6 @@
     { "name": "f13cybertech.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fastforwardsociety.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ffsociety.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fojing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freakyawesome.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freakyawesome.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freakyawesome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47033,9 +46033,7 @@
     { "name": "giuem.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "glykofridis.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "golfpark-bostalsee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "guoke.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gut8er.com.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "h404bi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hackreone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hahay.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hajekj.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47113,7 +46111,6 @@
     { "name": "office-discount.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onionplay.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onyxgen.duckdns.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "opticaltest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "orbu.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oryva.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "overwall.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47184,12 +46181,10 @@
     { "name": "verwayen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "viris.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vistec-support.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vreaulafacultate.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vwhcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wakandasun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "walshbanks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "warofelements.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "websec.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wenchieh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wine-tapa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wisal.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47281,7 +46276,6 @@
     { "name": "basementfinishingohio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "batch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bbj.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bednar.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "betterweb.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bezr.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "biehlsoft.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47574,7 +46568,6 @@
     { "name": "jimbiproducts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jmcataffo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jtl-software.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "juusujanar.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jydemarked.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kabarlinux.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kagitreklam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48075,7 +47068,6 @@
     { "name": "bytesign.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cad-noerdlingen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cangku.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "cangku.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "carassure.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cascadesjobcorpscca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "casio-caisses-enregistreuses.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48268,7 +47260,6 @@
     { "name": "geektimes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "genderidentiteit.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "geomex.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "geschichtscheck.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "getpei.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gigis-pizzeria.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gigseekr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48322,7 +47313,6 @@
     { "name": "ignacjanskiednimlodziezy.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "illumed.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "import-shopping.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "imwnk.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "instant-thinking.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intelhost.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intergozd.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48425,7 +47415,6 @@
     { "name": "massive.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "material-ui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "matratzentester.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "matthiasheil.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "matway.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "max-mad.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maya-ro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48499,13 +47488,11 @@
     { "name": "oosoo.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oreskylaw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "orgsyn.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "orkiv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "osworx.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ourls.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pacatlantic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "packair.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pahnid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "paranormalweirdo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "parksland.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "parry.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "paste.gg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48532,7 +47519,6 @@
     { "name": "qaz.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qtn.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qwallet.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "r18.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rai-co.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "readingrats.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "reakyaweso.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48603,7 +47589,6 @@
     { "name": "ssmca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ssready.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ssuc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "st-antonius-kuenzell.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "staticline.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stationatbuckscounty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stationatlyndhurst.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48635,7 +47620,6 @@
     { "name": "theosblog.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thereaper.net.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thestationatwillowgrove.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "thestonegroup.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thewinstonatlyndhurst.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thiagohersan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thienteakee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48672,7 +47656,6 @@
     { "name": "urcentral.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "use.ci", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uwelilienthal.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vacationsbyvip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "varztupasaulis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "varztupasaulis.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "varztupasaulis.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48865,7 +47848,6 @@
     { "name": "brand-foo.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bsee.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buchwegweiser.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "burotec-sarl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buurtpreventiefraneker.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bvgg.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bytes.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48949,7 +47931,6 @@
     { "name": "divari.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "divorciosmurcia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dk-kromeriz.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "domainwatch.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dowellconsulting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dozecloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dpi-design.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49152,7 +48133,6 @@
     { "name": "intelhost.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "invuite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ipssl.li", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "irgendeine.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isabellavandijk.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isarklinikum.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isastylish.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49213,7 +48193,6 @@
     { "name": "lapix.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lauxzahnheilkunde.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "legalinmotion.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "legendarycamera.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lehti-tarjous.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lethbridgecoffee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "leviscop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49389,7 +48368,6 @@
     { "name": "photographersdaydream.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "phpinfo.in.th", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "physiotherapie-seiwald.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pianyigou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pikimusic.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pildat.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pineapplesapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49838,7 +48816,6 @@
     { "name": "discord4j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dkstage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dns-swiss.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "domain-swiss.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "domeconseil.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "donkennedyandsons.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "doomtech.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49951,7 +48928,6 @@
     { "name": "fegame.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fgdc.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fijnefeestdageneneengelukkignieuwjaar.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "finecocoin.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "firmen-assekuranz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "flashbeing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fnfpt.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50065,7 +49041,6 @@
     { "name": "klebeband.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "koe.hn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "koyo.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kroy.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kunstschule-krabax.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kyoto-sake.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lagodny.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50270,7 +49245,6 @@
     { "name": "piscine.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pj881988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "plantes.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "plantezcheznous.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "plzz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "poncho-bedrucken.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "porchdaydreamer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50762,7 +49736,6 @@
     { "name": "onepointsafeband.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onepointsafeband.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "online-horoskop.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "onnext.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "openbankproject.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "openstreetmap.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "orangenuts.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50793,7 +49766,6 @@
     { "name": "qqrss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qqvrsmart.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "r-t-b.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "rendre-service.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rnbjunk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "robtatemusic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "romanticfirstdance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50853,7 +49825,6 @@
     { "name": "transgendernetwerk.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "truckgpsreviews.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "truessl.shop", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ttwt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tutu.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uldsh.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vat.direct", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51374,7 +50345,6 @@
     { "name": "mivzakim.mobi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mivzakim.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mivzakim.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mixinglight.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mlytics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mmaps.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mo2021.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51564,7 +50534,6 @@
     { "name": "sms.storage", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "snowyluma.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sociability.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "somewherein.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sondersobk.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "soquee.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "soundbytemedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51910,7 +50879,6 @@
     { "name": "jeroldirvin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jessicahrehor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jisha.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "joaoaugusto.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jockbusuttil.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jockbusuttil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jockbusuttil.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51962,7 +50930,6 @@
     { "name": "nazigol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nebenbeiblog.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nevergreen.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "nexril.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nextcloud.nerdpol.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nhgteam.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ninverse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52149,7 +51116,6 @@
     { "name": "adwokatzdunek.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "affordableblindsexpress.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ag8-game.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "agendatelefonica.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agostinhoenascimento.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agscinemas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agscinemasapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52293,7 +51259,6 @@
     { "name": "bztraveler.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "c0rporation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cabineritten.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "caleb.cx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "calendly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "calrotaract.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cambridge-security.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52823,7 +51788,6 @@
     { "name": "milsonhypnotherapyservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "minetracker.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "misinstrumentos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mitre10.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mivzaklive.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mizu.coffee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mobisium.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52844,7 +51808,6 @@
     { "name": "mrprintables.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mrtunnel.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mu3on.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "muitadica.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "murray.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "my-best-wishes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "myamihealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52907,7 +51870,6 @@
     { "name": "oldita.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oles-hundehaus.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "olifant.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "onesnzeroes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onionbot.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "opportunity.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oppwa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52955,7 +51917,6 @@
     { "name": "photography-workshops.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "phumin.in.th", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pie-express.xxx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pigs.pictures", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pilatescenteraz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pintosplumbing.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pizza-show.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53215,7 +52176,6 @@
     { "name": "thebinarys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thebulletin.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thecookiejar.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "thefourthmoira.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thefuckingtide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thehoryzon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thelatedcult.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53293,7 +52253,6 @@
     { "name": "vandorenscholars.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vandyhacks.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vangoghcoaching.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vantaio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "varalwamp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vendermicasarapido.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "verifiedjoseph.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53311,7 +52270,6 @@
     { "name": "vrjetpackgame.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vsestoki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vuojolahti.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vv1234.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vwfsrentacar.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w1221.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wandystan.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53369,7 +52327,6 @@
     { "name": "xoonth.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yellowfly.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yhfou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "yiheng.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yogahealsinc.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yourtrainingsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yrjanheikki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53429,7 +52386,6 @@
     { "name": "aquelarreweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "arnevankauter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "arose.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "arrowheadflats.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "atelierfantazie.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "austinlockout.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "austintxacrepairtoday.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53723,7 +52679,6 @@
     { "name": "mchel.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mcon.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mds-paris.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mebanesteakhouse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meditel.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "medmarkt24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "medvedikorenka.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53840,7 +52795,6 @@
     { "name": "qualpay.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "queene.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "queextensiones.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "quizstore.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "r3bl.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "radarnext.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rail24.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53999,13 +52953,11 @@
     { "name": "vitra-showrooms.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vrij-links.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vwo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "waldkinder-ilmenau.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waligorska.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "walksfourpaws.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wanlieyan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wapking.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waterbrook.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "weaspireusa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "webauthority.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "webdollarvpn.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "webexpertsdirect.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54144,7 +53096,6 @@
     { "name": "cursossena.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cybercrime.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cypherpunk.observer", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "deadinsi.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "denwauranailab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "devnull.zone", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "devragu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54195,7 +53146,6 @@
     { "name": "gfwno.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gimme.money", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "grandcapital.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grippe-impftermin.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hagiati.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hatpakha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "healthcultureexpo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54247,7 +53197,6 @@
     { "name": "lormansas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lucafontana.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lumminary.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lunastrail.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "m-gh.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "magic-cards.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "magiccards.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54447,7 +53396,6 @@
     { "name": "233bwg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "291167.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "2h-nagoya.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "2nics.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "2y.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "51tiaojiu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "66bwf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54468,7 +53416,6 @@
     { "name": "ad13.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "adra.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ae-construction.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "aelisya.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aerapass.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "afcompany.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "afcurgentcarelyndhurst.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54629,7 +53576,6 @@
     { "name": "chabik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chang-feng.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chbk.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "checkmyip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chilimathwords.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chovancova.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ciiex.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54906,7 +53852,6 @@
     { "name": "lignite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "likesforinsta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "likui.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "linux.pizza", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "liquipedia.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "littleboutiqueshop.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "littleboutiqueshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55131,7 +54076,6 @@
     { "name": "puralps.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pursuedtirol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pushphp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pyxo.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qlix.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qualityhvacservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quarus.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55272,7 +54216,6 @@
     { "name": "softbebe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "solepurposetest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "solitairenetwork.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "somepills.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "southernlights.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "southernstructuralsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "space-y.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55422,7 +54365,6 @@
     { "name": "yoppoy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "you2you.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yourstake.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "yuntong.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zacco.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zerowastesavvy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zionnationalpark.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55567,7 +54509,6 @@
     { "name": "bejarano.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "berger-chiro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bernardez-photo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "berndklaus.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bescover.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "best-accounting-schools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "best-art-colleges.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55656,7 +54597,6 @@
     { "name": "cloudcrux.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "club-climate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cnlau.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "codein.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "codemill.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cognixia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cololi.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55721,7 +54661,6 @@
     { "name": "docusearch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "doge.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "doge.town", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "doki.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dorpshuis-dwarsgracht.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dr-it.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "drump-truck.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55753,7 +54692,6 @@
     { "name": "eosol.zone", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eromon.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esgen.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "eslint.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "essayace.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "estherlew.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esuretynew.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56307,12 +55245,10 @@
     { "name": "thevoya.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thewayofthedojo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ticketdriver.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "timelessskincare.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tlyphed.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tmas.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "todoereaders.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tohochofu-sportspark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "toldositajuba.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tom94.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tomik.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "toontownrewritten.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56330,7 +55266,6 @@
     { "name": "trustedbody.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "truyenfull.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tuev-hessen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tuimprenta.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tweedehandslaptophardenberg.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uaci.edu.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ubcani.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56576,7 +55511,6 @@
     { "name": "fateitalia.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "faultlines.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fbi.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fccarbon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "feeeei.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "feuerwehr-gebirge.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "finkmartin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56622,7 +55556,6 @@
     { "name": "indiecongdr.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "info-screen-usercontent.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "interpol.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "introverted.ninja", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "invasivespeciesinfo.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "invinoaustria.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "invinoaustria.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56785,7 +55718,6 @@
     { "name": "rteguide.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rteworld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rths.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "rthsoftware.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rttss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ryssl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saidtezel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56822,7 +55754,6 @@
     { "name": "spartacuslife.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "spectroom.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "spectrum.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sportabee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "st-bede.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "steemyy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stfrancisnaugatuck.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56988,7 +55919,6 @@
     { "name": "buyebook.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buzzcontent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "calculadoraconversor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "canyons.media", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "carroattrezzimilanodaluiso.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "casa-lunchbreak.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "case-vacanza-salento.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57010,7 +55940,6 @@
     { "name": "coffeetime.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cognicom-gaming.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "communitymanagertorrejon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "computerbas.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "conpath.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "conradsautotransmissionrepair.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "consultoriadeseguranca.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57184,7 +56113,6 @@
     { "name": "margots.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "margots.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "margots.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "markus-blog.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "martialarts-wels.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "massvow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maxbachmann.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57388,7 +56316,6 @@
     { "name": "wxkxsw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wyysoft.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xeryus.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "xfcy.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xgzepto.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xlui.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--irr.xn--fiqs8s", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57750,7 +56677,6 @@
     { "name": "epi-lichtblick.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "epspolymer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ericschwartzlive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ero.ink", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eshspotatoes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "espanolseguros.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "espower.com.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57895,7 +56821,6 @@
     { "name": "indie.dog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "indigotreeservice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "inframint.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "inno.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "innotas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "insidesolutions.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "inspiredrealtyinc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57960,7 +56885,6 @@
     { "name": "kontrolapovinnosti.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kornrunner.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "krusesec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "krypmonet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kuchen-am-stiel.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kwoll.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lachyoga-schwieberdingen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58036,7 +56960,6 @@
     { "name": "modern-family.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "moderncommercialrealestate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "moeclue.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "monsterx.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "montanteaesthetics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "moreniche.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "morgansjewelerspv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58085,7 +57008,6 @@
     { "name": "ocalaflwomenshealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oceancity4sales.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "of2m.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "offroadhoverboard.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ofsetas.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "okaidi.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "okaidi.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58396,7 +57318,6 @@
     { "name": "tonigallagherinteriors.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "toomy.pri.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "toool.nyc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tot-radio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "totaldragonshop.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "touchstone.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tradeshowfreightservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58699,7 +57620,6 @@
     { "name": "bavartec.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "baykatre.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bayportbotswana.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bayportfinance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bayportghana.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bayporttanzania.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bayportuganda.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58784,7 +57704,6 @@
     { "name": "callantonia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "camara360grados.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "canariculturacolor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "candelec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "capebretonpiper.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "career.support", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "carlinmack.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58948,7 +57867,6 @@
     { "name": "dreemurr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "driessoftsec.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dronebl.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "drpure.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "drtimothybradley.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dryjersey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dstvinstallfourways.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59031,7 +57949,6 @@
     { "name": "etssquare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eurheilu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "euwid-energie.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "evansdesignstudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "evrotrust.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "evtscan.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ewhitehat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59112,7 +58029,6 @@
     { "name": "geluk.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "genevachauffeur.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "geocar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "geoinstinct.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "geomonkeys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gesundheitszentrum-am-reischberg.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ghettonetflix.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59266,7 +58182,6 @@
     { "name": "it-support.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "it-supportistockholm.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "it-tekniker.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "it-uws.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ithink.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ithjalpforetag.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "itm-c.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59433,7 +58348,6 @@
     { "name": "mariatash.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marketingeinnovacion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "martel-innovate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "martinfranc.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maryhaze.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mastafu.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "matheusmacedo.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59448,7 +58362,6 @@
     { "name": "mediabogen.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mediapath.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "medikalakademi.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "megafilmesplay.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "megamp3.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meia.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meimeistartup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59980,7 +58893,6 @@
     { "name": "testsvigilantesdeseguridad.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tfb.az", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tfk.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "thamtubinhminh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "the-arabs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thebeardedrapscallion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thebluub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60009,13 +58921,11 @@
     { "name": "timbrado.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tittelbach.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tjcuk.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tnd.net.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tobi-server.goip.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tobi-videos.goip.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "toddmath.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tofliving.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tombroker.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "toni-dis.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tonifarres.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tonnygaric.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "toolbox-bodensee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60097,7 +59007,6 @@
     { "name": "vinigas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vitalium-therme.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vocescruzadasbcs.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "volqanic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vsl.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vulyk-medu.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w889-line.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60255,7 +59164,6 @@
     { "name": "chrisvannooten.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cica.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ciel.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "cityextra.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "clearer.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "colorguni.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "crazybulk.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60493,7 +59401,6 @@
     { "name": "sicurezzalavoro24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "siemencaes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "skateaustria.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "skywalkers.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "slatko.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "smitug.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "smokefreerowan.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60638,7 +59545,6 @@
     { "name": "amazingraymond.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aminullrouted.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ampleroads.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ance.lv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "anlovegeek.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "anopan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "antiaz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60683,7 +59589,6 @@
     { "name": "benjaminbedard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bensokol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bepsvpt.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "beringsoegaard.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bestdoc.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "besti.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bestpractice.domains", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60790,7 +59695,6 @@
     { "name": "desertmedaesthetics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "devswag.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dexonrest.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dexonsoftware.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dhbr.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dia.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "diccionarqui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60809,7 +59713,6 @@
     { "name": "dophys.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dox-box.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dragon.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "drainagedirect.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "draintechnorthwest.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "driftingruby.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "droidandy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -61804,7 +60707,6 @@
     { "name": "decor-live.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "deep-labs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "deepinnov.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "degrasboom.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dein-trueffel.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dejting-sidor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "deleenheir.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -61933,7 +60835,6 @@
     { "name": "g3circuit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gabrielkoo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gadget-tips.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "gadgetadvisor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gailbartist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gallmeyer-consulting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "galoserver.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -61964,19 +60865,9 @@
     { "name": "gostargazing.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "goufaan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "graandco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboomamersfoort.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboombinnendoor.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboomclophaemer.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboomderoos.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboomleusden.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboommax.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboommeerbalans.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboomveenendaal.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grasboomvondellaan.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "grenlandkiropraktor.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "grupodatco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gtn-pravda.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "guchengf.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gx3.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gyakori.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gzriedstadt.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62027,7 +60918,6 @@
     { "name": "igdn.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "igrarium.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ijsclubdwarsgracht.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ikkakujuku.work", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ikmx.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "iliasdeli.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ima.re", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62156,7 +61046,6 @@
     { "name": "legionminecraft.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "legnami24.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lehrermarktplatz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lequateur.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lesummeira.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "letson.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "level6.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62212,7 +61101,6 @@
     { "name": "marietrap.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maroismasso.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "martian.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "massageishealthy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "massagetherapyschoolsinformation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "math-coaching.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "matocmedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62410,7 +61298,6 @@
     { "name": "pawspuppy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "paxchecker.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pbren.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pcs.org.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pearlsonly.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pearlsonly.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pearlsonly.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62422,7 +61309,6 @@
     { "name": "pepfar.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "peppelmedi.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "performancegate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "perge.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "permaseal.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "peruvianphotography.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "peterboweycomputerservices.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62439,7 +61325,6 @@
     { "name": "plastic-id.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "plumbercincoranch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "plusminus30.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "plutonx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ponio.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ponxel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "porncompanions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62526,7 +61411,6 @@
     { "name": "ryuanerin.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saga-umzuege.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sajtoskal.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "samdrewtakeson.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "samorazvitie.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sangyoui.health", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sanovnik.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62879,7 +61763,6 @@
     { "name": "bezposrednio.net.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bicycleuniverse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bioastin.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "biopronut.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blackbyte.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blatnice.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blatnice.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62915,7 +61798,6 @@
     { "name": "climaticarus.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cloudsec.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cognixia.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "collage.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "compitak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "conraid.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cookingperfected.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62929,7 +61811,6 @@
     { "name": "d-imitacion.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d2qa61rbluifiq.cloudfront.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "danielfeau.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "danskoya.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dax.guide", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "daxpatterns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "degroupage.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62963,7 +61844,6 @@
     { "name": "fakeemergency.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "familienportal.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "faradrive.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "farizizhan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "farleymetals.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "farmaciacorvi.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fishlanestudios.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63068,7 +61948,6 @@
     { "name": "movestub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "multimediapc.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "museclef.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mybakkupakku.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ncarmine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ndime.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nerdrockshop.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63181,7 +62060,6 @@
     { "name": "wuav.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wyldfiresignage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xanderbron.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "xenum.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--solidaritt-am-ort-yqb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yuyiyang.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zhy.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63390,7 +62268,6 @@
     { "name": "nagrad.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "naivetube.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "netfeeds.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "networkmas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nevalogic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nevivur.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "newbernpost539.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63400,7 +62277,6 @@
     { "name": "ninjasquad.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nomaster.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nomik.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "o0o.st", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onesearay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oolsa.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oroscopodelmese.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63488,7 +62364,6 @@
     { "name": "stlouisinsuranceco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stonegateapartmentsstl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "strengthinyoufitness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "swey.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "syskit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tacticalavocado.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "telegra.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63796,7 +62671,6 @@
     { "name": "murphycraftbeerfest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mvbug.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mycreditunion.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mypt3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nailsart.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nan.ge", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "napkins-wholesale.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64059,8 +62933,6 @@
     { "name": "diethood.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "distinctdesign2009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "diysec.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dizzie.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dizzieforums.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dnastatic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "doc.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "doeren.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64121,14 +62993,12 @@
     { "name": "iinix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ikparis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "industrial-remote-control.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "infoteka.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infravoce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intellihr.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isdr-bukavu.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jaamaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "janz.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jcvidroseespelhos.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "jeremy.codes", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "joelving.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jogjacar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jungidee.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64339,7 +63209,6 @@
     { "name": "ypfr.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yunsoupian.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yuucchi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zeit.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zstgmnachod.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intercom.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "06804.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64433,7 +63302,6 @@
     { "name": "continental-zermatt.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "contourheating.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "controllertech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "cookiee.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cradle.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "crowdspire.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "current-usa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64649,7 +63517,6 @@
     { "name": "raccoon.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "reissnehme.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rentta.fashion", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "resepi.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rhycloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rhymc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "riffelhaus.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64687,14 +63554,12 @@
     { "name": "startablog.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "startmail.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stavnager.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "stdemianabookstore.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "studiodentisticomasi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "surefleet.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "swi.sytes.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "takipone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tech-ninja.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "teetje-doko.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "terrorismattacks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "terrybutler.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "textbrawlers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tgbabyzoo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64868,7 +63733,6 @@
     { "name": "esmincg2t1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "etduvindemoselle.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eventsframe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "evitacion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "executiveresolutions.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "f1nal-lap.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "factory-f.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64925,7 +63789,6 @@
     { "name": "jesiensredniowiecza.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jmwap.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jobbuddy.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "jpoirierlavoie.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kappie.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kapsalonlinds.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "keez.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65393,7 +64256,6 @@
     { "name": "laan247.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lachlanallison.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "landoncreekapartments.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "laresistencia.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lartduportrait.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "laurencball.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "letsflyinto.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65417,7 +64279,6 @@
     { "name": "madpsy.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "madridagency.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maikoloc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "malacat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "martinbaileyphotography.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mcblain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "medeurope.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65514,7 +64375,6 @@
     { "name": "sexedrescue.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shadowsocks.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sheaspire.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "siwyd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sketch.jpn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "skorovsud.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "skylarker.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65624,7 +64484,6 @@
     { "name": "367553.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "367556.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "387763.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "3ve.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "638566.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "666618.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "7f.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65963,7 +64822,6 @@
     { "name": "tvteam.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "twwd.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ugy.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "unknown.kyoto", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vdio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "venzagroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "veronicaphotography.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65971,7 +64829,6 @@
     { "name": "vetpraxis.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vifsoft.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "viku.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vuasinhly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "washoedems.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "watchcow.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wb2288.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65987,7 +64844,6 @@
     { "name": "xn--anyd-7na.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--int-ru8ea.xn--6qq986b3xl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--kkcon-fwab.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "xn--l8jydta9i239uzq6aqz9a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xtremeperformance.co.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xtri.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ys6888.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66107,7 +64963,6 @@
     { "name": "freeaf.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "furniturezoneboone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ga-part.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "gabehoban.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "galaxus.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "galaxus.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "galaxus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66138,7 +64993,6 @@
     { "name": "houseandgarden.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "htmanager.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hydracommunity.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "hypehost.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "idleleo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "im-in.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "imbiancatura.milano.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66297,7 +65151,6 @@
     { "name": "tanovar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tauflight.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tchverheul.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tech-banker.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thc-stadvdzon.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thecyberaid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tmadev.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66305,7 +65158,6 @@
     { "name": "topshelf.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "totalaccessnicaragua.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "touhou.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tradavenue.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "trastornoevitacion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tronlaserarena.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tsrv.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66475,7 +65327,6 @@
     { "name": "flexve.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "floodsmart.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "floristmou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "forever.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "forthetoys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "founderio.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fuzenet.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66577,7 +65428,6 @@
     { "name": "miaololi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "midart.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "midweb.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "miku.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "millionen-von-sonnen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mirazperu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "misini.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66712,9 +65562,7 @@
     { "name": "vamosbets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vanwa.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vertigo-rec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "viantours.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vizionnetwork.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vkikaku.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vorbrodt.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vrifox.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vygeja.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66771,7 +65619,6 @@
     { "name": "acp-integrative.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "adarshcloud.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aditibhatia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "aduthapa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "advancedelectricalservicesqld.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ae86x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "afree.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66782,7 +65629,6 @@
     { "name": "alexglover.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allerstorfer.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "altco.group", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "alvin.cool", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ankaraevdenevenakliyat.name.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "antoineelizabe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aqarategypt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66888,7 +65734,6 @@
     { "name": "empatico.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "enersolelectrical.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "entropy.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "equiac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eringmaguire.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "estintori.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "etni-cidade.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66942,7 +65787,6 @@
     { "name": "impactplumbingdrainage.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "indiapur.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intoparking.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ip-ra.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "iparkki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ipslsig.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ironpony.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66978,7 +65822,6 @@
     { "name": "lianhongrui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "libbywinberginteriors.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "limo.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lion-tech.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "litebit.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "literaki123.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "liubliu.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67024,7 +65867,6 @@
     { "name": "notequal.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nxcd.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "odden.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "onair.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onlinehaircuts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "orthodocspro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ourocg.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67264,10 +66106,8 @@
     { "name": "aei-asc.edu.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aero.parts", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ag88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ageragrosirdistro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agilicus.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agilicus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ahmedknowmadic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ai00.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aisin.ae", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ajgroup-me.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67287,11 +66127,8 @@
     { "name": "alteria.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "am-39.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "am156.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "am5039.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "am5199.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "am6118.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "am8213.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "am9588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "am9d104.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "amaranthinewanderlust.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "amateurpornhours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67334,7 +66171,6 @@
     { "name": "b2families.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bachkhoa.net.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "badedesign.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "baldy.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ban.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "batiskaf.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "batteryboys.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67412,7 +66248,6 @@
     { "name": "bytepark.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "byteterrace.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "c0o.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "c2media.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cabuna.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cakeoffencesact.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "calendriergratuit.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67479,7 +66314,6 @@
     { "name": "customcontract.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cwwise.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cybermotives.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "d8853.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dagmarhamalova.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dahliacake.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dakin.nyc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67498,7 +66332,6 @@
     { "name": "defiantrust.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "delkniga42.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "denariu.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "denied.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dental-cloud.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "depedclub.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "depedsurigaodelnorte.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67571,7 +66404,6 @@
     { "name": "elgrecohotel.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "elitsa.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ell888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "email-pipeline.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "emigratieplanner.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "emiliobonelli.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "enderle.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67652,7 +66484,6 @@
     { "name": "gruper.mk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gutenbergthemes.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gvwgroup.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "gwilken.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "h-ealthy.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hackhouse.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hackingarise.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67752,7 +66583,6 @@
     { "name": "k8668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kaloni.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kartbird.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "karuna.community", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "katieriker.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kaypasocks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb09.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67780,10 +66610,6 @@
     { "name": "koreaninhd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "korem011-tniad.mil.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "krikorianconstruction.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks0718.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks0768.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks0877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks0996.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks5000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks5660.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks88.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67814,7 +66640,6 @@
     { "name": "limsia.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "limsia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "linge-ma.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "linuxhub.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "linuxno.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "litebit.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "littlenlargeevents.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68150,7 +66975,6 @@
     { "name": "shopunilever.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shsh.host", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shunliandongli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sieuthigomviet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "siggi.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sik-it.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "silverblog.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68231,7 +67055,6 @@
     { "name": "superlisa.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "survivingmesothelioma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "svatbamisiaviti.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "svc4u.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "svdesign.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "swisscypher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "swy.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68352,7 +67175,6 @@
     { "name": "voidnya.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vojtekpince.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vonimus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vonitsanet.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vpsvz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vtul.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w4solutions.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68382,7 +67204,6 @@
     { "name": "workplace.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "workshopengine.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wound-doc.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "wpabu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wpbox.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wrestling.net.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wsetech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68438,9 +67259,7 @@
     { "name": "xn--die-hrercharts-zpb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--t8jo9k1b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xpiuat.global", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "yamei1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yamei8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "yamei88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yao28.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yesogovinpetcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ym039.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68469,14 +67288,12 @@
     { "name": "01-edu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "123birthdaygreetings.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "373816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "5197dh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "68hvip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "731716.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "731783.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "736371.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "736381.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "961621.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9728dh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "977hghg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9988ty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aaa-racing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68567,7 +67384,6 @@
     { "name": "dragcave.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "e-referendum.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "echomall.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "edsinet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "edugundavetiyesi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ej.uz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "elblogdegoyo.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68630,8 +67446,6 @@
     { "name": "ivocopro.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ivocotec.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jeancafe.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "jms8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "jmsjms.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jmsjms.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jmsjms.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jmsjms.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68672,7 +67486,6 @@
     { "name": "lvtrafficticketguy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lycetre.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "magicroom.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "makariza.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "malenaamatomd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maniaiti.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mantachiepharmacy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68711,7 +67524,6 @@
     { "name": "noxx.solutions", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "olitham.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oneearthapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "onevpn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "opcare.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ortho-europe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ourfavorite-kakamigahara.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68719,7 +67531,6 @@
     { "name": "parsdev.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pechonova.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pentagonreviewcenter.com.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "peter-hurtenbach.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pirapiserver.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "planningsagenda.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "plumbingkingsllc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68952,9 +67763,6 @@
     { "name": "504737.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "518558.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "5197dns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "5197dz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "5197sx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52051.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52051a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52051b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69020,7 +67828,6 @@
     { "name": "6133feng.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6859551.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "715805617.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "758m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "7717411.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "781371.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "781376.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69045,20 +67852,11 @@
     { "name": "8666213.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8880005555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "919093590.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "91d27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9297.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9297dns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9297e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9297hb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9297hd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9297p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "962312.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9728dns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9728dz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9728hb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9728hd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9728sx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "98198823.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "989868888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "99818adc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69211,7 +68009,6 @@
     { "name": "epiclub.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eppione.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "equi.ac", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ertir.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "escapejoplin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esu.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "etajerka.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69220,7 +68017,6 @@
     { "name": "expromo.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fabianbeiner.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "facchinaggio.milano.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "facfox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fafa106.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fallenmoons.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fallin.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69265,7 +68061,6 @@
     { "name": "hingston.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hm5189.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "houhaoyi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "howson.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hpvtimmerwerken.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "html2gutenberg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hugonote.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69469,7 +68264,6 @@
     { "name": "tagtoys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tarfin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "taxi-edessas.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "techzjc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "televizeseznam.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "testvocacional.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "texasurodoc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69591,7 +68385,6 @@
     { "name": "1sand0s.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "293921.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3615jacky.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "5197.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197a.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197aa.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197b.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69600,7 +68393,6 @@
     { "name": "5197cc.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197d.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197dd.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "5197dh.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197e.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197ee.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5197f.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69652,10 +68444,7 @@
     { "name": "8228d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8230d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "842844.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "91d52.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "91d58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "91d89.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9297.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9297a.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9297aa.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9297b.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69818,11 +68607,9 @@
     { "name": "9721yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9721z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9721zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9728.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728a.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728aa.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728b.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9728bb.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728c.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728cc.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728d.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69873,7 +68660,6 @@
     { "name": "9728yy.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728z.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728zz.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9k886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a30.tokyo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a5197.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a9297.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69904,7 +68690,6 @@
     { "name": "asfaleianet.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "attendanceondemand.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "auvidos.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "awakenedmind.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "awesomenamegenerator.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b5197.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b9297.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69915,7 +68700,6 @@
     { "name": "bb9721.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bb9728.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "beardboys.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bernama.com.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bernbrucher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bernbrucher.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blideobames.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69926,7 +68710,6 @@
     { "name": "brandonlui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brandweerbarboek.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "briansemrau.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "broerict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bsaft.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "business-creators.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "c5197.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69957,7 +68740,6 @@
     { "name": "corruptsamurai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cyberfamily.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d5197.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "d8872.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d9297.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d9397.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d9721.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70172,7 +68954,6 @@
     { "name": "managedservicesraleighnc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maorx.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marinat2012.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "marsble.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mazepa.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "medcorfu.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "medicinasaludvida.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70226,7 +69007,6 @@
     { "name": "o9728.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oasiristorantebagno.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "octavus.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "offtopic.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "okazoo.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "olmik.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "omerefe.av.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70247,7 +69027,6 @@
     { "name": "paratlantalalkozas.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "partin.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "passionate.org.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pd2bans.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pentatec.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "permisecole.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "persefonne.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70343,7 +69122,6 @@
     { "name": "sicurled.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sidi-smotri.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "skulblaka.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "skyparlourfilms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "solarloon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sondebase.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "spilnu.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70522,14 +69300,9 @@
     { "name": "z9721.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z9728.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zacco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zd1313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zebranolemagicien.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zhaotongjun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zl016.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zl7373.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl8849.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zl9292.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zl9696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zz5197.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zz9297.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zz9397.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70587,7 +69360,6 @@
     { "name": "9181187.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9181189.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "99321365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "aaminntourtravel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "abmackenzie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "academica.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "account4u.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70598,7 +69370,6 @@
     { "name": "adrian.web.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "affairefacile.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aguarani.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "akuseorangtraveler.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alamowellnessalliance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ambulari.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "apachezone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70661,7 +69432,6 @@
     { "name": "brooklynentdoc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bsmn.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buscasimple.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "businesscircle.com.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "caiben.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "californiawomensmedicalclinic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "campgesher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70694,7 +69464,6 @@
     { "name": "cristianrasch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "crux.camp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "csd-slovenije.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "curatedtaste.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cureatr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cyclonebikes.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cyphar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70739,7 +69508,6 @@
     { "name": "fabservicos.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "factorio.tools", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "factoriotools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "farzli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fashioneditor.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "feministspectrum.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "findaffordablehousing.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70791,7 +69559,6 @@
     { "name": "invuite.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isamay.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isterfaslur.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "isusemasa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "it-meneer.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "itsburning.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "itsynergy.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70818,7 +69585,6 @@
     { "name": "jake.wales", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jake1.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jakewales.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "japansm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jbeta.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "johngmchenrymd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "juristique.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70826,16 +69592,11 @@
     { "name": "katalogkapsli.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb88dc23.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "keyyek.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "khairul-zamri.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "koboldmalade.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kotke.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kouponboket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kpopsource.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "krasnodar-pravoved.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks080.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks381.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks628.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kulturmel.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kuwichitagastro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70858,7 +69619,6 @@
     { "name": "lorenzocompeticion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lsiq.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "luckystorevn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mac101hq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "madsstorm.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "manicuradegel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "manicuradegel.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71253,7 +70013,6 @@
     { "name": "rejoice1009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rene-eizenhoefer.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rentsbg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "resepimok.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "reuzenplaneten.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "reviewu.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rexxworld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71325,7 +70084,6 @@
     { "name": "thsc.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thscpac.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tmachinery.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tojannah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tomjepp.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "towzone.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "traslocatore.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71421,10 +70179,6 @@
     { "name": "yellowparachute.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yoelelbaz.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yr8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zd1717.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zd6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zd8863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zd8869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zingpetfood.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl9889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "01918.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71458,11 +70212,9 @@
     { "name": "567666365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "616f88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "618btt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "618btt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "666365app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "666365ios.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "666365iosapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729aa.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71497,8 +70249,6 @@
     { "name": "6729gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729h.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6729hb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6729hd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729hh.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729i.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71538,7 +70288,6 @@
     { "name": "6729s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729ss.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6729sx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729t.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729tt.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71556,7 +70305,6 @@
     { "name": "6729x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729xx.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6729xy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729y.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729yy.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71564,58 +70312,38 @@
     { "name": "6729z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729zz.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6729zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957a.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957aa.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957apk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957b.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957bb.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957c.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957d.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957dd.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957dh.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957dz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957ee.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957f.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957g.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957gg.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957h.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957hd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957hh.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957i.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957ii.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957ipa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957j.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957jj.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957k.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957kk.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957l.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957ll.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957m.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957mm.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71624,28 +70352,17 @@
     { "name": "6957nn.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957o.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957oo.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957p.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957qq.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957r.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957s.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957ss.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957sx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957t.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957tt.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957u.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957uu.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957uu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957v.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957vv.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71653,23 +70370,17 @@
     { "name": "6957w.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957ww.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957x.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957xx.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957xy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957y.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957yy.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957z.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6957zz.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "6957zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "7ka.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "86btt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "876666365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "8809d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8826ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8858ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8868ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71702,14 +70413,11 @@
     { "name": "918btty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918bttz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918ca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "918caa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "918cch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918ch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918cr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918cx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918dc04.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918dc16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "918dc20.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918dp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "918ej.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71761,7 +70469,6 @@
     { "name": "aa6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aa6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aa6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "aa6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aaron-russell.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aboutpublishers.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ac-cosmetics.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71794,13 +70501,11 @@
     { "name": "barankababra.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bb6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bb6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bb6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bc-reloaded.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "beachmarketing.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "beproduct.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bettaline.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bevhills.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bezmlska.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "biancapulizie.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bibliotherapie-existentiale.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bilibili.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71809,7 +70514,6 @@
     { "name": "boran.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bphostels.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bruckmuehler-kanu-club.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "brunetderochebrune.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bta00.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bta55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt-39.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71820,7 +70524,6 @@
     { "name": "btt2020.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt2121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt213.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "btt217.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt219.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt225.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt256.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71828,7 +70531,6 @@
     { "name": "btt381g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt529g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "btt776.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt8.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt88818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71836,9 +70538,7 @@
     { "name": "btt8989a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt907.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt9090.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "btt918.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt945g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "btt9797.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt9898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btta13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btta15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71863,7 +70563,6 @@
     { "name": "cc6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cc6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cc6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "cc6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cendata.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "center-elite.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "centralconvergence.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71890,7 +70589,6 @@
     { "name": "datisstom.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dd6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dd6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dd6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "decal-times.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "declarationlocationmeublee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "delphia.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71925,7 +70623,6 @@
     { "name": "eastwind.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ecuatask.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ee6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ee6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "elevationtech.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "elitebike.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "elpaseadordeperros.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71957,7 +70654,6 @@
     { "name": "fe-data.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ff6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ff6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ff6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "filecloud.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "files.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fizjoterapia.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71976,7 +70672,6 @@
     { "name": "gg6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gg6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gg6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "gg6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "globecollege.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "goehler-baumpflege.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "goprimal.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71994,7 +70689,6 @@
     { "name": "hh6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hh6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hh6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "hh6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hidroshoping.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hoofdredacteuren.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "horochx.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72036,7 +70730,6 @@
     { "name": "jj6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jj6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jj6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "jj6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jobalicious.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jobsindemedia.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "johnkraal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72055,11 +70748,9 @@
     { "name": "kk6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kk6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kk6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kk6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kli.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks0618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks0776.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks681.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kupiewszystkieauta.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "l6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "l6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72077,7 +70768,6 @@
     { "name": "ll6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ll6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ll6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ll6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lock.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lockme.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lockme.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72092,7 +70782,6 @@
     { "name": "madwarlock.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maesinox.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "magdeburg.directory", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "maltarea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mariasbonitas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marktguru.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marktguru.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72111,14 +70800,11 @@
     { "name": "mm6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mm6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mm6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mm6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mneti.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "modelemax.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mononom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "monospazzole.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mouche.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mrichard333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ms-a.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "myparisiankitchen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "n6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "n6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72138,7 +70824,6 @@
     { "name": "nn6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nn6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nn6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "nn6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nophelet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nousyukum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nullxsec.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72153,7 +70838,6 @@
     { "name": "oo6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oo6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oo6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "oo6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oo918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "orologeria.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p1979.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72173,7 +70857,6 @@
     { "name": "poopthereitisla.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "potsdam.directory", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pp6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pp6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "praleria.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prepagosyescortforyou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "primos-tech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72188,7 +70871,6 @@
     { "name": "qq6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qq6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qq6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "qq6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quic.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "r6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "r6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72232,7 +70914,6 @@
     { "name": "shibbydex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "siikaflix.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sjamaan.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sjp.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "skolnilogin.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "skolniweby.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sldlcdn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72248,7 +70929,6 @@
     { "name": "sqdll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ss6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ss6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ss6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sspanel.host", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stariders.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "starvizyon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72289,7 +70969,6 @@
     { "name": "tt6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tt6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tt6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tt6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tt918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tyree.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "u6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72300,7 +70979,6 @@
     { "name": "uu6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uu6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uu6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "uu6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ux-designers.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uxdesignerjobs.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "v6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72331,7 +71009,6 @@
     { "name": "ww6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ww6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ww6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ww6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xinbo190.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xinbo269.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72371,7 +71048,6 @@
     { "name": "xx6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xx6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xx6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "xx6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xy6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xy6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "y6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72399,7 +71075,6 @@
     { "name": "zhenggangzhao.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zz6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zz6957.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zz6957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "0--1.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "14159.gb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "200201.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72443,8 +71118,6 @@
     { "name": "a1post.bg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "adamlee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "adversus-test.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "adversus-web-staging.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ag-2.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ag-3.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ag-33.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72490,7 +71163,6 @@
     { "name": "anunturitv.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "arcovix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "arufu.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "asngear.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "asociacionbienestarinmobiliariobogota.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "auburnperio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "autopark-ost-fichtner.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72500,7 +71172,6 @@
     { "name": "axom.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "backmitra.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "balafon.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "balkancrystals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "baroloboys.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bb6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bbc67.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72514,7 +71185,6 @@
     { "name": "bigbank.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bishoptx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bongbabyhouse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "boutique-giovanni.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "boxlink.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt1111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btt1313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72600,7 +71270,6 @@
     { "name": "defibrillateur.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "delpark.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "devops.pf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "die-partei.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dimo-analytics.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dimo-crm.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dimo-dematerialisation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72621,7 +71290,6 @@
     { "name": "dreamsxxl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "duchateaugyn.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dunyahalleri.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "duoyin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "e-mandataires.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "e-michiganinsurance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ebooknetworking.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72783,7 +71451,6 @@
     { "name": "payps.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pensionecani.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "perfect-privacy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "phanmemcuocsong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "philia.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "phonefleet.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "phpmynewsletter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72808,7 +71475,6 @@
     { "name": "quintenbraakman.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rabotayes.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "radicalepil-haguenau.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ragtimeinrandall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "raiffeisenleasing-kosovo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rambedjeans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rayadventure.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72857,7 +71523,6 @@
     { "name": "ss6729.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "starfixreparaciones.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stemkit4kids.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "stephenschruhl.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stokl.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "storzrealty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "suksesbisnisonline.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72881,7 +71546,6 @@
     { "name": "transferwiseturkiye.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "treeline.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "triozon.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "triplecrossfarm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "trophy-discount.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "trophy-solution.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tukdesigns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72913,10 +71577,11487 @@
     { "name": "zell-mbc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zenways.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zhujiceping.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zixin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "znakcomstva.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zoso.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zz6729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000btt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "015kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "016kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "026kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "055kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "056kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "058kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "066kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "068kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "071k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0760ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0763ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "076k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "077k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "078kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "109k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "113k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "13-th.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "133ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "135416.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "159ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "160763.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1661618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "170376.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "170386.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "178kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "178ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "181k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "182ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "185k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "192569.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "210k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "213k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2222k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "222k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2264707.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2isk.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3333k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36594.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "398kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "39w66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "508kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "518k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "565kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "585kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "616btt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "660887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66619991.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "668k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "668k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "673569.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "688libo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "76668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7666898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "76669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "787kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "806kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "819kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "856kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "869kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8801ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8859ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "885kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8885ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8886ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88kash.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9108.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918aac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ayy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dxx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eej.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918yy.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "97735.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "977kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9800.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "985kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99989796.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99989796.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9998k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9999k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9999k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9h.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9to5notes.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abogadoperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abogadoscav.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acceptancerecoverycenter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "activephoto.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adrian2023.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "advancedpestspecialists.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88086.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag978.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks08.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks133.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks19.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aglc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agworkers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aidmycomputer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aitrust.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allram.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "almisnedrm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andicui.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andicui.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animebits.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antoniogatti.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apotheke55.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "applegun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appraf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artsmarket.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artyengine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asananutrition.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "axone-computers.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "azlocalbusiness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "backmitra.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "backmitra.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baiyu.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baiyu.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "banglets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bdupnews.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "belgraver.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bin92.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bintach.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitcoin-wizards.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitcoiner-or-shitcoiner.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "black-cat-seo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blondesguide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bransive.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brettpostin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "broadyexpress.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bsimyanmar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt0707.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt269g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt932g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt996.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "butterflycare.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bytheglass.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "campaignlake.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "canine-mobility.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carefulcolor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carloshmoreira.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cartaodigi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cashflowstrategist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casino-cash-flow.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "celiac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centricagency.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chrisx.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clearspringhealthcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cnymenshealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cododigital.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comeyegroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comicsans.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "contabilidadebrooklin.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "contactaffix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "correctemails.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coteetciel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creatic.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crebita.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crmenrich.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cryptonx.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "csy.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d888818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dachbleche24-shop.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "data-captive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "databasez.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dddmelbourne.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "detrapdoor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devrim.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diariodearaxa.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "disinfestatore.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "displaysfas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diver-equipment.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doctorperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domjh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "donnabrothers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dsi7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dt688.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "duama.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dzu.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-emploi.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eaststudios.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easyrents.com.ng", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eckstein.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edmm.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "educaestado.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eine-andere-welt.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emailtemporal.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emcentrix-com-site-mvc.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emotionalmente.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "encryptlist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "energybank.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esalesclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "escobarservice7000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "estadoreclamos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esthe-zukan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eve-online-com.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eventim-business.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eventim-business.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ewar.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "facadeforum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "facchinaggio.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "factoriotools.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "factoriotools.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "failforward.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ferprobolivia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff763.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff769.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff916.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff967.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ffdhw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filehippo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firc.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fisioterapista.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fpsv.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "francisdelreal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fresh4.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fro.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funcabinrentals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fundamentt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "galganoboutique.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gass-transformatoren.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gemstn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "genioideal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gggggg.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giaoxudongtri.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glexia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gobiz.com.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goldenhostmyanmar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gordyf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "habbstars.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hallaminternet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hanyingw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hashtagswimwear.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hdwalldownloads.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "he.kg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "healthyhomesofmichigan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "heijmans.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "henlich.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hepla.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ho18.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ho518.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ho68.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ho918.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hubitt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "huotuyouxi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hv-huset.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hvt.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i-fastnet.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iceandfiremechanical.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idealize.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ime-a-tolerancia-eredmenye.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imedia.com.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imediamyanmar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imediasingapore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "immivest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inboxceo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "industinc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inewroom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "instantdomainsearch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "investforum.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "italiataxi.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itaporanga.se.gov.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itmx.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "izs8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "japanese-cuisine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jecurranpc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jobit.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joeldbolivarc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "johnsongenealogy.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "judaicaganeden.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jumpbuttonnorth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "juszczak.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jvdz.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8002.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k80039.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8023.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8037.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8039.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8063.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8071.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8075.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8082.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8106.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k81111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8125.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k816.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k82222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8268.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8268.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k829.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8368.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8368.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8370.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8403.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8421.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8437.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8463.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8487.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8524.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8533.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86681.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86788.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8694.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86965.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88208.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88870.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88891.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k89188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k89388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k89999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8dc01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8dc13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8dc17.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8md01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8md12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8839.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8844.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8857.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8864.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8875.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8897.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kebhanamyanmar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf-59.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf0000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6464.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kff7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kidneydonation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kodikom.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "koreanrandom.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kr.cm", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0098.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0550.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0577.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0599.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0858.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks098.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks15.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks16.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks16.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks1608.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks18.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks200.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks2000.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks28.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks28.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks32.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks36.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks55.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks58.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks66.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6601.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6602.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6603.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6605.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6607.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6609.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6612.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6615.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6617.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6619.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6620.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6621.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6623.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6625.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6627.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6628.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6629.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6630.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6631.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6632.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6638.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6650.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6651.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6652.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6653.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6657.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6659.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6670.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6671.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks68.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6860.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks81.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks86.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks86.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks888.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks89.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks958.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks98.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ladakhtrip.tours", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lasterhub.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc389.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc460.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc5998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68694.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68699.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8841.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8893.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc14.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc17.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8guidance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md03.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md30.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc98.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9910.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng08.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ledspadova.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "libertas.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lifestorage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livv168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livv88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "locksmithsinsanantoniotx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lombri-agro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long788.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lonny.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "looptics.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lord.city", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loveweddingphotosandfilm.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lucidlink.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lysbed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magnumwallet.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailbro.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maximind.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mayper.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md19lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md21lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md24lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md33lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medicoleads.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mein-einszueins.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mercedes-benz-kiev.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miguelkertsman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikaeljansson.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mipnet.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "missivystorm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mklenterprises.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mklenterprisesacademy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mklenterprisescoaching.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mmpaymentsystem.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "momobako.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moosmaus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motorzone.od.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "movementdanceacademy.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mrsiding.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mueblesemporium.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mypromoshop.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nationalcashoffer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "navaneethnagesh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nerdinator.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netsoj.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nicaise.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nikitin.photo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nnkkserver02.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noop.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "notablepeeps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "o98.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "okmyanmartravels.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ommcitalflex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onetwosweetatelier.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orchardnh.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orembaeviajes.tur.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "overmark.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p-mint.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paal.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pakaranggrek.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parleur.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pawnkingloansmore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peaceandjava.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pekinet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "philiperiksson.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phonedoc.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "playstationtrophies.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "poke.blue", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "porondam.lk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "positiveaffirmationscenter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pranita-schals.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pranita.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pranita.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pre-renewal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "premiereco.com.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "princezna.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prodatalabs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psicanalista.milano.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pterodactyl.org.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pya.org.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qed.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qq6177.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qq6177.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qualbe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quizz.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rattattees.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rcra-uganda.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "refjob.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rheijmans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "richieheijmans.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "richieheijmans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "richieheijmans.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "root.vg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rubylabs.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sajter.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanyasingh.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saobancrafts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sarae.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schack.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sensorville.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serpic.photo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serviceinconstanta.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sharpe.systems", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shiftsixth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sofiaestado.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "somp-rp.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sonderkomission.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soptq.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sorx.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sounavholidays.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sploch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spokesly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssrjiedian.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "starorusing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stlouisnativeflute.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sukoyaka-labo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "supersena.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7ys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tapety-na-pulpit.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tdyx-china.com.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techdatapark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "the-alan-parsons-project.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theoriginalmarkz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thevirtualbookkeepers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tintoria.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tohofc.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomasmoberg.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "torresshop.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tqm1.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "treehole.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trevo-lotofacil.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "twlitek.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "umail2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unicode.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "universidadperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "update-linthdcp-567app1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upplay.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vahoshop.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viralify.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visitorslist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visualproyectos.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vonkuenheim.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w3punkt.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6619.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6648.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66938.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6969.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wasgigant.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "watchmetech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wattnow.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wb6668.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "we5688.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "we6668.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "we9988.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webcaptive.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webhostingspace.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "werd.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wheretogomyanmar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "win365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xboxachievements.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--90adahrqfmec.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--e1aaavheew.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--e1aaavheewr.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--e1adlfhcdo7h.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--j1aoca.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuzurisa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9814.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlogic.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "010777a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "010kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "010ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "143918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2030411.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3040519.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5060711.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5060715.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "55d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "58d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71787z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77177.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7sdre.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "809kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8208d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8812ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8818ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8819ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8890ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8892ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bbt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bby.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "98d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aartsplastics.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acg.vc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ae86nb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aghayeva-edler.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "airlock.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "akinix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alexandreguarita.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alfacharlie.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alforto.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "all4nursesksa.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allcoveredbyac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aloralabs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alteraro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alteraro.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "altonkey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amusa.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antincendio.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appizia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asart.bg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "australianstrongmanalliance.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "axin888.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ayvalikgezgini.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baeckerei-wohlgemuth.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bank-tour.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barca-movie.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "becquerelgroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestsingingbowls.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogkuliah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boren.shop", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt0707a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bttt111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buybutton.store", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buycccam.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casinorobots.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cbr-rcb.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "certificato-prevenzione-incendi.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chaboisseau.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chattingorcheating.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "checalaweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chenx221.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chenx221.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chenx2210.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chrystus.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chun.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clare3dx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claudiney.eti.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cmshangu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cnbibo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cnss.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "col-head.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "commonsenseamericanpolitics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "consertodecelulares.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "correctlydesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cosmohit.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "costarellos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coveredinspiders.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crosswords123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cryptoclix.website", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberme.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberpathogen.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyllos.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d1ownqs4tcx37f.cloudfront.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8118.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8228.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8787.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d881.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8811.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8816.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d886.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8864.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d887vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8886.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "davidgreig.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dbplanview.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dealdump.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "definitions360.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "degradarium.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deluxecccam.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dennishzg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "derco.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "digihoc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "districtcapital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dockstarter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dor-tak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dor-tak.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "downunderporn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dr-royaghafourifard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dranous.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dreamstudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dresdner-stollen-von-reimann.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drgeadsdavinci.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drivermototaxi.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dryudha.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "duggtec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "earn99.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ecpic.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "egold-keeper.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ekimma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ellatotal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elri.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eon.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eradoom.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ero-video.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "estetici.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esyoil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "farm-vacations.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fern.health", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fff-du.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ffmv.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fheuschen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fjco.alsace", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flonharmonymassage.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flowinity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fortygordy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fraplaster.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frasestop.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frosty.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fulibyg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funyirotraktor.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fuvi-clan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getonyx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glammybabes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goaskrose.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gopayz.com.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gopnikman.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gordy.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gordyforty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gpcp.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gpna.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grantpark.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guancha.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gulcinulutuna.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "haehnel.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hawaiiwho.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "healthfitapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "heinrich-kleyer-schule.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hereticle.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "herrschaftlich-durch-dresden.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hks-ffm.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotvideosgalleries.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hudognik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hunngard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "husqvarnamoped.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hvgg.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ibidyoupeace.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idirect.com.ng", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ihre-pflege-sachsen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "immortec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inditoot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infradeep.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inmag.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "integritet.com.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "intensivpflege-sachsen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ips-ihre-pflege-sachsen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ips-sachsen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ird.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ishigurodo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "istdas.lol", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itemorder.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ja-no-me.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jaja.wtf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "janome.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "javaweb.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jcsdevelopment.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jellysquid.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jenniferlucia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jordanhamilton.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "julia-thonig.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jupuglia.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaffeeringe.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaseban.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kashbet.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb9988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbet168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kensyou.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kill.trade", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kleyer.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klumba.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kommx.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kriptoworld.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks058.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0788.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks081.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks086.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6658.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6665.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks680.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8825.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8831.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks902.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks912.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks921.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kvestiks.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "le-upfitter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "learncrypto.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lewdlist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lewismcyoutube.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lichform.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "listsothebysrealtyhk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lodus.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long510.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8039.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lovingbody.yoga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ltheinrich.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mangowave.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mansarda-life.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marex.host", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "martian.community", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matchpointusa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mattadams.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mediation-mv.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "merza.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "method.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mfsquad.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mickgrimesgamingpodcast.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "model.earth", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "modul8infinity.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mondonet.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mousemade.art", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mrsheep.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "muratatifsayar.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "murmashi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n3ro.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n3ro.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nahouw.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nasladko.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naslovi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ncascade.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nednex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "networkmas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newdirectionsolar.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nobleandlore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nodebb-cn.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nolte-imp.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nooben.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noticiasymas.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noustramits.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "numeritelefonici.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oncotarget.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onsudoku.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onzerelaties.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "opbedbugcanines.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "openai.community", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "operationsafeescape.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "optimo.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ordermygear.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "osterlensyd.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pandiora.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pay.mg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcr24.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pixelabs.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "planet.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "popitsnack.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proctorauth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "programyburian.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proj3ct.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "projectobs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "puntasiho.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raistrick.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reviewcenter.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rfxt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rheijmans.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "richie.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rthsoftware.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ru-e-business.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russianrandom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russianrandom.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saludnutrivida.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "salzerperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samuelebencini.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanctumwealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "santanderibc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sasquatt.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "savebees.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schneckenhilfe.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scolasti.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sen.bo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sevengang.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "signmycode.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "singer.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smaltimento.salerno.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smartpatika.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smartvita.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smilesondemand.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smtvonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snapintegrations.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "softwaresen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spstaticfiles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "startle.studio", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studyportal.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swdiscount.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "syogainenkin119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taichichuanyang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tanshin.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tappezziere.milano.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techmunchies.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "technotronikcanada.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tentacletank.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "terudon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "texier.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thaimega.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thenewclassics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thooka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomthorogood.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomthorogood.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toparkinfo.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tourdatenarchiv.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tranvia.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unclebens-specials.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "universovalve.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upmon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uze-mobility.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uze-mobility.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uzemobility.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vademekum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valuecashhomes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valuecashoffers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verified.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipd88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vladimir-chanaev.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wanlieyan.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waroengkopigazebo.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wav.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webtrek.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wellcareliving.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "westernparts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wheredoi.click", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wieloswiat.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wikijugos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wikiversus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wittywomaniyaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wot-zadrot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wotzadrot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wyckoff.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wyckoff.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--bckerei-wohlgemuth-ltb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xtremealaskainsulation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "youngvoicesmatter.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8193.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaadnet.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zombie-40th.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ztk.im", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "010888a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "135374.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "17187q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "177ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1ag777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1ag88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1ticks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "233hub.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "233hub.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "23lhb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "291.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "501117.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7893.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7894.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7l00p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82ag88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "89386.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "89386a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "89386b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "89386c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "89386d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "89386e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8ag88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9ag88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acatec.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acquaparrucchieri.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acquire.media", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adidasrunningpartners.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adpkdsim.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adventureworldtour.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aeksistem.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aetherlink.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afterpay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag0101g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag0202a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag0707a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag1515a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag1588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag2020a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag3131a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag3232g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag4141a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag4848g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag4949g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag5688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6005.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6016.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6033.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6037.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6072.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6086.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6211.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6215.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6225.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag6306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag660.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag698.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag700.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag80808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag80880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag855.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag87777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88-guide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88001.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88018.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88028.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88056.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88068.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88080.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88081.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88089.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88090.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88094.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88098.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88110.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88158.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88220.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88309.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88550.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag8876.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88799.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag8890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88905.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88906.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag8891.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88dc22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag89000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agaa41.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aglh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agm2525.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agm8383.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agvip168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agvip88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agvip8800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agwin7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agyacht.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ai-media.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aj-foster.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aktca.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alchemy.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allcarespecialty.pharmacy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allied.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alpharail.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amsfoodhk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anora.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "approval-workflow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apt-one.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "archina.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aresanel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "as5158.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asaabforever.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atheist-faq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autospurgo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "axiodl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ba47.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bakersfieldhomeoffer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "becomeabricklayer.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beizsley.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beizsoft.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beizsoft.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "benjaminmarket.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bettyweber.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "big-tits-video.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackstrapsecurity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blaumedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blenderman.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogdefarmacia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "botnam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bouwplaatscheckin.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "briangosnell.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brianpagan.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-development-rabodirectconnect-api.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddytop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buggmedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buggshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byraje.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "caetanoflotas.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cafedelahalle.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carbonating.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casino-cash-flow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casino-cash-flow.com.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casino-cash-flow.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casino-cash-flow.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casinocash-flow.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casinocashflow.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casinocashflow.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casinocashflow.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cdireland.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centumail.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chataberan.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chaturbate.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheapautoinsuranceblog.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chicguay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cifapme.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clinicaltrialpodcast.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cloudclouds.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "colombiajeans.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "connexfilter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "contact.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "copticexchange.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "corriel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creationsgate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creermonsite-wp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crossroads-gmbh.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cuatroymedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cumnock.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybersecurity.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danbergen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dccwiki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "defensivefirearmsinstruction.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dennisforbes.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diarionoticia.pe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diretashop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dnsmate.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "donaldjenkins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dorfpark-falkenburg.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doublelist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dreatho.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drogavista.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "droperplus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dsgvo-analyse.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dziaduch.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ebteam.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ecalculator.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edcaptain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eet.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eikentafels.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eisblau.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elldus.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emrullahsahin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enodais.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "espaciosdelalma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eve-ua.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evearly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "everglow.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expromo.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "extrawdw.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fapp.tube", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "farmacia-lloret.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fashionflavorph.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fattyink.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fernland.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fhservices.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flywus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frozendurian.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fundkyapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funmountaincanyon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gaganenterprises.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gambling-business.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getcheapinsurancenow.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glamur-video.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "godan.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goldlevelmarketing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goldlevelprint.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goparity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goswak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "graviola.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gunlukburc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gutscheinemagic.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guzdek.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gynem.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hannes.paris", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hellosalmon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "highpressuretech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "holtackersleather.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "horsky.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "housemates.uk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "humanit.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "humaniza.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hwxvip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyncice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilemonrain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infosexual.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ingwaz.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "init.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inprotec.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "intakesync.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "intellimatica.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "internetstiftelsen.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inwebo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ip6.li", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iperconnessi.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ironfittings.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "irrigadorbucal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itsuki.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ivanaleksandrov.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j-l.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j1879.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jean-luc.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jezeravillage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jezibaba.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jmsjms.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joustsec.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joustsec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joustsecurity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jouwtechnischecoach.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joyinverse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jpprivatehiretaxis.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jugwallonie.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "justmysocks.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jwr.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k-sails.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kawaiicon.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0283.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb1717.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb2929.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb7272.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb7373.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb848.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb9292.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb9797.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbcso.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kiokoman.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kk575757.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "konfekcjonowanie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "koreanrandom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks3636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kusadasiforum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "labworks.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lamujerquesoy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lelux.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leminhduong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lenafonster.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lesbi-porno-video.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilomatrixcorner.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linux.pizza", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "little-bird-bayreuth.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lnhydy.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lnrsoft.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "logiccircle.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loginmailpage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "londontaxipr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "luctam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lueersen.homedns.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "luu.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lxx77.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m23cal.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magestionfinanciere.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magic-photo-events.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maiscelular.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mamaisondefamille.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mamasorganizedchaos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "manelli.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mangabank.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mantuo.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mastermindcesar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "media-soft-pro.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mediamaklumat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mega1.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "menh.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mifarmaciaenbarcelona.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miyatakaikei.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mohot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mohot.fit", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monitorbox.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "montrealcatadoptions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "movilcelular.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mr-bills.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "msafiri.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "my-news-portal.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myhealthyday.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mynewsspot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neighborshop.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nekomio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newgraphics.by", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nextstart-staging.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nextstart.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nicht-blau.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noinghene.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nonglamfarm.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nostalgische-attracties.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "notilus.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ntpana.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nvlocalbusiness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "odensc.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "odysea.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "offerhome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ohioflockcote.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oic-ci.gc.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omega-gaming.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omexcables.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "open.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orbitcleaning.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ouac.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ovejabohemia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "overframe.gg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pagecdn.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paintersgc.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pandit.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pangoly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parltrack.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parrilladasparaeventos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "partoenagua.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pborn.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcatv.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peertube.uno", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peniarth.cymru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perfumestudio.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "philippestudiopro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phone888.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phonemore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "photo-castings.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "photolessya.by", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pirateproxy.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piucellulare.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "planetofwoman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "planetofwomen.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plu-pro.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plusmobile.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pointclickcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pokeli.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "porkyx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "porno-stars-video.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "posbich.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "potature.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pravaha-elixirs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "presidentialserviceawards.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "privorot-taro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qnickx.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "redpatronus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rodrigoacevedo.com.uy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roh.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roi.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rotring.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rphyncice.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russia.wtf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "s-u.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sacaleches.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sagagardencentre.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sampatjewelers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schermkapot.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "searchforbeer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seats2meet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selfiehome.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serviciodebarralibreparaeventos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sewing-world.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sharingphotos.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shelvacu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sice-si.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sikademy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skolni-system.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smartplace.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "southernlights.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "speedyjanes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srb.help", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srx.sx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stuartbell.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suplments.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "surgenights.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swedentelugucommunity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "synapsepain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sys-tm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tadamstudio.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "talis-bs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taxi-uslu.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taxichic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "technology.cx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techzjc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teen-porno-video.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teleport.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "test-allegrodev.pantheonsite.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tetsai.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thehopefuture.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theleap.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thenexteducation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theodeboer.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theperry.group", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theycallmefox.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thingsandcode.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thomaspluschris.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "threatmonitor.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiendasmart.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tinyppt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tncentro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tolmaidis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomkempers.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toolshero.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "top2servers.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topreit.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trianglebruins.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trutopoffer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "twin-tails.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tytod.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ubytovanihyncice.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ukari.hokkaido.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unblocked.lc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "up2mark.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uyen.party", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "veganrecipereviews.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "venditorepoa.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "venetkaarsenovart.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vigorspa.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vinktwebdesign.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vkwebsite.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vontainment.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voshod.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wearetuzag.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webdesigngc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wemakeit.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wincasinosmoney.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wongu.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "www63605.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wwwindows.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wzxaini9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapeal.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ystream.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuzzamatuzz.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zeckenhilfe.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0-24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0-24.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "067310.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "067313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "067360.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "067361.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "070136.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "070167.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "070183.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "077810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "077863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08817z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24onlinereview.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35898f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "44-k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "513x.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "activefootandankle.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adeon.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aesthetikpiercing.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ahj.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aiat.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "airy.host", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alkusin.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amigucrochet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amirasyraf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anarkhe.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animehf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apuyou.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ariyaoil.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arizana.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "assaabloygaragedoors.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asyikbelanja.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "augehost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aurbrowser.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "austinchase.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avi12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "axa.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b-tree.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "banfor.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "banguilacoquette.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barbe-n-blues.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "basebyte.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bbcomcdn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestcarscyprus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestproductsaudit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bfas237blog.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bhyn.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackrose-garden.herokuapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blijfbij.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blijfbij.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blomberg.name", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluestarroofing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bohan.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boresmail.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bpvr.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "breezeairportparking.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-acceptance-authentication-frontend.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-acceptance-backoffice-frontend.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-acceptance-web-frontend.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-development-backoffice-webapp.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bundito.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buttgun-tattoo.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "butz.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bvsa.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c-3.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calibra.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cannabislegality.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "capitaoalden.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carontetouristisoleminori.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cga.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "charlenew.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chaturbates.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ciudadanosbo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cliqz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comparemymobile.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "confrerie-rp.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "connectium.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "copan.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cosentus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crossnet.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cultureshift.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cumnock.name", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberweightloss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d3dev.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dadycandoit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dandia.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datatruckers.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datatruckers.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "decipe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deepblue-web.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deltav.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diegogonzalez.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dolcesalatoweb.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doubleglazingmasters.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doyleshamrock.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dphipartner.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dposit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dposit.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dposit.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dposit.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dposit.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dr.mg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drakoacademy.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dranktoomuchlastnight.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drivetonortheast.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtbw.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtbw.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtbw.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtmbx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtmbx.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtmbx.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtmbx.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtmbx.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtmbx.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eddy.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "educativetech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edwardsgrounds.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edyou.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elitebasementsohio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ender.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enter.eco", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ergonova.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "erodvd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "est-keyman.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "etaxigraz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eternalparking.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eternalparking.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eternalparking.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eternalparking.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eth1.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exeye.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f00f.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f5la.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fenixportal.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "festivaldimouamaroussiou.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fieggen.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fieggen.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filmcrewdb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "financecontrol.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "floridawaterapparel.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fmm-creative.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forsaleinedmonton.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fossdaily.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freelancemw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "friseur-foerder.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fsavc.org.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fundingrainbows.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fyroeo.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gatewayclub.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gb-repair.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gesunddurchenergie.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gipelpsb.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gisauto.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "go2people-websites.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "golden-kamuy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "googlerecetas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gopostore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gourgouli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gymnastikfitness.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hackintosh.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "haindlmuehle.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hanying55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hanying9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hbgshop.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "heartfelttokens.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiddout.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "himalaya-masala.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "homecareinterio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "homedatacenter.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hopeofmyheart.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtutu.click", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtutu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtutu.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtutu.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtutu.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtutu.link", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtutu.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtutu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "httpstest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "httpstest.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "httpstest.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "httpswatch.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "httpswatch.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "humdingersnj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hwsw.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ibestproduct.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iccorporateinteriors.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iedcommunications.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iexpert99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ig.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iitowns.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iloveherb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "immedia.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inclusion.tn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "incosi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indasun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "individualizedwellness.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inf0sec.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infobot.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infobot.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infobot.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infra-se.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innovomuebles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ipcyb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iternalnetworks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itgm-consultants.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itisyourmoney.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j9511.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jaylineko.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jjjj003.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jobs.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jpm-inc.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "js0204.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kadro.com.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaitori-goods.shop", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kanootours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karo.pc.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karopc.com.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karopc.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kativa.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3939.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kcire.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kennethandersen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khohangmadeinvietnam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kiomara.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kirklandtriallawyer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kleinhelena.dynv6.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kmnsk.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kotonozaka.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "labavn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "labibikids.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "landassessmentservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lassovideos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "law-iku.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lazerengravingpros.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "learncrypto.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "learncrypto.show", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lenovovietnam.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lesgitesdefranca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lightning-wallet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai6616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "line.red", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "little-brother.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "losingweight.coach", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "louremedi.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lucasdamasceno.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lucentioluo.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lyax.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "machine.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "makermiles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "makermiles.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "makermiles.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maritimeseafoods.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masha.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masterton.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mawrex.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megh.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megh.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meow.plus", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meralda.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meralda.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meralda.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meraldamulder.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meraldamulder.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meraldamulder.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meraldamulder.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meys.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikecameronyyc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "missfuli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mladamoda.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mondzorgaanzee.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moow.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moowcraft.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moowdesign.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "murmashi.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myexams.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mylifeinsurancechoices.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myplaystation.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nanshy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "natcheflife.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naturalbijou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "navroopsahdev.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nerofox.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netdiode.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netdiode.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netdiode.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netdiode.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nethui.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "networkdiode.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "networkdiode.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "networkdiode.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "networkdiode.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newhamyoungbloods.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newlifehempoil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsdiff.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsdiff.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsdiffs.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nfltshirt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ngmx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ngmx.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ngmx.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nickserv.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nickserve.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nickserve.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nickserve.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nickserve.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "niyen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "niyen.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "niyen.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "niyen.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nycfilmcrew.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ocnjapartment.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "okasurfbali.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oliverah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orebolt.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orged.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ostechnix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "otoma.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oxygenit.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pactandoconlamoda.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "panoramichq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "patriciaandpaul.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "patrikzk.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcprkolo.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pentechealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phive.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "physiobiggerawaters.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "physiobroadbeach.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "picka.gift", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pinheirofrio.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pipeuro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pkdhungthinh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plaintextpledge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plasticstare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plexbpvr.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pozitive.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "poznajrynek.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "premierrange.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prestigesoundandlight.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "products88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "productsblockbuster.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "productsbrandleader.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "productscastle.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "productsmansion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "projectionpictures.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proteh.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psychopersonnalite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "q8igh228tq.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "que-debo-regalar.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "queenmargaret.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quentinaurat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quichante.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quickbookssupportphonenumber.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quitsmoking.coach", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qybot.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "railto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raketenwolke.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rbt.sx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "redion.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rednumberone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reroboto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reroboto.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reroboto.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reroboto.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "resqdesk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "resumeshoppe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "retro-game.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reviveplumbingmelbourne.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roalogic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rosalindgreenllc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rosecrance.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "royalkitchensandfurniture.co.ug", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rrbt.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rrbt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rsec.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "safetynetwork.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sagenesykkel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sainikbiswas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "salesblackbelt.coach", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saluddecalidad.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sam-cousins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sampleappservice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sduconnect.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sellmymobile.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sender.services", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simplycateringequipment.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sindarina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sindarina.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sindarina.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slow.social", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slowsocial.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slowsocial.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slowsocial.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slowsocial.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "socialsecurityhelpcenters.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "softwaregeek.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soniadoras.pe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sony-psvita.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sparkar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sparklesdelivery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sphardy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srsforward.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srsfwd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srsfwd.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srsfwd.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srsfwd.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srsfwd.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "startachim.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "statusboard.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "staycurrent.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "staycurrent.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stb-timmler.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stealthmodel.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "steelpoint.com.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sterlingleads.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stmosesbookstore.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "streamspouredout.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sumatphoto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suplments.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suplments.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suplments.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suplments.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suplments.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swhw.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swj.red", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "szurgot.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "technistan.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "telford.codes", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "terabyte-computing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "terminalhrd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tested.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "testmx.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "testmx.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "testmx.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tetr.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "textonly.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thailandlongtime.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thaqfni.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theapplewiki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thedinnerdetective.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thepillclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thermalflowtech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "therworth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "therworth.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "therworth.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "therworth.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thesecurityvault.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thirtysixseventy.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tinlook.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tobias-bauer.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tobias-bauer.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tobias-bauer.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomashouzvicka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomashouzvicka.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topcarehvac.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topproductidea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topproductsanalysis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trance.im", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trancehost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trancetronic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trilon.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "troyhuntstress.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trufflepig-forensics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trustnet.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tubepro.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuingresoonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ubstudygroups.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ubstudygroups.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uglycat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uglycat.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uglycat.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uglycat.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unadonna.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unityvox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upbeatrobot.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upbeatrobot.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upbeatrobot.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upbeatrobot.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urantiabookstudygroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urantiabookstudygroup.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urantiabookstudygroups.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urantiabookstudygroups.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urantiastudygroup.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urantiastudygroups.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urantiastudygroups.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urcentral.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vbestproduct.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vbestseller.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "velvetia.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "videot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "videozv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vmconnected.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voodoocomedy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vreviewbestseller.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vtbs.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vthebest9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vuasinhly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w-architectes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wanekat.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webcaptive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webtex.limited", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whta.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wirekeep.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wit.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "workplace.tools", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wpcdn.bid", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wsbhvac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xinqinhai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--80aihgal0apt.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--ikketenkpdet-1cb.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--j8se.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xwf.fyi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yh12366.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yomi.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "your28days.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yumiandryan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yunhu365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuzulia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zalaxx.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zerocash.msk.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2020.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0011d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0013d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0014d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0015d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0020d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "002d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "003d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "004d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "005d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "007d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "022kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "02d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "03d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "03d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "04d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "05d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "06d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "06d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "07d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "07d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "09am8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "09d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "09d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0d111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "100up.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "100up.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020307.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020309.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020310.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020311.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020312.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020317.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020320.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120307.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120308.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120309.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120311.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120312.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120315.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120317.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120324.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120327.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120331.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120332.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120340.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120341.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120342.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120346.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120347.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120348.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120349.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120350.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220304.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220307.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220308.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220309.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220310.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220311.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220312.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220317.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220320.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220322.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220325.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220329.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220331.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220332.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220334.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220340.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220342.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220344.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220347.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220348.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220349.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220350.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "127ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "132kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "136ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "151ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520304.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520310.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520320.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520322.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520323.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520324.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520325.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520327.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520329.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520331.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520332.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520334.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520340.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520341.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520342.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520346.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520347.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520348.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520349.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520350.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "153z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "156ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620304.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620307.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620308.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620309.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620310.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620311.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620312.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620315.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620317.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620320.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620323.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620324.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620325.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620329.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620331.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620332.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620334.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620340.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620341.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620342.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620350.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1661618.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720304.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720307.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720308.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720309.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720310.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720311.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720312.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720315.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720317.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720322.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720323.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720324.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720325.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720327.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720329.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720331.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720334.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720340.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720341.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720342.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720344.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720346.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720347.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720348.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720349.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720350.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "175ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820304.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820307.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820308.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820309.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820310.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820311.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820315.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820317.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820320.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820322.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820323.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820324.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820325.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820329.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820332.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820334.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820340.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820341.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820342.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820344.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820346.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820350.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "182kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "182ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "182zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "185zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "187kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "188zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1920301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1920302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1920303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1920304.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1920305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2030404.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "222zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3040507.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3040508.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3040517.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "333zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "33btt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "35d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "37879.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3dtootmine.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4050601.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4050607.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4050620.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "432web.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "456zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "46d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "46d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "47d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "47d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "48d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "518zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "555zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "588e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "58w66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "618btt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "61d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "62222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "64d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "64d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "70872.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "70d88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "74d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7minutemiles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8001d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8002d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8006d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8006d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8007d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8008d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8010d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8011d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8012d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8013d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8015d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8016d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8017d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8019d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8021d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8022d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8027d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8030d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8038d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8039d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8050d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8051d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8053d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8059d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8060d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8071d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8071d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8072d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8077d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8078d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8092d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8100d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8102d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8109d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8116d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8121d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8153d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8170d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8173d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8197d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8198d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8200d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8202d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8216d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8217d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8222d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8223d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8226d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8227d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8229d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8229d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8230d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8802ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8805ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8809ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8830ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "886666z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88btt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918aah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918aaj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ahh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918awx.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bio.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918caa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ccb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ccy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cqq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918db.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dc20.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dgg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dzz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ess.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ffk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918hs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918hzoz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918og.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918pn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918rh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918tx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ug.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918vk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918vs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918wv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918za.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91milk.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "999zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k228.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k287.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k295.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k586.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k587.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k589.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k632.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k655.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a2os.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acapadena.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "accadia.academy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acilicraft.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aftonpravdan.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag173168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag2983.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag775.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag81826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag81867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag9999.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agefriendlyri.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agencia.barcelona", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agencia.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agencia.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajfite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alberoraydolap.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "almanssur.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aluminium-express.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alwayswanderlust.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amerion.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amtsinfo.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andrewjphotography.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animekaizoku.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anxietyspecialistsofatlanta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anythinggraphic.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aptekakolska.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arco.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arkitextonico.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artera.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artifact.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asgrd.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asoagroca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "athens-limousines.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autocadperfmon.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aviasalon.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b886666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bandeiraimoveisitu.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bankapp.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bazqux.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beambdi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bendostore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bernama.com.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blueeyedmaid.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluetomatographics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blumando.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bodybuilding.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bodycaredirect.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bolalocobrews.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bolamarela.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bolamarela.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boughariosbros.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boxtreeclinic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bread.red", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brickadia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btopc.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt043g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt192.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt217.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt285.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt289.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt6262a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt776.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt8383a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt918.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt9292a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt9595.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt99.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btta18.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buysoft.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byfeldt.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c886666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cadastroloteamento.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calendriergn.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "careerdirectionsltd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ccuuu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheapsharedhost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheapsharedhost.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chicourologist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "childrensfurniture.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chrisseoguy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "christianmoore.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "churchofsaintbenedict.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ciliberto.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claimflights.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claimflights.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claimflights.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claimflights.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claimflights.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claimflights.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claimflights.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cleary.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clinicamiracueto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cloud-screen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "codedynasty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cointosh.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comedimagrire.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "computerguardians.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "corsisicurezza.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cuteselfie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8812.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8813.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8815.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8817.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d881vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d882vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d883vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d884vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8850.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d885188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8852.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8853.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8856.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8857.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d885vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8860.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8860.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8861.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8861.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d886119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8863.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8865.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d886vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8870.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8873.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8876.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8879.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d888508.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88870.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88896.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d888vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8890.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8891.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8892.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8893.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8897.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d889vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc03.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc04.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc07.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc08.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc09.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc14.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc17.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc18.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc25.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc28.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc29.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc30.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88girls.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md03.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md05.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md09.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md14.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md17.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md18.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md19.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md20.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md21.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md23.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md25.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md29.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md30.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88promo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88zl.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daidr.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danel.ski", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danelska.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danelski.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datasafeassurance.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datatypes.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd112d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd118d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd11d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd201d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd202d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd203d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd204d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd205d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd207d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd208d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd209d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd210d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd212d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd214d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd215d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd22d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd33d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd44d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd55d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd66d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd77d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deepnet.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dekasegi-supportcenter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dentistryateastpiedmont.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dg68.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "digpath.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "distributore.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djcatholic.or.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doesinfotech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "donghochinhhang.store", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragontours.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dsreal.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dzu.fund", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e901.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eastwesttmc.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easy-prono.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easynm.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easypaymentnow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eboardsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ecmatching.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eiadaladel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elranchofeliz.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enigmadjradio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eos-utvalget.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ermessecurity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expatfinancial.com.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f886666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fayntic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fb.gg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fgsv-heureka.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filedesc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fireflyiii.spdns.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firerain.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firmajulegaver.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fite.family", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funkydealz.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gardensquaredental.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gay-personal-ads.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "georgiadance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getacrane.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gku-winterling.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "golnet.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "growth-rocket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gunshyassassin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guzlewski.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hbweb.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "heijmans.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "helpkoil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hhfgaming.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hokenselect.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hp-67.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hsjccconference.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "htb.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "htbplc.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hua-chuan.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hua-chuan.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "icasebr.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iflyi.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ikisser.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilovestickers.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilpl.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imkerverenigingzaanstreek.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imolights.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infosubasta.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innvision.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innvisiondesign.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ionplesalexandru.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ipschool.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ipsecurelink.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ireaco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "israelil-leumi.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "israelil-leumidev.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "issoexiste.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itdutchie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jaculus.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "japansm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jehelpdesk.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jeps.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jeroendev.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jigsawplanet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "josegdigital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k886666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kanis.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karimunsejahtera.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kartikmohta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kashbet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4393.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb882.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8885.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc04.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc05.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc17.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbk4t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kiousis.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kirkwood-smith.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kisser.name", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klupper.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "korob-ok.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kreyolgym.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks-29.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks-89.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks068.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks1519.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks162.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks181.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks202.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks204.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks382.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks608.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8787.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8809.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8829.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8832.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8859.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8860.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks901.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks905.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks907.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks920.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks996.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ksvip15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kuscheln.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "larpkalender.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "larryandprisca.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lebanonbitcoin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lichtletters-huren.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai2222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai5566.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linosky.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "littles.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lkw-servis.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ll8807.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "llyq8866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "llyq9988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lofstad.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loheprobado.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long-8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long113.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long139.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long18.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long226.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long266.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long510.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long566.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long68.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8085.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8097.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loteamentoabertocapivari.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ludovic-frank.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lx-blog.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "macangus-wainwright.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "manawithtea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "manuelguerra.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marisasitaliankitchen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "markandev.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marsble.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maxmuen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mcstaralliance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mcwrapper.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mdconnect.asia", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mens-health.com.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meodihoang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mercelo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mhcdesignstudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "micluz.shop", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "microjovem.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "midwayrecovery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "midyatsaklibahce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mieresabadus.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikerichards.gallery", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikerichards.photos", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikerichards.pictures", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikerichardsphotography.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mmbhof.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moenew.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monsitemoncommerce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moorelawfirmaz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motornaolja.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mrnathanpowell.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mysasiedzi.bialystok.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myunicornshops.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n886666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nclf.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "negativeentropy.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "negocios-imatore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newworldnewlife.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nguyenminhhung.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nhv-vintagelemans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noites.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "notariuszprzybylowicz.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "notariuszsych.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novogradnje.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noys.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nvfoundation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nyerjakekszekkel.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omie.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "on-the-wave.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onecloud.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "optizym.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orangecat.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orvitdesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "outstandingpromotion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pasarkoin.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paulmarc.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcgho.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pedago.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pediatersucha.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "performio.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peridotcapitalpartners.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perini.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pesdacgh.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "petnow.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "petrovich.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "philanima.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phongthuyanthinh.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "photosaloncontest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pignus.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "podsvojostreho.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "poorstock.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pr-news.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-clean.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "profession.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pvpheroes.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "q886666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qttransformation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quantumcrypto.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raydolap.web.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raydolapfiyat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rbh.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rca2015.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recrea.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reddited.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remont-p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "repaik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ressupply.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rhypehost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ricci-ingenieria.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roachesofficial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rt1314.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rupostel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ryanfamily.net.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "s886666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "safarimasaimara.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saletzki.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samandej.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "satario.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saxonsink.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seabehind.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sedlex.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sembyotic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "setptusa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sheilagranger.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shigaben.or.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simple-e-world.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siscompt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skelleypiano.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skinstyleglobal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smamunir.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soacompanhantes.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "softwing.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "somefe.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "southside-digital.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "steph.ninja", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stinkefingereinhorn.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stkildaosteopathy.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "styledbysally.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sudocat.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superpi.noip.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "supplypartnersdecolombia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "susthx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "syquel-systems.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tag-coin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "takb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taptoweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techwhisperer.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tecnasa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teenpussypornvid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "terminationsremembered.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thaiforexfamily.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theagilitychallenge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theentertainmentcontractor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "therapyroom.rent", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thermowood-bkh.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thoitrangsikimanh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tk2net.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tkbuilders.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "todoenunaweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomboy.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tq.rs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelzoneshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trekinafrica.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tritiumdisposal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trix.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "troyhuntstressed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ttp-shop.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tugafm.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tus-kikishinkyo.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuzaginside.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuzagtcs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "twoguyswhoblog.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tytocare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "u886666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uboratz.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uix.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ultrasdesign.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "un-instantpoursoi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unicorndesign.ninja", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "universal-village.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "universityhousemates.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "universityhousemates.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unknown-player.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "untilyouarrive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uphuntingland.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urbanindustriecoiffure-auray.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uscpaservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uvpress.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uvseh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "va11hal.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vamosbien.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vilafloridacapivari.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vinmmo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voevm.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "volvoconnect.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0185.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0189.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0195.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0198.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0202w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w4040w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w5050w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6609.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w661122.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66133.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66136.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66138.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w661616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66191.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w662211.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w663w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66918.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6698.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wallisch.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wearefrantic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "websiteboost.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "websitesmiths.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webx5.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weecarepreschool.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weightlossoutcome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wlilai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wormhol.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wu6v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xenox-rp.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--agncia-4ua.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--prt783d.xn--6qq986b3xl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xrope.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xtremecoatingtechnologies.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xyloefarmoges.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y0bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y1992.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y2212.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y2232.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y2242.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y2252.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y2272.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y2bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y3343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y3353.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y3bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y4bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y5545.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y5bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y6bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y7bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yamei9955.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yourbetterkitchen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuer.sytes.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8010.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8011.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8012.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8013.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8015.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8019.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8020.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8021.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8026.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8027.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8028.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8032.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8051.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8052.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8062.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8063.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8066.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8068.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8079.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8081.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8082.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6896.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zi5.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl-49.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl-59.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl-69.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl-79.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl0783.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl0iu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl0sz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl1038.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl16h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2085.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2704.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl3289.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl3597.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl3782.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl4231.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl4290.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl4454.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl4538.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl638.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6xw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl7393.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl7615.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9052.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9372.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlam2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlf8h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zllpa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlong6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlong6.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlong888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlong888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zls9p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlvd7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zunlong0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zunlong918.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glassrom.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0016d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0017d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0019d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "003zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "006d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "008d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "009d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "009zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "010203.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "010ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "011zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "012zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "013zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "015zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "017zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "018zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "019zl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "020ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "020ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "022ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "025ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "029kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "029ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "03637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "05d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0799ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1020302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365001.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365002.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365003.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365005.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365007.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "103656666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "103658888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120320.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120323.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120325.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120334.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "113ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "116ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "116vip.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "118vip.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220315.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220324.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220327.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220346.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "122kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "130ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "133ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "135ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "147ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1520344.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "154kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "155kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "156ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "158ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "159ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1620349.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1666ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "170ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "171ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720320.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1720332.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "173ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "180ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "181ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820327.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820331.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820347.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820348.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1820349.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "183ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "183zlong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "185ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "186kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "186ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "188kb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "18agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1941-45.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "198ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "199ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1blazing.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1onehouse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "200ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "217778.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "23ks.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "285551.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "288kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "288kb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "288ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "28agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "28ks.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "299ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2blazing.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "301ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "33kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "355ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506011.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506022.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506033.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506055.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506066.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506077.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506088.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506099.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36506999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3666ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "399ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3elife.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "404ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "428northampton.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "456666365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4761.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4762.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "499ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51club8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52dashboard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "58agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "58ks.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "599ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66.tn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "668ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "698ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "69agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "69ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6wbz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7214.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7214.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8001d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8013d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8057d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8061d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8069d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8083d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8092d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8093d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8109d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8111d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8115d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8130d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8133d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8133d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8135d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8139d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8150d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8151d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8158d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8171d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8176d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8178d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8181d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8182d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8183d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8190d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8191d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8192d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8193d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8193d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8195d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8196d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8197d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8198d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8199d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8207d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8209d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8210d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8211d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8215d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8216d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8217d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8218d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8219d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8219d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8220d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8221d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8223d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8225d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8227d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8228d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8232d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8236d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "83kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "85kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8666ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "86kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "87kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8805d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8806d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8809d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8815d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8815ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8816d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8816d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8816ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8817d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8822d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8826d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8826d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8827d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8828d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8828ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8829d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8829d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8831ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8832ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8835ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8838ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8850d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8850d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8850ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8851d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8852d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8852ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8855d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8856d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8856d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8856ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8857d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8857d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8858d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8859d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8860d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8860d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8860ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8861ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8862ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8866d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8869ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8880ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8881ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8882ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8887ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8889ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8891ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8895ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8896ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8898ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "889999vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88zl.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8918d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8925d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8926d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8927d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8927d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8928d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8929d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "898ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "89kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d03.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d17.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d18.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d19.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d20.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d21.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d23.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d31.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d32.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d33.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d35.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d36.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d37.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d38.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d39.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d50.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d51.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d52.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d53.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d56.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d57.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d59.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d60.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d61.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d62.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d63.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d65.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d67.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d68.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d69.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d70.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d71.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d72.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d73.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d77.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d80.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d83.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d85.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d86.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d87.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d90.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d93.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d96.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d97.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d98.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "92kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "93kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "95kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9666ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "96kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "98agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "98kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "98ks.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99kb88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k223.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k225.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k226.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k227.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k229.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k232.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k235.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k237.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k238.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k252.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k253.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k255.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k256.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k257.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k258.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k262.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k266.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k267.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k268.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k269.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k273.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k275.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k276.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k277.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k278.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k279.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k283.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k285.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k289.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k292.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k296.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k299.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k322.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k323.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k325.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k327.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k329.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k332.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k362.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k363.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k366.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k368.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k372.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k373.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k375.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k376.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k378.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k379.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k383.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k386.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k387.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k389.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k392.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k393.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k397.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k398.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k562.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k563.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k568.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k569.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k572.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k573.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k575.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k577.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k579.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k582.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k583.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k585.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k592.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k622.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k623.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k625.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k626.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k627.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k629.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k633.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k639.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k652.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k653.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k657.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k658.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k659.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k662.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k665.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k667.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k672.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k673.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k675.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k677.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k679.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k682.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k683.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k689.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k692.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k693.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k698.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k699.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k822.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k823.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k825.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k829.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k833.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k836.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k839.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k857.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k858.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k859.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k865.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k872.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k873.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k875.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k879.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k885.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k892.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k893.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k896.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aaex.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acacia-gardens.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aceitedelcampo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ad4msan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ad4msan.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adonai.eti.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "advens.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag518518.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag58ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag68ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag818818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag818818.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag88ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks007.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks09.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks10.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks112.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks113.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks114.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks115.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks131.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks132.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks134.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks136.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks137.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks138.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks150.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks18.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks68.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks89.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks96.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "airanyumi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allthings.how", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "americorps.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amtcd88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andesnevadotours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "angelinaangulo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anhqv.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apartmanidano.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aracusbienestar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "archivosmercury.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arcogb.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "areis.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arsenal-charodeya.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artlabdentistry.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "as395.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "as397.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ashtonbromleyceramics.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "assosfi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "athomedeco.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atlanticyellowpages.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "auditready.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "babyboutique.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baka.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barashek.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barnettville.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "battleguard.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baudlink.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bbbff.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bdtopshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beijesweb.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bellebakes.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestmattressforbackpain.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betheredge.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biogiardinaggio.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "birkenwasser.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitking-trading.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bizlatinhub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bk622.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bk725.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blockchainmagazine.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bryanfalchuk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btshenqi.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btsou.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt9797.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "budgetinsurance.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buhex.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "burbankdental.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buzzpop.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calbertsen.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "californialemonlaw.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "canavilage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "capillary.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cargoguard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carmatworld.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cartes-voyance.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cashbot.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cathy.lgbt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ccriderlosangeles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "celebalita.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centrederessourcement.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chifumi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clubapk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coachapp-ipass.herokuapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coachsystem.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "combigo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "complex-news.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "consultorioespecializado.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "copyrightcoins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cranberry-tee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crowter.li", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "csust.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cuanticasocialmedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cubanross.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cuentamecomopaso.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "curexengine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybernetivdigital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d868.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d881.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88118.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8867.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d887.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d8875.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88806.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88811.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88871.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88873.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88885.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc10.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88dc27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md10.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md28.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88siteintro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "david-merkel.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daysinnaustin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd206d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd213d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd99d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deedyinc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "delvickokolo.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dizzie.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dizzieforums.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djdeepstate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dmerkel.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doceo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "docmed360.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dogboarding.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dogeboy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "draemar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon00.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon30.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon53.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon57.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon61.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon63.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon67.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon70.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon75.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon80.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon81.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon85.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon87.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drcp.tokyo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dressingmaternity.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "droidchart.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drthalhammer.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ds915.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dumb-laws.net.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dwilawyer.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e7180.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eichinger-stelzl.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eismaschine-vergleich.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electrolivefest.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elementarewatson.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elitedangerous.wiki", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emergesydney.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "encd.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ep-cortex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "epilepsiyle.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "es-tools.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "es-tools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "es-tools.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "es-trade.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "escortaccess.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esmart.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "essayshark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evohomecare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exxvip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fabrika.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fabrikafilmes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "facedack.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "farmtoys.store", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fertigasi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fgsv-kongress.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filmarchiv-sachsen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fimfiction.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firegeisha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "foodsoul.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forcelink.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forthvalleykeswick.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "foxhillshotel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fps73.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freefilesync.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fridarestaurantemexicano.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gaestehaus-leipzig.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ganpris.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gemstonz.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "get-quick-bits-fast-2018.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gielectrical.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goeikan.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug10.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug18.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug68.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug78.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug89.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gpfitness.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gqyyingshi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gqyyy.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greentea.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guaranteedloans.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "havedicewillsave.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hebbet.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "heijmans.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hellocyber.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "herbaldiyeti.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hes.com.cy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hgmaranatha.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hikarinime.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiltonsydney.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiveopolis.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "holidaypackage.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "holunderbluetentee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "homeable.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hosteleriauno.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hostingsrv.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "huabantxt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "huabanxs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "huimiquan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "humanlocation.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hy88win.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idlewildflowers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "igondola.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "incrementation.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indemnityinsurance.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indianjewellery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infivalle.gov.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infixegypt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infotelecharge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ingestion.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "injurylawyer.world", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innotab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innovacoachgroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inoio.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "insanelyelegant.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iryodatumoguide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ishimen.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j3349.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jackingsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jarv.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "javiscoffee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jerome.to", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jewelers.expert", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jiangzhuyun.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jiji.co.ke", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jijistatic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jiu99shipin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joorshin.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jppcadvertising.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "juweliervanwillegen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k81.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaanhaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi002.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi003.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi005.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi05.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi07.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi08.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karodos.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kashsports.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kathy.lgbt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kawaii.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kayit.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0202.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb03.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0404.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb05.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0505.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb059.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0606.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0707.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0909.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb091.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb096.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb1313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb2121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb2323.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb2626.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3030.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3232.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb367.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb372.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3737.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4040.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb415.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4545.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb458.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4646.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4783.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb481.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4949.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5050.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb514.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb545.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5454.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5648.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5757.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5959.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb6060.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb6161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb6363.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb6464.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb659.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb6767.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb709.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb7171.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb750.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb756.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb7575.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb7979.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8181.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8282.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8383.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb840.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8484.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8585.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8803.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8806.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8809.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb881.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8817.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8822.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8831.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8832.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8833.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8841.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8846.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb885.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8853.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8860.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb886119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8871.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8872.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb888508.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8892.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc07.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc08.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc09.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc25.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc28.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc30.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md05.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md08.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md09.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md10.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md14.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md20.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md21.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md23.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md25.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md28.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md29.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8989.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb9090.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb9191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb9494.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb952.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb9595.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbjri.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kidonng.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kieskundig.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kimkhisaigon.com.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinderopvangthuis.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinfolkcoffee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kitchenwarestore.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kniga-goda.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kokosnusswasser.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kreditkoll.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krumpf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks168158.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks181.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks208.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ksvip07.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kubabrussel.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kyotokitsune.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lacuerba.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lai.zone", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lapacho-tee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lawfirm.tips", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "learntohack.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lifeonplanetjapan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lignesante.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "limit.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "limnt.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "limstash.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lmvsci.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lohvinau.by", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lolcloud.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lolio.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long-6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long0310.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long0316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long0317.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long0318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long186.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8021.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8026.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8040.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8076.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8078.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long88.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lotc.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lts-tec.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lulua.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lyness.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m271809.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magebrawl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "majormedicalinsurance.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "malond.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "malpracticeattorney.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mamabatataya.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marcberndtgen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mariasilverbutterfly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mariendistel-tee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "markstevenkirk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvnet.design", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mastermindbusinesspro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masternautconnect.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mb-demo.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mealinsider.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medbreaker.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mediavamp.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megaron.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meliowebweer.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meloniecharm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metallibrarian.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metz-metropolitain.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mgmd.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miku.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "milieuland.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miniclip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mojleksikon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moosikapp.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moraffpritchard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mundosuiri.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygg32235.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mynaturalmood.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mysteriesandmargaritasblogspot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nachrichten-heute.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naide.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nanaimoneighbourhoods.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "natur-care.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "natureshive.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "necord.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netcials.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netexpatcommunity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "new-jersey-online-casinos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nick-slowinski.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nuoha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nuovavetro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "officina.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ogkw.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oreadstudios.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orifonline.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oriontravel.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "outwesthunts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "passau-webdesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paymyphysician.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peers.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "personalnames.net.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pharmacistinfo.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "philomathiclife.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piedrasblancas.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pikio.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plagiarismcheck.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plaintextpledge.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plaintextpledge.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plaintextpledge.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plaintextpledge.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmi.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "premrev.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "productliabilityinsurance.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proeski.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proseo4u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prosony.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prosperus.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "providential.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "puteulanus.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raqoo.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ratedever.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "re-crawl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reindersfoodfashion.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "richieheijmans.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rixcloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "robertnankervis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rottamazioni.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roughtime.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sacadura.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saifonvillas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sard.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scale.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sccimo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schachtelhalm-tee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schafgarbe-tee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schat.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scislowcy.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scom.org.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sellingsherpa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seyhanlar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shanefagan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shejutu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shoulderpainrelief.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shtaiman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shtaiman.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shtaiman.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shteiman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shteiman.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simonholst.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sin-el-fil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sinmik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sitempro.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smalldogbreeds.dog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smictecniservi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smslodging.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soora.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "speedboost.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "speedwp.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spiegels-op-maat.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sprachenlernen24.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssmpuc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stanmed24.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "starbaese.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.design", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.digital", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.ltd", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.services", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.store", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.website", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stemcellclinic.world", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studay.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sulytics-tool.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suste.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "szs.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tazarelax.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teeautomat-teemaschine.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tempatwisatakeren.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "the1.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thecontentcloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thecraftingstrider.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thekiddz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theswimdoctors.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thutucxuatnhapkhau.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tipsdebellezaysalud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tobimi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomstew.art", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tracknerd.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trainingswiese.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelexbiz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelexinternational.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelround.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trigraph.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "troiaconsultoria.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tunsbergwhiskyfestival.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tutu.green", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tzyingshi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uat-mypfp.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uwe-arzt.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v139.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vazovia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verbzilla.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viflores.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visionofcolour.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vivaldi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vvs.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w-surgeryhospital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wagenmanswonen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waiwaisw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webmail.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weissdorntee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wermuttee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wf336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whojoo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "willi-roth-holzbau.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "williejackson.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wism.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "workersshop.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "workthings.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wtprecife.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wxxcxd88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xinetwork.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xlyingyuan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn---35-6cdk1dnenygj.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--babassul-t4a.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--bachblten-tee-1ob.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--brombeerblttertee-zqb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--bucheckernl-0fb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--chrysanthemenbltentee-nic.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--cisowcy-pjb5t.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--eebao6b.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--gstehaus-leipzig-vnb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--heidebltentee-2ob.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--hibiskusbltentee-szb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--lavendelblten-tee-c3b.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--maracujal-77a.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--nide-loa.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--rosenbltentee-2ob.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--schwarzkmmeloel-6vb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--weidenrschen-tee-swb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yourkrabivilla.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yporti.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuzu-tee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z66.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8017.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8023.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8031.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8038.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8056.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8059.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8060.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8067.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8070.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8075.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8078.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8083.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8087.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8089.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8093.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8095.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8097.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8099.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8105.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8106.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8109.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8113.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8116.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8120.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8122.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8125.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8130.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8132.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8133.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8137.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8138.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8155.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8162.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8170.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8182.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8195.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8196.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8199.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8200.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8207.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8208.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8209.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8210.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8212.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8215.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8217.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8225.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8226.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8821.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8829.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8856.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8860.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8865.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8905.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8906.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8922.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8925.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8929.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaffke.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zakonu.net.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd0505.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd0606.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd0808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd1515.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd1616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd1717.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd202.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd203.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd205.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd206.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd207.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd208.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd209.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd232.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd235.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd236.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd237.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd239.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd252.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd253.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd257.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd258.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd259.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd262.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd265.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd267.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd270.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd2727.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd273.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd275.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd276.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd279.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd280.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd282.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd283.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd286.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd287.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd289.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd290.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd293.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd295.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd297.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd307.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd3232.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd3535.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd3939.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd4747.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd4848.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd5050.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd5252.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6464.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6885.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6893.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd7575.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8585.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8787.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8829.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8832.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8836.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8839.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8853.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8857.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8858.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8859.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd9696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd9797.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhis.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhou28d88vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhuktrans.msk.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zigarn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zinniazorgverlening.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ziqijiang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zitronengras-tee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl-19.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl-29.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl-89.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl016.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl017.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl019.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl0202.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl026.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl031.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl036.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl0505.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl051.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl056.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl0606.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl071.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl072.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl073.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl076.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl090.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl0909.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl1010.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl1212.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl1616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2020.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl236.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2424.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2525.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl256.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2727.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2929.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl3535.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl3737.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl3838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl5050.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl5151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6363.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6475.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6767.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl7171.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl738.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl760.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl7979.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8181.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8282.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8484.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl850.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl861.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8787.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8824.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8853.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8861.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8870.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8897.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9090.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9292.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl969.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9797.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl9898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlhgc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlhuodong.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zltymacau.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00004048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000a1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000a2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000a3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000a5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000a6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000a7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000a8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000a9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000x2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "000x3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "001yapan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00228.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0022bet.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "009597.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "01234048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "012345678365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0123456789365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0138365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0139365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0165365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0175365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0185365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "018663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0195365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "038456.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "038663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0393ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0393gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0393hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0393ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "03region.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "040552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "041552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "042552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "046552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "049552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "050.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "050a1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "050a2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "050a3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "050a4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "050a5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "050a6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "051552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "054552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "065l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0681z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "068552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "068663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "071552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0737399.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0768ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "078663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "083832.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "084552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "085851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "093113.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1-345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1003365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1004233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "100pudov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "100visits.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "107996.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1112365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1116365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1119365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "111b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1120344.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1188bet.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1190america.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1199bet.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "11b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1220323.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "12344048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "12345678365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "123456789365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "123seo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "12n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "142552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "146552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "146773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "148663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1517598.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1517668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1517669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1517883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1517886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1517889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "153kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "154552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "154922.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16-qw.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16qw.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16region.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "178btt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1831365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1832365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1834365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1837365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "188kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1981365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990uu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1baks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1cprosto.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1hfree.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1malaysian.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2-678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2012review.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2013review.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2015review.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2018fifaworldcup.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "202jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2033z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "205jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "207ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "207vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "209vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "20n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2155hg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "216vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "22245j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "22256j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "22267j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "22289j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "222b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "228668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2288bet.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "22b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "23454048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "23732.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "240vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "241552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "242552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "246773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2484811.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2484822.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2484833.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2484855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848a.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848b.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848c.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848d.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848e.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848pp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848uu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848v.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848w.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848x.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848y.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848z.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "248663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "25may.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878pp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "27878zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "284365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2evip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2kvn.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2lovebirdsblog.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3-789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3-800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3004233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3006789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "30n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3165365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3175365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "317811111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "31782222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "317822222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "31783333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "317833333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "31784444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "317844444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "317855555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "31786666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "317866666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178666666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "317877777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178888888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "31789999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "317899999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178aaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178bbb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178ccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178eee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178fff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178iii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3178yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3265623.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "333b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3344985.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "335a.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "33b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "33n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "348663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "350vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "351365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3539783.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3557365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3558365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3559365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "360365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "362590.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3650607.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3658200.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888012.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588823.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888234.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588834.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588845.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588856.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888567.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36588890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888dddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3659801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3659867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3659868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3659869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3659980.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365eib.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365eif.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365eil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365eiq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365eis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365eiv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365eiw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365nnn.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365nnnn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365r.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365rr.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365xxx.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y00.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y33.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y77.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365y99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365ypw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365zg.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365zg.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365zzz.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "369-7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "37987.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3800611.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380111888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3809955.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "382228.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3837z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "38irkutsk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "391231.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "392365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3957z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "396301.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "396302.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "396303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "396304.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "396305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3963aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3963bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3963cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3963ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3963ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970100.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970200.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970300.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970400.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970500.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970700.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970900.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970pp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970uu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "39news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3danimation.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3djava.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3w-solutions.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4001365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4002365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4003365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4004233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4004365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4005365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025360.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025361.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025362.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025363.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025364.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025366.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025367.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025368.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025369.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4025y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "40481234.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "40482345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "40484567.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "40485678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "40486789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048aaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048ccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048eee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048fff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048ggg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048hhh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048iii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048kkk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048lll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048mmm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048ooo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048ppp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048qqq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048rrr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048sss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048ttt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048vvv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048www.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048xxx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048yyy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4048zzz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "408663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "40n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "416365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "418663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233331.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233332.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233334.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "426773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4345.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "436773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "438663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "443658.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "444b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4455bet.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "44b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "451365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "456-3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "45674048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "458663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "476773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "486773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "497552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "498663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4best.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4dillusion.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4evip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4tgw34.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5-600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5-890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5004233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "500wordessay.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017503.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5055990.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "51365ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52002y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "520xpjxpj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "538vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "55554048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "555b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5566bet.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "55b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "55ks.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "55n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "56784048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5898657.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "593-7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59759vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59759z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981611.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981622.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981644.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981655.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981667.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981677.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981699.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981811.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981822.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981833.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981844.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59859h.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59859j.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59859k.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59859l.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59859y.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59859z.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "598877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "59rus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5ilg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6-600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6-800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6004233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "605vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "60n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "611121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "611125.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "611165.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "611195.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "616675.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "616btt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "621nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "621vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "628vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "635-488.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "635-588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "635-788.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "635-888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "635-988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365ah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365am.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365bj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365cq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365fj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365gd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365gs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365gx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365gz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365hb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365hk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365hlj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365hn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365jl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365js.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365jx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365ln.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365nmg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365nx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365qh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365sc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365sd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365sh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365sx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365tj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365tw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365xj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365xz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365yn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6365zj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63960000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63961111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639611111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63962222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639622222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63963333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639633333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63964444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639644444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63965555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639655555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639666666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63967777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639677777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63968888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639688888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "63969999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "639699999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396aaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396bbb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396ccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396eee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396fff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396ggg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396hhh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396iii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6396jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6520265.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "657843.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365a.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365b.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365c.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365d.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365e.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365f.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365g.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365h.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365i.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365j.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "663365k.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "664048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666111bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666222bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666333bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666555bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66664048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666777bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666888bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66689j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6669255.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666999bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666btt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6671365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6672365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6673365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6677bet.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "677314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "677340.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "677341.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "677346.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "677347.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "677354.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "677364.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "677384.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "678365cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "678678365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "67894048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "67y7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "681vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68522.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68522c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68522k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68522m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68522s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68622.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68622a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68622b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6863070.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "68722.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7-890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7004233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "70365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "70n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7111365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "71365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "721aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "733575.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "73365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "74365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "753-9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "75365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755204.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755243.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755245.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755246.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755249.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755274.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755284.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755294.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "755a.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "76365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "76678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "769k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77018aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77018bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77018cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77018dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77018ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77774048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77789j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "777btt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7788bet.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78365aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78365app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78365bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78365cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78365dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78365ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7888813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7888815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7888821.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "78904048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "789451.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "789453.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "789455.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "791188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "792ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "793ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "80365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "805vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "80651a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "80n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "811121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "812221.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82781111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82783333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82784444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82785555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82786666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82789999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278aaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278bbb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278eee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278fff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ggg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278hhh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278iii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278pp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8278yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8286hg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8289hg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "83365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "842365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "846773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "848663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "852-7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8521.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8521.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8602012.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8602013.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "860vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866300.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866304.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866305.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866308.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866341.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866346.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866349.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866374.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "866394.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "87365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878989.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8810ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8836ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8855650.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8855950.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8866012.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8881234j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8882345j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888234j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8883456j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888345j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8884567j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888456j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888567j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8886789j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888789j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88884048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8914499.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8b8888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8btt.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8me.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9009019.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "906vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "908vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "90920.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "90n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9110365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9111365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918-siteinfo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918101.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918aait.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918aav.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918aff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918agr.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918arr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918baa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bba.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bbd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bbg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bdd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bip.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bis.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bit.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bkk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918bzz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ccq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ccs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cct.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ccu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ccv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ccw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ccz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cdd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cgg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cmm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918crr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918css.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ctt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cvv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918cxx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dbb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dcc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dde.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ddx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dkk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918dpp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ebb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ecc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918edd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eef.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eek.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eem.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918een.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eeq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ees.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eew.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eez.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ejj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918emm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918epp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918err.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918euu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918fdd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918fee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ffa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ffb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ffc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ffd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ffe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ffh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ffn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918hi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918hw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918iwo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ji.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918jt.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918jwo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918lwo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918mh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918mo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918mz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918mzoz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918pt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918qg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918qi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918rs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918rt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918sj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918ze.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d91.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "940365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "946773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "953-7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "956jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "96002.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "961705.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "96678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "966ty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "97736.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "97737.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "97738.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "97739.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9836952.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "988316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99123j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99456j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9977432.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99789j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9988551.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9988959.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99994048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "999b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a365vip1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a365vip2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a365vip3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a365vip5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a365vip7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a365vip9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a66.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6619.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6621.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6623.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6627.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6631.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6632.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6651.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6652.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6657.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6659.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6671.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6672.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6673.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6675.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6682.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6683.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6687.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6691.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6692.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a6695.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aa4888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aa7666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aa793.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aadv.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abanilla.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abc-solutions.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abc001.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abcode.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdullahzubayerofficial.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdurrahmangazidis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdurrehman.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abhishekkabdijain.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abitech.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "about-bangladesh.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aboutshakil.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abrahametalero.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abrightspark.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abth.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "academy-awards.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "accesoriosviaje.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "accordable.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "achinsk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acrobatic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acyclovir-cream.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "addnewsite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "addyourlink.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adrian-riemer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adriatrans.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adrino.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adsviews.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "advens.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adventry.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "advokat-malinovskii.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "advokaty-onlajn.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "advokaty-yuristy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "affektblog.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afganistan.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afghan.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aflebedevo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "africalebanon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag66321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agarioforum.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agenux.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agiosthomas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks116.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks135.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks139.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks158.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks966.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agrargruppe.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agroplas.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agul.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aido.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "airwolf.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajman-realty.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajs5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "akhabar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alantica.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alargarlavida.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alaskarsbc.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alatkesehatan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "albalatedelarzobispo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "albaniaonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alcamilo.cloudns.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aleftinka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alevi-forum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alevi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alexsandrasverden.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alfonsostriano.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alisondavenport.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aliziolaw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alko-stop.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alkor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allaboutreligions.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allcat.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allenwillis.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allfaucet.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alliance-clan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allo-luxembourg.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allopurinol300mg.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allright.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allwiki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alpha-centauri.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alsops.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "altergalaxy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "altisnet.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "altos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amberoad.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ambrosio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amitriptyline-hydrochloride.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amphost.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anachronis.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anagramma.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andrewmcfarlane.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anekdot-pr.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "angepsychedelices.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animalz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anime-drift.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animedon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anirvalle.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anonaddy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anonser.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anothermusic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antalyaescortyaren.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antarctica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antarctida.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antarktida.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anti-nsa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antihistory.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antijob.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antonoff.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apart-hotel-weimar.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aperturelabs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apkpokemongo.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appworld.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apustaja.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aquabyte.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aquadecor.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arabia-news.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aral.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arandinacf.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arcanetides.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "archbishop.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "archwood.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "argumentative-essay.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arheh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arielpereira.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ariixmex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aripiprazolee.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arithmetic.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "armcar.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "armeniaweb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "armtopnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arpumpsonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "art-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artcaly.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artcar24.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arti-islam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artificialplants.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artitbe.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asdyx.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asiasmi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asjas.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "assemblage.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "assignacii.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atayia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atfstudios.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "attractieparken.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "augesen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "australianonlineappliances.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "auto-skills.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autokeyinaustin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autorama.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autoresponder.marketing", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autoschool.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autotyreprest.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autovesti.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aviconverter.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avto-signal.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avtoucheba.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avtoyurist.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "awningsydney.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aypotech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "azenot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "azerinews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "azora.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b-honey.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0000.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0305.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0307.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0308.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0309.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b03aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b03bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b03cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0607.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0708.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b1111.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b3177.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b31aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b31bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b31cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b31dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b31ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b31ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b3333.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b3390.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b3391.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b3392.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b33app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b36510.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b36512.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b36513.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b36516.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b36517.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b36518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b36519.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b36520.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b365cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b365ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b365k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b538.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5706.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5707.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5708.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5709.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b57bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b57cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b58365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b58app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b58appb58app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b58appb58appb58app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5901.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5902.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5903.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5904.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5905.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5906.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5907.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5908.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5909.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5910.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62103.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62104.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62105.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b62h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6701.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6702.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6703.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6704.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6705.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6710.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6720.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6730.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6740.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6750.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67771.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67772.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67774.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67775.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b68.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7306.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b73app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b73bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b73dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b73ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b73ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b750.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7501.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7502.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7503.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7505.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7506.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7507.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7508.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7509.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b830.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b83kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b8831.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b88aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b88cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b88dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b88ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b960.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9902.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9904.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9905.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9912.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9951.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9954.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9957.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9961.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9962.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9967.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9970.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9973.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9976.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baby-massage.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "babybuddah.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "backgroundscreenersofamerica.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bactrim-antibiotic.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bactrim.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "balaganlimited.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "balakovo-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ballast.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baloncestolliria.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baranmovie.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barao.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barganhanaweb.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baseerapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "basketball-malavan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bazar.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bb057.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bb087.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bb211.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bb321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bb882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "be4lead.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beachpoint.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beatuprobot.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beautyspot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beaver-creek.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beebeads.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bellecarmen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bellevueowners.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "belquant.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bembee.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "benatherton.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "benazir-reaction.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "benetcasablancas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "berksnetworking.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bernudrebes.lv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "best-book.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestboot.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestechgadgets.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "besthemes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestkeys.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestmedsmmj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestofbooks.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "besttrade.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestwebcams.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet01vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet02vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet03vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet04vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet05vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet062.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet064.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet06vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet074.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet07vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet08vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet09vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet10vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet261.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet290.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet3602.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet3607.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet3639.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365bc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cnq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cnr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cnt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cnu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cnv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cnw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cnx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cny.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cnz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365g8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365n1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365n2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365n6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365n8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365n9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365q0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365q6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365q8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365q9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365r8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365vip1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365vip2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365vip3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365vip4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365vip5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365vip6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365vip7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365vip9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365x0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365x1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365x2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365x3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365x6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365x8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365x9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet599.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet66669999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet666888.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet721.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet916.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betaa0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betaa1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betaa2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betaa3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betaa5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betaa6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betaa8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betaa9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betb33.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betb73.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betxx1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betxx2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beverly.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beylkin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biaxin.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bigdiscounts.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bigprintinglasvegas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bigthunder.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biletvkrym.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "billcompare.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "billcomparison.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "binf.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biodobavki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biomeris.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bionicman.name", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biosearch.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bisix.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitgain-leverage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitmag.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitstage.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biz-secrety.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biz-secrety.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biz-seecrets.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biznes-sekrety.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biznes-sekrety.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biznes-sekrety.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biznet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackoutzone.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blacktubes.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blic-zajm.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogaram.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogcosmeticsurgeon.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bloodpop.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluesnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bobcoffee.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bodaneiranunez.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boffin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bogwitch.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bolsa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bonaemi.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bookslibrarybooks.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bordo.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boredhousewifeconfessions.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bornreality.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bosattondskap.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boxdropcc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boykovo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bozhok.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brainobeat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brainshare.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "branode.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brasiltopnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bratunaconline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bravica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "breakcraft.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brest-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brestnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brezani.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brianvalente.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brianwilson.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bridalweddingshow.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bringingbackthesweatervest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "britania.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brosay-legko.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bruce-springsteen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brusselsexpoloft.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brusselsexpostudio.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bryanarmijomd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bt3655.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bt3657.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bt3658.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bta22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bta88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bte365app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bteapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt0101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt0505.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt0606.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt11.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt1515.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt175.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt187.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt216.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt221.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt222g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt226.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt2323a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt236.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt238.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt2525.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt273g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt2929a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt494g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt583g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt6363a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt6868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt690g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt7272a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt7878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt829.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt830g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt8787a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt888g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt889g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt918958.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt9494.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btta16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btta26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bttp7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-acceptance-authentication-api.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-acceptance-profiles-api.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-acceptance-users-api.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "budgetboats.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bulgariablog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bulgariya.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bulvar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bungabuket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buquesdeguerra.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buselefante.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bushland.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "business-secreti.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "business-secreti.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "butterhost.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buy-an-essay.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buy-essay-online.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buy-lasix-without-a-doctor-s-prescription.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buy-los-angeles-auto-insurance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buy-neurontin-online.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buy-seroquel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buy-sildalis.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buy-zofran.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buycitalopram.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buydiflucan.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buydiflucan.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buyfluoxetineonline.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buylasix.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buylevaquin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buymethotrexate.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buyrogaine.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byemeds.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bystryj-zajm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cabecera-descendimiento.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cabelgrano.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cabezadelcaballo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cafenix.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calaverasmedicalcannabis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calcioragusa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calposa.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cambodiainfo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cameraslyphotography.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "camisado.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "canhq.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cantosdisidentes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "car-speed.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carfinans.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "caribuku.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carmeni.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carolicious.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carousel.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carrabiners.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carsshop.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cartfilm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casalcrevillent.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casalinghedisperate.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casalribeiro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "castalie.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "castle.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "castleoblivion.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "castrillodelavega.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "catalojic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "caterbing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "catiadecastro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ccblicense.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ccc88.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cctv-supraveghere.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cdlinares.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "celadas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "celebritytopnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centrum-edukacji.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cesium.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chardik.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chaussurerunning.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chaussuresmarche.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheap-life-insurance-quote.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheapmedrol.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chefpablito.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chezbernard.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chinastory.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chispita.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chitinfo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "christianblog.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chrixonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chuvashia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cilacapnews.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cinemadoma.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cinexmachina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "city-forums.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clickforum.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clickphobia.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cliffburton.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "climatizzatore.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clipperses.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cloudninelandscapedesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "club-leondehuanuco.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cm-loures.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "codeidea.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "codesgroup.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coeurdesushi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coginti.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "colchonminicuna.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "colley.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comeoneileen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comlipa.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "communist-party.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comprarcarteras.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "compu-ofertas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "compusrit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "computeradvance.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "condit.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "configurat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "conflicting.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "consoleuniverse.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coolmath.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coomonte.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "copycenter.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "copywriting-on-demand.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "correctionsfoundation.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "corvee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cosmetique-totale.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coth.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "countrysidemarquees.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cpegypt.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cpsa.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cracksnet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crafttalk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "craig-mullins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crapmail.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crazyhost.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creditif.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creditor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cristals.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cristianonascimento.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cross-culture.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crvegas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cubanchino.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cubigames.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cucaracha.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cursomarketingdigitalmx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "customessaystation.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "customradio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cutlinks.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cutmylink.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyber-yaroslavl.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybercat-tver.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybercave.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybergame-host.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberium-planet.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybermaniac.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberpanel.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberphoenix.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberquest.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybersound.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cytat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d-consultant.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d-soft.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d588.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daemon-hentai.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dahobo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dailynewsclubs.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dairikab.go.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dajiadu8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dakota-spain.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dale-bancruz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danceylove.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dannygaidateraelgar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dannyjota.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dapoxetinagenerico.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dassolutions.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dataman.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datenendlager.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datingsrit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dcareer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "de-mossadeq.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deantiguos.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "debauchery.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "debitterballetjes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deblocking.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedmoroz.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "defektologiya.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "defifa.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "defterikebir.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deine-gitarre.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deinelakaien.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deionized.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "delcan.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "delcan.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dellacasapizzasemassas.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dementieva-pennetta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "demicrofonos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "demirdokum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "democracy-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "denegmnogo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "denejki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dengivdom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dentals.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "denvernews.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "departmentofoncology.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "depelteau.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "depleteduranium.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "depositomerci.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "derango.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deshevle-net.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "desportvriendenoverijse.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "destroymc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "detiks.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "detki.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "detreannamaria.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "detyamobuv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "detyobuv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devcore.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devildog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devils-co.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5103.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5104.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5105.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "df5ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dfc52.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dieta-figura.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "differentgirleveryday.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dimitrovi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "directed.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "directlendingsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dirk-dogs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "disabuse.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "discodery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "disconnect.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "distancelove.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dities.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "divistart.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dixi.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dj16888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dj16888a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dj16888b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dj16888c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dj16888d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djfafafa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dji-ars.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djlove.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djslash.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dlyaribalki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doc-baza.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dockysearch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "docogo.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doctornaima.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doddy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dodikod.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dolce-vita-mia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doll.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domain-skachat.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domainforfree.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domainhostingcompany.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domlist.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domoset.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "donaldtrump.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doradoscampeon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dorogaminina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dostav.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dosyanet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doubleness.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "downloadfiles.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doxycyclineprices.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon31.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dranik.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dream-pools.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dreamcrack.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dreamwork.financial", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dreamworldstudio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drianpublishing.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "driv.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drivingacademy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drunkendropkes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dubaizone.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dubrava.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "durcal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "duxi-s-feromonami.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dy1d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dynamofanforum.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dzus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-diabolo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-fishing.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-informatyk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-peets.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-yachts.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e007.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "earningthatis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "earthcorporation.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easyshare.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easywin.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eblog.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eburg.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ecbt.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eco-flowplumbing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eden-project-insight.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edgarz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "educationtree.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee362.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee367.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee371.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee372.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee373.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee397.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee575.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee631.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee632.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee651.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee652.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee653.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee735.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee736.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee951.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ee973.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "egonix.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elcin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electroforum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electromagnetism.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electronicssrit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electroworld.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elektromotor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elephantia.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elikers.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elite-design.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elriacdn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "em888.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emersoncanada.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "endlesswebsite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enerypa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "englandschool.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eniziolab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enoisdaturma.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enrack.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enrique-monroy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "entertainmentblog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enwikipedia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "epal.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "epicenter.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "erasure.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "erevan-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eridas.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ersinbiltekin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "escueladego.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esmejor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "essay-writing-topics-fce.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "essaymaker.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "essenerbaeder.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "estaryshop.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "euman.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "euroshop.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eusarse.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evadental.institute", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eveaz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eventosformativos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "everberg.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "everglowtrading.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "examsite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "examticket.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exciters.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exotic-bengal-cattery.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expert-voronezh.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expertpaintersvt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "explosionstereo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expouniverse.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exsanio.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "extremfrank.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eyetooth.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ezik-ido.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f51365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9850.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9854.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9884.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f9885.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "factslider.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fairyth.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fake-show.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fakes-ru.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fakt.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fall.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fanclubrbdmaniaromania.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fantasyfoot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "farberplasticsurgery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "farmaspeed.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fashionlistify.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fasturl.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "festivalpopayan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ffvideo.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filesuffix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fimozin.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fimp.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finance-news.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "findlocalproduce.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finestrabatalera.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finlito.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fioritic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firenews.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fito.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fizadvocaten.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fkraiem.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flamengopi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flashgamedev.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "floorballphilippines.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "florenciasabio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flyawaybirds.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "folar.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "footballsrit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ford-mustang.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forfeit.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forum-egypte.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forum-gilee.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forum-noginska.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forumirc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forumpakistan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fotofon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fourscore.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frail.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fralippolippi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frankieburkeactor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frankieruiz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "free-bitco.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "free-generate.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "free-traff.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freebegames.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freedogecrypt.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freedombankva.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freedomisslavery.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freemotion.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freetrung.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freifall.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freiwuppertal.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fruit-farm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fukt.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fungomoscow.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "futbol-tv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fyss.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g3homefoods.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g47.web.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g51365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gablesportsga.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gabryjeluk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gadgetstock.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gaelico.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gagramore.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "galaktika-znakomstv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "galaxyplex.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gamerspost.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gameserver-admin.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gamingx.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gammaphibeta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gastronom.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gathegi.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gazoz.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gdesemena.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "genen.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "geoffnussmd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "geonice.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "georgekaraoglanis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gerbang-singkolo.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "geroiplavska.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "geschaeftsideen-ebook.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "get-california-real-estate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getpromo.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gfac.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gfronline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giovannarossi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "givepenny.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glebov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gnezdo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "go-kuwait.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "godall.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gogomail.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goldenage.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goquiqstatus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gorodrostov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gosaavd.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goug7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gougeaway.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gpswebsoft.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gpz500s.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grafik.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greeknewspapers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greenews.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grekiskagudar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "griffinsrfc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grilllness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grokandtonic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grumpyseb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grupdedansa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grupoauxteclic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gruzoperevozki.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gugs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guidethailande.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guillen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guitarangel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gunerds.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guzelforum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gvitebsk.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gymnastic.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gyroscopicinvesting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h51365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h6852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h6853.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h6895.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h6913.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h9386.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "habernet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hackthat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hair-guide.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "haircutideas.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hakimova.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "halilweb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "handymanbypolli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hardrock.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hb6365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "health24world.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "healthystyle.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "heijmans.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "helbreath.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "helloafrica.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "herqqq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hexsafe.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg2018hg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg61388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg62388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg67388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg67855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg67877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg72988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg97188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg97288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg97388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg97588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hg97688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiddenimage.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hieisuki.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hightechreviews.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hilarious.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hindibaba.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hindu-temple.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "holini.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hollywoodstars.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "homophobia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "honeybrooklibrary.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hongki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hongorw.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hongosdemexico.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hoon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "host4me.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hostingdirectory.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelsrit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotmann.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "housedesigninfo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "houstongaragedoorsrepair.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "huaxingui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hydrasecurity.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy80.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy81.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy82.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy83.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy85.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy89.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hyhy98.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i365365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i36588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i51365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i7sas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iamwill.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "icelandic.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ient.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ifconfig.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ifiveglobal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ifolder.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ignatij.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ikari-san.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ikx.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilg.ink", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iligang.com.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iligang.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iligang.net.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilovesamara.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iloveyoutoo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilug-ktm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilumantio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imolights.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inalvittile.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inbound.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indexmarket.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indiafm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indianapolisnews.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indianerschmuck24.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indigobooks.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indigostudios.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indonesian-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indospot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infinitelightofbeing.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "info-bolivia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "informat.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inglesencanada.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inin.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inlineskating.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innico.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "insiberia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "intercrosse.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "internet42.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "internetmagaz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "intimznakomstvo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ip40.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "irajsingh.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iranfilmcity.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iranonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iraqinews.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ireland.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "irob.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ironraven.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "isae-supaero.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "isae.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "islamabadcourt.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "islamnewss.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ismadgeintrouble.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "israelnewswire.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "it4sure.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "italiatopnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "italik.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itezu.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ittgame.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itzkavin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iweathernet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32661.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32662.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32664.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32665.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32771.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32772.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32774.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j32775.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j51365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j5563.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j5573.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j7051.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j7052.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j7053.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j8846.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j9943.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jackrussel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "janelle-jamer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "janellequintana.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "japantravel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "javaexpert.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "javiermascherano.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jennifertilly.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jerisandoval.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesseonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesusvasquez.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jino.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha1234567.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha12345678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha168.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha2228.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha2288.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha66669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha6969.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha8888888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jinsha99999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "johan-koffeman.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "johnpenny.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "johnpenny.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jolfamarket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jomsolat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jongcaxent.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jongtonghapkido.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jose-latino.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joseenriquegonzalez.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "josefernandomorilloardila.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "journeyfitness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jovenescontraelaburrimiento.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jqk918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "js636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "js637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "js638.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jsidefox.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "julia-clarete.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jungyonghwa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "juppy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "just-heberg.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "just-keep-swimming.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "justknigi.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k1958.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaatsen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kabachok.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kafel-ufa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kai-ruecker.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi001.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi007.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi03.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kak-pohudet-legko.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kalashnikov.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaliningrad.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kalsa.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kandhamal.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karantholdings.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karapuzz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kashbet666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "katalog-serverov.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "katalog-tovarov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kathleendeisher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb021.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb0303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb036.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb06.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb07.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb1515.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb2727.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb283.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3131.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3434.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb3535.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4141.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4242.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb4747.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb506.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5252.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb5pt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb673.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb702.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb7070.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb7474.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb7676.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb786.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb864.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8811.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb8898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc03.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88dc29.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md07.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md18.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md19.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb88md30.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb896.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb930.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb963.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb965.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb9696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb975.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbhgi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbty0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbxlu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kegelschiene.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kemerovo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "keramed.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ketoconazole.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kevinvanderperren.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "keyworth-meadow.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khakasiya.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khakasiya.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khakassia.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khakassia.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khakassia.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khakassia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kilo-files.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kimberleythomson.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinglier.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kino-doma.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinodrom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinosha.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinovsem.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinozone.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kirov.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kirovcity.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kirovgrad.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kismy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kleinhaneveld.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "koba.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "korancode.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "koroleva.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "korund.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krakozyabra.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kravmagaangers.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kresimir-blazevic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kryptologie.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks-19.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks-39.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks-49.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks-59.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks-79.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks01.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks016.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks017.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks02.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks023.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks038.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0404.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks05.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks051.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks053.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0566.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks06.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0660.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks07.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0718.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0758.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0766.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0768.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0770.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0778.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks08.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks080.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks082.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks083.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0833.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks085.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks087.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks09.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0977.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0990.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks0996.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks1010.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks143.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks156.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks182.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks196.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks209.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks210.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks213.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks214.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks256.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks257.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks2626.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks281.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks282.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks285.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks286.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks288.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks2888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks2888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks296.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks298.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks299.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks299.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks335.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks337.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks338.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks3535.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks3737.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks380.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks381.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks383.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks385.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks386.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks388.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks3939.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks4040.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks4242.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5014.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5050.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks506.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks516.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5353.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks541.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks549.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks556.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks556.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5606.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks596.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks597.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks600.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks602.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks626.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6363.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks641.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6690.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6767.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks687.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks69.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks692.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks7272.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks7373.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks79.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8186.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8383.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks88.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks883.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8839.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8884.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8885.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks89.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8989.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks9.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks915.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks9393.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks960.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks9696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks9797.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks9888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks99.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks996.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kst-service.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ksvip02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ksvip04.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ksvip09.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kswinwin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ktuluweb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kukeri-karlovo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kupislivki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kurd-online.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kurgancity.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kuznica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kylie-pomada.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kyrylych.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "l30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "l3l365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "la-paco.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "labandadelamente.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lablnet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lada-granta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laencina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laramewa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lasdelgadas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lavozdelamusicachilena.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lbc-podcast.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ld66999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ld699.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ld6999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "learnhowtoplayguitar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "learningladderacademy.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lesbianlovers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "letaman.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "letdownloads.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leu365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lg.gz.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "li.gz.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liberty-city.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "librarium.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "libruis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lifekirov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liftmastercloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lightcraftmc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lightfoot.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "limbaido.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "limitlessinteractive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lindgrenracing.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linestriperdepot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linkwheel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linonin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lion7.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lipacom.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lisadelbo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "littlelucifercafe.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livelink.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livenewsrussia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "locabir.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lockerroomstories.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "locksmithservice-humble.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "locksmithssanmarcostx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "locksmithstaffordtx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "locomen.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "london-mafia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8079.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lorimullins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lorisfnotary.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loveismystyle.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lucarautti.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ludolust.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "luizlopes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lukaszuk.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lukaszuk.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lukezweb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lux-house.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "luxhome.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lyna.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m365m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "macon.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "madeira.gov.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "madgeandpaul.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "madgech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "madgeisawesome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maewongaming.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magaconnection.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maggot.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magic-cheerleading.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magisternegi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailinabox.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maladie-autoimmune.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "malariaadvice.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maleperformancepills.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maltasite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maltaultrastifo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mangaworld.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marblemosaics.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "margolis.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mariahandnasty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marufmusic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvaco.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masalaband.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masdemariette.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mass.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mathiteia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mati.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matthieuchedidweb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matuslab.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mauriceje.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maveeranpasupathi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max-apk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max-phone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max00365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max0365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max11365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max1365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max22365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max2365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max33365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max3365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max4365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max44365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max5365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max55365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max6365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max66365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max7365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max77365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max8365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max88365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "max9365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maxclean.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mayito.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mayre-idol.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mazavto.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbetb33.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbetb73.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbetbtt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbte365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbtt365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "me-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "med-line.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medalofvalor.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mediagetnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medichat.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medivox.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megawebsite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mehibo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "melatonin.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "melda-agustin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meliyb.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mesabi.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metaljournal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metalliran.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metrodemaracaibo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mevsim.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mezedokamomata.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "micontractortraining.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mido.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miguelito.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "milan-news.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "milavica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "militarysrit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "milkmoovement.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mill.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "minaio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "minibrewery.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mink-coat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miragg.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mirkvartir.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mitiad.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mix-channel.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miyanaga.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mkbet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mmcalc.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mobileague.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mobinst.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mobsitin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mobtop.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moburst.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mogica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moldova-online.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moldovanka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moldovawall.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "molodost.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "momocrats.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moneta-rossii.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mongolbox.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monkeysorce.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mononom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moonwolfwiccanschool.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moraldehornuez.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moroccanews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moroccotodaynews.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mortengamstpedersen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moscow-moscow.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moscow-new.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mosnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mostlymuttz.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motoscascos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motun.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mrlove.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "muhabbet.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mullinsfarms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "multigamers-net.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "multischool.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "murmansk.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "musicradio.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mutualmoney.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "my-bratsk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "my-tunisia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myarcade.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mychamberlain.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mychamberlain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mychamberlain.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mychemromance.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygreatwebsite.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mykursumlija.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myliftmaster.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myliftmaster.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mylight.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mylkguys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mymerlin.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mymerlin.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mypenza.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mypfp.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mypvhc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myqbusiness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myraboats.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mystore24.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myxxxsite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "na-kipre.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nabeez.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nabokov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nacocu.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nakedinkas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nameshield.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nameshield.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nancyzone.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nandito.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "napominanie.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "narrabeenlakesbikehire.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naruto-best.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nataez.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "natasabekvalac.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naturalcosmetics.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naturelk.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nay.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nazarenoviso.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nba-officecenter.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neboley.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neofilia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neoverso.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nert.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netrabota.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nevergirl.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "new-smile.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newillusion.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newimage.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newlovers.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newlovers.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newlytricks.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "news-sy.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "news123.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "news12elite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "news53today.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "news54.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsbali.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsbusiness.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newscultural.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsinkansas.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsinpolitics.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsireland.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsuk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsvideo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newyorknews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nextpost.company", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nicoleta-prestescu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nightwishchile.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "niituva.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nika-travel.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nikitenko.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nikolahost.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nikolai-schmidt.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nina-woerz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "no-real.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nocturnus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nokya.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nontonfilem.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nopajam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "norala.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nordicsrit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "northkoreainsider.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nou9ta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novak.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novanetwork.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novokuznetsk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novoselie.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "now101atm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nullscripts.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "numericall.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nurmio.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "o30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "o365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "o3c.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oakparkmedicalcentre.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oaktravel.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "obmen-viz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "obnalichka.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "occultisme.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "odysseytraining.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ogamerezine.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oghost.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ogo-knigi.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oimexico.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ok118.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ok7779.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "okpo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oldaine.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oldbkcom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oldcity.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oldfieldmusic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oldiesmusicguide.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oldriver.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "olesaradio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "olivejs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ollo.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omretreats.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "one-news.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onlineautodealered.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onlinecasinolisboa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onurerhan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ooo-santal.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "operanavigation.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "opncld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oposicionesprofesores.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orangtua.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orel-sait.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "organise.earth", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ortaev.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "otdyh-v-abhazii.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "otoplenie-ufa.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ouwerling.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oxymail.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ozonstyle.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p2d.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58103.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58104.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58201.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58202.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58203.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58204.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p58205.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p888010.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9120.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9125.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9136.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9162.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9165.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9167.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9195.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9196.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91ab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91ac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91ad.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91ae.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91af.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91ag.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91ah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p91aj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p9cq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paintbrush.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pakistan24.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pamc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "panamatravel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "panangelium.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pandithaya.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "panoramahurtowni.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "papakonstantinou.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paperplatefun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paramaquetas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paranoidandroid.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parfumer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parkefficient.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parrocchiadimeana.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pasnederland.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pasteht.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pastorello.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "patioroof.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pattayafruitgarden.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paulandmadge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pavelitus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcbmarketing.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcisecuritystandards.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcissc.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pdc.wales", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peacekeeper.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pearcom.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peliculasonline1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "penholder.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pensioner-1000.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pentamexicali.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "penza-on-line.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "penza-today.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "penzaonline.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perevedut.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perevirka.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perewall.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perpetual.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "personvernnemnda.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perulinks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pervoklass.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "petrotrustlibya.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "petrozavodsk.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peturnashes.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pharmaceuticalcannabis.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "philarmonic-abaza.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "philippinenewsvanguard.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "philosophers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phuket-nash.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pierreterrien.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pigb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pilesyk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pinchuk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pionieren.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pipenav.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pivbar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pivotanimation.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pizzariapartiupizza.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21299.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21399.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21499.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21566.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21599.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21677.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21990.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21991.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21992.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21993.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21994.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21995.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21996.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21997.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pj21z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pjshop.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pkq5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "planeta-remontika.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "playingvideojuegos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pleasanton-daycare-childcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pleasantonmobilenotary.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plenkanaotrez.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "poetenblog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "poker4all.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pokeram.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polimer39.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polisipati.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "politicsandnews.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "politicsnews.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polliconstruction.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polskienewsy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pomorskibereg.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "popova.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "postoyanstvo.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "potgrowersunion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "potkani.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pozharnyi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pp234.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pradeek.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "praiss.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pravoslavie.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pravoslavnayarus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pravosudie.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "preference.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "premised.land", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "presidentdirectory.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prevention-formation.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pridnestrovye.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "progeste.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "programmatv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "projectfreehosting.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prostitutki-narvskaja.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prosto-dengi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "protek.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prototyping-computer.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psihotest.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psixotest.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psixotesty.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psw-training.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ptupapers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "public-measures.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pucogid.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "purchasescooters.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "purrfectlove.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "putana.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "putanypitera.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "q30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "q365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "q88588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qdrat.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qq6396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qqq6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qqq63.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qqq67.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quantumfinance.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qubhockey.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "queirozmiotto.adv.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quiqstatus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "r30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raballder.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "racaliz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radioh.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radionrg.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiopharereims.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiorainbow.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radmehrco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rainbowsmoothies.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rajaealhoceima.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ralix.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rapport.link", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rascals.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ratgeber-guide.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "razgon.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "razvlekuha.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "razvlekuhablog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rdviitd.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reallycooljobs.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realpaella.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recherchegruppe.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "redeyeguatemala.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "redunion.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "refluxogastroesofagico.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "regata2015.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "region-vologda.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rejido.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remedee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reminisceaudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remont-kvartirvmoskve.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "requena.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rescuer.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reshka.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "retailing.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reut42.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revisoronline.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revizor-online.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rezka-burenie.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rgpdkit.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "riba-lov.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "riddickthemovie.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rido.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ridvan-vllasaliu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roadtripusa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roamfreun.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "robertoullan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "robuxemporium.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rockslideengineering.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rodinka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rolandozarate.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roofer.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roomee.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rosa-spain.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rosbiznes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rosstroj-balashiha.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rotaractclubtucuman.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rothbruederlein.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roxburytech.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rssfeedonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rubbaduckee.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ruchka-mashinka.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ruexpert.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rufartabs.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ruffnecks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ruknguk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rumenka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "runame.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ruoskachile.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rusexmany.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rushmyessay.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russian-page.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rust.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ruthiehallarsis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ryabinushka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "s30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sabians.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sacians.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sadoun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "safefreehost.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "safesoundcounselingllc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sainshand.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saint-peterburg.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saint-petersburg.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saint-petersburg.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saint-petersburg.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saintip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saintpetersburg.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saintpetersburg.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saintpetersburg.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "salesactivities.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "salvadorinfantil.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sambuchanan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samiratv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samvui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sandwichcouncil.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanfranciscopersonalinjuryattorney.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sangen.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanluisdequillota.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "santibanezdetera.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "santjoandevilassar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sapibatam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saratov24.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saratovlive.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saratovnews.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saratovtime.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sarhua.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sbgroup.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sc21.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scandinaviancorner.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scarinex.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schellebelle.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schoolroom.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schoolstats.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schwarzenberg.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scooter-experts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scotthelmesucks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scoutsanbartolome.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scrapbookdecorations.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scriptomania.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scurtam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seabrooklocksmith.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "second-life-partner-ichien.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "secretagentclub.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "secumailer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "secumailer.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "secumailer.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selimcerkezi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selo-cer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "senhorst.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seo-obmen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seo-phpbb.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seo-piar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seoonline.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seoserfing.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seoviziti50.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seozel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "septonol.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serverninja.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serviefectivo.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "setevik.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sevastopol.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shadowfight2.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shanhay.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sharik-msk.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shaytan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shechipin.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sheffield-wednesday-fc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shelehov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shenderman.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shijij.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shirevirtual.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shiriforum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shiva-temple.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shola.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shop-slivki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shopera.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shost.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shouldbetaught.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "showmethegadgets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "showslivki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shrapnel.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sidmax.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sikaranbrotherhood.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "silvertorrents.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sim-mobile.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simsimi.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sincronizateconlosmilagros.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sinews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sinluzvenezuela.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sion-colony.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sirandorung.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siscompbolivia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "site-ua.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "site.mu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sitekatalog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sitesdesign.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skaiman.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skante.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skateswagger.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skirts.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sky-live.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slipknot-site.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smartcover.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smartleads.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smartphone-blog.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smcasino.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smcasino.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smiblog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sms-pro.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snatch-note.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sngnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snowboardforum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snsirius.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sochionline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "socialair.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sociedadsostenible.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "softbit.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sokak-sanati.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soldierangels.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "solidsteel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "solunci-loznica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "someserver.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "somosabc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "son-onlajn.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "son-tolkovatel.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sonodrom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sosaka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sot-te.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soundtube.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spacewallpaperhd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spaenny.tf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sparkl.fm", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sparklesvt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sparklingessentials.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spartancoin.ooo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spiritous.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sporemasters.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sports-sites.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spotzlight.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "springhow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sritalaska.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sritcities.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srithunters.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sritidaho.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sritspanish.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sritvermont.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "standartgost.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "starsandmanifolds.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stealthpressurewashers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stebenkov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stefchapman.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sterlitamak.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stevemario.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stevemason.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stilsvadba.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stonetribute.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stoplossoff.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "storefront.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "strikers.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stroiproect.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studio-abok.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stupidthoughts.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stupino-stroy.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stylebeat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "subdivider.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "successemails.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sucessclick.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sudanindependent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sudanindependent.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suecaunitedfc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sugatime.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sugos.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suicide.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sumatrabarat.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sumatrautara.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sumatriptan365.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "summarized.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sunshilin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sunshinelife.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suomenkielisetnettikasinot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superbestpalsclub.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superdrillers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "supermagna.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superservers.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superstargossip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superstarhost.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "supertrade.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "surnganet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "surveer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suseki.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swissurf.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sy635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8803.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8807.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8809.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8817.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8830.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88uu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88vip0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88vip1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88vip2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88vip3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88vip4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88vip5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88vip6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88vip7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t88yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taanishsaifu.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tabacundo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tablerocksbestrealtors.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tadalafilindia.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taggigkaktus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taigamehack.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tambov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tamoxifen-citrate.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tarotistasvidentes.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tatary.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tattoo-art.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tauriscia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taxce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teamrevolution.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teazer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "technowise.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techserve.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techwalker.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teka.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "telephoni-cdma.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tempdomain.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "templete.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "temporarysanity.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "terengganudaily.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "termoidraulico.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "test-school.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "testthis.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "textpages.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo0000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo0088.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo1111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo2222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo3333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo4444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo456.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo5555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo6688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo7777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo7788.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo8899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgo9988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgoaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgoall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tgoasia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thaiboystory.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thaihotmodels.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thaiportal.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "the51news.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theandroidsoul.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thebacteriafight.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thebestlaos.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thecarpenters.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theknockout.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theminiacs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thenest.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theparoxetine.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theproject.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thetopmovie.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thewashingmachine.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thomastestor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thomsons.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "threepercentrealty.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thuongtravel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiagosimao.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tierarzt-karlsruhe-durlach.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tigerfm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tigergroup.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tihvin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiles-for-facing.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "time-business.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "time-hotel.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timerace.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timgame.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timich.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timmi6790.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tips4india.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tirteafuera.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "titanforged.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tixio.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tobiasfischer.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tolerance-zero.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomsk.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tonorosario.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "top-russian.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "top10media.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topknot.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topspin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topurls.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tormox.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "torontonews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "torrance.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "totalhost.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "touchka.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tourism-exegetai.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toursinvietnam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toyschina.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toysplace.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tracking-app.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tradebotcompany.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "traderinside.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trafic-wap.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trapkitchen.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelphilippines.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelwithsearats.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trazodononline.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "treatmentforkennelcough.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trials.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tribalwarsstyles.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tribistovo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tricountyathome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tridentmedia.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trilogyforce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "triplicate.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "troop89medfield.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trotter.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trusthook.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tryingtotakeovertheworld.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt0766.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt0866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt0966.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt2866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt2966.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt3666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt3699.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt3766.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt3999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt6396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt7199.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt7299.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt7399.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt8166.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt8266.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt8366.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tt9799.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tula-city.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tula-news.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuneotune.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tunisiapress.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turbosuflantecluj.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turciya.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turkey-portal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turkishhackers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turkmannews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turtlehead.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tutdevki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tutorialcoding.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tvoia-dietka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "twainhartehotels.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "twodrinksaway.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty513.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty525.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty529.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty561.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty562.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty573.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty583.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty587.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty593.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty613.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty632.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty650.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty679.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty705.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty715.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty716.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty723.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty736.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty737.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty739.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty750.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty756.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty767.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty783.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty785.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty791.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty793.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty853.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty857.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty927.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty935.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty937.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty953.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty962.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty965.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ty980.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tyumen.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tyva.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tyva.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "u30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uareferat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uberhorny.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uborka-kvartir-moskva.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ucmatedeveloper.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "udbina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "udien.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ulsters.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ultimate-fireworks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ultimatebabyshowergifts.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ultrafine.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unasim.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unbolt.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unboxed.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "undertow.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unexpectedcompany.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unitir.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uniuni.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "universidadcatolica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unixhost.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unxcoconsulting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uplinkgame.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uppfinnarenc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ural-emal.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urlfly.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "usercompare.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "utahrealestatepodcast.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "utbosbeekhuuske.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "utevai.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uu378.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uzbekkizlari.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uzbektumblers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uzhas-uzhasny.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v05666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v1.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v10006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v10008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v1951.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v3025.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v33v33.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v44v44.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v5075.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55510.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55520.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55530.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55569.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55580.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55590.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55593.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55v55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v6021.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v6170.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v6350.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v6506.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66255.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66557.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66615.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66619.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66629.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66638.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v6752.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v6791.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v700a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v700b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v700w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v76555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v88299.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v88511.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v88559.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v88656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v88799.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9285.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9286.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9289.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9821.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9823.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9831.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vacati0n.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valencianisme.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valeravi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vardenafilhcl.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "varianto25.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "varjo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vasheradio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vatav.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vbm11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vbm22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vbm33.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vegetarier-sind-moerder.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "veggies.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vektlofting.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "velib.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vendi.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "venezianischemasken.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vengriya.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "veredadelaestrella.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verstka.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vestlundbolargen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "veusveus.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "victorcarrasco.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "victorhorta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vidassemfronteiras.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vietnam-tours.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vildlaithailand.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "villablino.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vinit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vip-moda.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipcp.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visionxcreative.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visit-thailand.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visiter-tunis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visual-design.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vitaliyshepotkov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vkarpaty.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vladimir.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vlcentre.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vmf365.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vneftekamske.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns168.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns377j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns5151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns5353.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns5656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns5757.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns5858.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns5959.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns6161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns6262.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns6363.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns6767.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns68611.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns68655.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns68669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns6868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns6868.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns68722.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vns6969.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vnsr112233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voetbalclubinfo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "volosnet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vovkamagazine.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vremyachko.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vrostove.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs106.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs107.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs1177.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs1717.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs2277.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs2828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs5050.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs5151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs601.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs603.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs6060.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs6161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs680.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs7711.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs8899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs9911.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vs9977.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vsaratove.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vsem-privet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vstavropole.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vulcancycling.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vulgar-teens.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vysokoe.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w000999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w123123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w234234.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w456456.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w567567.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66w66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w678678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w789789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w888022.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w888033.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w888044.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w888066.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w888077.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w888088.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w888099.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w9710.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w9720.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w9730.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w9740.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w9750.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w97a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w97aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w97app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w97app2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w97app3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w97bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w97cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waermekabine.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waimanu.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wajs1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wajs2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wangshengze.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wapbet365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wapnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wash-house.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "water-polo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wealthcreationsolutions.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "web-format.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "web-test.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webdesignersinchennai.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webinator.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weblights.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webmaster16.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webranking.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "websitedesignersmalappuram.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "websitedesignprice.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "websitepromotion.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wellnesshotel-weimar.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "west-raptors.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whisperwashonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whiterabbit.group", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wicontractortraining.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wien52.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wikisorg.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wildandwonderfulbodycare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wildberries.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wilgo.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wing-tsun.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wither.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wizardschool.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wkhs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wns68123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wns6852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wns6862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wns68622.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wns6865.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wns68666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wns6872.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wnsr3970.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wolflambert.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wonderlab.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "woorocket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wordops.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wordpresssetup.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worldcarding.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worldoflegion.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wulfrun-invicta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ww6396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x10006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x2816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3515.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3803.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3804.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3807.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x3927.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x58z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5901.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5902.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5903.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5904.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5905.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5906.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5907.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5908.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x5910.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7713.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7715.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7716.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7718.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7719.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7782.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7785.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x7795.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77pp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x77ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8100000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8111111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8122222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8133333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8144444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8155555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8166666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8177777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8188888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x8199999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81pp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81ss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81uu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81yy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x9015.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x9701.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x98z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x993.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab199.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab456.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab678a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab678b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab678c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab678d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab799.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xab899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xaba.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xacker.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xarangallomangallo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xenical.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xerdeso.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7aaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7bbb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7ccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7eee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7fff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7ggg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7hhh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7iii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xh7xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xloud.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xmyy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--4brt03c.xn--io0a7i", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--7or43h.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--bcher-bestseller-jzb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--bcherbestseller-zvb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--eebao6b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--schcke-yxa.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj000444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj000555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj000666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj567088.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj567288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj567388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj567888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj678678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpjai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpjbeting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpjcs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xucha.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xx6396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09app.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y09x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y3650.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y36500.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y3651.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y36511.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y3653.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y3654.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y3656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y36577.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y6180.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68ah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68am.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68bet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68bj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68cd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68cq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68fj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68gd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68gl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68gs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68gx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68gz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68heb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68hf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68hk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68hlj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68hn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68hz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68jl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68jn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68jx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68ln.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68nj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68nm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68nx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68qh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68sc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68sd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68sh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68sjz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68sx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68sy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68sz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68tj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68tw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68xg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68xj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68xz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68yn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y68zj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y70101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y70102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y70103.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y70104.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y70105.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y7091.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y7092.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y7093.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y890000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y891111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y892222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y893333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y894444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y895555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y896666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y897777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y898888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89aaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89bbb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89ccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89eee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89fff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89ggg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89hhh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89iii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y89zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yagoda-malina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yangfamily.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yantox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan33.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan365.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan44.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan77.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapanwang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yaws.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yellowsquid.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yemenlink.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yenbainet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yeniexpo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yepmom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yerbasbuenas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yesteryear-chronicle.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yiluup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yoloyolo.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yordanisp.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "youcanhelp.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "youla.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "youngmodelsagency.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "your-forum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "your-greece.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "youreward.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yourmagicstory.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuandan.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yukoslibrary.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yy153.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yy393.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yy6396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zackiarfan.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zadrot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zagruz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaija.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaim15min.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajm-ehkspress.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajmy-contact.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajmy-contact.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajmy-contact.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajmy-contact.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zala.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zambianewsforum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zamenim.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zandra.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zappingarahal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zapreaders.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaruhi.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zcrypto.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd8883.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zegriesalmansa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zemlyaki.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zen-zone.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zepter.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zepter.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zero-knigi.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhivoj-dom.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zinabnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zindan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ziroux.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zizibook.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8585.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8873.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zloybot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "znanje.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "znich.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zoepolitics.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zok-ambicija.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zoko.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zonaperu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zowe.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zsoltbereczki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zumberak.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zverskij-site.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zzzz365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "011ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "015ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "017ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "019ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "026ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "031ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "032ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "033ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "036ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "039ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "050ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "052ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "05am8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1080.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "181lilai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "188188688.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "188lilai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "188wei.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "198wei.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1lc11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1lc22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1lc55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1vpns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2000meter.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2018j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2019j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2020j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2021j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2022j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2023j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2024j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2025j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2026j95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2226321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "228wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "230110.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "233wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2346321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "253205.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2earn-online.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "308wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "318wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3336321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "333wei.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365888456.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365securitymg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365yapan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "369028.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "369038.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "380wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3963dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3970.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "400wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4566321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017501.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017502.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017504.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017505.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017601.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017602.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017603.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5017604.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "518wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "52062z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "535wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5536z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5539z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5556321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5676321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "586540.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5goglobal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "611136.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "611151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632017.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632025.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632026.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632027.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632040.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632045.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632046.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632047.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6321000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6321007.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6321008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6321009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6321222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6321333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632140.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632142.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632143.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632144.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632147.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632148.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "632174.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "65131z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66321o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6638s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6639s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6810app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6830521.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "690918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "690928.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "700wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "707wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "757wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7666321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7776321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7g31.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7win.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "800139.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8122d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8191d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8192d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8200d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8220d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8238d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8666321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "868wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8809d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8852d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8859d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888xpjxpj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88yabo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8900d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "898wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8win.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "900823.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "907vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918duu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918eeg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918exx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918izoz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918lzoz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918mwo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "918nwo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d28.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d30.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d75.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d76.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d78.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d79.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d81.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d82.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "91d92.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "939wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "946321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499060.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499066.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499068.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499113.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499115.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499118.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499125.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499238.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499263.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499292.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499293.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499369.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499399.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499403.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499459.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499558.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499568.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499575.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499682.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499958.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499aaaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499cccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499dddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499eeee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499ffff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499gggg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499hhhh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499iiii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499jjjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499kkkk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499llll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499mmmm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499nnnn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499oooo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499pppp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499qqqq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499rrrr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499ssss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499tttt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499uuuu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499vvvv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499wwww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499xxxx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499yyyy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499zzzz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "95am8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "988am8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "998wei.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k236.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k239.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k259.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k265.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k272.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k297.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k298.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k367.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k377.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k382.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k385.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k395.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k399.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k566.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k576.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k578.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k628.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k638.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k687.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k827.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k832.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k837.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k856.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k876.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k895.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9k897.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ab2web.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abashevo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdulawal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abelbarretto.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abogadocriminalorlando.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abusive-host.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "accessibilityguidelines.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "achiksongs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acronis.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "activescreenshots.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adceuta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "advantis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aerorecords.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "affinity.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "africanhosting.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agaveandpine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks05.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks20.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks21.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks30.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks31.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks32.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks36.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks38.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks39.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks46.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks49.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks52.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks53.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks56.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks57.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks59.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks60.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks61.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks69.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks71.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks72.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks75.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks79.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks80.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks82.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks83.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks85.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks86.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks87.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks90.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks92.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks93.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agks97.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agrodronechile.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agweili.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agzlapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aimare-web.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "airmash.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajaxtime.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alabamacoastalradiology.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aladintechnologies.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alalivre.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alcobendas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alcoholrehab.website", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alcubillas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aldenmiamibeach.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alfa-host.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alfagroup.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alfavit.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alineonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alkopedia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "all-things.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allfoodrecipes.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allgosts.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allnovosibirsk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alpha-bet.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alternatiwa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alushta-vostorg.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alwayshowher.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am2288m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am5188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am615.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8136.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8833.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8883.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amandahamilton.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "americanunicornparty.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amm6610.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amoxil.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amputated.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anabolickdieta.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anabolics.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anandchowdhary.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ananiev.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anarcho-copy.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anarhija.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andreyjuravlev.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andreysmirnov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andrianova.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "angelcorpus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "angora.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "angorarental.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animalliberation.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animamega.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aniviasport.store", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ankaraotokiralama.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anonaddy.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anonymousbitcoinexchange.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anouncer.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antabuse.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antfarm.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antonimos.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "any-download.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "any-download.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "any-download.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "any-download.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apocalypseboard.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "app6810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appliquette.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "architectus.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "areacinquentaeum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arquitet.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artcenter.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "as398.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asabacortoscaseros.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asana.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asdchieti.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ashleyashbee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "associationhorizon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "astrociencia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "astroloeches.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atomnetworks.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "attengo.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "attimec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aubonheurdeshuiles.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "authanet.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avangvpn.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avarcom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avengersonlinemovie.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aviationmilitaire.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avrora-nov.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ayporealestate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "azithromycine.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70661.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70664.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70665.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70771.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70772.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70773.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70774.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b70775.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b86255.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b89jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b979333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b979555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b979666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b979999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bacanora.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "badodds.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baloch-intelligence.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baptisteplanckaert.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barcelonawinewalk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barsukas.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bashkirlife.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "basradio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bassrhymeposse.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bd-media.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "begintravel.co.th", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "behar-selimi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "belgraver.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "belgraver.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beritanow.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestsgadgets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cn-casino.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cn-game.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cn-keno.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cn-livecasino.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cn-sports.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cn-vegas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betty-baloo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bhavansvidyamandir.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biaggeo-prod.herokuapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bibliatodo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bienvenidoamerica.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bigfatbetty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bigsam.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biolack.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biowtage.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "birthright.host", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitcoin-fauset.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitcoinbot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitcoinrush.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitjunkiehosting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackminds.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackspark.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackthrone.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blog-garage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blognews.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bloguser.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluegifts.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluetoothspecialist.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bob-dylan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bodas.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boevik.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bonbini.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bonusov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "borba-umov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "borein.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "borriquillacuenca.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boscq.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bounouh.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bramois.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bridgedigest.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brigittefontaine.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bromo.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brownwolfstudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "browsbybecca.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bssolvfagen-pre-storeswa-wap.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btc-alpha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btc-doge.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt113.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt128.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt229.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt230.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "btt789g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddy-acceptance-banking-api.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "businesspartner.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "busphotos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buswiki.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buysildenafil.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bwashing.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byggonline.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cactuspedia.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "caddyfashionshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cadifit.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calandrahosting.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "capitalist.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "capitein.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carapax.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cardiagnostics.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carepan.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carltontownfc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carolinaoliveira.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carontetourist.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carpetcleaning-cypress.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carplus.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carpuya.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casinotokelau.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "castellet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "catalog-underwear.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cernac.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "challengerinvestors.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "channydraws.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheapsmall.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheazey.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheazey.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "checkmin.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "checkwebsiteonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chelpogoda.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chelyaba.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheneypartners.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chesterman.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chetanrana.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chicofc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chiksfashion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "china-online-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chocope-peru.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chrisshort.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "citypro.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "citywisdom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clan-hosting.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clan-wars.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "climatgate.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clomid100mg.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cloudix.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "club-eclipse.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clubatleticonacionalpotosi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clubdeportivocieza.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cluberiks.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clubtamarugal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cola-host.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "commons-mayflower.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "compositedevtec.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comprarparaguas.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "computron.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comumlab.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "conalpedis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "confiscate.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "conradcartagena.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "construred.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "contratti.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "contrisur.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coolshirt.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coralcanticorumbarcelona.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "corehealthberks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cornitek.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "corruptos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cosec.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cosmos-software.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cotswoldflatroofing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coworking.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cpchur.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "craftshiponline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "craigdavis.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crazygifts.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creategyx.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creativesectors.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "credit-default-swaps.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "criptomoneylite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "criticalgenesis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crossfiremovies.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cryptopaste.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cs-algeria.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cs3334.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cs3336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cs3338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cs3339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "css-tricks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ctir.gov.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "culaneenergycorp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "culturabrasilia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "culturalparadiso.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "custer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cwaclub.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybergroup.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cz.ma", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "czprothz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d-vision-web.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88-livechat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d882.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d885.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d886.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d889.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88agqj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md04.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88md13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d898.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dagrs.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dakinecoupons.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daniel-leblanc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danskoya.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danzka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dark-crystal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dark-nova.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ddosguard.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deadroot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deal-runners.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "decode.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "defunct-engineers.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "degrasboom.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "delio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "delta-host.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "demonbuster.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "demopanel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "denatured.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dendelft.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "denkmalsetzung.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "departmentofdefense.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "desish.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "despertartransforma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deti-vse.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devopsish.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diebetriebsraete.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "digitai.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "directorydashboard.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "directorydisc.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "discovermuscatine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dizayner.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dlyatepla.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doc-baza.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domain-speicher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domain-speicher.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domain-swiss.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domenaru.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domhos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dominicandfelixroco.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domowe-potrawy.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doramamusic.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "download-knigi.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doxepin1.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dozor.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon05.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon07.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon23.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon25.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon29.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon59.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon62.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon71.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon72.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon86.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon91.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon92.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon93.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon95.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dragon96.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drogariasantoantonio.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dukeandduchessdrivingschool.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "durin-art.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dx2o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dzu.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dzu.works", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easyfiles.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easylogics.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easytube.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eaugenethomas.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ebookabc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ebooks-pdf.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eclipseforum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ed-studios.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edify.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edrosd.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eduart.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edyhenry.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "egomaniaque.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "einsurancetraining.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ekspoint-mods.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electras.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electroniko.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elegantlatex.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elektrotango.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elite-nakhodka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elite-tools.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emoforum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emreaydinfan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emulator.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ep-plus.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "epicentar.mk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "erektion1.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "escortlareryaman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "escovator-records.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esperantio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "european-hospital.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "european-hospital.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "european-hospital.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eva-briegel-fanpage.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evaalordiah.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eventblog2017.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eviction.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evil-empire.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evsinemasistemleri.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expeditions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f8003.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f8007.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "familleshilton.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fashionusa.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fashionxmas.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fast-cargo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fastknigi.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fcapollo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fcarsenal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fcic.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "feministreview.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "festesuniversitaries.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fifacup.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filedoom.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filmwallpapers.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "financenews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "findautoloan.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "findsingledating.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finestreview.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finma.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firstbooks.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firstwebring.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fixfm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flipmusic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flipphotography.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "florausa.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forex-giants.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forexcity.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "formalgrammar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "formality.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forum-tutorapide.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forumcarriocity.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fotopalacedigitalstudio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "founded.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "foxtrotfm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fran.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "france-news.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fredhook.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freecookies.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freelancerinc.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freelanceunleashed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freundinnenausflug.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frode.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fulige.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funnychristianjokes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gabriella.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gamingtilltheend.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gaopindy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gastrobox.com.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gazizov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gbthatcher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "geekyquiz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gemwire.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gennerator.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "germanicvs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "germantrip.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "germany-board.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "germanytravel.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "germanytravelguide.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gestus.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getpaidclub.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getwork.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gezinnenhilton.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gfxworld.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gibreel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gigasoft.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gigsoupmusic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gimnazjum-miloslaw.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "givemylife.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "globalshippinglimited.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "globalzone.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "go-srx.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "golosok.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gorodabakan.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gosti-dom.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goszakupki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gourmetvitamins.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gps-fleettracking.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grafittikontroll.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grandisco.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboomamersfoort.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboombinnendoor.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboomclophaemer.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboomderoos.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboomleusden.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboommax.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboommeerbalans.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboomveenendaal.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grasboomvondellaan.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gratisonlinespel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greeks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "green-anarchy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greendrive.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grupoinassa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guiacursos.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guys-reviews.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "habitable.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hafer.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hairpins.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hakkariradyo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hallcouture.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hamarimarriage.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hamiltonzinelibrary.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hamsystems.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "harabar.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hardcore-bodybuilding.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hbaa.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hbxianghang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "healthcarereviews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "healthierweight.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "healthylifeelite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "heijmans.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hentamanga.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiddenpalms.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hilalnews.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hirel.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "histkult.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hittop.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hoffmancorporation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "holidaylocal.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "holyriders.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "horclan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hosiery.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelconsulado.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotlog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "howtechvalley.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "humanidad.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hwjkk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i-house.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iceshopy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "icetechy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ihuir.men", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "importsign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imstocker.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inanam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inbound.menu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inefin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infoland.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "informspb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ingermany.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inlt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innovationgarage.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "input.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inspiringfuture.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "integ.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "integsystem.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "interminsk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "internet-tv4u.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "internetk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "investactiv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iotorq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iptvmaxx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "irandex.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "irkutsk38.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "islamicnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "israelportalk.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itemcreator.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ithot.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itraffic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iubuniversity.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ivahbbiz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ivendi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "izamulhakeem.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "izmirescort.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ja-hypnose.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jabber.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jailfood.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jaimepumarejo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jeans-shopping.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jerrywang.website", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jerusalempersonals.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jewadvert.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jfgselbitztal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jhw3d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jimmiestore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "johncam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jordanprogrammer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jordibelgraver.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jordibelgraver.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jordibelgraver.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jose-manuel-benito-alvarez.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "js86.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jucocauca.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "judybai.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "juragan.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jurassicworldfilmen.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "justcalm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "justquoteme.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jvlfinance.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jwimps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jysk-kornteknik.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kadvi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaishi77.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kalamos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaliboairport.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kamildrozd.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kapelya.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kareltrans.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karhoo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karimsaadati.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kariyam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kateysagal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "katherineswynford.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kavatasygarety.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb22.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb28.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb35.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb38.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb57.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb65.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb68.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kb99.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kemerovo.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kemerovo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kemerovo42.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "keniff.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kerrydavisguitars.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "keyhani.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "keyphotojs.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khmh.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kiahalchemy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kiliframework.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kindergarten-neugnadenfeld.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinomagia.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kinoshki.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kip-ribbetjes-bestellen.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kirgistan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kitevalley.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klassika.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kleidermarkt-vintage.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klub.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "konstanz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "konstructdigital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "konsul.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kopfgeld.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kosmosfestival.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kotuwa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kovachica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kozlekedes.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krasnodar24.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kreditzone.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krossakorven.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krovatka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks015.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks05.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks06.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks17.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks19.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks2251.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks2298.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks2375.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks2652.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks35.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks3533.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks410.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5525.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5531.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5532.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks56.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks5822.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6872.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks6875.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8112.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8113.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8128.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8129.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8135.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8152.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8176.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8177.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks82.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks82.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8211.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8218.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8266.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8278.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks8281.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks85.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks87.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks96.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ks97.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kudinilam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kulthist.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kupibilet.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kurdishphotography.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kurido-anime.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kvest-v-moskve.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lada-plus.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ladanmokhtari.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ladocs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lafansite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lalegria.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lamasacre.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laminsaho.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "langadeduero.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laoliang.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lapolvora.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "larasm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "larsnittve.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laterremotodealcorcon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laurable.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lavalon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lawda.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lawyer.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lazer.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leak.media", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leeyoungaeph.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lelux.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lenn-blaschke.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leomwilson.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leon-tec.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leontyev.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leshok.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leticia.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lexikon24.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lfyhokk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "li680.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "libportal.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "libreria-ouroboros.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lierohell.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "life-in-hell.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lightsfromspace.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai107.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai116.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai18.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai2211.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai3366.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai520.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai634.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai6677.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai8866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai9898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lilai9966.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "limstash.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lince-bonares.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lineshop.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "link-net.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linko-pomoika.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linkuva.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linux-help.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linux-taganrog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liress.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lisasc.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lisius.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lissajouss.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "listach.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "little-news.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "littleyokohamakennel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liturkey.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livejh.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livetopknigi.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livfcshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ll8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lldy88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "llgj888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "llgw8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "llw0x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "llw2h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "localtownhouses.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "logicdream.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lojadkstore.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lomayko.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lonavla.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long0311.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8032.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long8059.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loomis.center", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "losaucas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lossaicos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "louisdefunes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "louiza.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "love-books.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lspdonline.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lstlx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lukin.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lyfebotanicals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lyriksidan.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lyuda.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m-16.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m-beshr.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m1gun.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ma-ze-linux.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "macaroonshindig.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "macosx86.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "macroseo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "madskauts.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magazilla.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magazinecards.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magnetoscopio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maguire.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailer.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailinaitor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailingproduct.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailmaster.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailsend.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailstart.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailtobiz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailwala.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailxpress.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "malaysianews.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mamanakormit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mamanura.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mamtapark.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mandela-effect-wiki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mangaboxes.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mangareactor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "manicur-salon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mantenimientoimpresoras.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "manure.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "manusiasosial.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marbrerie-segur.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marcelabarrozo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marcelofernandez.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marina-tsvetaeva.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketgrid.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketgrid.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketia.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketingpalace.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketingsuite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketking.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketsearch.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketvalue.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maroussia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mars.army", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mars.navy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "martincernac.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "martinho.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvnet.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvnetdigit.al", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvnetdigital.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvnetdigital.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvnetdigital.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvnetdigital.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marvnetdigital.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masqueradecostumes.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matejstrnad.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matematikkulubu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mathe.digital", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matrimonio.com.pe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mattaki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maxiservak.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maxrider.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maysambotros.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mcduff.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mdir.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medifirst.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medvedivka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megaherz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megalithe.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megaportal.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mein-tortenladen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mekaleskirit.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "melissaofficial.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "memento-mori.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "menn.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mentalcalculations.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mentalcraft.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mercadohype.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meskiukas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mesotheliomacentre.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metacortex.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metal-rock.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metalempire.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metallobaza.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meteobox.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mezinfo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mgonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mhabdullah.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mica.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "michele.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "micoff.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "midnight-gaming-community.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikechasejr.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikesystems.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mind-books.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "minddrive.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "minikin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "minivehicle.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mir-faktov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mir-multimedia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mir-pressy.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mirknighechek.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mirokon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mistlake.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mithgol.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mixify.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mixmix.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mmwb.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mobilebooster.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mobilityworks.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moda-donna.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "modeldoll.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "modern-gaming.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mohamedhosting.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moltapor.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "molusk.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "money-fast.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moneyreal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monolithic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monzo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "morozko.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moscowlove.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mostafabanaei.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motekforcelink.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motichi.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motiv-rechts.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motoclubentresemana.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motoland.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motshop.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mountpost.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moyideal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mpgu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mrston.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ms295.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mtcpuntosalud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "muchotrolley.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mudasobwa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mudcomplex.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "musicfactory.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "musiker.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "musketiers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mvpinfo.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mvpower.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mybathroom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mycam.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mydoxod.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myedcreview.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myeditclub.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myedu.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myfursona.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygameconsole.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygomel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygrodno.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myhoor.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myhostname.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myinsiderplus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mykarelia.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mymkphotography.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mymotherlandstuffs.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myphotonics.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myphotos.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myportal.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myresidence.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myreviews.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mystore24.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n888-qieji.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n888388.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n888599.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n888677.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n888699.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n88890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n888duchang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n888go.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n888ok.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nadjabenaissa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nadoske.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naemnuk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nagato.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nahman.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nailshop.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nakim.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nakin.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "narela.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "natalia-in-quebec.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "natarius.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "natariusadvokat.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "natashki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "navalarchitect.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nazbol.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neanderthalia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neaz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nebohost.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "necromantia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "needfire.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nethealth.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netkigestioncomercial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netpenge.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netsearch.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "new-tuning.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newblogr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newforms.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newlynamed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neworiflame.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "news-novoros.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "news-srilanka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "news-technology.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsarmenia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newsuzbekistan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newtekstil.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newtons-erben.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nextfm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nicastrosalvatore.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nichesite.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nieuwpoort.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nijniy-novgorod.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ninmegam.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nippel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nipponkempoph.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nipponnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nivoit.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nkorolev.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nl-comunistas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nmx.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nn-vol.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "northscottsdaleloan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novichok.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novinkihd.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novinminer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novorossiysk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novorussiya.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nudeimg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nwradio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nymity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nyushikaikaku.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "o15y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oakwood-park.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oasisorthodontics.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "obmen-vizitami.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "obozrevatel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "obzor-znakomstv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ocachik.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ocenka-nedv.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "odejdamoda.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "offlimo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ofisescort.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oil-heaters.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "okulistiyoruz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oldliverpoolrailways.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "olegrpg.in.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omarsamarah.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omsk-web.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omsknews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omskweb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oneless.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onlinesports.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "opioneers.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "opraab.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "optimall.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orbits.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ordina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oriflamesamara.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orikos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orologidicristina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ortopertutti.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orvibo.com.ec", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ostankino.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "otdelka56.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "otoplastik.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oussoren-vinetomatoes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "overnetfaq.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "overpb.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "overps.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ovmfinancial.mortgage", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oyunmadeni.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333aaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333bbb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333eee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333fff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ggg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333hhh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333iii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333kkk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333lll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333mmm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333nnn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333oo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ooo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ppp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333qqq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333rrr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333sss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333ttt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "padshah.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paginamaravillosa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "palenque.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "palermoantagonista.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pamm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "panduan-hamil.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "papa---mama.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parket.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parkettdielen.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "partii.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "patriciaramos.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paulocolacino.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pavernosmatao.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paywait.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pbcables.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcexpress.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pckurzypd.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pecheneg.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peelland-fm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pegundugun.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peredoz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "permaculture.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perron.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "personaljokes.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "petburial.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "petos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "petrovitch.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phantomfund.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phero.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "philippinegreenparty.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phonenumberfind.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "photographerforwedding.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pieterbamps.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pimanta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piranhaattack.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pircher.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pisanpeikot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pistonkandidatu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pitbooks.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pl-trans.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plastischechirurgie-linz.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "platter.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pleger.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmk.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "poemwall.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pointzip.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pokemonargentina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pokemonguide.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "politvesti.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pologalileo.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "popjudge.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "populardogs.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "popupbazaar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "porelsam.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "porevo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "porinnuotiopojat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portable-games.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portal-books.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portal-ru.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portaleldense.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "positiverbeitrag.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "positiverbeitrag.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "positivos.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "postmusicologia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "potolok-brest.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "potomac.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "potterperfect.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "potterybroker.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "potz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "powerlifting.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pozarevac.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pozd.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pozitiffchik.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pozitiffchik.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pranksearch.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pravo911.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "predskazanie.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "premiumplusiptv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prettycities.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prisminfosys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pritchi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "privacyget.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-kemerovo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proactivenews.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proculsk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "productosfitness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "produkt.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "professionallawyer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "profuntime.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prog.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "programming-solutions.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "propanesale.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proporcer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proposeinspain.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prostoskidki.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "protectwrap.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "protogenbrainbooster.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "provereno-rabotaet.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "provereno-rabotaet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prushka.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psa-travel-care.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psychologbruksela.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psychologi.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psychologytests.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ptcbooks.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ptmp.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "publishedpaper.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pulcinella.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "punkart.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pupok.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "purpletech.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pursuehappiness.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "put-k-uspekhuy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "putany.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "queensfactory.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quelle-catalog.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quinmedia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qwantjunior.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qwd.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qwq2333.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ra-jurochnik.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radicaldream.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radio-brest.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radioborges.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiocartel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiodiagonal.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radioelectronic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiowakeup.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiozetta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radixsalon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raghughphotography.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raginggaming.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rammsteinzone.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ran-drunken.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "randomsearching.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rapwoyska.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raquelmolinacases.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rarece.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rarename.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rastabooks.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raya.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "razborpoletov.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "razborpoletov.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "razborpoletov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "razrabo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rbunews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reallywild.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recycling.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "redstarpictures.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "redwiki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reflexionspain.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "releasepoint.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remodeus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remont-naushnikov.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remontpc.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remoteoffice.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "renovandoingresos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "replikatelefon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "resanebartar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "restoran.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "restoringhopeberks.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revizor-online.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revolutionaryaim-vienna.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rfid-grundlagen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ricordisiciliani.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rilish.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ringofglory.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roadtochina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rollingstocks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rommelhuntermusic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "root-books.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "root-books.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rosiervandenbosch.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rosrabota.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roundaboutweb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roverglobal.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "royalcavaliers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "royalmech.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rs-aktuell.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rtgnews.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rubyonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rudating.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rukminicarrentals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "runrocknroll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rurs.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russia-rp.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russiahunting.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russianbearsmotorsport.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russianbristol.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russianpunkrock.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ruzaevka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saah.ae", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sabbat-wildfire.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sabedinovski.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sabghijewelers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sabine-dicklberger-massschneiderei-muenchen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sabworldtricks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "safc.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sagan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saglikhaber.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samandcatonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sambot22.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samiysok.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samsebe.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanalaile.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sancaktepehaber.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "santacruzdescargas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "santegra.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "santippolito-borgo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sarah-jane.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "satanspowers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "savatha.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "savemylicence.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saveusfromavril.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "savin.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sc019.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scandalindo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scfpensante.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schastie.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scholareducation.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schoolantwoorden.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schweizerbanken.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sciencetram.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scooterinaustralia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "screenfox.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seattleshadeandawning.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sebastianjaworecki.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selebrita.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "self-business.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selfrealize.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selfretire.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "semenov.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "semiotika.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "semobr.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "semops.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "senhost.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sentenza.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seo-reality.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seorus.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seowork.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "servicemagicusa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "servtraq-staging.azurewebsites.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "servtraqazure.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sexologist.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shadikhan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shahrsazan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shamans.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shanju.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sharik.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sharking.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shawiah.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shevet-achim.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shgw186.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shielddagger.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shiftpsych.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shilpaonline.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shitnikovo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shkololo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shoponlinedeals.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shossain.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shownet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siberia.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sierramusic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "silken-madame.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "silveronline.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simplecryptoconvert.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simplelinux.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simplyowners.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sinavyo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sinfully.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sisirbatu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "site2002.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sithijaya.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skazka.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sketchbox.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skiingnewsletter.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skincareagent.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skinseries.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slavasoloviev.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sleepawaycampseries.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slogan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slutty-girls.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smartphonesolution.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smbeermen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smilecon.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sms72.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snea-kers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sniffing.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snipr.gg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sobakasite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "socreates.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "softwarecloud.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "solarfever.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soldarizona.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soloparati.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "somehsara.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soniaferrer.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sophiebbeauty.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spacebestnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spaghettiphreakers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spaghettiwesterns.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spidercrabs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spikejeon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spilka-dyplomativ.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sports-online.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sriravana.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srochnozaim.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srochnyj-zajm.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ss-news.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ss09.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ss9288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stajka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stalker-eyes.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stangeland.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stardam.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stargatedesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "starover.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "starpoles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "starreview.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "starsoft.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "steam-rewards.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "steamsprays.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "steering-wheel.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stenaro.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "step2web-cms.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stephanao.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stephanieleonidasfan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stevebuck.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stevejobsfollowers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stewonet.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stolarka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stolensheep.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stop-activ.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stoppage.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "storeplus.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stormhub.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stormylegions.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stphilipneripreschool.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "strawberries.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "strl-tunis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stroimvse.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stuartbeard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studenti.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studiosql.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "styleelite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sudametrica.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sudanell.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sufarce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sumcrevillent.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superbintel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "supercarrot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superiordetail.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "supermustang.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "supernatural-fans.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suranganet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "surasak.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suzikogsm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "svorkmofotball.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swallowgateway.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sweat-shirts.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "symetrix.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "syonix.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sywnthkrawft.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t1209.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t1316.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t1317.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t1318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t1319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t2181.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t2182.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t2881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t5881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t6381.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t6801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t6810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t6820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t6830.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t6850.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t6860.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t6870.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t68app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t776633.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7803.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7804.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7807.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8070.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8110.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t8119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tadjikistan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taginet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tagungsstaette-usedom.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tagungsstaette-zinnowitz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taihesy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taipei-101.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taken.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "talusan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tanveersingh.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tarakan-klopik.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taranagar.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tarija.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tarzanka.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tatiana-kpb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taxi-domzale.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taxi-zakaz.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taximinvody.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taylorgalleries.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tech-techno.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "technicalproblem.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "technosapien.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tecnikan.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teleradio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "terrorblast.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tesdrole.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "test-iq.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "test-online.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "testforce.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "testlabs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "the-archive.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theaterreichenhall.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theberries.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theconverter.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thedarkfusion.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thefreebay.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thekonsulthub.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thelakedistrict.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thelencystore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theocratic.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theosophic.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theprojectx.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theptclist.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theredsgazette.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thevanishedvoyager.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thimbros.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thwiki.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ticketscol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timetrade.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timothy.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tinnhanhvietnam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "todayupdates.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toihoctiengtrung.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toolspain.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toopopular.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toothpique.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "top-mining.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topkorea.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "torreconta.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "touchdown.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tovarypochtoj.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toys-robots.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tpress.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tracesteps.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trackify.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trade-platform.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tradesmance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tramikshop.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "transeshairtransplant.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelvisit.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trendingdeals.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trendingeducation.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tresmaistres.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trickgsm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "triplethreatband.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tristanhager.i234.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trumanlibrary.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trz.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tulasdeportivasbless.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turkface.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turkmistress.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tutorialdb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tvoyaknighka.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tvplusiptv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "twelvecolonies.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tyc923.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ualove.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ugeek.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "umniy-dom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "undergrounder.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uniaofraternalraulcury.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unitedarmyofentropia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unpleasant.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upbatangan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "url1.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "user-agent.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uslugi-voronezh.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v-novosibirske.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v12555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v800a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v800e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v800f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v800k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v800n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v800w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vacontractortraining.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valencianistas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valeniidemunte.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valledeleresma.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valleystories.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vam-podarok.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vampire-studios.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vasilisa-volodina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vchelyabinske.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vebbankir-zajm-onlajn.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vecherka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vegtelenchat.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "velacartagena.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "velosipedi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "venlafaxine.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verdugosxerecistas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viantours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viewmythoughts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "villadelprado.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "villakarma.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "villalmanzo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vincura.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viphackers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplilai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viporiflame.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vippclub.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipw6600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipw6603.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipw6608.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viraljobs.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viraloffer.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viralted.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viralvids.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "virgontech.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "virtualbrestby.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "virtualcomputer.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "virtualmemento.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vitaminmovie.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vkstream.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vnovosibirske.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vodicaknapocitac.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "volchara.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "volqanic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voss-zaehne.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voss-zaehne.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vozhatik.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vprotect.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vpswebs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vremyapervyih-hd.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vse-potolki.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vvvvbrest.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w-ws.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0115.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0118.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w0138.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w045w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w1010w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w1515w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w158w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w1717w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w233w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w2929w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w3330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w4141w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w556w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w5858w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w61516.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w61518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w61616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6363w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6603.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6612.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66133.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66136.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6631.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66655.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6671.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6673.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6684.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w668686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w668866.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w668899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w668989.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66919.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66hao.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6803.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w682w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w6880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w692w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w696w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w7355.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w7474w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8093.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8094.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8605.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8609.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8620.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8625.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8626.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8628.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w8659.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w888055.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w9196.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wa3368.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waplumber.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wapspaces.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wartimecontracting.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "washburnenglishschool.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waytofreedom.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wbcme.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wearethreebears.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "web-studio-kzo.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webcam-model.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webcreativa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "websiteguider.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "websitemarketers.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webtaxi.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili.bet", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili1111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili1120.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili1121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili1122.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili1123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili1127.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili1128.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili8888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weili88888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weilibet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weilibet.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weilibet.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weilibet.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weiliyule.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weiliyule.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wenhelpdesk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "westhotel.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whitepen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "widejeans.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wiki-books.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wikizip.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wildanalysis.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "willdropphoto.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wiskundeonderzoek.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wispmaeksmusic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl.bet", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl511.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl970.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl971.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl972.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl973.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl974.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl975.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl976.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl977.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wl978.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wlx678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wlx678a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wlx678b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wlx678c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wlx678d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wmsndorgen.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wmsndorgen.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wmsndorgen.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wmsndorgen.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wmsndorgen.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wojciechowka.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wolfteam.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wom-en.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "womensbiz.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wonderfulworldofwalliams.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wooblr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wordregistrar.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worldix.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worldsfree4u.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worldvisa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wormincorporated.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wowlove.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "writers-club.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wvpbs.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wwwwnews.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xakepctbo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xanhdecor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xerezdeportivo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--tagungssttte-usedom-owb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--tagungssttte-zinnowitz-84b.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--uasacrilicas-9gb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--v4q.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpa.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj090.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj100.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpj90.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xtravans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xurl.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xxxoopz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xybabyshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yagmursoft.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yak-host.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yamal-online.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yamei1188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yamei2233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yamei8866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan10.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yapan9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yardesign.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ybvip789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yeti.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yinduyy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym063.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym069.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym181.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym2121g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym2727.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym966.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ymm234.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yourloan.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yura.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8018.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8025.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8029.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8036.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8039.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8053.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8057.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8061.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8065.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8069.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8071.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8072.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8073.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8077.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8085.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8086.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8091.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8092.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8127.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8129.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8139.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8150.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8158.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8160.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8165.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8167.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8172.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8173.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8175.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8176.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8177.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8178.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8179.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8187.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8190.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8192.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8198.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8201.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8202.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8203.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8205.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8206.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8213.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8218.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8219.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8230.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8231.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8251.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8817.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8875.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8879.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z8918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaimdengi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaimexpress.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajm-bez-poruchitelej.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajm-bez-spravok.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajm-na-kivi.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajm-pod-raspisku.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zajm-pod-zalog.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zakaz.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaracraft.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zarbis.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaympodzalog.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd1313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6363.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6879.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd6899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd7474.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zd9090.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zeanweb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zentrumfuerchemie.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zetasystem.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zfyl8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhabababa.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhestokiemechtyi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhurnalyu.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zinchenko.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl200.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl2121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6060.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl6464.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl7070.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl7272.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8856.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8857.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8874.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zl8891.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlatan-ibrahimovic.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zlotykameleon.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "znakomim.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "znanie-sila.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zofran-medication.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zofrancost.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zofranprice.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zoloftmedication.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zoloftpills.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zoloftprice.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zolushka-1950.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zooforum.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zosia.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zovirax-cream.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zrinski.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zrs-meissen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zuitaotu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zwergenfreiheit.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zxfiles.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     // END OF 1-YEAR BULK HSTS ENTRIES
 
     // Only eTLD+1 domains can be submitted automatically to hstspreload.org,
@@ -73023,8 +83164,6 @@
     { "name": "mysa.is", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     { "name": "vensl.org", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     { "name": "aaron-schaal.de", "policy": "custom", "mode": "force-https", "include_subdomains": true },
-    // TLS 1.3
-    { "name": "glassrom.pw", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     // Expect-CT
     {
       "name": "crt.sh", "policy": "custom",
@@ -73316,6 +83455,28 @@
     { "name": "flagriculture.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
     { "name": "floridaconsumerhelp.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
     { "name": "sheriffpawneecountyne.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "tnwildlandfire.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "tnusedoil.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "safeathomeohio.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "sflhidta.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "ohiobusinesscentral.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "schoolsafety.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "solarium.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "cavecreekaz.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "usidfc.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "idfc.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "pbrb.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "leavenworthcounty.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "trpa.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "hudsonwi.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "woodfordcountyky.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "franklincountyny.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "townofhulbertok.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "gilsum-nh.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "ahidta.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "pleasantonca.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "elonma.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "carrolcountyohioelections.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
     { "name": "bmoattachments.org", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
     // END OF ETLD-OWNER REQUESTED ENTRIES
 
diff --git a/chromium/net/http/transport_security_state_unittest.cc b/chromium/net/http/transport_security_state_unittest.cc
index 3c5ca3f1e1c..7ff717fd731 100644
--- a/chromium/net/http/transport_security_state_unittest.cc
+++ b/chromium/net/http/transport_security_state_unittest.cc
@@ -34,12 +34,15 @@
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
+#include "net/extras/preload_data/decoder.h"
 #include "net/http/http_status_code.h"
 #include "net/http/http_util.h"
 #include "net/net_buildflags.h"
 #include "net/ssl/ssl_info.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_data_directory.h"
+#include "net/tools/huffman_trie/bit_writer.h"
+#include "net/tools/huffman_trie/trie/trie_bit_buffer.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -3159,6 +3162,44 @@ TEST_F(TransportSecurityStateStaticTest, UMAOnHPKPReportingFailure) {
                                1);
 }
 
+TEST_F(TransportSecurityStateTest, WriteSizeDecodeSize) {
+  for (size_t i = 0; i < 300; ++i) {
+    SCOPED_TRACE(i);
+    huffman_trie::TrieBitBuffer buffer;
+    buffer.WriteSize(i);
+    huffman_trie::BitWriter writer;
+    buffer.WriteToBitWriter(&writer);
+    size_t position = writer.position();
+    writer.Flush();
+    ASSERT_NE(writer.bytes().data(), nullptr);
+    extras::PreloadDecoder::BitReader reader(writer.bytes().data(), position);
+    size_t decoded_size;
+    EXPECT_TRUE(reader.DecodeSize(&decoded_size));
+    EXPECT_EQ(i, decoded_size);
+  }
+}
+
+TEST_F(TransportSecurityStateTest, DecodeSizeFour) {
+  // Test that BitReader::DecodeSize properly handles the number 4, including
+  // not over-reading input bytes. BitReader::Next only fails if there's not
+  // another byte to read from; if it reads past the number of bits in the
+  // buffer but is still in the last byte it will still succeed. For this
+  // reason, this test puts the encoding of 4 at the end of the byte to check
+  // that DecodeSize doesn't over-read.
+  //
+  // 4 is encoded as 0b010. Shifted right to fill one byte, it is 0x02, with 5
+  // bits of padding.
+  uint8_t encoded = 0x02;
+  extras::PreloadDecoder::BitReader reader(&encoded, 8);
+  for (size_t i = 0; i < 5; ++i) {
+    bool unused;
+    ASSERT_TRUE(reader.Next(&unused));
+  }
+  size_t decoded_size;
+  EXPECT_TRUE(reader.DecodeSize(&decoded_size));
+  EXPECT_EQ(4u, decoded_size);
+}
+
 #endif  // BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
 
 }  // namespace net
diff --git a/chromium/net/log/file_net_log_observer.h b/chromium/net/log/file_net_log_observer.h
index 02d9a78aac5..66c80ca9024 100644
--- a/chromium/net/log/file_net_log_observer.h
+++ b/chromium/net/log/file_net_log_observer.h
@@ -23,8 +23,6 @@ class SequencedTaskRunner;
 
 namespace net {
 
-class NetLogCaptureMode;
-
 // FileNetLogObserver watches the NetLog event stream and sends all entries to
 // a file.
 //
diff --git a/chromium/net/log/file_net_log_observer_unittest.cc b/chromium/net/log/file_net_log_observer_unittest.cc
index b5ec383dfe8..669da0d70ff 100644
--- a/chromium/net/log/file_net_log_observer_unittest.cc
+++ b/chromium/net/log/file_net_log_observer_unittest.cc
@@ -24,10 +24,10 @@
 #include "net/base/test_completion_callback.h"
 #include "net/log/net_log_entry.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_source_type.h"
 #include "net/log/net_log_util.h"
+#include "net/log/net_log_values.h"
 #include "net/test/test_with_scoped_task_environment.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
@@ -55,15 +55,10 @@ void AddEntries(FileNetLogObserver* logger,
                 size_t entry_size) {
   // Get base size of event.
   const int kDummyId = 0;
-  std::string message = "";
-  NetLogParametersCallback callback =
-      NetLog::StringCallback("message", &message);
   NetLogSource source(NetLogSourceType::HTTP2_SESSION, kDummyId);
-  NetLogEntryData base_entry_data(NetLogEventType::PAC_JAVASCRIPT_ERROR, source,
-                                  NetLogEventPhase::BEGIN,
-                                  base::TimeTicks::Now(), &callback);
-  NetLogEntry base_entry(&base_entry_data,
-                         NetLogCaptureMode::IncludeSocketBytes());
+  NetLogEntry base_entry(NetLogEventType::PAC_JAVASCRIPT_ERROR, source,
+                         NetLogEventPhase::BEGIN, base::TimeTicks::Now(),
+                         NetLogParamsWithString("message", ""));
   base::Value value = base_entry.ToValue();
   std::string json;
   base::JSONWriter::Write(value, &json);
@@ -88,12 +83,11 @@ void AddEntries(FileNetLogObserver* logger,
 
     // String size accounts for the number of digits in id so that all events
     // are the same size.
-    message = std::string(entry_size - base_entry_size - id.size() + 1, 'x');
-    callback = NetLog::StringCallback("message", &message);
-    NetLogEntryData entry_data(NetLogEventType::PAC_JAVASCRIPT_ERROR, source,
-                               NetLogEventPhase::BEGIN, base::TimeTicks::Now(),
-                               &callback);
-    NetLogEntry entry(&entry_data, NetLogCaptureMode::IncludeSocketBytes());
+    std::string message =
+        std::string(entry_size - base_entry_size - id.size() + 1, 'x');
+    NetLogEntry entry(NetLogEventType::PAC_JAVASCRIPT_ERROR, source,
+                      NetLogEventPhase::BEGIN, base::TimeTicks::Now(),
+                      NetLogParamsWithString("message", message));
     logger->OnAddEntry(entry);
   }
 }
@@ -253,7 +247,7 @@ class FileNetLogObserverTest : public ::testing::TestWithParam<bool>,
           FileNetLogObserver::CreateUnbounded(log_path_, std::move(constants));
     }
 
-    logger_->StartObserving(&net_log_, NetLogCaptureMode::Default());
+    logger_->StartObserving(&net_log_, NetLogCaptureMode::kDefault);
   }
 
   void CreateAndStartObservingPreExisting(
@@ -275,7 +269,7 @@ class FileNetLogObserverTest : public ::testing::TestWithParam<bool>,
           std::move(file), std::move(constants));
     }
 
-    logger_->StartObserving(&net_log_, NetLogCaptureMode::Default());
+    logger_->StartObserving(&net_log_, NetLogCaptureMode::kDefault);
   }
 
   bool LogFileExists() {
@@ -314,7 +308,7 @@ class FileNetLogObserverBoundedTest : public ::testing::Test,
                                int num_files) {
     logger_ = FileNetLogObserver::CreateBoundedForTests(
         log_path_, total_file_size, num_files, std::move(constants));
-    logger_->StartObserving(&net_log_, NetLogCaptureMode::Default());
+    logger_->StartObserving(&net_log_, NetLogCaptureMode::kDefault);
   }
 
   // Returns the path for an internally directory created for bounded logs (this
@@ -500,7 +494,7 @@ TEST_P(FileNetLogObserverTest, PreExistingFileBroken) {
   else
     logger_ = FileNetLogObserver::CreateUnboundedPreExisting(std::move(file),
                                                              nullptr);
-  logger_->StartObserving(&net_log_, NetLogCaptureMode::Default());
+  logger_->StartObserving(&net_log_, NetLogCaptureMode::kDefault);
 
   // Send dummy event.
   AddEntries(logger_.get(), 1, kDummyEventSize);
@@ -954,7 +948,7 @@ TEST_F(FileNetLogObserverBoundedTest, PreExistingUsesSpecifiedDir) {
 
   logger_ = FileNetLogObserver::CreateBoundedPreExisting(
       scratch_dir.GetPath(), std::move(file), kLargeFileSize, nullptr);
-  logger_->StartObserving(&net_log_, NetLogCaptureMode::Default());
+  logger_->StartObserving(&net_log_, NetLogCaptureMode::kDefault);
 
   base::ThreadPoolInstance::Get()->FlushForTesting();
   EXPECT_TRUE(base::PathExists(log_path_));
diff --git a/chromium/net/log/net_log.cc b/chromium/net/log/net_log.cc
index 88b3fa80475..9fbe4e68351 100644
--- a/chromium/net/log/net_log.cc
+++ b/chromium/net/log/net_log.cc
@@ -4,101 +4,14 @@
 
 #include "net/log/net_log.h"
 
-#include <algorithm>
-#include <memory>
-#include <utility>
-
-#include "base/base64.h"
-#include "base/bind.h"
-#include "base/callback.h"
-#include "base/logging.h"
-#include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
-#include "base/strings/string_util.h"
-#include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
-#include "net/base/escape.h"
+#include "net/log/net_log_values.h"
 
 namespace net {
 
-namespace {
-
-base::Value NetLogBoolCallback(const char* name,
-                               bool value,
-                               NetLogCaptureMode /* capture_mode */) {
-  base::DictionaryValue event_params;
-  event_params.SetBoolean(name, value);
-  return std::move(event_params);
-}
-
-base::Value NetLogIntCallback(const char* name,
-                              int value,
-                              NetLogCaptureMode /* capture_mode */) {
-  base::DictionaryValue event_params;
-  event_params.SetInteger(name, value);
-  return std::move(event_params);
-}
-
-base::Value NetLogInt64Callback(const char* name,
-                                int64_t value,
-                                NetLogCaptureMode /* capture_mode */) {
-  base::DictionaryValue event_params;
-  event_params.SetKey(name, NetLogNumberValue(value));
-  return std::move(event_params);
-}
-
-base::Value NetLogStringCallback(const char* name,
-                                 const std::string* value,
-                                 NetLogCaptureMode /* capture_mode */) {
-  base::DictionaryValue event_params;
-  event_params.SetString(name, *value);
-  return std::move(event_params);
-}
-
-base::Value NetLogCharStringCallback(const char* name,
-                                     const char* value,
-                                     NetLogCaptureMode /* capture_mode */) {
-  base::DictionaryValue event_params;
-  event_params.SetString(name, value);
-  return std::move(event_params);
-}
-
-base::Value NetLogString16Callback(const char* name,
-                                   const base::string16* value,
-                                   NetLogCaptureMode /* capture_mode */) {
-  base::DictionaryValue event_params;
-  event_params.SetString(name, *value);
-  return std::move(event_params);
-}
-
-// IEEE 64-bit doubles have a 52-bit mantissa, and can therefore represent
-// 53-bits worth of precision (see also documentation for JavaScript's
-// Number.MAX_SAFE_INTEGER for more discussion on this).
-//
-// If the number can be represented with an int or double use that. Otherwise
-// fallback to encoding it as a string.
-template <typename T>
-base::Value NetLogNumberValueHelper(T num) {
-  // Fits in a (32-bit) int: [-2^31, 2^31 - 1]
-  if ((!std::is_signed<T>::value || (num >= static_cast<T>(-2147483648))) &&
-      (num <= static_cast<T>(2147483647))) {
-    return base::Value(static_cast<int>(num));
-  }
-
-  // Fits in a double: (-2^53, 2^53)
-  if ((!std::is_signed<T>::value ||
-       (num >= static_cast<T>(-9007199254740991))) &&
-      (num <= static_cast<T>(9007199254740991))) {
-    return base::Value(static_cast<double>(num));
-  }
-
-  // Otherwise format as a string.
-  return base::Value(base::NumberToString(num));
-}
-
-}  // namespace
-
-NetLog::ThreadSafeObserver::ThreadSafeObserver() : net_log_(nullptr) {}
+NetLog::ThreadSafeObserver::ThreadSafeObserver()
+    : capture_mode_(NetLogCaptureMode::kDefault), net_log_(nullptr) {}
 
 NetLog::ThreadSafeObserver::~ThreadSafeObserver() {
   // Make sure we aren't watching a NetLog on destruction.  Because the NetLog
@@ -116,26 +29,27 @@ NetLog* NetLog::ThreadSafeObserver::net_log() const {
   return net_log_;
 }
 
-void NetLog::ThreadSafeObserver::OnAddEntryData(
-    const NetLogEntryData& entry_data) {
-  OnAddEntry(NetLogEntry(&entry_data, capture_mode()));
-}
+NetLog::NetLog() : last_id_(0), observer_capture_modes_(0) {}
 
-NetLog::NetLog() : last_id_(0), is_capturing_(0) {
+NetLog::~NetLog() {
+  MarkDead();
 }
 
-NetLog::~NetLog() = default;
+void NetLog::AddEntry(NetLogEventType type,
+                      const NetLogSource& source,
+                      NetLogEventPhase phase) {
+  AddEntry(type, source, phase, [] { return base::Value(); });
+}
 
 void NetLog::AddGlobalEntry(NetLogEventType type) {
   AddEntry(type, NetLogSource(NetLogSourceType::NONE, NextID()),
-           NetLogEventPhase::NONE, nullptr);
+           NetLogEventPhase::NONE);
 }
 
-void NetLog::AddGlobalEntry(
-    NetLogEventType type,
-    const NetLogParametersCallback& parameters_callback) {
-  AddEntry(type, NetLogSource(NetLogSourceType::NONE, NextID()),
-           NetLogEventPhase::NONE, &parameters_callback);
+void NetLog::AddGlobalEntryWithStringParams(NetLogEventType type,
+                                            base::StringPiece name,
+                                            base::StringPiece value) {
+  AddGlobalEntry(type, [&] { return NetLogParamsWithString(name, value); });
 }
 
 uint32_t NetLog::NextID() {
@@ -143,7 +57,8 @@ uint32_t NetLog::NextID() {
 }
 
 bool NetLog::IsCapturing() const {
-  return base::subtle::NoBarrier_Load(&is_capturing_) != 0;
+  CheckAlive();
+  return GetObserverCaptureModes() != 0;
 }
 
 void NetLog::AddObserver(NetLog::ThreadSafeObserver* observer,
@@ -158,16 +73,7 @@ void NetLog::AddObserver(NetLog::ThreadSafeObserver* observer,
 
   observer->net_log_ = this;
   observer->capture_mode_ = capture_mode;
-  UpdateIsCapturing();
-}
-
-void NetLog::SetObserverCaptureMode(NetLog::ThreadSafeObserver* observer,
-                                    NetLogCaptureMode capture_mode) {
-  base::AutoLock lock(lock_);
-
-  DCHECK(HasObserver(observer));
-  DCHECK_EQ(this, observer->net_log_);
-  observer->capture_mode_ = capture_mode;
+  UpdateObserverCaptureModes();
 }
 
 void NetLog::RemoveObserver(NetLog::ThreadSafeObserver* observer) {
@@ -180,18 +86,23 @@ void NetLog::RemoveObserver(NetLog::ThreadSafeObserver* observer) {
   observers_.erase(it);
 
   observer->net_log_ = nullptr;
-  observer->capture_mode_ = NetLogCaptureMode();
-  UpdateIsCapturing();
+  observer->capture_mode_ = NetLogCaptureMode::kDefault;
+  UpdateObserverCaptureModes();
 }
 
-void NetLog::UpdateIsCapturing() {
+void NetLog::UpdateObserverCaptureModes() {
   lock_.AssertAcquired();
-  base::subtle::NoBarrier_Store(&is_capturing_, observers_.size() ? 1 : 0);
+
+  NetLogCaptureModeSet capture_mode_set = 0;
+  for (const auto* observer : observers_)
+    NetLogCaptureModeSetAdd(observer->capture_mode_, &capture_mode_set);
+
+  base::subtle::NoBarrier_Store(&observer_capture_modes_, capture_mode_set);
 }
 
 bool NetLog::HasObserver(ThreadSafeObserver* observer) {
   lock_.AssertAcquired();
-  return base::ContainsValue(observers_, observer);
+  return base::Contains(observers_, observer);
 }
 
 // static
@@ -269,86 +180,45 @@ const char* NetLog::EventPhaseToString(NetLogEventPhase phase) {
   return nullptr;
 }
 
-// static
-NetLogParametersCallback NetLog::BoolCallback(const char* name, bool value) {
-  return base::Bind(&NetLogBoolCallback, name, value);
-}
+void NetLog::AddEntryInternal(NetLogEventType type,
+                              const NetLogSource& source,
+                              NetLogEventPhase phase,
+                              const GetParamsInterface* get_params) {
+  NetLogCaptureModeSet observer_capture_modes = GetObserverCaptureModes();
 
-// static
-NetLogParametersCallback NetLog::IntCallback(const char* name, int value) {
-  return base::Bind(&NetLogIntCallback, name, value);
-}
+  for (int i = 0; i <= static_cast<int>(NetLogCaptureMode::kLast); ++i) {
+    NetLogCaptureMode capture_mode = static_cast<NetLogCaptureMode>(i);
+    if (!NetLogCaptureModeSetContains(capture_mode, observer_capture_modes))
+      continue;
 
-// static
-NetLogParametersCallback NetLog::Int64Callback(const char* name,
-                                               int64_t value) {
-  return base::Bind(&NetLogInt64Callback, name, value);
-}
+    NetLogEntry entry(type, source, phase, base::TimeTicks::Now(),
+                      get_params->GetParams(capture_mode));
 
-// static
-NetLogParametersCallback NetLog::StringCallback(const char* name,
-                                                const std::string* value) {
-  DCHECK(value);
-  return base::Bind(&NetLogStringCallback, name, value);
+    // Notify all of the log observers with |capture_mode|.
+    base::AutoLock lock(lock_);
+    for (auto* observer : observers_) {
+      if (observer->capture_mode() == capture_mode)
+        observer->OnAddEntry(entry);
+    }
+  }
 }
 
-// static
-NetLogParametersCallback NetLog::StringCallback(const char* name,
-                                                const char* value) {
-  DCHECK(value);
-  return base::Bind(&NetLogCharStringCallback, name, value);
+NetLogCaptureModeSet NetLog::GetObserverCaptureModes() const {
+  return base::subtle::NoBarrier_Load(&observer_capture_modes_);
 }
 
-// static
-NetLogParametersCallback NetLog::StringCallback(const char* name,
-                                                const base::string16* value) {
-  DCHECK(value);
-  return base::Bind(&NetLogString16Callback, name, value);
-}
+void NetLog::AddEntryWithMaterializedParams(NetLogEventType type,
+                                            const NetLogSource& source,
+                                            NetLogEventPhase phase,
+                                            base::Value&& params) {
+  NetLogEntry entry(type, source, phase, base::TimeTicks::Now(),
+                    std::move(params));
 
-void NetLog::AddEntry(NetLogEventType type,
-                      const NetLogSource& source,
-                      NetLogEventPhase phase,
-                      const NetLogParametersCallback* parameters_callback) {
-  if (!IsCapturing())
-    return;
-  NetLogEntryData entry_data(type, source, phase, base::TimeTicks::Now(),
-                             parameters_callback);
-
-  // Notify all of the log observers.
+  // Notify all of the log observers with |capture_mode|.
   base::AutoLock lock(lock_);
-  for (auto* observer : observers_)
-    observer->OnAddEntryData(entry_data);
-}
-
-base::Value NetLogStringValue(base::StringPiece raw) {
-  // The common case is that |raw| is ASCII. Represent this directly.
-  if (base::IsStringASCII(raw))
-    return base::Value(raw);
-
-  // For everything else (including valid UTF-8) percent-escape |raw|, and add a
-  // prefix that "tags" the value as being a percent-escaped representation.
-  //
-  // Note that the sequence E2 80 8B is U+200B (zero-width space) in UTF-8. It
-  // is added so the escaped string is not itself also ASCII (otherwise there
-  // would be ambiguity for consumers as to when the value needs to be
-  // unescaped).
-  return base::Value("%ESCAPED:\xE2\x80\x8B " + EscapeNonASCIIAndPercent(raw));
-}
-
-base::Value NetLogBinaryValue(const void* bytes, size_t length) {
-  std::string b64;
-  Base64Encode(base::StringPiece(reinterpret_cast<const char*>(bytes), length),
-               &b64);
-  return base::Value(std::move(b64));
-}
-
-base::Value NetLogNumberValue(int64_t num) {
-  return NetLogNumberValueHelper(num);
-}
-
-base::Value NetLogNumberValue(uint64_t num) {
-  return NetLogNumberValueHelper(num);
+  for (auto* observer : observers_) {
+    observer->OnAddEntry(entry);
+  }
 }
 
 }  // namespace net
diff --git a/chromium/net/log/net_log.h b/chromium/net/log/net_log.h
index 14c9a74e49f..dd04c0ec665 100644
--- a/chromium/net/log/net_log.h
+++ b/chromium/net/log/net_log.h
@@ -13,7 +13,6 @@
 #include "base/atomicops.h"
 #include "base/compiler_specific.h"
 #include "base/macros.h"
-#include "base/strings/string16.h"
 #include "base/synchronization/lock.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
@@ -21,7 +20,6 @@
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_entry.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_source_type.h"
 
@@ -40,12 +38,48 @@ namespace net {
 // is usually accessed through a NetLogWithSource, which will always pass in a
 // specific source ID.
 //
-// All methods are thread safe, with the exception that no NetLog or
+// All methods on NetLog are thread safe, with the exception that no NetLog or
 // NetLog::ThreadSafeObserver functions may be called by an observer's
-// OnAddEntry() method.  Doing so will result in a deadlock.
+// OnAddEntry() method, as doing so will result in a deadlock.
 //
 // For a broader introduction see the design document:
 // https://sites.google.com/a/chromium.org/dev/developers/design-documents/network-stack/netlog
+//
+// ==================================
+// Materializing parameters
+// ==================================
+//
+// Events can contain a JSON serializable base::Value [1] referred to as its
+// "parameters".
+//
+// Functions for emitting events have overloads that take a |get_params|
+// argument for this purpose.
+//
+// |get_params| is essentially a block of code to conditionally execute when
+// the parameters need to be materialized. It is most easily specified as a C++
+// lambda.
+//
+// This idiom for specifying parameters avoids spending time building the
+// base::Value when capturing is off. For instance when specified as a lambda
+// that takes 0 arguments, the inlined code from template expansion roughly
+// does:
+//
+//   if (net_log->IsCapturing()) {
+//     base::Value params = get_params();
+//     net_log->EmitEventToAllObsevers(type, source, phase, std::move(params));
+//   }
+//
+// Alternately, the |get_params| argument could be an invocable that takes a
+// NetLogCaptureMode parameter:
+//
+//   base::Value params = get_params(capture_mode);
+//
+// In this case, |get_params| depends on the logging granularity and would be
+// called once per observed NetLogCaptureMode.
+//
+// [1] Being "JSON serializable" means you cannot use
+//     base::Value::Type::BINARY. Instead use NetLogBinaryValue() to repackage
+//     it as a base::Value::Type::STRING.
 class NET_EXPORT NetLog {
  public:
 
@@ -95,8 +129,6 @@ class NET_EXPORT NetLog {
    private:
     friend class NetLog;
 
-    void OnAddEntryData(const NetLogEntryData& entry_data);
-
     // Both of these values are only modified by the NetLog.
     NetLogCaptureMode capture_mode_;
     NetLog* net_log_;
@@ -107,18 +139,95 @@ class NET_EXPORT NetLog {
   NetLog();
   virtual ~NetLog();
 
+  void AddEntry(NetLogEventType type,
+                const NetLogSource& source,
+                NetLogEventPhase phase);
+
+  // NetLog parameter generators (lambdas) come in two flavors -- those that
+  // take no arguments, and those that take a single NetLogCaptureMode. This
+  // code allows differentiating between the two.
+  template <typename T, typename = void>
+  struct ExpectsCaptureMode : std::false_type {};
+  template <typename T>
+  struct ExpectsCaptureMode<T,
+                            decltype(void(std::declval<T>()(
+                                NetLogCaptureMode::kDefault)))>
+      : std::true_type {};
+
+  // Adds an entry for the given source, phase, and type, whose parameters are
+  // obtained by invoking |get_params()| with no arguments.
+  //
+  // See "Materializing parameters" for details.
+  template <typename ParametersCallback>
+  inline typename std::enable_if<!ExpectsCaptureMode<ParametersCallback>::value,
+                                 void>::type
+  AddEntry(NetLogEventType type,
+           const NetLogSource& source,
+           NetLogEventPhase phase,
+           const ParametersCallback& get_params) {
+    if (LIKELY(!IsCapturing()))
+      return;
+
+    AddEntryWithMaterializedParams(type, source, phase, get_params());
+  }
+
+  // Adds an entry for the given source, phase, and type, whose parameters are
+  // obtained by invoking |get_params(capture_mode)| with a NetLogCaptureMode.
+  //
+  // See "Materializing parameters" for details.
+  template <typename ParametersCallback>
+  inline typename std::enable_if<ExpectsCaptureMode<ParametersCallback>::value,
+                                 void>::type
+  AddEntry(NetLogEventType type,
+           const NetLogSource& source,
+           NetLogEventPhase phase,
+           const ParametersCallback& get_params) {
+    if (LIKELY(!IsCapturing()))
+      return;
+
+    // Indirect through virtual dispatch to reduce code bloat, as this is
+    // inlined in a number of places.
+    class GetParamsImpl : public GetParamsInterface {
+     public:
+      explicit GetParamsImpl(const ParametersCallback& get_params)
+          : get_params_(get_params) {}
+      base::Value GetParams(NetLogCaptureMode mode) const override {
+        return get_params_(mode);
+      }
+
+     private:
+      const ParametersCallback& get_params_;
+    };
+
+    GetParamsImpl wrapper(get_params);
+    AddEntryInternal(type, source, phase, &wrapper);
+  }
+
   // Emits a global event to the log stream, with its own unique source ID.
   void AddGlobalEntry(NetLogEventType type);
+
+  // Overload of AddGlobalEntry() that includes parameters.
+  //
+  // See "Materializing parameters" for details on |get_params|.
+  template <typename ParametersCallback>
   void AddGlobalEntry(NetLogEventType type,
-                      const NetLogParametersCallback& parameters_callback);
+                      const ParametersCallback& get_params) {
+    AddEntry(type, NetLogSource(NetLogSourceType::NONE, NextID()),
+             NetLogEventPhase::NONE, get_params);
+  }
+
+  void AddGlobalEntryWithStringParams(NetLogEventType type,
+                                      base::StringPiece name,
+                                      base::StringPiece value);
 
   // Returns a unique ID which can be used as a source ID.  All returned IDs
   // will be unique and greater than 0.
   uint32_t NextID();
 
-  // Returns true if there are any observers attached to the NetLog. This can be
-  // used as an optimization to avoid emitting log entries when there is no
-  // chance that the data will be consumed.
+  // Returns true if there are any observers attached to the NetLog.
+  //
+  // TODO(eroman): Survey current callsites; most are probably not necessary,
+  // and may even be harmful.
   bool IsCapturing() const;
 
   // Adds an observer and sets its log capture mode.  The observer must not be
@@ -136,12 +245,6 @@ class NET_EXPORT NetLog {
   void AddObserver(ThreadSafeObserver* observer,
                    NetLogCaptureMode capture_mode);
 
-  // Sets the log capture mode of |observer| to |capture_mode|.  |observer| must
-  // be watching |this|.  NetLog implementations must call
-  // NetLog::OnSetObserverCaptureMode to update the observer's internal state.
-  void SetObserverCaptureMode(ThreadSafeObserver* observer,
-                              NetLogCaptureMode capture_mode);
-
   // Removes an observer.
   //
   // For thread safety reasons, it is recommended that this not be called in
@@ -177,60 +280,69 @@ class NET_EXPORT NetLog {
   // Returns a C-String symbolic name for |event_phase|.
   static const char* EventPhaseToString(NetLogEventPhase event_phase);
 
-  // Creates a NetLogParametersCallback that encapsulates a single bool.
-  // Warning: |name| must remain valid for the life of the callback.
-  static NetLogParametersCallback BoolCallback(const char* name, bool value);
-
-  // Warning: |name| must remain valid for the life of the callback.
-  static NetLogParametersCallback IntCallback(const char* name, int value);
-
-  // Creates a NetLogParametersCallback that encapsulates a single int64_t.  The
-  // callback will return the value as a StringValue, since IntegerValues
-  // only support 32-bit values.
-  // Warning: |name| must remain valid for the life of the callback.
-  static NetLogParametersCallback Int64Callback(const char* name,
-                                                int64_t value);
-
-  // Creates a NetLogParametersCallback that encapsulates a single UTF8 string.
-  // Takes
-  // |value| as a pointer to avoid copying, and emphasize it must be valid for
-  // the life of the callback.  |value| may not be NULL.
-  // Warning: |name| and |value| must remain valid for the life of the callback.
-  static NetLogParametersCallback StringCallback(const char* name,
-                                                 const std::string* value);
-  static NetLogParametersCallback StringCallback(const char* name,
-                                                 const char* value);
-
-  // Same as above, but takes in a UTF16 string.
-  static NetLogParametersCallback StringCallback(const char* name,
-                                                 const base::string16* value);
-
  private:
-  friend class NetLogWithSource;
+  class GetParamsInterface {
+   public:
+    virtual base::Value GetParams(NetLogCaptureMode mode) const = 0;
+    virtual ~GetParamsInterface() = default;
+  };
 
-  void AddEntry(NetLogEventType type,
-                const NetLogSource& source,
-                NetLogEventPhase phase,
-                const NetLogParametersCallback* parameters_callback);
+  // Helper for implementing AddEntry() that indirects parameter getting through
+  // virtual dispatch.
+  void AddEntryInternal(NetLogEventType type,
+                        const NetLogSource& source,
+                        NetLogEventPhase phase,
+                        const GetParamsInterface* get_params);
+
+  // Returns the set of all capture modes being observed.
+  NetLogCaptureModeSet GetObserverCaptureModes() const;
+
+  // Adds an entry using already materialized parameters, when it is already
+  // known that the log is capturing (goes straight to acquiring observer lock).
+  //
+  // TODO(eroman): Drop the rvalue-ref on |params| unless can show it improves
+  // the generated code (initial testing suggests it makes no difference in
+  // clang).
+  void AddEntryWithMaterializedParams(NetLogEventType type,
+                                      const NetLogSource& source,
+                                      NetLogEventPhase phase,
+                                      base::Value&& params);
 
   // Called whenever an observer is added or removed, to update
-  // |has_observers_|. Must have acquired |lock_| prior to calling.
-  void UpdateIsCapturing();
+  // |observer_capture_modes_|. Must have acquired |lock_| prior to calling.
+  void UpdateObserverCaptureModes();
 
   // Returns true if |observer| is watching this NetLog. Must
   // be called while |lock_| is already held.
   bool HasObserver(ThreadSafeObserver* observer);
 
+  // In debug and ASAN builds, verify that the NetLog is not used while free.
+  // This is a regression test for https://crbug.com/983298.
+#if defined(ADDRESS_SANITIZER) || !defined(NDEBUG)
+  static constexpr int kAliveToken = 0xDEADBEEF;
+
+  inline void CheckAlive() const { CHECK_EQ(alive_, kAliveToken); }
+  inline void MarkDead() {
+    CheckAlive();
+    alive_ = 0;
+  }
+  int alive_ = kAliveToken;
+#else
+  inline void CheckAlive() const {}
+  inline void MarkDead() {}
+#endif
+
   // |lock_| protects access to |observers_|.
   base::Lock lock_;
 
   // Last assigned source ID.  Incremented to get the next one.
   base::subtle::Atomic32 last_id_;
 
-  // |is_capturing_| will be 0 when there are no observers watching the NetLog,
-  // 1 otherwise. Note that this is stored as an Atomic32 rather than a boolean
-  // so it can be accessed without needing a lock.
-  base::subtle::Atomic32 is_capturing_;
+  // Holds the set of all capture modes that observers are watching the log at.
+  //
+  // Is 0 when there are no observers. Stored as an Atomic32 so it can be
+  // accessed and updated more efficiently.
+  base::subtle::Atomic32 observer_capture_modes_;
 
   // |observers_| is a list of observers, ordered by when they were added.
   // Pointers contained in |observers_| are non-owned, and must
@@ -245,39 +357,6 @@ class NET_EXPORT NetLog {
   DISALLOW_COPY_AND_ASSIGN(NetLog);
 };
 
-// Creates a base::Value() to represent the byte string |raw| when adding it to
-// the NetLog.
-//
-// When |raw| is an ASCII string, the returned value is a base::Value()
-// containing that exact string. Otherwise it is represented by a
-// percent-escaped version of the original string, along with a special prefix.
-//
-// This wrapper exists because base::Value strings are required to be UTF-8.
-// Often times NetLog consumers just want to log a std::string, and that string
-// may not be UTF-8.
-NET_EXPORT base::Value NetLogStringValue(base::StringPiece raw);
-
-// Creates a base::Value() to represent the octets |bytes|. This should be
-// used when adding binary data (i.e. not an ASCII or UTF-8 string) to the
-// NetLog. The resulting base::Value() holds a copy of the input data.
-//
-// This wrapper must be used rather than directly adding base::Value parameters
-// of type BINARY to the NetLog, since the JSON writer does not support
-// serializing them.
-//
-// This wrapper encodes |bytes| as a Base64 encoded string.
-NET_EXPORT base::Value NetLogBinaryValue(const void* bytes, size_t length);
-
-// Creates a base::Value() to represent integers, including 64-bit ones.
-// base::Value() does not directly support 64-bit integers, as it is not
-// representable in JSON.
-//
-// These wrappers will return values that are either numbers, or a string
-// representation of their decimal value, depending on what is needed to ensure
-// no loss of precision when de-serializing from JavaScript.
-NET_EXPORT base::Value NetLogNumberValue(int64_t num);
-NET_EXPORT base::Value NetLogNumberValue(uint64_t num);
-
 }  // namespace net
 
 #endif  // NET_LOG_NET_LOG_H_
diff --git a/chromium/net/log/net_log_capture_mode.cc b/chromium/net/log/net_log_capture_mode.cc
index a2ff3c1b7f1..40b072aa9f8 100644
--- a/chromium/net/log/net_log_capture_mode.cc
+++ b/chromium/net/log/net_log_capture_mode.cc
@@ -4,86 +4,14 @@
 
 #include "net/log/net_log_capture_mode.h"
 
-#include <algorithm>
-
-#include "base/command_line.h"
-#include "base/strings/string_piece.h"
-
 namespace net {
 
-namespace {
-
-// Integer representation for the capture mode. The numeric value is depended on
-// for methods of NetLogCaptureMode, which expect that higher values represent a
-// strict superset of the capabilities of lower values.
-enum InternalValue {
-  // Log all events, but do not include the actual transferred bytes, and
-  // remove cookies and HTTP credentials and HTTP/2 GOAWAY frame debug data.
-  DEFAULT,
-
-  // Log all events, but do not include the actual transferred bytes as
-  // parameters for bytes sent/received events.
-  // TODO(bnc): Consider renaming to INCLUDE_PRIVACY_INFO.
-  INCLUDE_COOKIES_AND_CREDENTIALS,
-
-  // Log everything possible, even if it is slow and memory expensive.
-  // Includes logging of transferred bytes.
-  INCLUDE_SOCKET_BYTES,
-};
-
-}  // namespace
-
-NetLogCaptureMode::NetLogCaptureMode() : NetLogCaptureMode(DEFAULT) {
-}
-
-NetLogCaptureMode NetLogCaptureMode::Default() {
-  return NetLogCaptureMode(DEFAULT);
-}
-
-NetLogCaptureMode NetLogCaptureMode::IncludeCookiesAndCredentials() {
-  return NetLogCaptureMode(INCLUDE_COOKIES_AND_CREDENTIALS);
-}
-
-NetLogCaptureMode NetLogCaptureMode::IncludeSocketBytes() {
-  return NetLogCaptureMode(INCLUDE_SOCKET_BYTES);
+bool NetLogCaptureIncludesSensitive(NetLogCaptureMode capture_mode) {
+  return capture_mode >= NetLogCaptureMode::kIncludeSensitive;
 }
 
-bool NetLogCaptureMode::include_cookies_and_credentials() const {
-  return value_ >= INCLUDE_COOKIES_AND_CREDENTIALS;
-}
-
-bool NetLogCaptureMode::include_socket_bytes() const {
-  return value_ >= INCLUDE_SOCKET_BYTES;
-}
-
-bool NetLogCaptureMode::operator==(NetLogCaptureMode mode) const {
-  return value_ == mode.value_;
-}
-
-bool NetLogCaptureMode::operator!=(NetLogCaptureMode mode) const {
-  return !(*this == mode);
-}
-
-NetLogCaptureMode::NetLogCaptureMode(uint32_t value) : value_(value) {
-}
-
-NetLogCaptureMode GetNetCaptureModeFromCommandLine(
-    const base::CommandLine& command_line,
-    base::StringPiece switch_name) {
-  if (command_line.HasSwitch(switch_name)) {
-    std::string value = command_line.GetSwitchValueASCII(switch_name);
-
-    if (value == "Default")
-      return NetLogCaptureMode::Default();
-    if (value == "IncludeCookiesAndCredentials")
-      return NetLogCaptureMode::IncludeCookiesAndCredentials();
-    if (value == "IncludeSocketBytes")
-      return NetLogCaptureMode::IncludeSocketBytes();
-
-    LOG(ERROR) << "Unrecognized value for --" << switch_name;
-  }
-
-  return net::NetLogCaptureMode::Default();
+bool NetLogCaptureIncludesSocketBytes(NetLogCaptureMode capture_mode) {
+  return capture_mode == NetLogCaptureMode::kEverything;
 }
 
 }  // namespace net
diff --git a/chromium/net/log/net_log_capture_mode.h b/chromium/net/log/net_log_capture_mode.h
index 470a00cb8f3..cef1b25cff1 100644
--- a/chromium/net/log/net_log_capture_mode.h
+++ b/chromium/net/log/net_log_capture_mode.h
@@ -7,67 +7,75 @@
 
 #include <stdint.h>
 
-#include <string>
-
-#include "base/strings/string_piece_forward.h"
 #include "net/base/net_export.h"
 
-namespace base {
-class CommandLine;
-}
-
 namespace net {
 
-// NetLogCaptureMode specifies the granularity of events that should be emitted
-// to the log. It is a simple wrapper around an integer, so it should be passed
-// to functions by value rather than by reference.
-class NET_EXPORT NetLogCaptureMode {
- public:
-  // NOTE: Default assignment and copy constructor are OK.
-
-  // The default constructor creates a capture mode equivalent to
-  // Default().
-  NetLogCaptureMode();
-
-  // Constructs a capture mode which logs basic events and event parameters.
-  //    include_cookies_and_credentials() --> false
-  //    include_socket_bytes() --> false
-  static NetLogCaptureMode Default();
-
-  // Constructs a capture mode which logs basic events, and additionally makes
-  // no effort to strip cookies and credentials.
-  //    include_cookies_and_credentials() --> true
-  //    include_socket_bytes() --> false
-  // TODO(bnc): Consider renaming to IncludePrivacyInfo().
-  static NetLogCaptureMode IncludeCookiesAndCredentials();
-
-  // Constructs a capture mode which logs the data sent/received from sockets.
-  //    include_cookies_and_credentials() --> true
-  //    include_socket_bytes() --> true
-  static NetLogCaptureMode IncludeSocketBytes();
-
-  // If include_cookies_and_credentials() is true , then it is OK to log
-  // events which contain cookies, credentials or other privacy sensitive data.
-  // TODO(bnc): Consider renaming to include_privacy_info().
-  bool include_cookies_and_credentials() const;
-
-  // If include_socket_bytes() is true, then it is OK to output the actual
-  // bytes read/written from the network, even if it contains private data.
-  bool include_socket_bytes() const;
-
-  bool operator==(NetLogCaptureMode mode) const;
-  bool operator!=(NetLogCaptureMode mode) const;
-
- private:
-  explicit NetLogCaptureMode(uint32_t value);
-
-  int32_t value_;
+// NetLogCaptureMode specifies the logging level.
+//
+// It is used to control which events are emitted to the log, and what level of
+// detail is included in their parameters.
+//
+// The capture mode is expressed as a number, where higher values imply more
+// information.
+//
+// Note the numeric values are used in a bitfield (NetLogCaptureModeSet) so must
+// be sequential starting from 0, and not exceed 31.
+enum class NetLogCaptureMode : uint32_t {
+  // Default logging level, which is expected to be light-weight and
+  // does best-effort stripping of privacy/security sensitive data.
+  //
+  //  * Includes most HTTP request/response headers, but strips cookies and
+  //    auth.
+  //  * Does not include the full bytes read/written to sockets.
+  kDefault = 0,
+
+  // Logging level that includes everything from kDefault, plus sensitive data
+  // that it may have strippped.
+  //
+  //  * Includes cookies and authentication headers.
+  //  * Does not include the full bytes read/written to sockets.
+  kIncludeSensitive,
+
+  // Logging level that includes everything that is possible to be logged.
+  //
+  //  * Includes the actual bytes read/written to sockets
+  //  * Will result in large log files.
+  kEverything,
+
+  kLast = kEverything,
 };
 
-// Parses a NetLogCaptureMode given an optional command-line switch.
-NET_EXPORT NetLogCaptureMode
-GetNetCaptureModeFromCommandLine(const base::CommandLine& command_line,
-                                 base::StringPiece switch_name);
+// Bitfield of NetLogCaptureMode, that should be initialized to zero for empty
+// set. Bit "i" being set means that the set contains NetLogCaptureMode with
+// value "i".
+//
+// Use the NetLogCaptureModeSet*() functions to operate on it.
+using NetLogCaptureModeSet = uint32_t;
+
+inline NetLogCaptureModeSet NetLogCaptureModeToBit(
+    NetLogCaptureMode capture_mode) {
+  return 1 << static_cast<uint32_t>(capture_mode);
+}
+
+inline bool NetLogCaptureModeSetContains(NetLogCaptureMode capture_mode,
+                                         NetLogCaptureModeSet set) {
+  return (set & NetLogCaptureModeToBit(capture_mode)) != 0;
+}
+
+inline bool NetLogCaptureModeSetAdd(NetLogCaptureMode value,
+                                    NetLogCaptureModeSet* set) {
+  return *set |= NetLogCaptureModeToBit(value);
+}
+
+// Returns true if |capture_mode| permits logging sensitive values such as
+// cookies and credentials.
+NET_EXPORT bool NetLogCaptureIncludesSensitive(NetLogCaptureMode capture_mode);
+
+// Returns true if |capture_mode| permits logging the full request/response
+// bytes from sockets.
+NET_EXPORT bool NetLogCaptureIncludesSocketBytes(
+    NetLogCaptureMode capture_mode);
 
 }  // namespace net
 
diff --git a/chromium/net/log/net_log_capture_mode_unittest.cc b/chromium/net/log/net_log_capture_mode_unittest.cc
index a249bf1e011..ea4fa30c7c2 100644
--- a/chromium/net/log/net_log_capture_mode_unittest.cc
+++ b/chromium/net/log/net_log_capture_mode_unittest.cc
@@ -10,41 +10,25 @@ namespace net {
 
 namespace {
 
-TEST(NetLogCaptureMode, DefaultConstructor) {
-  EXPECT_EQ(NetLogCaptureMode(), NetLogCaptureMode::Default());
-}
-
 TEST(NetLogCaptureMode, Default) {
-  NetLogCaptureMode mode = NetLogCaptureMode::Default();
-
-  EXPECT_FALSE(mode.include_cookies_and_credentials());
-  EXPECT_FALSE(mode.include_socket_bytes());
+  NetLogCaptureMode mode = NetLogCaptureMode::kDefault;
 
-  EXPECT_EQ(mode, NetLogCaptureMode::Default());
-  EXPECT_NE(mode, NetLogCaptureMode::IncludeCookiesAndCredentials());
-  EXPECT_NE(mode, NetLogCaptureMode::IncludeSocketBytes());
+  EXPECT_FALSE(NetLogCaptureIncludesSensitive(mode));
+  EXPECT_FALSE(NetLogCaptureIncludesSocketBytes(mode));
 }
 
-TEST(NetLogCaptureMode, IncludeCookiesAndCredentials) {
-  NetLogCaptureMode mode = NetLogCaptureMode::IncludeCookiesAndCredentials();
+TEST(NetLogCaptureMode, IncludeSensitive) {
+  NetLogCaptureMode mode = NetLogCaptureMode::kIncludeSensitive;
 
-  EXPECT_TRUE(mode.include_cookies_and_credentials());
-  EXPECT_FALSE(mode.include_socket_bytes());
-
-  EXPECT_NE(mode, NetLogCaptureMode::Default());
-  EXPECT_EQ(mode, NetLogCaptureMode::IncludeCookiesAndCredentials());
-  EXPECT_NE(mode, NetLogCaptureMode::IncludeSocketBytes());
+  EXPECT_TRUE(NetLogCaptureIncludesSensitive(mode));
+  EXPECT_FALSE(NetLogCaptureIncludesSocketBytes(mode));
 }
 
-TEST(NetLogCaptureMode, IncludeSocketBytes) {
-  NetLogCaptureMode mode = NetLogCaptureMode::IncludeSocketBytes();
-
-  EXPECT_TRUE(mode.include_cookies_and_credentials());
-  EXPECT_TRUE(mode.include_socket_bytes());
+TEST(NetLogCaptureMode, Everything) {
+  NetLogCaptureMode mode = NetLogCaptureMode::kEverything;
 
-  EXPECT_NE(mode, NetLogCaptureMode::Default());
-  EXPECT_NE(mode, NetLogCaptureMode::IncludeCookiesAndCredentials());
-  EXPECT_EQ(mode, NetLogCaptureMode::IncludeSocketBytes());
+  EXPECT_TRUE(NetLogCaptureIncludesSensitive(mode));
+  EXPECT_TRUE(NetLogCaptureIncludesSocketBytes(mode));
 }
 
 }  // namespace
diff --git a/chromium/net/log/net_log_entry.cc b/chromium/net/log/net_log_entry.cc
index 16be908a4b3..10c0c98b82e 100644
--- a/chromium/net/log/net_log_entry.cc
+++ b/chromium/net/log/net_log_entry.cc
@@ -4,61 +4,54 @@
 
 #include "net/log/net_log_entry.h"
 
-#include <utility>
-
-#include "base/callback.h"
-#include "base/values.h"
 #include "net/log/net_log.h"
 
 namespace net {
 
+NetLogEntry::NetLogEntry(NetLogEventType type,
+                         NetLogSource source,
+                         NetLogEventPhase phase,
+                         base::TimeTicks time,
+                         base::Value params)
+    : type(type),
+      source(source),
+      phase(phase),
+      time(time),
+      params(std::move(params)) {}
+
+NetLogEntry::~NetLogEntry() = default;
+
+NetLogEntry::NetLogEntry(NetLogEntry&& entry) = default;
+NetLogEntry& NetLogEntry::operator=(NetLogEntry&& entry) = default;
+
 base::Value NetLogEntry::ToValue() const {
   base::DictionaryValue entry_dict;
 
-  entry_dict.SetString("time", NetLog::TickCountToString(data_->time));
+  entry_dict.SetString("time", NetLog::TickCountToString(time));
 
   // Set the entry source.
   base::DictionaryValue source_dict;
-  source_dict.SetInteger("id", data_->source.id);
-  source_dict.SetInteger("type", static_cast<int>(data_->source.type));
+  source_dict.SetInteger("id", source.id);
+  source_dict.SetInteger("type", static_cast<int>(source.type));
   entry_dict.SetKey("source", std::move(source_dict));
 
   // Set the event info.
-  entry_dict.SetInteger("type", static_cast<int>(data_->type));
-  entry_dict.SetInteger("phase", static_cast<int>(data_->phase));
+  entry_dict.SetInteger("type", static_cast<int>(type));
+  entry_dict.SetInteger("phase", static_cast<int>(phase));
 
   // Set the event-specific parameters.
-  base::Value params = ParametersToValue();
   if (!params.is_none())
-    entry_dict.SetKey("params", std::move(params));
+    entry_dict.SetKey("params", params.Clone());
 
   return std::move(entry_dict);
 }
 
-base::Value NetLogEntry::ParametersToValue() const {
-  if (data_->parameters_callback)
-    return data_->parameters_callback->Run(capture_mode_);
-  return base::Value();
+NetLogEntry NetLogEntry::Clone() const {
+  return NetLogEntry(type, source, phase, time, params.Clone());
 }
 
-NetLogEntryData::NetLogEntryData(
-    NetLogEventType type,
-    NetLogSource source,
-    NetLogEventPhase phase,
-    base::TimeTicks time,
-    const NetLogParametersCallback* parameters_callback)
-    : type(type),
-      source(source),
-      phase(phase),
-      time(time),
-      parameters_callback(parameters_callback) {}
-
-NetLogEntryData::~NetLogEntryData() = default;
-
-NetLogEntry::NetLogEntry(const NetLogEntryData* data,
-                         NetLogCaptureMode capture_mode)
-    : data_(data), capture_mode_(capture_mode) {}
-
-NetLogEntry::~NetLogEntry() = default;
+bool NetLogEntry::HasParams() const {
+  return !params.is_none();
+}
 
 }  // namespace net
diff --git a/chromium/net/log/net_log_entry.h b/chromium/net/log/net_log_entry.h
index b9280844261..9de87d7a00a 100644
--- a/chromium/net/log/net_log_entry.h
+++ b/chromium/net/log/net_log_entry.h
@@ -5,14 +5,10 @@
 #ifndef NET_LOG_NET_LOG_ENTRY_H_
 #define NET_LOG_NET_LOG_ENTRY_H_
 
-#include <memory>
-
-#include "base/macros.h"
 #include "base/time/time.h"
+#include "base/values.h"
 #include "net/base/net_export.h"
-#include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_source.h"
 
 namespace base {
@@ -21,52 +17,37 @@ class Value;
 
 namespace net {
 
-struct NET_EXPORT NetLogEntryData {
-  NetLogEntryData(NetLogEventType type,
-                  NetLogSource source,
-                  NetLogEventPhase phase,
-                  base::TimeTicks time,
-                  const NetLogParametersCallback* parameters_callback);
-  ~NetLogEntryData();
-
-  const NetLogEventType type;
-  const NetLogSource source;
-  const NetLogEventPhase phase;
-  const base::TimeTicks time;
-  const NetLogParametersCallback* const parameters_callback;
-};
-
-// A NetLogEntry pre-binds NetLogEntryData to a capture mode, so observers will
-// observe the output of ToValue() and ParametersToValue() at their log
-// capture mode rather than the current maximum.
-class NET_EXPORT NetLogEntry {
+// Represents an event that was sent to a NetLog observer, including the
+// materialized parameters.
+struct NET_EXPORT NetLogEntry {
  public:
-  NetLogEntry(const NetLogEntryData* data, NetLogCaptureMode capture_mode);
+  NetLogEntry(NetLogEventType type,
+              NetLogSource source,
+              NetLogEventPhase phase,
+              base::TimeTicks time,
+              base::Value params);
+
   ~NetLogEntry();
 
-  NetLogEventType type() const { return data_->type; }
-  NetLogSource source() const { return data_->source; }
-  NetLogEventPhase phase() const { return data_->phase; }
+  // Moveable.
+  NetLogEntry(NetLogEntry&& entry);
+  NetLogEntry& operator=(NetLogEntry&& entry);
 
-  // Serializes the specified event to a Value.  The Value also includes the
-  // current time.  Takes in a time to allow back-dating entries.
+  // Serializes the specified event to a Value.
   base::Value ToValue() const;
 
-  // Returns the parameters as a Value.  Returns a none value if there are no
-  // parameters.
-  // TODO(eroman): Make this base::Optional instead?
-  base::Value ParametersToValue() const;
-
- private:
-  const NetLogEntryData* const data_;
+  // NetLogEntry is not copy constructible, however copying is useful for
+  // unittests.
+  NetLogEntry Clone() const;
 
-  // Log capture mode when the event occurred.
-  const NetLogCaptureMode capture_mode_;
+  // Returns true if the entry has value for |params|.
+  bool HasParams() const;
 
-  // It is not safe to copy this class, since |parameters_callback_| may
-  // include pointers that become stale immediately after the event is added,
-  // even if the code were modified to keep its own copy of the callback.
-  DISALLOW_COPY_AND_ASSIGN(NetLogEntry);
+  NetLogEventType type;
+  NetLogSource source;
+  NetLogEventPhase phase;
+  base::TimeTicks time;
+  base::Value params;
 };
 
 }  // namespace net
diff --git a/chromium/net/log/net_log_event_type_list.h b/chromium/net/log/net_log_event_type_list.h
index c7ab2bc7a6d..b6db4a74c7b 100644
--- a/chromium/net/log/net_log_event_type_list.h
+++ b/chromium/net/log/net_log_event_type_list.h
@@ -2169,6 +2169,79 @@ EVENT_TYPE(SOCKS5_HANDSHAKE_READ)
 // ------------------------------------------------------------------------
 // HTTP Authentication
 // ------------------------------------------------------------------------
+//
+// Structure of common GSSAPI / SSPI values.
+// -----------------------------------------
+// For convenience some structured GSSAPI/SSPI values are serialized
+// consistently across different events. They are explained below.
+//
+// ** GSSAPI Status:
+//
+// A major/minor status code returned by a GSSAPI function. The major status
+// code indicates the GSSAPI level error, while the minor code provides a
+// mechanism specific error code if a specific GSSAPI mechanism was involved in
+// the error.
+//
+// The status value has the following structure:
+//   {
+//     "function": <name of GSSAPI function that returned the error>
+//     "major_status": {
+//       "status" : <status value as a number>,
+//       "message": [
+//          <list of strings hopefully explaining what that number means>
+//       ]
+//     },
+//     "minor_status": {
+//       "status" : <status value as a number>,
+//       "message": [
+//          <list of strings hopefully explaining what that number means>
+//       ]
+//     }
+//   }
+//
+// ** OID:
+//
+// An ASN.1 OID that's used for GSSAPI is serialized thusly:
+//   {
+//     "oid":    <symbolic name of OID if it is known>
+//     "length": <length in bytes of serialized OID>,
+//     "bytes":  <serialized bytes of OID encoded via NetLogBinaryValue()>
+//   }
+//
+// ** GSS Display Name:
+//
+// A serialization of GSSAPI principal name to something that can be consumed by
+// humans. If the encoding of the string is not UTF-8 (since there's no
+// requirement that they use any specific encoding) the field is serialized
+// using NetLogBinaryValue().
+//   {
+//     "name" : <GSSAPI principal name>
+//     "type" : <OID indicating type of name. See OID above.>
+//     "error": <If the display name lookup operation failed, then this field
+//               contains the error in the form of a GSSAPI Status.>
+//   }
+//
+// ** GSSAPI Context Description
+//
+// A serialization of the GSSAPI context. It takes the following form:
+//   {
+//     "source"  : <GSS Display Name for the source of the authentication
+//                  attempt.  In practice this is always the user's identity.>
+//     "target"  : <GSS Display Name for the target of the authentication
+//                  attempt.  This the target server or proxy service
+//                  principal.>
+//     "open"    : <Boolean indicating whether the context is "open", which
+//                  means that the handshake is still in progress. In
+//                  particular, the flags, lifetime, and mechanism fields are
+//                  not considered final until "open" is false.
+//     "lifetime": <A decimal string indicating the lifetime in seconds of the
+//                  authentication context. The identity as established by this
+//                  handshake is only valid for this long since the time at
+//                  which it was established.>
+//     "mechanism":<OID indicating inner authentication mechanism.>
+//     "flags"    :<Flags. See RFC 2744 Section 5.19 for meanings. Flag
+//                  bitmasks can be found in RFC 2744 Appendix A.>
+//   }
 
 // Lifetime event for HttpAuthController.
 //
@@ -2212,11 +2285,56 @@ EVENT_TYPE(AUTH_GENERATE_TOKEN)
 //  }
 EVENT_TYPE(AUTH_HANDLE_CHALLENGE)
 
+// An attempt was made to load an authentication library.
+//
+// If the request succeeded, the parameters are:
+//   {
+//     "library_name": <Name of library>
+//   }
+// Otherwise, the parameters are:
+//   {
+//     "library_name": <Name of library>
+//     "load_error": <An error string>
+//   }
+EVENT_TYPE(AUTH_LIBRARY_LOAD)
+
+// A required method was not found while attempting to load an authentication
+// library.
+//
+// Parameters are:
+//   {
+//     "library_name": <Name of the library where the method lookup failed>
+//     "method": <Name of method that was not found>
+//   }
+EVENT_TYPE(AUTH_LIBRARY_BIND_FAILED)
+
+// Construction of the GSSAPI service principal name.
+//
+// Parameters:
+//   {
+//     "spn": <Service principal name as a string>
+//     "status":  <GSSAPI Status. See GSSAPI Status above. This is field is only
+//                 logged if the operation failed.>
+//   }
+EVENT_TYPE(AUTH_LIBRARY_IMPORT_NAME)
+
+// Initialize security context.
+//
+// This operation involves invoking an external library which may perform disk,
+// IPC, and network IO as a part of its work.
+//
+// The END phase has the following parameters.
+//   {
+//     "context": <GSSAPI Context Description>,
+//     "status":  <GSSAPI Status if the operation failed>
+//   }
+EVENT_TYPE(AUTH_LIBRARY_INIT_SEC_CTX)
+
 // The channel bindings generated for the connection.
 //  {
-//       "token": <Hex encoded RFC 5929 'tls-server-endpoint' channel binding
-//                 token. Could be empty if one could not be generated (e.g.
-//                 because the underlying channel was not TLS>
+//     "token": <Hex encoded RFC 5929 'tls-server-endpoint' channel binding
+//               token. Could be empty if one could not be generated (e.g.
+//               because the underlying channel was not TLS.)>
 //  }
 EVENT_TYPE(AUTH_CHANNEL_BINDINGS)
 
@@ -2414,53 +2532,6 @@ EVENT_TYPE(DNS_TRANSACTION_TCP_ATTEMPT)
 EVENT_TYPE(DNS_TRANSACTION_RESPONSE)
 
 // ------------------------------------------------------------------------
-// ChromeExtension
-// ------------------------------------------------------------------------
-
-// TODO(eroman): This is a layering violation. Fix this in the context
-// of http://crbug.com/90674.
-
-// This event is created when a Chrome extension aborts a request.
-//
-//  {
-//    "extension_id": <Extension ID that caused the abortion>
-//  }
-EVENT_TYPE(CHROME_EXTENSION_ABORTED_REQUEST)
-
-// This event is created when a Chrome extension redirects a request.
-//
-//  {
-//    "extension_id": <Extension ID that caused the redirection>
-//  }
-EVENT_TYPE(CHROME_EXTENSION_REDIRECTED_REQUEST)
-
-// This event is created when a Chrome extension modifies the headers of a
-// request.
-//
-//  {
-//    "extension_id":     <Extension ID that caused the modification>,
-//    "modified_headers": [ "<header>: <value>", ... ],
-//    "deleted_headers":  [ "<header>", ... ]
-//  }
-EVENT_TYPE(CHROME_EXTENSION_MODIFIED_HEADERS)
-
-// This event is created when a Chrome extension tried to modify a request
-// but was ignored due to a conflict.
-//
-//  {
-//    "extension_id": <Extension ID that was ignored>
-//  }
-EVENT_TYPE(CHROME_EXTENSION_IGNORED_DUE_TO_CONFLICT)
-
-// This event is created when a Chrome extension provides authentication
-// credentials.
-//
-//  {
-//    "extension_id": <Extension ID that provides credentials>
-//  }
-EVENT_TYPE(CHROME_EXTENSION_PROVIDE_AUTH_CREDENTIALS)
-
-// ------------------------------------------------------------------------
 // CertVerifier
 // ------------------------------------------------------------------------
 
diff --git a/chromium/net/log/net_log_parameters_callback.h b/chromium/net/log/net_log_parameters_callback.h
deleted file mode 100644
index 05ff3ff033d..00000000000
--- a/chromium/net/log/net_log_parameters_callback.h
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_LOG_NET_LOG_PARAMETERS_CALLBACK_H_
-#define NET_LOG_NET_LOG_PARAMETERS_CALLBACK_H_
-
-#include <memory>
-
-#include "base/callback_forward.h"
-#include "net/log/net_log_capture_mode.h"
-
-namespace base {
-class Value;
-}
-
-namespace net {
-
-// A callback that returns a Value representation of the parameters
-// associated with an event.  If called, it will be called synchronously,
-// so it need not have owning references.  May be called more than once, or
-// not at all.  May return a none value to indicate no parameters.
-using NetLogParametersCallback =
-    base::RepeatingCallback<base::Value(NetLogCaptureMode)>;
-
-}  // namespace net
-
-#endif  // NET_LOG_NET_LOG_PARAMETERS_CALLBACK_H_
diff --git a/chromium/net/log/net_log_source.cc b/chromium/net/log/net_log_source.cc
index 09b1daa675e..e9ffa467997 100644
--- a/chromium/net/log/net_log_source.cc
+++ b/chromium/net/log/net_log_source.cc
@@ -17,9 +17,7 @@ namespace net {
 
 namespace {
 
-base::Value SourceEventParametersCallback(
-    const NetLogSource source,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value SourceEventParametersCallback(const NetLogSource source) {
   if (!source.IsValid())
     return base::Value();
   base::DictionaryValue event_params;
@@ -49,15 +47,15 @@ void NetLogSource::AddToEventParameters(base::Value* event_params) const {
   event_params->SetKey("source_dependency", std::move(dict));
 }
 
-NetLogParametersCallback NetLogSource::ToEventParametersCallback() const {
-  return base::Bind(&SourceEventParametersCallback, *this);
+base::Value NetLogSource::ToEventParameters() const {
+  return SourceEventParametersCallback(*this);
 }
 
 // static
-bool NetLogSource::FromEventParameters(base::Value* event_params,
+bool NetLogSource::FromEventParameters(const base::Value* event_params,
                                        NetLogSource* source) {
-  base::DictionaryValue* dict = nullptr;
-  base::DictionaryValue* source_dict = nullptr;
+  const base::DictionaryValue* dict = nullptr;
+  const base::DictionaryValue* source_dict = nullptr;
   int source_id = -1;
   int source_type = static_cast<int>(NetLogSourceType::COUNT);
   if (!event_params || !event_params->GetAsDictionary(&dict) ||
diff --git a/chromium/net/log/net_log_source.h b/chromium/net/log/net_log_source.h
index 87748454e1e..82fa6daaf89 100644
--- a/chromium/net/log/net_log_source.h
+++ b/chromium/net/log/net_log_source.h
@@ -8,7 +8,6 @@
 #include <stdint.h>
 
 #include "net/base/net_export.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_source_type.h"
 
 namespace base {
@@ -32,15 +31,15 @@ struct NET_EXPORT NetLogSource {
   // using the name "source_dependency".
   void AddToEventParameters(base::Value* event_params) const;
 
-  // Returns a callback that returns a dictionary with a single entry
-  // named "source_dependency" that describes |this|.
-  NetLogParametersCallback ToEventParametersCallback() const;
+  // Returns a dictionary with a single entry named "source_dependency" that
+  // describes |this|.
+  base::Value ToEventParameters() const;
 
   // Attempts to extract a NetLogSource from a set of event parameters.  Returns
   // true and writes the result to |source| on success.  Returns false and
   // makes |source| an invalid source on failure.
   // TODO(mmenke):  Long term, we want to remove this.
-  static bool FromEventParameters(base::Value* event_params,
+  static bool FromEventParameters(const base::Value* event_params,
                                   NetLogSource* source);
 
   NetLogSourceType type;
diff --git a/chromium/net/log/net_log_unittest.cc b/chromium/net/log/net_log_unittest.cc
index 0169afb63c3..bd7b0f7f1ea 100644
--- a/chromium/net/log/net_log_unittest.cc
+++ b/chromium/net/log/net_log_unittest.cc
@@ -4,23 +4,15 @@
 
 #include "net/log/net_log.h"
 
-#include <limits>
-#include <memory>
-#include <utility>
-
-#include "base/bind.h"
-#include "base/callback.h"
 #include "base/stl_util.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/simple_thread.h"
 #include "base/values.h"
-#include "net/base/net_errors.h"
-#include "net/log/file_net_log_observer.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
@@ -29,26 +21,15 @@ namespace {
 const int kThreads = 10;
 const int kEvents = 100;
 
-// Under the hood a NetLogCaptureMode is simply an int. But for layering reasons
-// this internal value is not exposed. These tests need to serialize a
-// NetLogCaptureMode to a base::Value, so create our own private mapping.
 int CaptureModeToInt(NetLogCaptureMode capture_mode) {
-  if (capture_mode == NetLogCaptureMode::Default())
-    return 0;
-  if (capture_mode == NetLogCaptureMode::IncludeCookiesAndCredentials())
-    return 1;
-  if (capture_mode == NetLogCaptureMode::IncludeSocketBytes())
-    return 2;
-
-  ADD_FAILURE() << "Unknown capture mode";
-  return -1;
+  return static_cast<int>(capture_mode);
 }
 
 base::Value CaptureModeToValue(NetLogCaptureMode capture_mode) {
   return base::Value(CaptureModeToInt(capture_mode));
 }
 
-base::Value NetCaptureModeCallback(NetLogCaptureMode capture_mode) {
+base::Value NetCaptureModeParams(NetLogCaptureMode capture_mode) {
   base::DictionaryValue dict;
   dict.SetKey("capture_mode", CaptureModeToValue(capture_mode));
   return std::move(dict);
@@ -56,41 +37,41 @@ base::Value NetCaptureModeCallback(NetLogCaptureMode capture_mode) {
 
 TEST(NetLogTest, Basic) {
   TestNetLog net_log;
-  TestNetLogEntry::List entries;
-  net_log.GetEntries(&entries);
+  auto entries = net_log.GetEntries();
   EXPECT_EQ(0u, entries.size());
 
   net_log.AddGlobalEntry(NetLogEventType::CANCELLED);
 
-  net_log.GetEntries(&entries);
+  entries = net_log.GetEntries();
   ASSERT_EQ(1u, entries.size());
   EXPECT_EQ(NetLogEventType::CANCELLED, entries[0].type);
   EXPECT_EQ(NetLogSourceType::NONE, entries[0].source.type);
   EXPECT_NE(NetLogSource::kInvalidId, entries[0].source.id);
   EXPECT_EQ(NetLogEventPhase::NONE, entries[0].phase);
   EXPECT_GE(base::TimeTicks::Now(), entries[0].time);
-  EXPECT_FALSE(entries[0].params);
+  EXPECT_FALSE(entries[0].HasParams());
 }
 
 // Check that the correct CaptureMode is sent to NetLog Value callbacks.
 TEST(NetLogTest, CaptureModes) {
   NetLogCaptureMode kModes[] = {
-      NetLogCaptureMode::Default(),
-      NetLogCaptureMode::IncludeCookiesAndCredentials(),
-      NetLogCaptureMode::IncludeSocketBytes(),
+      NetLogCaptureMode::kDefault,
+      NetLogCaptureMode::kIncludeSensitive,
+      NetLogCaptureMode::kEverything,
   };
 
   TestNetLog net_log;
 
   for (NetLogCaptureMode mode : kModes) {
-    net_log.SetCaptureMode(mode);
+    net_log.SetObserverCaptureMode(mode);
     EXPECT_EQ(mode, net_log.GetObserver()->capture_mode());
 
     net_log.AddGlobalEntry(NetLogEventType::SOCKET_ALIVE,
-                           base::Bind(NetCaptureModeCallback));
+                           [&](NetLogCaptureMode capture_mode) {
+                             return NetCaptureModeParams(capture_mode);
+                           });
 
-    TestNetLogEntry::List entries;
-    net_log.GetEntries(&entries);
+    auto entries = net_log.GetEntries();
 
     ASSERT_EQ(1u, entries.size());
     EXPECT_EQ(NetLogEventType::SOCKET_ALIVE, entries[0].type);
@@ -99,10 +80,8 @@ TEST(NetLogTest, CaptureModes) {
     EXPECT_EQ(NetLogEventPhase::NONE, entries[0].phase);
     EXPECT_GE(base::TimeTicks::Now(), entries[0].time);
 
-    int logged_capture_mode;
-    ASSERT_TRUE(
-        entries[0].GetIntegerValue("capture_mode", &logged_capture_mode));
-    EXPECT_EQ(CaptureModeToInt(mode), logged_capture_mode);
+    ASSERT_EQ(CaptureModeToInt(mode),
+              GetIntegerValueFromParams(entries[0], "capture_mode"));
 
     net_log.Clear();
   }
@@ -152,7 +131,9 @@ class LoggingObserver : public NetLog::ThreadSafeObserver {
 
 void AddEvent(NetLog* net_log) {
   net_log->AddGlobalEntry(NetLogEventType::CANCELLED,
-                          base::Bind(CaptureModeToValue));
+                          [&](NetLogCaptureMode capture_mode) {
+                            return CaptureModeToValue(capture_mode);
+                          });
 }
 
 // A thread that waits until an event has been signalled before calling
@@ -218,17 +199,9 @@ class AddRemoveObserverTestThread : public NetLogTestThread {
     for (int i = 0; i < kEvents; ++i) {
       ASSERT_FALSE(observer_.net_log());
 
-      net_log_->AddObserver(&observer_,
-                            NetLogCaptureMode::IncludeCookiesAndCredentials());
-      ASSERT_EQ(net_log_, observer_.net_log());
-      ASSERT_EQ(NetLogCaptureMode::IncludeCookiesAndCredentials(),
-                observer_.capture_mode());
-
-      net_log_->SetObserverCaptureMode(&observer_,
-                                       NetLogCaptureMode::IncludeSocketBytes());
+      net_log_->AddObserver(&observer_, NetLogCaptureMode::kIncludeSensitive);
       ASSERT_EQ(net_log_, observer_.net_log());
-      ASSERT_EQ(NetLogCaptureMode::IncludeSocketBytes(),
-                observer_.capture_mode());
+      ASSERT_EQ(NetLogCaptureMode::kIncludeSensitive, observer_.capture_mode());
 
       net_log_->RemoveObserver(&observer_);
       ASSERT_TRUE(!observer_.net_log());
@@ -268,7 +241,7 @@ TEST(NetLogTest, NetLogEventThreads) {
   // safely detach themselves on destruction.
   CountingObserver observers[3];
   for (size_t i = 0; i < base::size(observers); ++i) {
-    net_log.AddObserver(&observers[i], NetLogCaptureMode::IncludeSocketBytes());
+    net_log.AddObserver(&observers[i], NetLogCaptureMode::kEverything);
   }
 
   // Run a bunch of threads to completion, each of which will emit events to
@@ -292,24 +265,15 @@ TEST(NetLogTest, NetLogAddRemoveObserver) {
   EXPECT_FALSE(net_log.IsCapturing());
 
   // Add the observer and add an event.
-  net_log.AddObserver(&observer,
-                      NetLogCaptureMode::IncludeCookiesAndCredentials());
+  net_log.AddObserver(&observer, NetLogCaptureMode::kIncludeSensitive);
   EXPECT_TRUE(net_log.IsCapturing());
   EXPECT_EQ(&net_log, observer.net_log());
-  EXPECT_EQ(NetLogCaptureMode::IncludeCookiesAndCredentials(),
-            observer.capture_mode());
+  EXPECT_EQ(NetLogCaptureMode::kIncludeSensitive, observer.capture_mode());
   EXPECT_TRUE(net_log.IsCapturing());
 
   AddEvent(&net_log);
   EXPECT_EQ(1, observer.count());
 
-  // Change the observer's logging level and add an event.
-  net_log.SetObserverCaptureMode(&observer,
-                                 NetLogCaptureMode::IncludeSocketBytes());
-  EXPECT_EQ(&net_log, observer.net_log());
-  EXPECT_EQ(NetLogCaptureMode::IncludeSocketBytes(), observer.capture_mode());
-  EXPECT_TRUE(net_log.IsCapturing());
-
   AddEvent(&net_log);
   EXPECT_EQ(2, observer.count());
 
@@ -321,10 +285,11 @@ TEST(NetLogTest, NetLogAddRemoveObserver) {
   AddEvent(&net_log);
   EXPECT_EQ(2, observer.count());
 
-  // Add the observer a final time, and add an event.
-  net_log.AddObserver(&observer, NetLogCaptureMode::IncludeSocketBytes());
+  // Add the observer a final time, this time with a different capture mdoe, and
+  // add an event.
+  net_log.AddObserver(&observer, NetLogCaptureMode::kEverything);
   EXPECT_EQ(&net_log, observer.net_log());
-  EXPECT_EQ(NetLogCaptureMode::IncludeSocketBytes(), observer.capture_mode());
+  EXPECT_EQ(NetLogCaptureMode::kEverything, observer.capture_mode());
   EXPECT_TRUE(net_log.IsCapturing());
 
   AddEvent(&net_log);
@@ -337,22 +302,18 @@ TEST(NetLogTest, NetLogTwoObservers) {
   LoggingObserver observer[2];
 
   // Add first observer.
-  net_log.AddObserver(&observer[0],
-                      NetLogCaptureMode::IncludeCookiesAndCredentials());
+  net_log.AddObserver(&observer[0], NetLogCaptureMode::kIncludeSensitive);
   EXPECT_EQ(&net_log, observer[0].net_log());
   EXPECT_EQ(NULL, observer[1].net_log());
-  EXPECT_EQ(NetLogCaptureMode::IncludeCookiesAndCredentials(),
-            observer[0].capture_mode());
+  EXPECT_EQ(NetLogCaptureMode::kIncludeSensitive, observer[0].capture_mode());
   EXPECT_TRUE(net_log.IsCapturing());
 
   // Add second observer observer.
-  net_log.AddObserver(&observer[1], NetLogCaptureMode::IncludeSocketBytes());
+  net_log.AddObserver(&observer[1], NetLogCaptureMode::kEverything);
   EXPECT_EQ(&net_log, observer[0].net_log());
   EXPECT_EQ(&net_log, observer[1].net_log());
-  EXPECT_EQ(NetLogCaptureMode::IncludeCookiesAndCredentials(),
-            observer[0].capture_mode());
-  EXPECT_EQ(NetLogCaptureMode::IncludeSocketBytes(),
-            observer[1].capture_mode());
+  EXPECT_EQ(NetLogCaptureMode::kIncludeSensitive, observer[0].capture_mode());
+  EXPECT_EQ(NetLogCaptureMode::kEverything, observer[1].capture_mode());
   EXPECT_TRUE(net_log.IsCapturing());
 
   // Add event and make sure both observers receive it at their respective log
@@ -370,8 +331,7 @@ TEST(NetLogTest, NetLogTwoObservers) {
   net_log.RemoveObserver(&observer[1]);
   EXPECT_EQ(&net_log, observer[0].net_log());
   EXPECT_EQ(NULL, observer[1].net_log());
-  EXPECT_EQ(NetLogCaptureMode::IncludeCookiesAndCredentials(),
-            observer[0].capture_mode());
+  EXPECT_EQ(NetLogCaptureMode::kIncludeSensitive, observer[0].capture_mode());
   EXPECT_TRUE(net_log.IsCapturing());
 
   // Add event and make sure only second observer gets it.
@@ -401,139 +361,15 @@ TEST(NetLogTest, NetLogAddRemoveObserverThreads) {
   RunTestThreads<AddRemoveObserverTestThread>(&net_log);
 }
 
-// Calls NetLogASCIIStringValue() on |raw| and returns the resulting string
-// (rather than the base::Value).
-std::string GetNetLogString(base::StringPiece raw) {
-  base::Value value = NetLogStringValue(raw);
-  std::string result;
-  EXPECT_TRUE(value.GetAsString(&result));
-  return result;
-}
-
-TEST(NetLogTest, NetLogASCIIStringValue) {
-  // ASCII strings should not be transformed.
-  EXPECT_EQ("ascii\nstrin\0g", GetNetLogString("ascii\nstrin\0g"));
-
-  // Non-ASCII UTF-8 strings should be escaped.
-  EXPECT_EQ("%ESCAPED:\xE2\x80\x8B utf-8 string %E2%98%83",
-            GetNetLogString("utf-8 string \xE2\x98\x83"));
-
-  // The presence of percent should not trigger escaping.
-  EXPECT_EQ("%20", GetNetLogString("%20"));
-
-  // However if the value to be escaped contains percent, it should be escaped
-  // (so can unescape to restore the original string).
-  EXPECT_EQ("%ESCAPED:\xE2\x80\x8B %E2%98%83 %2520",
-            GetNetLogString("\xE2\x98\x83 %20"));
-
-  // Test that when percent escaping, no ASCII value is escaped (excluding %).
-  for (uint8_t c = 0; c <= 0x7F; ++c) {
-    if (c == '%')
-      continue;
-
-    std::string s;
-    s.push_back(c);
-
-    EXPECT_EQ("%ESCAPED:\xE2\x80\x8B %E2 " + s, GetNetLogString("\xE2 " + s));
-  }
-}
-
-TEST(NetLogTest, NetLogBinaryValue) {
-  // Test the encoding for empty bytes.
-  auto value1 = NetLogBinaryValue(nullptr, 0);
-  std::string string1;
-  ASSERT_TRUE(value1.GetAsString(&string1));
-  EXPECT_EQ("", string1);
-
-  // Test the encoding for a non-empty sequence (which needs padding).
-  const uint8_t kBytes[] = {0x00, 0xF3, 0xF8, 0xFF};
-  auto value2 = NetLogBinaryValue(kBytes, base::size(kBytes));
-  std::string string2;
-  ASSERT_TRUE(value2.GetAsString(&string2));
-  EXPECT_EQ("APP4/w==", string2);
-}
-
-template <typename T>
-std::string SerializedNetLogNumber(T num) {
-  auto value = NetLogNumberValue(num);
-
-  EXPECT_TRUE(value.is_string() || value.is_int() || value.is_double());
-
-  return SerializeNetLogValueToJson(value);
-}
-
-std::string SerializedNetLogInt64(int64_t num) {
-  return SerializedNetLogNumber(num);
-}
-
-std::string SerializedNetLogUint64(uint64_t num) {
-  return SerializedNetLogNumber(num);
-}
-
-TEST(NetLogTest, NetLogNumberValue) {
-  const int64_t kMinInt = std::numeric_limits<int32_t>::min();
-  const int64_t kMaxInt = std::numeric_limits<int32_t>::max();
-
-  // Numbers which can be represented by an INTEGER base::Value().
-  EXPECT_EQ("0", SerializedNetLogInt64(0));
-  EXPECT_EQ("0", SerializedNetLogUint64(0));
-  EXPECT_EQ("-1", SerializedNetLogInt64(-1));
-  EXPECT_EQ("-2147483648", SerializedNetLogInt64(kMinInt));
-  EXPECT_EQ("2147483647", SerializedNetLogInt64(kMaxInt));
-
-  // Numbers which are outside of the INTEGER range, but fit within a DOUBLE.
-  EXPECT_EQ("-2147483649", SerializedNetLogInt64(kMinInt - 1));
-  EXPECT_EQ("2147483648", SerializedNetLogInt64(kMaxInt + 1));
-  EXPECT_EQ("4294967294", SerializedNetLogInt64(0xFFFFFFFF - 1));
-
-  // kMaxSafeInteger is the same as JavaScript's Numbers.MAX_SAFE_INTEGER.
-  const int64_t kMaxSafeInteger = 9007199254740991;  // 2^53 - 1
-
-  // Numbers that can be represented with full precision by a DOUBLE.
-  EXPECT_EQ("-9007199254740991", SerializedNetLogInt64(-kMaxSafeInteger));
-  EXPECT_EQ("9007199254740991", SerializedNetLogInt64(kMaxSafeInteger));
-  EXPECT_EQ("9007199254740991", SerializedNetLogUint64(kMaxSafeInteger));
-
-  // Numbers that are just outside of the range of a DOUBLE need to be encoded
-  // as strings.
-  EXPECT_EQ("\"-9007199254740992\"",
-            SerializedNetLogInt64(-kMaxSafeInteger - 1));
-  EXPECT_EQ("\"9007199254740992\"", SerializedNetLogInt64(kMaxSafeInteger + 1));
-  EXPECT_EQ("\"9007199254740992\"",
-            SerializedNetLogUint64(kMaxSafeInteger + 1));
-
-  // Test the 64-bit maximums.
-  EXPECT_EQ("\"9223372036854775807\"",
-            SerializedNetLogInt64(std::numeric_limits<int64_t>::max()));
-  EXPECT_EQ("\"18446744073709551615\"",
-            SerializedNetLogUint64(std::numeric_limits<uint64_t>::max()));
-}
-
 // Tests that serializing a NetLogEntry with empty parameters omits a value for
 // "params".
 TEST(NetLogTest, NetLogEntryToValueEmptyParams) {
-  // NetLogEntry with a null parameters callback.
-  NetLogEntryData entry_data1(NetLogEventType::REQUEST_ALIVE, NetLogSource(),
-                              NetLogEventPhase::BEGIN, base::TimeTicks(),
-                              nullptr);
-  NetLogEntry entry1(&entry_data1, NetLogCaptureMode::Default());
-
-  // NetLogEntry with a parameters callback that returns a NONE value.
-  NetLogParametersCallback callback2 =
-      base::BindRepeating([](NetLogCaptureMode) { return base::Value(); });
-  NetLogEntryData entry_data2(NetLogEventType::REQUEST_ALIVE, NetLogSource(),
-                              NetLogEventPhase::BEGIN, base::TimeTicks(),
-                              &callback2);
-  NetLogEntry entry2(&entry_data2, NetLogCaptureMode::Default());
-
-  ASSERT_FALSE(entry_data1.parameters_callback);
-  ASSERT_TRUE(entry_data2.parameters_callback);
-
-  ASSERT_TRUE(entry1.ParametersToValue().is_none());
-  ASSERT_TRUE(entry2.ParametersToValue().is_none());
+  // NetLogEntry with no params.
+  NetLogEntry entry1(NetLogEventType::REQUEST_ALIVE, NetLogSource(),
+                     NetLogEventPhase::BEGIN, base::TimeTicks(), base::Value());
 
+  ASSERT_TRUE(entry1.params.is_none());
   ASSERT_FALSE(entry1.ToValue().FindKey("params"));
-  ASSERT_FALSE(entry2.ToValue().FindKey("params"));
 }
 
 }  // namespace
diff --git a/chromium/net/log/net_log_util.cc b/chromium/net/log/net_log_util.cc
index dcf2fb5d7c2..3ee03937543 100644
--- a/chromium/net/log/net_log_util.cc
+++ b/chromium/net/log/net_log_util.cc
@@ -9,7 +9,6 @@
 #include <utility>
 #include <vector>
 
-#include "base/bind.h"
 #include "base/logging.h"
 #include "base/metrics/field_trial.h"
 #include "base/strings/string_number_conversions.h"
@@ -27,11 +26,10 @@
 #include "net/http/http_network_session.h"
 #include "net/http/http_server_properties.h"
 #include "net/http/http_transaction_factory.h"
-#include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_entry.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
+#include "net/log/net_log_values.h"
 #include "net/log/net_log_with_source.h"
 #include "net/proxy_resolution/proxy_config.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
@@ -128,13 +126,6 @@ bool RequestCreatedBefore(const URLRequest* request1,
   return request1->identifier() < request2->identifier();
 }
 
-// Returns a Value representing the state of a pre-existing URLRequest when
-// net-internals was opened.
-base::Value GetRequestStateAsValue(const net::URLRequest* request,
-                                   NetLogCaptureMode capture_mode) {
-  return request->GetStateAsValue();
-}
-
 }  // namespace
 
 std::unique_ptr<base::DictionaryValue> GetNetConstants() {
@@ -504,15 +495,9 @@ NET_EXPORT void CreateNetLogEntriesForActiveObjects(
 
   // Create fake events.
   for (auto* request : requests) {
-    NetLogParametersCallback callback =
-        base::Bind(&GetRequestStateAsValue, base::Unretained(request));
-
-    // Note that passing the hardcoded NetLogCaptureMode::Default() below is
-    // fine, since GetRequestStateAsValue() ignores the capture mode.
-    NetLogEntryData entry_data(
-        NetLogEventType::REQUEST_ALIVE, request->net_log().source(),
-        NetLogEventPhase::BEGIN, request->creation_time(), &callback);
-    NetLogEntry entry(&entry_data, NetLogCaptureMode::Default());
+    NetLogEntry entry(NetLogEventType::REQUEST_ALIVE,
+                      request->net_log().source(), NetLogEventPhase::BEGIN,
+                      request->creation_time(), request->GetStateAsValue());
     observer->OnAddEntry(entry);
   }
 }
diff --git a/chromium/net/log/net_log_util_unittest.cc b/chromium/net/log/net_log_util_unittest.cc
index 9208cd6cedd..165f9f86fb7 100644
--- a/chromium/net/log/net_log_util_unittest.cc
+++ b/chromium/net/log/net_log_util_unittest.cc
@@ -17,7 +17,6 @@
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "net/url_request/url_request_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -81,8 +80,7 @@ TEST(NetLogUtil, CreateNetLogEntriesForActiveObjectsOneContext) {
     contexts.insert(&context);
     TestNetLog test_net_log;
     CreateNetLogEntriesForActiveObjects(contexts, test_net_log.GetObserver());
-    TestNetLogEntry::List entry_list;
-    test_net_log.GetEntries(&entry_list);
+    auto entry_list = test_net_log.GetEntries();
     ASSERT_EQ(num_requests, entry_list.size());
 
     for (size_t i = 0; i < num_requests; ++i) {
@@ -114,8 +112,7 @@ TEST(NetLogUtil, CreateNetLogEntriesForActiveObjectsMultipleContexts) {
     TestNetLog test_net_log;
     CreateNetLogEntriesForActiveObjects(context_set,
                                         test_net_log.GetObserver());
-    TestNetLogEntry::List entry_list;
-    test_net_log.GetEntries(&entry_list);
+    auto entry_list = test_net_log.GetEntries();
     ASSERT_EQ(num_requests, entry_list.size());
 
     for (size_t i = 0; i < num_requests; ++i) {
diff --git a/chromium/net/log/net_log_values.cc b/chromium/net/log/net_log_values.cc
new file mode 100644
index 00000000000..fdbb443d629
--- /dev/null
+++ b/chromium/net/log/net_log_values.cc
@@ -0,0 +1,99 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/log/net_log_values.h"
+
+#include "base/base64.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "base/values.h"
+#include "net/base/escape.h"
+
+namespace net {
+
+namespace {
+
+// IEEE 64-bit doubles have a 52-bit mantissa, and can therefore represent
+// 53-bits worth of precision (see also documentation for JavaScript's
+// Number.MAX_SAFE_INTEGER for more discussion on this).
+//
+// If the number can be represented with an int or double use that. Otherwise
+// fallback to encoding it as a string.
+template <typename T>
+base::Value NetLogNumberValueHelper(T num) {
+  // Fits in a (32-bit) int: [-2^31, 2^31 - 1]
+  if ((!std::is_signed<T>::value || (num >= static_cast<T>(-2147483648))) &&
+      (num <= static_cast<T>(2147483647))) {
+    return base::Value(static_cast<int>(num));
+  }
+
+  // Fits in a double: (-2^53, 2^53)
+  if ((!std::is_signed<T>::value ||
+       (num >= static_cast<T>(-9007199254740991))) &&
+      (num <= static_cast<T>(9007199254740991))) {
+    return base::Value(static_cast<double>(num));
+  }
+
+  // Otherwise format as a string.
+  return base::Value(base::NumberToString(num));
+}
+
+}  // namespace
+
+base::Value NetLogStringValue(base::StringPiece raw) {
+  // The common case is that |raw| is ASCII. Represent this directly.
+  if (base::IsStringASCII(raw))
+    return base::Value(raw);
+
+  // For everything else (including valid UTF-8) percent-escape |raw|, and add a
+  // prefix that "tags" the value as being a percent-escaped representation.
+  //
+  // Note that the sequence E2 80 8B is U+200B (zero-width space) in UTF-8. It
+  // is added so the escaped string is not itself also ASCII (otherwise there
+  // would be ambiguity for consumers as to when the value needs to be
+  // unescaped).
+  return base::Value("%ESCAPED:\xE2\x80\x8B " + EscapeNonASCIIAndPercent(raw));
+}
+
+base::Value NetLogBinaryValue(const void* bytes, size_t length) {
+  std::string b64;
+  Base64Encode(base::StringPiece(reinterpret_cast<const char*>(bytes), length),
+               &b64);
+  return base::Value(std::move(b64));
+}
+
+base::Value NetLogNumberValue(int64_t num) {
+  return NetLogNumberValueHelper(num);
+}
+
+base::Value NetLogNumberValue(uint64_t num) {
+  return NetLogNumberValueHelper(num);
+}
+
+base::Value NetLogParamsWithInt(base::StringPiece name, int value) {
+  base::Value params(base::Value::Type::DICTIONARY);
+  params.SetIntKey(name, value);
+  return params;
+}
+
+base::Value NetLogParamsWithInt64(base::StringPiece name, int64_t value) {
+  base::DictionaryValue event_params;
+  event_params.SetKey(name, NetLogNumberValue(value));
+  return std::move(event_params);
+}
+
+base::Value NetLogParamsWithBool(base::StringPiece name, bool value) {
+  base::Value params(base::Value::Type::DICTIONARY);
+  params.SetBoolKey(name, value);
+  return params;
+}
+
+base::Value NetLogParamsWithString(base::StringPiece name,
+                                   base::StringPiece value) {
+  base::Value params(base::Value::Type::DICTIONARY);
+  params.SetStringKey(name, value);
+  return params;
+}
+
+}  // namespace net
diff --git a/chromium/net/log/net_log_values.h b/chromium/net/log/net_log_values.h
new file mode 100644
index 00000000000..a97be0337d2
--- /dev/null
+++ b/chromium/net/log/net_log_values.h
@@ -0,0 +1,63 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_LOG_NET_LOG_VALUES_H_
+#define NET_LOG_NET_LOG_VALUES_H_
+
+#include <stdint.h>
+
+#include "base/strings/string_piece_forward.h"
+#include "net/base/net_export.h"
+
+namespace base {
+class Value;
+}
+
+namespace net {
+
+// Helpers to construct dictionaries with a single key and value. Useful for
+// building parameters to include in a NetLog.
+NET_EXPORT base::Value NetLogParamsWithInt(base::StringPiece name, int value);
+NET_EXPORT base::Value NetLogParamsWithInt64(base::StringPiece name,
+                                             int64_t value);
+NET_EXPORT base::Value NetLogParamsWithBool(base::StringPiece name, bool value);
+NET_EXPORT base::Value NetLogParamsWithString(base::StringPiece name,
+                                              base::StringPiece value);
+
+// Creates a base::Value() to represent the byte string |raw| when adding it to
+// the NetLog.
+//
+// When |raw| is an ASCII string, the returned value is a base::Value()
+// containing that exact string. Otherwise it is represented by a
+// percent-escaped version of the original string, along with a special prefix.
+//
+// This wrapper exists because base::Value strings are required to be UTF-8.
+// Often times NetLog consumers just want to log a std::string, and that string
+// may not be UTF-8.
+NET_EXPORT base::Value NetLogStringValue(base::StringPiece raw);
+
+// Creates a base::Value() to represent the octets |bytes|. This should be
+// used when adding binary data (i.e. not an ASCII or UTF-8 string) to the
+// NetLog. The resulting base::Value() holds a copy of the input data.
+//
+// This wrapper must be used rather than directly adding base::Value parameters
+// of type BINARY to the NetLog, since the JSON writer does not support
+// serializing them.
+//
+// This wrapper encodes |bytes| as a Base64 encoded string.
+NET_EXPORT base::Value NetLogBinaryValue(const void* bytes, size_t length);
+
+// Creates a base::Value() to represent integers, including 64-bit ones.
+// base::Value() does not directly support 64-bit integers, as it is not
+// representable in JSON.
+//
+// These wrappers will return values that are either numbers, or a string
+// representation of their decimal value, depending on what is needed to ensure
+// no loss of precision when de-serializing from JavaScript.
+NET_EXPORT base::Value NetLogNumberValue(int64_t num);
+NET_EXPORT base::Value NetLogNumberValue(uint64_t num);
+
+}  // namespace net
+
+#endif  // NET_LOG_NET_LOG_VALUES_H_
diff --git a/chromium/net/log/net_log_values_unittest.cc b/chromium/net/log/net_log_values_unittest.cc
new file mode 100644
index 00000000000..8810575c60b
--- /dev/null
+++ b/chromium/net/log/net_log_values_unittest.cc
@@ -0,0 +1,123 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/log/net_log_values.h"
+
+#include <limits>
+
+#include "base/values.h"
+#include "net/log/file_net_log_observer.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+// Calls NetLogASCIIStringValue() on |raw| and returns the resulting string
+// (rather than the base::Value).
+std::string GetNetLogString(base::StringPiece raw) {
+  base::Value value = NetLogStringValue(raw);
+  std::string result;
+  EXPECT_TRUE(value.GetAsString(&result));
+  return result;
+}
+
+TEST(NetLogValuesTest, NetLogASCIIStringValue) {
+  // ASCII strings should not be transformed.
+  EXPECT_EQ("ascii\nstrin\0g", GetNetLogString("ascii\nstrin\0g"));
+
+  // Non-ASCII UTF-8 strings should be escaped.
+  EXPECT_EQ("%ESCAPED:\xE2\x80\x8B utf-8 string %E2%98%83",
+            GetNetLogString("utf-8 string \xE2\x98\x83"));
+
+  // The presence of percent should not trigger escaping.
+  EXPECT_EQ("%20", GetNetLogString("%20"));
+
+  // However if the value to be escaped contains percent, it should be escaped
+  // (so can unescape to restore the original string).
+  EXPECT_EQ("%ESCAPED:\xE2\x80\x8B %E2%98%83 %2520",
+            GetNetLogString("\xE2\x98\x83 %20"));
+
+  // Test that when percent escaping, no ASCII value is escaped (excluding %).
+  for (uint8_t c = 0; c <= 0x7F; ++c) {
+    if (c == '%')
+      continue;
+
+    std::string s;
+    s.push_back(c);
+
+    EXPECT_EQ("%ESCAPED:\xE2\x80\x8B %E2 " + s, GetNetLogString("\xE2 " + s));
+  }
+}
+
+TEST(NetLogValuesTest, NetLogBinaryValue) {
+  // Test the encoding for empty bytes.
+  auto value1 = NetLogBinaryValue(nullptr, 0);
+  std::string string1;
+  ASSERT_TRUE(value1.GetAsString(&string1));
+  EXPECT_EQ("", string1);
+
+  // Test the encoding for a non-empty sequence (which needs padding).
+  const uint8_t kBytes[] = {0x00, 0xF3, 0xF8, 0xFF};
+  auto value2 = NetLogBinaryValue(kBytes, base::size(kBytes));
+  std::string string2;
+  ASSERT_TRUE(value2.GetAsString(&string2));
+  EXPECT_EQ("APP4/w==", string2);
+}
+
+template <typename T>
+std::string SerializedNetLogNumber(T num) {
+  auto value = NetLogNumberValue(num);
+
+  EXPECT_TRUE(value.is_string() || value.is_int() || value.is_double());
+
+  return SerializeNetLogValueToJson(value);
+}
+
+std::string SerializedNetLogInt64(int64_t num) {
+  return SerializedNetLogNumber(num);
+}
+
+std::string SerializedNetLogUint64(uint64_t num) {
+  return SerializedNetLogNumber(num);
+}
+
+TEST(NetLogValuesTest, NetLogNumberValue) {
+  const int64_t kMinInt = std::numeric_limits<int32_t>::min();
+  const int64_t kMaxInt = std::numeric_limits<int32_t>::max();
+
+  // Numbers which can be represented by an INTEGER base::Value().
+  EXPECT_EQ("0", SerializedNetLogInt64(0));
+  EXPECT_EQ("0", SerializedNetLogUint64(0));
+  EXPECT_EQ("-1", SerializedNetLogInt64(-1));
+  EXPECT_EQ("-2147483648", SerializedNetLogInt64(kMinInt));
+  EXPECT_EQ("2147483647", SerializedNetLogInt64(kMaxInt));
+
+  // Numbers which are outside of the INTEGER range, but fit within a DOUBLE.
+  EXPECT_EQ("-2147483649", SerializedNetLogInt64(kMinInt - 1));
+  EXPECT_EQ("2147483648", SerializedNetLogInt64(kMaxInt + 1));
+  EXPECT_EQ("4294967294", SerializedNetLogInt64(0xFFFFFFFF - 1));
+
+  // kMaxSafeInteger is the same as JavaScript's Numbers.MAX_SAFE_INTEGER.
+  const int64_t kMaxSafeInteger = 9007199254740991;  // 2^53 - 1
+
+  // Numbers that can be represented with full precision by a DOUBLE.
+  EXPECT_EQ("-9007199254740991", SerializedNetLogInt64(-kMaxSafeInteger));
+  EXPECT_EQ("9007199254740991", SerializedNetLogInt64(kMaxSafeInteger));
+  EXPECT_EQ("9007199254740991", SerializedNetLogUint64(kMaxSafeInteger));
+
+  // Numbers that are just outside of the range of a DOUBLE need to be encoded
+  // as strings.
+  EXPECT_EQ("\"-9007199254740992\"",
+            SerializedNetLogInt64(-kMaxSafeInteger - 1));
+  EXPECT_EQ("\"9007199254740992\"", SerializedNetLogInt64(kMaxSafeInteger + 1));
+  EXPECT_EQ("\"9007199254740992\"",
+            SerializedNetLogUint64(kMaxSafeInteger + 1));
+
+  // Test the 64-bit maximums.
+  EXPECT_EQ("\"9223372036854775807\"",
+            SerializedNetLogInt64(std::numeric_limits<int64_t>::max()));
+  EXPECT_EQ("\"18446744073709551615\"",
+            SerializedNetLogUint64(std::numeric_limits<uint64_t>::max()));
+}
+
+}  // namespace net
diff --git a/chromium/net/log/net_log_with_source.cc b/chromium/net/log/net_log_with_source.cc
index 020c3404baa..5b2742a897a 100644
--- a/chromium/net/log/net_log_with_source.cc
+++ b/chromium/net/log/net_log_with_source.cc
@@ -7,14 +7,12 @@
 #include <memory>
 #include <utility>
 
-#include "base/bind.h"
-#include "base/callback.h"
-#include "base/debug/alias.h"
 #include "base/logging.h"
 #include "base/values.h"
 #include "net/base/net_errors.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
+#include "net/log/net_log_values.h"
 
 namespace net {
 
@@ -23,12 +21,12 @@ namespace {
 // Returns parameters for logging data transferred events. At a minimum includes
 // the number of bytes transferred. If the capture mode allows logging byte
 // contents and |byte_count| > 0, then will include the actual bytes.
-base::Value BytesTransferredCallback(int byte_count,
-                                     const char* bytes,
-                                     NetLogCaptureMode capture_mode) {
+base::Value BytesTransferredParams(int byte_count,
+                                   const char* bytes,
+                                   NetLogCaptureMode capture_mode) {
   base::DictionaryValue dict;
   dict.SetInteger("byte_count", byte_count);
-  if (capture_mode.include_socket_bytes() && byte_count > 0)
+  if (NetLogCaptureIncludesSocketBytes(capture_mode) && byte_count > 0)
     dict.SetKey("bytes", NetLogBinaryValue(bytes, byte_count));
   return std::move(dict);
 }
@@ -41,46 +39,68 @@ void NetLogWithSource::AddEntry(NetLogEventType type,
                                 NetLogEventPhase phase) const {
   if (!net_log_)
     return;
-  net_log_->AddEntry(type, source_, phase, nullptr);
-}
-
-void NetLogWithSource::AddEntry(
-    NetLogEventType type,
-    NetLogEventPhase phase,
-    const NetLogParametersCallback& get_parameters) const {
-  if (!net_log_)
-    return;
-  net_log_->AddEntry(type, source_, phase, &get_parameters);
+  net_log_->AddEntry(type, source_, phase);
 }
 
 void NetLogWithSource::AddEvent(NetLogEventType type) const {
   AddEntry(type, NetLogEventPhase::NONE);
 }
 
-void NetLogWithSource::AddEvent(
-    NetLogEventType type,
-    const NetLogParametersCallback& get_parameters) const {
-  AddEntry(type, NetLogEventPhase::NONE, get_parameters);
+void NetLogWithSource::AddEventWithStringParams(NetLogEventType type,
+                                                base::StringPiece name,
+                                                base::StringPiece value) const {
+  AddEvent(type, [&] { return NetLogParamsWithString(name, value); });
 }
 
-void NetLogWithSource::BeginEvent(NetLogEventType type) const {
-  AddEntry(type, NetLogEventPhase::BEGIN);
+void NetLogWithSource::AddEventWithIntParams(NetLogEventType type,
+                                             base::StringPiece name,
+                                             int value) const {
+  AddEvent(type, [&] { return NetLogParamsWithInt(name, value); });
+}
+
+void NetLogWithSource::BeginEventWithIntParams(NetLogEventType type,
+                                               base::StringPiece name,
+                                               int value) const {
+  BeginEvent(type, [&] { return NetLogParamsWithInt(name, value); });
+}
+
+void NetLogWithSource::EndEventWithIntParams(NetLogEventType type,
+                                             base::StringPiece name,
+                                             int value) const {
+  EndEvent(type, [&] { return NetLogParamsWithInt(name, value); });
+}
+
+void NetLogWithSource::AddEventWithInt64Params(NetLogEventType type,
+                                               base::StringPiece name,
+                                               int64_t value) const {
+  AddEvent(type, [&] { return NetLogParamsWithInt64(name, value); });
 }
 
-void NetLogWithSource::BeginEvent(
+void NetLogWithSource::BeginEventWithStringParams(
     NetLogEventType type,
-    const NetLogParametersCallback& get_parameters) const {
-  AddEntry(type, NetLogEventPhase::BEGIN, get_parameters);
+    base::StringPiece name,
+    base::StringPiece value) const {
+  BeginEvent(type, [&] { return NetLogParamsWithString(name, value); });
 }
 
-void NetLogWithSource::EndEvent(NetLogEventType type) const {
-  AddEntry(type, NetLogEventPhase::END);
+void NetLogWithSource::AddEventReferencingSource(
+    NetLogEventType type,
+    const NetLogSource& source) const {
+  AddEvent(type, [&] { return source.ToEventParameters(); });
 }
 
-void NetLogWithSource::EndEvent(
+void NetLogWithSource::BeginEventReferencingSource(
     NetLogEventType type,
-    const NetLogParametersCallback& get_parameters) const {
-  AddEntry(type, NetLogEventPhase::END, get_parameters);
+    const NetLogSource& source) const {
+  BeginEvent(type, [&] { return source.ToEventParameters(); });
+}
+
+void NetLogWithSource::BeginEvent(NetLogEventType type) const {
+  AddEntry(type, NetLogEventPhase::BEGIN);
+}
+
+void NetLogWithSource::EndEvent(NetLogEventType type) const {
+  AddEntry(type, NetLogEventPhase::END);
 }
 
 void NetLogWithSource::AddEventWithNetErrorCode(NetLogEventType event_type,
@@ -89,7 +109,7 @@ void NetLogWithSource::AddEventWithNetErrorCode(NetLogEventType event_type,
   if (net_error >= 0) {
     AddEvent(event_type);
   } else {
-    AddEvent(event_type, NetLog::IntCallback("net_error", net_error));
+    AddEventWithIntParams(event_type, "net_error", net_error);
   }
 }
 
@@ -99,14 +119,23 @@ void NetLogWithSource::EndEventWithNetErrorCode(NetLogEventType event_type,
   if (net_error >= 0) {
     EndEvent(event_type);
   } else {
-    EndEvent(event_type, NetLog::IntCallback("net_error", net_error));
+    EndEventWithIntParams(event_type, "net_error", net_error);
   }
 }
 
+void NetLogWithSource::AddEntryWithBoolParams(NetLogEventType type,
+                                              NetLogEventPhase phase,
+                                              base::StringPiece name,
+                                              bool value) const {
+  AddEntry(type, phase, [&] { return NetLogParamsWithBool(name, value); });
+}
+
 void NetLogWithSource::AddByteTransferEvent(NetLogEventType event_type,
                                             int byte_count,
                                             const char* bytes) const {
-  AddEvent(event_type, base::Bind(BytesTransferredCallback, byte_count, bytes));
+  AddEvent(event_type, [&](NetLogCaptureMode capture_mode) {
+    return BytesTransferredParams(byte_count, bytes, capture_mode);
+  });
 }
 
 bool NetLogWithSource::IsCapturing() const {
diff --git a/chromium/net/log/net_log_with_source.h b/chromium/net/log/net_log_with_source.h
index e15d0bae4ae..48627900baf 100644
--- a/chromium/net/log/net_log_with_source.h
+++ b/chromium/net/log/net_log_with_source.h
@@ -6,13 +6,12 @@
 #define NET_LOG_NET_LOG_WITH_SOURCE_H_
 
 #include "net/base/net_export.h"
+#include "net/log/net_log.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_source_type.h"
 
 namespace net {
-
 class NetLog;
 
 // Helper that binds a Source to a NetLog, and exposes convenience methods to
@@ -22,25 +21,78 @@ class NET_EXPORT NetLogWithSource {
   NetLogWithSource() : net_log_(nullptr) {}
   ~NetLogWithSource();
 
-  // Add a log entry to the NetLog for the bound source.
+  // Adds a log entry to the NetLog for the bound source.
   void AddEntry(NetLogEventType type, NetLogEventPhase phase) const;
+
+  // See "Materializing parameters" in net_log.h for details on |get_params|.
+  template <typename ParametersCallback>
   void AddEntry(NetLogEventType type,
                 NetLogEventPhase phase,
-                const NetLogParametersCallback& get_parameters) const;
+                const ParametersCallback& get_params) const {
+    // TODO(eroman): Should merge the nullity check with
+    // GetObserverCaptureModes() to reduce expanded code size.
+    if (net_log_)
+      net_log_->AddEntry(type, source_, phase, get_params);
+  }
 
   // Convenience methods that call AddEntry with a fixed "capture phase"
   // (begin, end, or none).
   void BeginEvent(NetLogEventType type) const;
+
+  // See "Materializing parameters" in net_log.h for details on |get_params|.
+  template <typename ParametersCallback>
   void BeginEvent(NetLogEventType type,
-                  const NetLogParametersCallback& get_parameters) const;
+                  const ParametersCallback& get_params) const {
+    AddEntry(type, NetLogEventPhase::BEGIN, get_params);
+  }
 
   void EndEvent(NetLogEventType type) const;
+
+  // See "Materializing parameters" in net_log.h for details on |get_params|.
+  template <typename ParametersCallback>
   void EndEvent(NetLogEventType type,
-                const NetLogParametersCallback& get_parameters) const;
+                const ParametersCallback& get_params) const {
+    AddEntry(type, NetLogEventPhase::END, get_params);
+  }
 
   void AddEvent(NetLogEventType type) const;
+
+  // See "Materializing parameters" in net_log.h for details on |get_params|.
+  template <typename ParametersCallback>
   void AddEvent(NetLogEventType type,
-                const NetLogParametersCallback& get_parameters) const;
+                const ParametersCallback& get_params) const {
+    AddEntry(type, NetLogEventPhase::NONE, get_params);
+  }
+
+  void AddEventWithStringParams(NetLogEventType type,
+                                base::StringPiece name,
+                                base::StringPiece value) const;
+
+  void AddEventWithIntParams(NetLogEventType type,
+                             base::StringPiece name,
+                             int value) const;
+
+  void BeginEventWithIntParams(NetLogEventType type,
+                               base::StringPiece name,
+                               int value) const;
+
+  void EndEventWithIntParams(NetLogEventType type,
+                             base::StringPiece name,
+                             int value) const;
+
+  void AddEventWithInt64Params(NetLogEventType type,
+                               base::StringPiece name,
+                               int64_t value) const;
+
+  void BeginEventWithStringParams(NetLogEventType type,
+                                  base::StringPiece name,
+                                  base::StringPiece value) const;
+
+  void AddEventReferencingSource(NetLogEventType type,
+                                 const NetLogSource& source) const;
+
+  void BeginEventReferencingSource(NetLogEventType type,
+                                   const NetLogSource& source) const;
 
   // Just like AddEvent, except |net_error| is a net error code.  A parameter
   // called "net_error" with the indicated value will be recorded for the event.
@@ -56,6 +108,11 @@ class NET_EXPORT NetLogWithSource {
   void EndEventWithNetErrorCode(NetLogEventType event_type,
                                 int net_error) const;
 
+  void AddEntryWithBoolParams(NetLogEventType type,
+                              NetLogEventPhase phase,
+                              base::StringPiece name,
+                              bool value) const;
+
   // Logs a byte transfer event to the NetLog.  Determines whether to log the
   // received bytes or not based on the current logging level.
   void AddByteTransferEvent(NetLogEventType event_type,
diff --git a/chromium/net/log/test_net_log.cc b/chromium/net/log/test_net_log.cc
index 6814f15116a..0bb9ab11a39 100644
--- a/chromium/net/log/test_net_log.cc
+++ b/chromium/net/log/test_net_log.cc
@@ -14,97 +14,71 @@
 
 namespace net {
 
-// TestNetLog::Observer is an implementation of NetLog::ThreadSafeObserver
-// that saves messages to a buffer.
-class TestNetLog::Observer : public NetLog::ThreadSafeObserver {
- public:
-  Observer() = default;
-  ~Observer() override = default;
-
-  // Returns the list of all entries in the log.
-  void GetEntries(TestNetLogEntry::List* entry_list) const {
-    base::AutoLock lock(lock_);
-    *entry_list = entry_list_;
-  }
-
-  // Fills |entry_list| with all entries in the log from the specified Source.
-  void GetEntriesForSource(NetLogSource source,
-                           TestNetLogEntry::List* entry_list) const {
-    base::AutoLock lock(lock_);
-    entry_list->clear();
-    for (const auto& entry : entry_list_) {
-      if (entry.source.id == source.id)
-        entry_list->push_back(entry);
-    }
-  }
-
-  // Returns the number of entries in the log.
-  size_t GetSize() const {
-    base::AutoLock lock(lock_);
-    return entry_list_.size();
-  }
-
-  void Clear() {
-    base::AutoLock lock(lock_);
-    entry_list_.clear();
-  }
-
- private:
-  // ThreadSafeObserver implementation:
-  void OnAddEntry(const NetLogEntry& entry) override {
-    // Using Dictionaries instead of Values makes checking values a little
-    // simpler.
-    std::unique_ptr<base::DictionaryValue> param_dict =
-        base::DictionaryValue::From(
-            base::Value::ToUniquePtrValue(entry.ParametersToValue()));
-
-    // Only need to acquire the lock when accessing class variables.
-    base::AutoLock lock(lock_);
-    entry_list_.push_back(TestNetLogEntry(entry.type(), base::TimeTicks::Now(),
-                                          entry.source(), entry.phase(),
-                                          std::move(param_dict)));
-  }
-
-  // Needs to be "mutable" to use it in GetEntries().
-  mutable base::Lock lock_;
-
-  TestNetLogEntry::List entry_list_;
-
-  DISALLOW_COPY_AND_ASSIGN(Observer);
-};
-
-TestNetLog::TestNetLog() : observer_(new Observer()) {
-  AddObserver(observer_.get(),
-              NetLogCaptureMode::IncludeCookiesAndCredentials());
+TestNetLog::TestNetLog() {
+  AddObserver(this, NetLogCaptureMode::kIncludeSensitive);
 }
 
 TestNetLog::~TestNetLog() {
-  RemoveObserver(observer_.get());
+  RemoveObserver(this);
 }
 
-void TestNetLog::SetCaptureMode(NetLogCaptureMode capture_mode) {
-  SetObserverCaptureMode(observer_.get(), capture_mode);
+std::vector<NetLogEntry> TestNetLog::GetEntries() const {
+  base::AutoLock lock(lock_);
+  std::vector<NetLogEntry> result;
+  for (const auto& entry : entry_list_)
+    result.push_back(entry.Clone());
+  return result;
 }
 
-void TestNetLog::GetEntries(TestNetLogEntry::List* entry_list) const {
-  observer_->GetEntries(entry_list);
+std::vector<NetLogEntry> TestNetLog::GetEntriesForSource(
+    NetLogSource source) const {
+  base::AutoLock lock(lock_);
+  std::vector<NetLogEntry> result;
+  for (const auto& entry : entry_list_) {
+    if (entry.source.id == source.id)
+      result.push_back(entry.Clone());
+  }
+  return result;
 }
 
-void TestNetLog::GetEntriesForSource(NetLogSource source,
-                                     TestNetLogEntry::List* entry_list) const {
-  observer_->GetEntriesForSource(source, entry_list);
+std::vector<NetLogEntry> TestNetLog::GetEntriesWithType(
+    NetLogEventType type) const {
+  base::AutoLock lock(lock_);
+  std::vector<NetLogEntry> result;
+  for (const auto& entry : entry_list_) {
+    if (entry.type == type)
+      result.push_back(entry.Clone());
+  }
+  return result;
 }
 
 size_t TestNetLog::GetSize() const {
-  return observer_->GetSize();
+  base::AutoLock lock(lock_);
+  return entry_list_.size();
 }
 
 void TestNetLog::Clear() {
-  observer_->Clear();
+  base::AutoLock lock(lock_);
+  entry_list_.clear();
 }
 
-NetLog::ThreadSafeObserver* TestNetLog::GetObserver() const {
-  return observer_.get();
+void TestNetLog::OnAddEntry(const NetLogEntry& entry) {
+  base::Value params = entry.params.Clone();
+  auto time = base::TimeTicks::Now();
+
+  // Only need to acquire the lock when accessing class variables.
+  base::AutoLock lock(lock_);
+  entry_list_.emplace_back(entry.type, entry.source, entry.phase, time,
+                           std::move(params));
+}
+
+NetLog::ThreadSafeObserver* TestNetLog::GetObserver() {
+  return this;
+}
+
+void TestNetLog::SetObserverCaptureMode(NetLogCaptureMode capture_mode) {
+  RemoveObserver(this);
+  AddObserver(this, capture_mode);
 }
 
 BoundTestNetLog::BoundTestNetLog()
@@ -113,14 +87,18 @@ BoundTestNetLog::BoundTestNetLog()
 
 BoundTestNetLog::~BoundTestNetLog() = default;
 
-void BoundTestNetLog::GetEntries(TestNetLogEntry::List* entry_list) const {
-  test_net_log_.GetEntries(entry_list);
+std::vector<NetLogEntry> BoundTestNetLog::GetEntries() const {
+  return test_net_log_.GetEntries();
+}
+
+std::vector<NetLogEntry> BoundTestNetLog::GetEntriesForSource(
+    NetLogSource source) const {
+  return test_net_log_.GetEntriesForSource(source);
 }
 
-void BoundTestNetLog::GetEntriesForSource(
-    NetLogSource source,
-    TestNetLogEntry::List* entry_list) const {
-  test_net_log_.GetEntriesForSource(source, entry_list);
+std::vector<NetLogEntry> BoundTestNetLog::GetEntriesWithType(
+    NetLogEventType type) const {
+  return test_net_log_.GetEntriesWithType(type);
 }
 
 size_t BoundTestNetLog::GetSize() const {
@@ -131,8 +109,8 @@ void BoundTestNetLog::Clear() {
   test_net_log_.Clear();
 }
 
-void BoundTestNetLog::SetCaptureMode(NetLogCaptureMode capture_mode) {
-  test_net_log_.SetCaptureMode(capture_mode);
+void BoundTestNetLog::SetObserverCaptureMode(NetLogCaptureMode capture_mode) {
+  test_net_log_.SetObserverCaptureMode(capture_mode);
 }
 
 }  // namespace net
diff --git a/chromium/net/log/test_net_log.h b/chromium/net/log/test_net_log.h
index f7aff174e6b..96ba8eaa9be 100644
--- a/chromium/net/log/test_net_log.h
+++ b/chromium/net/log/test_net_log.h
@@ -14,40 +14,50 @@
 #include "base/macros.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_with_source.h"
-#include "net/log/test_net_log_entry.h"
 
 namespace net {
 
-class NetLogCaptureMode;
 struct NetLogSource;
 
-// TestNetLog is NetLog subclass which records all NetLog events that occur and
-// their parameters.  It is intended for testing only, and is part of the
-// net_test_support project.
-class TestNetLog : public NetLog {
+// NetLog subclass that attaches a single observer (this) to record NetLog
+// events and their parameters into an in-memory buffer. The NetLog is observed
+// at kSensitive level by default, however can be changed with
+// SetObserverCaptureMode().
+//
+// This class is for testing only.
+class TestNetLog : public NetLog, public NetLog::ThreadSafeObserver {
  public:
   TestNetLog();
   ~TestNetLog() override;
 
-  void SetCaptureMode(NetLogCaptureMode capture_mode);
+  void SetObserverCaptureMode(NetLogCaptureMode capture_mode);
+
+  // ThreadSafeObserver implementation:
+  void OnAddEntry(const NetLogEntry& entry) override;
+
+  // Returns the list of all observed NetLog entries.
+  std::vector<NetLogEntry> GetEntries() const;
+
+  // Returns all entries in the log from the specified Source.
+  std::vector<NetLogEntry> GetEntriesForSource(NetLogSource source) const;
 
-  // Below methods are forwarded to test_net_log_observer_.
-  void GetEntries(TestNetLogEntry::List* entry_list) const;
-  void GetEntriesForSource(NetLogSource source,
-                           TestNetLogEntry::List* entry_list) const;
+  // Returns all captured entries with the specified type.
+  std::vector<NetLogEntry> GetEntriesWithType(NetLogEventType type) const;
+
+  // Returns the number of entries in the log.
   size_t GetSize() const;
+
+  // Clears the captured entry list.
   void Clear();
 
-  // Returns a NetLog observer that will write entries to the TestNetLog's event
-  // store. For testing code that bypasses NetLogs and adds events directly to
+  // Returns the NetLog observer responsible for recording the NetLog event
+  // stream. For testing code that bypasses NetLogs and adds events directly to
   // an observer.
-  NetLog::ThreadSafeObserver* GetObserver() const;
+  NetLog::ThreadSafeObserver* GetObserver();
 
  private:
-  // The underlying observer class that does all the work.
-  class Observer;
-
-  std::unique_ptr<Observer> observer_;
+  mutable base::Lock lock_;
+  std::vector<NetLogEntry> entry_list_;
 
   DISALLOW_COPY_AND_ASSIGN(TestNetLog);
 };
@@ -65,20 +75,22 @@ class BoundTestNetLog {
   // The returned NetLogWithSource is only valid while |this| is alive.
   NetLogWithSource bound() const { return net_log_; }
 
-  // Fills |entry_list| with all entries in the log.
-  void GetEntries(TestNetLogEntry::List* entry_list) const;
+  // Returns all captured entries.
+  std::vector<NetLogEntry> GetEntries() const;
+
+  // Returns all captured entries for the specified Source.
+  std::vector<NetLogEntry> GetEntriesForSource(NetLogSource source) const;
 
-  // Fills |entry_list| with all entries in the log from the specified Source.
-  void GetEntriesForSource(NetLogSource source,
-                           TestNetLogEntry::List* entry_list) const;
+  // Returns all captured entries with the specified type.
+  std::vector<NetLogEntry> GetEntriesWithType(NetLogEventType type) const;
 
   // Returns number of entries in the log.
   size_t GetSize() const;
 
   void Clear();
 
-  // Sets the capture mode of the underlying TestNetLog.
-  void SetCaptureMode(NetLogCaptureMode capture_mode);
+  // Sets the observer capture mode of the underlying TestNetLog.
+  void SetObserverCaptureMode(NetLogCaptureMode capture_mode);
 
  private:
   TestNetLog test_net_log_;
diff --git a/chromium/net/log/test_net_log_entry.cc b/chromium/net/log/test_net_log_entry.cc
deleted file mode 100644
index d58e4d2bfd9..00000000000
--- a/chromium/net/log/test_net_log_entry.cc
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/log/test_net_log_entry.h"
-
-#include <utility>
-
-#include "base/json/json_writer.h"
-#include "base/logging.h"
-#include "base/values.h"
-
-namespace net {
-
-TestNetLogEntry::TestNetLogEntry(NetLogEventType type,
-                                 const base::TimeTicks& time,
-                                 NetLogSource source,
-                                 NetLogEventPhase phase,
-                                 std::unique_ptr<base::DictionaryValue> params)
-    : type(type),
-      time(time),
-      source(source),
-      phase(phase),
-      params(std::move(params)) {
-  // Only entries without a NetLog should have an invalid source.
-  CHECK(source.IsValid());
-}
-
-TestNetLogEntry::TestNetLogEntry(const TestNetLogEntry& entry) {
-  *this = entry;
-}
-
-TestNetLogEntry::~TestNetLogEntry() = default;
-
-TestNetLogEntry& TestNetLogEntry::operator=(const TestNetLogEntry& entry) {
-  type = entry.type;
-  time = entry.time;
-  source = entry.source;
-  phase = entry.phase;
-  params.reset(entry.params ? entry.params->DeepCopy() : nullptr);
-  return *this;
-}
-
-bool TestNetLogEntry::GetStringValue(const std::string& name,
-                                     std::string* value) const {
-  if (!params)
-    return false;
-  return params->GetString(name, value);
-}
-
-bool TestNetLogEntry::GetIntegerValue(const std::string& name,
-                                      int* value) const {
-  if (!params)
-    return false;
-  return params->GetInteger(name, value);
-}
-
-bool TestNetLogEntry::GetBooleanValue(const std::string& name,
-                                      bool* value) const {
-  if (!params)
-    return false;
-  return params->GetBoolean(name, value);
-}
-
-bool TestNetLogEntry::GetListValue(const std::string& name,
-                                   base::ListValue** value) const {
-  if (!params)
-    return false;
-  return params->GetList(name, value);
-}
-
-bool TestNetLogEntry::GetNetErrorCode(int* value) const {
-  return GetIntegerValue("net_error", value);
-}
-
-std::string TestNetLogEntry::GetParamsJson() const {
-  if (!params)
-    return std::string();
-  std::string json;
-  base::JSONWriter::Write(*params, &json);
-  return json;
-}
-
-}  // namespace net
diff --git a/chromium/net/log/test_net_log_entry.h b/chromium/net/log/test_net_log_entry.h
deleted file mode 100644
index 92c0c5e8736..00000000000
--- a/chromium/net/log/test_net_log_entry.h
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_LOG_TEST_NET_LOG_ENTRY_H_
-#define NET_LOG_TEST_NET_LOG_ENTRY_H_
-
-#include <memory>
-#include <string>
-#include <vector>
-
-#include "base/time/time.h"
-#include "net/log/net_log_event_type.h"
-#include "net/log/net_log_source.h"
-
-namespace base {
-class DictionaryValue;
-class ListValue;
-}
-
-namespace net {
-
-// TestNetLogEntry is much like NetLogEntry, except it has its own copy of all
-// log data, so a list of entries can be gathered over the course of a test, and
-// then inspected at the end.  It is intended for testing only, and is part of
-// the net_test_support project.
-struct TestNetLogEntry {
-  // Ordered set of logged entries.
-  typedef std::vector<TestNetLogEntry> List;
-
-  TestNetLogEntry(NetLogEventType type,
-                  const base::TimeTicks& time,
-                  NetLogSource source,
-                  NetLogEventPhase phase,
-                  std::unique_ptr<base::DictionaryValue> params);
-  // Copy constructor needed to store in a std::vector because of the
-  // scoped_ptr.
-  TestNetLogEntry(const TestNetLogEntry& entry);
-
-  ~TestNetLogEntry();
-
-  // Equality operator needed to store in a std::vector because of the
-  // scoped_ptr.
-  TestNetLogEntry& operator=(const TestNetLogEntry& entry);
-
-  // Attempt to retrieve an value of the specified type with the given name
-  // from |params|.  Returns true on success, false on failure.  Does not
-  // modify |value| on failure.
-  bool GetStringValue(const std::string& name, std::string* value) const;
-  bool GetIntegerValue(const std::string& name, int* value) const;
-  bool GetBooleanValue(const std::string& name, bool* value) const;
-  bool GetListValue(const std::string& name, base::ListValue** value) const;
-
-  // Same as GetIntegerValue, but returns the error code associated with a
-  // log entry.
-  bool GetNetErrorCode(int* value) const;
-
-  // Returns the parameters as a JSON string, or empty string if there are no
-  // parameters.
-  std::string GetParamsJson() const;
-
-  NetLogEventType type;
-  base::TimeTicks time;
-  NetLogSource source;
-  NetLogEventPhase phase;
-  std::unique_ptr<base::DictionaryValue> params;
-};
-
-}  // namespace net
-
-#endif  // NET_LOG_TEST_NET_LOG_ENTRY_H_
diff --git a/chromium/net/log/test_net_log_util.cc b/chromium/net/log/test_net_log_util.cc
index db79aeea33c..b09dbf3a2aa 100644
--- a/chromium/net/log/test_net_log_util.cc
+++ b/chromium/net/log/test_net_log_util.cc
@@ -15,7 +15,7 @@ namespace {
 // Takes the list of entries and an offset, and returns an index into the array.
 // If |offset| is positive, just returns |offset|.  If it's negative, it
 // indicates a position relative to the end of the array.
-size_t GetIndex(const TestNetLogEntry::List& entries, int offset) {
+size_t GetIndex(const std::vector<NetLogEntry>& entries, int offset) {
   if (offset >= 0)
     return static_cast<size_t>(offset);
 
@@ -30,14 +30,14 @@ size_t GetIndex(const TestNetLogEntry::List& entries, int offset) {
 }  // namespace
 
 ::testing::AssertionResult LogContainsEvent(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int offset,
     NetLogEventType expected_event,
     NetLogEventPhase expected_phase) {
   size_t index = GetIndex(entries, offset);
   if (index >= entries.size())
     return ::testing::AssertionFailure() << index << " is out of bounds.";
-  const TestNetLogEntry& entry = entries[index];
+  const NetLogEntry& entry = entries[index];
   if (expected_event != entry.type) {
     return ::testing::AssertionFailure()
            << "Actual event: " << NetLog::EventTypeToString(entry.type)
@@ -53,7 +53,7 @@ size_t GetIndex(const TestNetLogEntry::List& entries, int offset) {
 }
 
 ::testing::AssertionResult LogContainsBeginEvent(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int offset,
     NetLogEventType expected_event) {
   return LogContainsEvent(entries, offset, expected_event,
@@ -61,7 +61,7 @@ size_t GetIndex(const TestNetLogEntry::List& entries, int offset) {
 }
 
 ::testing::AssertionResult LogContainsEndEvent(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int offset,
     NetLogEventType expected_event) {
   return LogContainsEvent(entries, offset, expected_event,
@@ -69,38 +69,38 @@ size_t GetIndex(const TestNetLogEntry::List& entries, int offset) {
 }
 
 ::testing::AssertionResult LogContainsEntryWithType(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int offset,
     NetLogEventType type) {
   size_t index = GetIndex(entries, offset);
   if (index >= entries.size())
     return ::testing::AssertionFailure() << index << " is out of bounds.";
-  const TestNetLogEntry& entry = entries[index];
+  const NetLogEntry& entry = entries[index];
   if (entry.type != type)
     return ::testing::AssertionFailure() << "Type does not match.";
   return ::testing::AssertionSuccess();
 }
 
 ::testing::AssertionResult LogContainsEntryWithTypeAfter(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int start_offset,
     NetLogEventType type) {
   for (size_t i = GetIndex(entries, start_offset); i < entries.size(); ++i) {
-    const TestNetLogEntry& entry = entries[i];
+    const NetLogEntry& entry = entries[i];
     if (entry.type == type)
       return ::testing::AssertionSuccess();
   }
   return ::testing::AssertionFailure();
 }
 
-size_t ExpectLogContainsSomewhere(const TestNetLogEntry::List& entries,
+size_t ExpectLogContainsSomewhere(const std::vector<NetLogEntry>& entries,
                                   size_t min_offset,
                                   NetLogEventType expected_event,
                                   NetLogEventPhase expected_phase) {
   size_t min_index = GetIndex(entries, min_offset);
   size_t i = 0;
   for (; i < entries.size(); ++i) {
-    const TestNetLogEntry& entry = entries[i];
+    const NetLogEntry& entry = entries[i];
     if (entry.type == expected_event && entry.phase == expected_phase)
       break;
   }
@@ -109,13 +109,13 @@ size_t ExpectLogContainsSomewhere(const TestNetLogEntry::List& entries,
   return i;
 }
 
-size_t ExpectLogContainsSomewhereAfter(const TestNetLogEntry::List& entries,
+size_t ExpectLogContainsSomewhereAfter(const std::vector<NetLogEntry>& entries,
                                        size_t start_offset,
                                        NetLogEventType expected_event,
                                        NetLogEventPhase expected_phase) {
   size_t i = GetIndex(entries, start_offset);
   for (; i < entries.size(); ++i) {
-    const TestNetLogEntry& entry = entries[i];
+    const NetLogEntry& entry = entries[i];
     if (entry.type == expected_event && entry.phase == expected_phase)
       break;
   }
@@ -123,4 +123,88 @@ size_t ExpectLogContainsSomewhereAfter(const TestNetLogEntry::List& entries,
   return i;
 }
 
+base::Optional<std::string> GetOptionalStringValueFromParams(
+    const NetLogEntry& entry,
+    base::StringPiece name) {
+  if (!entry.params.is_dict())
+    return base::nullopt;
+
+  const std::string* result = entry.params.FindStringKey(name);
+  if (!result)
+    return base::nullopt;
+
+  return *result;
+}
+
+base::Optional<bool> GetOptionalBooleanValueFromParams(const NetLogEntry& entry,
+                                                       base::StringPiece name) {
+  if (!entry.params.is_dict())
+    return base::nullopt;
+  return entry.params.FindBoolKey(name);
+}
+
+base::Optional<int> GetOptionalIntegerValueFromParams(const NetLogEntry& entry,
+                                                      base::StringPiece name) {
+  if (!entry.params.is_dict())
+    return base::nullopt;
+  return entry.params.FindIntKey(name);
+}
+
+base::Optional<int> GetOptionalNetErrorCodeFromParams(
+    const NetLogEntry& entry) {
+  return GetOptionalIntegerValueFromParams(entry, "net_error");
+}
+
+std::string GetStringValueFromParams(const NetLogEntry& entry,
+                                     base::StringPiece name) {
+  auto result = GetOptionalStringValueFromParams(entry, name);
+  if (!result) {
+    ADD_FAILURE() << "No string parameter " << name;
+    return "";
+  }
+  return *result;
+}
+
+int GetIntegerValueFromParams(const NetLogEntry& entry,
+                              base::StringPiece name) {
+  auto result = GetOptionalIntegerValueFromParams(entry, name);
+  if (!result) {
+    ADD_FAILURE() << "No int parameter " << name;
+    return -1;
+  }
+  return *result;
+}
+
+bool GetBooleanValueFromParams(const NetLogEntry& entry,
+                               base::StringPiece name) {
+  auto result = GetOptionalBooleanValueFromParams(entry, name);
+  if (!result) {
+    ADD_FAILURE() << "No bool parameter " << name;
+    return -1;
+  }
+  return *result;
+}
+
+int GetNetErrorCodeFromParams(const NetLogEntry& entry) {
+  auto result = GetOptionalNetErrorCodeFromParams(entry);
+  if (!result) {
+    ADD_FAILURE() << "No net_error parameter";
+    return -1;
+  }
+  return *result;
+}
+
+bool GetListValueFromParams(const NetLogEntry& entry,
+                            base::StringPiece name,
+                            const base::ListValue** value) {
+  if (!entry.params.is_dict())
+    return false;
+
+  const base::Value* list = entry.params.FindListKey(name);
+  if (!list)
+    return false;
+
+  return list->GetAsList(value);
+}
+
 }  // namespace net
diff --git a/chromium/net/log/test_net_log_util.h b/chromium/net/log/test_net_log_util.h
index 4863c46ac44..e3d1e32882a 100644
--- a/chromium/net/log/test_net_log_util.h
+++ b/chromium/net/log/test_net_log_util.h
@@ -7,18 +7,24 @@
 
 #include <stddef.h>
 
+#include "base/optional.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/test_net_log_entry.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+namespace base {
+class ListValue;
+}
+
 namespace net {
 
+struct NetLogEntry;
+
 // Checks that the element of |entries| at |offset| has the provided values.
 // A negative |offset| indicates a position relative to the end of |entries|.
 // Checks to make sure |offset| is within bounds, and fails gracefully if it
 // isn't.
 ::testing::AssertionResult LogContainsEvent(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int offset,
     NetLogEventType expected_event,
     NetLogEventPhase expected_phase);
@@ -26,19 +32,19 @@ namespace net {
 // Just like LogContainsEvent, but always checks for an EventPhase of
 // PHASE_BEGIN.
 ::testing::AssertionResult LogContainsBeginEvent(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int offset,
     NetLogEventType expected_event);
 
 // Just like LogContainsEvent, but always checks for an EventPhase of PHASE_END.
 ::testing::AssertionResult LogContainsEndEvent(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int offset,
     NetLogEventType expected_event);
 
 // Just like LogContainsEvent, but does not check phase.
 ::testing::AssertionResult LogContainsEntryWithType(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int offset,
     NetLogEventType type);
 
@@ -46,14 +52,14 @@ namespace net {
 // after.  It is not a failure if there's an earlier matching entry.  Negative
 // offsets are relative to the end of the array.
 ::testing::AssertionResult LogContainsEntryWithTypeAfter(
-    const TestNetLogEntry::List& entries,
+    const std::vector<NetLogEntry>& entries,
     int start_offset,
     NetLogEventType type);
 
 // Check if the first entry with the specified values is at |start_offset| or
 // after. It is a failure if there's an earlier matching entry.  Negative
 // offsets are relative to the end of the array.
-size_t ExpectLogContainsSomewhere(const TestNetLogEntry::List& entries,
+size_t ExpectLogContainsSomewhere(const std::vector<NetLogEntry>& entries,
                                   size_t min_offset,
                                   NetLogEventType expected_event,
                                   NetLogEventPhase expected_phase);
@@ -61,11 +67,36 @@ size_t ExpectLogContainsSomewhere(const TestNetLogEntry::List& entries,
 // Check if the log contains an entry with  the given values at |start_offset|
 // or after.  It is not a failure if there's an earlier matching entry.
 // Negative offsets are relative to the end of the array.
-size_t ExpectLogContainsSomewhereAfter(const TestNetLogEntry::List& entries,
+size_t ExpectLogContainsSomewhereAfter(const std::vector<NetLogEntry>& entries,
                                        size_t start_offset,
                                        NetLogEventType expected_event,
                                        NetLogEventPhase expected_phase);
 
+// The following methods return a parameter of the given name and type, or
+// nullopt if there is none.
+base::Optional<std::string> GetOptionalStringValueFromParams(
+    const NetLogEntry& entry,
+    base::StringPiece name);
+base::Optional<bool> GetOptionalBooleanValueFromParams(const NetLogEntry& entry,
+                                                       base::StringPiece name);
+base::Optional<int> GetOptionalIntegerValueFromParams(const NetLogEntry& entry,
+                                                      base::StringPiece name);
+base::Optional<int> GetOptionalNetErrorCodeFromParams(const NetLogEntry& entry);
+
+// Same as the *Optional* versions above, except will add a Gtest failure if the
+// value was not present, and then return some default.
+std::string GetStringValueFromParams(const NetLogEntry& entry,
+                                     base::StringPiece name);
+int GetIntegerValueFromParams(const NetLogEntry& entry, base::StringPiece name);
+bool GetBooleanValueFromParams(const NetLogEntry& entry,
+                               base::StringPiece name);
+int GetNetErrorCodeFromParams(const NetLogEntry& entry);
+
+// TODO(eroman): Remove use of base::ListValue.
+bool GetListValueFromParams(const NetLogEntry& entry,
+                            base::StringPiece name,
+                            const base::ListValue** value);
+
 }  // namespace net
 
 #endif  // NET_LOG_TEST_NET_LOG_UTIL_H_
diff --git a/chromium/net/log/trace_net_log_observer.cc b/chromium/net/log/trace_net_log_observer.cc
index a6ecb034581..c549edb1b7a 100644
--- a/chromium/net/log/trace_net_log_observer.cc
+++ b/chromium/net/log/trace_net_log_observer.cc
@@ -47,8 +47,7 @@ class TracedValue : public base::trace_event::ConvertableToTraceFormat {
 
 }  // namespace
 
-TraceNetLogObserver::TraceNetLogObserver()
-    : net_log_to_watch_(nullptr), weak_factory_(this) {}
+TraceNetLogObserver::TraceNetLogObserver() : net_log_to_watch_(nullptr) {}
 
 TraceNetLogObserver::~TraceNetLogObserver() {
   DCHECK(!net_log_to_watch_);
@@ -56,29 +55,29 @@ TraceNetLogObserver::~TraceNetLogObserver() {
 }
 
 void TraceNetLogObserver::OnAddEntry(const NetLogEntry& entry) {
-  base::Value params(entry.ParametersToValue());
-  switch (entry.phase()) {
+  base::Value params = entry.params.Clone();
+  switch (entry.phase) {
     case NetLogEventPhase::BEGIN:
       TRACE_EVENT_NESTABLE_ASYNC_BEGIN2(
-          kNetLogTracingCategory, NetLog::EventTypeToString(entry.type()),
-          entry.source().id, "source_type",
-          NetLog::SourceTypeToString(entry.source().type), "params",
+          kNetLogTracingCategory, NetLog::EventTypeToString(entry.type),
+          entry.source.id, "source_type",
+          NetLog::SourceTypeToString(entry.source.type), "params",
           std::unique_ptr<base::trace_event::ConvertableToTraceFormat>(
               new TracedValue(std::move(params))));
       break;
     case NetLogEventPhase::END:
       TRACE_EVENT_NESTABLE_ASYNC_END2(
-          kNetLogTracingCategory, NetLog::EventTypeToString(entry.type()),
-          entry.source().id, "source_type",
-          NetLog::SourceTypeToString(entry.source().type), "params",
+          kNetLogTracingCategory, NetLog::EventTypeToString(entry.type),
+          entry.source.id, "source_type",
+          NetLog::SourceTypeToString(entry.source.type), "params",
           std::unique_ptr<base::trace_event::ConvertableToTraceFormat>(
               new TracedValue(std::move(params))));
       break;
     case NetLogEventPhase::NONE:
       TRACE_EVENT_NESTABLE_ASYNC_INSTANT2(
-          kNetLogTracingCategory, NetLog::EventTypeToString(entry.type()),
-          entry.source().id, "source_type",
-          NetLog::SourceTypeToString(entry.source().type), "params",
+          kNetLogTracingCategory, NetLog::EventTypeToString(entry.type),
+          entry.source.id, "source_type",
+          NetLog::SourceTypeToString(entry.source.type), "params",
           std::unique_ptr<base::trace_event::ConvertableToTraceFormat>(
               new TracedValue(std::move(params))));
       break;
@@ -117,7 +116,7 @@ void TraceNetLogObserver::OnTraceLogEnabled() {
   if (!enabled)
     return;
 
-  net_log_to_watch_->AddObserver(this, NetLogCaptureMode::Default());
+  net_log_to_watch_->AddObserver(this, NetLogCaptureMode::kDefault);
 }
 
 void TraceNetLogObserver::OnTraceLogDisabled() {
diff --git a/chromium/net/log/trace_net_log_observer.h b/chromium/net/log/trace_net_log_observer.h
index 0d7d8567ec7..eea49c8a99a 100644
--- a/chromium/net/log/trace_net_log_observer.h
+++ b/chromium/net/log/trace_net_log_observer.h
@@ -41,7 +41,7 @@ class NET_EXPORT TraceNetLogObserver
 
  private:
   NetLog* net_log_to_watch_;
-  base::WeakPtrFactory<TraceNetLogObserver> weak_factory_;
+  base::WeakPtrFactory<TraceNetLogObserver> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(TraceNetLogObserver);
 };
diff --git a/chromium/net/log/trace_net_log_observer_unittest.cc b/chromium/net/log/trace_net_log_observer_unittest.cc
index 3d188e0659f..19ac0cf2220 100644
--- a/chromium/net/log/trace_net_log_observer_unittest.cc
+++ b/chromium/net/log/trace_net_log_observer_unittest.cc
@@ -22,11 +22,9 @@
 #include "base/trace_event/trace_event_impl.h"
 #include "base/values.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_source_type.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/test/test_with_scoped_task_environment.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -205,8 +203,7 @@ TEST_F(TraceNetLogObserverTest, TracingDisabledDuringOnAddEntry) {
 }
 
 TEST_F(TraceNetLogObserverTest, TraceEventCaptured) {
-  TestNetLogEntry::List entries;
-  net_log()->GetEntries(&entries);
+  auto entries = net_log()->GetEntries();
   EXPECT_TRUE(entries.empty());
 
   trace_net_log_observer()->WatchForTraceStart(net_log());
@@ -217,7 +214,7 @@ TEST_F(TraceNetLogObserverTest, TraceEventCaptured) {
   net_log_with_source.BeginEvent(NetLogEventType::URL_REQUEST_START_JOB);
   net_log_with_source.EndEvent(NetLogEventType::REQUEST_ALIVE);
 
-  net_log()->GetEntries(&entries);
+  entries = net_log()->GetEntries();
   EXPECT_EQ(3u, entries.size());
   EndTraceAndFlush();
   trace_net_log_observer()->StopWatchForTraceStart();
@@ -272,8 +269,7 @@ TEST_F(TraceNetLogObserverTest, EnableAndDisableTracing) {
   EndTraceAndFlush();
   trace_net_log_observer()->StopWatchForTraceStart();
 
-  TestNetLogEntry::List entries;
-  net_log()->GetEntries(&entries);
+  auto entries = net_log()->GetEntries();
   EXPECT_EQ(3u, entries.size());
   EXPECT_EQ(2u, trace_events()->GetSize());
   const base::DictionaryValue* item1 = nullptr;
@@ -312,8 +308,7 @@ TEST_F(TraceNetLogObserverTest, DestroyObserverWhileTracing) {
 
   EndTraceAndFlush();
 
-  TestNetLogEntry::List entries;
-  net_log()->GetEntries(&entries);
+  auto entries = net_log()->GetEntries();
   EXPECT_EQ(2u, entries.size());
   EXPECT_EQ(1u, trace_events()->GetSize());
 
@@ -341,8 +336,7 @@ TEST_F(TraceNetLogObserverTest, DestroyObserverWhileNotTracing) {
 
   EndTraceAndFlush();
 
-  TestNetLogEntry::List entries;
-  net_log()->GetEntries(&entries);
+  auto entries = net_log()->GetEntries();
   EXPECT_EQ(3u, entries.size());
   EXPECT_EQ(0u, trace_events()->GetSize());
 }
@@ -359,8 +353,7 @@ TEST_F(TraceNetLogObserverTest, CreateObserverAfterTracingStarts) {
 
   EndTraceAndFlush();
 
-  TestNetLogEntry::List entries;
-  net_log()->GetEntries(&entries);
+  auto entries = net_log()->GetEntries();
   EXPECT_EQ(3u, entries.size());
   EXPECT_EQ(1u, trace_events()->GetSize());
 }
@@ -380,8 +373,7 @@ TEST_F(TraceNetLogObserverTest,
 
   EndTraceAndFlush();
 
-  TestNetLogEntry::List entries;
-  net_log()->GetEntries(&entries);
+  auto entries = net_log()->GetEntries();
   EXPECT_EQ(3u, entries.size());
   EXPECT_EQ(0u, trace_events()->GetSize());
 }
@@ -389,18 +381,15 @@ TEST_F(TraceNetLogObserverTest,
 TEST_F(TraceNetLogObserverTest, EventsWithAndWithoutParameters) {
   trace_net_log_observer()->WatchForTraceStart(net_log());
   EnableTraceLogWithNetLog();
-  NetLogParametersCallback net_log_callback;
-  std::string param = "bar";
-  net_log_callback = NetLog::StringCallback("foo", &param);
 
-  net_log()->AddGlobalEntry(NetLogEventType::CANCELLED, net_log_callback);
+  net_log()->AddGlobalEntryWithStringParams(NetLogEventType::CANCELLED, "foo",
+                                            "bar");
   net_log()->AddGlobalEntry(NetLogEventType::REQUEST_ALIVE);
 
   EndTraceAndFlush();
   trace_net_log_observer()->StopWatchForTraceStart();
 
-  TestNetLogEntry::List entries;
-  net_log()->GetEntries(&entries);
+  auto entries = net_log()->GetEntries();
   EXPECT_EQ(2u, entries.size());
   EXPECT_EQ(2u, trace_events()->GetSize());
   const base::DictionaryValue* item1 = nullptr;
diff --git a/chromium/net/network_error_logging/OWNERS b/chromium/net/network_error_logging/OWNERS
new file mode 100644
index 00000000000..7117a80a72b
--- /dev/null
+++ b/chromium/net/network_error_logging/OWNERS
@@ -0,0 +1 @@
+chlily@chromium.org
diff --git a/chromium/net/network_error_logging/network_error_logging_service.cc b/chromium/net/network_error_logging/network_error_logging_service.cc
index 43c699c8be8..2f849ac056e 100644
--- a/chromium/net/network_error_logging/network_error_logging_service.cc
+++ b/chromium/net/network_error_logging/network_error_logging_service.cc
@@ -22,6 +22,7 @@
 #include "base/values.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/log/net_log.h"
 #include "net/reporting/reporting_service.h"
 #include "url/gurl.h"
@@ -109,8 +110,8 @@ const struct {
      "tls.unrecognized_name_alert"},
     // tls.failed?
 
-    {ERR_SPDY_PING_FAILED, kApplicationPhase, "h2.ping_failed"},
-    {ERR_SPDY_PROTOCOL_ERROR, kConnectionPhase, "h2.protocol.error"},
+    {ERR_HTTP2_PING_FAILED, kApplicationPhase, "h2.ping_failed"},
+    {ERR_HTTP2_PROTOCOL_ERROR, kConnectionPhase, "h2.protocol.error"},
 
     {ERR_QUIC_PROTOCOL_ERROR, kConnectionPhase, "h3.protocol.error"},
 
@@ -182,10 +183,7 @@ void RecordSignedExchangeRequestOutcome(
 class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
  public:
   explicit NetworkErrorLoggingServiceImpl(PersistentNelStore* store)
-      : store_(store),
-        started_loading_policies_(false),
-        initialized_(false),
-        weak_factory_(this) {
+      : store_(store), started_loading_policies_(false), initialized_(false) {
     if (!PoliciesArePersisted())
       initialized_ = true;
   }
@@ -345,7 +343,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
   // Backlog of tasks waiting on initialization.
   std::vector<base::OnceClosure> task_backlog_;
 
-  base::WeakPtrFactory<NetworkErrorLoggingServiceImpl> weak_factory_;
+  base::WeakPtrFactory<NetworkErrorLoggingServiceImpl> weak_factory_{this};
 
   bool PoliciesArePersisted() const { return store_ != nullptr; }
 
@@ -386,11 +384,20 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     policy.received_ip_address = received_ip_address;
     policy.last_used = header_received_time;
     HeaderOutcome outcome = ParseHeader(value, clock_->Now(), &policy);
+    // Disallow eTLDs from setting include_subdomains policies.
+    if ((outcome == HeaderOutcome::SET || outcome == HeaderOutcome::REMOVED) &&
+        policy.include_subdomains &&
+        registry_controlled_domains::GetRegistryLength(
+            policy.origin.GetURL(),
+            registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
+            registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES) == 0) {
+      outcome = HeaderOutcome::DISCARDED_INCLUDE_SUBDOMAINS_NOT_ALLOWED;
+    }
     RecordHeaderOutcome(outcome);
     if (outcome != HeaderOutcome::SET && outcome != HeaderOutcome::REMOVED)
       return;
 
-    // If a policy for |origin| already existed, remove the old poliicy.
+    // If a policy for |origin| already existed, remove the old policy.
     auto it = policies_.find(origin);
     if (it != policies_.end())
       RemovePolicy(it);
diff --git a/chromium/net/network_error_logging/network_error_logging_service.h b/chromium/net/network_error_logging/network_error_logging_service.h
index 7f38335b83c..df0c4067f33 100644
--- a/chromium/net/network_error_logging/network_error_logging_service.h
+++ b/chromium/net/network_error_logging/network_error_logging_service.h
@@ -169,6 +169,7 @@ class NET_EXPORT NetworkErrorLoggingService {
     SET = 13,
 
     DISCARDED_MISSING_REMOTE_ENDPOINT = 14,
+    DISCARDED_INCLUDE_SUBDOMAINS_NOT_ALLOWED = 15,
 
     MAX
   };
diff --git a/chromium/net/network_error_logging/network_error_logging_service_unittest.cc b/chromium/net/network_error_logging/network_error_logging_service_unittest.cc
index c1203fc9eae..ba7e5fef3f7 100644
--- a/chromium/net/network_error_logging/network_error_logging_service_unittest.cc
+++ b/chromium/net/network_error_logging/network_error_logging_service_unittest.cc
@@ -140,6 +140,7 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
   const GURL kUrlDifferentPort_ = GURL("https://example.com:4433/path");
   const GURL kUrlSubdomain_ = GURL("https://subdomain.example.com/path");
   const GURL kUrlDifferentHost_ = GURL("https://example2.com/path");
+  const GURL kUrlEtld_ = GURL("https://co.uk/foo.html");
 
   const GURL kInnerUrl_ = GURL("https://example.net/path");
   const GURL kCertUrl_ = GURL("https://example.com/cert_path");
@@ -152,6 +153,7 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
   const url::Origin kOriginSubdomain_ = url::Origin::Create(kUrlSubdomain_);
   const url::Origin kOriginDifferentHost_ =
       url::Origin::Create(kUrlDifferentHost_);
+  const url::Origin kOriginEtld_ = url::Origin::Create(kUrlEtld_);
 
   const std::string kHeader_ = "{\"report_to\":\"group\",\"max_age\":86400}";
   const std::string kHeaderSuccessFraction0_ =
@@ -237,6 +239,33 @@ TEST_P(NetworkErrorLoggingServiceTest, JsonTooDeep) {
   EXPECT_TRUE(reports().empty());
 }
 
+TEST_P(NetworkErrorLoggingServiceTest, IncludeSubdomainsEtldRejected) {
+  service()->OnHeader(kOriginEtld_, kServerIP_, kHeaderIncludeSubdomains_);
+
+  // Make the rest of the test run synchronously.
+  FinishLoading(true /* load_success */);
+
+  EXPECT_EQ(0u, PolicyCount());
+
+  service()->OnRequest(MakeRequestDetails(kUrlEtld_, ERR_CONNECTION_REFUSED));
+
+  EXPECT_TRUE(reports().empty());
+}
+
+TEST_P(NetworkErrorLoggingServiceTest, NonIncludeSubdomainsEtldAccepted) {
+  service()->OnHeader(kOriginEtld_, kServerIP_, kHeader_);
+
+  // Make the rest of the test run synchronously.
+  FinishLoading(true /* load_success */);
+
+  EXPECT_EQ(1u, PolicyCount());
+
+  service()->OnRequest(MakeRequestDetails(kUrlEtld_, ERR_CONNECTION_REFUSED));
+
+  EXPECT_EQ(1u, reports().size());
+  EXPECT_EQ(kUrlEtld_, reports()[0].url);
+}
+
 TEST_P(NetworkErrorLoggingServiceTest, SuccessReportQueued) {
   service()->OnHeader(kOrigin_, kServerIP_, kHeaderSuccessFraction1_);
 
diff --git a/chromium/net/nqe/event_creator.cc b/chromium/net/nqe/event_creator.cc
index 0161801a570..118e444fd08 100644
--- a/chromium/net/nqe/event_creator.cc
+++ b/chromium/net/nqe/event_creator.cc
@@ -23,12 +23,11 @@ namespace internal {
 
 namespace {
 
-base::Value NetworkQualityChangedNetLogCallback(
+base::Value NetworkQualityChangedNetLogParams(
     base::TimeDelta http_rtt,
     base::TimeDelta transport_rtt,
     int32_t downstream_throughput_kbps,
-    EffectiveConnectionType effective_connection_type,
-    NetLogCaptureMode capture_mode) {
+    EffectiveConnectionType effective_connection_type) {
   base::DictionaryValue dict;
   dict.SetInteger("http_rtt_ms", http_rtt.InMilliseconds());
   dict.SetInteger("transport_rtt_ms", transport_rtt.InMilliseconds());
@@ -107,12 +106,12 @@ void EventCreator::MaybeAddNetworkQualityChangedEventToNetLog(
   past_effective_connection_type_ = effective_connection_type;
   past_network_quality_ = network_quality;
 
-  net_log_.AddEvent(
-      NetLogEventType::NETWORK_QUALITY_CHANGED,
-      base::Bind(&NetworkQualityChangedNetLogCallback,
-                 network_quality.http_rtt(), network_quality.transport_rtt(),
-                 network_quality.downstream_throughput_kbps(),
-                 effective_connection_type));
+  net_log_.AddEvent(NetLogEventType::NETWORK_QUALITY_CHANGED, [&] {
+    return NetworkQualityChangedNetLogParams(
+        network_quality.http_rtt(), network_quality.transport_rtt(),
+        network_quality.downstream_throughput_kbps(),
+        effective_connection_type);
+  });
 }
 
 }  // namespace internal
diff --git a/chromium/net/nqe/event_creator_unittest.cc b/chromium/net/nqe/event_creator_unittest.cc
index ac7a69b08b4..6bb8a49044d 100644
--- a/chromium/net/nqe/event_creator_unittest.cc
+++ b/chromium/net/nqe/event_creator_unittest.cc
@@ -7,7 +7,6 @@
 #include "base/time/time.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/nqe/effective_connection_type.h"
 #include "net/nqe/network_quality.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -23,15 +22,8 @@ namespace {
 // Returns the number of entries in |net_log| that have type set to
 // |NetLogEventType::NETWORK_QUALITY_CHANGED|.
 int GetNetworkQualityChangedEntriesCount(BoundTestNetLog* net_log) {
-  TestNetLogEntry::List entries;
-  net_log->GetEntries(&entries);
-
-  int count = 0;
-  for (const auto& entry : entries) {
-    if (entry.type == NetLogEventType::NETWORK_QUALITY_CHANGED)
-      ++count;
-  }
-  return count;
+  return net_log->GetEntriesWithType(NetLogEventType::NETWORK_QUALITY_CHANGED)
+      .size();
 }
 
 // Verify that the net log events are recorded correctly.
diff --git a/chromium/net/nqe/network_congestion_analyzer.cc b/chromium/net/nqe/network_congestion_analyzer.cc
new file mode 100644
index 00000000000..ada2a652e95
--- /dev/null
+++ b/chromium/net/nqe/network_congestion_analyzer.cc
@@ -0,0 +1,354 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <math.h>
+#include <algorithm>
+
+#include <net/nqe/network_congestion_analyzer.h>
+
+#include "base/metrics/histogram_functions.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/strings/string_number_conversions.h"
+#include "net/nqe/network_quality_estimator.h"
+#include "net/url_request/url_request.h"
+
+namespace net {
+
+namespace {
+
+// The threshold for the observed peak queueing delay in milliseconds.
+// A peak queueing delay is HIGH if it exceeds this threshold. The value is the
+// 98th percentile value of the peak queueing delay observed by all requests.
+static constexpr int64_t kHighQueueingDelayMsec = 5000;
+
+// The minimal time interval between two consecutive empty queue observations
+// when the number of in-flight requests is relatively low (i.e. 2). This time
+// interval is required so that a new measurement period could start.
+static constexpr int64_t kMinEmptyQueueObservingTimeMsec = 1500;
+
+// The min and max values for the peak queueing delay level.
+static constexpr size_t kQueueingDelayLevelMinVal = 1;
+static constexpr size_t kQueueingDelayLevelMaxVal = 10;
+
+// The array of thresholds for bucketizing a peak queueing delay sample.
+constexpr base::TimeDelta kQueueingDelayBucketThresholds[] = {
+    base::TimeDelta::FromMilliseconds(0),
+    base::TimeDelta::FromMilliseconds(30),
+    base::TimeDelta::FromMilliseconds(60),
+    base::TimeDelta::FromMilliseconds(120),
+    base::TimeDelta::FromMilliseconds(250),
+    base::TimeDelta::FromMilliseconds(500),
+    base::TimeDelta::FromMilliseconds(1000),
+    base::TimeDelta::FromMilliseconds(2000),
+    base::TimeDelta::FromMilliseconds(4000),
+    base::TimeDelta::FromMilliseconds(8000)};
+
+// The array of thresholds for determining whether a queueing delay sample is
+// low under different effective connection types (ECTs). Based on the initial
+// measurement, the queueing delay shows different distributions under different
+// ECTs. For example, a 300-msec queueing delay is low in a 2G connection, and
+// indicates the network queue is empty. However, the delay is the 90th
+// percentile value on a 4G connection, and indicates many packets are in the
+// network queue. These thresholds are the 33rd percentile values from these
+// delay distributions. A default value (400 msec) is used when the ECT is
+// UNKNOWN or OFFLINE.
+constexpr base::TimeDelta
+    kLowQueueingDelayThresholds[EFFECTIVE_CONNECTION_TYPE_LAST] = {
+        base::TimeDelta::FromMilliseconds(400),
+        base::TimeDelta::FromMilliseconds(400),
+        base::TimeDelta::FromMilliseconds(400),
+        base::TimeDelta::FromMilliseconds(400),
+        base::TimeDelta::FromMilliseconds(40),
+        base::TimeDelta::FromMilliseconds(15)};
+
+}  // namespace
+
+namespace nqe {
+
+namespace internal {
+
+NetworkCongestionAnalyzer::NetworkCongestionAnalyzer(
+    NetworkQualityEstimator* network_quality_estimator,
+    const base::TickClock* tick_clock)
+    : network_quality_estimator_(network_quality_estimator),
+      tick_clock_(tick_clock),
+      recent_active_hosts_count_(0u),
+      count_inflight_requests_for_peak_queueing_delay_(0u),
+      peak_count_inflight_requests_measurement_period_(0u) {
+  DCHECK(tick_clock_);
+  DCHECK(network_quality_estimator_);
+  DCHECK_EQ(kQueueingDelayLevelMaxVal,
+            base::size(kQueueingDelayBucketThresholds));
+}
+
+NetworkCongestionAnalyzer::~NetworkCongestionAnalyzer() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+}
+
+size_t NetworkCongestionAnalyzer::GetActiveHostsCount() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  return recent_active_hosts_count_;
+}
+
+void NetworkCongestionAnalyzer::NotifyStartTransaction(
+    const URLRequest& request) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  // Starts tracking the peak queueing delay after |request| starts.
+  TrackPeakQueueingDelayBegin(&request);
+}
+
+void NetworkCongestionAnalyzer::NotifyRequestCompleted(
+    const URLRequest& request) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  // Ends tracking of the peak queueing delay.
+  base::Optional<base::TimeDelta> peak_observed_delay =
+      TrackPeakQueueingDelayEnd(&request);
+  if (peak_observed_delay.has_value()) {
+    // Records the peak queueing delay keyed by the request priority.
+    base::UmaHistogramMediumTimes(
+        "ResourceScheduler.PeakObservedQueueingDelay.Priority" +
+            base::NumberToString(request.priority()),
+        peak_observed_delay.value());
+
+    // Records the peak queueing delay for all types of requests.
+    UMA_HISTOGRAM_MEDIUM_TIMES("ResourceScheduler.PeakObservedQueueingDelay",
+                               peak_observed_delay.value());
+  }
+}
+
+void NetworkCongestionAnalyzer::TrackPeakQueueingDelayBegin(
+    const URLRequest* request) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  // Returns if |request| has already been tracked.
+  if (request_peak_delay_.find(request) != request_peak_delay_.end())
+    return;
+
+  request_peak_delay_[request] = base::nullopt;
+}
+
+base::Optional<base::TimeDelta>
+NetworkCongestionAnalyzer::TrackPeakQueueingDelayEnd(
+    const URLRequest* request) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  auto request_delay = request_peak_delay_.find(request);
+  if (request_delay == request_peak_delay_.end())
+    return base::nullopt;
+
+  base::Optional<base::TimeDelta> peak_delay = request_delay->second;
+  request_peak_delay_.erase(request_delay);
+  return peak_delay;
+}
+
+void NetworkCongestionAnalyzer::ComputeRecentQueueingDelay(
+    const std::map<nqe::internal::IPHash, nqe::internal::CanonicalStats>&
+        recent_rtt_stats,
+    const std::map<nqe::internal::IPHash, nqe::internal::CanonicalStats>&
+        historical_rtt_stats,
+    const int32_t downlink_kbps) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  // Updates downlink throughput if a new valid observation comes.
+  if (downlink_kbps != nqe::internal::INVALID_RTT_THROUGHPUT)
+    set_recent_downlink_throughput_kbps(downlink_kbps);
+  if (recent_rtt_stats.empty())
+    return;
+
+  int32_t delay_sample_sum = 0;
+  recent_active_hosts_count_ = 0u;
+  for (const auto& host_stats : recent_rtt_stats) {
+    nqe::internal::IPHash host = host_stats.first;
+    // Skip hosts that do not have historical statistics.
+    if (historical_rtt_stats.find(host) == historical_rtt_stats.end())
+      continue;
+
+    // Skip hosts that have one or fewer RTT samples or do not have the min
+    // value. They cannot provide an effective queueing delay sample.
+    if (historical_rtt_stats.at(host).observation_count <= 1 ||
+        historical_rtt_stats.at(host).canonical_pcts.find(kStatVal0p) ==
+            historical_rtt_stats.at(host).canonical_pcts.end())
+      continue;
+
+    ++recent_active_hosts_count_;
+    delay_sample_sum +=
+        recent_rtt_stats.at(host).most_recent_val -
+        historical_rtt_stats.at(host).canonical_pcts.at(kStatVal0p);
+  }
+
+  if (recent_active_hosts_count_ == 0u)
+    return;
+
+  DCHECK_LT(0u, recent_active_hosts_count_);
+
+  int32_t delay_ms =
+      delay_sample_sum / static_cast<int>(recent_active_hosts_count_);
+  recent_queueing_delay_ = base::TimeDelta::FromMilliseconds(delay_ms);
+
+  // Updates the peak queueing delay for all tracked in-flight requests.
+  for (auto& it : request_peak_delay_) {
+    if (it.second.has_value()) {
+      it.second = std::max(it.second.value(), recent_queueing_delay_);
+    } else {
+      it.second = recent_queueing_delay_;
+    }
+  }
+
+  if (recent_downlink_per_packet_time_ms_ != base::nullopt) {
+    recent_queue_length_ = static_cast<float>(delay_ms) /
+                           recent_downlink_per_packet_time_ms_.value();
+  }
+}
+
+size_t NetworkCongestionAnalyzer::ComputePeakQueueingDelayLevel(
+    const base::TimeDelta& peak_queueing_delay) const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  DCHECK_LE(base::TimeDelta(), peak_queueing_delay);
+
+  // The range of queueing delay buckets includes all non-negative values. Thus,
+  // the non-negative peak queueing delay must be found in one of these buckets.
+  size_t level = kQueueingDelayLevelMaxVal;
+  while (level > kQueueingDelayLevelMinVal) {
+    // Stops searching if the peak queueing delay falls in the current bucket.
+    if (peak_queueing_delay >= kQueueingDelayBucketThresholds[level - 1])
+      break;
+
+    --level;
+  }
+  // The queueing delay level is from 1 (LOWEST) to 10 (HIGHEST).
+  DCHECK_LE(kQueueingDelayLevelMinVal, level);
+  DCHECK_GE(kQueueingDelayLevelMaxVal, level);
+  return level;
+}
+
+bool NetworkCongestionAnalyzer::IsQueueingDelayLow(
+    const base::TimeDelta& delay) const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  net::EffectiveConnectionType current_ect =
+      network_quality_estimator_->GetEffectiveConnectionType();
+  return delay <= kLowQueueingDelayThresholds[current_ect];
+}
+
+bool NetworkCongestionAnalyzer::ShouldStartNewMeasurement(
+    const base::TimeDelta& delay,
+    size_t count_inflight_requests) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  // The queue is not empty if either the queueing delay is high or the number
+  // of in-flight requests is high.
+  if (!IsQueueingDelayLow(delay) || count_inflight_requests >= 3) {
+    observing_empty_queue_timestamp_ = base::nullopt;
+    return false;
+  }
+
+  // Starts a new measurement period immediately if there is very few number of
+  // in-flight requests.
+  if (count_inflight_requests <= 1) {
+    observing_empty_queue_timestamp_ = base::nullopt;
+    return true;
+  }
+
+  base::TimeTicks now = tick_clock_->NowTicks();
+  // Requires a sufficient time interval between consecutive empty queue
+  // observations to claim the queue is empty.
+  if (observing_empty_queue_timestamp_.has_value()) {
+    if (now - observing_empty_queue_timestamp_.value() >=
+        base::TimeDelta::FromMilliseconds(kMinEmptyQueueObservingTimeMsec)) {
+      observing_empty_queue_timestamp_ = base::nullopt;
+      return true;
+    }
+  } else {
+    observing_empty_queue_timestamp_ = now;
+  }
+  return false;
+}
+
+void NetworkCongestionAnalyzer::UpdatePeakDelayMapping(
+    const base::TimeDelta& delay,
+    size_t count_inflight_requests) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  // Discards an abnormal observation. This high queueing delay is likely
+  // caused by retransmission packets from a previous measurement period.
+  if (delay >= base::TimeDelta::FromSeconds(20))
+    return;
+
+  if (ShouldStartNewMeasurement(delay, count_inflight_requests)) {
+    FinalizeCurrentMeasurementPeriod();
+
+    // Resets the tracked data for the new measurement period.
+    peak_queueing_delay_ = delay;
+    count_inflight_requests_for_peak_queueing_delay_ = count_inflight_requests;
+    peak_count_inflight_requests_measurement_period_ = count_inflight_requests;
+  } else {
+    // This is the logic to update the tracking data.
+    // First, updates the pending peak count of in-flight requests if a higher
+    // number of in-flight requests is observed.
+    // Second, updates the peak queueing delay and the peak count of inflight
+    // requests if a higher queueing delay is observed. The new peak queueing
+    // delay should be mapped to the peak count of in-flight requests that are
+    // observed before within this measurement period.
+    peak_count_inflight_requests_measurement_period_ =
+        std::max(peak_count_inflight_requests_measurement_period_,
+                 count_inflight_requests);
+
+    if (delay > peak_queueing_delay_) {
+      // Updates the peak queueing delay and the count of in-flight requests
+      // that are responsible for the delay.
+      peak_queueing_delay_ = delay;
+      count_inflight_requests_for_peak_queueing_delay_ =
+          peak_count_inflight_requests_measurement_period_;
+    }
+  }
+}
+
+void NetworkCongestionAnalyzer::FinalizeCurrentMeasurementPeriod() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  // Does nothing if the peak count of in-flight requests is less than 3.
+  if (peak_count_inflight_requests_measurement_period_ < 3)
+    return;
+
+  // Exports the tracked mapping data from the current measurement period.
+  // Updates the count of in-flight requests that would likely cause a high
+  // network queueing delay.
+  if (peak_queueing_delay_ >=
+      base::TimeDelta::FromMilliseconds(kHighQueueingDelayMsec)) {
+    count_inflight_requests_causing_high_delay_ =
+        count_inflight_requests_for_peak_queueing_delay_;
+  }
+
+  size_t peak_queueing_delay_level =
+      ComputePeakQueueingDelayLevel(peak_queueing_delay_);
+  DCHECK_GE(kQueueingDelayLevelMaxVal, peak_queueing_delay_level);
+
+  if (peak_queueing_delay_level >= kQueueingDelayLevelMinVal &&
+      peak_queueing_delay_level <= kQueueingDelayLevelMaxVal) {
+    // Records the count of in-flight requests causing the peak queueing delay
+    // within the current measurement period. These samples are bucketized
+    // into 10 peak queueing delay levels.
+    base::UmaHistogramCounts100(
+        "NQE.CongestionAnalyzer.CountInflightRequestsForPeakQueueingDelay."
+        "Level" +
+            base::NumberToString(peak_queueing_delay_level),
+        count_inflight_requests_for_peak_queueing_delay_);
+  }
+}
+
+void NetworkCongestionAnalyzer::set_recent_downlink_throughput_kbps(
+    const int32_t downlink_kbps) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  recent_downlink_throughput_kbps_ = downlink_kbps;
+  // Time in msec to transmit one TCP packet (1500 Bytes).
+  // |recent_downlink_per_packet_time_ms_| = 1500 * 8 /
+  // |recent_downlink_throughput_kbps_|.
+  recent_downlink_per_packet_time_ms_ = 12000 / downlink_kbps;
+}
+
+}  // namespace internal
+
+}  // namespace nqe
+
+}  // namespace net
diff --git a/chromium/net/nqe/network_congestion_analyzer.h b/chromium/net/nqe/network_congestion_analyzer.h
new file mode 100644
index 00000000000..3a6eecd49dd
--- /dev/null
+++ b/chromium/net/nqe/network_congestion_analyzer.h
@@ -0,0 +1,208 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_NQE_NETWORK_CONGESTION_ANALYZER_H_
+#define NET_NQE_NETWORK_CONGESTION_ANALYZER_H_
+
+#include <cmath>
+#include <map>
+#include <unordered_map>
+
+#include "base/gtest_prod_util.h"
+#include "base/macros.h"
+#include "base/optional.h"
+#include "base/sequence_checker.h"
+#include "base/time/time.h"
+#include "net/base/net_export.h"
+#include "net/nqe/effective_connection_type.h"
+#include "net/nqe/network_quality.h"
+#include "net/nqe/network_quality_estimator_util.h"
+#include "net/nqe/observation_buffer.h"
+#include "net/nqe/throughput_analyzer.h"
+
+namespace net {
+
+class NetworkQualityEstimator;
+
+namespace nqe {
+
+namespace internal {
+
+// NetworkCongestionAnalyzer holds the network congestion information, such
+// as the recent packet queue length in the mobile edge, recent queueing delay,
+// recent downlink throughput.
+class NET_EXPORT_PRIVATE NetworkCongestionAnalyzer {
+ public:
+  NetworkCongestionAnalyzer(NetworkQualityEstimator* network_quality_estimator,
+                            const base::TickClock* tick_clock);
+  ~NetworkCongestionAnalyzer();
+
+  // Returns the number of hosts that are involved in the last attempt of
+  // computing the recent queueing delay. These hosts are recent active hosts.
+  size_t GetActiveHostsCount() const;
+
+  // Notifies |this| that the headers of |request| are about to be sent.
+  void NotifyStartTransaction(const URLRequest& request);
+
+  // Notifies |this| that the response body of |request| has been received.
+  void NotifyRequestCompleted(const URLRequest& request);
+
+  // Computes the recent queueing delay. Records the observed queueing delay
+  // samples for all recent active hosts. The mean queueing delay is recorded in
+  // |recent_queueing_delay_|. |recent_rtt_stats| has all canonical statistic
+  // values of recent observations for active hosts. |historical_rtt_stats| has
+  // all canonical statistic values of historical observations for active hosts.
+  // If |downlink_kbps| is valid, updates |recent_downlink_throughput_kbps_| and
+  // |recent_downlink_per_packet_time_ms_| based on its value. If
+  // |recent_downlink_per_packet_time_ms_| has a valid value, updates
+  // |recent_queue_length_| as well.
+  void ComputeRecentQueueingDelay(
+      const std::map<nqe::internal::IPHash, nqe::internal::CanonicalStats>&
+          recent_rtt_stats,
+      const std::map<nqe::internal::IPHash, nqe::internal::CanonicalStats>&
+          historical_rtt_stats,
+      const int32_t downlink_kbps);
+
+  // Updates new observations of queueing delay and count of in-flight requests
+  // in order to track peak queueing delay and peak count of in-flight requests.
+  // |delay| is a newly observed queueing delay. |count_inflight_requests| is a
+  // newly observed count of in-flight requests.
+  void UpdatePeakDelayMapping(const base::TimeDelta& delay,
+                              size_t count_inflight_requests);
+
+  base::Optional<float> recent_queue_length() const {
+    return recent_queue_length_;
+  }
+
+  base::TimeDelta recent_queueing_delay() const {
+    return recent_queueing_delay_;
+  }
+
+ private:
+  FRIEND_TEST_ALL_PREFIXES(NetworkCongestionAnalyzerTest,
+                           TestStartingNewMeasurementPeriod);
+  FRIEND_TEST_ALL_PREFIXES(NetworkCongestionAnalyzerTest,
+                           TestUpdatePeakDelayMapping);
+  FRIEND_TEST_ALL_PREFIXES(NetworkCongestionAnalyzerTest,
+                           TestDetectLowQueueingDelay);
+  FRIEND_TEST_ALL_PREFIXES(NetworkCongestionAnalyzerTest,
+                           TestComputeQueueingDelayLevel);
+
+  // Returns the bucketized value of the peak queueing delay (a.k.a. peak
+  // queueing delay level). |peak_queueing_delay| is peak queueing delay
+  // observation within the current measurement period. The peak queueing delay
+  // level is from 1 to 10. A higher value means a higher peak queueing delay.
+  size_t ComputePeakQueueingDelayLevel(
+      const base::TimeDelta& peak_queueing_delay) const;
+
+  // Returns true if |delay| is less than the low queueing delay threshold
+  // corresponding to the current effective connection type (ECT). The threshold
+  // is the 33rd percentile value of the peak queueing delay samples. Compares
+  // |delay| with the default threshold if the ECT is UNKNOWN or OFFLINE.
+  bool IsQueueingDelayLow(const base::TimeDelta& delay) const;
+
+  // Returns true if a new measurement period should start. A new measurement
+  // period should start when the observed queueing delay is small and there are
+  // few in-flight requests. |delay| is a new queueing delay observation.
+  // |count_inflight_requests| is a new observed count of in-flight requests.
+  bool ShouldStartNewMeasurement(const base::TimeDelta& delay,
+                                 size_t count_inflight_requests);
+
+  // Finalizes the current peak queueing delay measurement period before a new
+  // measurement period starts. It exports the tracked data, such as the peak
+  // queueing delay and the count of in-flight requests causing the peak delay
+  // before they are reset. Only exports data when there are at least 3
+  // concurrent requests within the current measurement period.
+  void FinalizeCurrentMeasurementPeriod();
+
+  // Starts tracking the peak queueing delay for |request|.
+  void TrackPeakQueueingDelayBegin(const URLRequest* request);
+
+  // Returns the peak queueing delay observed by |request|. Also removes the
+  // record that belongs to |request| in the map. If the result is unavailable,
+  // returns nullopt.
+  base::Optional<base::TimeDelta> TrackPeakQueueingDelayEnd(
+      const URLRequest* request);
+
+  // Sets the |recent_downlink_throughput_kbps_| with the estimated downlink
+  // throughput in kbps. Also, computes the time frame (in millisecond) to
+  // transmit one TCP packet (1500 Bytes) under this downlink throughput.
+  void set_recent_downlink_throughput_kbps(const int32_t downlink_kbps);
+
+  base::Optional<int32_t> recent_downlink_throughput_kbps() const {
+    return recent_downlink_throughput_kbps_;
+  }
+
+  base::Optional<size_t> count_inflight_requests_causing_high_delay() const {
+    return count_inflight_requests_causing_high_delay_;
+  }
+
+  // Guaranteed to be non-null during the duration of |this|.
+  NetworkQualityEstimator* network_quality_estimator_;
+
+  // Guaranteed to be non-null during the lifetime of |this|.
+  const base::TickClock* tick_clock_;
+
+  // Recent downstream throughput estimate. It is the median of most recent
+  // downstream throughput observations (in kilobits per second).
+  base::Optional<int32_t> recent_downlink_throughput_kbps_;
+
+  // Time of transmitting one 1500-Byte TCP packet under
+  // |recent_downlink_throughput_kbps_|.
+  base::Optional<int32_t> recent_downlink_per_packet_time_ms_;
+
+  // The estimate of packet queue length. Computation is done based on the last
+  // observed downlink throughput.
+  base::Optional<float> recent_queue_length_;
+
+  // The estimate of queueing delay induced by packet queue.
+  base::TimeDelta recent_queueing_delay_;
+
+  // Mapping between URL requests to the observed queueing delay observations.
+  // The default value is nullopt.
+  typedef std::unordered_map<const URLRequest*, base::Optional<base::TimeDelta>>
+      RequestPeakDelay;
+
+  // This map maintains the mapping from in-flight URL requests to the peak
+  // queueing delay observed by requests.
+  RequestPeakDelay request_peak_delay_;
+
+  // Counts the number of hosts involved in the last attempt of computing the
+  // recent queueing delay.
+  size_t recent_active_hosts_count_;
+
+  // The peak queueing delay that is observed within the current ongoing
+  // measurement period.
+  base::TimeDelta peak_queueing_delay_;
+
+  // The peak number of in-flight requests that are responsible for the peak
+  // queueing delay within the current ongoing measurement period. These
+  // requests should be in-flight before the peak queueing delay is observed.
+  size_t count_inflight_requests_for_peak_queueing_delay_;
+
+  // The peak number of in-flight requests during the current measurement
+  // period. It updates the |count_inflight_requests_for_peak_queueing_delay_|
+  // only if a higher queueing delay is observed later.
+  size_t peak_count_inflight_requests_measurement_period_;
+
+  // Timestamp when the app started observing an empty queue. Resets to nullopt
+  // if the queue is unlikely to be empty or if a new measurement period starts.
+  base::Optional<base::TimeTicks> observing_empty_queue_timestamp_;
+
+  // The count of in-flight requests that would cause a high network queueing
+  // delay.
+  base::Optional<size_t> count_inflight_requests_causing_high_delay_;
+
+  SEQUENCE_CHECKER(sequence_checker_);
+
+  DISALLOW_COPY_AND_ASSIGN(NetworkCongestionAnalyzer);
+};
+
+}  // namespace internal
+
+}  // namespace nqe
+
+}  // namespace net
+
+#endif  // NET_NQE_NETWORK_CONGESTION_ANALYZER_H_
diff --git a/chromium/net/nqe/network_congestion_analyzer_unittest.cc b/chromium/net/nqe/network_congestion_analyzer_unittest.cc
new file mode 100644
index 00000000000..8123acf76b6
--- /dev/null
+++ b/chromium/net/nqe/network_congestion_analyzer_unittest.cc
@@ -0,0 +1,254 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/nqe/network_congestion_analyzer.h"
+#include <map>
+#include <unordered_map>
+
+#include "base/macros.h"
+#include "base/optional.h"
+#include "base/test/simple_test_tick_clock.h"
+#include "base/time/time.h"
+#include "net/nqe/network_quality.h"
+#include "net/nqe/network_quality_estimator_test_util.h"
+#include "net/nqe/observation_buffer.h"
+#include "net/test/test_with_scoped_task_environment.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace nqe {
+
+namespace internal {
+
+using NetworkCongestionAnalyzerTest = TestWithScopedTaskEnvironment;
+
+namespace {
+
+constexpr float kEpsilon = 0.001f;
+
+// These values should remain synchronized with the values in
+// net/nqe/network_congestion_analyzer.cc.
+constexpr int64_t kHighQueueingDelayMsec = 5000;
+constexpr int64_t kMinEmptyQueueObservingTimeMsec = 1500;
+constexpr base::TimeDelta
+    kLowQueueingDelayThresholds[EFFECTIVE_CONNECTION_TYPE_LAST] = {
+        base::TimeDelta::FromMilliseconds(400),
+        base::TimeDelta::FromMilliseconds(400),
+        base::TimeDelta::FromMilliseconds(400),
+        base::TimeDelta::FromMilliseconds(400),
+        base::TimeDelta::FromMilliseconds(40),
+        base::TimeDelta::FromMilliseconds(15)};
+
+// Verifies that the network queueing delay is computed correctly based on RTT
+// and downlink throughput observations.
+TEST_F(NetworkCongestionAnalyzerTest, TestComputingQueueingDelay) {
+  TestNetworkQualityEstimator network_quality_estimator;
+  base::SimpleTestTickClock tick_clock;
+
+  NetworkCongestionAnalyzer analyzer(&network_quality_estimator, &tick_clock);
+  std::map<uint64_t, CanonicalStats> recent_rtt_stats;
+  std::map<uint64_t, CanonicalStats> historical_rtt_stats;
+  int32_t downlink_kbps = nqe::internal::INVALID_RTT_THROUGHPUT;
+
+  // Checks that no result is updated when providing empty RTT observations and
+  // an invalid downlink throughput observation.
+  analyzer.ComputeRecentQueueingDelay(recent_rtt_stats, historical_rtt_stats,
+                                      downlink_kbps);
+  EXPECT_TRUE(analyzer.recent_queueing_delay().is_zero());
+
+  const uint64_t host_1 = 0x101010UL;
+  const uint64_t host_2 = 0x202020UL;
+  // Checks that the queueing delay is updated based on hosts with valid RTT
+  // observations. For example, the computation should be done by using data
+  // from host 1 only because host 2 does not provide a valid min RTT value.
+  std::map<int32_t, int32_t> recent_stat_host_1 = {{kStatVal0p, 1100}};
+  std::map<int32_t, int32_t> historical_stat_host_1 = {{kStatVal0p, 600}};
+  CanonicalStats recent_rtt_host_1 =
+      CanonicalStats(recent_stat_host_1, 1400, 5);
+  CanonicalStats historical_rtt_host_1 =
+      CanonicalStats(historical_stat_host_1, 1400, 15);
+
+  std::map<int32_t, int32_t> recent_stat_host_2 = {{kStatVal0p, 1200}};
+  std::map<int32_t, int32_t> historical_stat_host_2 = {{kStatVal50p, 1200}};
+  CanonicalStats recent_rtt_host_2 =
+      CanonicalStats(recent_stat_host_2, 1600, 3);
+  CanonicalStats historical_rtt_host_2 =
+      CanonicalStats(historical_stat_host_2, 1600, 8);
+  recent_rtt_stats.emplace(host_1, recent_rtt_host_1);
+  recent_rtt_stats.emplace(host_2, recent_rtt_host_2);
+  historical_rtt_stats.emplace(host_1, historical_rtt_host_1);
+  historical_rtt_stats.emplace(host_2, historical_rtt_host_2);
+
+  analyzer.ComputeRecentQueueingDelay(recent_rtt_stats, historical_rtt_stats,
+                                      downlink_kbps);
+  EXPECT_EQ(800, analyzer.recent_queueing_delay().InMilliseconds());
+
+  // Checks that the queueing delay is updated correctly based on all hosts when
+  // RTT observations and the throughput observation are valid.
+  historical_rtt_stats[host_2].canonical_pcts[kStatVal0p] = 1000;
+  downlink_kbps = 120;
+  analyzer.ComputeRecentQueueingDelay(recent_rtt_stats, historical_rtt_stats,
+                                      downlink_kbps);
+  EXPECT_EQ(700, analyzer.recent_queueing_delay().InMilliseconds());
+  EXPECT_NEAR(7.0, analyzer.recent_queue_length().value_or(0), kEpsilon);
+}
+
+}  // namespace
+
+// Verifies that a measurement period starts correctly when an empty queue
+// observation shows up. An empty queue observation is made when the queueing
+// delay is low and the number of in-flight requests is also low.
+TEST_F(NetworkCongestionAnalyzerTest, TestStartingNewMeasurementPeriod) {
+  TestNetworkQualityEstimator network_quality_estimator;
+  base::SimpleTestTickClock tick_clock;
+
+  network_quality_estimator.set_effective_connection_type(
+      EFFECTIVE_CONNECTION_TYPE_2G);
+  NetworkCongestionAnalyzer analyzer(&network_quality_estimator, &tick_clock);
+  base::TimeDelta low_queueing_delay_sample =
+      kLowQueueingDelayThresholds[EFFECTIVE_CONNECTION_TYPE_2G];
+
+  // Checks that a new measurement period starts immediately if the queueing
+  // delay is low and the number of in-flight requests are equal or less than 1.
+  EXPECT_FALSE(
+      analyzer.ShouldStartNewMeasurement(low_queueing_delay_sample, 2));
+  EXPECT_TRUE(analyzer.ShouldStartNewMeasurement(low_queueing_delay_sample, 1));
+  EXPECT_TRUE(analyzer.ShouldStartNewMeasurement(low_queueing_delay_sample, 0));
+
+  // Checks that a new measurement period starts after waiting for a sufficient
+  // time interval when the number of in-flight requests is 2.
+  EXPECT_FALSE(
+      analyzer.ShouldStartNewMeasurement(low_queueing_delay_sample, 2));
+  tick_clock.Advance(
+      base::TimeDelta::FromMilliseconds(kMinEmptyQueueObservingTimeMsec / 2));
+  EXPECT_FALSE(
+      analyzer.ShouldStartNewMeasurement(low_queueing_delay_sample, 2));
+  tick_clock.Advance(
+      base::TimeDelta::FromMilliseconds(kMinEmptyQueueObservingTimeMsec / 2));
+  EXPECT_TRUE(analyzer.ShouldStartNewMeasurement(low_queueing_delay_sample, 2));
+}
+
+// Verifies that the peak queueing delay is correctly mapped to the count of
+// in-flight requests that are responsible for that delay.
+TEST_F(NetworkCongestionAnalyzerTest, TestUpdatePeakDelayMapping) {
+  TestNetworkQualityEstimator network_quality_estimator;
+  base::SimpleTestTickClock tick_clock;
+
+  network_quality_estimator.set_effective_connection_type(
+      EFFECTIVE_CONNECTION_TYPE_2G);
+  NetworkCongestionAnalyzer analyzer(&network_quality_estimator, &tick_clock);
+  EXPECT_EQ(base::nullopt,
+            analyzer.count_inflight_requests_causing_high_delay());
+
+  // Checks that the count of in-flight requests for peak queueing delay is
+  // correctly recorded.
+  // Case #1: the peak queueing delay was observed after the max count (7) of
+  // in-flight requests was observed.
+  const size_t expected_count_requests_1 = 7;
+  std::vector<std::pair<base::TimeDelta, size_t>> queueing_delay_samples_1 = {
+      std::make_pair(base::TimeDelta::FromMilliseconds(10), 1),
+      std::make_pair(base::TimeDelta::FromMilliseconds(10), 3),
+      std::make_pair(base::TimeDelta::FromMilliseconds(400), 5),
+      std::make_pair(base::TimeDelta::FromMilliseconds(800),
+                     expected_count_requests_1),
+      std::make_pair(base::TimeDelta::FromMilliseconds(kHighQueueingDelayMsec),
+                     5),
+      std::make_pair(base::TimeDelta::FromMilliseconds(1000), 3),
+      std::make_pair(base::TimeDelta::FromMilliseconds(700), 3),
+      std::make_pair(base::TimeDelta::FromMilliseconds(600), 1),
+      std::make_pair(base::TimeDelta::FromMilliseconds(300), 0),
+  };
+  for (const auto& sample : queueing_delay_samples_1) {
+    analyzer.UpdatePeakDelayMapping(sample.first, sample.second);
+  }
+  EXPECT_EQ(expected_count_requests_1,
+            analyzer.count_inflight_requests_causing_high_delay().value_or(0));
+
+  // Case #2: the peak queueing delay is observed before the max count (11) of
+  // in-flight requests was observed. The 8 requests should be responsible for
+  // the peak queueing delay.
+  const size_t expected_count_requests_2 = 10;
+  std::vector<std::pair<base::TimeDelta, size_t>> queueing_delay_samples_2 = {
+      std::make_pair(base::TimeDelta::FromMilliseconds(10), 1),
+      std::make_pair(base::TimeDelta::FromMilliseconds(10), 3),
+      std::make_pair(base::TimeDelta::FromMilliseconds(400), 5),
+      std::make_pair(base::TimeDelta::FromMilliseconds(800), 5),
+      std::make_pair(base::TimeDelta::FromMilliseconds(kHighQueueingDelayMsec),
+                     expected_count_requests_2),
+      std::make_pair(base::TimeDelta::FromMilliseconds(3000), 11),
+      std::make_pair(base::TimeDelta::FromMilliseconds(700), 3),
+      std::make_pair(base::TimeDelta::FromMilliseconds(600), 1),
+      std::make_pair(base::TimeDelta::FromMilliseconds(300), 0),
+  };
+  for (const auto& sample : queueing_delay_samples_2) {
+    analyzer.UpdatePeakDelayMapping(sample.first, sample.second);
+  }
+  EXPECT_EQ(expected_count_requests_2,
+            analyzer.count_inflight_requests_causing_high_delay().value_or(0));
+}
+
+// Verifies that the network congestion analyzer can correctly determine whether
+// a queueing delay sample is low or not under different effective connection
+// types (ECTs).
+TEST_F(NetworkCongestionAnalyzerTest, TestDetectLowQueueingDelay) {
+  TestNetworkQualityEstimator network_quality_estimator;
+  base::SimpleTestTickClock tick_clock;
+  NetworkCongestionAnalyzer analyzer(&network_quality_estimator, &tick_clock);
+
+  // Checks that computations are done correctly under all different ECTs.
+  for (int i = 0; i != net::EFFECTIVE_CONNECTION_TYPE_LAST; ++i) {
+    auto type = static_cast<net::EffectiveConnectionType>(i);
+    network_quality_estimator.set_effective_connection_type(type);
+    base::TimeDelta low_queueing_delay = kLowQueueingDelayThresholds[type];
+
+    EXPECT_TRUE(analyzer.IsQueueingDelayLow(low_queueing_delay));
+    EXPECT_FALSE(analyzer.IsQueueingDelayLow(
+        low_queueing_delay + base::TimeDelta::FromMilliseconds(1)));
+  }
+}
+
+// Verifies that the network congestion analyzer can correctly bucketize the
+// peak queueing delay samples, and map the peak queueing delay samples to their
+// corresponding queueing delay levels from Level1 to Level10.
+TEST_F(NetworkCongestionAnalyzerTest, TestComputeQueueingDelayLevel) {
+  TestNetworkQualityEstimator network_quality_estimator;
+  base::SimpleTestTickClock tick_clock;
+  NetworkCongestionAnalyzer analyzer(&network_quality_estimator, &tick_clock);
+
+  std::vector<std::pair<base::TimeDelta, size_t>> queueing_delay_level_samples =
+      {std::make_pair(base::TimeDelta::FromMilliseconds(0), 1),
+       std::make_pair(base::TimeDelta::FromMilliseconds(25), 1),
+       std::make_pair(base::TimeDelta::FromMilliseconds(35), 2),
+       std::make_pair(base::TimeDelta::FromMilliseconds(55), 2),
+       std::make_pair(base::TimeDelta::FromMilliseconds(65), 3),
+       std::make_pair(base::TimeDelta::FromMilliseconds(115), 3),
+       std::make_pair(base::TimeDelta::FromMilliseconds(125), 4),
+       std::make_pair(base::TimeDelta::FromMilliseconds(245), 4),
+       std::make_pair(base::TimeDelta::FromMilliseconds(255), 5),
+       std::make_pair(base::TimeDelta::FromMilliseconds(495), 5),
+       std::make_pair(base::TimeDelta::FromMilliseconds(505), 6),
+       std::make_pair(base::TimeDelta::FromMilliseconds(995), 6),
+       std::make_pair(base::TimeDelta::FromMilliseconds(1005), 7),
+       std::make_pair(base::TimeDelta::FromMilliseconds(1995), 7),
+       std::make_pair(base::TimeDelta::FromMilliseconds(2005), 8),
+       std::make_pair(base::TimeDelta::FromMilliseconds(3995), 8),
+       std::make_pair(base::TimeDelta::FromMilliseconds(4005), 9),
+       std::make_pair(base::TimeDelta::FromMilliseconds(7995), 9),
+       std::make_pair(base::TimeDelta::FromMilliseconds(8005), 10),
+       std::make_pair(base::TimeDelta::FromMilliseconds(20000), 10)};
+
+  // Checks that all queueing delay samples are correctly mapped to
+  // their corresponding levels.
+  for (const auto& sample : queueing_delay_level_samples) {
+    EXPECT_EQ(sample.second,
+              analyzer.ComputePeakQueueingDelayLevel(sample.first));
+  }
+}
+
+}  // namespace internal
+
+}  // namespace nqe
+
+}  // namespace net
\ No newline at end of file
diff --git a/chromium/net/nqe/network_quality_estimator.cc b/chromium/net/nqe/network_quality_estimator.cc
index 4559de2d714..8a67230db5f 100644
--- a/chromium/net/nqe/network_quality_estimator.cc
+++ b/chromium/net/nqe/network_quality_estimator.cc
@@ -60,7 +60,8 @@ namespace {
 // id concurrently.
 base::LazySequencedTaskRunner g_get_network_id_task_runner =
     LAZY_SEQUENCED_TASK_RUNNER_INITIALIZER(
-        base::TaskTraits(base::MayBlock(),
+        base::TaskTraits(base::ThreadPool(),
+                         base::MayBlock(),
                          base::TaskPriority::BEST_EFFORT,
                          base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN));
 #endif
@@ -160,6 +161,7 @@ NetworkQualityEstimator::NetworkQualityEstimator(
               params_->weight_multiplier_per_signal_strength_level())},
       effective_connection_type_at_last_main_frame_(
           EFFECTIVE_CONNECTION_TYPE_UNKNOWN),
+      queueing_delay_update_interval_(base::TimeDelta::FromMilliseconds(2000)),
       effective_connection_type_recomputation_interval_(
           base::TimeDelta::FromSeconds(10)),
       rtt_observations_size_at_last_ect_computation_(0),
@@ -167,13 +169,13 @@ NetworkQualityEstimator::NetworkQualityEstimator(
       transport_rtt_observation_count_last_ect_computation_(0),
       new_rtt_observations_since_last_ect_computation_(0),
       new_throughput_observations_since_last_ect_computation_(0),
+      network_congestion_analyzer_(this, tick_clock_),
       effective_connection_type_(EFFECTIVE_CONNECTION_TYPE_UNKNOWN),
       cached_estimate_applied_(false),
       net_log_(NetLogWithSource::Make(
           net_log,
           net::NetLogSourceType::NETWORK_QUALITY_ESTIMATOR)),
-      event_creator_(net_log_),
-      weak_ptr_factory_(this) {
+      event_creator_(net_log_) {
   DCHECK_EQ(nqe::internal::OBSERVATION_CATEGORY_COUNT,
             base::size(rtt_ms_observations_));
 
@@ -275,6 +277,7 @@ void NetworkQualityEstimator::NotifyStartTransaction(
     MaybeComputeEffectiveConnectionType();
   }
   throughput_analyzer_->NotifyStartTransaction(request);
+  network_congestion_analyzer_.NotifyStartTransaction(request);
 }
 
 bool NetworkQualityEstimator::IsHangingRequest(
@@ -327,7 +330,9 @@ bool NetworkQualityEstimator::IsHangingRequest(
   return true;
 }
 
-void NetworkQualityEstimator::NotifyHeadersReceived(const URLRequest& request) {
+void NetworkQualityEstimator::NotifyHeadersReceived(
+    const URLRequest& request,
+    int64_t prefilter_total_bytes_read) {
   TRACE_EVENT0(NetTracingCategory(),
                "NetworkQualityEstimator::NotifyHeadersReceived");
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -370,9 +375,13 @@ void NetworkQualityEstimator::NotifyHeadersReceived(const URLRequest& request) {
                                    NETWORK_QUALITY_OBSERVATION_SOURCE_HTTP);
   AddAndNotifyObserversOfRTT(http_rtt_observation);
   throughput_analyzer_->NotifyBytesRead(request);
+  throughput_analyzer_->NotifyExpectedResponseContentSize(
+      request, request.GetExpectedContentSize());
 }
 
-void NetworkQualityEstimator::NotifyBytesRead(const URLRequest& request) {
+void NetworkQualityEstimator::NotifyBytesRead(
+    const URLRequest& request,
+    int64_t prefilter_total_bytes_read) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   throughput_analyzer_->NotifyBytesRead(request);
 }
@@ -387,6 +396,7 @@ void NetworkQualityEstimator::NotifyRequestCompleted(const URLRequest& request,
     return;
 
   throughput_analyzer_->NotifyRequestCompleted(request);
+  network_congestion_analyzer_.NotifyRequestCompleted(request);
 }
 
 void NetworkQualityEstimator::NotifyURLRequestDestroyed(
@@ -715,6 +725,73 @@ void NetworkQualityEstimator::RecordMetricsOnMainFrameRequest() const {
                             EFFECTIVE_CONNECTION_TYPE_LAST);
 }
 
+bool NetworkQualityEstimator::ShouldComputeNetworkQueueingDelay() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  const base::TimeTicks now = tick_clock_->NowTicks();
+  // Recomputes the queueing delay estimate if |queueing_delay_update_interval_|
+  // has passed.
+  return (now - last_queueing_delay_computation_ >=
+          queueing_delay_update_interval_);
+}
+
+void NetworkQualityEstimator::ComputeNetworkQueueingDelay() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  if (!ShouldComputeNetworkQueueingDelay())
+    return;
+
+  const base::TimeTicks now = tick_clock_->NowTicks();
+  last_queueing_delay_computation_ = now;
+  // The time after which observations are considered as recent data.
+  const base::TimeTicks recent_start_time =
+      now - base::TimeDelta::FromMilliseconds(1000);
+  // The time after which observations are considered as historical data.
+  const base::TimeTicks historical_start_time =
+      now - base::TimeDelta::FromMilliseconds(30000);
+
+  // Checks if a valid downlink throughput estimation is available.
+  int32_t downlink_kbps = 0;
+  if (!GetRecentDownlinkThroughputKbps(recent_start_time, &downlink_kbps))
+    downlink_kbps = nqe::internal::INVALID_RTT_THROUGHPUT;
+
+  // Gets recent RTT statistic values.
+  std::map<nqe::internal::IPHash, nqe::internal::CanonicalStats>
+      recent_rtt_stats =
+          rtt_ms_observations_[nqe::internal::OBSERVATION_CATEGORY_TRANSPORT]
+              .GetCanonicalStatsKeyedByHosts(recent_start_time,
+                                             std::set<nqe::internal::IPHash>());
+
+  if (recent_rtt_stats.empty())
+    return;
+
+  // Gets the set of active hosts. Only computes the historical stats for recent
+  // active hosts.
+  std::set<nqe::internal::IPHash> active_hosts;
+  for (const auto& host_stat : recent_rtt_stats)
+    active_hosts.insert(host_stat.first);
+
+  std::map<nqe::internal::IPHash, nqe::internal::CanonicalStats>
+      historical_rtt_stats =
+          rtt_ms_observations_[nqe::internal::OBSERVATION_CATEGORY_TRANSPORT]
+              .GetCanonicalStatsKeyedByHosts(historical_start_time,
+                                             active_hosts);
+
+  network_congestion_analyzer_.ComputeRecentQueueingDelay(
+      recent_rtt_stats, historical_rtt_stats, downlink_kbps);
+
+  // Gets the total number of inflight requests including hanging GETs. The app
+  // cannot determine whether a request is hanging or is still in the wire.
+  size_t count_inflight_requests =
+      throughput_analyzer_->CountTotalInFlightRequests();
+
+  // Tracks the mapping between the peak observed queueing delay to the peak
+  // count of in-flight requests.
+  network_congestion_analyzer_.UpdatePeakDelayMapping(
+      network_congestion_analyzer_.recent_queueing_delay(),
+      count_inflight_requests);
+}
+
 void NetworkQualityEstimator::ComputeEffectiveConnectionType() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
@@ -806,6 +883,11 @@ void NetworkQualityEstimator::ComputeEffectiveConnectionType() {
   new_throughput_observations_since_last_ect_computation_ = 0;
 }
 
+base::Optional<net::EffectiveConnectionType>
+NetworkQualityEstimator::GetOverrideECT() const {
+  return base::nullopt;
+}
+
 void NetworkQualityEstimator::ClampKbpsBasedOnEct() {
   // No need to clamp when ECT is unknown or if the connection speed is fast.
   if (effective_connection_type_ == EFFECTIVE_CONNECTION_TYPE_UNKNOWN ||
@@ -847,32 +929,32 @@ NetworkQualityEstimator::GetCappedECTBasedOnSignalStrength() const {
   if (current_network_id_.signal_strength == INT32_MIN)
     return effective_connection_type_;
 
-  // Capping ECT on WiFi is currently not enabled.
+  if (effective_connection_type_ == EFFECTIVE_CONNECTION_TYPE_UNKNOWN ||
+      effective_connection_type_ == EFFECTIVE_CONNECTION_TYPE_OFFLINE) {
+    return effective_connection_type_;
+  }
+
   if (current_network_id_.type == NetworkChangeNotifier::CONNECTION_WIFI) {
     // The maximum signal strength level is 4.
     UMA_HISTOGRAM_EXACT_LINEAR("NQE.WifiSignalStrength.AtECTComputation",
                                current_network_id_.signal_strength, 4);
+  } else if (current_network_id_.type == NetworkChangeNotifier::CONNECTION_2G ||
+             current_network_id_.type == NetworkChangeNotifier::CONNECTION_3G ||
+             current_network_id_.type == NetworkChangeNotifier::CONNECTION_4G) {
+    // The maximum signal strength level is 4.
+    UMA_HISTOGRAM_EXACT_LINEAR("NQE.CellularSignalStrength.AtECTComputation",
+                               current_network_id_.signal_strength, 4);
+  } else {
+    NOTREACHED();
     return effective_connection_type_;
   }
 
-  if (effective_connection_type_ == EFFECTIVE_CONNECTION_TYPE_UNKNOWN ||
-      effective_connection_type_ == EFFECTIVE_CONNECTION_TYPE_OFFLINE) {
-    return effective_connection_type_;
-  }
-
-  // The maximum signal strength level is 4.
-  UMA_HISTOGRAM_EXACT_LINEAR("NQE.CellularSignalStrength.AtECTComputation",
-                             current_network_id_.signal_strength, 4);
-
   // Do not cap ECT if the signal strength is high.
   if (current_network_id_.signal_strength > 2)
     return effective_connection_type_;
 
   DCHECK_LE(0, current_network_id_.signal_strength);
 
-  DCHECK_LE(NetworkChangeNotifier::CONNECTION_2G, current_network_id_.type);
-  DCHECK_GE(NetworkChangeNotifier::CONNECTION_4G, current_network_id_.type);
-
   // When signal strength is 0, the device is almost offline.
   if (current_network_id_.signal_strength == 0) {
     switch (current_network_id_.type) {
@@ -881,6 +963,7 @@ NetworkQualityEstimator::GetCappedECTBasedOnSignalStrength() const {
         return std::min(effective_connection_type_,
                         EFFECTIVE_CONNECTION_TYPE_SLOW_2G);
       case NetworkChangeNotifier::CONNECTION_4G:
+      case NetworkChangeNotifier::CONNECTION_WIFI:
         return std::min(effective_connection_type_,
                         EFFECTIVE_CONNECTION_TYPE_2G);
       default:
@@ -898,6 +981,7 @@ NetworkQualityEstimator::GetCappedECTBasedOnSignalStrength() const {
         return std::min(effective_connection_type_,
                         EFFECTIVE_CONNECTION_TYPE_2G);
       case NetworkChangeNotifier::CONNECTION_4G:
+      case NetworkChangeNotifier::CONNECTION_WIFI:
         return std::min(effective_connection_type_,
                         EFFECTIVE_CONNECTION_TYPE_3G);
       default:
@@ -915,6 +999,7 @@ NetworkQualityEstimator::GetCappedECTBasedOnSignalStrength() const {
         return std::min(effective_connection_type_,
                         EFFECTIVE_CONNECTION_TYPE_3G);
       case NetworkChangeNotifier::CONNECTION_4G:
+      case NetworkChangeNotifier::CONNECTION_WIFI:
         return std::min(effective_connection_type_,
                         EFFECTIVE_CONNECTION_TYPE_4G);
       default:
@@ -929,6 +1014,11 @@ NetworkQualityEstimator::GetCappedECTBasedOnSignalStrength() const {
 EffectiveConnectionType NetworkQualityEstimator::GetEffectiveConnectionType()
     const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  base::Optional<net::EffectiveConnectionType> override_ect = GetOverrideECT();
+  if (override_ect) {
+    return override_ect.value();
+  }
   return effective_connection_type_;
 }
 
@@ -1121,6 +1211,27 @@ void NetworkQualityEstimator::RemoveEffectiveConnectionTypeObserver(
   effective_connection_type_observer_list_.RemoveObserver(observer);
 }
 
+void NetworkQualityEstimator::AddPeerToPeerConnectionsCountObserver(
+    PeerToPeerConnectionsCountObserver* observer) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  DCHECK(observer);
+  peer_to_peer_type_observer_list_.AddObserver(observer);
+
+  // Notify the |observer| on the next message pump since |observer| may not
+  // be completely set up for receiving the callbacks.
+  base::ThreadTaskRunnerHandle::Get()->PostTask(
+      FROM_HERE,
+      base::BindOnce(&NetworkQualityEstimator::
+                         NotifyPeerToPeerConnectionsCountObserverIfPresent,
+                     weak_ptr_factory_.GetWeakPtr(), observer));
+}
+
+void NetworkQualityEstimator::RemovePeerToPeerConnectionsCountObserver(
+    PeerToPeerConnectionsCountObserver* observer) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  peer_to_peer_type_observer_list_.RemoveObserver(observer);
+}
+
 void NetworkQualityEstimator::AddRTTAndThroughputEstimatesObserver(
     RTTAndThroughputEstimatesObserver* observer) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -1308,11 +1419,12 @@ void NetworkQualityEstimator::OnUpdatedTransportRTTAvailable(
     const base::Optional<nqe::internal::IPHash>& host) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_LT(nqe::internal::INVALID_RTT_THROUGHPUT, rtt.InMilliseconds());
-
   Observation observation(rtt.InMilliseconds(), tick_clock_->NowTicks(),
                           current_network_id_.signal_strength,
                           ProtocolSourceToObservationSource(protocol), host);
   AddAndNotifyObserversOfRTT(observation);
+
+  ComputeNetworkQueueingDelay();
 }
 
 void NetworkQualityEstimator::AddAndNotifyObserversOfRTT(
@@ -1488,10 +1600,12 @@ void NetworkQualityEstimator::
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK_NE(EFFECTIVE_CONNECTION_TYPE_LAST, effective_connection_type_);
 
+  base::Optional<net::EffectiveConnectionType> override_ect = GetOverrideECT();
+
   // TODO(tbansal): Add hysteresis in the notification.
   for (auto& observer : effective_connection_type_observer_list_)
-    observer.OnEffectiveConnectionTypeChanged(effective_connection_type_);
-
+    observer.OnEffectiveConnectionTypeChanged(
+        override_ect ? override_ect.value() : effective_connection_type_);
   // Add the estimates of the current network to the cache store.
   network_quality_store_->Add(current_network_id_,
                               nqe::internal::CachedNetworkQuality(
@@ -1516,11 +1630,26 @@ void NetworkQualityEstimator::NotifyEffectiveConnectionTypeObserverIfPresent(
 
   if (!effective_connection_type_observer_list_.HasObserver(observer))
     return;
+
+  base::Optional<net::EffectiveConnectionType> override_ect = GetOverrideECT();
+  if (override_ect) {
+    observer->OnEffectiveConnectionTypeChanged(override_ect.value());
+    return;
+  }
   if (effective_connection_type_ == EFFECTIVE_CONNECTION_TYPE_UNKNOWN)
     return;
   observer->OnEffectiveConnectionTypeChanged(effective_connection_type_);
 }
 
+void NetworkQualityEstimator::NotifyPeerToPeerConnectionsCountObserverIfPresent(
+    PeerToPeerConnectionsCountObserver* observer) const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  if (!peer_to_peer_type_observer_list_.HasObserver(observer))
+    return;
+  observer->OnPeerToPeerConnectionsCountChange(p2p_connections_count_);
+}
+
 void NetworkQualityEstimator::NotifyRTTAndThroughputEstimatesObserverIfPresent(
     RTTAndThroughputEstimatesObserver* observer) const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -1675,4 +1804,36 @@ void NetworkQualityEstimator::RecordSpdyPingLatency(
   AddAndNotifyObserversOfRTT(observation);
 }
 
+void NetworkQualityEstimator::OnPeerToPeerConnectionsCountChange(
+    uint32_t count) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  if (p2p_connections_count_ == count)
+    return;
+
+  if (p2p_connections_count_ == 0 && count > 0) {
+    DCHECK(!p2p_connections_count_active_timestamp_);
+    p2p_connections_count_active_timestamp_ = tick_clock_->NowTicks();
+  }
+
+  if (p2p_connections_count_ > 0 && count == 0) {
+    DCHECK(p2p_connections_count_active_timestamp_);
+    base::TimeDelta duration = tick_clock_->NowTicks() -
+                               p2p_connections_count_active_timestamp_.value();
+    UMA_HISTOGRAM_LONG_TIMES("NQE.PeerToPeerConnectionsDuration", duration);
+    p2p_connections_count_active_timestamp_ = base::nullopt;
+  }
+
+  p2p_connections_count_ = count;
+
+  for (auto& observer : peer_to_peer_type_observer_list_) {
+    observer.OnPeerToPeerConnectionsCountChange(p2p_connections_count_);
+  }
+}
+
+uint32_t NetworkQualityEstimator::GetPeerToPeerConnectionsCountChange() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  return p2p_connections_count_;
+}
+
 }  // namespace net
diff --git a/chromium/net/nqe/network_quality_estimator.h b/chromium/net/nqe/network_quality_estimator.h
index bb2ca133368..b1b9cbd9227 100644
--- a/chromium/net/nqe/network_quality_estimator.h
+++ b/chromium/net/nqe/network_quality_estimator.h
@@ -29,6 +29,7 @@
 #include "net/nqe/effective_connection_type.h"
 #include "net/nqe/effective_connection_type_observer.h"
 #include "net/nqe/event_creator.h"
+#include "net/nqe/network_congestion_analyzer.h"
 #include "net/nqe/network_id.h"
 #include "net/nqe/network_quality.h"
 #include "net/nqe/network_quality_estimator_params.h"
@@ -36,6 +37,7 @@
 #include "net/nqe/network_quality_observation_source.h"
 #include "net/nqe/network_quality_store.h"
 #include "net/nqe/observation_buffer.h"
+#include "net/nqe/peer_to_peer_connections_count_observer.h"
 #include "net/nqe/rtt_throughput_estimates_observer.h"
 #include "net/nqe/socket_watcher_factory.h"
 
@@ -50,8 +52,8 @@ class NetLog;
 namespace nqe {
 namespace internal {
 class ThroughputAnalyzer;
-}
-}
+}  // namespace internal
+}  // namespace nqe
 
 class URLRequest;
 
@@ -135,6 +137,16 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   void RemoveEffectiveConnectionTypeObserver(
       EffectiveConnectionTypeObserver* observer);
 
+  // Adds/Removes |observer| from the list of peer to peer connections count
+  // observers. The observer must register and unregister itself on the same
+  // thread. |observer| would be notified on the thread on which it registered.
+  // |observer| would be notified of the current count of peer to peer
+  // connections in the next message pump.
+  void AddPeerToPeerConnectionsCountObserver(
+      PeerToPeerConnectionsCountObserver* observer);
+  void RemovePeerToPeerConnectionsCountObserver(
+      PeerToPeerConnectionsCountObserver* observer);
+
   // Returns the current HTTP RTT estimate. If the estimate is unavailable,
   // the returned optional value is null. The RTT at the HTTP layer measures the
   // time from when the request was sent (this happens after the connection is
@@ -167,12 +179,16 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
       RTTAndThroughputEstimatesObserver* observer);
 
   // Notifies NetworkQualityEstimator that the response header of |request| has
-  // been received.
-  void NotifyHeadersReceived(const URLRequest& request);
+  // been received. Reports the total prefilter network bytes that have been
+  // read for the response of |request|.
+  void NotifyHeadersReceived(const URLRequest& request,
+                             int64_t prefilter_total_bytes_read);
 
   // Notifies NetworkQualityEstimator that unfiltered bytes have been read for
-  // |request|.
-  void NotifyBytesRead(const URLRequest& request);
+  // |request|. Reports the total prefilter network bytes that have been read
+  // for the response of |request|.
+  void NotifyBytesRead(const URLRequest& request,
+                       int64_t prefilter_total_bytes_read);
 
   // Notifies NetworkQualityEstimator that the headers of |request| are about to
   // be sent.
@@ -264,6 +280,13 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   virtual void RecordSpdyPingLatency(const HostPortPair& host_port_pair,
                                      base::TimeDelta rtt);
 
+  // Sets the current count of media connections that require low latency.
+  void OnPeerToPeerConnectionsCountChange(uint32_t count);
+
+  // Returns the current count of peer to peer connections that may require low
+  // latency.
+  uint32_t GetPeerToPeerConnectionsCountChange() const;
+
   typedef nqe::internal::Observation Observation;
   typedef nqe::internal::ObservationBuffer ObservationBuffer;
 
@@ -374,10 +397,20 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   // the signal quality.
   virtual int32_t GetCurrentSignalStrength() const;
 
+  // Computes the recent network queueing delay. It updates the recent
+  // per-packet queueing delay introduced by the packet queue in the mobile
+  // edge. Also, it tracks the recent downlink throughput and computes the
+  // packet queue length. Results are kept in |network_congestion_analyzer_|.
+  void ComputeNetworkQueueingDelay();
+
   // Forces computation of effective connection type, and notifies observers
   // if there is a change in its value.
   void ComputeEffectiveConnectionType();
 
+  // Returns a non-null value if the value of the effective connection type has
+  // been overridden for testing.
+  virtual base::Optional<net::EffectiveConnectionType> GetOverrideECT() const;
+
   // Observer list for RTT or throughput estimates. Protected for testing.
   base::ObserverList<RTTAndThroughputEstimatesObserver>::Unchecked
       rtt_and_throughput_estimates_observer_list_;
@@ -386,12 +419,19 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   base::ObserverList<EffectiveConnectionTypeObserver>::Unchecked
       effective_connection_type_observer_list_;
 
+  // Observer list for changes in peer to peer connections count.
+  base::ObserverList<PeerToPeerConnectionsCountObserver>::Unchecked
+      peer_to_peer_type_observer_list_;
+
   // Params to configure the network quality estimator.
   const std::unique_ptr<NetworkQualityEstimatorParams> params_;
 
   // Number of end to end RTT samples available when the ECT was last computed.
   size_t end_to_end_rtt_observation_count_at_last_ect_computation_;
 
+  // Current count of active peer to peer connections.
+  uint32_t p2p_connections_count_ = 0u;
+
  private:
   FRIEND_TEST_ALL_PREFIXES(NetworkQualityEstimatorTest,
                            AdaptiveRecomputationEffectiveConnectionType);
@@ -413,6 +453,8 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
                            ObservationDiscardedIfCachedEstimateAvailable);
   FRIEND_TEST_ALL_PREFIXES(NetworkQualityEstimatorTest,
                            TestRttThroughputObservers);
+  FRIEND_TEST_ALL_PREFIXES(NetworkQualityEstimatorTest,
+                           TestComputingNetworkQueueingDelay);
 
   // Returns the RTT value to be used when the valid RTT is unavailable. Readers
   // should discard RTT if it is set to the value returned by |InvalidRTT()|.
@@ -441,6 +483,9 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   // Returns true only if the |request| can be used for RTT estimation.
   bool RequestProvidesRTTObservation(const URLRequest& request) const;
 
+  // Returns true if the network queueing delay should be evaluated.
+  bool ShouldComputeNetworkQueueingDelay() const;
+
   // Returns true if ECT should be recomputed.
   bool ShouldComputeEffectiveConnectionType() const;
 
@@ -456,6 +501,10 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   void NotifyEffectiveConnectionTypeObserverIfPresent(
       EffectiveConnectionTypeObserver* observer) const;
 
+  // Notifies |observer| of the current count of peer to peer connections.
+  void NotifyPeerToPeerConnectionsCountObserverIfPresent(
+      PeerToPeerConnectionsCountObserver* observer) const;
+
   // Records NQE accuracy metrics. |measuring_duration| should belong to the
   // vector returned by AccuracyRecordingIntervals().
   // RecordAccuracyAfterMainFrame should be called |measuring_duration| after a
@@ -531,6 +580,11 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   // type.
   void ClampKbpsBasedOnEct();
 
+  // Earliest timestamp since when there is at least one active peer to peer
+  // connection count. Set to current timestamp when |p2p_connections_count_|
+  // changes from 0 to 1. Reset to null when |p2p_connections_count_| becomes 0.
+  base::Optional<base::TimeTicks> p2p_connections_count_active_timestamp_;
+
   // Determines if the requests to local host can be used in estimating the
   // network quality. Set to true only for tests.
   bool use_localhost_requests_;
@@ -581,6 +635,13 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   // estimating the throughput.
   std::unique_ptr<nqe::internal::ThroughputAnalyzer> throughput_analyzer_;
 
+  // Minimum duration between two consecutive attampts of computing the network
+  // queueing delay.
+  const base::TimeDelta queueing_delay_update_interval_;
+
+  // Time when the computation of network queueing delay was last attempted.
+  base::TimeTicks last_queueing_delay_computation_;
+
   // Minimum duration between two consecutive computations of effective
   // connection type. Set to non-zero value as a performance optimization.
   const base::TimeDelta effective_connection_type_recomputation_interval_;
@@ -608,6 +669,10 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   nqe::internal::NetworkQuality network_quality_;
   base::Optional<base::TimeDelta> end_to_end_rtt_;
 
+  // Recent network congestion status cache. It has methods to update
+  // information related to network congestion.
+  nqe::internal::NetworkCongestionAnalyzer network_congestion_analyzer_;
+
   // Current effective connection type. It is updated on connection change
   // events. It is also updated every time there is network traffic (provided
   // the last computation was more than
@@ -641,7 +706,7 @@ class NET_EXPORT_PRIVATE NetworkQualityEstimator
   bool get_network_id_asynchronously_ = false;
 #endif
 
-  base::WeakPtrFactory<NetworkQualityEstimator> weak_ptr_factory_;
+  base::WeakPtrFactory<NetworkQualityEstimator> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(NetworkQualityEstimator);
 };
diff --git a/chromium/net/nqe/network_quality_estimator_test_util.cc b/chromium/net/nqe/network_quality_estimator_test_util.cc
index 4ee7b4fbc0f..86d571d5be0 100644
--- a/chromium/net/nqe/network_quality_estimator_test_util.cc
+++ b/chromium/net/nqe/network_quality_estimator_test_util.cc
@@ -8,7 +8,7 @@
 #include "base/run_loop.h"
 #include "net/base/load_flags.h"
 #include "net/log/net_log_with_source.h"
-#include "net/log/test_net_log_entry.h"
+#include "net/log/test_net_log_util.h"
 #include "net/nqe/network_quality_estimator_params.h"
 #include "net/test/embedded_test_server/http_response.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
@@ -255,47 +255,37 @@ base::TimeDelta TestNetworkQualityEstimator::GetRTTEstimateInternal(
 }
 
 int TestNetworkQualityEstimator::GetEntriesCount(NetLogEventType type) const {
-  TestNetLogEntry::List entries;
-  net_log_->GetEntries(&entries);
-
-  int count = 0;
-  for (const auto& entry : entries) {
-    if (entry.type == type)
-      ++count;
-  }
-  return count;
+  return net_log_->GetEntriesWithType(type).size();
 }
 
 std::string TestNetworkQualityEstimator::GetNetLogLastStringValue(
     NetLogEventType type,
     const std::string& key) const {
-  std::string return_value;
-  TestNetLogEntry::List entries;
-  net_log_->GetEntries(&entries);
+  auto entries = net_log_->GetEntries();
 
   for (int i = entries.size() - 1; i >= 0; --i) {
-    if (entries[i].type == type &&
-        entries[i].GetStringValue(key, &return_value)) {
-      return return_value;
+    if (entries[i].type == type) {
+      auto value = GetOptionalStringValueFromParams(entries[i], key);
+      if (value)
+        return *value;
     }
   }
-  return return_value;
+  return std::string();
 }
 
 int TestNetworkQualityEstimator::GetNetLogLastIntegerValue(
     NetLogEventType type,
     const std::string& key) const {
-  int return_value = 0;
-  TestNetLogEntry::List entries;
-  net_log_->GetEntries(&entries);
+  auto entries = net_log_->GetEntries();
 
   for (int i = entries.size() - 1; i >= 0; --i) {
-    if (entries[i].type == type &&
-        entries[i].GetIntegerValue(key, &return_value)) {
-      return return_value;
+    if (entries[i].type == type) {
+      auto value = GetOptionalIntegerValueFromParams(entries[i], key);
+      if (value)
+        return *value;
     }
   }
-  return return_value;
+  return 0;
 }
 
 void TestNetworkQualityEstimator::
@@ -316,6 +306,18 @@ void TestNetworkQualityEstimator::
     observer.OnEffectiveConnectionTypeChanged(type);
 }
 
+base::Optional<net::EffectiveConnectionType>
+TestNetworkQualityEstimator::GetOverrideECT() const {
+  return effective_connection_type_;
+}
+
+void TestNetworkQualityEstimator::
+    SetAndNotifyObserversOfP2PActiveConnectionsCountChange(uint32_t count) {
+  p2p_connections_count_ = count;
+  for (auto& observer : peer_to_peer_type_observer_list_)
+    observer.OnPeerToPeerConnectionsCountChange(count);
+}
+
 void TestNetworkQualityEstimator::RecordSpdyPingLatency(
     const HostPortPair& host_port_pair,
     base::TimeDelta rtt) {
diff --git a/chromium/net/nqe/network_quality_estimator_test_util.h b/chromium/net/nqe/network_quality_estimator_test_util.h
index 5786f91840f..09568baf6df 100644
--- a/chromium/net/nqe/network_quality_estimator_test_util.h
+++ b/chromium/net/nqe/network_quality_estimator_test_util.h
@@ -209,6 +209,11 @@ class TestNetworkQualityEstimator : public NetworkQualityEstimator {
   void SetAndNotifyObserversOfEffectiveConnectionType(
       EffectiveConnectionType type);
 
+  // Updates the count of active P2P connections to |count| and notifies the
+  // registered observers that the active P2P connection counts has changed to
+  // |count|.
+  void SetAndNotifyObserversOfP2PActiveConnectionsCountChange(uint32_t count);
+
   void SetTransportRTTAtastECTSampleCount(size_t count) {
     transport_rtt_observation_count_last_ect_computation_ = count;
   }
@@ -245,6 +250,8 @@ class TestNetworkQualityEstimator : public NetworkQualityEstimator {
   nqe::internal::NetworkID GetCurrentNetworkID() const override;
   int32_t GetCurrentSignalStrength() const override;
 
+  base::Optional<net::EffectiveConnectionType> GetOverrideECT() const override;
+
   // Net log provided to network quality estimator.
   std::unique_ptr<net::BoundTestNetLog> net_log_;
 
diff --git a/chromium/net/nqe/network_quality_estimator_unittest.cc b/chromium/net/nqe/network_quality_estimator_unittest.cc
index 168c42575db..3caaffd0dfb 100644
--- a/chromium/net/nqe/network_quality_estimator_unittest.cc
+++ b/chromium/net/nqe/network_quality_estimator_unittest.cc
@@ -89,6 +89,20 @@ class TestEffectiveConnectionTypeObserver
   std::vector<EffectiveConnectionType> effective_connection_types_;
 };
 
+class TestPeerToPeerConnectionsCountObserver
+    : public PeerToPeerConnectionsCountObserver {
+ public:
+  uint32_t count() { return count_; }
+
+ private:
+  // PeerToPeerConnectionsCountObserver:
+  void OnPeerToPeerConnectionsCountChange(uint32_t count) override {
+    count_ = count;
+  }
+
+  uint32_t count_ = 0u;
+};
+
 class TestRTTAndThroughputEstimatesObserver
     : public RTTAndThroughputEstimatesObserver {
  public:
@@ -188,6 +202,7 @@ class TestThroughputObserver
 
 }  // namespace
 
+constexpr float kEpsilon = 0.001f;
 using NetworkQualityEstimatorTest = TestWithScopedTaskEnvironment;
 
 TEST_F(NetworkQualityEstimatorTest, TestKbpsRTTUpdates) {
@@ -551,6 +566,88 @@ TEST_F(NetworkQualityEstimatorTest, CachingDisabled) {
   EXPECT_EQ(0U, throughput_observer.observations().size());
 }
 
+// Tests that the network queueing delay is updated correctly.
+TEST_F(NetworkQualityEstimatorTest, TestComputingNetworkQueueingDelay) {
+  base::SimpleTestTickClock tick_clock;
+  std::map<std::string, std::string> variation_params;
+  variation_params["add_default_platform_observations"] = "false";
+  TestNetworkQualityEstimator estimator(variation_params);
+  estimator.SetTickClockForTesting(&tick_clock);
+
+  // Adds historical and recent RTT observations. Active hosts are
+  // 0x101010-0x303030. Host 0x404040 did not receive any transport RTT sample
+  // recently. Host 0x505050 did not have enough RTT samples.
+  tick_clock.Advance(base::TimeDelta::FromMilliseconds(1000));
+  const base::TimeTicks history = tick_clock.NowTicks();
+
+  std::map<uint64_t, base::TimeDelta> historical_rtts = {
+      {0x101010UL, base::TimeDelta::FromMilliseconds(600)},
+      {0x202020UL, base::TimeDelta::FromMilliseconds(1000)},
+      {0x303030UL, base::TimeDelta::FromMilliseconds(1400)},
+      {0x303030UL, base::TimeDelta::FromMilliseconds(1600)},
+      {0x303030UL, base::TimeDelta::FromMilliseconds(1800)},
+      {0x404040UL, base::TimeDelta::FromMilliseconds(3000)}};
+  for (const auto& host_rtt : historical_rtts) {
+    const uint64_t host = host_rtt.first;
+    NetworkQualityEstimator::Observation historical_rtt(
+        historical_rtts[host].InMilliseconds(), history, INT32_MIN,
+        NETWORK_QUALITY_OBSERVATION_SOURCE_TCP, host);
+    estimator.AddAndNotifyObserversOfRTT(historical_rtt);
+  }
+
+  // Sets the start time of the current window for computing queueing delay.
+  tick_clock.Advance(base::TimeDelta::FromMilliseconds(28000));
+  const base::TimeTicks window_start_time = tick_clock.NowTicks();
+  estimator.last_queueing_delay_computation_ = window_start_time;
+
+  tick_clock.Advance(base::TimeDelta::FromMilliseconds(1000));
+  const base::TimeTicks recent = tick_clock.NowTicks();
+
+  std::map<uint64_t, base::TimeDelta> recent_rtts = {
+      {0x101010UL, base::TimeDelta::FromMilliseconds(1500)},
+      {0x202020UL, base::TimeDelta::FromMilliseconds(2000)},
+      {0x303030UL, base::TimeDelta::FromMilliseconds(2500)},
+      {0x505050UL, base::TimeDelta::FromMilliseconds(2000)}};
+  for (const auto& host_rtt : recent_rtts) {
+    const uint64_t host = host_rtt.first;
+    NetworkQualityEstimator::Observation recent_rtt(
+        recent_rtts[host].InMilliseconds(), recent, INT32_MIN,
+        NETWORK_QUALITY_OBSERVATION_SOURCE_TCP, host);
+    estimator.AddAndNotifyObserversOfRTT(recent_rtt);
+  }
+
+  // Checks that the queueing delay should not be updated because the last
+  // computation was done within the last 2 seconds.
+  EXPECT_FALSE(estimator.ShouldComputeNetworkQueueingDelay());
+
+  // Checks that the number of active hosts is 3. Also, checks that the queueing
+  // delay is computed correctly based on their RTT observations.
+  tick_clock.Advance(base::TimeDelta::FromMilliseconds(1000));
+  EXPECT_TRUE(estimator.ShouldComputeNetworkQueueingDelay());
+  estimator.ComputeNetworkQueueingDelay();
+  EXPECT_EQ(3u, estimator.network_congestion_analyzer_.GetActiveHostsCount());
+  EXPECT_EQ(base::TimeDelta::FromMilliseconds(1000),
+            estimator.network_congestion_analyzer_.recent_queueing_delay());
+  EXPECT_EQ(base::nullopt,
+            estimator.network_congestion_analyzer_.recent_queue_length());
+
+  // Adds a recent throughput observation.
+  NetworkQualityEstimator::Observation throughput_observation(
+      120, recent, INT32_MIN, NETWORK_QUALITY_OBSERVATION_SOURCE_HTTP,
+      base::nullopt);
+  estimator.AddAndNotifyObserversOfThroughput(throughput_observation);
+  int32_t downlink_kbps = 0;
+  EXPECT_TRUE(
+      estimator.GetRecentDownlinkThroughputKbps(recent, &downlink_kbps));
+
+  // Checks the queue length is updated when the downlink throughput is valid.
+  estimator.last_queueing_delay_computation_ = window_start_time;
+  estimator.ComputeNetworkQueueingDelay();
+  EXPECT_NEAR(
+      estimator.network_congestion_analyzer_.recent_queue_length().value_or(0),
+      10.0, kEpsilon);
+}
+
 TEST_F(NetworkQualityEstimatorTest, QuicObservations) {
   base::HistogramTester histogram_tester;
   std::map<std::string, std::string> variation_params;
@@ -1100,22 +1197,33 @@ TEST_F(NetworkQualityEstimatorTest, DefaultHttpRTTBasedThresholds) {
 TEST_F(NetworkQualityEstimatorTest, SignalStrengthBasedCapping) {
   const struct {
     bool enable_signal_strength_capping_experiment;
+    NetworkChangeNotifier::ConnectionType device_connection_type;
     int32_t signal_strength_level;
     int32_t http_rtt_msec;
     EffectiveConnectionType expected_ect;
     bool expected_http_rtt_overridden;
   } tests[] = {
       // Signal strength is unavailable.
-      {true, INT32_MIN, 20, EFFECTIVE_CONNECTION_TYPE_4G, false},
+      {true, NetworkChangeNotifier::CONNECTION_4G, INT32_MIN, 20,
+       EFFECTIVE_CONNECTION_TYPE_4G, false},
 
-      // Signal strength is too low. Even though RTT is reported as low,
+      // 4G device connection type: Signal strength is too low. Even though RTT
+      // is reported as low,
       // ECT is expected to be capped to 2G.
-      {true, 0, 20, EFFECTIVE_CONNECTION_TYPE_2G, true},
+      {true, NetworkChangeNotifier::CONNECTION_4G, 0, 20,
+       EFFECTIVE_CONNECTION_TYPE_2G, true},
+
+      // WiFi device connection type: Signal strength is too low. Even though
+      // RTT is reported as low, ECT is expected to be capped to 2G.
+      {true, NetworkChangeNotifier::CONNECTION_WIFI, 0, 20,
+       EFFECTIVE_CONNECTION_TYPE_2G, true},
 
       // When the signal strength based capping experiment is not enabled,
       // ECT should be computed only on the based of |http_rtt_msec|.
-      {false, INT32_MIN, 20, EFFECTIVE_CONNECTION_TYPE_4G, false},
-      {false, 0, 20, EFFECTIVE_CONNECTION_TYPE_4G, false},
+      {false, NetworkChangeNotifier::CONNECTION_4G, INT32_MIN, 20,
+       EFFECTIVE_CONNECTION_TYPE_4G, false},
+      {false, NetworkChangeNotifier::CONNECTION_4G, 0, 20,
+       EFFECTIVE_CONNECTION_TYPE_4G, false},
   };
 
   for (const auto& test : tests) {
@@ -1130,8 +1238,7 @@ TEST_F(NetworkQualityEstimatorTest, SignalStrengthBasedCapping) {
     // does not return Offline if the device is offline.
     estimator.SetCurrentSignalStrength(test.signal_strength_level);
 
-    estimator.SimulateNetworkChange(NetworkChangeNotifier::CONNECTION_4G,
-                                    "test");
+    estimator.SimulateNetworkChange(test.device_connection_type, "test");
 
     estimator.SetStartTimeNullHttpRtt(
         base::TimeDelta::FromMilliseconds(test.http_rtt_msec));
@@ -2942,4 +3049,46 @@ TEST_F(NetworkQualityEstimatorTest, HangingRequestUsingTransportAndHttpOnly) {
   }
 }
 
+TEST_F(NetworkQualityEstimatorTest, PeerToPeerConnectionCounts) {
+  TestNetworkQualityEstimator estimator;
+  base::SimpleTestTickClock tick_clock;
+  estimator.SetTickClockForTesting(&tick_clock);
+  base::HistogramTester histogram_tester;
+
+  estimator.OnPeerToPeerConnectionsCountChange(3u);
+  base::TimeDelta advance_1 = base::TimeDelta::FromMinutes(4);
+  tick_clock.Advance(advance_1);
+  histogram_tester.ExpectTotalCount("NQE.PeerToPeerConnectionsDuration", 0);
+
+  estimator.OnPeerToPeerConnectionsCountChange(1u);
+  base::TimeDelta advance_2 = base::TimeDelta::FromMinutes(6);
+  tick_clock.Advance(advance_2);
+  histogram_tester.ExpectTotalCount("NQE.PeerToPeerConnectionsDuration", 0);
+
+  estimator.OnPeerToPeerConnectionsCountChange(0u);
+  histogram_tester.ExpectUniqueSample("NQE.PeerToPeerConnectionsDuration",
+                                      (advance_1 + advance_2).InMilliseconds(),
+                                      1);
+}
+
+TEST_F(NetworkQualityEstimatorTest, TestPeerToPeerConnectionsCountObserver) {
+  TestPeerToPeerConnectionsCountObserver observer;
+  TestNetworkQualityEstimator estimator;
+
+  EXPECT_EQ(0u, observer.count());
+  estimator.OnPeerToPeerConnectionsCountChange(5u);
+  base::RunLoop().RunUntilIdle();
+  // |observer| has not yet registered with |estimator|.
+  EXPECT_EQ(0u, observer.count());
+
+  // |observer| should be notified of the current count on registration.
+  estimator.AddPeerToPeerConnectionsCountObserver(&observer);
+  base::RunLoop().RunUntilIdle();
+  EXPECT_EQ(5u, observer.count());
+
+  estimator.OnPeerToPeerConnectionsCountChange(3u);
+  base::RunLoop().RunUntilIdle();
+  EXPECT_EQ(3u, observer.count());
+}
+
 }  // namespace net
diff --git a/chromium/net/nqe/network_quality_store.cc b/chromium/net/nqe/network_quality_store.cc
index aa444b0560d..102ad4bedfb 100644
--- a/chromium/net/nqe/network_quality_store.cc
+++ b/chromium/net/nqe/network_quality_store.cc
@@ -15,7 +15,7 @@ namespace nqe {
 
 namespace internal {
 
-NetworkQualityStore::NetworkQualityStore() : weak_ptr_factory_(this) {
+NetworkQualityStore::NetworkQualityStore() {
   static_assert(kMaximumNetworkQualityCacheSize > 0,
                 "Size of the network quality cache must be > 0");
   // This limit should not be increased unless the logic for removing the
diff --git a/chromium/net/nqe/network_quality_store.h b/chromium/net/nqe/network_quality_store.h
index 5250e525999..a1aedc35d61 100644
--- a/chromium/net/nqe/network_quality_store.h
+++ b/chromium/net/nqe/network_quality_store.h
@@ -99,7 +99,7 @@ class NET_EXPORT_PRIVATE NetworkQualityStore {
 
   SEQUENCE_CHECKER(sequence_checker_);
 
-  base::WeakPtrFactory<NetworkQualityStore> weak_ptr_factory_;
+  base::WeakPtrFactory<NetworkQualityStore> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(NetworkQualityStore);
 };
diff --git a/chromium/net/nqe/observation_buffer.cc b/chromium/net/nqe/observation_buffer.cc
index 8332ba3e727..4633ea1460c 100644
--- a/chromium/net/nqe/observation_buffer.cc
+++ b/chromium/net/nqe/observation_buffer.cc
@@ -21,6 +21,24 @@ namespace net {
 namespace nqe {
 
 namespace internal {
+CanonicalStats::CanonicalStats() = default;
+
+CanonicalStats::CanonicalStats(std::map<int32_t, int32_t>& canonical_pcts,
+                               int32_t most_recent_val,
+                               size_t observation_count)
+    : canonical_pcts(canonical_pcts),
+      most_recent_val(most_recent_val),
+      observation_count(observation_count) {}
+
+CanonicalStats::CanonicalStats(const CanonicalStats& other)
+    : canonical_pcts(other.canonical_pcts),
+      most_recent_val(other.most_recent_val),
+      observation_count(other.observation_count) {}
+
+CanonicalStats::~CanonicalStats() = default;
+
+CanonicalStats& CanonicalStats::operator=(const CanonicalStats& other) =
+    default;
 
 ObservationBuffer::ObservationBuffer(
     const NetworkQualityEstimatorParams* params,
@@ -112,6 +130,65 @@ base::Optional<int32_t> ObservationBuffer::GetPercentile(
   return weighted_observations.at(weighted_observations.size() - 1).value;
 }
 
+std::map<IPHash, CanonicalStats>
+ObservationBuffer::GetCanonicalStatsKeyedByHosts(
+    const base::TimeTicks& begin_timestamp,
+    const std::set<IPHash>& target_hosts) const {
+  DCHECK_GE(Capacity(), Size());
+
+  // Computes for all hosts if |target_hosts| is empty. Otherwise, only
+  // updates map entries for hosts in |target_hosts| and ignores observations
+  // from other hosts.
+  bool filter_on_target_hosts = !(target_hosts.empty());
+
+  // Split observations into several subgroups keyed by their corresponding
+  // hosts. Skip observations without a host tag. Filter observations based
+  // on begin_timestamp. If |target_hosts| is not empty, filter obesrvations
+  // that do not belong to any host in the set.
+  std::map<IPHash, std::vector<int32_t>> host_keyed_observations;
+  for (const auto& observation : observations_) {
+    if (!observation.host())
+      continue;
+    if (observation.timestamp() < begin_timestamp)
+      continue;
+    // Skip zero values. Transport RTTs can have zero values in the beginning
+    // of a connection. It happens because the implementation of TCP's
+    // Exponentially Weighted Moving Average (EWMA) starts from zero.
+    if (observation.value() < 1)
+      continue;
+
+    IPHash host = observation.host().value();
+    if (filter_on_target_hosts && target_hosts.find(host) == target_hosts.end())
+      continue;
+
+    // Create the map entry if it did not already exist.
+    host_keyed_observations.emplace(host, std::vector<int32_t>());
+    host_keyed_observations[host].push_back(observation.value());
+  }
+
+  std::map<IPHash, CanonicalStats> host_keyed_stats;
+  if (host_keyed_observations.empty())
+    return host_keyed_stats;
+
+  // Calculate the canonical percentile values for each host.
+  for (auto& host_observations : host_keyed_observations) {
+    const IPHash& host = host_observations.first;
+    auto& observations = host_observations.second;
+    host_keyed_stats.emplace(host, CanonicalStats());
+    size_t count = observations.size();
+
+    std::sort(observations.begin(), observations.end());
+    for (size_t i = 0; i < base::size(kCanonicalPercentiles); ++i) {
+      int pct_index = (count - 1) * kCanonicalPercentiles[i] / 100;
+      host_keyed_stats[host].canonical_pcts[kCanonicalPercentiles[i]] =
+          observations[pct_index];
+    }
+    host_keyed_stats[host].most_recent_val = observations.back();
+    host_keyed_stats[host].observation_count = count;
+  }
+  return host_keyed_stats;
+}
+
 void ObservationBuffer::RemoveObservationsWithSource(
     bool deleted_observation_sources[NETWORK_QUALITY_OBSERVATION_SOURCE_MAX]) {
   base::EraseIf(observations_,
diff --git a/chromium/net/nqe/observation_buffer.h b/chromium/net/nqe/observation_buffer.h
index d352658131f..300f7b34621 100644
--- a/chromium/net/nqe/observation_buffer.h
+++ b/chromium/net/nqe/observation_buffer.h
@@ -33,7 +33,34 @@ class NetworkQualityEstimatorParams;
 namespace nqe {
 
 namespace internal {
-
+constexpr int32_t kStatVal0p = 0;
+constexpr int32_t kStatVal5p = 5;
+constexpr int32_t kStatVal50p = 50;
+constexpr int32_t kStatVal95p = 95;
+constexpr int32_t kStatVal99p = 99;
+constexpr int32_t kCanonicalPercentiles[] = {
+    kStatVal0p, kStatVal5p, kStatVal50p, kStatVal95p, kStatVal99p};
+
+struct NET_EXPORT_PRIVATE CanonicalStats {
+  CanonicalStats();
+  CanonicalStats(std::map<int32_t, int32_t>& canonical_pcts,
+                 int32_t most_recent_val,
+                 size_t observation_count);
+  CanonicalStats(const CanonicalStats& other);
+  ~CanonicalStats();
+
+  CanonicalStats& operator=(const CanonicalStats& other);
+
+  // Canonical percentiles values for a distribution.
+  std::map<int32_t, int32_t> canonical_pcts;
+
+  // The most recent value.
+  int32_t most_recent_val = 0;
+
+  // Counts the number of observations that were available for
+  // computing these results.
+  size_t observation_count = 0;
+};
 struct WeightedObservation;
 
 // Stores observations sorted by time and provides utility functions for
@@ -79,6 +106,16 @@ class NET_EXPORT_PRIVATE ObservationBuffer {
                                         int percentile,
                                         size_t* observations_count) const;
 
+  // Computes canonical statistic values of the observations for all hosts if
+  // |target_hosts| is empty. Otherwise, computes canonical statistic values
+  // only for hosts that are in the |target_hosts| set. Only observations made
+  // on or after |begin_timestamp| are considered. Returns all canonical
+  // statistics keyed by hosts. These include canonical percentile values, the
+  // most recent value, and the number of observations to compute these values.
+  std::map<IPHash, CanonicalStats> GetCanonicalStatsKeyedByHosts(
+      const base::TimeTicks& begin_timestamp,
+      const std::set<IPHash>& target_hosts) const;
+
   void SetTickClockForTesting(const base::TickClock* tick_clock) {
     tick_clock_ = tick_clock;
   }
diff --git a/chromium/net/nqe/observation_buffer_unittest.cc b/chromium/net/nqe/observation_buffer_unittest.cc
index f5d946f2839..4ccd9b50883 100644
--- a/chromium/net/nqe/observation_buffer_unittest.cc
+++ b/chromium/net/nqe/observation_buffer_unittest.cc
@@ -87,6 +87,91 @@ TEST(NetworkQualityObservationBufferTest, GetPercentileWithWeights) {
   EXPECT_LT(result_lowest, result_highest);
 }
 
+// Verifies that the percentiles are correctly computed when results must be
+// update for each individual host. All observations can have the same timestamp
+// or different timestamps.
+TEST(NetworkQualityObservationBufferTest, GetPercentileStatsForAllHosts) {
+  std::map<std::string, std::string> variation_params;
+  NetworkQualityEstimatorParams params(variation_params);
+  base::SimpleTestTickClock tick_clock;
+  tick_clock.Advance(base::TimeDelta::FromMinutes(1));
+  // The observation buffer holds mixed observations for different hosts.
+  ObservationBuffer mixed_buffer(&params, &tick_clock, 0.5, 1.0);
+  const base::TimeTicks now = tick_clock.NowTicks();
+  const base::TimeTicks history = now - base::TimeDelta::FromMilliseconds(1);
+  const base::TimeTicks future = now + base::TimeDelta::FromMilliseconds(1);
+  const uint64_t host_1 = 0x101010UL;
+  const uint64_t host_2 = 0x202020UL;
+  const size_t total_observaions_count = 100;
+
+  // Inserts samples from {1,2,3,...,100} for |host_1|. Insert samples from
+  // {1,1,2,2,3,3,...,50,50} for |host_2|. Verifies all percentiles are
+  // computed correctly for both hosts.
+  for (size_t i = 1; i <= total_observaions_count; ++i) {
+    mixed_buffer.AddObservation(Observation(
+        i, now, INT32_MIN, NETWORK_QUALITY_OBSERVATION_SOURCE_TCP, host_1));
+    mixed_buffer.AddObservation(
+        Observation((i + 1) / 2, now, INT32_MIN,
+                    NETWORK_QUALITY_OBSERVATION_SOURCE_TCP, host_2));
+  }
+  EXPECT_EQ(total_observaions_count * 2, mixed_buffer.Size());
+
+  std::set<uint64_t> empty_hosts_set;
+  std::map<uint64_t, CanonicalStats> recent_rtt_stats =
+      mixed_buffer.GetCanonicalStatsKeyedByHosts(history, empty_hosts_set);
+
+  // All observations are categories into two groups keyed by two hosts.
+  // In each group, all percentile statistics are updated and the number of
+  // available observations are also updated correctly.
+  EXPECT_EQ(2u, recent_rtt_stats.size());
+  EXPECT_EQ(total_observaions_count,
+            recent_rtt_stats[host_1].observation_count);
+  EXPECT_EQ(total_observaions_count,
+            recent_rtt_stats[host_2].observation_count);
+
+  // Checks all canonical percentile values are correct.
+  // For |host_1|, percentile_val = percentile.
+  EXPECT_EQ(1, recent_rtt_stats[host_1].canonical_pcts[kStatVal0p]);
+  EXPECT_EQ(5, recent_rtt_stats[host_1].canonical_pcts[kStatVal5p]);
+  EXPECT_EQ(50, recent_rtt_stats[host_1].canonical_pcts[kStatVal50p]);
+  EXPECT_EQ(95, recent_rtt_stats[host_1].canonical_pcts[kStatVal95p]);
+  EXPECT_EQ(99, recent_rtt_stats[host_1].canonical_pcts[kStatVal99p]);
+  // For |host_2|, percentile_val = (percentile + 1) / 2.
+  EXPECT_EQ(1, recent_rtt_stats[host_2].canonical_pcts[kStatVal0p]);
+  EXPECT_EQ(3, recent_rtt_stats[host_2].canonical_pcts[kStatVal5p]);
+  EXPECT_EQ(25, recent_rtt_stats[host_2].canonical_pcts[kStatVal50p]);
+  EXPECT_EQ(48, recent_rtt_stats[host_2].canonical_pcts[kStatVal95p]);
+  EXPECT_EQ(50, recent_rtt_stats[host_2].canonical_pcts[kStatVal99p]);
+
+  // Checks results are cleared because all buffered observations expire.
+  // Expects the result map is empty.
+  recent_rtt_stats =
+      mixed_buffer.GetCanonicalStatsKeyedByHosts(future, empty_hosts_set);
+
+  EXPECT_TRUE(recent_rtt_stats.empty());
+
+  // Checks results contain stats only for hosts that were in the set.
+  std::set<uint64_t> target_hosts_set = {host_1};
+  recent_rtt_stats =
+      mixed_buffer.GetCanonicalStatsKeyedByHosts(history, target_hosts_set);
+  EXPECT_EQ(1u, recent_rtt_stats.size());
+  EXPECT_EQ(total_observaions_count,
+            recent_rtt_stats[host_1].observation_count);
+  EXPECT_EQ(1, recent_rtt_stats[host_1].canonical_pcts[kStatVal0p]);
+  EXPECT_EQ(5, recent_rtt_stats[host_1].canonical_pcts[kStatVal5p]);
+  EXPECT_EQ(50, recent_rtt_stats[host_1].canonical_pcts[kStatVal50p]);
+  EXPECT_EQ(95, recent_rtt_stats[host_1].canonical_pcts[kStatVal95p]);
+  EXPECT_EQ(99, recent_rtt_stats[host_1].canonical_pcts[kStatVal99p]);
+  // Checks that host 2 does not present in the results.
+  EXPECT_TRUE(recent_rtt_stats.find(host_2) == recent_rtt_stats.end());
+
+  bool deleted_observation_sources[NETWORK_QUALITY_OBSERVATION_SOURCE_MAX] = {
+      false};
+  deleted_observation_sources[NETWORK_QUALITY_OBSERVATION_SOURCE_TCP] = true;
+  mixed_buffer.RemoveObservationsWithSource(deleted_observation_sources);
+  EXPECT_EQ(0u, mixed_buffer.Size());
+}
+
 // Verifies that the percentiles are correctly computed. All observations have
 // the same timestamp.
 TEST(NetworkQualityObservationBufferTest, PercentileSameTimestamps) {
diff --git a/chromium/net/nqe/peer_to_peer_connections_count_observer.h b/chromium/net/nqe/peer_to_peer_connections_count_observer.h
new file mode 100644
index 00000000000..64b1818ae88
--- /dev/null
+++ b/chromium/net/nqe/peer_to_peer_connections_count_observer.h
@@ -0,0 +1,29 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_NQE_PEER_TO_PEER_CONNECTIONS_COUNT_OBSERVER_H_
+#define NET_NQE_PEER_TO_PEER_CONNECTIONS_COUNT_OBSERVER_H_
+
+#include "base/macros.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// Observes changes in the count of peer to peer connections.
+class NET_EXPORT_PRIVATE PeerToPeerConnectionsCountObserver {
+ public:
+  // Called when there is a change in the count of peer to peer connections.
+  virtual void OnPeerToPeerConnectionsCountChange(uint32_t count) = 0;
+
+ protected:
+  PeerToPeerConnectionsCountObserver() {}
+  virtual ~PeerToPeerConnectionsCountObserver() {}
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(PeerToPeerConnectionsCountObserver);
+};
+
+}  // namespace net
+
+#endif  // NET_NQE_PEER_TO_PEER_CONNECTIONS_COUNT_OBSERVER_H_
diff --git a/chromium/net/nqe/throughput_analyzer.cc b/chromium/net/nqe/throughput_analyzer.cc
index f34bc1b1edd..250ba9f5c7e 100644
--- a/chromium/net/nqe/throughput_analyzer.cc
+++ b/chromium/net/nqe/throughput_analyzer.cc
@@ -41,6 +41,9 @@ bool ShouldDiscardRequest(const URLRequest& request) {
 namespace nqe {
 
 namespace internal {
+// The default content size of a HTML response body. It is set to the median
+// HTML response content size, i.e. 1.8kB.
+constexpr int64_t kDefaultContentSizeBytes = 1800;
 
 ThroughputAnalyzer::ThroughputAnalyzer(
     const NetworkQualityEstimator* network_quality_estimator,
@@ -57,6 +60,7 @@ ThroughputAnalyzer::ThroughputAnalyzer(
       last_connection_change_(tick_clock_->NowTicks()),
       window_start_time_(base::TimeTicks()),
       bits_received_at_window_start_(0),
+      total_response_content_size_(0),
       disable_throughput_measurements_(false),
       use_localhost_requests_for_tests_(false),
       net_log_(net_log) {
@@ -126,9 +130,25 @@ void ThroughputAnalyzer::SetTickClockForTesting(
   DCHECK(tick_clock_);
 }
 
+void ThroughputAnalyzer::UpdateResponseContentSize(const URLRequest* request,
+                                                   int64_t response_size) {
+  DCHECK_LE(0, response_size);
+  // Updates the map and the counter. Subtracts the previous stored response
+  // content size if an old record exists in the map.
+  if (response_content_sizes_.find(request) != response_content_sizes_.end()) {
+    total_response_content_size_ +=
+        response_size - response_content_sizes_[request];
+  } else {
+    total_response_content_size_ += response_size;
+  }
+  response_content_sizes_[request] = response_size;
+}
+
 void ThroughputAnalyzer::NotifyStartTransaction(const URLRequest& request) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
+  UpdateResponseContentSize(&request, kDefaultContentSizeBytes);
+
   if (disable_throughput_measurements_)
     return;
 
@@ -173,6 +193,12 @@ void ThroughputAnalyzer::NotifyBytesRead(const URLRequest& request) {
 void ThroughputAnalyzer::NotifyRequestCompleted(const URLRequest& request) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
+  // Remove the request from the inflight requests if it presents in the map.
+  if (response_content_sizes_.find(&request) != response_content_sizes_.end()) {
+    total_response_content_size_ -= response_content_sizes_[&request];
+    response_content_sizes_.erase(&request);
+  }
+
   if (disable_throughput_measurements_)
     return;
 
@@ -224,6 +250,16 @@ void ThroughputAnalyzer::NotifyRequestCompleted(const URLRequest& request) {
   MaybeStartThroughputObservationWindow();
 }
 
+void ThroughputAnalyzer::NotifyExpectedResponseContentSize(
+    const URLRequest& request,
+    int64_t expected_content_size) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  // Updates when the value is valid.
+  if (expected_content_size >= 0) {
+    UpdateResponseContentSize(&request, expected_content_size);
+  }
+}
+
 bool ThroughputAnalyzer::IsHangingWindow(int64_t bits_received,
                                          base::TimeDelta duration,
                                          double downstream_kbps_double) const {
@@ -349,11 +385,22 @@ int64_t ThroughputAnalyzer::GetBitsReceived() const {
   return NetworkActivityMonitor::GetInstance()->GetBytesReceived() * 8;
 }
 
-size_t ThroughputAnalyzer::CountInFlightRequests() const {
+size_t ThroughputAnalyzer::CountActiveInFlightRequests() const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   return requests_.size();
 }
 
+size_t ThroughputAnalyzer::CountTotalInFlightRequests() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  return response_content_sizes_.size();
+}
+
+int64_t ThroughputAnalyzer::CountTotalContentSizeBytes() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  return total_response_content_size_;
+}
+
 bool ThroughputAnalyzer::DegradesAccuracy(const URLRequest& request) const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
diff --git a/chromium/net/nqe/throughput_analyzer.h b/chromium/net/nqe/throughput_analyzer.h
index 22ee68fdab1..5e3e14cc8d4 100644
--- a/chromium/net/nqe/throughput_analyzer.h
+++ b/chromium/net/nqe/throughput_analyzer.h
@@ -13,6 +13,7 @@
 #include "base/callback.h"
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
+#include "base/optional.h"
 #include "base/sequence_checker.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"
@@ -78,6 +79,13 @@ class NET_EXPORT_PRIVATE ThroughputAnalyzer {
   // Notifies |this| that |request| has completed.
   void NotifyRequestCompleted(const URLRequest& request);
 
+  // Notifies |this| that |request| has an expected response body size in octets
+  // (8-bit bytes). |expected_content_size| is an estimate of total body length
+  // based on the Content-Length header field when available or a general size
+  // estimate when the Content-Length is not provided.
+  void NotifyExpectedResponseContentSize(const URLRequest& request,
+                                         int64_t expected_content_size);
+
   // Notifies |this| of a change in connection type.
   void OnConnectionTypeChanged();
 
@@ -93,12 +101,6 @@ class NET_EXPORT_PRIVATE ThroughputAnalyzer {
   // Overrides the tick clock used by |this| for testing.
   void SetTickClockForTesting(const base::TickClock* tick_clock);
 
- protected:
-  // Exposed for testing.
-  bool disable_throughput_measurements() const {
-    return disable_throughput_measurements_;
-  }
-
   // Returns the number of bits received by Chromium so far. The count may not
   // start from zero, so the caller should only look at difference from a prior
   // call. The count is obtained by polling TrafficStats on Android, and
@@ -108,7 +110,22 @@ class NET_EXPORT_PRIVATE ThroughputAnalyzer {
 
   // Returns the number of in-flight requests that can be used for computing
   // throughput.
-  size_t CountInFlightRequests() const;
+  size_t CountActiveInFlightRequests() const;
+
+  // Returns the total number of in-flight requests. This also includes hanging
+  // requests.
+  size_t CountTotalInFlightRequests() const;
+
+  // Returns the sum of expected response content size in bytes for all inflight
+  // requests. Request with an unknown response content size have the default
+  // response content size.
+  int64_t CountTotalContentSizeBytes() const;
+
+ protected:
+  // Exposed for testing.
+  bool disable_throughput_measurements_for_testing() const {
+    return disable_throughput_measurements_;
+  }
 
   // Removes hanging requests from |requests_|. If any hanging requests are
   // detected to be in-flight, the observation window is ended. Protected for
@@ -124,6 +141,11 @@ class NET_EXPORT_PRIVATE ThroughputAnalyzer {
  private:
   friend class TestThroughputAnalyzer;
 
+  // Mapping from URL request to the expected content size of the response body
+  // for that request. The map tracks all inflight requests. If the expected
+  // content size is not available, the value is set to the default value.
+  typedef std::unordered_map<const URLRequest*, int64_t> ResponseContentSizes;
+
   // Mapping from URL request to the last time data was received for that
   // request.
   typedef std::unordered_map<const URLRequest*, base::TimeTicks> Requests;
@@ -133,6 +155,12 @@ class NET_EXPORT_PRIVATE ThroughputAnalyzer {
   // computation.
   typedef std::unordered_set<const URLRequest*> AccuracyDegradingRequests;
 
+  // Updates the response content size map for |request|. Also keeps the total
+  // response content size counter updated. Adds an new entry if there is no
+  // matching record in the map.
+  void UpdateResponseContentSize(const URLRequest* request,
+                                 int64_t response_size);
+
   // Returns true if downstream throughput can be recorded. In that case,
   // |downstream_kbps| is set to the computed downstream throughput (in
   // kilobits per second). If a downstream throughput observation is taken,
@@ -197,6 +225,13 @@ class NET_EXPORT_PRIVATE ThroughputAnalyzer {
   // throughput computation. These requests are used in throughput computation.
   Requests requests_;
 
+  // Container that holds inflight request sizes. These requests are used in
+  // computing the total of response content size for all inflight requests.
+  ResponseContentSizes response_content_sizes_;
+
+  // The running total of response content size for all inflight requests.
+  int64_t total_response_content_size_;
+
   // Last time when the check for hanging requests was run.
   base::TimeTicks last_hanging_request_check_;
 
diff --git a/chromium/net/nqe/throughput_analyzer_unittest.cc b/chromium/net/nqe/throughput_analyzer_unittest.cc
index 6d5c32b76e6..ebcb2248c80 100644
--- a/chromium/net/nqe/throughput_analyzer_unittest.cc
+++ b/chromium/net/nqe/throughput_analyzer_unittest.cc
@@ -87,8 +87,9 @@ class TestThroughputAnalyzer : public internal::ThroughputAnalyzer {
     context->set_host_resolver(&mock_host_resolver_);
   }
 
-  using internal::ThroughputAnalyzer::disable_throughput_measurements;
-  using internal::ThroughputAnalyzer::CountInFlightRequests;
+  using internal::ThroughputAnalyzer::CountActiveInFlightRequests;
+  using internal::ThroughputAnalyzer::
+      disable_throughput_measurements_for_testing;
   using internal::ThroughputAnalyzer::EraseHangingRequests;
   using internal::ThroughputAnalyzer::IsHangingWindow;
 
@@ -126,7 +127,8 @@ TEST_F(ThroughputAnalyzerTest, MaximumRequests) {
     TestURLRequestContext context;
     throughput_analyzer.AddIPAddressResolution(&context);
 
-    ASSERT_FALSE(throughput_analyzer.disable_throughput_measurements());
+    ASSERT_FALSE(
+        throughput_analyzer.disable_throughput_measurements_for_testing());
     base::circular_deque<std::unique_ptr<URLRequest>> requests;
 
     // Start more requests than the maximum number of requests that can be held
@@ -313,18 +315,18 @@ TEST_F(ThroughputAnalyzerTest, TestHangingRequests) {
     if (test.requests_hang_duration >= base::TimeDelta())
       base::PlatformThread::Sleep(test.requests_hang_duration);
 
-    EXPECT_EQ(num_requests, throughput_analyzer.CountInFlightRequests());
+    EXPECT_EQ(num_requests, throughput_analyzer.CountActiveInFlightRequests());
 
     for (size_t i = 0; i < num_requests; ++i) {
       throughput_analyzer.NotifyRequestCompleted(*requests_not_local.at(i));
       if (!test.expect_throughput_observation) {
         // All in-flight requests should be marked as hanging, and thus should
         // be deleted from the set of in-flight requests.
-        EXPECT_EQ(0u, throughput_analyzer.CountInFlightRequests());
+        EXPECT_EQ(0u, throughput_analyzer.CountActiveInFlightRequests());
       } else {
         // One request should be deleted at one time.
         EXPECT_EQ(requests_not_local.size() - i - 1,
-                  throughput_analyzer.CountInFlightRequests());
+                  throughput_analyzer.CountActiveInFlightRequests());
       }
     }
 
@@ -377,35 +379,35 @@ TEST_F(ThroughputAnalyzerTest, TestHangingRequestsCheckedOnlyPeriodically) {
     throughput_analyzer.NotifyStartTransaction(*requests_not_local.at(i));
   }
 
-  EXPECT_EQ(2u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(2u, throughput_analyzer.CountActiveInFlightRequests());
   tick_clock.Advance(base::TimeDelta::FromMilliseconds(3500));
   // Current time is t = 5.5 seconds.
   throughput_analyzer.EraseHangingRequests(*some_other_request);
-  EXPECT_EQ(2u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(2u, throughput_analyzer.CountActiveInFlightRequests());
 
   tick_clock.Advance(base::TimeDelta::FromMilliseconds(1000));
   // Current time is t = 6.5 seconds.  One request should be marked as hanging.
   throughput_analyzer.EraseHangingRequests(*some_other_request);
-  EXPECT_EQ(1u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(1u, throughput_analyzer.CountActiveInFlightRequests());
 
   // Current time is t = 6.5 seconds. Calling NotifyBytesRead again should not
   // run the hanging request checker since the last check was at t=6.5 seconds.
   throughput_analyzer.EraseHangingRequests(*some_other_request);
-  EXPECT_EQ(1u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(1u, throughput_analyzer.CountActiveInFlightRequests());
 
   tick_clock.Advance(base::TimeDelta::FromMilliseconds(600));
   // Current time is t = 7.1 seconds. Calling NotifyBytesRead again should not
   // run the hanging request checker since the last check was at t=6.5 seconds
   // (less than 1 second ago).
   throughput_analyzer.EraseHangingRequests(*some_other_request);
-  EXPECT_EQ(1u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(1u, throughput_analyzer.CountActiveInFlightRequests());
 
   tick_clock.Advance(base::TimeDelta::FromMilliseconds(400));
   // Current time is t = 7.5 seconds. Calling NotifyBytesRead again should run
   // the hanging request checker since the last check was at t=6.5 seconds (at
   // least 1 second ago).
   throughput_analyzer.EraseHangingRequests(*some_other_request);
-  EXPECT_EQ(0u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(0u, throughput_analyzer.CountActiveInFlightRequests());
 }
 
 // Tests that the last received time for a request is updated when data is
@@ -447,19 +449,19 @@ TEST_F(ThroughputAnalyzerTest, TestLastReceivedTimeIsUpdated) {
   // Current time is t=4.0 seconds.
 
   throughput_analyzer.EraseHangingRequests(*some_other_request);
-  EXPECT_EQ(1u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(1u, throughput_analyzer.CountActiveInFlightRequests());
 
   //  The request will be marked as hanging at t=9 seconds.
   throughput_analyzer.NotifyBytesRead(*request_not_local);
   tick_clock.Advance(base::TimeDelta::FromMilliseconds(4000));
   // Current time is t=8 seconds.
   throughput_analyzer.EraseHangingRequests(*some_other_request);
-  EXPECT_EQ(1u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(1u, throughput_analyzer.CountActiveInFlightRequests());
 
   tick_clock.Advance(base::TimeDelta::FromMilliseconds(2000));
   // Current time is t=10 seconds.
   throughput_analyzer.EraseHangingRequests(*some_other_request);
-  EXPECT_EQ(0u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(0u, throughput_analyzer.CountActiveInFlightRequests());
 }
 
 // Test that a request that has been hanging for a long time is deleted
@@ -492,19 +494,19 @@ TEST_F(ThroughputAnalyzerTest, TestRequestDeletedImmediately) {
   // Start time for the request is t=0 second. The request will be marked as
   // hanging at t=2 seconds.
   throughput_analyzer.NotifyStartTransaction(*request_not_local);
-  EXPECT_EQ(1u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(1u, throughput_analyzer.CountActiveInFlightRequests());
 
   tick_clock.Advance(base::TimeDelta::FromMilliseconds(2900));
   // Current time is t=2.9 seconds.
 
   throughput_analyzer.EraseHangingRequests(*request_not_local);
-  EXPECT_EQ(1u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(1u, throughput_analyzer.CountActiveInFlightRequests());
 
   // |request_not_local| should be deleted since it has been idle for 2.4
   // seconds.
   tick_clock.Advance(base::TimeDelta::FromMilliseconds(500));
   throughput_analyzer.NotifyBytesRead(*request_not_local);
-  EXPECT_EQ(0u, throughput_analyzer.CountInFlightRequests());
+  EXPECT_EQ(0u, throughput_analyzer.CountActiveInFlightRequests());
 }
 
 // Tests if the throughput observation is taken correctly when local and network
diff --git a/chromium/net/ntlm/ntlm_client.h b/chromium/net/ntlm/ntlm_client.h
index 317f40d85ae..16f4833a4bf 100644
--- a/chromium/net/ntlm/ntlm_client.h
+++ b/chromium/net/ntlm/ntlm_client.h
@@ -148,7 +148,7 @@ class NET_EXPORT_PRIVATE NtlmClient {
   // |negotiate_message_|.
   void GenerateNegotiateMessage();
 
-  NtlmFeatures features_;
+  const NtlmFeatures features_;
   NegotiateFlags negotiate_flags_;
   std::vector<uint8_t> negotiate_message_;
 
diff --git a/chromium/net/ntlm/ntlm_client_fuzzer.cc b/chromium/net/ntlm/ntlm_client_fuzzer.cc
index 89977fdacd2..0990e3ce4a2 100644
--- a/chromium/net/ntlm/ntlm_client_fuzzer.cc
+++ b/chromium/net/ntlm/ntlm_client_fuzzer.cc
@@ -9,20 +9,19 @@
 #include <vector>
 
 #include "base/containers/span.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/ntlm/ntlm_client.h"
 #include "net/ntlm/ntlm_test_data.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
-base::string16 ConsumeRandomLengthString16(
-    base::FuzzedDataProvider& data_provider,
-    size_t max_chars) {
+base::string16 ConsumeRandomLengthString16(FuzzedDataProvider& data_provider,
+                                           size_t max_chars) {
   std::string bytes = data_provider.ConsumeRandomLengthString(max_chars * 2);
   return base::string16(reinterpret_cast<const base::char16*>(bytes.data()),
                         bytes.size() / 2);
 }
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider fdp(data, size);
+  FuzzedDataProvider fdp(data, size);
   bool is_v2 = fdp.ConsumeBool();
   uint64_t client_time = fdp.ConsumeIntegral<uint64_t>();
   net::ntlm::NtlmClient client((net::ntlm::NtlmFeatures(is_v2)));
@@ -41,7 +40,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   std::string channel_bindings = fdp.ConsumeRandomLengthString(150);
   std::string spn =
       fdp.ConsumeRandomLengthString(net::ntlm::kMaxFqdnLen + 5 + 1);
-  std::vector<uint8_t> challenge_msg_bytes = fdp.ConsumeRemainingBytes();
+  std::vector<uint8_t> challenge_msg_bytes =
+      fdp.ConsumeRemainingBytes<uint8_t>();
 
   client.GenerateAuthenticateMessage(
       domain, username, password, hostname, channel_bindings, spn, client_time,
diff --git a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.h b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.h
index 433538458a1..b12c048ac2b 100644
--- a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.h
+++ b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.h
@@ -67,9 +67,9 @@ class NET_EXPORT_PRIVATE DhcpPacFileFetcher {
   // Aborts the in-progress fetch (if any).
   virtual void Cancel() = 0;
 
-  // Fails the in-progress fetch (if any) and future requests will fail
-  // immediately. Must be called before the URLRequestContext the fetcher was
-  // created with is torn down.
+  // Cancels the in-progress fetch (if any), without invoking its callback.
+  // Future requests will fail immediately. Must be called before the
+  // URLRequestContext the fetcher was created with is torn down.
   virtual void OnShutdown() = 0;
 
   // After successful completion of |Fetch()|, this will return the URL
diff --git a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher_win.cc b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher_win.cc
index 704b6727abe..13c950406fb 100644
--- a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher_win.cc
+++ b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher_win.cc
@@ -202,9 +202,7 @@ class TaskRunnerWithCap : public base::TaskRunner {
   DISALLOW_COPY_AND_ASSIGN(TaskRunnerWithCap);
 };
 
-base::Value NetLogGetAdaptersDoneCallback(
-    DhcpAdapterNamesLoggingInfo* info,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogGetAdaptersDoneParams(DhcpAdapterNamesLoggingInfo* info) {
   base::Value result(base::Value::Type::DICTIONARY);
 
   // Add information on each of the adapters enumerated (including those that
@@ -246,9 +244,7 @@ base::Value NetLogGetAdaptersDoneCallback(
   return result;
 }
 
-base::Value NetLogFetcherDoneCallback(int fetcher_index,
-                                      int net_error,
-                                      NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogFetcherDoneParams(int fetcher_index, int net_error) {
   base::Value result(base::Value::Type::DICTIONARY);
 
   result.SetIntKey("fetcher_index", fetcher_index);
@@ -323,18 +319,11 @@ void DhcpPacFileFetcherWin::Cancel() {
 void DhcpPacFileFetcherWin::OnShutdown() {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
-  // Back up callback, if there is one, as CancelImpl() will destroy it.
-  net::CompletionOnceCallback callback = std::move(callback_);
-
   // Cancel current request, if there is one.
   CancelImpl();
 
   // Prevent future network requests.
   url_request_context_ = nullptr;
-
-  // Invoke callback with error, if present.
-  if (callback)
-    std::move(callback).Run(ERR_CONTEXT_SHUT_DOWN);
 }
 
 void DhcpPacFileFetcherWin::CancelImpl() {
@@ -370,8 +359,7 @@ void DhcpPacFileFetcherWin::OnGetCandidateAdapterNamesDone(
   logging_info->origin_thread_end_time = base::TimeTicks::Now();
 
   net_log_.EndEvent(NetLogEventType::WPAD_DHCP_WIN_GET_ADAPTERS,
-                    base::Bind(&NetLogGetAdaptersDoneCallback,
-                               base::Unretained(logging_info)));
+                    [&] { return NetLogGetAdaptersDoneParams(logging_info); });
 
   // Enable unit tests to wait for this to happen; in production this function
   // call is a no-op.
@@ -419,9 +407,9 @@ void DhcpPacFileFetcherWin::OnFetcherDone(size_t fetcher_index,
                                           int result) {
   DCHECK(state_ == STATE_NO_RESULTS || state_ == STATE_SOME_RESULTS);
 
-  net_log_.AddEvent(
-      NetLogEventType::WPAD_DHCP_WIN_ON_FETCHER_DONE,
-      base::Bind(&NetLogFetcherDoneCallback, fetcher_index, result));
+  net_log_.AddEvent(NetLogEventType::WPAD_DHCP_WIN_ON_FETCHER_DONE, [&] {
+    return NetLogFetcherDoneParams(fetcher_index, result);
+  });
 
   if (--num_pending_fetchers_ == 0) {
     TransitionToDone();
@@ -502,9 +490,9 @@ void DhcpPacFileFetcherWin::TransitionToDone() {
   DCHECK_EQ(state_, STATE_DONE);
   DCHECK(fetchers_.empty());
 
-  net_log_.EndEvent(
-      NetLogEventType::WPAD_DHCP_WIN_FETCH,
-      base::Bind(&NetLogFetcherDoneCallback, used_fetcher_index, result));
+  net_log_.EndEvent(NetLogEventType::WPAD_DHCP_WIN_FETCH, [&] {
+    return NetLogFetcherDoneParams(used_fetcher_index, result);
+  });
 
   // We may be deleted re-entrantly within this outcall.
   std::move(callback).Run(result);
diff --git a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher_win_unittest.cc b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher_win_unittest.cc
index b47d84bb17a..718738ac148 100644
--- a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher_win_unittest.cc
+++ b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher_win_unittest.cc
@@ -689,8 +689,8 @@ TEST(DhcpPacFileFetcherWin, OnShutdown) {
   client.RunTest();
 
   client.fetcher_.OnShutdown();
-  EXPECT_TRUE(client.finished_);
-  EXPECT_THAT(client.result_, IsError(ERR_CONTEXT_SHUT_DOWN));
+  base::RunLoop().RunUntilIdle();
+  EXPECT_FALSE(client.finished_);
 
   client.ResetTestState();
   EXPECT_THAT(client.RunTestThatMayFailSync(), IsError(ERR_CONTEXT_SHUT_DOWN));
diff --git a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
index 479c9c53f5f..e8623497dd2 100644
--- a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
+++ b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
@@ -294,9 +294,9 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
       net_log_.EndEvent(NetLogEventType::WAITING_FOR_PROXY_RESOLVER_THREAD);
     }
 
-    net_log_.AddEvent(
-        NetLogEventType::SUBMITTED_TO_RESOLVER_THREAD,
-        NetLog::IntCallback("thread_number", executor()->thread_number()));
+    net_log_.AddEventWithIntParams(
+        NetLogEventType::SUBMITTED_TO_RESOLVER_THREAD, "thread_number",
+        executor()->thread_number());
   }
 
   // Runs on the worker thread.
diff --git a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
index 6c93f5d6c9a..a1a3c3b0347 100644
--- a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
+++ b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
@@ -22,7 +22,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/proxy_resolution/mock_proxy_resolver.h"
 #include "net/proxy_resolution/proxy_info.h"
@@ -273,8 +272,7 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_Basic) {
   // on completion, this should have been copied into |log0|.
   // We also have 1 log entry that was emitted by the
   // MultiThreadedProxyResolver.
-  TestNetLogEntry::List entries0;
-  log0.GetEntries(&entries0);
+  auto entries0 = log0.GetEntries();
 
   ASSERT_EQ(2u, entries0.size());
   EXPECT_EQ(NetLogEventType::SUBMITTED_TO_RESOLVER_THREAD, entries0[0].type);
@@ -366,8 +364,7 @@ TEST_F(MultiThreadedProxyResolverTest,
   EXPECT_EQ(0, callback0.WaitForResult());
   EXPECT_EQ("PROXY request0:80", results0.ToPacString());
 
-  TestNetLogEntry::List entries0;
-  log0.GetEntries(&entries0);
+  auto entries0 = log0.GetEntries();
 
   ASSERT_EQ(2u, entries0.size());
   EXPECT_EQ(NetLogEventType::SUBMITTED_TO_RESOLVER_THREAD, entries0[0].type);
@@ -376,8 +373,7 @@ TEST_F(MultiThreadedProxyResolverTest,
   EXPECT_EQ(1, callback1.WaitForResult());
   EXPECT_EQ("PROXY request1:80", results1.ToPacString());
 
-  TestNetLogEntry::List entries1;
-  log1.GetEntries(&entries1);
+  auto entries1 = log1.GetEntries();
 
   ASSERT_EQ(4u, entries1.size());
   EXPECT_TRUE(LogContainsBeginEvent(
@@ -389,8 +385,7 @@ TEST_F(MultiThreadedProxyResolverTest,
   EXPECT_EQ(2, callback2.WaitForResult());
   EXPECT_EQ("PROXY request2:80", results2.ToPacString());
 
-  TestNetLogEntry::List entries2;
-  log2.GetEntries(&entries2);
+  auto entries2 = log2.GetEntries();
 
   ASSERT_EQ(4u, entries2.size());
   EXPECT_TRUE(LogContainsBeginEvent(
diff --git a/chromium/net/proxy_resolution/pac_file_decider.cc b/chromium/net/proxy_resolution/pac_file_decider.cc
index d90e3bf15cf..8c5fc8d644a 100644
--- a/chromium/net/proxy_resolution/pac_file_decider.cc
+++ b/chromium/net/proxy_resolution/pac_file_decider.cc
@@ -66,9 +66,8 @@ PacFileDataWithSource::PacFileDataWithSource(const PacFileDataWithSource&) =
 PacFileDataWithSource& PacFileDataWithSource::operator=(
     const PacFileDataWithSource&) = default;
 
-base::Value PacFileDecider::PacSource::NetLogCallback(
-    const GURL* effective_pac_url,
-    NetLogCaptureMode /* capture_mode */) const {
+base::Value PacFileDecider::PacSource::NetLogParams(
+    const GURL& effective_pac_url) const {
   base::Value dict(base::Value::Type::DICTIONARY);
   std::string source;
   switch (type) {
@@ -77,11 +76,11 @@ base::Value PacFileDecider::PacSource::NetLogCallback(
       break;
     case PacSource::WPAD_DNS:
       source = "WPAD DNS: ";
-      source += effective_pac_url->possibly_invalid_spec();
+      source += effective_pac_url.possibly_invalid_spec();
       break;
     case PacSource::CUSTOM:
       source = "Custom PAC URL: ";
-      source += effective_pac_url->possibly_invalid_spec();
+      source += effective_pac_url.possibly_invalid_spec();
       break;
   }
   dict.SetStringKey("source", source);
@@ -147,13 +146,8 @@ void PacFileDecider::OnShutdown() {
   if (next_state_ == STATE_NONE)
     return;
 
-  CompletionOnceCallback callback = std::move(callback_);
-
   // Just cancel any pending work.
   Cancel();
-
-  if (callback)
-    std::move(callback).Run(ERR_CONTEXT_SHUT_DOWN);
 }
 
 const ProxyConfigWithAnnotation& PacFileDecider::effective_config() const {
@@ -317,10 +311,9 @@ int PacFileDecider::DoFetchPacScript() {
   GURL effective_pac_url;
   DetermineURL(pac_source, &effective_pac_url);
 
-  net_log_.BeginEvent(
-      NetLogEventType::PAC_FILE_DECIDER_FETCH_PAC_SCRIPT,
-      base::Bind(&PacSource::NetLogCallback, base::Unretained(&pac_source),
-                 &effective_pac_url));
+  net_log_.BeginEvent(NetLogEventType::PAC_FILE_DECIDER_FETCH_PAC_SCRIPT, [&] {
+    return pac_source.NetLogParams(effective_pac_url);
+  });
 
   if (pac_source.type == PacSource::WPAD_DHCP) {
     if (!dhcp_pac_file_fetcher_) {
diff --git a/chromium/net/proxy_resolution/pac_file_decider.h b/chromium/net/proxy_resolution/pac_file_decider.h
index 24002bbc303..a6d4fdb2cc4 100644
--- a/chromium/net/proxy_resolution/pac_file_decider.h
+++ b/chromium/net/proxy_resolution/pac_file_decider.h
@@ -32,7 +32,6 @@ namespace net {
 
 class DhcpPacFileFetcher;
 class NetLog;
-class NetLogCaptureMode;
 class ProxyResolver;
 class PacFileFetcher;
 
@@ -100,7 +99,8 @@ class NET_EXPORT_PRIVATE PacFileDecider {
             CompletionOnceCallback callback);
 
   // Shuts down any in-progress DNS requests, and cancels any ScriptFetcher
-  // requests.  Does not call OnShutdown on the [Dhcp]PacFileFetcher.
+  // requests. Does not call OnShutdown() on the [Dhcp]PacFileFetcher. Any
+  // pending callback will not be invoked.
   void OnShutdown();
 
   const ProxyConfigWithAnnotation& effective_config() const;
@@ -119,11 +119,10 @@ class NET_EXPORT_PRIVATE PacFileDecider {
 
     PacSource(Type type, const GURL& url) : type(type), url(url) {}
 
-    // Returns a Value representing the PacSource.  |effective_pac_url| must
-    // be non-NULL and point to the URL derived from information contained in
+    // Returns a Value representing the PacSource.  |effective_pac_url| is the
+    // URL derived from information contained in
     // |this|, if Type is not WPAD_DHCP.
-    base::Value NetLogCallback(const GURL* effective_pac_url,
-                               NetLogCaptureMode capture_mode) const;
+    base::Value NetLogParams(const GURL& effective_pac_url) const;
 
     Type type;
     GURL url;  // Empty unless |type == PAC_SOURCE_CUSTOM|.
diff --git a/chromium/net/proxy_resolution/pac_file_decider_unittest.cc b/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
index cd3d212cde9..8a89c513526 100644
--- a/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
+++ b/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
@@ -20,7 +20,6 @@
 #include "net/dns/mock_host_resolver.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/proxy_resolution/dhcp_pac_file_fetcher.h"
 #include "net/proxy_resolution/mock_pac_file_fetcher.h"
@@ -219,8 +218,7 @@ TEST(PacFileDeciderTest, CustomPacSucceeds) {
   EXPECT_FALSE(decider.script_data().from_auto_detect);
 
   // Check the NetLog was filled correctly.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(4u, entries.size());
   EXPECT_TRUE(
@@ -257,8 +255,7 @@ TEST(PacFileDeciderTest, CustomPacFails1) {
   EXPECT_FALSE(decider.script_data().data);
 
   // Check the NetLog was filled correctly.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(4u, entries.size());
   EXPECT_TRUE(
@@ -473,7 +470,8 @@ TEST_F(PacFileDeciderQuickCheckTest, ShutdownDuringResolve) {
 
   decider_->OnShutdown();
   EXPECT_FALSE(resolver_.has_pending_requests());
-  EXPECT_THAT(callback_.WaitForResult(), IsError(ERR_CONTEXT_SHUT_DOWN));
+  base::RunLoop().RunUntilIdle();
+  EXPECT_FALSE(callback_.have_result());
 }
 
 // Regression test for http://crbug.com/409698.
@@ -545,8 +543,7 @@ TEST(PacFileDeciderTest, AutodetectFailCustomSuccess2) {
   // Check the NetLog was filled correctly.
   // (Note that various states are repeated since both WPAD and custom
   // PAC scripts are tried).
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(10u, entries.size());
   EXPECT_TRUE(
@@ -651,8 +648,7 @@ TEST(PacFileDeciderTest, CustomPacFails1_WithPositiveDelay) {
   EXPECT_FALSE(decider.script_data().data);
 
   // Check the NetLog was filled correctly.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(6u, entries.size());
   EXPECT_TRUE(
@@ -693,8 +689,7 @@ TEST(PacFileDeciderTest, CustomPacFails1_WithNegativeDelay) {
   EXPECT_FALSE(decider.script_data().data);
 
   // Check the NetLog was filled correctly.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(4u, entries.size());
   EXPECT_TRUE(
diff --git a/chromium/net/proxy_resolution/pac_file_fetcher_impl.cc b/chromium/net/proxy_resolution/pac_file_fetcher_impl.cc
index da10413fe1b..506eeac9732 100644
--- a/chromium/net/proxy_resolution/pac_file_fetcher_impl.cc
+++ b/chromium/net/proxy_resolution/pac_file_fetcher_impl.cc
@@ -335,8 +335,7 @@ PacFileFetcherImpl::PacFileFetcherImpl(URLRequestContext* url_request_context,
       result_text_(nullptr),
       max_response_bytes_(kDefaultMaxResponseBytes),
       max_duration_(kDefaultMaxDuration),
-      allow_file_url_(allow_file_url),
-      weak_factory_(this) {
+      allow_file_url_(allow_file_url) {
   DCHECK(url_request_context);
 }
 
diff --git a/chromium/net/proxy_resolution/pac_file_fetcher_impl.h b/chromium/net/proxy_resolution/pac_file_fetcher_impl.h
index 7bc1daaacf1..397bf228020 100644
--- a/chromium/net/proxy_resolution/pac_file_fetcher_impl.h
+++ b/chromium/net/proxy_resolution/pac_file_fetcher_impl.h
@@ -161,7 +161,7 @@ class NET_EXPORT PacFileFetcherImpl : public PacFileFetcher,
 
   // Factory for creating the time-out task. This takes care of revoking
   // outstanding tasks when |this| is deleted.
-  base::WeakPtrFactory<PacFileFetcherImpl> weak_factory_;
+  base::WeakPtrFactory<PacFileFetcherImpl> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(PacFileFetcherImpl);
 };
diff --git a/chromium/net/proxy_resolution/pac_library_unittest.cc b/chromium/net/proxy_resolution/pac_library_unittest.cc
index 1b166805ce3..9337c5b9568 100644
--- a/chromium/net/proxy_resolution/pac_library_unittest.cc
+++ b/chromium/net/proxy_resolution/pac_library_unittest.cc
@@ -254,10 +254,10 @@ class MockSocketFactory : public ClientSocketFactory {
     return nullptr;
   }
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> stream_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override {
+      const SSLConfig& ssl_config) override {
     ADD_FAILURE() << "Called CreateSSLClientSocket()";
     return nullptr;
   }
diff --git a/chromium/net/proxy_resolution/proxy_config_service_android.cc b/chromium/net/proxy_resolution/proxy_config_service_android.cc
index 8c04674c208..81d70aba5f2 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_android.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_android.cc
@@ -20,8 +20,8 @@
 #include "base/strings/string_tokenizer.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
-#include "jni/ProxyChangeListener_jni.h"
 #include "net/base/host_port_pair.h"
+#include "net/net_jni_headers/ProxyChangeListener_jni.h"
 #include "net/proxy_resolution/proxy_config_with_annotation.h"
 #include "url/third_party/mozilla/url_parse.h"
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_android_unittest.cc b/chromium/net/proxy_resolution/proxy_config_service_android_unittest.cc
index 7052903e2a0..6283c448f98 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_android_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_android_unittest.cc
@@ -13,7 +13,7 @@
 #include "base/compiler_specific.h"
 #include "base/run_loop.h"
 #include "base/threading/thread_task_runner_handle.h"
-#include "jni/AndroidProxyConfigServiceTestUtil_jni.h"
+#include "net/net_test_jni_headers/AndroidProxyConfigServiceTestUtil_jni.h"
 #include "net/proxy_resolution/proxy_config_with_annotation.h"
 #include "net/proxy_resolution/proxy_info.h"
 #include "net/test/test_with_scoped_task_environment.h"
diff --git a/chromium/net/proxy_resolution/proxy_info.cc b/chromium/net/proxy_resolution/proxy_info.cc
index 762756d9a4e..cb0bf4eb0f6 100644
--- a/chromium/net/proxy_resolution/proxy_info.cc
+++ b/chromium/net/proxy_resolution/proxy_info.cc
@@ -8,10 +8,7 @@
 
 namespace net {
 
-ProxyInfo::ProxyInfo()
-    : did_bypass_proxy_(false),
-      did_use_pac_script_(false),
-      did_use_auto_detected_pac_script_(false) {}
+ProxyInfo::ProxyInfo() : did_bypass_proxy_(false), did_use_pac_script_(false) {}
 
 ProxyInfo::ProxyInfo(const ProxyInfo& other) = default;
 
@@ -25,7 +22,6 @@ void ProxyInfo::Use(const ProxyInfo& other) {
   traffic_annotation_ = other.traffic_annotation_;
   did_bypass_proxy_ = other.did_bypass_proxy_;
   did_use_pac_script_ = other.did_use_pac_script_;
-  did_use_auto_detected_pac_script_ = other.did_use_auto_detected_pac_script_;
 }
 
 void ProxyInfo::UseDirect() {
@@ -92,7 +88,6 @@ void ProxyInfo::Reset() {
   traffic_annotation_.reset();
   did_bypass_proxy_ = false;
   did_use_pac_script_ = false;
-  did_use_auto_detected_pac_script_ = false;
 }
 
 }  // namespace net
diff --git a/chromium/net/proxy_resolution/proxy_info.h b/chromium/net/proxy_resolution/proxy_info.h
index daa5862ebda..e3ea8da6a07 100644
--- a/chromium/net/proxy_resolution/proxy_info.h
+++ b/chromium/net/proxy_resolution/proxy_info.h
@@ -127,12 +127,6 @@ class NET_EXPORT ProxyInfo {
     return did_use_pac_script_;
   }
 
-  // Returns true if the proxy list was obtained from a PAC script that
-  // was auto-detected.
-  bool did_use_auto_detected_pac_script() const {
-    return did_use_auto_detected_pac_script_;
-  }
-
   // Returns the first valid proxy server. is_empty() must be false to be able
   // to call this function.
   const ProxyServer& proxy_server() const { return proxy_list_.Get(); }
@@ -209,7 +203,6 @@ class NET_EXPORT ProxyInfo {
 
   // Whether we used a PAC script for resolving the proxy.
   bool did_use_pac_script_;
-  bool did_use_auto_detected_pac_script_;
 
   // How long it took to resolve the proxy.  Times are both null if proxy was
   // determined synchronously without running a PAC.
diff --git a/chromium/net/proxy_resolution/proxy_list.cc b/chromium/net/proxy_resolution/proxy_list.cc
index b2e9071a0be..eb7b7d8800a 100644
--- a/chromium/net/proxy_resolution/proxy_list.cc
+++ b/chromium/net/proxy_resolution/proxy_list.cc
@@ -183,8 +183,8 @@ void ProxyList::AddProxyToRetryList(ProxyRetryInfoMap* proxy_retry_info,
     retry_info.net_error = net_error;
     (*proxy_retry_info)[proxy_key] = retry_info;
   }
-  net_log.AddEvent(NetLogEventType::PROXY_LIST_FALLBACK,
-                   NetLog::StringCallback("bad_proxy", &proxy_key));
+  net_log.AddEventWithStringParams(NetLogEventType::PROXY_LIST_FALLBACK,
+                                   "bad_proxy", proxy_key);
 }
 
 void ProxyList::UpdateRetryInfoOnFallback(
diff --git a/chromium/net/proxy_resolution/proxy_resolution_service.cc b/chromium/net/proxy_resolution/proxy_resolution_service.cc
index 9f906ae1939..fc422b4390c 100644
--- a/chromium/net/proxy_resolution/proxy_resolution_service.cc
+++ b/chromium/net/proxy_resolution/proxy_resolution_service.cc
@@ -314,10 +314,9 @@ class ProxyResolverFactoryForPacResult : public ProxyResolverFactory {
 };
 
 // Returns NetLog parameters describing a proxy configuration change.
-base::Value NetLogProxyConfigChangedCallback(
+base::Value NetLogProxyConfigChangedParams(
     const base::Optional<ProxyConfigWithAnnotation>* old_config,
-    const ProxyConfigWithAnnotation* new_config,
-    NetLogCaptureMode /* capture_mode */) {
+    const ProxyConfigWithAnnotation* new_config) {
   base::Value dict(base::Value::Type::DICTIONARY);
   // The "old_config" is optional -- the first notification will not have
   // any "previous" configuration.
@@ -327,8 +326,7 @@ base::Value NetLogProxyConfigChangedCallback(
   return dict;
 }
 
-base::Value NetLogBadProxyListCallback(const ProxyRetryInfoMap* retry_info,
-                                       NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogBadProxyListParams(const ProxyRetryInfoMap* retry_info) {
   base::Value dict(base::Value::Type::DICTIONARY);
   base::Value list(base::Value::Type::LIST);
 
@@ -339,9 +337,7 @@ base::Value NetLogBadProxyListCallback(const ProxyRetryInfoMap* retry_info,
 }
 
 // Returns NetLog parameters on a successfuly proxy resolution.
-base::Value NetLogFinishedResolvingProxyCallback(
-    const ProxyInfo* result,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogFinishedResolvingProxyParams(const ProxyInfo* result) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetStringKey("pac_string", result->ToPacString());
   return dict;
@@ -441,7 +437,6 @@ class ProxyResolutionService::InitProxyResolver {
   InitProxyResolver()
       : proxy_resolver_factory_(nullptr),
         proxy_resolver_(nullptr),
-        resolver_using_auto_detected_script_(nullptr),
         next_state_(STATE_NONE),
         quick_check_enabled_(true) {}
 
@@ -453,11 +448,7 @@ class ProxyResolutionService::InitProxyResolver {
   // Begins initializing the proxy resolver; calls |callback| when done. A
   // ProxyResolver instance will be created using |proxy_resolver_factory| and
   // assigned to |*proxy_resolver| if the final result is OK.
-  // |*resolver_using_auto_detected_script| will be set to true if
-  // |proxy_resolver| was initialized using script data that originates from
-  // proxy auto-detection.
   int Start(std::unique_ptr<ProxyResolver>* proxy_resolver,
-            bool* resolver_using_auto_detected_script,
             ProxyResolverFactory* proxy_resolver_factory,
             PacFileFetcher* pac_file_fetcher,
             DhcpPacFileFetcher* dhcp_pac_file_fetcher,
@@ -467,7 +458,6 @@ class ProxyResolutionService::InitProxyResolver {
             CompletionOnceCallback callback) {
     DCHECK_EQ(STATE_NONE, next_state_);
     proxy_resolver_ = proxy_resolver;
-    resolver_using_auto_detected_script_ = resolver_using_auto_detected_script;
     proxy_resolver_factory_ = proxy_resolver_factory;
 
     decider_.reset(
@@ -486,11 +476,7 @@ class ProxyResolutionService::InitProxyResolver {
   // inputs for initializing the ProxyResolver. A ProxyResolver instance will
   // be created using |proxy_resolver_factory| and assigned to
   // |*proxy_resolver| if the final result is OK.
-  // |*resolver_using_auto_detected_script| will be set to true if
-  // |proxy_resolver| was initialized using script data that originates from
-  // proxy auto-detection.
   int StartSkipDecider(std::unique_ptr<ProxyResolver>* proxy_resolver,
-                       bool* resolver_using_auto_detected_script,
                        ProxyResolverFactory* proxy_resolver_factory,
                        const ProxyConfigWithAnnotation& effective_config,
                        int decider_result,
@@ -498,7 +484,6 @@ class ProxyResolutionService::InitProxyResolver {
                        CompletionOnceCallback callback) {
     DCHECK_EQ(STATE_NONE, next_state_);
     proxy_resolver_ = proxy_resolver;
-    resolver_using_auto_detected_script_ = resolver_using_auto_detected_script;
     proxy_resolver_factory_ = proxy_resolver_factory;
 
     effective_config_ = effective_config;
@@ -613,11 +598,8 @@ class ProxyResolutionService::InitProxyResolver {
   }
 
   int DoCreateResolverComplete(int result) {
-    if (result == OK) {
-      *resolver_using_auto_detected_script_ = script_data_.from_auto_detect;
-    } else {
+    if (result != OK)
       proxy_resolver_->reset();
-    }
     return result;
   }
 
@@ -636,7 +618,6 @@ class ProxyResolutionService::InitProxyResolver {
   ProxyResolverFactory* proxy_resolver_factory_;
   std::unique_ptr<ProxyResolverFactory::Request> create_resolver_request_;
   std::unique_ptr<ProxyResolver>* proxy_resolver_;
-  bool* resolver_using_auto_detected_script_;
   CompletionOnceCallback callback_;
   State next_state_;
   bool quick_check_enabled_;
@@ -691,8 +672,7 @@ class ProxyResolutionService::PacFileDeciderPoller {
         dhcp_pac_file_fetcher_(dhcp_pac_file_fetcher),
         last_error_(init_net_error),
         last_script_data_(init_script_data),
-        last_poll_time_(TimeTicks::Now()),
-        weak_factory_(this) {
+        last_poll_time_(TimeTicks::Now()) {
     // Set the initial poll delay.
     next_poll_mode_ = poll_policy()->GetNextDelay(
         last_error_, TimeDelta::FromSeconds(-1), &next_poll_delay_);
@@ -846,7 +826,7 @@ class ProxyResolutionService::PacFileDeciderPoller {
 
   bool quick_check_enabled_;
 
-  base::WeakPtrFactory<PacFileDeciderPoller> weak_factory_;
+  base::WeakPtrFactory<PacFileDeciderPoller> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(PacFileDeciderPoller);
 };
@@ -905,7 +885,6 @@ class ProxyResolutionService::RequestImpl
   // Outstanding requests are cancelled during ~ProxyResolutionService, so this
   // is guaranteed to be valid throughout our lifetime.
   ProxyResolutionService* service_;
-  bool resolver_using_auto_detected_script_;
   CompletionOnceCallback user_callback_;
   ProxyInfo* results_;
   GURL url_;
@@ -964,8 +943,6 @@ int ProxyResolutionService::RequestImpl::Start() {
   if (service_->ApplyPacBypassRules(url_, results_))
     return OK;
 
-  resolver_using_auto_detected_script_ =
-      service_->resolver_using_auto_detected_script_;
   return resolver()->GetProxyForURL(
       url_, results_,
       base::Bind(&ProxyResolutionService::RequestImpl::QueryComplete,
@@ -1003,8 +980,6 @@ int ProxyResolutionService::RequestImpl::QueryDidComplete(int result_code) {
   // Make a note in the results which configuration was in use at the
   // time of the resolve.
   results_->did_use_pac_script_ = true;
-  results_->did_use_auto_detected_pac_script_ =
-      resolver_using_auto_detected_script_;
   results_->proxy_resolve_start_time_ = creation_time_;
   results_->proxy_resolve_end_time_ = TimeTicks::Now();
 
@@ -1066,8 +1041,7 @@ ProxyResolutionService::ProxyResolutionService(
       net_log_(net_log),
       stall_proxy_auto_config_delay_(
           TimeDelta::FromMilliseconds(kDelayAfterNetworkChangesMs)),
-      quick_check_enabled_(true),
-      weak_ptr_factory_(this) {
+      quick_check_enabled_(true) {
   NetworkChangeNotifier::AddIPAddressObserver(this);
   NetworkChangeNotifier::AddDNSObserver(this);
   config_service_->AddObserver(this);
@@ -1411,9 +1385,9 @@ void ProxyResolutionService::ReportSuccess(const ProxyInfo& result) {
       existing->second.bad_until = iter->second.bad_until;
   }
   if (net_log_) {
-    net_log_->AddGlobalEntry(
-        NetLogEventType::BAD_PROXY_LIST_REPORTED,
-        base::Bind(&NetLogBadProxyListCallback, &new_retry_info));
+    net_log_->AddGlobalEntry(NetLogEventType::BAD_PROXY_LIST_REPORTED, [&] {
+      return NetLogBadProxyListParams(&new_retry_info);
+    });
   }
 }
 
@@ -1443,7 +1417,7 @@ int ProxyResolutionService::DidFinishResolvingProxy(
 
     net_log.AddEvent(
         NetLogEventType::PROXY_RESOLUTION_SERVICE_RESOLVED_PROXY_LIST,
-        base::Bind(&NetLogFinishedResolvingProxyCallback, result));
+        [&] { return NetLogFinishedResolvingProxyParams(result); });
 
     // This check is done to only log the NetLog event when necessary, it's
     // not a performance optimization.
@@ -1451,7 +1425,7 @@ int ProxyResolutionService::DidFinishResolvingProxy(
       result->DeprioritizeBadProxies(proxy_retry_info_);
       net_log.AddEvent(
           NetLogEventType::PROXY_RESOLUTION_SERVICE_DEPRIORITIZED_BAD_PROXIES,
-          base::Bind(&NetLogFinishedResolvingProxyCallback, result));
+          [&] { return NetLogFinishedResolvingProxyParams(result); });
     }
   } else {
     net_log.AddEventWithNetErrorCode(
@@ -1638,9 +1612,10 @@ void ProxyResolutionService::OnProxyConfigChanged(
 
   // Emit the proxy settings change to the NetLog stream.
   if (net_log_) {
-    net_log_->AddGlobalEntry(NetLogEventType::PROXY_CONFIG_CHANGED,
-                             base::Bind(&NetLogProxyConfigChangedCallback,
-                                        &fetched_config_, &effective_config));
+    net_log_->AddGlobalEntry(NetLogEventType::PROXY_CONFIG_CHANGED, [&] {
+      return NetLogProxyConfigChangedParams(&fetched_config_,
+                                            &effective_config);
+    });
   }
 
   if (config.value().has_pac_url()) {
@@ -1686,8 +1661,7 @@ void ProxyResolutionService::InitializeUsingLastFetchedConfig() {
   init_proxy_resolver_.reset(new InitProxyResolver());
   init_proxy_resolver_->set_quick_check_enabled(quick_check_enabled_);
   int rv = init_proxy_resolver_->Start(
-      &resolver_, &resolver_using_auto_detected_script_,
-      resolver_factory_.get(), pac_file_fetcher_.get(),
+      &resolver_, resolver_factory_.get(), pac_file_fetcher_.get(),
       dhcp_pac_file_fetcher_.get(), net_log_, fetched_config_.value(),
       wait_delay,
       base::Bind(&ProxyResolutionService::OnInitProxyResolverComplete,
@@ -1710,8 +1684,8 @@ void ProxyResolutionService::InitializeUsingDecidedConfig(
 
   init_proxy_resolver_.reset(new InitProxyResolver());
   int rv = init_proxy_resolver_->StartSkipDecider(
-      &resolver_, &resolver_using_auto_detected_script_,
-      resolver_factory_.get(), effective_config, decider_result, script_data,
+      &resolver_, resolver_factory_.get(), effective_config, decider_result,
+      script_data,
       base::Bind(&ProxyResolutionService::OnInitProxyResolverComplete,
                  base::Unretained(this)));
 
diff --git a/chromium/net/proxy_resolution/proxy_resolution_service.h b/chromium/net/proxy_resolution/proxy_resolution_service.h
index d2f1edcd658..4af3df269d4 100644
--- a/chromium/net/proxy_resolution/proxy_resolution_service.h
+++ b/chromium/net/proxy_resolution/proxy_resolution_service.h
@@ -373,11 +373,8 @@ class NET_EXPORT ProxyResolutionService
   std::unique_ptr<ProxyConfigService> config_service_;
   std::unique_ptr<ProxyResolverFactory> resolver_factory_;
 
-  // If non-null, the initialized ProxyResolver to use for requests, and a
-  // boolean indicating whether it was initialized using an auto-detected
-  // script.
+  // If non-null, the initialized ProxyResolver to use for requests.
   std::unique_ptr<ProxyResolver> resolver_;
-  bool resolver_using_auto_detected_script_;
 
   // We store the proxy configuration that was last fetched from the
   // ProxyConfigService, as well as the resulting "effective" configuration.
@@ -443,7 +440,7 @@ class NET_EXPORT ProxyResolutionService
 
   // Flag used by |SetReady()| to check if |this| has been deleted by a
   // synchronous callback.
-  base::WeakPtrFactory<ProxyResolutionService> weak_ptr_factory_;
+  base::WeakPtrFactory<ProxyResolutionService> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ProxyResolutionService);
 };
diff --git a/chromium/net/proxy_resolution/proxy_resolution_service_unittest.cc b/chromium/net/proxy_resolution/proxy_resolution_service_unittest.cc
index b00fe1239f2..ff284401b86 100644
--- a/chromium/net/proxy_resolution/proxy_resolution_service_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_resolution_service_unittest.cc
@@ -24,7 +24,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/proxy_resolution/dhcp_pac_file_fetcher.h"
 #include "net/proxy_resolution/mock_pac_file_fetcher.h"
@@ -409,8 +408,7 @@ TEST_F(ProxyResolutionServiceTest, Direct) {
   EXPECT_TRUE(info.proxy_resolve_end_time().is_null());
 
   // Check the NetLog was filled correctly.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(3u, entries.size());
   EXPECT_TRUE(LogContainsBeginEvent(entries, 0,
@@ -915,8 +913,7 @@ TEST_F(ProxyResolutionServiceTest, PAC) {
   EXPECT_LE(info.proxy_resolve_start_time(), info.proxy_resolve_end_time());
 
   // Check the NetLog was filled correctly.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(5u, entries.size());
   EXPECT_TRUE(LogContainsBeginEvent(entries, 0,
@@ -2494,8 +2491,7 @@ TEST_F(ProxyResolutionServiceTest, CancelWhilePACFetching) {
   EXPECT_FALSE(callback1.have_result());  // Cancelled.
   EXPECT_FALSE(callback2.have_result());  // Cancelled.
 
-  TestNetLogEntry::List entries1;
-  log1.GetEntries(&entries1);
+  auto entries1 = log1.GetEntries();
 
   // Check the NetLog for request 1 (which was cancelled) got filled properly.
   EXPECT_EQ(4u, entries1.size());
@@ -3037,8 +3033,7 @@ TEST_F(ProxyResolutionServiceTest, NetworkChangeTriggersPacRefetch) {
   // Check that the expected events were output to the log stream. In particular
   // PROXY_CONFIG_CHANGED should have only been emitted once (for the initial
   // setup), and NOT a second time when the IP address changed.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_TRUE(LogContainsEntryWithType(entries, 0,
                                        NetLogEventType::PROXY_CONFIG_CHANGED));
@@ -3854,9 +3849,9 @@ TEST_F(ProxyResolutionServiceTest, OnShutdownWithLiveRequest) {
   EXPECT_EQ(GURL("http://foopy/proxy.pac"), fetcher->pending_request_url());
 
   service.OnShutdown();
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
+  base::RunLoop().RunUntilIdle();
+  EXPECT_FALSE(callback.have_result());
   EXPECT_FALSE(fetcher->has_pending_request());
-  EXPECT_TRUE(info.is_direct());
 }
 
 TEST_F(ProxyResolutionServiceTest, OnShutdownFollowedByRequest) {
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.cc b/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.cc
index 3f7b5e810a5..b2f36ba8088 100644
--- a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.cc
+++ b/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.cc
@@ -14,7 +14,7 @@
 #include "base/macros.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/stringprintf.h"
-#include "base/synchronization/cancellation_flag.h"
+#include "base/synchronization/atomic_flag.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/thread.h"
 #include "base/threading/thread_checker.h"
@@ -220,7 +220,7 @@ class Job : public base::RefCountedThreadSafe<Job>,
   CompletionOnceCallback callback_;
 
   // Flag to indicate whether the request has been cancelled.
-  base::CancellationFlag cancelled_;
+  base::AtomicFlag cancelled_;
 
   // The operation that this Job is running.
   // Initialized on origin thread and then accessed from both threads.
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper.cc b/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper.cc
deleted file mode 100644
index 879756e3118..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper.cc
+++ /dev/null
@@ -1,190 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/proxy_resolver_v8_tracing_wrapper.h"
-
-#include <string>
-#include <utility>
-
-#include "base/bind.h"
-#include "base/macros.h"
-#include "base/values.h"
-#include "net/base/net_errors.h"
-#include "net/log/net_log.h"
-#include "net/log/net_log_capture_mode.h"
-#include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
-#include "net/log/net_log_with_source.h"
-#include "net/proxy_resolution/proxy_host_resolver.h"
-#include "net/proxy_resolution/proxy_resolver_error_observer.h"
-
-namespace net {
-
-namespace {
-
-// Returns event parameters for a PAC error message (line number + message).
-base::Value NetLogErrorCallback(int line_number,
-                                const base::string16* message,
-                                NetLogCaptureMode /* capture_mode */) {
-  base::Value dict(base::Value::Type::DICTIONARY);
-  dict.SetIntKey("line_number", line_number);
-  dict.SetStringKey("message", *message);
-  return dict;
-}
-
-class BindingsImpl : public ProxyResolverV8Tracing::Bindings {
- public:
-  BindingsImpl(ProxyResolverErrorObserver* error_observer,
-               ProxyHostResolver* host_resolver,
-               NetLog* net_log,
-               const NetLogWithSource& net_log_with_source)
-      : error_observer_(error_observer),
-        host_resolver_(host_resolver),
-        net_log_(net_log),
-        net_log_with_source_(net_log_with_source) {}
-
-  // ProxyResolverV8Tracing::Bindings overrides.
-  void Alert(const base::string16& message) override {
-    // Send to the NetLog.
-    LogEventToCurrentRequestAndGlobally(
-        NetLogEventType::PAC_JAVASCRIPT_ALERT,
-        NetLog::StringCallback("message", &message));
-  }
-
-  void OnError(int line_number, const base::string16& message) override {
-    // Send the error to the NetLog.
-    LogEventToCurrentRequestAndGlobally(
-        NetLogEventType::PAC_JAVASCRIPT_ERROR,
-        base::Bind(&NetLogErrorCallback, line_number, &message));
-    if (error_observer_)
-      error_observer_->OnPACScriptError(line_number, message);
-  }
-
-  ProxyHostResolver* GetHostResolver() override { return host_resolver_; }
-
-  NetLogWithSource GetNetLogWithSource() override {
-    return net_log_with_source_;
-  }
-
- private:
-  void LogEventToCurrentRequestAndGlobally(
-      NetLogEventType type,
-      const NetLogParametersCallback& parameters_callback) {
-    net_log_with_source_.AddEvent(type, parameters_callback);
-
-    // Emit to the global NetLog event stream.
-    if (net_log_)
-      net_log_->AddGlobalEntry(type, parameters_callback);
-  }
-
-  ProxyResolverErrorObserver* error_observer_;
-  ProxyHostResolver* host_resolver_;
-  NetLog* net_log_;
-  NetLogWithSource net_log_with_source_;
-};
-
-class ProxyResolverV8TracingWrapper : public ProxyResolver {
- public:
-  ProxyResolverV8TracingWrapper(
-      std::unique_ptr<ProxyResolverV8Tracing> resolver_impl,
-      NetLog* net_log,
-      ProxyHostResolver* host_resolver,
-      std::unique_ptr<ProxyResolverErrorObserver> error_observer);
-
-  int GetProxyForURL(const GURL& url,
-                     ProxyInfo* results,
-                     CompletionOnceCallback callback,
-                     std::unique_ptr<Request>* request,
-                     const NetLogWithSource& net_log) override;
-
- private:
-  std::unique_ptr<ProxyResolverV8Tracing> resolver_impl_;
-  NetLog* net_log_;
-  ProxyHostResolver* host_resolver_;
-  std::unique_ptr<ProxyResolverErrorObserver> error_observer_;
-
-  DISALLOW_COPY_AND_ASSIGN(ProxyResolverV8TracingWrapper);
-};
-
-ProxyResolverV8TracingWrapper::ProxyResolverV8TracingWrapper(
-    std::unique_ptr<ProxyResolverV8Tracing> resolver_impl,
-    NetLog* net_log,
-    ProxyHostResolver* host_resolver,
-    std::unique_ptr<ProxyResolverErrorObserver> error_observer)
-    : resolver_impl_(std::move(resolver_impl)),
-      net_log_(net_log),
-      host_resolver_(host_resolver),
-      error_observer_(std::move(error_observer)) {}
-
-int ProxyResolverV8TracingWrapper::GetProxyForURL(
-    const GURL& url,
-    ProxyInfo* results,
-    CompletionOnceCallback callback,
-    std::unique_ptr<Request>* request,
-    const NetLogWithSource& net_log) {
-  resolver_impl_->GetProxyForURL(
-      url, results, std::move(callback), request,
-      std::make_unique<BindingsImpl>(error_observer_.get(), host_resolver_,
-                                     net_log_, net_log));
-  return ERR_IO_PENDING;
-}
-
-}  // namespace
-
-ProxyResolverFactoryV8TracingWrapper::ProxyResolverFactoryV8TracingWrapper(
-    ProxyHostResolver* host_resolver,
-    NetLog* net_log,
-    const base::Callback<std::unique_ptr<ProxyResolverErrorObserver>()>&
-        error_observer_factory)
-    : ProxyResolverFactory(true),
-      factory_impl_(ProxyResolverV8TracingFactory::Create()),
-      host_resolver_(host_resolver),
-      net_log_(net_log),
-      error_observer_factory_(error_observer_factory) {}
-
-ProxyResolverFactoryV8TracingWrapper::~ProxyResolverFactoryV8TracingWrapper() =
-    default;
-
-int ProxyResolverFactoryV8TracingWrapper::CreateProxyResolver(
-    const scoped_refptr<PacFileData>& pac_script,
-    std::unique_ptr<ProxyResolver>* resolver,
-    CompletionOnceCallback callback,
-    std::unique_ptr<Request>* request) {
-  std::unique_ptr<std::unique_ptr<ProxyResolverV8Tracing>> v8_resolver(
-      new std::unique_ptr<ProxyResolverV8Tracing>);
-  std::unique_ptr<ProxyResolverErrorObserver> error_observer =
-      error_observer_factory_.Run();
-  // Note: Argument evaluation order is unspecified, so make copies before
-  // passing |v8_resolver| and |error_observer|.
-  std::unique_ptr<ProxyResolverV8Tracing>* v8_resolver_local =
-      v8_resolver.get();
-  ProxyResolverErrorObserver* error_observer_local = error_observer.get();
-  factory_impl_->CreateProxyResolverV8Tracing(
-      pac_script,
-      std::make_unique<BindingsImpl>(error_observer_local, host_resolver_,
-                                     net_log_, NetLogWithSource()),
-      v8_resolver_local,
-      base::BindOnce(
-          &ProxyResolverFactoryV8TracingWrapper::OnProxyResolverCreated,
-          base::Unretained(this), base::Passed(&v8_resolver), resolver,
-          std::move(callback), base::Passed(&error_observer)),
-      request);
-  return ERR_IO_PENDING;
-}
-
-void ProxyResolverFactoryV8TracingWrapper::OnProxyResolverCreated(
-    std::unique_ptr<std::unique_ptr<ProxyResolverV8Tracing>> v8_resolver,
-    std::unique_ptr<ProxyResolver>* resolver,
-    CompletionOnceCallback callback,
-    std::unique_ptr<ProxyResolverErrorObserver> error_observer,
-    int error) {
-  if (error == OK) {
-    resolver->reset(new ProxyResolverV8TracingWrapper(
-        std::move(*v8_resolver), net_log_, host_resolver_,
-        std::move(error_observer)));
-  }
-  std::move(callback).Run(error);
-}
-
-}  // namespace net
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper.h b/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper.h
deleted file mode 100644
index 3b876153992..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper.h
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_TRACING_WRAPPER_H_
-#define NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_TRACING_WRAPPER_H_
-
-#include <memory>
-
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "net/base/completion_once_callback.h"
-#include "net/base/net_export.h"
-#include "net/proxy_resolution/proxy_resolver.h"
-#include "net/proxy_resolution/proxy_resolver_factory.h"
-#include "net/proxy_resolution/proxy_resolver_v8_tracing.h"
-
-namespace net {
-
-class NetLog;
-class ProxyHostResolver;
-class ProxyResolverErrorObserver;
-
-// A wrapper for ProxyResolverV8TracingFactory that implements the
-// ProxyResolverFactory interface.
-class NET_EXPORT ProxyResolverFactoryV8TracingWrapper
-    : public ProxyResolverFactory {
- public:
-  // Note that |host_resolver| and |net_log| are expected to outlive |this| and
-  // any ProxyResolver instances created using |this|. |error_observer_factory|
-  // will be invoked once per CreateProxyResolver() call to create a
-  // ProxyResolverErrorObserver to be used by the ProxyResolver instance
-  // returned by that call.
-  ProxyResolverFactoryV8TracingWrapper(
-      ProxyHostResolver* host_resolver,
-      NetLog* net_log,
-      const base::Callback<std::unique_ptr<ProxyResolverErrorObserver>()>&
-          error_observer_factory);
-  ~ProxyResolverFactoryV8TracingWrapper() override;
-
-  // ProxyResolverFactory override.
-  int CreateProxyResolver(const scoped_refptr<PacFileData>& pac_script,
-                          std::unique_ptr<ProxyResolver>* resolver,
-                          CompletionOnceCallback callback,
-                          std::unique_ptr<Request>* request) override;
-
- private:
-  void OnProxyResolverCreated(
-      std::unique_ptr<std::unique_ptr<ProxyResolverV8Tracing>> v8_resolver,
-      std::unique_ptr<ProxyResolver>* resolver,
-      CompletionOnceCallback callback,
-      std::unique_ptr<ProxyResolverErrorObserver> error_observer,
-      int error);
-
-  std::unique_ptr<ProxyResolverV8TracingFactory> factory_impl_;
-  ProxyHostResolver* const host_resolver_;
-  NetLog* const net_log_;
-  const base::Callback<std::unique_ptr<ProxyResolverErrorObserver>()>
-      error_observer_factory_;
-
-  DISALLOW_COPY_AND_ASSIGN(ProxyResolverFactoryV8TracingWrapper);
-};
-
-}  // namespace net
-
-#endif  // NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_TRACING_WRAPPER_H_
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper_unittest.cc b/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper_unittest.cc
deleted file mode 100644
index 13b4cd12077..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_wrapper_unittest.cc
+++ /dev/null
@@ -1,1088 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/proxy_resolver_v8_tracing_wrapper.h"
-
-#include <string>
-
-#include "base/bind.h"
-#include "base/files/file_util.h"
-#include "base/memory/ptr_util.h"
-#include "base/path_service.h"
-#include "base/run_loop.h"
-#include "base/stl_util.h"
-#include "base/strings/string_util.h"
-#include "base/strings/stringprintf.h"
-#include "base/strings/utf_string_conversions.h"
-#include "base/synchronization/waitable_event.h"
-#include "base/threading/platform_thread.h"
-#include "base/values.h"
-#include "net/base/net_errors.h"
-#include "net/base/network_interfaces.h"
-#include "net/base/test_completion_callback.h"
-#include "net/log/net_log_event_type.h"
-#include "net/log/net_log_with_source.h"
-#include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
-#include "net/log/test_net_log_util.h"
-#include "net/proxy_resolution/mock_proxy_host_resolver.h"
-#include "net/proxy_resolution/proxy_info.h"
-#include "net/proxy_resolution/proxy_resolve_dns_operation.h"
-#include "net/proxy_resolution/proxy_resolver_error_observer.h"
-#include "net/test/event_waiter.h"
-#include "net/test/gtest_util.h"
-#include "net/test/test_with_scoped_task_environment.h"
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
-#include "url/gurl.h"
-
-using net::test::IsError;
-using net::test::IsOk;
-
-namespace net {
-
-namespace {
-
-class ProxyResolverV8TracingWrapperTest : public TestWithScopedTaskEnvironment {
- public:
-  void TearDown() override {
-    // Drain any pending messages, which may be left over from cancellation.
-    // This way they get reliably run as part of the current test, rather than
-    // spilling into the next test's execution.
-    base::RunLoop().RunUntilIdle();
-  }
-};
-
-scoped_refptr<PacFileData> LoadScriptData(const char* filename) {
-  base::FilePath path;
-  base::PathService::Get(base::DIR_SOURCE_ROOT, &path);
-  path = path.AppendASCII("net");
-  path = path.AppendASCII("data");
-  path = path.AppendASCII("proxy_resolver_v8_tracing_unittest");
-  path = path.AppendASCII(filename);
-
-  // Try to read the file from disk.
-  std::string file_contents;
-  bool ok = base::ReadFileToString(path, &file_contents);
-
-  // If we can't load the file from disk, something is misconfigured.
-  EXPECT_TRUE(ok) << "Failed to read file: " << path.value();
-
-  // Load the PAC script into the ProxyResolver.
-  return PacFileData::FromUTF8(file_contents);
-}
-
-std::unique_ptr<ProxyResolverErrorObserver> ReturnErrorObserver(
-    std::unique_ptr<ProxyResolverErrorObserver> error_observer) {
-  return error_observer;
-}
-
-std::unique_ptr<ProxyResolver> CreateResolver(
-    NetLog* net_log,
-    ProxyHostResolver* host_resolver,
-    std::unique_ptr<ProxyResolverErrorObserver> error_observer,
-    const char* filename) {
-  std::unique_ptr<ProxyResolver> resolver;
-  ProxyResolverFactoryV8TracingWrapper factory(
-      host_resolver, net_log,
-      base::Bind(&ReturnErrorObserver, base::Passed(&error_observer)));
-  TestCompletionCallback callback;
-  std::unique_ptr<ProxyResolverFactory::Request> request;
-  int rv = factory.CreateProxyResolver(LoadScriptData(filename), &resolver,
-                                       callback.callback(), &request);
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-  EXPECT_TRUE(resolver);
-  return resolver;
-}
-
-class MockErrorObserver : public ProxyResolverErrorObserver {
- public:
-  void OnPACScriptError(int line_number, const base::string16& error) override {
-    output += base::StringPrintf("Error: line %d: %s\n", line_number,
-                                 base::UTF16ToASCII(error).c_str());
-    waiter_.NotifyEvent(EVENT_ERROR);
-    if (!error_callback_.is_null())
-      error_callback_.Run();
-  }
-
-  std::string GetOutput() {
-    return output;
-  }
-
-  void RunOnError(const base::Closure& callback) {
-    error_callback_ = callback;
-    waiter_.WaitForEvent(EVENT_ERROR);
-  }
-
- private:
-  enum Event {
-    EVENT_ERROR,
-  };
-  std::string output;
-
-  base::Closure error_callback_;
-  EventWaiter<Event> waiter_;
-};
-
-TEST_F(ProxyResolverV8TracingWrapperTest, Simple) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      &log, &host_resolver, base::WrapUnique(error_observer), "simple.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ("foo:99", proxy_info.proxy_server().ToURI());
-
-  EXPECT_EQ(0u, host_resolver.num_resolve());
-
-  // There were no errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  // Check the NetLogs -- nothing was logged.
-  EXPECT_EQ(0u, log.GetSize());
-  EXPECT_EQ(0u, request_log.GetSize());
-}
-
-TEST_F(ProxyResolverV8TracingWrapperTest, JavascriptError) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      &log, &host_resolver, base::WrapUnique(error_observer), "error.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://throw-an-error/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsError(ERR_PAC_SCRIPT_FAILED));
-
-  EXPECT_EQ(0u, host_resolver.num_resolve());
-
-  EXPECT_EQ(
-      "Error: line 5: Uncaught TypeError: Cannot read property 'split' "
-      "of null\n",
-      error_observer->GetOutput());
-
-  // Check the NetLogs -- there was 1 alert and 1 javascript error, and they
-  // were output to both the global log, and per-request log.
-  TestNetLogEntry::List entries_list[2];
-  log.GetEntries(&entries_list[0]);
-  request_log.GetEntries(&entries_list[1]);
-
-  for (size_t list_i = 0; list_i < base::size(entries_list); list_i++) {
-    const TestNetLogEntry::List& entries = entries_list[list_i];
-    EXPECT_EQ(2u, entries.size());
-    EXPECT_TRUE(LogContainsEvent(entries, 0,
-                                 NetLogEventType::PAC_JAVASCRIPT_ALERT,
-                                 NetLogEventPhase::NONE));
-    EXPECT_TRUE(LogContainsEvent(entries, 1,
-                                 NetLogEventType::PAC_JAVASCRIPT_ERROR,
-                                 NetLogEventPhase::NONE));
-
-    EXPECT_EQ("{\"message\":\"Prepare to DIE!\"}", entries[0].GetParamsJson());
-    EXPECT_EQ(
-        "{\"line_number\":5,\"message\":\"Uncaught TypeError: Cannot "
-        "read property 'split' of null\"}",
-        entries[1].GetParamsJson());
-  }
-}
-
-TEST_F(ProxyResolverV8TracingWrapperTest, TooManyAlerts) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  std::unique_ptr<ProxyResolver> resolver =
-      CreateResolver(&log, &host_resolver, base::WrapUnique(error_observer),
-                     "too_many_alerts.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // Iteration1 does a DNS resolve
-  // Iteration2 exceeds the alert buffer
-  // Iteration3 runs in blocking mode and completes
-  EXPECT_EQ("foo:3", proxy_info.proxy_server().ToURI());
-
-  EXPECT_EQ(1u, host_resolver.num_resolve());
-
-  // No errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  // Check the NetLogs -- the script generated 50 alerts, which were mirrored
-  // to both the global and per-request logs.
-  TestNetLogEntry::List entries_list[2];
-  log.GetEntries(&entries_list[0]);
-  request_log.GetEntries(&entries_list[1]);
-
-  for (size_t list_i = 0; list_i < base::size(entries_list); list_i++) {
-    const TestNetLogEntry::List& entries = entries_list[list_i];
-    EXPECT_EQ(50u, entries.size());
-    for (size_t i = 0; i < entries.size(); ++i) {
-      ASSERT_TRUE(LogContainsEvent(entries, i,
-                                   NetLogEventType::PAC_JAVASCRIPT_ALERT,
-                                   NetLogEventPhase::NONE));
-    }
-  }
-}
-
-// Verify that buffered alerts cannot grow unboundedly, even when the message is
-// empty string.
-TEST_F(ProxyResolverV8TracingWrapperTest, TooManyEmptyAlerts) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  std::unique_ptr<ProxyResolver> resolver =
-      CreateResolver(&log, &host_resolver, base::WrapUnique(error_observer),
-                     "too_many_empty_alerts.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ("foo:3", proxy_info.proxy_server().ToURI());
-
-  EXPECT_EQ(1u, host_resolver.num_resolve());
-
-  // No errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  // Check the NetLogs -- the script generated 50 alerts, which were mirrored
-  // to both the global and per-request logs.
-  TestNetLogEntry::List entries_list[2];
-  log.GetEntries(&entries_list[0]);
-  request_log.GetEntries(&entries_list[1]);
-
-  for (size_t list_i = 0; list_i < base::size(entries_list); list_i++) {
-    const TestNetLogEntry::List& entries = entries_list[list_i];
-    EXPECT_EQ(1000u, entries.size());
-    for (size_t i = 0; i < entries.size(); ++i) {
-      ASSERT_TRUE(LogContainsEvent(entries, i,
-                                   NetLogEventType::PAC_JAVASCRIPT_ALERT,
-                                   NetLogEventPhase::NONE));
-    }
-  }
-}
-
-// This test runs a PAC script that issues a sequence of DNS resolves. The test
-// verifies the final result, and that the underlying DNS resolver received
-// the correct set of queries.
-TEST_F(ProxyResolverV8TracingWrapperTest, Dns) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.SetResult(GetHostName(),
-                          ProxyResolveDnsOperation::MY_IP_ADDRESS,
-                          {IPAddress(122, 133, 144, 155)});
-  host_resolver.SetResult(GetHostName(),
-                          ProxyResolveDnsOperation::MY_IP_ADDRESS_EX,
-                          {IPAddress(133, 122, 100, 200)});
-  host_resolver.SetError("", ProxyResolveDnsOperation::DNS_RESOLVE);
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 44)});
-  IPAddress v6_local;
-  ASSERT_TRUE(v6_local.AssignFromIPLiteral("::1"));
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE_EX,
-                          {v6_local, IPAddress(192, 168, 1, 1)});
-  host_resolver.SetError("host2", ProxyResolveDnsOperation::DNS_RESOLVE);
-  host_resolver.SetResult("host3", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 33)});
-  host_resolver.SetError("host6", ProxyResolveDnsOperation::DNS_RESOLVE_EX);
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      &log, &host_resolver, base::WrapUnique(error_observer), "dns.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // The test does 13 DNS resolution, however only 7 of them are unique.
-  EXPECT_EQ(7u, host_resolver.num_resolve());
-
-  const char* kExpectedResult =
-      "122.133.144.155-"  // myIpAddress()
-      "null-"             // dnsResolve('')
-      "__1_192.168.1.1-"  // dnsResolveEx('host1')
-      "null-"             // dnsResolve('host2')
-      "166.155.144.33-"   // dnsResolve('host3')
-      "122.133.144.155-"  // myIpAddress()
-      "166.155.144.33-"   // dnsResolve('host3')
-      "__1_192.168.1.1-"  // dnsResolveEx('host1')
-      "122.133.144.155-"  // myIpAddress()
-      "null-"             // dnsResolve('host2')
-      "-"                 // dnsResolveEx('host6')
-      "133.122.100.200-"  // myIpAddressEx()
-      "166.155.144.44"    // dnsResolve('host1')
-      ":99";
-
-  EXPECT_EQ(kExpectedResult, proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  // Check the NetLogs -- the script generated 1 alert, mirrored to both
-  // the per-request and global logs.
-  TestNetLogEntry::List entries_list[2];
-  log.GetEntries(&entries_list[0]);
-  request_log.GetEntries(&entries_list[1]);
-
-  for (size_t list_i = 0; list_i < base::size(entries_list); list_i++) {
-    const TestNetLogEntry::List& entries = entries_list[list_i];
-    EXPECT_EQ(1u, entries.size());
-    EXPECT_TRUE(LogContainsEvent(entries, 0,
-                                 NetLogEventType::PAC_JAVASCRIPT_ALERT,
-                                 NetLogEventPhase::NONE));
-    EXPECT_EQ("{\"message\":\"iteration: 7\"}", entries[0].GetParamsJson());
-  }
-}
-
-// This test runs a weird PAC script that was designed to defeat the DNS tracing
-// optimization. The proxy resolver should detect the inconsistency and
-// fall-back to synchronous mode execution.
-TEST_F(ProxyResolverV8TracingWrapperTest, FallBackToSynchronous1) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 11)});
-  host_resolver.SetResult("crazy4", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(133, 199, 111, 4)});
-
-  std::unique_ptr<ProxyResolver> resolver =
-      CreateResolver(&log, &host_resolver, base::WrapUnique(error_observer),
-                     "global_sideffects1.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // The script itself only does 2 DNS resolves per execution, however it
-  // constructs the hostname using a global counter which changes on each
-  // invocation.
-  EXPECT_EQ(3u, host_resolver.num_resolve());
-
-  EXPECT_EQ("166.155.144.11-133.199.111.4:100",
-            proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  // Check the NetLogs -- the script generated 1 alert, mirrored to both
-  // the per-request and global logs.
-  TestNetLogEntry::List entries_list[2];
-  log.GetEntries(&entries_list[0]);
-  request_log.GetEntries(&entries_list[1]);
-
-  for (size_t list_i = 0; list_i < base::size(entries_list); list_i++) {
-    const TestNetLogEntry::List& entries = entries_list[list_i];
-    EXPECT_EQ(1u, entries.size());
-    EXPECT_TRUE(LogContainsEvent(entries, 0,
-                                 NetLogEventType::PAC_JAVASCRIPT_ALERT,
-                                 NetLogEventPhase::NONE));
-    EXPECT_EQ("{\"message\":\"iteration: 4\"}", entries[0].GetParamsJson());
-  }
-}
-
-// This test runs a weird PAC script that was designed to defeat the DNS tracing
-// optimization. The proxy resolver should detect the inconsistency and
-// fall-back to synchronous mode execution.
-TEST_F(ProxyResolverV8TracingWrapperTest, FallBackToSynchronous2) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 11)});
-  host_resolver.SetResult("host2", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 22)});
-  host_resolver.SetResult("host3", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 33)});
-  host_resolver.SetResult("host4", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 44)});
-
-  std::unique_ptr<ProxyResolver> resolver =
-      CreateResolver(&log, &host_resolver, base::WrapUnique(error_observer),
-                     "global_sideffects2.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ(3u, host_resolver.num_resolve());
-
-  EXPECT_EQ("166.155.144.44:100", proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  // Check the NetLogs -- nothing was logged.
-  EXPECT_EQ(0u, log.GetSize());
-  EXPECT_EQ(0u, request_log.GetSize());
-}
-
-// This test runs a weird PAC script that yields a never ending sequence
-// of DNS resolves when restarting. Running it will hit the maximum
-// DNS resolves per request limit (20) after which every DNS resolve will
-// fail.
-TEST_F(ProxyResolverV8TracingWrapperTest, InfiniteDNSSequence) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  for (int i = 0; i < 21; ++i) {
-    host_resolver.SetResult("host" + std::to_string(i),
-                            ProxyResolveDnsOperation::DNS_RESOLVE,
-                            {IPAddress(166, 155, 144, 11)});
-  }
-
-  std::unique_ptr<ProxyResolver> resolver =
-      CreateResolver(&log, &host_resolver, base::WrapUnique(error_observer),
-                     "global_sideffects3.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-
-                               callback.callback(), &req, request_log.bound());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ(20u, host_resolver.num_resolve());
-
-  EXPECT_EQ(
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "null:21",
-      proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  // Check the NetLogs -- 1 alert was logged.
-  EXPECT_EQ(1u, log.GetSize());
-  EXPECT_EQ(1u, request_log.GetSize());
-}
-
-// This test runs a weird PAC script that yields a never ending sequence
-// of DNS resolves when restarting. Running it will hit the maximum
-// DNS resolves per request limit (20) after which every DNS resolve will
-// fail.
-TEST_F(ProxyResolverV8TracingWrapperTest, InfiniteDNSSequence2) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.SetResult(GetHostName(),
-                          ProxyResolveDnsOperation::MY_IP_ADDRESS,
-                          {IPAddress(122, 133, 144, 155)});
-  for (int i = 0; i < 21; ++i) {
-    host_resolver.SetResult("host" + std::to_string(i),
-                            ProxyResolveDnsOperation::DNS_RESOLVE,
-                            {IPAddress(166, 155, 144, 11)});
-  }
-
-  std::unique_ptr<ProxyResolver> resolver =
-      CreateResolver(&log, &host_resolver, base::WrapUnique(error_observer),
-                     "global_sideffects4.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ(20u, host_resolver.num_resolve());
-
-  EXPECT_EQ("null21:34", proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  // Check the NetLogs -- 1 alert was logged.
-  EXPECT_EQ(1u, log.GetSize());
-  EXPECT_EQ(1u, request_log.GetSize());
-}
-
-void DnsDuringInitHelper(bool synchronous_host_resolver) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver(synchronous_host_resolver);
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(91, 13, 12, 1)});
-  host_resolver.SetResult("host2", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(91, 13, 12, 2)});
-
-  std::unique_ptr<ProxyResolver> resolver =
-      CreateResolver(&log, &host_resolver, base::WrapUnique(error_observer),
-                     "dns_during_init.js");
-
-  // Initialization did 2 dnsResolves.
-  EXPECT_EQ(2u, host_resolver.num_resolve());
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(145, 88, 13, 3)});
-  host_resolver.SetResult("host2", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(137, 89, 8, 45)});
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // Fetched host1 and host2 again, since the ones done during initialization
-  // should not have been cached.
-  EXPECT_EQ(4u, host_resolver.num_resolve());
-
-  EXPECT_EQ("91.13.12.1-91.13.12.2-145.88.13.3-137.89.8.45:99",
-            proxy_info.proxy_server().ToURI());
-
-  // Check the NetLogs -- the script generated 2 alerts during initialization.
-  EXPECT_EQ(0u, request_log.GetSize());
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
-
-  ASSERT_EQ(2u, entries.size());
-  EXPECT_TRUE(LogContainsEvent(entries, 0,
-                               NetLogEventType::PAC_JAVASCRIPT_ALERT,
-                               NetLogEventPhase::NONE));
-  EXPECT_TRUE(LogContainsEvent(entries, 1,
-                               NetLogEventType::PAC_JAVASCRIPT_ALERT,
-                               NetLogEventPhase::NONE));
-
-  EXPECT_EQ("{\"message\":\"Watsup\"}", entries[0].GetParamsJson());
-  EXPECT_EQ("{\"message\":\"Watsup2\"}", entries[1].GetParamsJson());
-}
-
-// Tests a PAC script which does DNS resolves during initialization.
-TEST_F(ProxyResolverV8TracingWrapperTest, DnsDuringInit) {
-  // Test with both both a host resolver that always completes asynchronously,
-  // and then again with one that completes synchronously.
-  DnsDuringInitHelper(false);
-  DnsDuringInitHelper(true);
-}
-
-void CrashCallback(int) {
-  // Be extra sure that if the callback ever gets invoked, the test will fail.
-  CHECK(false);
-}
-
-// Start some requests, cancel them all, and then destroy the resolver.
-// Note the execution order for this test can vary. Since multiple
-// threads are involved, the cancellation may be received a different
-// times.
-TEST_F(ProxyResolverV8TracingWrapperTest, CancelAll) {
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.FailAll();
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      nullptr, &host_resolver, base::WrapUnique(error_observer), "dns.js");
-
-  const size_t kNumRequests = 5;
-  ProxyInfo proxy_info[kNumRequests];
-  std::unique_ptr<ProxyResolver::Request> request[kNumRequests];
-
-  for (size_t i = 0; i < kNumRequests; ++i) {
-    int rv = resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info[i],
-                                      base::Bind(&CrashCallback), &request[i],
-                                      NetLogWithSource());
-    EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  }
-
-  for (size_t i = 0; i < kNumRequests; ++i) {
-    request[i].reset();
-  }
-}
-
-// Note the execution order for this test can vary. Since multiple
-// threads are involved, the cancellation may be received a different
-// times.
-TEST_F(ProxyResolverV8TracingWrapperTest, CancelSome) {
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.FailAll();
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      nullptr, &host_resolver, base::WrapUnique(error_observer), "dns.js");
-
-  ProxyInfo proxy_info1;
-  ProxyInfo proxy_info2;
-  std::unique_ptr<ProxyResolver::Request> request1;
-  std::unique_ptr<ProxyResolver::Request> request2;
-  TestCompletionCallback callback;
-
-  int rv = resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info1,
-                                    base::Bind(&CrashCallback), &request1,
-                                    NetLogWithSource());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  rv = resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info2,
-                                callback.callback(), &request2,
-                                NetLogWithSource());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  request1.reset();
-
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-}
-
-// Cancel a request after it has finished running on the worker thread, and has
-// posted a task the completion task back to origin thread.
-TEST_F(ProxyResolverV8TracingWrapperTest, CancelWhilePendingCompletionTask) {
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.FailAll();
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      nullptr, &host_resolver, base::WrapUnique(error_observer), "error.js");
-
-  ProxyInfo proxy_info1;
-  ProxyInfo proxy_info2;
-  std::unique_ptr<ProxyResolver::Request> request1;
-  std::unique_ptr<ProxyResolver::Request> request2;
-  TestCompletionCallback callback;
-
-  int rv = resolver->GetProxyForURL(GURL("http://throw-an-error/"),
-                                    &proxy_info1, base::Bind(&CrashCallback),
-                                    &request1, NetLogWithSource());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  // Wait until the first request has finished running on the worker thread.
-  // Cancel the first request, while it has a pending completion task on
-  // the origin thread. Reset deletes Request object which cancels the request.
-  error_observer->RunOnError(
-      base::Bind(&std::unique_ptr<ProxyResolver::Request>::reset,
-                 base::Unretained(&request1), nullptr));
-
-  // Start another request, to make sure it is able to complete.
-  rv = resolver->GetProxyForURL(GURL("http://i-have-no-idea-what-im-doing/"),
-                                &proxy_info2, callback.callback(), &request2,
-                                NetLogWithSource());
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ("i-approve-this-message:42", proxy_info2.proxy_server().ToURI());
-}
-
-// This cancellation test exercises a more predictable cancellation codepath --
-// when the request has an outstanding DNS request in flight.
-TEST_F(ProxyResolverV8TracingWrapperTest,
-       CancelWhileOutstandingNonBlockingDns) {
-  base::RunLoop run_loop1;
-  HangingProxyHostResolver host_resolver(run_loop1.QuitClosure());
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      nullptr, &host_resolver, base::WrapUnique(error_observer), "dns.js");
-
-  ProxyInfo proxy_info1;
-  ProxyInfo proxy_info2;
-  std::unique_ptr<ProxyResolver::Request> request1;
-  std::unique_ptr<ProxyResolver::Request> request2;
-
-  int rv = resolver->GetProxyForURL(GURL("http://foo/req1"), &proxy_info1,
-                                    base::Bind(&CrashCallback), &request1,
-                                    NetLogWithSource());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  run_loop1.Run();
-
-  base::RunLoop run_loop2;
-  host_resolver.set_hang_callback(run_loop2.QuitClosure());
-  rv = resolver->GetProxyForURL(GURL("http://foo/req2"), &proxy_info2,
-                                base::Bind(&CrashCallback), &request2,
-                                NetLogWithSource());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  run_loop2.Run();
-
-  request1.reset();
-  request2.reset();
-
-  EXPECT_EQ(2, host_resolver.num_cancelled_requests());
-
-  // After leaving this scope, the ProxyResolver is destroyed.
-  // This should not cause any problems, as the outstanding work
-  // should have been cancelled.
-}
-
-void CancelRequestAndPause(std::unique_ptr<ProxyResolver::Request>* request,
-                           base::RunLoop* run_loop) {
-  request->reset();
-
-  // Sleep for a little bit. This makes it more likely for the worker
-  // thread to have returned from its call, and serves as a regression
-  // test for http://crbug.com/173373.
-  base::PlatformThread::Sleep(base::TimeDelta::FromMilliseconds(30));
-
-  run_loop->Quit();
-}
-
-// In non-blocking mode, the worker thread actually does block for
-// a short time to see if the result is in the DNS cache. Test
-// cancellation while the worker thread is waiting on this event.
-TEST_F(ProxyResolverV8TracingWrapperTest, CancelWhileBlockedInNonBlockingDns) {
-  HangingProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      nullptr, &host_resolver, base::WrapUnique(error_observer), "dns.js");
-
-  ProxyInfo proxy_info;
-  std::unique_ptr<ProxyResolver::Request> request;
-
-  base::RunLoop run_loop;
-  host_resolver.set_hang_callback(
-      base::BindRepeating(&CancelRequestAndPause, &request, &run_loop));
-
-  int rv = resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                                    base::Bind(&CrashCallback), &request,
-                                    NetLogWithSource());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  run_loop.Run();
-}
-
-// Cancel the request while there is a pending DNS request, however before
-// the request is sent to the host resolver.
-TEST_F(ProxyResolverV8TracingWrapperTest, CancelWhileBlockedInNonBlockingDns2) {
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      nullptr, &host_resolver, base::WrapUnique(error_observer), "dns.js");
-
-  ProxyInfo proxy_info;
-  std::unique_ptr<ProxyResolver::Request> request;
-
-  int rv = resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                                    base::Bind(&CrashCallback), &request,
-                                    NetLogWithSource());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  // Wait a bit, so the DNS task has hopefully been posted. The test will
-  // work whatever the delay is here, but it is most useful if the delay
-  // is large enough to allow a task to be posted back.
-  base::PlatformThread::Sleep(base::TimeDelta::FromMilliseconds(10));
-  request.reset();
-
-  EXPECT_EQ(0u, host_resolver.num_resolve());
-}
-
-TEST_F(ProxyResolverV8TracingWrapperTest,
-       CancelCreateResolverWhileOutstandingBlockingDns) {
-  base::RunLoop run_loop;
-  HangingProxyHostResolver host_resolver(run_loop.QuitClosure());
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  ProxyResolverFactoryV8TracingWrapper factory(
-      &host_resolver, nullptr,
-      base::Bind(&ReturnErrorObserver,
-                 base::Passed(base::WrapUnique(error_observer))));
-
-  std::unique_ptr<ProxyResolver> resolver;
-  std::unique_ptr<ProxyResolverFactory::Request> request;
-  int rv = factory.CreateProxyResolver(LoadScriptData("dns_during_init.js"),
-                                       &resolver, base::Bind(&CrashCallback),
-                                       &request);
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-
-  run_loop.Run();
-
-  request.reset();
-  EXPECT_EQ(1, host_resolver.num_cancelled_requests());
-}
-
-TEST_F(ProxyResolverV8TracingWrapperTest,
-       DeleteFactoryWhileOutstandingBlockingDns) {
-  base::RunLoop run_loop;
-  HangingProxyHostResolver host_resolver(run_loop.QuitClosure());
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  std::unique_ptr<ProxyResolver> resolver;
-  std::unique_ptr<ProxyResolverFactory::Request> request;
-  {
-    ProxyResolverFactoryV8TracingWrapper factory(
-        &host_resolver, nullptr,
-        base::Bind(&ReturnErrorObserver,
-                   base::Passed(base::WrapUnique(error_observer))));
-
-    int rv = factory.CreateProxyResolver(LoadScriptData("dns_during_init.js"),
-                                         &resolver, base::Bind(&CrashCallback),
-                                         &request);
-    EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-    run_loop.Run();
-  }
-  EXPECT_EQ(1, host_resolver.num_cancelled_requests());
-}
-
-TEST_F(ProxyResolverV8TracingWrapperTest, ErrorLoadingScript) {
-  HangingProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  ProxyResolverFactoryV8TracingWrapper factory(
-      &host_resolver, nullptr,
-      base::Bind(&ReturnErrorObserver,
-                 base::Passed(base::WrapUnique(error_observer))));
-
-  std::unique_ptr<ProxyResolver> resolver;
-  std::unique_ptr<ProxyResolverFactory::Request> request;
-  TestCompletionCallback callback;
-  int rv =
-      factory.CreateProxyResolver(LoadScriptData("error_on_load.js"), &resolver,
-                                  callback.callback(), &request);
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsError(ERR_PAC_SCRIPT_FAILED));
-  EXPECT_FALSE(resolver);
-}
-
-// This tests that the execution of a PAC script is terminated when the DNS
-// dependencies are missing. If the test fails, then it will hang.
-TEST_F(ProxyResolverV8TracingWrapperTest, Terminate) {
-  TestNetLog log;
-  BoundTestNetLog request_log;
-  MockProxyHostResolver host_resolver;
-  MockErrorObserver* error_observer = new MockErrorObserver;
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(182, 111, 0, 222)});
-  host_resolver.SetResult("host2", ProxyResolveDnsOperation::DNS_RESOLVE_EX,
-                          {IPAddress(111, 33, 44, 55)});
-
-  std::unique_ptr<ProxyResolver> resolver = CreateResolver(
-      &log, &host_resolver, base::WrapUnique(error_observer), "terminate.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  int rv =
-      resolver->GetProxyForURL(GURL("http://foopy/req1"), &proxy_info,
-                               callback.callback(), &req, request_log.bound());
-
-  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // The test does 2 DNS resolutions.
-  EXPECT_EQ(2u, host_resolver.num_resolve());
-
-  EXPECT_EQ("foopy:3", proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_EQ("", error_observer->GetOutput());
-
-  EXPECT_EQ(0u, log.GetSize());
-  EXPECT_EQ(0u, request_log.GetSize());
-}
-
-// Tests that multiple instances of ProxyResolverV8TracingWrapper can coexist
-// and run correctly at the same time. This is relevant because at the moment
-// (time this test was written) each ProxyResolverV8TracingWrapper creates its
-// own thread to run V8 on, however each thread is operating on the same
-// v8::Isolate.
-TEST_F(ProxyResolverV8TracingWrapperTest, MultipleResolvers) {
-  // ------------------------
-  // Setup resolver0
-  // ------------------------
-  MockProxyHostResolver host_resolver0;
-  host_resolver0.SetResult(GetHostName(),
-                           ProxyResolveDnsOperation::MY_IP_ADDRESS,
-                           {IPAddress(122, 133, 144, 155)});
-  host_resolver0.SetResult(GetHostName(),
-                           ProxyResolveDnsOperation::MY_IP_ADDRESS_EX,
-                           {IPAddress(133, 122, 100, 200)});
-  host_resolver0.SetError("", ProxyResolveDnsOperation::DNS_RESOLVE);
-  host_resolver0.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                           {IPAddress(166, 155, 144, 44)});
-  IPAddress v6_local;
-  ASSERT_TRUE(v6_local.AssignFromIPLiteral("::1"));
-  host_resolver0.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE_EX,
-                           {v6_local, IPAddress(192, 168, 1, 1)});
-  host_resolver0.SetError("host2", ProxyResolveDnsOperation::DNS_RESOLVE);
-  host_resolver0.SetResult("host3", ProxyResolveDnsOperation::DNS_RESOLVE,
-                           {IPAddress(166, 155, 144, 33)});
-  host_resolver0.SetError("host6", ProxyResolveDnsOperation::DNS_RESOLVE_EX);
-  std::unique_ptr<ProxyResolver> resolver0 =
-      CreateResolver(nullptr, &host_resolver0,
-                     std::make_unique<MockErrorObserver>(), "dns.js");
-
-  // ------------------------
-  // Setup resolver1
-  // ------------------------
-  std::unique_ptr<ProxyResolver> resolver1 =
-      CreateResolver(nullptr, &host_resolver0,
-                     std::make_unique<MockErrorObserver>(), "dns.js");
-
-  // ------------------------
-  // Setup resolver2
-  // ------------------------
-  std::unique_ptr<ProxyResolver> resolver2 =
-      CreateResolver(nullptr, &host_resolver0,
-                     std::make_unique<MockErrorObserver>(), "simple.js");
-
-  // ------------------------
-  // Setup resolver3
-  // ------------------------
-  MockProxyHostResolver host_resolver3;
-  host_resolver3.SetResult("foo", ProxyResolveDnsOperation::DNS_RESOLVE,
-                           {IPAddress(166, 155, 144, 33)});
-  std::unique_ptr<ProxyResolver> resolver3 =
-      CreateResolver(nullptr, &host_resolver3,
-                     std::make_unique<MockErrorObserver>(), "simple_dns.js");
-
-  // ------------------------
-  // Queue up work for each resolver (which will be running in parallel).
-  // ------------------------
-
-  ProxyResolver* resolver[] = {
-      resolver0.get(), resolver1.get(), resolver2.get(), resolver3.get(),
-  };
-
-  const size_t kNumResolvers = base::size(resolver);
-  const size_t kNumIterations = 20;
-  const size_t kNumResults = kNumResolvers * kNumIterations;
-  TestCompletionCallback callback[kNumResults];
-  ProxyInfo proxy_info[kNumResults];
-  std::unique_ptr<ProxyResolver::Request> request[kNumResults];
-
-  for (size_t i = 0; i < kNumResults; ++i) {
-    size_t resolver_i = i % kNumResolvers;
-    int rv = resolver[resolver_i]->GetProxyForURL(
-        GURL("http://foo/"), &proxy_info[i], callback[i].callback(),
-        &request[i], NetLogWithSource());
-    EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  }
-
-  // ------------------------
-  // Verify all of the results.
-  // ------------------------
-
-  const char* kExpectedForDnsJs =
-      "122.133.144.155-"  // myIpAddress()
-      "null-"             // dnsResolve('')
-      "__1_192.168.1.1-"  // dnsResolveEx('host1')
-      "null-"             // dnsResolve('host2')
-      "166.155.144.33-"   // dnsResolve('host3')
-      "122.133.144.155-"  // myIpAddress()
-      "166.155.144.33-"   // dnsResolve('host3')
-      "__1_192.168.1.1-"  // dnsResolveEx('host1')
-      "122.133.144.155-"  // myIpAddress()
-      "null-"             // dnsResolve('host2')
-      "-"                 // dnsResolveEx('host6')
-      "133.122.100.200-"  // myIpAddressEx()
-      "166.155.144.44"    // dnsResolve('host1')
-      ":99";
-
-  for (size_t i = 0; i < kNumResults; ++i) {
-    size_t resolver_i = i % kNumResolvers;
-    EXPECT_THAT(callback[i].WaitForResult(), IsOk());
-
-    std::string proxy_uri = proxy_info[i].proxy_server().ToURI();
-
-    if (resolver_i == 0 || resolver_i == 1) {
-      EXPECT_EQ(kExpectedForDnsJs, proxy_uri);
-    } else if (resolver_i == 2) {
-      EXPECT_EQ("foo:99", proxy_uri);
-    } else if (resolver_i == 3) {
-      EXPECT_EQ("166.155.144.33:",
-                proxy_uri.substr(0, proxy_uri.find(':') + 1));
-    } else {
-      NOTREACHED();
-    }
-  }
-}
-
-}  // namespace
-
-}  // namespace net
diff --git a/chromium/net/quic/OWNERS b/chromium/net/quic/OWNERS
index 1835f5bdf9a..6fd222f2f72 100644
--- a/chromium/net/quic/OWNERS
+++ b/chromium/net/quic/OWNERS
@@ -1,3 +1,4 @@
+nharper@chromium.org
 rch@chromium.org
 zhongyi@chromium.org
 
diff --git a/chromium/net/quic/address_utils.h b/chromium/net/quic/address_utils.h
index f067db7f9b0..286146ccd73 100644
--- a/chromium/net/quic/address_utils.h
+++ b/chromium/net/quic/address_utils.h
@@ -1,7 +1,12 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
 #ifndef NET_QUIC_ADDRESS_UTILS_H_
 #define NET_QUIC_ADDRESS_UTILS_H_
 
 #include "net/base/ip_address.h"
+#include "net/base/ip_endpoint.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ip_address.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ip_address_family.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
@@ -43,6 +48,39 @@ inline IPAddress ToIPAddress(quic::QuicIpAddress address) {
   }
 }
 
+inline quic::QuicSocketAddress ToQuicSocketAddress(IPEndPoint address) {
+  if (address.address().empty()) {
+    return quic::QuicSocketAddress();
+  }
+
+  sockaddr_storage result;
+  socklen_t size = sizeof(result);
+  bool success =
+      address.ToSockAddr(reinterpret_cast<sockaddr*>(&result), &size);
+  DCHECK(success);
+  return quic::QuicSocketAddress(result);
+}
+
+inline quic::QuicIpAddress ToQuicIpAddress(net::IPAddress address) {
+  if (address.IsIPv4()) {
+    in_addr result;
+    static_assert(sizeof(result) == IPAddress::kIPv4AddressSize,
+                  "Address size mismatch");
+    memcpy(&result, address.bytes().data(), IPAddress::kIPv4AddressSize);
+    return quic::QuicIpAddress(result);
+  }
+  if (address.IsIPv6()) {
+    in6_addr result;
+    static_assert(sizeof(result) == IPAddress::kIPv6AddressSize,
+                  "Address size mismatch");
+    memcpy(&result, address.bytes().data(), IPAddress::kIPv6AddressSize);
+    return quic::QuicIpAddress(result);
+  }
+
+  DCHECK(address.empty());
+  return quic::QuicIpAddress();
+}
+
 }  // namespace net
 
 #endif  // NET_QUIC_ADDRESS_UTILS_H_
diff --git a/chromium/net/quic/bidirectional_stream_quic_impl.cc b/chromium/net/quic/bidirectional_stream_quic_impl.cc
index 7fde6013a53..444544501f3 100644
--- a/chromium/net/quic/bidirectional_stream_quic_impl.cc
+++ b/chromium/net/quic/bidirectional_stream_quic_impl.cc
@@ -54,8 +54,7 @@ BidirectionalStreamQuicImpl::BidirectionalStreamQuicImpl(
       closed_is_first_stream_(false),
       has_sent_headers_(false),
       send_request_headers_automatically_(true),
-      may_invoke_callbacks_(true),
-      weak_factory_(this) {}
+      may_invoke_callbacks_(true) {}
 
 BidirectionalStreamQuicImpl::~BidirectionalStreamQuicImpl() {
   if (stream_) {
@@ -180,7 +179,7 @@ void BidirectionalStreamQuicImpl::SendvData(
   }
 
   std::unique_ptr<quic::QuicConnection::ScopedPacketFlusher> bundler(
-      session_->CreatePacketBundler(quic::QuicConnection::SEND_ACK_IF_PENDING));
+      session_->CreatePacketBundler());
   if (!has_sent_headers_) {
     DCHECK(!send_request_headers_automatically_);
     int rv = WriteHeaders();
@@ -210,15 +209,34 @@ NextProto BidirectionalStreamQuicImpl::GetProtocol() const {
 }
 
 int64_t BidirectionalStreamQuicImpl::GetTotalReceivedBytes() const {
-  if (stream_)
-    return headers_bytes_received_ + stream_->stream_bytes_read();
-  return headers_bytes_received_ + closed_stream_received_bytes_;
+  // When QPACK is enabled, headers are sent and received on the stream, so
+  // the headers bytes do not need to be accounted for independently.
+  int64_t total_received_bytes =
+      quic::VersionUsesQpack(session_->GetQuicVersion())
+          ? 0
+          : headers_bytes_received_;
+  if (stream_) {
+    DCHECK_LE(stream_->NumBytesConsumed(), stream_->stream_bytes_read());
+    // Only count the uniquely received bytes.
+    total_received_bytes += stream_->NumBytesConsumed();
+  } else {
+    total_received_bytes += closed_stream_received_bytes_;
+  }
+  return total_received_bytes;
 }
 
 int64_t BidirectionalStreamQuicImpl::GetTotalSentBytes() const {
-  if (stream_)
-    return headers_bytes_sent_ + stream_->stream_bytes_written();
-  return headers_bytes_sent_ + closed_stream_sent_bytes_;
+  // When QPACK is enabled, headers are sent and received on the stream, so
+  // the headers bytes do not need to be accounted for independently.
+  int64_t total_sent_bytes = quic::VersionUsesQpack(session_->GetQuicVersion())
+                                 ? 0
+                                 : headers_bytes_sent_;
+  if (stream_) {
+    total_sent_bytes += stream_->stream_bytes_written();
+  } else {
+    total_sent_bytes += closed_stream_sent_bytes_;
+  }
+  return total_sent_bytes;
 }
 
 bool BidirectionalStreamQuicImpl::GetLoadTimingInfo(
diff --git a/chromium/net/quic/bidirectional_stream_quic_impl.h b/chromium/net/quic/bidirectional_stream_quic_impl.h
index aa5f938d5be..cb3927bcacc 100644
--- a/chromium/net/quic/bidirectional_stream_quic_impl.h
+++ b/chromium/net/quic/bidirectional_stream_quic_impl.h
@@ -128,7 +128,7 @@ class NET_EXPORT_PRIVATE BidirectionalStreamQuicImpl
   // True when callbacks to the delegate may be invoked synchronously.
   bool may_invoke_callbacks_;
 
-  base::WeakPtrFactory<BidirectionalStreamQuicImpl> weak_factory_;
+  base::WeakPtrFactory<BidirectionalStreamQuicImpl> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(BidirectionalStreamQuicImpl);
 };
diff --git a/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc b/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
index 3256fa84450..f969027582a 100644
--- a/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
+++ b/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
@@ -23,7 +23,9 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
 #include "net/log/test_net_log_util.h"
+#include "net/quic/address_utils.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
+#include "net/quic/platform/impl/quic_test_impl.h"
 #include "net/quic/quic_chromium_alarm_factory.h"
 #include "net/quic/quic_chromium_connection_helper.h"
 #include "net/quic/quic_chromium_packet_reader.h"
@@ -32,6 +34,7 @@
 #include "net/quic/quic_server_info.h"
 #include "net/quic/quic_stream_factory.h"
 #include "net/quic/quic_test_packet_maker.h"
+#include "net/quic/quic_test_packet_printer.h"
 #include "net/quic/test_task_runner.h"
 #include "net/socket/socket_test_util.h"
 #include "net/test/gtest_util.h"
@@ -42,7 +45,6 @@
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
@@ -413,8 +415,8 @@ class BidirectionalStreamQuicImplTest
   BidirectionalStreamQuicImplTest()
       : version_(std::get<0>(GetParam())),
         client_headers_include_h2_stream_dependency_(std::get<1>(GetParam())),
-        crypto_config_(quic::test::crypto_test_utils::ProofVerifierForTesting(),
-                       quic::TlsClientHandshaker::CreateSslCtx()),
+        crypto_config_(
+            quic::test::crypto_test_utils::ProofVerifierForTesting()),
         read_buffer_(base::MakeRefCounted<IOBufferWithSize>(4096)),
         connection_id_(quic::test::TestConnectionId(2)),
         stream_id_(GetNthClientInitiatedBidirectionalStreamId(0)),
@@ -424,6 +426,7 @@ class BidirectionalStreamQuicImplTest
                       kDefaultServerHostName,
                       quic::Perspective::IS_CLIENT,
                       client_headers_include_h2_stream_dependency_),
+        packet_number_(0),
         server_maker_(version_,
                       connection_id_,
                       &clock_,
@@ -431,7 +434,9 @@ class BidirectionalStreamQuicImplTest
                       quic::Perspective::IS_SERVER,
                       false),
         random_generator_(0),
+        printer_(version_),
         destination_(kDefaultServerHostName, kDefaultServerPort) {
+    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     IPAddress ip(192, 0, 2, 33);
     peer_addr_ = IPEndPoint(ip, 443);
     self_addr_ = IPEndPoint(ip, 8435);
@@ -462,10 +467,8 @@ class BidirectionalStreamQuicImplTest
   }
 
   void ProcessPacket(std::unique_ptr<quic::QuicReceivedPacket> packet) {
-    connection_->ProcessUdpPacket(
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(self_addr_)),
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(peer_addr_)),
-        *packet);
+    connection_->ProcessUdpPacket(ToQuicSocketAddress(self_addr_),
+                                  ToQuicSocketAddress(peer_addr_), *packet);
   }
 
   // Configures the test fixture to use the list of expected writes.
@@ -485,6 +488,7 @@ class BidirectionalStreamQuicImplTest
     socket_data_.reset(new StaticSocketDataProvider(
         base::span<MockRead>(),
         base::make_span(mock_writes_.get(), writes_.size())));
+    socket_data_->set_printer(&printer_);
 
     std::unique_ptr<MockUDPClientSocket> socket(new MockUDPClientSocket(
         socket_data_.get(), net_log().bound().net_log()));
@@ -494,9 +498,8 @@ class BidirectionalStreamQuicImplTest
         new QuicChromiumConnectionHelper(&clock_, &random_generator_));
     alarm_factory_.reset(new QuicChromiumAlarmFactory(runner_.get(), &clock_));
     connection_ = new quic::QuicConnection(
-        connection_id_,
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(peer_addr_)),
-        helper_.get(), alarm_factory_.get(),
+        connection_id_, ToQuicSocketAddress(peer_addr_), helper_.get(),
+        alarm_factory_.get(),
         new QuicChromiumPacketWriter(socket.get(), runner_.get()),
         true /* owns_writer */, quic::Perspective::IS_CLIENT,
         quic::test::SupportedVersions(version_));
@@ -515,14 +518,15 @@ class BidirectionalStreamQuicImplTest
         base::WrapUnique(static_cast<QuicServerInfo*>(nullptr)),
         QuicSessionKey(kDefaultServerHostName, kDefaultServerPort,
                        PRIVACY_MODE_DISABLED, SocketTag()),
-        /*require_confirmation=*/false, /*migrate_session_early_v2=*/false,
+        /*require_confirmation=*/false,
+        /*max_allowed_push_id=*/0,
+        /*migrate_session_early_v2=*/false,
         /*migrate_session_on_network_change_v2=*/false,
         /*default_network=*/NetworkChangeNotifier::kInvalidNetworkHandle,
         quic::QuicTime::Delta::FromMilliseconds(
-            kDefaultRetransmittableOnWireTimeoutMillisecs),
-        /*migrate_idle_session=*/false,
-        base::TimeDelta::FromSeconds(kDefaultIdleSessionMigrationPeriodSeconds),
-        base::TimeDelta::FromSeconds(kMaxTimeOnNonDefaultNetworkSecs),
+            kDefaultRetransmittableOnWireTimeout.InMilliseconds()),
+        /*migrate_idle_session=*/false, kDefaultIdleSessionMigrationPeriod,
+        kMaxTimeOnNonDefaultNetwork,
         kMaxMigrationsToNonDefaultNetworkOnWriteError,
         kMaxMigrationsToNonDefaultNetworkOnPathDegrading,
         kQuicYieldAfterPacketsRead,
@@ -557,105 +561,83 @@ class BidirectionalStreamQuicImplTest
     return server_maker_.GetResponseHeaders(response_code);
   }
 
-  std::unique_ptr<quic::QuicReceivedPacket> ConstructDataPacket(
-      uint64_t packet_number,
-      bool should_include_version,
-      bool fin,
-      quic::QuicStreamOffset offset,
-      quic::QuicStringPiece data,
-      QuicTestPacketMaker* maker) {
-    std::unique_ptr<quic::QuicReceivedPacket> packet(maker->MakeDataPacket(
-        packet_number, stream_id_, should_include_version, fin, offset, data));
-    DVLOG(2) << "packet(" << packet_number << "): " << std::endl
-             << quic::QuicTextUtils::HexDump(packet->AsStringPiece());
-    return packet;
-  }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerDataPacket(
       uint64_t packet_number,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
-    return ConstructDataPacket(packet_number, should_include_version, fin,
-                               offset, data, &server_maker_);
+    std::unique_ptr<quic::QuicReceivedPacket> packet(
+        server_maker_.MakeDataPacket(packet_number, stream_id_,
+                                     should_include_version, fin, data));
+    DVLOG(2) << "packet(" << packet_number << "): " << std::endl
+             << quic::QuicTextUtils::HexDump(packet->AsStringPiece());
+    return packet;
   }
 
   // Construct a data packet with multiple data frames
   std::unique_ptr<quic::QuicReceivedPacket>
   ConstructClientMultipleDataFramesPacket(
-      uint64_t packet_number,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string>& data_writes) {
     std::unique_ptr<quic::QuicReceivedPacket> packet(
-        client_maker_.MakeMultipleDataFramesPacket(packet_number, stream_id_,
+        client_maker_.MakeMultipleDataFramesPacket(++packet_number_, stream_id_,
                                                    should_include_version, fin,
-                                                   offset, data_writes));
-    DVLOG(2) << "packet(" << packet_number << "): " << std::endl
+                                                   data_writes));
+    DVLOG(2) << "packet(" << packet_number_ << "): " << std::endl
              << quic::QuicTextUtils::HexDump(packet->AsStringPiece());
     return packet;
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructRequestHeadersPacket(
-      uint64_t packet_number,
       bool fin,
       RequestPriority request_priority,
       size_t* spdy_headers_frame_length) {
-    return ConstructRequestHeadersPacketInner(
-        packet_number, stream_id_, fin, request_priority,
-        spdy_headers_frame_length, /*offset=*/nullptr);
+    return ConstructRequestHeadersPacketInner(stream_id_, fin, request_priority,
+                                              spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructRequestHeadersPacketInner(
-      uint64_t packet_number,
       quic::QuicStreamId stream_id,
       bool fin,
       RequestPriority request_priority,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
-    return ConstructRequestHeadersPacketInner(
-        packet_number, stream_id, fin, request_priority, 0,
-        spdy_headers_frame_length, offset);
+      size_t* spdy_headers_frame_length) {
+    return ConstructRequestHeadersPacketInner(stream_id, fin, request_priority,
+                                              0, spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructRequestHeadersPacketInner(
-      uint64_t packet_number,
       quic::QuicStreamId stream_id,
       bool fin,
       RequestPriority request_priority,
       quic::QuicStreamId parent_stream_id,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
+      size_t* spdy_headers_frame_length) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(request_priority);
     std::unique_ptr<quic::QuicReceivedPacket> packet(
         client_maker_.MakeRequestHeadersPacket(
-            packet_number, stream_id, kIncludeVersion, fin, priority,
+            ++packet_number_, stream_id, kIncludeVersion, fin, priority,
             std::move(request_headers_), parent_stream_id,
-            spdy_headers_frame_length, offset));
-    DVLOG(2) << "packet(" << packet_number << "): " << std::endl
+            spdy_headers_frame_length));
+    DVLOG(2) << "packet(" << packet_number_ << "): " << std::endl
              << quic::QuicTextUtils::HexDump(packet->AsStringPiece());
     return packet;
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
   ConstructRequestHeadersAndMultipleDataFramesPacket(
-      uint64_t packet_number,
       bool fin,
       RequestPriority request_priority,
-      quic::QuicStreamOffset* header_stream_offset,
       size_t* spdy_headers_frame_length,
       const std::vector<std::string>& data) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(request_priority);
     std::unique_ptr<quic::QuicReceivedPacket> packet(
         client_maker_.MakeRequestHeadersAndMultipleDataFramesPacket(
-            packet_number, stream_id_, kIncludeVersion, fin, priority,
-            std::move(request_headers_), 0, header_stream_offset,
-            spdy_headers_frame_length, data));
-    DVLOG(2) << "packet(" << packet_number << "): " << std::endl
+            ++packet_number_, stream_id_, kIncludeVersion, fin, priority,
+            std::move(request_headers_), 0, spdy_headers_frame_length, data));
+    DVLOG(2) << "packet(" << packet_number_ << "): " << std::endl
              << quic::QuicTextUtils::HexDump(packet->AsStringPiece());
     return packet;
   }
@@ -664,11 +646,10 @@ class BidirectionalStreamQuicImplTest
       uint64_t packet_number,
       bool fin,
       spdy::SpdyHeaderBlock response_headers,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
-    return ConstructResponseHeadersPacketInner(
-        packet_number, stream_id_, fin, std::move(response_headers),
-        spdy_headers_frame_length, offset);
+      size_t* spdy_headers_frame_length) {
+    return ConstructResponseHeadersPacketInner(packet_number, stream_id_, fin,
+                                               std::move(response_headers),
+                                               spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructResponseHeadersPacketInner(
@@ -676,63 +657,57 @@ class BidirectionalStreamQuicImplTest
       quic::QuicStreamId stream_id,
       bool fin,
       spdy::SpdyHeaderBlock response_headers,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
+      size_t* spdy_headers_frame_length) {
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, stream_id, !kIncludeVersion, fin,
-        std::move(response_headers), spdy_headers_frame_length, offset);
+        std::move(response_headers), spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructResponseTrailersPacket(
       uint64_t packet_number,
       bool fin,
       spdy::SpdyHeaderBlock trailers,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
+      size_t* spdy_headers_frame_length) {
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, stream_id_, !kIncludeVersion, fin, std::move(trailers),
-        spdy_headers_frame_length, offset);
+        spdy_headers_frame_length);
   }
 
-  std::unique_ptr<quic::QuicReceivedPacket> ConstructClientRstStreamPacket(
-      uint64_t packet_number) {
-    return ConstructRstStreamCancelledPacket(packet_number, !kIncludeVersion, 0,
+  std::unique_ptr<quic::QuicReceivedPacket> ConstructClientRstStreamPacket() {
+    return ConstructRstStreamCancelledPacket(++packet_number_, !kIncludeVersion,
                                              &client_maker_);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerRstStreamPacket(
       uint64_t packet_number) {
-    return ConstructRstStreamCancelledPacket(packet_number, !kIncludeVersion, 0,
+    return ConstructRstStreamCancelledPacket(packet_number, !kIncludeVersion,
                                              &server_maker_);
   }
 
-  std::unique_ptr<quic::QuicReceivedPacket> ConstructClientEarlyRstStreamPacket(
-      uint64_t packet_number) {
-    return ConstructRstStreamCancelledPacket(packet_number, kIncludeVersion, 0,
+  std::unique_ptr<quic::QuicReceivedPacket>
+  ConstructClientEarlyRstStreamPacket() {
+    return ConstructRstStreamCancelledPacket(++packet_number_, kIncludeVersion,
                                              &client_maker_);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructRstStreamCancelledPacket(
       uint64_t packet_number,
       bool include_version,
-      size_t bytes_written,
       QuicTestPacketMaker* maker) {
-    std::unique_ptr<quic::QuicReceivedPacket> packet(
-        maker->MakeRstPacket(packet_number, include_version, stream_id_,
-                             quic::QUIC_STREAM_CANCELLED, bytes_written,
-                             /*include_stop_sending_if_v99=*/true));
+    std::unique_ptr<quic::QuicReceivedPacket> packet(maker->MakeRstPacket(
+        packet_number, include_version, stream_id_, quic::QUIC_STREAM_CANCELLED,
+        /*include_stop_sending_if_v99=*/true));
     DVLOG(2) << "packet(" << packet_number << "): " << std::endl
              << quic::QuicTextUtils::HexDump(packet->AsStringPiece());
     return packet;
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
-  ConstructClientAckAndRstStreamPacket(uint64_t packet_number,
-                                       uint64_t largest_received,
+  ConstructClientAckAndRstStreamPacket(uint64_t largest_received,
                                        uint64_t smallest_received,
                                        uint64_t least_unacked) {
     return client_maker_.MakeAckAndRstPacket(
-        packet_number, !kIncludeVersion, stream_id_,
+        ++packet_number_, !kIncludeVersion, stream_id_,
         quic::QUIC_STREAM_CANCELLED, largest_received, smallest_received,
         least_unacked, !kIncludeCongestionFeedback);
   }
@@ -744,13 +719,12 @@ class BidirectionalStreamQuicImplTest
       uint64_t smallest_received,
       uint64_t least_unacked,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data,
       QuicTestPacketMaker* maker) {
     std::unique_ptr<quic::QuicReceivedPacket> packet(
         maker->MakeAckAndDataPacket(
             packet_number, should_include_version, stream_id_, largest_received,
-            smallest_received, least_unacked, fin, offset, data));
+            smallest_received, least_unacked, fin, data));
     DVLOG(2) << "packet(" << packet_number << "): " << std::endl
              << quic::QuicTextUtils::HexDump(packet->AsStringPiece());
     return packet;
@@ -758,29 +732,27 @@ class BidirectionalStreamQuicImplTest
 
   std::unique_ptr<quic::QuicReceivedPacket>
   ConstructAckAndMultipleDataFramesPacket(
-      uint64_t packet_number,
       bool should_include_version,
       uint64_t largest_received,
       uint64_t smallest_received,
       uint64_t least_unacked,
       bool fin,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string> data_writes) {
     std::unique_ptr<quic::QuicReceivedPacket> packet(
         client_maker_.MakeAckAndMultipleDataFramesPacket(
-            packet_number, should_include_version, stream_id_, largest_received,
-            smallest_received, least_unacked, fin, offset, data_writes));
-    DVLOG(2) << "packet(" << packet_number << "): " << std::endl
+            ++packet_number_, should_include_version, stream_id_,
+            largest_received, smallest_received, least_unacked, fin,
+            data_writes));
+    DVLOG(2) << "packet(" << packet_number_ << "): " << std::endl
              << quic::QuicTextUtils::HexDump(packet->AsStringPiece());
     return packet;
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructClientAckPacket(
-      uint64_t packet_number,
       uint64_t largest_received,
       uint64_t smallest_received,
       uint64_t least_unacked) {
-    return client_maker_.MakeAckPacket(packet_number, largest_received,
+    return client_maker_.MakeAckPacket(++packet_number_, largest_received,
                                        smallest_received, least_unacked,
                                        !kIncludeCongestionFeedback);
   }
@@ -795,10 +767,8 @@ class BidirectionalStreamQuicImplTest
                                        !kIncludeCongestionFeedback);
   }
 
-  std::unique_ptr<quic::QuicReceivedPacket> ConstructInitialSettingsPacket(
-      uint64_t packet_number,
-      quic::QuicStreamOffset* offset) {
-    return client_maker_.MakeInitialSettingsPacket(packet_number, offset);
+  std::unique_ptr<quic::QuicReceivedPacket> ConstructInitialSettingsPacket() {
+    return client_maker_.MakeInitialSettingsPacket(++packet_number_);
   }
 
   void ExpectLoadTimingValid(const LoadTimingInfo& load_timing_info,
@@ -835,6 +805,7 @@ class BidirectionalStreamQuicImplTest
   }
 
  protected:
+  QuicFlagSaver saver_;
   const quic::ParsedQuicVersion version_;
   const bool client_headers_include_h2_stream_dependency_;
   BoundTestNetLog net_log_;
@@ -854,10 +825,12 @@ class BidirectionalStreamQuicImplTest
   const quic::QuicConnectionId connection_id_;
   const quic::QuicStreamId stream_id_;
   QuicTestPacketMaker client_maker_;
+  uint64_t packet_number_;
   QuicTestPacketMaker server_maker_;
   IPEndPoint self_addr_;
   IPEndPoint peer_addr_;
   quic::test::MockRandom random_generator_;
+  QuicPacketPrinter printer_;
   MockCryptoClientStreamFactory crypto_client_stream_factory_;
   std::unique_ptr<StaticSocketDataProvider> socket_data_;
   std::vector<PacketToWrite> writes_;
@@ -865,23 +838,36 @@ class BidirectionalStreamQuicImplTest
   HostPortPair destination_;
 };
 
+// TODO(nharper): Make these tests work with TLS.
+quic::ParsedQuicVersionVector AllSupportedVersionsWithQuicCrypto() {
+  quic::ParsedQuicVersionVector versions;
+  for (const auto& version : quic::AllSupportedVersions()) {
+    if (version.handshake_protocol == quic::PROTOCOL_QUIC_CRYPTO) {
+      versions.push_back(version);
+    }
+  }
+  return versions;
+}
+
 INSTANTIATE_TEST_SUITE_P(
     Version,
     BidirectionalStreamQuicImplTest,
-    ::testing::Combine(::testing::ValuesIn(quic::AllVersionsExcept99()),
-                       ::testing::Bool()));
+    ::testing::Combine(
+        ::testing::ValuesIn(AllSupportedVersionsWithQuicCrypto()),
+        ::testing::Bool()));
 
 TEST_P(BidirectionalStreamQuicImplTest, GetRequest) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   AddWrite(ConstructRequestHeadersPacketInner(
-      1, GetNthClientInitiatedBidirectionalStreamId(0), kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  AddWrite(ConstructInitialSettingsPacket(2, &header_stream_offset));
-  AddWrite(ConstructClientAckPacket(3, 3, 1, 2));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    AddWrite(ConstructInitialSettingsPacket());
+  }
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
 
   Initialize();
 
@@ -908,10 +894,9 @@ TEST_P(BidirectionalStreamQuicImplTest, GetRequest) {
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
 
   size_t spdy_response_headers_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   LoadTimingInfo load_timing_info;
@@ -924,7 +909,7 @@ TEST_P(BidirectionalStreamQuicImplTest, GetRequest) {
   const char kResponseBody[] = "Hello world!";
   // Server sends data.
   std::string header = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin,
                                           header + kResponseBody));
   EXPECT_EQ(12, cb.WaitForResult());
 
@@ -935,11 +920,13 @@ TEST_P(BidirectionalStreamQuicImplTest, GetRequest) {
   spdy::SpdyHeaderBlock trailers;
   size_t spdy_trailers_frame_length;
   trailers["foo"] = "bar";
-  trailers[quic::kFinalOffsetHeaderKey] =
-      base::NumberToString(strlen(kResponseBody));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    trailers[quic::kFinalOffsetHeaderKey] =
+        base::NumberToString(strlen(kResponseBody));
+  }
   // Server sends trailers.
-  ProcessPacket(ConstructResponseTrailersPacket(
-      4, kFin, trailers.Clone(), &spdy_trailers_frame_length, &offset));
+  ProcessPacket(ConstructResponseTrailersPacket(4, kFin, trailers.Clone(),
+                                                &spdy_trailers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnTrailersReceived);
   EXPECT_THAT(cb2.WaitForResult(), IsOk());
@@ -959,8 +946,7 @@ TEST_P(BidirectionalStreamQuicImplTest, GetRequest) {
                                  spdy_trailers_frame_length),
             delegate->GetTotalReceivedBytes());
   // Check that NetLog was filled as expected.
-  TestNetLogEntry::List entries;
-  net_log().GetEntries(&entries);
+  auto entries = net_log().GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, /*min_offset=*/0,
       NetLogEventType::QUIC_CHROMIUM_CLIENT_STREAM_SEND_REQUEST_HEADERS,
@@ -977,19 +963,20 @@ TEST_P(BidirectionalStreamQuicImplTest, GetRequest) {
 
 TEST_P(BidirectionalStreamQuicImplTest, LoadTimingTwoRequests) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
-  quic::QuicStreamOffset offset = 0;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   AddWrite(ConstructRequestHeadersPacketInner(
-      1, GetNthClientInitiatedBidirectionalStreamId(0), kFin, DEFAULT_PRIORITY,
-      nullptr, &offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), kFin, DEFAULT_PRIORITY,
+      nullptr));
   // SetRequest() again for second request as |request_headers_| was moved.
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(1), kFin, DEFAULT_PRIORITY,
-      GetNthClientInitiatedBidirectionalStreamId(0), nullptr, &offset));
+      GetNthClientInitiatedBidirectionalStreamId(1), kFin, DEFAULT_PRIORITY,
+      GetNthClientInitiatedBidirectionalStreamId(0), nullptr));
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  AddWrite(ConstructInitialSettingsPacket(3, &offset));
-  AddWrite(ConstructClientAckPacket(4, 3, 1, 2));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    AddWrite(ConstructInitialSettingsPacket());
+  }
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
   Initialize();
 
   BidirectionalStreamRequestInfo request;
@@ -1022,14 +1009,13 @@ TEST_P(BidirectionalStreamQuicImplTest, LoadTimingTwoRequests) {
   ProcessPacket(ConstructServerAckPacket(1, 1, 1, 1));
 
   // Server sends the response headers.
-  offset = 0;
   ProcessPacket(ConstructResponseHeadersPacketInner(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kFin,
-      ConstructResponseHeaders("200"), nullptr, &offset));
+      ConstructResponseHeaders("200"), nullptr));
 
   ProcessPacket(ConstructResponseHeadersPacketInner(
       3, GetNthClientInitiatedBidirectionalStreamId(1), kFin,
-      ConstructResponseHeaders("200"), nullptr, &offset));
+      ConstructResponseHeaders("200"), nullptr));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   delegate2->WaitUntilNextCallback(kOnHeadersReceived);
@@ -1053,40 +1039,37 @@ TEST_P(BidirectionalStreamQuicImplTest, LoadTimingTwoRequests) {
 TEST_P(BidirectionalStreamQuicImplTest, CoalesceDataBuffersNotHeadersFrame) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   const char kBody1[] = "here are some data";
   const char kBody2[] = "data keep coming";
   std::string header = ConstructDataHeader(strlen(kBody1));
   std::string header2 = ConstructDataHeader(strlen(kBody2));
   std::vector<std::string> two_writes = {kBody1, kBody2};
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
   if (version_.transport_version != quic::QUIC_VERSION_99) {
-    AddWrite(ConstructClientMultipleDataFramesPacket(3, kIncludeVersion, !kFin,
-                                                     0, {kBody1, kBody2}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(kIncludeVersion, !kFin,
+                                                     {kBody1, kBody2}));
   } else {
     AddWrite(ConstructClientMultipleDataFramesPacket(
-        3, kIncludeVersion, !kFin, 0, {header, kBody1, header2, kBody2}));
+        kIncludeVersion, !kFin, {header, kBody1, header2, kBody2}));
   }
 
   // Ack server's data packet.
-  AddWrite(ConstructClientAckPacket(4, 3, 1, 2));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
   const char kBody3[] = "hello there";
   const char kBody4[] = "another piece of small data";
   const char kBody5[] = "really small";
   std::string header3 = ConstructDataHeader(strlen(kBody3));
   std::string header4 = ConstructDataHeader(strlen(kBody4));
   std::string header5 = ConstructDataHeader(strlen(kBody5));
-  quic::QuicStreamOffset data_offset =
-      strlen(kBody1) + strlen(kBody2) + header.length() + header2.length();
   if (version_.transport_version != quic::QUIC_VERSION_99) {
-    AddWrite(ConstructClientMultipleDataFramesPacket(
-        5, !kIncludeVersion, kFin, data_offset, {kBody3, kBody4, kBody5}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(!kIncludeVersion, kFin,
+                                                     {kBody3, kBody4, kBody5}));
   } else {
     AddWrite(ConstructClientMultipleDataFramesPacket(
-        5, !kIncludeVersion, kFin, data_offset,
+        !kIncludeVersion, kFin,
         {header3, kBody3, header4, kBody4, header5, kBody5}));
   }
 
@@ -1129,10 +1112,9 @@ TEST_P(BidirectionalStreamQuicImplTest, CoalesceDataBuffersNotHeadersFrame) {
   // Server sends the response headers.
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
   size_t spdy_response_headers_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   TestCompletionCallback cb;
@@ -1142,7 +1124,7 @@ TEST_P(BidirectionalStreamQuicImplTest, CoalesceDataBuffersNotHeadersFrame) {
   const char kResponseBody[] = "Hello world!";
   std::string header6 = ConstructDataHeader(strlen(kResponseBody));
   // Server sends data.
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin,
                                           header6 + kResponseBody));
 
   EXPECT_EQ(static_cast<int>(strlen(kResponseBody)), cb.WaitForResult());
@@ -1162,11 +1144,13 @@ TEST_P(BidirectionalStreamQuicImplTest, CoalesceDataBuffersNotHeadersFrame) {
   size_t spdy_trailers_frame_length;
   spdy::SpdyHeaderBlock trailers;
   trailers["foo"] = "bar";
-  trailers[quic::kFinalOffsetHeaderKey] =
-      base::NumberToString(strlen(kResponseBody));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    trailers[quic::kFinalOffsetHeaderKey] =
+        base::NumberToString(strlen(kResponseBody));
+  }
   // Server sends trailers.
-  ProcessPacket(ConstructResponseTrailersPacket(
-      4, kFin, trailers.Clone(), &spdy_trailers_frame_length, &offset));
+  ProcessPacket(ConstructResponseTrailersPacket(4, kFin, trailers.Clone(),
+                                                &spdy_trailers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnTrailersReceived);
   trailers.erase(quic::kFinalOffsetHeaderKey);
@@ -1194,31 +1178,28 @@ TEST_P(BidirectionalStreamQuicImplTest,
        SendDataCoalesceDataBufferAndHeaderFrame) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   const char kBody1[] = "here are some data";
   std::string header = ConstructDataHeader(strlen(kBody1));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     AddWrite(ConstructRequestHeadersAndMultipleDataFramesPacket(
-        2, !kFin, DEFAULT_PRIORITY, &header_stream_offset,
-        &spdy_request_headers_frame_length, {header, kBody1}));
+        !kFin, DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
+        {header, kBody1}));
   } else {
     AddWrite(ConstructRequestHeadersAndMultipleDataFramesPacket(
-        2, !kFin, DEFAULT_PRIORITY, &header_stream_offset,
-        &spdy_request_headers_frame_length, {kBody1}));
+        !kFin, DEFAULT_PRIORITY, &spdy_request_headers_frame_length, {kBody1}));
   }
 
   // Ack server's data packet.
-  AddWrite(ConstructClientAckPacket(3, 3, 1, 2));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
   const char kBody2[] = "really small";
   std::string header2 = ConstructDataHeader(strlen(kBody2));
-  quic::QuicStreamOffset data_offset = strlen(kBody1) + header.length();
   if (version_.transport_version == quic::QUIC_VERSION_99) {
-    AddWrite(ConstructClientMultipleDataFramesPacket(
-        4, !kIncludeVersion, kFin, data_offset, {header2, kBody2}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(!kIncludeVersion, kFin,
+                                                     {header2, kBody2}));
   } else {
-    AddWrite(ConstructClientMultipleDataFramesPacket(4, !kIncludeVersion, kFin,
-                                                     data_offset, {kBody2}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(!kIncludeVersion, kFin,
+                                                     {kBody2}));
   }
 
   Initialize();
@@ -1252,10 +1233,9 @@ TEST_P(BidirectionalStreamQuicImplTest,
   // Server sends the response headers.
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
   size_t spdy_response_headers_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   TestCompletionCallback cb;
@@ -1265,7 +1245,7 @@ TEST_P(BidirectionalStreamQuicImplTest,
   const char kResponseBody[] = "Hello world!";
   // Server sends data.
   std::string header3 = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin,
                                           header3 + kResponseBody));
 
   EXPECT_EQ(static_cast<int>(strlen(kResponseBody)), cb.WaitForResult());
@@ -1280,11 +1260,13 @@ TEST_P(BidirectionalStreamQuicImplTest,
   size_t spdy_trailers_frame_length;
   spdy::SpdyHeaderBlock trailers;
   trailers["foo"] = "bar";
-  trailers[quic::kFinalOffsetHeaderKey] =
-      base::NumberToString(strlen(kResponseBody));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    trailers[quic::kFinalOffsetHeaderKey] =
+        base::NumberToString(strlen(kResponseBody));
+  }
   // Server sends trailers.
-  ProcessPacket(ConstructResponseTrailersPacket(
-      4, kFin, trailers.Clone(), &spdy_trailers_frame_length, &offset));
+  ProcessPacket(ConstructResponseTrailersPacket(4, kFin, trailers.Clone(),
+                                                &spdy_trailers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnTrailersReceived);
   trailers.erase(quic::kFinalOffsetHeaderKey);
@@ -1310,8 +1292,7 @@ TEST_P(BidirectionalStreamQuicImplTest,
        SendvDataCoalesceDataBuffersAndHeaderFrame) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   const char kBody1[] = "here are some data";
   const char kBody2[] = "data keep coming";
   std::string header = ConstructDataHeader(strlen(kBody1));
@@ -1319,31 +1300,29 @@ TEST_P(BidirectionalStreamQuicImplTest,
 
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     AddWrite(ConstructRequestHeadersAndMultipleDataFramesPacket(
-        2, !kFin, DEFAULT_PRIORITY, &header_stream_offset,
-        &spdy_request_headers_frame_length, {header, kBody1, header2, kBody2}));
+        !kFin, DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
+        {header, kBody1, header2, kBody2}));
   } else {
     AddWrite(ConstructRequestHeadersAndMultipleDataFramesPacket(
-        2, !kFin, DEFAULT_PRIORITY, &header_stream_offset,
-        &spdy_request_headers_frame_length, {kBody1, kBody2}));
+        !kFin, DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
+        {kBody1, kBody2}));
   }
 
   // Ack server's data packet.
-  AddWrite(ConstructClientAckPacket(3, 3, 1, 2));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
   const char kBody3[] = "hello there";
   const char kBody4[] = "another piece of small data";
   const char kBody5[] = "really small";
   std::string header3 = ConstructDataHeader(strlen(kBody3));
   std::string header4 = ConstructDataHeader(strlen(kBody4));
   std::string header5 = ConstructDataHeader(strlen(kBody5));
-  quic::QuicStreamOffset data_offset =
-      strlen(kBody1) + strlen(kBody2) + header.length() + header2.length();
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     AddWrite(ConstructClientMultipleDataFramesPacket(
-        4, !kIncludeVersion, kFin, data_offset,
+        !kIncludeVersion, kFin,
         {header3, kBody3, header4, kBody4, header5, kBody5}));
   } else {
-    AddWrite(ConstructClientMultipleDataFramesPacket(
-        4, !kIncludeVersion, kFin, data_offset, {kBody3, kBody4, kBody5}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(!kIncludeVersion, kFin,
+                                                     {kBody3, kBody4, kBody5}));
   }
 
   Initialize();
@@ -1380,10 +1359,9 @@ TEST_P(BidirectionalStreamQuicImplTest,
   // Server sends the response headers.
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
   size_t spdy_response_headers_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   TestCompletionCallback cb;
@@ -1393,7 +1371,7 @@ TEST_P(BidirectionalStreamQuicImplTest,
   const char kResponseBody[] = "Hello world!";
   std::string header6 = ConstructDataHeader(strlen(kResponseBody));
   // Server sends data.
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin,
                                           header6 + kResponseBody));
 
   EXPECT_EQ(static_cast<int>(strlen(kResponseBody)), cb.WaitForResult());
@@ -1413,11 +1391,13 @@ TEST_P(BidirectionalStreamQuicImplTest,
   size_t spdy_trailers_frame_length;
   spdy::SpdyHeaderBlock trailers;
   trailers["foo"] = "bar";
-  trailers[quic::kFinalOffsetHeaderKey] =
-      base::NumberToString(strlen(kResponseBody));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    trailers[quic::kFinalOffsetHeaderKey] =
+        base::NumberToString(strlen(kResponseBody));
+  }
   // Server sends trailers.
-  ProcessPacket(ConstructResponseTrailersPacket(
-      4, kFin, trailers.Clone(), &spdy_trailers_frame_length, &offset));
+  ProcessPacket(ConstructResponseTrailersPacket(4, kFin, trailers.Clone(),
+                                                &spdy_trailers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnTrailersReceived);
   trailers.erase(quic::kFinalOffsetHeaderKey);
@@ -1443,8 +1423,7 @@ TEST_P(BidirectionalStreamQuicImplTest,
 // headers to be sent, if that write fails the stream does not crash.
 TEST_P(BidirectionalStreamQuicImplTest,
        SendDataWriteErrorCoalesceDataBufferAndHeaderFrame) {
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWriteError(SYNCHRONOUS, ERR_CONNECTION_REFUSED);
 
   Initialize();
@@ -1479,8 +1458,7 @@ TEST_P(BidirectionalStreamQuicImplTest,
 // headers to be sent, if that write fails the stream does not crash.
 TEST_P(BidirectionalStreamQuicImplTest,
        SendvDataWriteErrorCoalesceDataBufferAndHeaderFrame) {
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWriteError(SYNCHRONOUS, ERR_CONNECTION_REFUSED);
 
   Initialize();
@@ -1518,21 +1496,20 @@ TEST_P(BidirectionalStreamQuicImplTest,
 TEST_P(BidirectionalStreamQuicImplTest, PostRequest) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
   std::string header = ConstructDataHeader(strlen(kUploadData));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
-    AddWrite(ConstructClientMultipleDataFramesPacket(3, kIncludeVersion, kFin,
-                                                     0, {header, kUploadData}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(kIncludeVersion, kFin,
+                                                     {header, kUploadData}));
   } else {
-    AddWrite(ConstructClientMultipleDataFramesPacket(3, kIncludeVersion, kFin,
-                                                     0, {kUploadData}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(kIncludeVersion, kFin,
+                                                     {kUploadData}));
   }
 
-  AddWrite(ConstructClientAckPacket(4, 3, 1, 2));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
 
   Initialize();
 
@@ -1564,10 +1541,9 @@ TEST_P(BidirectionalStreamQuicImplTest, PostRequest) {
   // Server sends the response headers.
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
   size_t spdy_response_headers_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   TestCompletionCallback cb;
@@ -1577,7 +1553,7 @@ TEST_P(BidirectionalStreamQuicImplTest, PostRequest) {
   const char kResponseBody[] = "Hello world!";
   std::string header2 = ConstructDataHeader(strlen(kResponseBody));
   // Server sends data.
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin,
                                           header2 + kResponseBody));
 
   EXPECT_EQ(static_cast<int>(strlen(kResponseBody)), cb.WaitForResult());
@@ -1585,11 +1561,13 @@ TEST_P(BidirectionalStreamQuicImplTest, PostRequest) {
   size_t spdy_trailers_frame_length;
   spdy::SpdyHeaderBlock trailers;
   trailers["foo"] = "bar";
-  trailers[quic::kFinalOffsetHeaderKey] =
-      base::NumberToString(strlen(kResponseBody));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    trailers[quic::kFinalOffsetHeaderKey] =
+        base::NumberToString(strlen(kResponseBody));
+  }
   // Server sends trailers.
-  ProcessPacket(ConstructResponseTrailersPacket(
-      4, kFin, trailers.Clone(), &spdy_trailers_frame_length, &offset));
+  ProcessPacket(ConstructResponseTrailersPacket(4, kFin, trailers.Clone(),
+                                                &spdy_trailers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnTrailersReceived);
   trailers.erase(quic::kFinalOffsetHeaderKey);
@@ -1611,21 +1589,20 @@ TEST_P(BidirectionalStreamQuicImplTest, PostRequest) {
 TEST_P(BidirectionalStreamQuicImplTest, EarlyDataOverrideRequest) {
   SetRequest("PUT", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
   std::string header = ConstructDataHeader(strlen(kUploadData));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
-    AddWrite(ConstructClientMultipleDataFramesPacket(3, kIncludeVersion, kFin,
-                                                     0, {header, kUploadData}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(kIncludeVersion, kFin,
+                                                     {header, kUploadData}));
   } else {
-    AddWrite(ConstructClientMultipleDataFramesPacket(3, kIncludeVersion, kFin,
-                                                     0, {kUploadData}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(kIncludeVersion, kFin,
+                                                     {kUploadData}));
   }
 
-  AddWrite(ConstructClientAckPacket(4, 3, 1, 2));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
 
   Initialize();
 
@@ -1658,10 +1635,9 @@ TEST_P(BidirectionalStreamQuicImplTest, EarlyDataOverrideRequest) {
   // Server sends the response headers.
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
   size_t spdy_response_headers_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   TestCompletionCallback cb;
@@ -1671,7 +1647,7 @@ TEST_P(BidirectionalStreamQuicImplTest, EarlyDataOverrideRequest) {
   const char kResponseBody[] = "Hello world!";
   // Server sends data.
   std::string header2 = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin,
                                           header2 + kResponseBody));
 
   EXPECT_EQ(static_cast<int>(strlen(kResponseBody)), cb.WaitForResult());
@@ -1679,11 +1655,13 @@ TEST_P(BidirectionalStreamQuicImplTest, EarlyDataOverrideRequest) {
   size_t spdy_trailers_frame_length;
   spdy::SpdyHeaderBlock trailers;
   trailers["foo"] = "bar";
-  trailers[quic::kFinalOffsetHeaderKey] =
-      base::NumberToString(strlen(kResponseBody));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    trailers[quic::kFinalOffsetHeaderKey] =
+        base::NumberToString(strlen(kResponseBody));
+  }
   // Server sends trailers.
-  ProcessPacket(ConstructResponseTrailersPacket(
-      4, kFin, trailers.Clone(), &spdy_trailers_frame_length, &offset));
+  ProcessPacket(ConstructResponseTrailersPacket(4, kFin, trailers.Clone(),
+                                                &spdy_trailers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnTrailersReceived);
   trailers.erase(quic::kFinalOffsetHeaderKey);
@@ -1705,25 +1683,22 @@ TEST_P(BidirectionalStreamQuicImplTest, EarlyDataOverrideRequest) {
 TEST_P(BidirectionalStreamQuicImplTest, InterleaveReadDataAndSendData) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
 
   std::string header = ConstructDataHeader(strlen(kUploadData));
   if (version_.transport_version != quic::QUIC_VERSION_99) {
-    AddWrite(ConstructAckAndDataPacket(3, !kIncludeVersion, 2, 1, 2, !kFin, 0,
-                                       kUploadData, &client_maker_));
-    AddWrite(ConstructAckAndDataPacket(4, !kIncludeVersion, 3, 3, 3, kFin,
-                                       strlen(kUploadData), kUploadData,
-                                       &client_maker_));
+    AddWrite(ConstructAckAndDataPacket(++packet_number_, !kIncludeVersion, 2, 1,
+                                       2, !kFin, kUploadData, &client_maker_));
+    AddWrite(ConstructAckAndDataPacket(++packet_number_, !kIncludeVersion, 3, 3,
+                                       3, kFin, kUploadData, &client_maker_));
   } else {
     AddWrite(ConstructAckAndMultipleDataFramesPacket(
-        3, !kIncludeVersion, 2, 1, 1, !kFin, 0, {header, kUploadData}));
+        !kIncludeVersion, 2, 1, 1, !kFin, {header, kUploadData}));
     AddWrite(ConstructAckAndMultipleDataFramesPacket(
-        4, !kIncludeVersion, 3, 3, 3, kFin,
-        strlen(kUploadData) + header.length(), {header, kUploadData}));
+        !kIncludeVersion, 3, 3, 3, kFin, {header, kUploadData}));
   }
   Initialize();
 
@@ -1748,9 +1723,9 @@ TEST_P(BidirectionalStreamQuicImplTest, InterleaveReadDataAndSendData) {
   // Server sends the response headers.
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
   size_t spdy_response_headers_frame_length;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, nullptr));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   EXPECT_EQ("200", delegate->response_headers().find(":status")->second);
@@ -1770,7 +1745,7 @@ TEST_P(BidirectionalStreamQuicImplTest, InterleaveReadDataAndSendData) {
   std::string header2 = ConstructDataHeader(strlen(kResponseBody));
   // Server sends a data packet.
   ProcessPacket(ConstructAckAndDataPacket(3, !kIncludeVersion, 2, 1, 1, !kFin,
-                                          0, header2 + kResponseBody,
+                                          header2 + kResponseBody,
                                           &server_maker_));
 
   EXPECT_EQ(static_cast<int64_t>(strlen(kResponseBody)), cb.WaitForResult());
@@ -1783,10 +1758,10 @@ TEST_P(BidirectionalStreamQuicImplTest, InterleaveReadDataAndSendData) {
   TestCompletionCallback cb2;
   rv = delegate->ReadData(cb2.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  ProcessPacket(
-      ConstructAckAndDataPacket(4, !kIncludeVersion, 3, 1, 1, kFin,
-                                strlen(kResponseBody) + header2.length(),
-                                header2 + kResponseBody, &server_maker_));
+  ProcessPacket(ConstructAckAndDataPacket(4, !kIncludeVersion, 3, 1, 1, kFin,
+
+                                          header2 + kResponseBody,
+                                          &server_maker_));
 
   EXPECT_EQ(static_cast<int64_t>(strlen(kResponseBody)), cb2.WaitForResult());
 
@@ -1810,13 +1785,14 @@ TEST_P(BidirectionalStreamQuicImplTest, InterleaveReadDataAndSendData) {
 TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterHeaders) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   AddWrite(ConstructRequestHeadersPacketInner(
-      1, GetNthClientInitiatedBidirectionalStreamId(0), kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  AddWrite(ConstructInitialSettingsPacket(2, &header_stream_offset));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    AddWrite(ConstructInitialSettingsPacket());
+  }
   Initialize();
 
   BidirectionalStreamRequestInfo request;
@@ -1856,15 +1832,16 @@ TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterHeaders) {
 TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterReadData) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   AddWrite(ConstructRequestHeadersPacketInner(
-      1, GetNthClientInitiatedBidirectionalStreamId(0), kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  AddWrite(ConstructInitialSettingsPacket(2, &header_stream_offset));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    AddWrite(ConstructInitialSettingsPacket());
+  }
   // Why does QUIC ack Rst? Is this expected?
-  AddWrite(ConstructClientAckPacket(3, 3, 1, 2));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
 
   Initialize();
 
@@ -1890,10 +1867,9 @@ TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterReadData) {
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
 
   size_t spdy_response_headers_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   EXPECT_EQ("200", delegate->response_headers().find(":status")->second);
@@ -1921,11 +1897,10 @@ TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterReadData) {
 TEST_P(BidirectionalStreamQuicImplTest, SessionClosedBeforeReadData) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
   Initialize();
 
   BidirectionalStreamRequestInfo request;
@@ -1950,10 +1925,9 @@ TEST_P(BidirectionalStreamQuicImplTest, SessionClosedBeforeReadData) {
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
 
   size_t spdy_response_headers_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   TestCompletionCallback cb;
@@ -2031,8 +2005,7 @@ TEST_P(BidirectionalStreamQuicImplTest, SessionClosedBeforeStartNotConfirmed) {
 
 TEST_P(BidirectionalStreamQuicImplTest, SessionCloseDuringOnStreamReady) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWriteError(SYNCHRONOUS, ERR_CONNECTION_REFUSED);
 
   Initialize();
@@ -2059,12 +2032,11 @@ TEST_P(BidirectionalStreamQuicImplTest, SessionCloseDuringOnStreamReady) {
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnStreamReady) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
-  AddWrite(ConstructClientEarlyRstStreamPacket(3));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
+  AddWrite(ConstructClientEarlyRstStreamPacket());
 
   Initialize();
 
@@ -2091,12 +2063,11 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnStreamReady) {
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamAfterReadData) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
-  AddWrite(ConstructClientAckAndRstStreamPacket(3, 2, 1, 2));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
+  AddWrite(ConstructClientAckAndRstStreamPacket(2, 1, 2));
 
   Initialize();
 
@@ -2121,9 +2092,9 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamAfterReadData) {
   // Server sends the response headers.
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
   size_t spdy_response_headers_frame_length;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, nullptr));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   EXPECT_EQ("200", delegate->response_headers().find(":status")->second);
@@ -2147,12 +2118,11 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamAfterReadData) {
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnHeadersReceived) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
-  AddWrite(ConstructClientAckAndRstStreamPacket(3, 2, 1, 2));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
+  AddWrite(ConstructClientAckAndRstStreamPacket(2, 1, 2));
 
   Initialize();
 
@@ -2179,9 +2149,9 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnHeadersReceived) {
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
 
   size_t spdy_response_headers_frame_length;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, nullptr));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
   EXPECT_EQ("200", delegate->response_headers().find(":status")->second);
@@ -2195,13 +2165,12 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnHeadersReceived) {
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnDataRead) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
-  AddWrite(ConstructClientAckPacket(3, 3, 1, 2));
-  AddWrite(ConstructClientRstStreamPacket(4));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
+  AddWrite(ConstructClientRstStreamPacket());
 
   Initialize();
 
@@ -2227,9 +2196,9 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnDataRead) {
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
 
   size_t spdy_response_headers_frame_length;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, nullptr));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
 
@@ -2241,7 +2210,7 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnDataRead) {
   const char kResponseBody[] = "Hello world!";
   std::string header = ConstructDataHeader(strlen(kResponseBody));
   // Server sends data.
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin,
                                           header + kResponseBody));
   EXPECT_EQ(static_cast<int64_t>(strlen(kResponseBody)), cb.WaitForResult());
 
@@ -2255,20 +2224,19 @@ TEST_P(BidirectionalStreamQuicImplTest, AsyncFinRead) {
   const char kBody[] = "here is some data";
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(1, &header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestHeadersPacketInner(
-      2, GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
-      &spdy_request_headers_frame_length, &header_stream_offset));
+      GetNthClientInitiatedBidirectionalStreamId(0), !kFin, DEFAULT_PRIORITY,
+      &spdy_request_headers_frame_length));
   std::string header = ConstructDataHeader(strlen(kBody));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
-    AddWrite(ConstructClientMultipleDataFramesPacket(3, kIncludeVersion, kFin,
-                                                     0, {header, kBody}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(kIncludeVersion, kFin,
+                                                     {header, kBody}));
   } else {
-    AddWrite(ConstructClientMultipleDataFramesPacket(3, kIncludeVersion, kFin,
-                                                     0, {kBody}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(kIncludeVersion, kFin,
+                                                     {kBody}));
   }
-  AddWrite(ConstructClientAckPacket(4, 3, 1, 2));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));
 
   Initialize();
 
@@ -2301,9 +2269,9 @@ TEST_P(BidirectionalStreamQuicImplTest, AsyncFinRead) {
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
 
   size_t spdy_response_headers_frame_length;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, nullptr));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
 
@@ -2318,7 +2286,7 @@ TEST_P(BidirectionalStreamQuicImplTest, AsyncFinRead) {
 
   // Server sends data with the fin set, which should result in the stream
   // being closed and hence no RST_STREAM will be sent.
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, kFin,
                                           header2 + kResponseBody));
   EXPECT_EQ(static_cast<int64_t>(strlen(kResponseBody)), cb.WaitForResult());
 
@@ -2332,10 +2300,10 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnTrailersReceived) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  AddWrite(ConstructRequestHeadersPacket(1, kFin, DEFAULT_PRIORITY,
+  AddWrite(ConstructRequestHeadersPacket(kFin, DEFAULT_PRIORITY,
                                          &spdy_request_headers_frame_length));
-  AddWrite(ConstructClientAckPacket(2, 3, 1, 2));  // Ack the data packet
-  AddWrite(ConstructClientAckAndRstStreamPacket(3, 4, 4, 2));
+  AddWrite(ConstructClientAckPacket(3, 1, 2));  // Ack the data packet
+  AddWrite(ConstructClientAckAndRstStreamPacket(4, 4, 2));
 
   Initialize();
 
@@ -2360,11 +2328,10 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnTrailersReceived) {
   // Server sends the response headers.
   spdy::SpdyHeaderBlock response_headers = ConstructResponseHeaders("200");
 
-  quic::QuicStreamOffset offset = 0;
   size_t spdy_response_headers_frame_length;
-  ProcessPacket(ConstructResponseHeadersPacket(
-      2, !kFin, std::move(response_headers),
-      &spdy_response_headers_frame_length, &offset));
+  ProcessPacket(
+      ConstructResponseHeadersPacket(2, !kFin, std::move(response_headers),
+                                     &spdy_response_headers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnHeadersReceived);
 
@@ -2377,7 +2344,7 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnTrailersReceived) {
 
   // Server sends data.
   std::string header = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin, 0,
+  ProcessPacket(ConstructServerDataPacket(3, !kIncludeVersion, !kFin,
                                           header + kResponseBody));
 
   EXPECT_EQ(static_cast<int64_t>(strlen(kResponseBody)), cb.WaitForResult());
@@ -2386,11 +2353,13 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnTrailersReceived) {
   size_t spdy_trailers_frame_length;
   spdy::SpdyHeaderBlock trailers;
   trailers["foo"] = "bar";
-  trailers[quic::kFinalOffsetHeaderKey] =
-      base::NumberToString(strlen(kResponseBody));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    trailers[quic::kFinalOffsetHeaderKey] =
+        base::NumberToString(strlen(kResponseBody));
+  }
   // Server sends trailers.
-  ProcessPacket(ConstructResponseTrailersPacket(
-      4, kFin, trailers.Clone(), &spdy_trailers_frame_length, &offset));
+  ProcessPacket(ConstructResponseTrailersPacket(4, kFin, trailers.Clone(),
+                                                &spdy_trailers_frame_length));
 
   delegate->WaitUntilNextCallback(kOnTrailersReceived);
   trailers.erase(quic::kFinalOffsetHeaderKey);
diff --git a/chromium/net/quic/crypto_test_utils_chromium.cc b/chromium/net/quic/crypto_test_utils_chromium.cc
index f1c2d89f00c..e63cdc8da5b 100644
--- a/chromium/net/quic/crypto_test_utils_chromium.cc
+++ b/chromium/net/quic/crypto_test_utils_chromium.cc
@@ -59,7 +59,7 @@ class TestProofVerifierChromium : public ProofVerifierChromium {
     // Load and install the root for the validated chain.
     scoped_refptr<X509Certificate> root_cert =
         ImportCertFromFile(GetTestCertsDirectory(), cert_file);
-    scoped_root_.Reset(root_cert.get());
+    scoped_root_.Reset({root_cert});
   }
 
   ~TestProofVerifierChromium() override {}
diff --git a/chromium/net/quic/mock_quic_data.cc b/chromium/net/quic/mock_quic_data.cc
index 28e0a5f6305..9c71eff9c95 100644
--- a/chromium/net/quic/mock_quic_data.cc
+++ b/chromium/net/quic/mock_quic_data.cc
@@ -7,7 +7,8 @@
 namespace net {
 namespace test {
 
-MockQuicData::MockQuicData() : sequence_number_(0) {}
+MockQuicData::MockQuicData(quic::ParsedQuicVersion version)
+    : sequence_number_(0), printer_(version) {}
 
 MockQuicData::~MockQuicData() {}
 
@@ -36,6 +37,13 @@ void MockQuicData::AddWrite(IoMode mode, int rv) {
   writes_.push_back(MockWrite(mode, rv, sequence_number_++));
 }
 
+void MockQuicData::AddWrite(IoMode mode,
+                            int rv,
+                            std::unique_ptr<quic::QuicEncryptedPacket> packet) {
+  writes_.push_back(MockWrite(mode, rv, sequence_number_++));
+  packets_.push_back(std::move(packet));
+}
+
 void MockQuicData::AddSocketDataToFactory(MockClientSocketFactory* factory) {
   factory->AddSocketDataProvider(InitializeAndGetSequencedSocketData());
 }
@@ -54,6 +62,7 @@ void MockQuicData::Resume() {
 
 SequencedSocketData* MockQuicData::InitializeAndGetSequencedSocketData() {
   socket_data_.reset(new SequencedSocketData(reads_, writes_));
+  socket_data_->set_printer(&printer_);
   if (connect_ != nullptr)
     socket_data_->set_connect_data(*connect_);
 
diff --git a/chromium/net/quic/mock_quic_data.h b/chromium/net/quic/mock_quic_data.h
index 62109c002b7..6c7deff7177 100644
--- a/chromium/net/quic/mock_quic_data.h
+++ b/chromium/net/quic/mock_quic_data.h
@@ -5,6 +5,7 @@
 #ifndef NET_QUIC_MOCK_QUIC_DATA_H_
 #define NET_QUIC_MOCK_QUIC_DATA_H_
 
+#include "net/quic/quic_test_packet_printer.h"
 #include "net/socket/socket_test_util.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 
@@ -15,7 +16,7 @@ namespace test {
 // Simplify ownership issues and the interaction with the MockSocketFactory.
 class MockQuicData {
  public:
-  MockQuicData();
+  explicit MockQuicData(quic::ParsedQuicVersion version);
   ~MockQuicData();
 
   // Makes the Connect() call return |rv| either
@@ -38,6 +39,12 @@ class MockQuicData {
   // synchronously or asynchronously based on |mode|.
   void AddWrite(IoMode mode, int rv);
 
+  // Adds a write at the next sequence number which will write |packet|
+  // synchronously or asynchronously based on |mode| and return |rv|.
+  void AddWrite(IoMode mode,
+                int rv,
+                std::unique_ptr<quic::QuicEncryptedPacket> packet);
+
   // Adds the reads and writes to |factory|.
   void AddSocketDataToFactory(MockClientSocketFactory* factory);
 
@@ -63,6 +70,7 @@ class MockQuicData {
   std::vector<MockRead> reads_;
   size_t sequence_number_;
   std::unique_ptr<SequencedSocketData> socket_data_;
+  QuicPacketPrinter printer_;
 };
 
 }  // namespace test
diff --git a/chromium/net/quic/platform/impl/quic_bbr2_sender_impl.h b/chromium/net/quic/platform/impl/quic_bbr2_sender_impl.h
new file mode 100644
index 00000000000..df919dc6be0
--- /dev/null
+++ b/chromium/net/quic/platform/impl/quic_bbr2_sender_impl.h
@@ -0,0 +1,16 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_QUIC_PLATFORM_IMPL_QUIC_BBR2_SENDER_IMPL_H_
+#define NET_QUIC_PLATFORM_IMPL_QUIC_BBR2_SENDER_IMPL_H_
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h"
+
+namespace quic {
+
+using QuicBbr2SenderImpl = BbrSender;
+
+}  // namespace quic
+
+#endif  // NET_QUIC_PLATFORM_IMPL_QUIC_BBR2_SENDER_IMPL_H_
diff --git a/chromium/net/quic/platform/impl/quic_chromium_clock.cc b/chromium/net/quic/platform/impl/quic_chromium_clock.cc
index 7e3ff3b572a..f6be6b29448 100644
--- a/chromium/net/quic/platform/impl/quic_chromium_clock.cc
+++ b/chromium/net/quic/platform/impl/quic_chromium_clock.cc
@@ -4,13 +4,14 @@
 
 #include "net/quic/platform/impl/quic_chromium_clock.h"
 
-#include "base/memory/singleton.h"
+#include "base/no_destructor.h"
 #include "base/time/time.h"
 
 namespace quic {
 
 QuicChromiumClock* QuicChromiumClock::GetInstance() {
-  return base::Singleton<QuicChromiumClock>::get();
+  static base::NoDestructor<QuicChromiumClock> instance;
+  return instance.get();
 }
 QuicChromiumClock::QuicChromiumClock() {}
 
diff --git a/chromium/net/quic/platform/impl/quic_flags_impl.cc b/chromium/net/quic/platform/impl/quic_flags_impl.cc
index 3cd9d447e09..d2c719d08bd 100644
--- a/chromium/net/quic/platform/impl/quic_flags_impl.cc
+++ b/chromium/net/quic/platform/impl/quic_flags_impl.cc
@@ -203,7 +203,7 @@ std::vector<std::string> QuicParseCommandLineFlagsImpl(
   }
 
   logging::LoggingSettings settings;
-  settings.logging_dest = logging::LOG_TO_SYSTEM_DEBUG_LOG;
+  settings.logging_dest = logging::LOG_TO_STDERR;
   CHECK(logging::InitLogging(settings));
 
   return result.non_flag_args;
diff --git a/chromium/net/quic/platform/impl/quic_fuzzed_data_provider_impl.h b/chromium/net/quic/platform/impl/quic_fuzzed_data_provider_impl.h
index 4689fef3290..bfd3ab8bd2a 100644
--- a/chromium/net/quic/platform/impl/quic_fuzzed_data_provider_impl.h
+++ b/chromium/net/quic/platform/impl/quic_fuzzed_data_provider_impl.h
@@ -5,11 +5,11 @@
 #ifndef NET_QUIC_PLATFORM_IMPL_QUIC_FUZZED_DATA_PROVIDER_IMPL_H_
 #define NET_QUIC_PLATFORM_IMPL_QUIC_FUZZED_DATA_PROVIDER_IMPL_H_
 
-#include "base/test/fuzzed_data_provider.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace quic {
 
-using QuicFuzzedDataProviderImpl = base::FuzzedDataProvider;
+using QuicFuzzedDataProviderImpl = FuzzedDataProvider;
 
 }  // namespace quic
 
diff --git a/chromium/net/quic/platform/impl/quic_ip_address_impl.cc b/chromium/net/quic/platform/impl/quic_ip_address_impl.cc
deleted file mode 100644
index 37fa7427277..00000000000
--- a/chromium/net/quic/platform/impl/quic_ip_address_impl.cc
+++ /dev/null
@@ -1,153 +0,0 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/quic/platform/impl/quic_ip_address_impl.h"
-
-#include "build/build_config.h"
-#include "net/base/address_family.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-
-#if defined(OS_WIN)
-#include <winsock2.h>
-#include <ws2bth.h>
-#elif defined(OS_POSIX) || defined(OS_FUCHSIA)
-#include <netinet/in.h>
-#endif
-
-using std::string;
-
-namespace quic {
-
-QuicIpAddressImpl QuicIpAddressImpl::Loopback4() {
-  return QuicIpAddressImpl(net::IPAddress::IPv4Localhost());
-}
-
-QuicIpAddressImpl QuicIpAddressImpl::Loopback6() {
-  return QuicIpAddressImpl(net::IPAddress::IPv6Localhost());
-}
-
-QuicIpAddressImpl QuicIpAddressImpl::Any4() {
-  return QuicIpAddressImpl(net::IPAddress::IPv4AllZeros());
-}
-
-QuicIpAddressImpl QuicIpAddressImpl::Any6() {
-  return QuicIpAddressImpl(net::IPAddress::IPv6AllZeros());
-}
-
-QuicIpAddressImpl::QuicIpAddressImpl(const net::IPAddress& addr)
-    : ip_address_(addr) {}
-
-static_assert(sizeof(in_addr) == 32 / 8, "in_addr must be 32-bit long");
-QuicIpAddressImpl::QuicIpAddressImpl(const in_addr& ipv4_address)
-    : ip_address_(reinterpret_cast<const uint8_t*>(&ipv4_address),
-                  sizeof(in_addr)) {}
-
-static_assert(sizeof(in6_addr) == 128 / 8, "in6_addr must be 128-bit long");
-QuicIpAddressImpl::QuicIpAddressImpl(const in6_addr& ipv6_address)
-    : ip_address_(reinterpret_cast<const uint8_t*>(&ipv6_address),
-                  sizeof(in6_addr)) {}
-
-bool operator==(QuicIpAddressImpl lhs, QuicIpAddressImpl rhs) {
-  return lhs.ip_address_ == rhs.ip_address_;
-}
-
-bool operator!=(QuicIpAddressImpl lhs, QuicIpAddressImpl rhs) {
-  return !(lhs == rhs);
-}
-
-bool QuicIpAddressImpl::IsInitialized() const {
-  return net::GetAddressFamily(ip_address_) != net::ADDRESS_FAMILY_UNSPECIFIED;
-}
-
-IpAddressFamily QuicIpAddressImpl::address_family() const {
-  switch (net::GetAddressFamily(ip_address_)) {
-    case net::ADDRESS_FAMILY_IPV4:
-      return IpAddressFamily::IP_V4;
-    case net::ADDRESS_FAMILY_IPV6:
-      return IpAddressFamily::IP_V6;
-    case net::ADDRESS_FAMILY_UNSPECIFIED:
-      break;
-    default:
-      QUIC_BUG << "Invalid address family "
-               << net::GetAddressFamily(ip_address_);
-  }
-  return IpAddressFamily::IP_UNSPEC;
-}
-
-int QuicIpAddressImpl::AddressFamilyToInt() const {
-  switch (ip_address_.size()) {
-    case net::IPAddress::kIPv4AddressSize:
-      return AF_INET;
-    case net::IPAddress::kIPv6AddressSize:
-      return AF_INET6;
-    default:
-      NOTREACHED() << "Bad IP address";
-      return AF_UNSPEC;
-  }
-}
-
-string QuicIpAddressImpl::ToPackedString() const {
-  return net::IPAddressToPackedString(ip_address_);
-}
-
-string QuicIpAddressImpl::ToString() const {
-  if (!IsInitialized()) {
-    return "Uninitialized address";
-  }
-  return ip_address_.ToString();
-}
-
-QuicIpAddressImpl QuicIpAddressImpl::Normalized() const {
-  if (ip_address_.IsIPv4MappedIPv6()) {
-    return QuicIpAddressImpl(ConvertIPv4MappedIPv6ToIPv4(ip_address_));
-  }
-  return QuicIpAddressImpl(ip_address_);
-}
-
-QuicIpAddressImpl QuicIpAddressImpl::DualStacked() const {
-  if (ip_address_.IsIPv4()) {
-    return QuicIpAddressImpl(ConvertIPv4ToIPv4MappedIPv6(ip_address_));
-  }
-  return QuicIpAddressImpl(ip_address_);
-}
-
-bool QuicIpAddressImpl::FromPackedString(const char* data, size_t length) {
-  if (length != net::IPAddress::kIPv4AddressSize &&
-      length != net::IPAddress::kIPv6AddressSize) {
-    QUIC_BUG << "Invalid packed IP address of length " << length;
-    return false;
-  }
-  ip_address_ = net::IPAddress(reinterpret_cast<const uint8_t*>(data), length);
-  return true;
-}
-
-bool QuicIpAddressImpl::FromString(string str) {
-  return ip_address_.AssignFromIPLiteral(str);
-}
-
-bool QuicIpAddressImpl::IsIPv4() const {
-  return ip_address_.IsIPv4();
-}
-
-bool QuicIpAddressImpl::IsIPv6() const {
-  return ip_address_.IsIPv6();
-}
-
-bool QuicIpAddressImpl::InSameSubnet(const QuicIpAddressImpl& other,
-                                     int subnet_length) {
-  return net::IPAddressMatchesPrefix(ip_address_, other.ip_address(),
-                                     subnet_length);
-}
-
-in_addr QuicIpAddressImpl::GetIPv4() const {
-  DCHECK_EQ(sizeof(in_addr), ip_address_.bytes().size());
-  return *(reinterpret_cast<const in_addr*>(ip_address_.bytes().data()));
-}
-
-in6_addr QuicIpAddressImpl::GetIPv6() const {
-  DCHECK_EQ(sizeof(in6_addr), ip_address_.bytes().size());
-  return *(reinterpret_cast<const in6_addr*>(ip_address_.bytes().data()));
-}
-
-}  // namespace quic
diff --git a/chromium/net/quic/platform/impl/quic_ip_address_impl.h b/chromium/net/quic/platform/impl/quic_ip_address_impl.h
deleted file mode 100644
index 84579fe06b7..00000000000
--- a/chromium/net/quic/platform/impl/quic_ip_address_impl.h
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_QUIC_PLATFORM_IMPL_QUIC_IP_ADDRESS_IMPL_H_
-#define NET_QUIC_PLATFORM_IMPL_QUIC_IP_ADDRESS_IMPL_H_
-
-#include "build/build_config.h"
-
-#include <string>
-
-#if defined(_WIN32)
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#else
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#endif
-
-#include "net/base/ip_address.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_ip_address_family.h"
-
-namespace quic {
-
-class QUIC_EXPORT_PRIVATE QuicIpAddressImpl {
- public:
-  enum : size_t {
-    kIPv4AddressSize = net::IPAddress::kIPv4AddressSize,
-    kIPv6AddressSize = net::IPAddress::kIPv6AddressSize
-  };
-  static QuicIpAddressImpl Loopback4();
-  static QuicIpAddressImpl Loopback6();
-  static QuicIpAddressImpl Any4();
-  static QuicIpAddressImpl Any6();
-
-  QuicIpAddressImpl() = default;
-  QuicIpAddressImpl(const QuicIpAddressImpl& other) = default;
-  explicit QuicIpAddressImpl(const net::IPAddress& addr);
-  explicit QuicIpAddressImpl(const in_addr& ipv4_address);
-  explicit QuicIpAddressImpl(const in6_addr& ipv6_address);
-  QuicIpAddressImpl& operator=(const QuicIpAddressImpl& other) = default;
-  QuicIpAddressImpl& operator=(QuicIpAddressImpl&& other) = default;
-  friend bool operator==(QuicIpAddressImpl lhs, QuicIpAddressImpl rhs);
-  friend bool operator!=(QuicIpAddressImpl lhs, QuicIpAddressImpl rhs);
-
-  bool IsInitialized() const;
-  IpAddressFamily address_family() const;
-  int AddressFamilyToInt() const;
-  std::string ToPackedString() const;
-  std::string ToString() const;
-  QuicIpAddressImpl Normalized() const;
-  QuicIpAddressImpl DualStacked() const;
-  bool FromPackedString(const char* data, size_t length);
-  bool FromString(std::string str);
-  bool IsIPv4() const;
-  bool IsIPv6() const;
-  bool InSameSubnet(const QuicIpAddressImpl& other, int subnet_length);
-
-  in_addr GetIPv4() const;
-  in6_addr GetIPv6() const;
-  const net::IPAddress& ip_address() const { return ip_address_; }
-
- private:
-  net::IPAddress ip_address_;
-};
-
-}  // namespace quic
-
-#endif  // NET_QUIC_PLATFORM_IMPL_QUIC_IP_ADDRESS_IMPL_H_
diff --git a/chromium/net/quic/platform/impl/quic_map_util_impl.h b/chromium/net/quic/platform/impl/quic_map_util_impl.h
index 2efde2473bf..c25e1c41128 100644
--- a/chromium/net/quic/platform/impl/quic_map_util_impl.h
+++ b/chromium/net/quic/platform/impl/quic_map_util_impl.h
@@ -11,12 +11,12 @@ namespace quic {
 
 template <class Collection, class Key>
 bool QuicContainsKeyImpl(const Collection& collection, const Key& key) {
-  return base::ContainsKey(collection, key);
+  return base::Contains(collection, key);
 }
 
 template <typename Collection, typename Value>
 bool QuicContainsValueImpl(const Collection& collection, const Value& value) {
-  return base::ContainsValue(collection, value);
+  return base::Contains(collection, value);
 }
 
 }  // namespace quic
diff --git a/chromium/net/quic/platform/impl/quic_mem_slice_storage_impl.cc b/chromium/net/quic/platform/impl/quic_mem_slice_storage_impl.cc
index f0c4fe941c1..420b675f195 100644
--- a/chromium/net/quic/platform/impl/quic_mem_slice_storage_impl.cc
+++ b/chromium/net/quic/platform/impl/quic_mem_slice_storage_impl.cc
@@ -35,6 +35,11 @@ QuicMemSliceStorageImpl::QuicMemSliceStorageImpl(
   }
 }
 
+void QuicMemSliceStorageImpl::Append(QuicMemSliceImpl mem_slice) {
+  buffers_.push_back(*mem_slice.impl());
+  lengths_.push_back(mem_slice.length());
+}
+
 QuicMemSliceStorageImpl::QuicMemSliceStorageImpl(
     const QuicMemSliceStorageImpl& other) = default;
 QuicMemSliceStorageImpl::QuicMemSliceStorageImpl(
diff --git a/chromium/net/quic/platform/impl/quic_mem_slice_storage_impl.h b/chromium/net/quic/platform/impl/quic_mem_slice_storage_impl.h
index 9e91fff9a37..3b56cd07688 100644
--- a/chromium/net/quic/platform/impl/quic_mem_slice_storage_impl.h
+++ b/chromium/net/quic/platform/impl/quic_mem_slice_storage_impl.h
@@ -33,6 +33,8 @@ class QUIC_EXPORT_PRIVATE QuicMemSliceStorageImpl {
         buffers_.data(), lengths_.data(), buffers_.size()));
   }
 
+  void Append(QuicMemSliceImpl mem_slice);
+
  private:
   std::vector<scoped_refptr<net::IOBuffer>> buffers_;
   std::vector<size_t> lengths_;
diff --git a/chromium/net/quic/platform/impl/quic_socket_address_impl.cc b/chromium/net/quic/platform/impl/quic_socket_address_impl.cc
index 952a1823f1d..9b7a67080aa 100644
--- a/chromium/net/quic/platform/impl/quic_socket_address_impl.cc
+++ b/chromium/net/quic/platform/impl/quic_socket_address_impl.cc
@@ -31,11 +31,12 @@ QuicSocketAddressImpl::QuicSocketAddressImpl(
   }
 }
 
-QuicSocketAddressImpl::QuicSocketAddressImpl(const struct sockaddr& saddr) {
-  if (saddr.sa_family == AF_INET) {
-    CHECK(socket_address_.FromSockAddr(&saddr, sizeof(struct sockaddr_in)));
-  } else if (saddr.sa_family == AF_INET6) {
-    CHECK(socket_address_.FromSockAddr(&saddr, sizeof(struct sockaddr_in6)));
+QuicSocketAddressImpl::QuicSocketAddressImpl(const sockaddr* saddr,
+                                             socklen_t len) {
+  if (saddr->sa_family == AF_INET) {
+    CHECK(socket_address_.FromSockAddr(saddr, len));
+  } else if (saddr->sa_family == AF_INET6) {
+    CHECK(socket_address_.FromSockAddr(saddr, len));
   }
 }
 
@@ -78,8 +79,8 @@ QuicSocketAddressImpl QuicSocketAddressImpl::Normalized() const {
   return QuicSocketAddressImpl();
 }
 
-QuicIpAddressImpl QuicSocketAddressImpl::host() const {
-  return QuicIpAddressImpl(socket_address_.address());
+QuicIpAddress QuicSocketAddressImpl::host() const {
+  return ToQuicIpAddress(socket_address_.address());
 }
 
 uint16_t QuicSocketAddressImpl::port() const {
diff --git a/chromium/net/quic/platform/impl/quic_socket_address_impl.h b/chromium/net/quic/platform/impl/quic_socket_address_impl.h
index a6fa5439fe5..e6006baea8b 100644
--- a/chromium/net/quic/platform/impl/quic_socket_address_impl.h
+++ b/chromium/net/quic/platform/impl/quic_socket_address_impl.h
@@ -17,7 +17,7 @@ class QUIC_EXPORT_PRIVATE QuicSocketAddressImpl {
   explicit QuicSocketAddressImpl(const net::IPEndPoint& addr);
   QuicSocketAddressImpl(QuicIpAddress address, uint16_t port);
   explicit QuicSocketAddressImpl(const struct sockaddr_storage& saddr);
-  explicit QuicSocketAddressImpl(const struct sockaddr& saddr);
+  explicit QuicSocketAddressImpl(const sockaddr* saddr, socklen_t len);
   QuicSocketAddressImpl(const QuicSocketAddressImpl& other) = default;
   QuicSocketAddressImpl& operator=(const QuicSocketAddressImpl& other) =
       default;
@@ -32,7 +32,7 @@ class QUIC_EXPORT_PRIVATE QuicSocketAddressImpl {
   int FromSocket(int fd);
   QuicSocketAddressImpl Normalized() const;
 
-  QuicIpAddressImpl host() const;
+  QuicIpAddress host() const;
   uint16_t port() const;
 
   sockaddr_storage generic_address() const;
diff --git a/chromium/net/quic/platform/impl/quic_system_event_loop_impl.h b/chromium/net/quic/platform/impl/quic_system_event_loop_impl.h
index e4654c59c36..05439c225f0 100644
--- a/chromium/net/quic/platform/impl/quic_system_event_loop_impl.h
+++ b/chromium/net/quic/platform/impl/quic_system_event_loop_impl.h
@@ -5,8 +5,8 @@
 #ifndef NET_QUIC_PLATFORM_IMPL_QUIC_SYSTEM_EVENT_LOOP_IMPL_H_
 #define NET_QUIC_PLATFORM_IMPL_QUIC_SYSTEM_EVENT_LOOP_IMPL_H_
 
-#include "base/message_loop/message_loop.h"
 #include "base/run_loop.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/task/thread_pool/thread_pool.h"
 
 inline void QuicRunSystemEventLoopIterationImpl() {
@@ -20,7 +20,7 @@ class QuicSystemEventLoopImpl {
   }
 
  private:
-  base::MessageLoopForIO message_loop_;
+  base::SingleThreadTaskExecutor io_task_executor_{base::MessagePump::Type::IO};
 };
 
 #endif  // NET_QUIC_PLATFORM_IMPL_QUIC_SYSTEM_EVENT_LOOP_IMPL_H_
diff --git a/chromium/net/quic/platform/impl/quic_test_loopback_impl.cc b/chromium/net/quic/platform/impl/quic_test_loopback_impl.cc
index 878a31f2d28..f339bf1a12c 100644
--- a/chromium/net/quic/platform/impl/quic_test_loopback_impl.cc
+++ b/chromium/net/quic/platform/impl/quic_test_loopback_impl.cc
@@ -11,20 +11,22 @@ IpAddressFamily AddressFamilyUnderTestImpl() {
 }
 
 QuicIpAddress TestLoopback4Impl() {
-  return QuicIpAddress(QuicIpAddressImpl(net::IPAddress::IPv4Localhost()));
+  return QuicIpAddress::Loopback4();
 }
 
 QuicIpAddress TestLoopback6Impl() {
-  return QuicIpAddress(QuicIpAddressImpl(net::IPAddress::IPv6Localhost()));
+  return QuicIpAddress::Loopback6();
 }
 
 QuicIpAddress TestLoopbackImpl() {
-  return QuicIpAddress(QuicIpAddressImpl(net::IPAddress::IPv4Localhost()));
+  return QuicIpAddress::Loopback4();
 }
 
 QuicIpAddress TestLoopbackImpl(int index) {
-  const uint8_t kLocalhostIPv4[] = {127, 0, 0, index};
-  return QuicIpAddress(QuicIpAddressImpl(net::IPAddress(kLocalhostIPv4)));
+  const char kLocalhostIPv4[] = {127, 0, 0, index};
+  QuicIpAddress address;
+  address.FromPackedString(kLocalhostIPv4, 4);
+  return address;
 }
 
 }  // namespace quic
diff --git a/chromium/net/quic/quic_chromium_alarm_factory.cc b/chromium/net/quic/quic_chromium_alarm_factory.cc
index 9124fb0ee97..2eaf0bf7d71 100644
--- a/chromium/net/quic/quic_chromium_alarm_factory.cc
+++ b/chromium/net/quic/quic_chromium_alarm_factory.cc
@@ -23,8 +23,7 @@ class QuicChromeAlarm : public quic::QuicAlarm {
       : quic::QuicAlarm(std::move(delegate)),
         clock_(clock),
         task_runner_(task_runner),
-        task_deadline_(quic::QuicTime::Zero()),
-        weak_factory_(this) {}
+        task_deadline_(quic::QuicTime::Zero()) {}
 
  protected:
   void SetImpl() override {
@@ -84,7 +83,7 @@ class QuicChromeAlarm : public quic::QuicAlarm {
   // post a new task when the new deadline now earlier than when
   // previously posted.
   quic::QuicTime task_deadline_;
-  base::WeakPtrFactory<QuicChromeAlarm> weak_factory_;
+  base::WeakPtrFactory<QuicChromeAlarm> weak_factory_{this};
 };
 
 }  // namespace
@@ -92,7 +91,7 @@ class QuicChromeAlarm : public quic::QuicAlarm {
 QuicChromiumAlarmFactory::QuicChromiumAlarmFactory(
     base::TaskRunner* task_runner,
     const quic::QuicClock* clock)
-    : task_runner_(task_runner), clock_(clock), weak_factory_(this) {}
+    : task_runner_(task_runner), clock_(clock) {}
 
 QuicChromiumAlarmFactory::~QuicChromiumAlarmFactory() {}
 
diff --git a/chromium/net/quic/quic_chromium_alarm_factory.h b/chromium/net/quic/quic_chromium_alarm_factory.h
index 1e478335654..d190a05b23c 100644
--- a/chromium/net/quic/quic_chromium_alarm_factory.h
+++ b/chromium/net/quic/quic_chromium_alarm_factory.h
@@ -40,7 +40,7 @@ class NET_EXPORT_PRIVATE QuicChromiumAlarmFactory
  private:
   base::TaskRunner* task_runner_;
   const quic::QuicClock* clock_;
-  base::WeakPtrFactory<QuicChromiumAlarmFactory> weak_factory_;
+  base::WeakPtrFactory<QuicChromiumAlarmFactory> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicChromiumAlarmFactory);
 };
diff --git a/chromium/net/quic/quic_chromium_client_session.cc b/chromium/net/quic/quic_chromium_client_session.cc
index dfd04101031..b85a00a75b9 100644
--- a/chromium/net/quic/quic_chromium_client_session.cc
+++ b/chromium/net/quic/quic_chromium_client_session.cc
@@ -7,6 +7,7 @@
 #include <utility>
 
 #include "base/bind.h"
+#include "base/feature_list.h"
 #include "base/location.h"
 #include "base/memory/ptr_util.h"
 #include "base/metrics/histogram_functions.h"
@@ -20,9 +21,11 @@
 #include "base/time/tick_clock.h"
 #include "base/trace_event/memory_usage_estimator.h"
 #include "base/values.h"
+#include "net/base/features.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/network_activity_monitor.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/url_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log_event_type.h"
@@ -42,7 +45,7 @@
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_client_promised_info.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
@@ -71,9 +74,6 @@ const size_t kMinRetryTimeForDefaultNetworkSecs = 1;
 // network.
 const int kDefaultRTTMilliSecs = 300;
 
-// The maximum size of uncompressed QUIC headers that will be allowed.
-const size_t kMaxUncompressedHeaderSize = 256 * 1024;
-
 // Histograms for tracking down the crashes from http://crbug.com/354669
 // Note: these values must be kept in sync with the corresponding values in:
 // tools/metrics/histograms/histograms.xml
@@ -134,34 +134,26 @@ void RecordConnectionCloseErrorCode(quic::QuicErrorCode error,
   }
 }
 
-NetLogParametersCallback NetLogQuicConnectionMigrationTriggerCallback(
-    const char* trigger) {
-  return NetLog::StringCallback("trigger", trigger);
-}
-
-base::Value NetLogQuicConnectionMigrationFailureCallback(
+base::Value NetLogQuicConnectionMigrationFailureParams(
     quic::QuicConnectionId connection_id,
-    std::string reason,
-    NetLogCaptureMode capture_mode) {
+    const std::string& reason) {
   base::DictionaryValue dict;
   dict.SetString("connection_id", connection_id.ToString());
   dict.SetString("reason", reason);
   return std::move(dict);
 }
 
-base::Value NetLogQuicConnectionMigrationSuccessCallback(
-    quic::QuicConnectionId connection_id,
-    NetLogCaptureMode capture_mode) {
+base::Value NetLogQuicConnectionMigrationSuccessParams(
+    quic::QuicConnectionId connection_id) {
   base::DictionaryValue dict;
   dict.SetString("connection_id", connection_id.ToString());
   return std::move(dict);
 }
 
-base::Value NetLogProbingResultCallback(
+base::Value NetLogProbingResultParams(
     NetworkChangeNotifier::NetworkHandle network,
     const quic::QuicSocketAddress* peer_address,
-    bool is_success,
-    NetLogCaptureMode capture_mode) {
+    bool is_success) {
   base::DictionaryValue dict;
   dict.SetString("network", base::NumberToString(network));
   dict.SetString("peer address", peer_address->ToString());
@@ -222,11 +214,9 @@ std::string ConnectionMigrationCauseToString(ConnectionMigrationCause cause) {
   return "InvalidCause";
 }
 
-base::Value NetLogQuicClientSessionCallback(
-    const quic::QuicServerId* server_id,
-    int cert_verify_flags,
-    bool require_confirmation,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicClientSessionParams(const quic::QuicServerId* server_id,
+                                          int cert_verify_flags,
+                                          bool require_confirmation) {
   base::DictionaryValue dict;
   dict.SetString("host", server_id->host());
   dict.SetInteger("port", server_id->port());
@@ -236,7 +226,7 @@ base::Value NetLogQuicClientSessionCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicPushPromiseReceivedCallback(
+base::Value NetLogQuicPushPromiseReceivedParams(
     const spdy::SpdyHeaderBlock* headers,
     spdy::SpdyStreamId stream_id,
     spdy::SpdyStreamId promised_stream_id,
@@ -392,13 +382,12 @@ void QuicChromiumClientSession::Handle::ResetPromised(
 }
 
 std::unique_ptr<quic::QuicConnection::ScopedPacketFlusher>
-QuicChromiumClientSession::Handle::CreatePacketBundler(
-    quic::QuicConnection::AckBundling bundling_mode) {
+QuicChromiumClientSession::Handle::CreatePacketBundler() {
   if (!session_)
     return nullptr;
 
   return std::make_unique<quic::QuicConnection::ScopedPacketFlusher>(
-      session_->connection(), bundling_mode);
+      session_->connection());
 }
 
 bool QuicChromiumClientSession::Handle::SharesSameSession(
@@ -564,8 +553,7 @@ QuicChromiumClientSession::StreamRequest::StreamRequest(
     : session_(session),
       requires_confirmation_(requires_confirmation),
       stream_(nullptr),
-      traffic_annotation_(traffic_annotation),
-      weak_factory_(this) {}
+      traffic_annotation_(traffic_annotation) {}
 
 QuicChromiumClientSession::StreamRequest::~StreamRequest() {
   if (stream_)
@@ -706,6 +694,7 @@ QuicChromiumClientSession::QuicChromiumClientSession(
     std::unique_ptr<QuicServerInfo> server_info,
     const QuicSessionKey& session_key,
     bool require_confirmation,
+    quic::QuicStreamId max_allowed_push_id,
     bool migrate_session_early_v2,
     bool migrate_sessions_on_network_change_v2,
     NetworkChangeNotifier::NetworkHandle default_network,
@@ -787,11 +776,12 @@ QuicChromiumClientSession::QuicChromiumClientSession(
       ignore_read_error_(false),
       headers_include_h2_stream_dependency_(
           headers_include_h2_stream_dependency &&
-          this->connection()->transport_version() >= quic::QUIC_VERSION_43),
-      weak_factory_(this) {
+          this->connection()->transport_version() >= quic::QUIC_VERSION_43) {
   // Make sure connection migration and goaway on path degrading are not turned
   // on at the same time.
   DCHECK(!(migrate_session_early_v2_ && go_away_on_path_degrading_));
+
+  quic::QuicSpdyClientSessionBase::set_max_allowed_push_id(max_allowed_push_id);
   default_network_ = default_network;
   auto* socket_raw = socket.get();
   sockets_.push_back(std::move(socket));
@@ -807,10 +797,10 @@ QuicChromiumClientSession::QuicChromiumClientSession(
   connection->set_debug_visitor(logger_.get());
   connection->set_creator_debug_delegate(logger_.get());
   migrate_back_to_default_timer_.SetTaskRunner(task_runner_);
-  net_log_.BeginEvent(
-      NetLogEventType::QUIC_SESSION,
-      base::Bind(NetLogQuicClientSessionCallback, &session_key.server_id(),
-                 cert_verify_flags, require_confirmation_));
+  net_log_.BeginEvent(NetLogEventType::QUIC_SESSION, [&] {
+    return NetLogQuicClientSessionParams(
+        &session_key.server_id(), cert_verify_flags, require_confirmation_);
+  });
   IPEndPoint address;
   if (socket_raw && socket_raw->GetLocalAddress(&address) == OK &&
       address.GetFamily() == ADDRESS_FAMILY_IPV6) {
@@ -852,7 +842,7 @@ QuicChromiumClientSession::~QuicChromiumClientSession() {
   if (connection()->connected()) {
     // Ensure that the connection is closed by the time the session is
     // destroyed.
-    connection()->CloseConnection(quic::QUIC_INTERNAL_ERROR,
+    connection()->CloseConnection(quic::QUIC_PEER_GOING_AWAY,
                                   "session torn down",
                                   quic::ConnectionCloseBehavior::SILENT_CLOSE);
   }
@@ -939,10 +929,10 @@ QuicChromiumClientSession::~QuicChromiumClientSession() {
 }
 
 void QuicChromiumClientSession::Initialize() {
+  set_max_inbound_header_list_size(kQuicMaxHeaderListSize);
   quic::QuicSpdyClientSessionBase::Initialize();
   SetHpackEncoderDebugVisitor(std::make_unique<HpackEncoderDebugVisitor>());
   SetHpackDecoderDebugVisitor(std::make_unique<HpackDecoderDebugVisitor>());
-  set_max_uncompressed_header_bytes(kMaxUncompressedHeaderSize);
 }
 
 size_t QuicChromiumClientSession::WriteHeadersOnHeadersStream(
@@ -979,11 +969,23 @@ void QuicChromiumClientSession::UnregisterStreamPriority(quic::QuicStreamId id,
 void QuicChromiumClientSession::UpdateStreamPriority(
     quic::QuicStreamId id,
     spdy::SpdyPriority new_priority) {
-  if (headers_include_h2_stream_dependency_) {
+  if (headers_include_h2_stream_dependency_ ||
+      VersionHasStreamType(connection()->transport_version())) {
     auto updates = priority_dependency_state_.OnStreamUpdate(id, new_priority);
     for (auto update : updates) {
-      WritePriority(update.id, update.parent_stream_id, update.weight,
-                    update.exclusive);
+      if (!VersionHasStreamType(connection()->transport_version())) {
+        WritePriority(update.id, update.parent_stream_id, update.weight,
+                      update.exclusive);
+      } else {
+        quic::PriorityFrame frame;
+        frame.weight = update.weight;
+        frame.exclusive = update.exclusive;
+        frame.prioritized_element_id = update.id;
+        frame.prioritized_type = quic::REQUEST_STREAM;
+        frame.dependency_type = quic::REQUEST_STREAM;
+        frame.element_dependency_id = update.parent_stream_id;
+        WriteH3Priority(frame);
+      }
     }
   }
   quic::QuicSpdySession::UpdateStreamPriority(id, new_priority);
@@ -1009,12 +1011,12 @@ void QuicChromiumClientSession::AddHandle(Handle* handle) {
     return;
   }
 
-  DCHECK(!base::ContainsKey(handles_, handle));
+  DCHECK(!base::Contains(handles_, handle));
   handles_.insert(handle);
 }
 
 void QuicChromiumClientSession::RemoveHandle(Handle* handle) {
-  DCHECK(base::ContainsKey(handles_, handle));
+  DCHECK(base::Contains(handles_, handle));
   handles_.erase(handle);
 }
 
@@ -1285,12 +1287,17 @@ int QuicChromiumClientSession::GetNumSentClientHellos() const {
   return crypto_stream_->num_sent_client_hellos();
 }
 
-bool QuicChromiumClientSession::CanPool(const std::string& hostname,
-                                        PrivacyMode privacy_mode,
-                                        const SocketTag& socket_tag) const {
+bool QuicChromiumClientSession::CanPool(
+    const std::string& hostname,
+    PrivacyMode privacy_mode,
+    const SocketTag& socket_tag,
+    const NetworkIsolationKey& network_isolation_key) const {
   DCHECK(connection()->connected());
   if (privacy_mode != session_key_.privacy_mode() ||
-      socket_tag != session_key_.socket_tag()) {
+      socket_tag != session_key_.socket_tag() ||
+      (network_isolation_key != session_key_.network_isolation_key() &&
+       base::FeatureList::IsEnabled(
+           features::kPartitionConnectionsByNetworkIsolationKey))) {
     // Privacy mode and socket tag must always match.
     return false;
   }
@@ -1364,7 +1371,7 @@ QuicChromiumClientStream* QuicChromiumClientSession::CreateIncomingStream(
 }
 
 QuicChromiumClientStream* QuicChromiumClientSession::CreateIncomingStream(
-    quic::PendingStream pending) {
+    quic::PendingStream* pending) {
   net::NetworkTrafficAnnotationTag traffic_annotation =
       net::DefineNetworkTrafficAnnotation(
           "quic_chromium_incoming_pending_session", R"(
@@ -1388,8 +1395,7 @@ QuicChromiumClientStream* QuicChromiumClientSession::CreateIncomingStream(
           "Essential for network access."
       }
   )");
-  return CreateIncomingReliableStreamImpl(std::move(pending),
-                                          traffic_annotation);
+  return CreateIncomingReliableStreamImpl(pending, traffic_annotation);
 }
 
 QuicChromiumClientStream*
@@ -1407,13 +1413,12 @@ QuicChromiumClientSession::CreateIncomingReliableStreamImpl(
 
 QuicChromiumClientStream*
 QuicChromiumClientSession::CreateIncomingReliableStreamImpl(
-    quic::PendingStream pending,
+    quic::PendingStream* pending,
     const NetworkTrafficAnnotationTag& traffic_annotation) {
   DCHECK(connection()->connected());
 
   QuicChromiumClientStream* stream = new QuicChromiumClientStream(
-      std::move(pending), this, quic::READ_UNIDIRECTIONAL, net_log_,
-      traffic_annotation);
+      pending, this, quic::READ_UNIDIRECTIONAL, net_log_, traffic_annotation);
   ActivateStream(base::WrapUnique(stream));
   ++num_total_streams_;
   return stream;
@@ -1421,13 +1426,14 @@ QuicChromiumClientSession::CreateIncomingReliableStreamImpl(
 
 void QuicChromiumClientSession::CloseStream(quic::QuicStreamId stream_id) {
   most_recent_stream_close_time_ = tick_clock_->NowTicks();
-  quic::QuicStream* stream = GetOrCreateStream(stream_id);
-  if (stream) {
-    logger_->UpdateReceivedFrameCounts(stream_id, stream->num_frames_received(),
-                                       stream->num_duplicate_frames_received());
+  auto it = stream_map().find(stream_id);
+  if (it != stream_map().end()) {
+    logger_->UpdateReceivedFrameCounts(
+        stream_id, it->second->num_frames_received(),
+        it->second->num_duplicate_frames_received());
     if (quic::QuicUtils::IsServerInitiatedStreamId(
             connection()->transport_version(), stream_id)) {
-      bytes_pushed_count_ += stream->stream_bytes_read();
+      bytes_pushed_count_ += it->second->stream_bytes_read();
     }
   }
   quic::QuicSpdySession::CloseStream(stream_id);
@@ -1439,16 +1445,17 @@ void QuicChromiumClientSession::SendRstStream(
     quic::QuicStreamOffset bytes_written) {
   if (quic::QuicUtils::IsServerInitiatedStreamId(
           connection()->transport_version(), id)) {
-    quic::QuicStream* stream = GetOrCreateStream(id);
-    if (stream) {
-      bytes_pushed_count_ += stream->stream_bytes_read();
+    auto it = stream_map().find(id);
+    if (it != stream_map().end()) {
+      bytes_pushed_count_ += it->second->stream_bytes_read();
     }
   }
 
   quic::QuicSpdySession::SendRstStream(id, error, bytes_written);
 }
 
-void QuicChromiumClientSession::OnCanCreateNewOutgoingStream() {
+void QuicChromiumClientSession::OnCanCreateNewOutgoingStream(
+    bool unidirectional) {
   if (CanOpenNextOutgoingBidirectionalStream() && !stream_requests_.empty() &&
       crypto_stream_->encryption_established() && !goaway_received() &&
       !going_away_ && connection()->connected()) {
@@ -1582,11 +1589,14 @@ void QuicChromiumClientSession::OnRstStream(
 }
 
 void QuicChromiumClientSession::OnConnectionClosed(
-    quic::QuicErrorCode error,
-    const std::string& error_details,
+    const quic::QuicConnectionCloseFrame& frame,
     quic::ConnectionCloseSource source) {
   DCHECK(!connection()->connected());
-  logger_->OnConnectionClosed(error, error_details, source);
+
+  logger_->OnConnectionClosed(frame, source);
+
+  const quic::QuicErrorCode error = frame.quic_error_code;
+  const std::string& error_details = frame.error_details;
 
   RecordConnectionCloseErrorCode(error, source, session_key_.host(),
                                  IsCryptoHandshakeConfirmed());
@@ -1705,7 +1715,7 @@ void QuicChromiumClientSession::OnConnectionClosed(
   base::UmaHistogramSparse("Net.QuicSession.QuicVersion",
                            connection()->transport_version());
   NotifyFactoryOfSessionGoingAway();
-  quic::QuicSession::OnConnectionClosed(error, error_details, source);
+  quic::QuicSession::OnConnectionClosed(frame, source);
 
   if (!callback_.is_null()) {
     std::move(callback_).Run(ERR_QUIC_PROTOCOL_ERROR);
@@ -1758,8 +1768,9 @@ int QuicChromiumClientSession::HandleWriteError(
   NetworkChangeNotifier::NetworkHandle current_network =
       GetDefaultSocket()->GetBoundNetwork();
 
-  net_log_.AddEvent(NetLogEventType::QUIC_CONNECTION_MIGRATION_ON_WRITE_ERROR,
-                    NetLog::Int64Callback("network", current_network));
+  net_log_.AddEventWithInt64Params(
+      NetLogEventType::QUIC_CONNECTION_MIGRATION_ON_WRITE_ERROR, "network",
+      current_network);
 
   DCHECK(packet != nullptr);
   DCHECK_NE(ERR_IO_PENDING, error_code);
@@ -1859,9 +1870,9 @@ void QuicChromiumClientSession::MigrateSessionOnWriteError(
 
   const NetLogWithSource migration_net_log = NetLogWithSource::Make(
       net_log_.net_log(), NetLogSourceType::QUIC_CONNECTION_MIGRATION);
-  migration_net_log.BeginEvent(
-      NetLogEventType::QUIC_CONNECTION_MIGRATION_TRIGGERED,
-      NetLogQuicConnectionMigrationTriggerCallback("WriteError"));
+  migration_net_log.BeginEventWithStringParams(
+      NetLogEventType::QUIC_CONNECTION_MIGRATION_TRIGGERED, "trigger",
+      "WriteError");
   MigrationResult result =
       Migrate(new_network, ToIPEndPoint(connection()->peer_address()),
               /*close_session_on_error=*/false, migration_net_log);
@@ -1938,8 +1949,10 @@ void QuicChromiumClientSession::OnProbeSucceeded(
   DCHECK(reader);
 
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CONNECTIVITY_PROBING_FINISHED,
-                    base::Bind(&NetLogProbingResultCallback, network,
-                               &peer_address, /*is_success=*/true));
+                    [&] {
+                      return NetLogProbingResultParams(network, &peer_address,
+                                                       /*is_success=*/true);
+                    });
 
   if (network != NetworkChangeNotifier::kInvalidNetworkHandle) {
     OnProbeNetworkSucceeded(network, peer_address, self_address,
@@ -1991,9 +2004,9 @@ void QuicChromiumClientSession::OnProbeNetworkSucceeded(
     return;
   }
 
-  net_log_.AddEvent(
+  net_log_.AddEventWithInt64Params(
       NetLogEventType::QUIC_CONNECTION_MIGRATION_SUCCESS_AFTER_PROBING,
-      NetLog::Int64Callback("migrate_to_network", network));
+      "migrate_to_network", network);
   if (network == default_network_) {
     DVLOG(1) << "Client successfully migrated to default network.";
     CancelMigrateBackToDefaultNetworkTimer();
@@ -2016,8 +2029,10 @@ void QuicChromiumClientSession::OnProbeFailed(
     NetworkChangeNotifier::NetworkHandle network,
     const quic::QuicSocketAddress& peer_address) {
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CONNECTIVITY_PROBING_FINISHED,
-                    base::Bind(&NetLogProbingResultCallback, network,
-                               &peer_address, /*is_success=*/false));
+                    [&] {
+                      return NetLogProbingResultParams(network, &peer_address,
+                                                       /*is_success=*/false);
+                    });
 
   if (network != NetworkChangeNotifier::kInvalidNetworkHandle)
     OnProbeNetworkFailed(network, peer_address);
@@ -2046,9 +2061,9 @@ void QuicChromiumClientSession::OnNetworkConnected(
     NetworkChangeNotifier::NetworkHandle network,
     const NetLogWithSource& net_log) {
   DCHECK(migrate_session_on_network_change_v2_);
-  net_log_.AddEvent(
+  net_log_.AddEventWithInt64Params(
       NetLogEventType::QUIC_CONNECTION_MIGRATION_ON_NETWORK_CONNECTED,
-      NetLog::Int64Callback("connected_network", network));
+      "connected_network", network);
   // If there was no migration waiting for new network and the path is not
   // degrading, ignore this signal.
   if (!wait_for_new_network_ && !connection()->IsPathDegrading())
@@ -2076,9 +2091,9 @@ void QuicChromiumClientSession::OnNetworkDisconnectedV2(
     NetworkChangeNotifier::NetworkHandle disconnected_network,
     const NetLogWithSource& migration_net_log) {
   DCHECK(migrate_session_on_network_change_v2_);
-  net_log_.AddEvent(
+  net_log_.AddEventWithInt64Params(
       NetLogEventType::QUIC_CONNECTION_MIGRATION_ON_NETWORK_DISCONNECTED,
-      NetLog::Int64Callback("disconnected_network", disconnected_network));
+      "disconnected_network", disconnected_network);
   LogMetricsOnNetworkDisconnected();
 
   // Stop probing the disconnected network if there is one.
@@ -2126,9 +2141,9 @@ void QuicChromiumClientSession::OnNetworkMadeDefault(
     NetworkChangeNotifier::NetworkHandle new_network,
     const NetLogWithSource& migration_net_log) {
   DCHECK(migrate_session_on_network_change_v2_);
-  net_log_.AddEvent(
+  net_log_.AddEventWithInt64Params(
       NetLogEventType::QUIC_CONNECTION_MIGRATION_ON_NETWORK_MADE_DEFAULT,
-      NetLog::Int64Callback("new_default_network", new_network));
+      "new_default_network", new_network);
   LogMetricsOnNetworkMadeDefault();
 
   DCHECK_NE(NetworkChangeNotifier::kInvalidNetworkHandle, new_network);
@@ -2312,9 +2327,9 @@ void QuicChromiumClientSession::OnPathDegrading() {
 
   const NetLogWithSource migration_net_log = NetLogWithSource::Make(
       net_log_.net_log(), NetLogSourceType::QUIC_CONNECTION_MIGRATION);
-  migration_net_log.BeginEvent(
-      NetLogEventType::QUIC_CONNECTION_MIGRATION_TRIGGERED,
-      NetLogQuicConnectionMigrationTriggerCallback("PathDegrading"));
+  migration_net_log.BeginEventWithStringParams(
+      NetLogEventType::QUIC_CONNECTION_MIGRATION_TRIGGERED, "trigger",
+      "PathDegrading");
   // Probe the alternative network, session will migrate to the probed
   // network and decide whether it wants to migrate back to the default
   // network on success.
@@ -2381,8 +2396,8 @@ void QuicChromiumClientSession::CloseSessionOnError(
 
   CloseAllStreams(net_error);
 
-  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CLOSE_ON_ERROR,
-                    NetLog::IntCallback("net_error", net_error));
+  net_log_.AddEventWithIntParams(NetLogEventType::QUIC_SESSION_CLOSE_ON_ERROR,
+                                 "net_error", net_error);
 
   if (connection()->connected())
     connection()->CloseConnection(quic_error, "net error", behavior);
@@ -2403,8 +2418,8 @@ void QuicChromiumClientSession::CloseSessionOnErrorLater(
   }
   CloseAllStreams(net_error);
   CloseAllHandles(net_error);
-  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CLOSE_ON_ERROR,
-                    NetLog::IntCallback("net_error", net_error));
+  net_log_.AddEventWithIntParams(NetLogEventType::QUIC_SESSION_CLOSE_ON_ERROR,
+                                 "net_error", net_error);
 
   if (connection()->connected())
     connection()->CloseConnection(quic_error, "net error", behavior);
@@ -2414,17 +2429,9 @@ void QuicChromiumClientSession::CloseSessionOnErrorLater(
 }
 
 void QuicChromiumClientSession::CloseAllStreams(int net_error) {
-  if (!eliminate_static_stream_map()) {
-    while (!dynamic_streams().empty()) {
-      quic::QuicStream* stream = dynamic_streams().begin()->second.get();
-      quic::QuicStreamId id = stream->id();
-      static_cast<QuicChromiumClientStream*>(stream)->OnError(net_error);
-      CloseStream(id);
-    }
-  } else {
     quic::QuicSmallMap<quic::QuicStreamId, quic::QuicStream*, 10>
         non_static_streams;
-    for (const auto& stream : dynamic_streams()) {
+    for (const auto& stream : stream_map()) {
       if (!stream.second->is_static()) {
         non_static_streams[stream.first] = stream.second.get();
       }
@@ -2434,7 +2441,6 @@ void QuicChromiumClientSession::CloseAllStreams(int net_error) {
       static_cast<QuicChromiumClientStream*>(stream.second)->OnError(net_error);
       CloseStream(id);
     }
-  }
 }
 
 void QuicChromiumClientSession::CloseAllHandles(int net_error) {
@@ -2567,9 +2573,9 @@ void QuicChromiumClientSession::TryMigrateBackToDefaultNetwork(
     return;
   }
 
-  net_log_.AddEvent(NetLogEventType::QUIC_CONNECTION_MIGRATION_ON_MIGRATE_BACK,
-                    base::Bind(NetLog::Int64Callback(
-                        "retry_count", retry_migrate_back_count_)));
+  net_log_.AddEventWithInt64Params(
+      NetLogEventType::QUIC_CONNECTION_MIGRATION_ON_MIGRATE_BACK, "retry_count",
+      retry_migrate_back_count_);
   // Start probe default network immediately, if manager is probing
   // the same network, this will be a no-op. Otherwise, previous probe
   // will be cancelled and manager starts to probe |default_network_|
@@ -2639,10 +2645,10 @@ bool QuicChromiumClientSession::CheckIdleTimeExceedsIdleMigrationPeriod() {
 void QuicChromiumClientSession::ResetNonMigratableStreams() {
   // TODO(zhongyi): may close non-migratable draining streams as well to avoid
   // sending additional data on alternate networks.
-  auto it = dynamic_streams().begin();
+  auto it = stream_map().begin();
   // Stream may be deleted when iterating through the map.
-  while (it != dynamic_streams().end()) {
-    if (eliminate_static_stream_map() && it->second->is_static()) {
+  while (it != stream_map().end()) {
+    if (it->second->is_static()) {
       it++;
       continue;
     }
@@ -2744,18 +2750,18 @@ void QuicChromiumClientSession::HistogramAndLogMigrationFailure(
     quic::QuicConnectionId connection_id,
     const std::string& reason) {
   LogConnectionMigrationResultToHistogram(status);
-  net_log.AddEvent(NetLogEventType::QUIC_CONNECTION_MIGRATION_FAILURE,
-                   base::Bind(&NetLogQuicConnectionMigrationFailureCallback,
-                              connection_id, reason));
+  net_log.AddEvent(NetLogEventType::QUIC_CONNECTION_MIGRATION_FAILURE, [&] {
+    return NetLogQuicConnectionMigrationFailureParams(connection_id, reason);
+  });
 }
 
 void QuicChromiumClientSession::HistogramAndLogMigrationSuccess(
     const NetLogWithSource& net_log,
     quic::QuicConnectionId connection_id) {
   LogConnectionMigrationResultToHistogram(MIGRATION_STATUS_SUCCESS);
-  net_log.AddEvent(
-      NetLogEventType::QUIC_CONNECTION_MIGRATION_SUCCESS,
-      base::Bind(&NetLogQuicConnectionMigrationSuccessCallback, connection_id));
+  net_log.AddEvent(NetLogEventType::QUIC_CONNECTION_MIGRATION_SUCCESS, [&] {
+    return NetLogQuicConnectionMigrationSuccessParams(connection_id);
+  });
 }
 
 base::Value QuicChromiumClientSession::GetInfoAsValue(
@@ -2765,10 +2771,11 @@ base::Value QuicChromiumClientSession::GetInfoAsValue(
                  QuicVersionToString(connection()->transport_version()));
   dict.SetInteger("open_streams", GetNumOpenOutgoingStreams());
   std::unique_ptr<base::ListValue> stream_list(new base::ListValue());
-  for (DynamicStreamMap::const_iterator it = dynamic_streams().begin();
-       it != dynamic_streams().end(); ++it) {
-    if (eliminate_static_stream_map() && it->second->is_static())
+  for (StreamMap::const_iterator it = stream_map().begin();
+       it != stream_map().end(); ++it) {
+    if (it->second->is_static()) {
       continue;
+    }
     stream_list->AppendString(base::NumberToString(it->second->id()));
   }
   dict.Set("active_streams", std::move(stream_list));
@@ -3012,7 +3019,8 @@ const DatagramClientSocket* QuicChromiumClientSession::GetDefaultSocket()
 
 bool QuicChromiumClientSession::IsAuthorized(const std::string& hostname) {
   bool result =
-      CanPool(hostname, session_key_.privacy_mode(), session_key_.socket_tag());
+      CanPool(hostname, session_key_.privacy_mode(), session_key_.socket_tag(),
+              session_key_.network_isolation_key());
   if (result)
     streams_pushed_count_++;
   return result;
@@ -3029,12 +3037,13 @@ bool QuicChromiumClientSession::HandlePromised(
     // promise has been received.
     if (push_delegate_) {
       std::string pushed_url =
-          quic::SpdyUtils::GetPromisedUrlFromHeaders(headers);
+          quic::SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers);
       push_delegate_->OnPush(std::make_unique<QuicServerPushHelper>(
                                  weak_factory_.GetWeakPtr(), GURL(pushed_url)),
                              net_log_);
     }
-    if (headers_include_h2_stream_dependency_) {
+    if (headers_include_h2_stream_dependency_ ||
+        VersionHasStreamType(connection()->transport_version())) {
       // Even though the promised stream will not be created until after the
       // push promise headers are received, send a PRIORITY frame for the
       // promised stream ID. Send |kDefaultPriority| since that will be the
@@ -3045,12 +3054,25 @@ bool QuicChromiumClientSession::HandlePromised(
       bool exclusive = false;
       priority_dependency_state_.OnStreamCreation(
           promised_id, priority, &parent_stream_id, &weight, &exclusive);
-      WritePriority(promised_id, parent_stream_id, weight, exclusive);
+      if (!VersionHasStreamType(connection()->transport_version())) {
+        WritePriority(promised_id, parent_stream_id, weight, exclusive);
+      } else {
+        quic::PriorityFrame frame;
+        frame.weight = weight;
+        frame.exclusive = exclusive;
+        frame.prioritized_type = quic::PUSH_STREAM;
+        frame.prioritized_element_id = promised_id;
+        frame.dependency_type = quic::REQUEST_STREAM;
+        frame.element_dependency_id = parent_stream_id;
+        WriteH3Priority(frame);
+      }
     }
   }
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PUSH_PROMISE_RECEIVED,
-                    base::Bind(&NetLogQuicPushPromiseReceivedCallback, &headers,
-                               id, promised_id));
+                    [&](NetLogCaptureMode capture_mode) {
+                      return NetLogQuicPushPromiseReceivedParams(
+                          &headers, id, promised_id, capture_mode);
+                    });
   return result;
 }
 
diff --git a/chromium/net/quic/quic_chromium_client_session.h b/chromium/net/quic/quic_chromium_client_session.h
index 51111ee9542..c8ca8a15546 100644
--- a/chromium/net/quic/quic_chromium_client_session.h
+++ b/chromium/net/quic/quic_chromium_client_session.h
@@ -52,6 +52,7 @@ namespace net {
 class CertVerifyResult;
 class DatagramClientSocket;
 class NetLog;
+class NetworkIsolationKey;
 class QuicCryptoClientStreamFactory;
 class QuicServerInfo;
 class QuicStreamFactory;
@@ -63,6 +64,10 @@ namespace test {
 class QuicChromiumClientSessionPeer;
 }  // namespace test
 
+// SETTINGS_MAX_HEADERS_LIST_SIZE, the maximum size of uncompressed QUIC headers
+// that the server is allowed to send.
+const size_t kQuicMaxHeaderListSize = 256 * 1024;
+
 // Result of a session migration attempt.
 enum class MigrationResult {
   SUCCESS,         // Migration succeeded.
@@ -182,7 +187,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
     // Returns a new packet bundler while will cause writes to be batched up
     // until a packet is full, or the last bundler is destroyed.
     std::unique_ptr<quic::QuicConnection::ScopedPacketFlusher>
-    CreatePacketBundler(quic::QuicConnection::AckBundling bundling_mode);
+    CreatePacketBundler();
 
     // Populates network error details for this session.
     void PopulateNetErrorDetails(NetErrorDetails* details) const;
@@ -354,7 +359,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
 
     const NetworkTrafficAnnotationTag traffic_annotation_;
 
-    base::WeakPtrFactory<StreamRequest> weak_factory_;
+    base::WeakPtrFactory<StreamRequest> weak_factory_{this};
 
     DISALLOW_COPY_AND_ASSIGN(StreamRequest);
   };
@@ -373,6 +378,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
       std::unique_ptr<QuicServerInfo> server_info,
       const QuicSessionKey& session_key,
       bool require_confirmation,
+      quic::QuicStreamId max_allowed_push_id,
       bool migrate_sesion_early_v2,
       bool migrate_session_on_network_change_v2,
       NetworkChangeNotifier::NetworkHandle default_network,
@@ -483,7 +489,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
       const quic::CryptoHandshakeMessage& message) override;
   void OnGoAway(const quic::QuicGoAwayFrame& frame) override;
   void OnRstStream(const quic::QuicRstStreamFrame& frame) override;
-  void OnCanCreateNewOutgoingStream() override;
+  void OnCanCreateNewOutgoingStream(bool unidirectional) override;
 
   // QuicClientSessionBase methods:
   void OnConfigNegotiated() override;
@@ -493,8 +499,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
       const quic::ProofVerifyDetails& verify_details) override;
 
   // quic::QuicConnectionVisitorInterface methods:
-  void OnConnectionClosed(quic::QuicErrorCode error,
-                          const std::string& error_details,
+  void OnConnectionClosed(const quic::QuicConnectionCloseFrame& frame,
                           quic::ConnectionCloseSource source) override;
   void OnSuccessfulVersionNegotiation(
       const quic::ParsedQuicVersion& version) override;
@@ -555,12 +560,15 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
   // presented during the handshake.
   bool CanPool(const std::string& hostname,
                PrivacyMode privacy_mode,
-               const SocketTag& socket_tag) const;
+               const SocketTag& socket_tag,
+               const NetworkIsolationKey& network_isolation_key) const;
 
   const quic::QuicServerId& server_id() const {
     return session_key_.server_id();
   }
 
+  const QuicSessionKey& quic_session_key() const { return session_key_; }
+
   // Attempts to migrate session when |writer| encounters a write error.
   // If |writer| is no longer actively used, abort migration.
   void MigrateSessionOnWriteError(int error_code,
@@ -658,7 +666,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
   QuicChromiumClientStream* CreateIncomingStream(
       quic::QuicStreamId id) override;
   QuicChromiumClientStream* CreateIncomingStream(
-      quic::PendingStream pending) override;
+      quic::PendingStream* pending) override;
 
  private:
   friend class test::QuicChromiumClientSessionPeer;
@@ -674,7 +682,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
       quic::QuicStreamId id,
       const NetworkTrafficAnnotationTag& traffic_annotation);
   QuicChromiumClientStream* CreateIncomingReliableStreamImpl(
-      quic::PendingStream pending,
+      quic::PendingStream* pending,
       const NetworkTrafficAnnotationTag& traffic_annotation);
   // A completion callback invoked when a read completes.
   void OnReadComplete(int result);
@@ -837,7 +845,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
   bool headers_include_h2_stream_dependency_;
   Http2PriorityDependencies priority_dependency_state_;
 
-  base::WeakPtrFactory<QuicChromiumClientSession> weak_factory_;
+  base::WeakPtrFactory<QuicChromiumClientSession> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicChromiumClientSession);
 };
diff --git a/chromium/net/quic/quic_chromium_client_session_test.cc b/chromium/net/quic/quic_chromium_client_session_test.cc
index 830144abf82..89a321d4022 100644
--- a/chromium/net/quic/quic_chromium_client_session_test.cc
+++ b/chromium/net/quic/quic_chromium_client_session_test.cc
@@ -11,15 +11,19 @@
 #include "base/run_loop.h"
 #include "base/stl_util.h"
 #include "base/test/metrics/histogram_tester.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/default_tick_clock.h"
 #include "build/build_config.h"
+#include "net/base/features.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/http/transport_security_state.h"
 #include "net/http/transport_security_state_test_util.h"
 #include "net/log/net_log_source.h"
 #include "net/log/test_net_log.h"
+#include "net/quic/address_utils.h"
 #include "net/quic/crypto/proof_verifier_chromium.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
 #include "net/quic/mock_quic_data.h"
@@ -47,7 +51,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_writer.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
@@ -89,8 +92,8 @@ class QuicChromiumClientSessionTest
   QuicChromiumClientSessionTest()
       : version_(std::get<0>(GetParam())),
         client_headers_include_h2_stream_dependency_(std::get<1>(GetParam())),
-        crypto_config_(quic::test::crypto_test_utils::ProofVerifierForTesting(),
-                       quic::TlsClientHandshaker::CreateSslCtx()),
+        crypto_config_(
+            quic::test::crypto_test_utils::ProofVerifierForTesting()),
         default_read_(new MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)),
         socket_data_(
             new SequencedSocketData(base::make_span(default_read_.get(), 1),
@@ -115,6 +118,7 @@ class QuicChromiumClientSessionTest
                       quic::Perspective::IS_SERVER,
                       false),
         migrate_session_early_v2_(false) {
+    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     // Advance the time, because timers do not like uninitialized times.
     clock_.AdvanceTime(quic::QuicTime::Delta::FromSeconds(1));
   }
@@ -138,22 +142,22 @@ class QuicChromiumClientSessionTest
         socket.get(), base::ThreadTaskRunnerHandle::Get().get());
     quic::QuicConnection* connection = new quic::QuicConnection(
         quic::QuicUtils::CreateRandomConnectionId(&random_),
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(kIpEndPoint)),
-        &helper_, &alarm_factory_, writer, true, quic::Perspective::IS_CLIENT,
+        ToQuicSocketAddress(kIpEndPoint), &helper_, &alarm_factory_, writer,
+        true, quic::Perspective::IS_CLIENT,
         quic::test::SupportedVersions(version_));
     session_.reset(new TestingQuicChromiumClientSession(
         connection, std::move(socket),
         /*stream_factory=*/nullptr, &crypto_client_stream_factory_, &clock_,
         &transport_security_state_, /*ssl_config_service=*/nullptr,
         base::WrapUnique(static_cast<QuicServerInfo*>(nullptr)), session_key_,
-        /*require_confirmation=*/false, migrate_session_early_v2_,
+        /*require_confirmation=*/false,
+        /*max_allowed_push_id=*/0, migrate_session_early_v2_,
         /*migrate_session_on_network_change_v2=*/false,
         /*defaulet_network=*/NetworkChangeNotifier::kInvalidNetworkHandle,
         quic::QuicTime::Delta::FromMilliseconds(
-            kDefaultRetransmittableOnWireTimeoutMillisecs),
-        /*migrate_idle_session=*/false,
-        base::TimeDelta::FromSeconds(kDefaultIdleSessionMigrationPeriodSeconds),
-        base::TimeDelta::FromSeconds(kMaxTimeOnNonDefaultNetworkSecs),
+            kDefaultRetransmittableOnWireTimeout.InMilliseconds()),
+        /*migrate_idle_session=*/false, kDefaultIdleSessionMigrationPeriod,
+        kMaxTimeOnNonDefaultNetwork,
         kMaxMigrationsToNonDefaultNetworkOnWriteError,
         kMaxMigrationsToNonDefaultNetworkOnPathDegrading,
         kQuicYieldAfterPacketsRead,
@@ -256,10 +260,13 @@ INSTANTIATE_TEST_SUITE_P(
     ::testing::Combine(::testing::ValuesIn(quic::AllSupportedVersions()),
                        ::testing::Bool()));
 
+// TODO(950069): Add testing for frame_origin in NetworkIsolationKey using
+// kAppendInitiatingFrameOriginToNetworkIsolationKey.
+
 TEST_P(QuicChromiumClientSessionTest, IsFatalErrorNotSetForNonFatalError) {
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(reads, writes));
@@ -282,7 +289,7 @@ TEST_P(QuicChromiumClientSessionTest, IsFatalErrorNotSetForNonFatalError) {
 TEST_P(QuicChromiumClientSessionTest, IsFatalErrorSetForFatalError) {
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(reads, writes));
@@ -304,7 +311,7 @@ TEST_P(QuicChromiumClientSessionTest, IsFatalErrorSetForFatalError) {
 TEST_P(QuicChromiumClientSessionTest, CryptoConnect) {
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(reads, writes));
@@ -313,9 +320,8 @@ TEST_P(QuicChromiumClientSessionTest, CryptoConnect) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, Handle) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   quic_data.AddRead(ASYNC, OK);  // EOF
   quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -338,8 +344,7 @@ TEST_P(QuicChromiumClientSessionTest, Handle) {
   IPEndPoint address;
   EXPECT_EQ(OK, handle->GetPeerAddress(&address));
   EXPECT_EQ(kIpEndPoint, address);
-  EXPECT_TRUE(handle->CreatePacketBundler(quic::QuicConnection::NO_ACK).get() !=
-              nullptr);
+  EXPECT_TRUE(handle->CreatePacketBundler().get() != nullptr);
 
   CompleteCryptoHandshake();
 
@@ -365,8 +370,7 @@ TEST_P(QuicChromiumClientSessionTest, Handle) {
   EXPECT_EQ(session_net_log.source().id, handle->net_log().source().id);
   EXPECT_EQ(session_net_log.net_log(), handle->net_log().net_log());
   EXPECT_EQ(ERR_CONNECTION_CLOSED, handle->GetPeerAddress(&address));
-  EXPECT_TRUE(handle->CreatePacketBundler(quic::QuicConnection::NO_ACK).get() ==
-              nullptr);
+  EXPECT_TRUE(handle->CreatePacketBundler().get() == nullptr);
   {
     // Verify that CreateHandle() works even after the session is closed.
     std::unique_ptr<QuicChromiumClientSession::Handle> handle2 =
@@ -390,8 +394,7 @@ TEST_P(QuicChromiumClientSessionTest, Handle) {
   EXPECT_EQ(session_net_log.source().id, handle->net_log().source().id);
   EXPECT_EQ(session_net_log.net_log(), handle->net_log().net_log());
   EXPECT_EQ(ERR_CONNECTION_CLOSED, handle->GetPeerAddress(&address));
-  EXPECT_TRUE(handle->CreatePacketBundler(quic::QuicConnection::NO_ACK).get() ==
-              nullptr);
+  EXPECT_TRUE(handle->CreatePacketBundler().get() == nullptr);
   ASSERT_EQ(
       ERR_CONNECTION_CLOSED,
       handle->RequestStream(/*requires_confirmation=*/false,
@@ -399,9 +402,8 @@ TEST_P(QuicChromiumClientSessionTest, Handle) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, StreamRequest) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   quic_data.AddRead(ASYNC, OK);  // EOF
   quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -424,9 +426,8 @@ TEST_P(QuicChromiumClientSessionTest, StreamRequest) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, ConfirmationRequiredStreamRequest) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   quic_data.AddRead(ASYNC, OK);  // EOF
   quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -449,9 +450,8 @@ TEST_P(QuicChromiumClientSessionTest, ConfirmationRequiredStreamRequest) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, StreamRequestBeforeConfirmation) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   quic_data.AddRead(ASYNC, OK);  // EOF
   quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -479,9 +479,8 @@ TEST_P(QuicChromiumClientSessionTest, StreamRequestBeforeConfirmation) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, CancelStreamRequestBeforeRelease) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeRstPacket(
                          2, true, GetNthClientInitiatedBidirectionalStreamId(0),
@@ -508,9 +507,8 @@ TEST_P(QuicChromiumClientSessionTest, CancelStreamRequestBeforeRelease) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, AsyncStreamRequest) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     // The open stream limit is set to 50 by
     // MockCryptoClientStream::SetConfigNegotiated() so when the 51st stream is
@@ -522,7 +520,7 @@ TEST_P(QuicChromiumClientSessionTest, AsyncStreamRequest) {
     quic_data.AddWrite(
         SYNCHRONOUS, client_maker_.MakeRstPacket(
                          3, true, GetNthClientInitiatedBidirectionalStreamId(0),
-                         quic::QUIC_STREAM_CANCELLED, 0,
+                         quic::QUIC_STREAM_CANCELLED,
                          /*include_stop_sending_if_v99=*/false));
     // After the STREAMS_BLOCKED is sent, receive a MAX_STREAMS to increase
     // the limit to 53.
@@ -585,9 +583,8 @@ TEST_P(QuicChromiumClientSessionTest, AsyncStreamRequest) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, ClosedWithAsyncStreamRequest) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     // The open stream limit is set to 50 by
     // MockCryptoClientStream::SetConfigNegotiated() so when the 51st stream is
@@ -648,9 +645,8 @@ TEST_P(QuicChromiumClientSessionTest, ClosedWithAsyncStreamRequest) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, CancelPendingStreamRequest) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     // The open stream limit is set to 50 by
     // MockCryptoClientStream::SetConfigNegotiated() so when the 51st stream is
@@ -663,7 +659,7 @@ TEST_P(QuicChromiumClientSessionTest, CancelPendingStreamRequest) {
     quic_data.AddWrite(
         SYNCHRONOUS, client_maker_.MakeRstPacket(
                          3, true, GetNthClientInitiatedBidirectionalStreamId(0),
-                         quic::QUIC_STREAM_CANCELLED, 0,
+                         quic::QUIC_STREAM_CANCELLED,
                          /*include_stop_sending_if_v99=*/false));
   } else {
     quic_data.AddWrite(
@@ -720,9 +716,8 @@ TEST_P(QuicChromiumClientSessionTest, CancelPendingStreamRequest) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, ConnectionCloseBeforeStreamRequest) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data.AddRead(
       ASYNC,
       server_maker_.MakeConnectionClosePacket(
@@ -749,10 +744,16 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionCloseBeforeStreamRequest) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, ConnectionCloseBeforeHandshakeConfirmed) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   // Force the connection close packet to use long headers with connection ID.
   server_maker_.SetEncryptionLevel(quic::ENCRYPTION_INITIAL);
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   quic_data.AddRead(
       ASYNC,
@@ -783,9 +784,8 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionCloseBeforeHandshakeConfirmed) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, ConnectionCloseWithPendingStreamRequest) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeStreamsBlockedPacket(
                                         2, true, 51,
@@ -830,9 +830,8 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionCloseWithPendingStreamRequest) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, MaxNumStreams) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     // Initial configuration is 50 dynamic streams. Taking into account
     // the static stream (headers), expect to block on when hitting the limit
@@ -901,7 +900,7 @@ TEST_P(QuicChromiumClientSessionTest, PushStreamTimedOutNoResponse) {
   base::HistogramTester histogram_tester;
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   std::unique_ptr<quic::QuicEncryptedPacket> client_rst(
       client_maker_.MakeRstPacket(
           2, true, GetNthServerInitiatedUnidirectionalStreamId(0),
@@ -953,7 +952,7 @@ TEST_P(QuicChromiumClientSessionTest, PushStreamTimedOutWithResponse) {
   base::HistogramTester histogram_tester;
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   std::unique_ptr<quic::QuicEncryptedPacket> client_rst(
       client_maker_.MakeRstPacket(
           2, true, GetNthServerInitiatedUnidirectionalStreamId(0),
@@ -1006,10 +1005,69 @@ TEST_P(QuicChromiumClientSessionTest, PushStreamTimedOutWithResponse) {
                     session_.get()));
 }
 
+// Regression test for crbug.com/968621.
+TEST_P(QuicChromiumClientSessionTest, PendingStreamOnRst) {
+  if (!quic::VersionHasStreamType(version_.transport_version))
+    return;
+
+  MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
+  std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
+      client_maker_.MakeInitialSettingsPacket(1));
+  std::unique_ptr<quic::QuicEncryptedPacket> client_rst(
+      client_maker_.MakeRstPacket(
+          2, true, GetNthServerInitiatedUnidirectionalStreamId(0),
+          quic::QUIC_RST_ACKNOWLEDGEMENT));
+
+  MockWrite writes[] = {
+      MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1),
+      MockWrite(ASYNC, client_rst->data(), client_rst->length(), 2)};
+  socket_data_.reset(new SequencedSocketData(reads, writes));
+
+  Initialize();
+  CompleteCryptoHandshake();
+
+  quic::QuicStreamFrame data(GetNthServerInitiatedUnidirectionalStreamId(0),
+                             false, 1, quic::QuicStringPiece("SP"));
+  session_->OnStreamFrame(data);
+  EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
+  quic::QuicRstStreamFrame rst(quic::kInvalidControlFrameId,
+                               GetNthServerInitiatedUnidirectionalStreamId(0),
+                               quic::QUIC_STREAM_CANCELLED, 0);
+  session_->OnRstStream(rst);
+}
+
+// Regression test for crbug.com/971361.
+TEST_P(QuicChromiumClientSessionTest, ClosePendingStream) {
+  if (!quic::VersionHasStreamType(version_.transport_version))
+    return;
+
+  MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
+  std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
+      client_maker_.MakeInitialSettingsPacket(1));
+  std::unique_ptr<quic::QuicEncryptedPacket> client_rst(
+      client_maker_.MakeRstPacket(
+          2, true, GetNthServerInitiatedUnidirectionalStreamId(0),
+          quic::QUIC_RST_ACKNOWLEDGEMENT));
+
+  MockWrite writes[] = {
+      MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1),
+      MockWrite(ASYNC, client_rst->data(), client_rst->length(), 2)};
+  socket_data_.reset(new SequencedSocketData(reads, writes));
+
+  Initialize();
+  CompleteCryptoHandshake();
+
+  quic::QuicStreamId id = GetNthServerInitiatedUnidirectionalStreamId(0);
+  quic::QuicStreamFrame data(id, false, 1, quic::QuicStringPiece("SP"));
+  session_->OnStreamFrame(data);
+  EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
+  session_->CloseStream(id);
+}
+
 TEST_P(QuicChromiumClientSessionTest, CancelPushWhenPendingValidation) {
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   std::unique_ptr<quic::QuicEncryptedPacket> client_rst(
       client_maker_.MakeRstPacket(2, true,
                                   GetNthClientInitiatedBidirectionalStreamId(0),
@@ -1066,7 +1124,7 @@ TEST_P(QuicChromiumClientSessionTest, CancelPushBeforeReceivingResponse) {
   base::HistogramTester histogram_tester;
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   std::unique_ptr<quic::QuicEncryptedPacket> client_rst(
       client_maker_.MakeRstPacket(
           2, true, GetNthServerInitiatedUnidirectionalStreamId(0),
@@ -1118,7 +1176,7 @@ TEST_P(QuicChromiumClientSessionTest, CancelPushAfterReceivingResponse) {
   base::HistogramTester histogram_tester;
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   std::unique_ptr<quic::QuicEncryptedPacket> client_rst(
       client_maker_.MakeRstPacket(
           2, true, GetNthServerInitiatedUnidirectionalStreamId(0),
@@ -1174,9 +1232,8 @@ TEST_P(QuicChromiumClientSessionTest, CancelPushAfterReceivingResponse) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, MaxNumStreamsViaRequest) {
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeStreamsBlockedPacket(
                                         2, true, 51,
@@ -1233,7 +1290,7 @@ TEST_P(QuicChromiumClientSessionTest, MaxNumStreamsViaRequest) {
 TEST_P(QuicChromiumClientSessionTest, GoAwayReceived) {
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(reads, writes));
@@ -1252,7 +1309,7 @@ TEST_P(QuicChromiumClientSessionTest, GoAwayReceived) {
 TEST_P(QuicChromiumClientSessionTest, CanPool) {
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(reads, writes));
@@ -1270,24 +1327,104 @@ TEST_P(QuicChromiumClientSessionTest, CanPool) {
   CompleteCryptoHandshake();
   session_->OnProofVerifyDetailsAvailable(details);
 
-  EXPECT_TRUE(
-      session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED, SocketTag()));
-  EXPECT_FALSE(
-      session_->CanPool("www.example.org", PRIVACY_MODE_ENABLED, SocketTag()));
+  EXPECT_TRUE(session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED,
+                                SocketTag(), NetworkIsolationKey()));
+  EXPECT_FALSE(session_->CanPool("www.example.org", PRIVACY_MODE_ENABLED,
+                                 SocketTag(), NetworkIsolationKey()));
 #if defined(OS_ANDROID)
   SocketTag tag1(SocketTag::UNSET_UID, 0x12345678);
   SocketTag tag2(getuid(), 0x87654321);
-  EXPECT_FALSE(
-      session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED, tag1));
-  EXPECT_FALSE(
-      session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED, tag2));
+  EXPECT_FALSE(session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED, tag1,
+                                 NetworkIsolationKey()));
+  EXPECT_FALSE(session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED, tag2,
+                                 NetworkIsolationKey()));
 #endif
   EXPECT_TRUE(session_->CanPool("mail.example.org", PRIVACY_MODE_DISABLED,
-                                SocketTag()));
+                                SocketTag(), NetworkIsolationKey()));
   EXPECT_TRUE(session_->CanPool("mail.example.com", PRIVACY_MODE_DISABLED,
-                                SocketTag()));
-  EXPECT_FALSE(
-      session_->CanPool("mail.google.com", PRIVACY_MODE_DISABLED, SocketTag()));
+                                SocketTag(), NetworkIsolationKey()));
+  EXPECT_FALSE(session_->CanPool("mail.google.com", PRIVACY_MODE_DISABLED,
+                                 SocketTag(), NetworkIsolationKey()));
+
+  const auto kOriginFoo = url::Origin::Create(GURL("http://foo.test/"));
+
+  // Check that NetworkIsolationKey is respected when feature is enabled.
+  {
+    base::test::ScopedFeatureList feature_list;
+    feature_list.InitAndDisableFeature(
+        features::kPartitionConnectionsByNetworkIsolationKey);
+    EXPECT_TRUE(session_->CanPool("mail.example.com", PRIVACY_MODE_DISABLED,
+                                  SocketTag(),
+                                  NetworkIsolationKey(kOriginFoo, kOriginFoo)));
+  }
+  {
+    base::test::ScopedFeatureList feature_list;
+    feature_list.InitAndEnableFeature(
+        features::kPartitionConnectionsByNetworkIsolationKey);
+    EXPECT_FALSE(session_->CanPool(
+        "mail.example.com", PRIVACY_MODE_DISABLED, SocketTag(),
+        NetworkIsolationKey(kOriginFoo, kOriginFoo)));
+  }
+}
+
+// Much as above, but uses a non-empty NetworkIsolationKey.
+TEST_P(QuicChromiumClientSessionTest, CanPoolWithNetworkIsolationKey) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kPartitionConnectionsByNetworkIsolationKey);
+
+  const auto kOriginFoo = url::Origin::Create(GURL("http://foo.test/"));
+  const auto kOriginBar = url::Origin::Create(GURL("http://bar.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOriginFoo, kOriginFoo);
+  const NetworkIsolationKey kNetworkIsolationKey2(kOriginBar, kOriginBar);
+
+  session_key_ =
+      QuicSessionKey(kServerHostname, kServerPort, PRIVACY_MODE_DISABLED,
+                     SocketTag(), kNetworkIsolationKey1);
+
+  MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
+  std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
+      client_maker_.MakeInitialSettingsPacket(1));
+  MockWrite writes[] = {
+      MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
+  socket_data_.reset(new SequencedSocketData(reads, writes));
+  Initialize();
+  // Load a cert that is valid for:
+  //   www.example.org
+  //   mail.example.org
+  //   www.example.com
+
+  ProofVerifyDetailsChromium details;
+  details.cert_verify_result.verified_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
+  ASSERT_TRUE(details.cert_verify_result.verified_cert.get());
+
+  CompleteCryptoHandshake();
+  session_->OnProofVerifyDetailsAvailable(details);
+
+  EXPECT_TRUE(session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED,
+                                SocketTag(), kNetworkIsolationKey1));
+  EXPECT_FALSE(session_->CanPool("www.example.org", PRIVACY_MODE_ENABLED,
+                                 SocketTag(), kNetworkIsolationKey1));
+#if defined(OS_ANDROID)
+  SocketTag tag1(SocketTag::UNSET_UID, 0x12345678);
+  SocketTag tag2(getuid(), 0x87654321);
+  EXPECT_FALSE(session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED, tag1,
+                                 kNetworkIsolationKey1));
+  EXPECT_FALSE(session_->CanPool("www.example.org", PRIVACY_MODE_DISABLED, tag2,
+                                 kNetworkIsolationKey1));
+#endif
+  EXPECT_TRUE(session_->CanPool("mail.example.org", PRIVACY_MODE_DISABLED,
+                                SocketTag(), kNetworkIsolationKey1));
+  EXPECT_TRUE(session_->CanPool("mail.example.com", PRIVACY_MODE_DISABLED,
+                                SocketTag(), kNetworkIsolationKey1));
+  EXPECT_FALSE(session_->CanPool("mail.google.com", PRIVACY_MODE_DISABLED,
+                                 SocketTag(), kNetworkIsolationKey1));
+
+  EXPECT_FALSE(session_->CanPool("mail.example.com", PRIVACY_MODE_DISABLED,
+                                 SocketTag(), kNetworkIsolationKey2));
+  EXPECT_FALSE(session_->CanPool("mail.example.com", PRIVACY_MODE_DISABLED,
+                                 SocketTag(), NetworkIsolationKey()));
 }
 
 TEST_P(QuicChromiumClientSessionTest, ConnectionNotPooledWithDifferentPin) {
@@ -1305,7 +1442,7 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionNotPooledWithDifferentPin) {
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(reads, writes));
@@ -1327,8 +1464,8 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionNotPooledWithDifferentPin) {
   session_->OnProofVerifyDetailsAvailable(details);
   QuicChromiumClientSessionPeer::SetHostname(session_.get(), kNoPinsHost);
 
-  EXPECT_FALSE(
-      session_->CanPool(kPreloadedPKPHost, PRIVACY_MODE_DISABLED, SocketTag()));
+  EXPECT_FALSE(session_->CanPool(kPreloadedPKPHost, PRIVACY_MODE_DISABLED,
+                                 SocketTag(), NetworkIsolationKey()));
 }
 
 TEST_P(QuicChromiumClientSessionTest, ConnectionPooledWithMatchingPin) {
@@ -1336,7 +1473,7 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionPooledWithMatchingPin) {
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(reads, writes));
@@ -1360,13 +1497,13 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionPooledWithMatchingPin) {
   QuicChromiumClientSessionPeer::SetHostname(session_.get(), "www.example.org");
 
   EXPECT_TRUE(session_->CanPool("mail.example.org", PRIVACY_MODE_DISABLED,
-                                SocketTag()));
+                                SocketTag(), NetworkIsolationKey()));
 }
 
 TEST_P(QuicChromiumClientSessionTest, MigrateToSocket) {
   MockRead old_reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite old_writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(old_reads, old_writes));
@@ -1378,7 +1515,7 @@ TEST_P(QuicChromiumClientSessionTest, MigrateToSocket) {
   std::unique_ptr<quic::QuicEncryptedPacket> ack_and_data_out;
   client_ping = client_maker_.MakeAckAndPingPacket(2, false, 1, 1, 1);
   ack_and_data_out = client_maker_.MakeDataPacket(
-      3, GetNthClientInitiatedBidirectionalStreamId(0), false, false, 0,
+      3, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
       quic::QuicStringPiece(data));
   std::unique_ptr<quic::QuicEncryptedPacket> server_ping(
       server_maker_.MakePingPacket(1, /*include_version=*/false));
@@ -1431,7 +1568,7 @@ TEST_P(QuicChromiumClientSessionTest, MigrateToSocket) {
 TEST_P(QuicChromiumClientSessionTest, MigrateToSocketMaxReaders) {
   MockRead old_reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite old_writes[] = {
       MockWrite(ASYNC, settings_packet->data(), settings_packet->length(), 1)};
   socket_data_.reset(new SequencedSocketData(old_reads, old_writes));
@@ -1484,7 +1621,7 @@ TEST_P(QuicChromiumClientSessionTest, MigrateToSocketMaxReaders) {
 
 TEST_P(QuicChromiumClientSessionTest, MigrateToSocketReadError) {
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   std::unique_ptr<quic::QuicEncryptedPacket> client_ping;
   client_ping = client_maker_.MakeAckAndPingPacket(2, false, 1, 1, 1);
   std::unique_ptr<quic::QuicEncryptedPacket> server_ping(
@@ -1551,9 +1688,14 @@ TEST_P(QuicChromiumClientSessionTest, MigrateToSocketReadError) {
 }
 
 TEST_P(QuicChromiumClientSessionTest, DetectPathDegradingDuringHandshake) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   migrate_session_early_v2_ = true;
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read
   quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeDummyCHLOPacket(1));
   quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeDummyCHLOPacket(2));
@@ -1612,9 +1754,8 @@ TEST_P(QuicChromiumClientSessionTest, DetectPathDegradingDuringHandshake) {
 TEST_P(QuicChromiumClientSessionTest, RetransmittableOnWireTimeout) {
   migrate_session_early_v2_ = true;
 
-  MockQuicData quic_data;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacket(1, nullptr));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
   quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakePingPacket(2, true));
   quic_data.AddRead(ASYNC, server_maker_.MakeAckPacket(1, 2, 1, 1, false));
 
diff --git a/chromium/net/quic/quic_chromium_client_stream.cc b/chromium/net/quic/quic_chromium_client_stream.cc
index 45e4b802118..1a29107b532 100644
--- a/chromium/net/quic/quic_chromium_client_stream.cc
+++ b/chromium/net/quic/quic_chromium_client_stream.cc
@@ -46,8 +46,7 @@ QuicChromiumClientStream::Handle::Handle(QuicChromiumClientStream* stream)
       read_headers_buffer_(nullptr),
       read_body_buffer_len_(0),
       net_error_(ERR_UNEXPECTED),
-      net_log_(stream->net_log()),
-      weak_factory_(this) {
+      net_log_(stream->net_log()) {
   SaveState();
 }
 
@@ -414,16 +413,15 @@ QuicChromiumClientStream::QuicChromiumClientStream(
       quic_version_(session->connection()->transport_version()),
       can_migrate_to_cellular_network_(true),
       initial_headers_frame_len_(0),
-      trailing_headers_frame_len_(0),
-      weak_factory_(this) {}
+      trailing_headers_frame_len_(0) {}
 
 QuicChromiumClientStream::QuicChromiumClientStream(
-    quic::PendingStream pending,
+    quic::PendingStream* pending,
     quic::QuicSpdyClientSessionBase* session,
     quic::StreamType type,
     const NetLogWithSource& net_log,
     const NetworkTrafficAnnotationTag& traffic_annotation)
-    : quic::QuicSpdyStream(std::move(pending), session, type),
+    : quic::QuicSpdyStream(pending, session, type),
       net_log_(net_log),
       handle_(nullptr),
       headers_delivered_(false),
@@ -432,8 +430,7 @@ QuicChromiumClientStream::QuicChromiumClientStream(
       quic_version_(session->connection()->transport_version()),
       can_migrate_to_cellular_network_(true),
       initial_headers_frame_len_(0),
-      trailing_headers_frame_len_(0),
-      weak_factory_(this) {}
+      trailing_headers_frame_len_(0) {}
 
 QuicChromiumClientStream::~QuicChromiumClientStream() {
   if (handle_)
@@ -544,7 +541,10 @@ size_t QuicChromiumClientStream::WriteHeaders(
   }
   net_log_.AddEvent(
       NetLogEventType::QUIC_CHROMIUM_CLIENT_STREAM_SEND_REQUEST_HEADERS,
-      base::Bind(&QuicRequestNetLogCallback, id(), &header_block, priority()));
+      [&](NetLogCaptureMode capture_mode) {
+        return QuicRequestNetLogParams(id(), &header_block, priority(),
+                                       capture_mode);
+      });
   size_t len = quic::QuicSpdyStream::WriteHeaders(std::move(header_block), fin,
                                                   std::move(ack_listener));
   initial_headers_sent_ = true;
@@ -661,8 +661,10 @@ bool QuicChromiumClientStream::DeliverInitialHeaders(
   headers_delivered_ = true;
   net_log_.AddEvent(
       NetLogEventType::QUIC_CHROMIUM_CLIENT_STREAM_READ_RESPONSE_HEADERS,
-      base::BindRepeating(&QuicResponseNetLogCallback, id(), fin_received(),
-                          &initial_headers_));
+      [&](NetLogCaptureMode capture_mode) {
+        return QuicResponseNetLogParams(id(), fin_received(), &initial_headers_,
+                                        capture_mode);
+      });
 
   *headers = std::move(initial_headers_);
   *frame_len = initial_headers_frame_len_;
@@ -677,8 +679,10 @@ bool QuicChromiumClientStream::DeliverTrailingHeaders(
 
   net_log_.AddEvent(
       NetLogEventType::QUIC_CHROMIUM_CLIENT_STREAM_READ_RESPONSE_TRAILERS,
-      base::BindRepeating(&QuicResponseNetLogCallback, id(), fin_received(),
-                          &received_trailers()));
+      [&](NetLogCaptureMode capture_mode) {
+        return QuicResponseNetLogParams(id(), fin_received(),
+                                        &received_trailers(), capture_mode);
+      });
 
   *headers = received_trailers().Clone();
   *frame_len = trailing_headers_frame_len_;
diff --git a/chromium/net/quic/quic_chromium_client_stream.h b/chromium/net/quic/quic_chromium_client_stream.h
index 25c8afde859..30baf2a5bbf 100644
--- a/chromium/net/quic/quic_chromium_client_stream.h
+++ b/chromium/net/quic/quic_chromium_client_stream.h
@@ -192,7 +192,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientStream
 
     NetLogWithSource net_log_;
 
-    base::WeakPtrFactory<Handle> weak_factory_;
+    base::WeakPtrFactory<Handle> weak_factory_{this};
 
     DISALLOW_COPY_AND_ASSIGN(Handle);
   };
@@ -204,7 +204,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientStream
       const NetLogWithSource& net_log,
       const NetworkTrafficAnnotationTag& traffic_annotation);
   QuicChromiumClientStream(
-      quic::PendingStream pending,
+      quic::PendingStream* pending,
       quic::QuicSpdyClientSessionBase* session,
       quic::StreamType type,
       const NetLogWithSource& net_log,
@@ -311,7 +311,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientStream
   // Length of the HEADERS frame containing trailing headers.
   size_t trailing_headers_frame_len_;
 
-  base::WeakPtrFactory<QuicChromiumClientStream> weak_factory_;
+  base::WeakPtrFactory<QuicChromiumClientStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicChromiumClientStream);
 };
diff --git a/chromium/net/quic/quic_chromium_client_stream_test.cc b/chromium/net/quic/quic_chromium_client_stream_test.cc
index 7fc2ffe1507..f696e423b42 100644
--- a/chromium/net/quic/quic_chromium_client_stream_test.cc
+++ b/chromium/net/quic/quic_chromium_client_stream_test.cc
@@ -21,7 +21,6 @@
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h"
 #include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h"
@@ -56,14 +55,13 @@ class MockQuicClientSessionBase : public quic::QuicSpdyClientSessionBase {
   }
 
   // From quic::QuicSession.
-  MOCK_METHOD3(OnConnectionClosed,
-               void(quic::QuicErrorCode error,
-                    const std::string& error_details,
+  MOCK_METHOD2(OnConnectionClosed,
+               void(const quic::QuicConnectionCloseFrame& frame,
                     quic::ConnectionCloseSource source));
   MOCK_METHOD1(CreateIncomingStream,
                quic::QuicSpdyStream*(quic::QuicStreamId id));
   MOCK_METHOD1(CreateIncomingStream,
-               quic::QuicSpdyStream*(quic::PendingStream pending));
+               quic::QuicSpdyStream*(quic::PendingStream* pending));
   MOCK_METHOD0(CreateOutgoingBidirectionalStream, QuicChromiumClientStream*());
   MOCK_METHOD0(CreateOutgoingUnidirectionalStream, QuicChromiumClientStream*());
   MOCK_METHOD5(WritevData,
@@ -161,8 +159,8 @@ class QuicChromiumClientStreamTest
       public WithScopedTaskEnvironment {
  public:
   QuicChromiumClientStreamTest()
-      : crypto_config_(quic::test::crypto_test_utils::ProofVerifierForTesting(),
-                       quic::TlsClientHandshaker::CreateSslCtx()),
+      : crypto_config_(
+            quic::test::crypto_test_utils::ProofVerifierForTesting()),
         session_(new quic::test::MockQuicConnection(
                      &helper_,
                      &alarm_factory_,
diff --git a/chromium/net/quic/quic_chromium_packet_reader.cc b/chromium/net/quic/quic_chromium_packet_reader.cc
index 36083a43212..c0c2bc70774 100644
--- a/chromium/net/quic/quic_chromium_packet_reader.cc
+++ b/chromium/net/quic/quic_chromium_packet_reader.cc
@@ -10,6 +10,7 @@
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/net_errors.h"
+#include "net/quic/address_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_clock.h"
 
 namespace net {
@@ -31,8 +32,7 @@ QuicChromiumPacketReader::QuicChromiumPacketReader(
       yield_after_(quic::QuicTime::Infinite()),
       read_buffer_(base::MakeRefCounted<IOBufferWithSize>(
           static_cast<size_t>(quic::kMaxOutgoingPacketSize))),
-      net_log_(net_log),
-      weak_factory_(this) {}
+      net_log_(net_log) {}
 
 QuicChromiumPacketReader::~QuicChromiumPacketReader() {}
 
@@ -93,10 +93,8 @@ bool QuicChromiumPacketReader::ProcessReadResult(int result) {
   IPEndPoint peer_address;
   socket_->GetLocalAddress(&local_address);
   socket_->GetPeerAddress(&peer_address);
-  return visitor_->OnPacket(
-      packet,
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(local_address)),
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(peer_address)));
+  return visitor_->OnPacket(packet, ToQuicSocketAddress(local_address),
+                            ToQuicSocketAddress(peer_address));
 }
 
 void QuicChromiumPacketReader::OnReadComplete(int result) {
diff --git a/chromium/net/quic/quic_chromium_packet_reader.h b/chromium/net/quic/quic_chromium_packet_reader.h
index 5734aa72711..b4d25070816 100644
--- a/chromium/net/quic/quic_chromium_packet_reader.h
+++ b/chromium/net/quic/quic_chromium_packet_reader.h
@@ -70,7 +70,7 @@ class NET_EXPORT_PRIVATE QuicChromiumPacketReader {
   scoped_refptr<IOBufferWithSize> read_buffer_;
   NetLogWithSource net_log_;
 
-  base::WeakPtrFactory<QuicChromiumPacketReader> weak_factory_;
+  base::WeakPtrFactory<QuicChromiumPacketReader> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicChromiumPacketReader);
 };
diff --git a/chromium/net/quic/quic_chromium_packet_writer.cc b/chromium/net/quic/quic_chromium_packet_writer.cc
index 4cb3be9f13a..7c38674e702 100644
--- a/chromium/net/quic/quic_chromium_packet_writer.cc
+++ b/chromium/net/quic/quic_chromium_packet_writer.cc
@@ -81,7 +81,7 @@ void QuicChromiumPacketWriter::ReusableIOBuffer::Set(const char* buffer,
   std::memcpy(data(), buffer, buf_len);
 }
 
-QuicChromiumPacketWriter::QuicChromiumPacketWriter() : weak_factory_(this) {}
+QuicChromiumPacketWriter::QuicChromiumPacketWriter() {}
 
 QuicChromiumPacketWriter::QuicChromiumPacketWriter(
     DatagramClientSocket* socket,
@@ -92,8 +92,7 @@ QuicChromiumPacketWriter::QuicChromiumPacketWriter(
           base::MakeRefCounted<ReusableIOBuffer>(quic::kMaxOutgoingPacketSize)),
       write_in_progress_(false),
       force_write_blocked_(false),
-      retry_count_(0),
-      weak_factory_(this) {
+      retry_count_(0) {
   retry_timer_.SetTaskRunner(task_runner);
   write_callback_ = base::BindRepeating(
       &QuicChromiumPacketWriter::OnWriteComplete, weak_factory_.GetWeakPtr());
diff --git a/chromium/net/quic/quic_chromium_packet_writer.h b/chromium/net/quic/quic_chromium_packet_writer.h
index 1a667f2911e..82acb30f367 100644
--- a/chromium/net/quic/quic_chromium_packet_writer.h
+++ b/chromium/net/quic/quic_chromium_packet_writer.h
@@ -126,7 +126,7 @@ class NET_EXPORT_PRIVATE QuicChromiumPacketWriter
   base::OneShotTimer retry_timer_;
 
   CompletionRepeatingCallback write_callback_;
-  base::WeakPtrFactory<QuicChromiumPacketWriter> weak_factory_;
+  base::WeakPtrFactory<QuicChromiumPacketWriter> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicChromiumPacketWriter);
 };
diff --git a/chromium/net/quic/quic_connection_logger.cc b/chromium/net/quic/quic_connection_logger.cc
index 0e6cf4223cb..cdae0879fa7 100644
--- a/chromium/net/quic/quic_connection_logger.cc
+++ b/chromium/net/quic/quic_connection_logger.cc
@@ -10,18 +10,15 @@
 #include <utility>
 #include <vector>
 
-#include "base/bind.h"
-#include "base/callback.h"
 #include "base/metrics/histogram_base.h"
 #include "base/metrics/histogram_functions.h"
 #include "base/metrics/histogram_macros.h"
-#include "base/strings/string_number_conversions.h"
 #include "base/values.h"
 #include "net/base/ip_address.h"
 #include "net/cert/x509_certificate.h"
-#include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_event_type.h"
+#include "net/log/net_log_values.h"
 #include "net/quic/address_utils.h"
 #include "net/quic/quic_address_mismatch.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.h"
@@ -39,23 +36,20 @@ namespace net {
 
 namespace {
 
-base::Value NetLogQuicPacketCallback(
-    const quic::QuicSocketAddress* self_address,
-    const quic::QuicSocketAddress* peer_address,
-    size_t packet_size,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicPacketParams(const quic::QuicSocketAddress& self_address,
+                                   const quic::QuicSocketAddress& peer_address,
+                                   size_t packet_size) {
   base::DictionaryValue dict;
-  dict.SetString("self_address", self_address->ToString());
-  dict.SetString("peer_address", peer_address->ToString());
+  dict.SetString("self_address", self_address.ToString());
+  dict.SetString("peer_address", peer_address.ToString());
   dict.SetInteger("size", packet_size);
   return std::move(dict);
 }
 
-base::Value NetLogQuicPacketSentCallback(
+base::Value NetLogQuicPacketSentParams(
     const quic::SerializedPacket& serialized_packet,
     quic::TransmissionType transmission_type,
-    quic::QuicTime sent_time,
-    NetLogCaptureMode /* capture_mode */) {
+    quic::QuicTime sent_time) {
   base::DictionaryValue dict;
   dict.SetInteger("transmission_type", transmission_type);
   dict.SetKey("packet_number",
@@ -65,10 +59,9 @@ base::Value NetLogQuicPacketSentCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicPacketRetransmittedCallback(
+base::Value NetLogQuicPacketRetransmittedParams(
     quic::QuicPacketNumber old_packet_number,
-    quic::QuicPacketNumber new_packet_number,
-    NetLogCaptureMode /* capture_mode */) {
+    quic::QuicPacketNumber new_packet_number) {
   base::DictionaryValue dict;
   dict.SetKey("old_packet_number",
               NetLogNumberValue(old_packet_number.ToUint64()));
@@ -77,11 +70,9 @@ base::Value NetLogQuicPacketRetransmittedCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicPacketLostCallback(
-    quic::QuicPacketNumber packet_number,
-    quic::TransmissionType transmission_type,
-    quic::QuicTime detection_time,
-    NetLogCaptureMode /*capture_mode*/) {
+base::Value NetLogQuicPacketLostParams(quic::QuicPacketNumber packet_number,
+                                       quic::TransmissionType transmission_type,
+                                       quic::QuicTime detection_time) {
   base::DictionaryValue dict;
   dict.SetInteger("transmission_type", transmission_type);
   dict.SetKey("packet_number", NetLogNumberValue(packet_number.ToUint64()));
@@ -90,17 +81,14 @@ base::Value NetLogQuicPacketLostCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicDuplicatePacketCallback(
-    quic::QuicPacketNumber packet_number,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicDuplicatePacketParams(
+    quic::QuicPacketNumber packet_number) {
   base::DictionaryValue dict;
   dict.SetKey("packet_number", NetLogNumberValue(packet_number.ToUint64()));
   return std::move(dict);
 }
 
-base::Value NetLogQuicPacketHeaderCallback(
-    const quic::QuicPacketHeader* header,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicPacketHeaderParams(const quic::QuicPacketHeader* header) {
   base::DictionaryValue dict;
   dict.SetString("connection_id", header->destination_connection_id.ToString());
   dict.SetInteger("reset_flag", header->reset_flag);
@@ -110,9 +98,7 @@ base::Value NetLogQuicPacketHeaderCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicStreamFrameCallback(
-    const quic::QuicStreamFrame& frame,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicStreamFrameParams(const quic::QuicStreamFrame& frame) {
   base::DictionaryValue dict;
   dict.SetInteger("stream_id", frame.stream_id);
   dict.SetBoolean("fin", frame.fin);
@@ -121,8 +107,7 @@ base::Value NetLogQuicStreamFrameCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicAckFrameCallback(const quic::QuicAckFrame* frame,
-                                       NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicAckFrameParams(const quic::QuicAckFrame* frame) {
   base::DictionaryValue dict;
   dict.SetKey("largest_observed",
               NetLogNumberValue(frame->largest_acked.ToUint64()));
@@ -155,44 +140,37 @@ base::Value NetLogQuicAckFrameCallback(const quic::QuicAckFrame* frame,
   return std::move(dict);
 }
 
-base::Value NetLogQuicRstStreamFrameCallback(
-    const quic::QuicRstStreamFrame* frame,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicRstStreamFrameParams(
+    const quic::QuicRstStreamFrame* frame) {
   base::DictionaryValue dict;
   dict.SetInteger("stream_id", frame->stream_id);
   dict.SetInteger("quic_rst_stream_error", frame->error_code);
   return std::move(dict);
 }
 
-base::Value NetLogQuicConnectionCloseFrameCallback(
-    const quic::QuicConnectionCloseFrame* frame,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicConnectionCloseFrameParams(
+    const quic::QuicConnectionCloseFrame* frame) {
   base::DictionaryValue dict;
   dict.SetInteger("quic_error", frame->quic_error_code);
   dict.SetString("details", frame->error_details);
   return std::move(dict);
 }
 
-base::Value NetLogQuicWindowUpdateFrameCallback(
-    const quic::QuicWindowUpdateFrame* frame,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicWindowUpdateFrameParams(
+    const quic::QuicWindowUpdateFrame* frame) {
   base::DictionaryValue dict;
   dict.SetInteger("stream_id", frame->stream_id);
   dict.SetKey("byte_offset", NetLogNumberValue(frame->byte_offset));
   return std::move(dict);
 }
 
-base::Value NetLogQuicBlockedFrameCallback(
-    const quic::QuicBlockedFrame* frame,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicBlockedFrameParams(const quic::QuicBlockedFrame* frame) {
   base::DictionaryValue dict;
   dict.SetInteger("stream_id", frame->stream_id);
   return std::move(dict);
 }
 
-base::Value NetLogQuicGoAwayFrameCallback(
-    const quic::QuicGoAwayFrame* frame,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicGoAwayFrameParams(const quic::QuicGoAwayFrame* frame) {
   base::DictionaryValue dict;
   dict.SetInteger("quic_error", frame->error_code);
   dict.SetInteger("last_good_stream_id", frame->last_good_stream_id);
@@ -200,9 +178,8 @@ base::Value NetLogQuicGoAwayFrameCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicStopWaitingFrameCallback(
-    const quic::QuicStopWaitingFrame* frame,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicStopWaitingFrameParams(
+    const quic::QuicStopWaitingFrame* frame) {
   base::DictionaryValue dict;
   auto sent_info = std::make_unique<base::DictionaryValue>();
   sent_info->SetKey("least_unacked",
@@ -211,9 +188,8 @@ base::Value NetLogQuicStopWaitingFrameCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicVersionNegotiationPacketCallback(
-    const quic::QuicVersionNegotiationPacket* packet,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicVersionNegotiationPacketParams(
+    const quic::QuicVersionNegotiationPacket* packet) {
   base::DictionaryValue dict;
   auto versions = std::make_unique<base::ListValue>();
   for (auto it = packet->versions.begin(); it != packet->versions.end(); ++it) {
@@ -223,29 +199,26 @@ base::Value NetLogQuicVersionNegotiationPacketCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicPublicResetPacketCallback(
-    const IPEndPoint* server_hello_address,
-    const quic::QuicSocketAddress* public_reset_address,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicPublicResetPacketParams(
+    const IPEndPoint& server_hello_address,
+    const quic::QuicSocketAddress& public_reset_address) {
   base::DictionaryValue dict;
-  dict.SetString("server_hello_address", server_hello_address->ToString());
-  dict.SetString("public_reset_address", public_reset_address->ToString());
+  dict.SetString("server_hello_address", server_hello_address.ToString());
+  dict.SetString("public_reset_address", public_reset_address.ToString());
   return std::move(dict);
 }
 
-base::Value NetLogQuicCryptoHandshakeMessageCallback(
-    const quic::CryptoHandshakeMessage* message,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicCryptoHandshakeMessageParams(
+    const quic::CryptoHandshakeMessage* message) {
   base::DictionaryValue dict;
   dict.SetString("quic_crypto_handshake_message", message->DebugString());
   return std::move(dict);
 }
 
-base::Value NetLogQuicOnConnectionClosedCallback(
+base::Value NetLogQuicOnConnectionClosedParams(
     quic::QuicErrorCode error,
     string error_details,
-    quic::ConnectionCloseSource source,
-    NetLogCaptureMode /* capture_mode */) {
+    quic::ConnectionCloseSource source) {
   base::DictionaryValue dict;
   dict.SetInteger("quic_error", error);
   dict.SetString("details", error_details);
@@ -255,9 +228,8 @@ base::Value NetLogQuicOnConnectionClosedCallback(
   return std::move(dict);
 }
 
-base::Value NetLogQuicCertificateVerifiedCallback(
-    scoped_refptr<X509Certificate> cert,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogQuicCertificateVerifiedParams(
+    scoped_refptr<X509Certificate> cert) {
   // Only the subjects are logged so that we can investigate connection pooling.
   // More fields could be logged in the future.
   std::vector<std::string> dns_names;
@@ -421,48 +393,52 @@ void QuicConnectionLogger::OnFrameAddedToPacket(const quic::QuicFrame& frame) {
     case quic::PADDING_FRAME:
       break;
     case quic::STREAM_FRAME:
-      net_log_.AddEvent(
-          NetLogEventType::QUIC_SESSION_STREAM_FRAME_SENT,
-          base::Bind(&NetLogQuicStreamFrameCallback, frame.stream_frame));
+      net_log_.AddEvent(NetLogEventType::QUIC_SESSION_STREAM_FRAME_SENT, [&] {
+        return NetLogQuicStreamFrameParams(frame.stream_frame);
+      });
       break;
     case quic::ACK_FRAME: {
-      net_log_.AddEvent(
-          NetLogEventType::QUIC_SESSION_ACK_FRAME_SENT,
-          base::Bind(&NetLogQuicAckFrameCallback, frame.ack_frame));
+      net_log_.AddEvent(NetLogEventType::QUIC_SESSION_ACK_FRAME_SENT, [&] {
+        return NetLogQuicAckFrameParams(frame.ack_frame);
+      });
       break;
     }
     case quic::RST_STREAM_FRAME:
       base::UmaHistogramSparse("Net.QuicSession.RstStreamErrorCodeClient",
                                frame.rst_stream_frame->error_code);
-      net_log_.AddEvent(NetLogEventType::QUIC_SESSION_RST_STREAM_FRAME_SENT,
-                        base::Bind(&NetLogQuicRstStreamFrameCallback,
-                                   frame.rst_stream_frame));
+      net_log_.AddEvent(
+          NetLogEventType::QUIC_SESSION_RST_STREAM_FRAME_SENT, [&] {
+            return NetLogQuicRstStreamFrameParams(frame.rst_stream_frame);
+          });
       break;
     case quic::CONNECTION_CLOSE_FRAME:
       net_log_.AddEvent(
-          NetLogEventType::QUIC_SESSION_CONNECTION_CLOSE_FRAME_SENT,
-          base::Bind(&NetLogQuicConnectionCloseFrameCallback,
-                     frame.connection_close_frame));
+          NetLogEventType::QUIC_SESSION_CONNECTION_CLOSE_FRAME_SENT, [&] {
+            return NetLogQuicConnectionCloseFrameParams(
+                frame.connection_close_frame);
+          });
       break;
     case quic::GOAWAY_FRAME:
-      net_log_.AddEvent(
-          NetLogEventType::QUIC_SESSION_GOAWAY_FRAME_SENT,
-          base::Bind(&NetLogQuicGoAwayFrameCallback, frame.goaway_frame));
+      net_log_.AddEvent(NetLogEventType::QUIC_SESSION_GOAWAY_FRAME_SENT, [&] {
+        return NetLogQuicGoAwayFrameParams(frame.goaway_frame);
+      });
       break;
     case quic::WINDOW_UPDATE_FRAME:
-      net_log_.AddEvent(NetLogEventType::QUIC_SESSION_WINDOW_UPDATE_FRAME_SENT,
-                        base::Bind(&NetLogQuicWindowUpdateFrameCallback,
-                                   frame.window_update_frame));
+      net_log_.AddEvent(
+          NetLogEventType::QUIC_SESSION_WINDOW_UPDATE_FRAME_SENT, [&] {
+            return NetLogQuicWindowUpdateFrameParams(frame.window_update_frame);
+          });
       break;
     case quic::BLOCKED_FRAME:
-      net_log_.AddEvent(
-          NetLogEventType::QUIC_SESSION_BLOCKED_FRAME_SENT,
-          base::Bind(&NetLogQuicBlockedFrameCallback, frame.blocked_frame));
+      net_log_.AddEvent(NetLogEventType::QUIC_SESSION_BLOCKED_FRAME_SENT, [&] {
+        return NetLogQuicBlockedFrameParams(frame.blocked_frame);
+      });
       break;
     case quic::STOP_WAITING_FRAME:
-      net_log_.AddEvent(NetLogEventType::QUIC_SESSION_STOP_WAITING_FRAME_SENT,
-                        base::Bind(&NetLogQuicStopWaitingFrameCallback,
-                                   &frame.stop_waiting_frame));
+      net_log_.AddEvent(
+          NetLogEventType::QUIC_SESSION_STOP_WAITING_FRAME_SENT, [&] {
+            return NetLogQuicStopWaitingFrameParams(&frame.stop_waiting_frame);
+          });
       break;
     case quic::PING_FRAME:
       UMA_HISTOGRAM_BOOLEAN("Net.QuicSession.ConnectionFlowControlBlocked",
@@ -509,15 +485,15 @@ void QuicConnectionLogger::OnPacketSent(
   if (!net_log_is_capturing_)
     return;
   if (!original_packet_number.IsInitialized()) {
-    net_log_.AddEvent(
-        NetLogEventType::QUIC_SESSION_PACKET_SENT,
-        base::Bind(&NetLogQuicPacketSentCallback, serialized_packet,
-                   transmission_type, sent_time));
+    net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PACKET_SENT, [&] {
+      return NetLogQuicPacketSentParams(serialized_packet, transmission_type,
+                                        sent_time);
+    });
   } else {
-    net_log_.AddEvent(
-        NetLogEventType::QUIC_SESSION_PACKET_RETRANSMITTED,
-        base::Bind(&NetLogQuicPacketRetransmittedCallback,
-                   original_packet_number, serialized_packet.packet_number));
+    net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PACKET_RETRANSMITTED, [&] {
+      return NetLogQuicPacketRetransmittedParams(
+          original_packet_number, serialized_packet.packet_number);
+    });
   }
 }
 
@@ -527,10 +503,10 @@ void QuicConnectionLogger::OnPacketLoss(
     quic::QuicTime detection_time) {
   if (!net_log_is_capturing_)
     return;
-  net_log_.AddEvent(
-      NetLogEventType::QUIC_SESSION_PACKET_LOST,
-      base::Bind(&NetLogQuicPacketLostCallback, lost_packet_number,
-                 transmission_type, detection_time));
+  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PACKET_LOST, [&] {
+    return NetLogQuicPacketLostParams(lost_packet_number, transmission_type,
+                                      detection_time);
+  });
 }
 
 void QuicConnectionLogger::OnPingSent() {
@@ -553,9 +529,9 @@ void QuicConnectionLogger::OnPacketReceived(
   last_received_packet_size_ = packet.length();
   if (!net_log_is_capturing_)
     return;
-  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PACKET_RECEIVED,
-                    base::Bind(&NetLogQuicPacketCallback, &self_address,
-                               &peer_address, packet.length()));
+  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PACKET_RECEIVED, [&] {
+    return NetLogQuicPacketParams(self_address, peer_address, packet.length());
+  });
 }
 
 void QuicConnectionLogger::OnUnauthenticatedHeader(
@@ -564,7 +540,7 @@ void QuicConnectionLogger::OnUnauthenticatedHeader(
     return;
   net_log_.AddEvent(
       NetLogEventType::QUIC_SESSION_UNAUTHENTICATED_PACKET_HEADER_RECEIVED,
-      base::Bind(&NetLogQuicPacketHeaderCallback, &header));
+      [&] { return NetLogQuicPacketHeaderParams(&header); });
 }
 
 void QuicConnectionLogger::OnIncorrectConnectionId(
@@ -583,7 +559,7 @@ void QuicConnectionLogger::OnDuplicatePacket(
     return;
   net_log_.AddEvent(
       NetLogEventType::QUIC_SESSION_DUPLICATE_PACKET_RECEIVED,
-      base::Bind(&NetLogQuicDuplicatePacketCallback, packet_number));
+      [&] { return NetLogQuicDuplicatePacketParams(packet_number); });
 }
 
 void QuicConnectionLogger::OnProtocolVersionMismatch(
@@ -648,10 +624,11 @@ void QuicConnectionLogger::OnStreamFrame(const quic::QuicStreamFrame& frame) {
   if (!net_log_is_capturing_)
     return;
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_STREAM_FRAME_RECEIVED,
-                    base::Bind(&NetLogQuicStreamFrameCallback, frame));
+                    [&] { return NetLogQuicStreamFrameParams(frame); });
 }
 
 void QuicConnectionLogger::OnIncomingAck(
+    quic::QuicPacketNumber ack_packet_number,
     const quic::QuicAckFrame& frame,
     quic::QuicTime ack_receive_time,
     quic::QuicPacketNumber largest_observed,
@@ -668,7 +645,7 @@ void QuicConnectionLogger::OnIncomingAck(
   if (!net_log_is_capturing_)
     return;
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_ACK_FRAME_RECEIVED,
-                    base::Bind(&NetLogQuicAckFrameCallback, &frame));
+                    [&] { return NetLogQuicAckFrameParams(&frame); });
 
   // TODO(rch, rtenneti) sort out histograms for QUIC_VERSION_34 and above.
 }
@@ -678,7 +655,7 @@ void QuicConnectionLogger::OnStopWaitingFrame(
   if (!net_log_is_capturing_)
     return;
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_STOP_WAITING_FRAME_RECEIVED,
-                    base::Bind(&NetLogQuicStopWaitingFrameCallback, &frame));
+                    [&] { return NetLogQuicStopWaitingFrameParams(&frame); });
 }
 
 void QuicConnectionLogger::OnRstStreamFrame(
@@ -688,7 +665,7 @@ void QuicConnectionLogger::OnRstStreamFrame(
   if (!net_log_is_capturing_)
     return;
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_RST_STREAM_FRAME_RECEIVED,
-                    base::Bind(&NetLogQuicRstStreamFrameCallback, &frame));
+                    [&] { return NetLogQuicRstStreamFrameParams(&frame); });
 }
 
 void QuicConnectionLogger::OnConnectionCloseFrame(
@@ -697,7 +674,7 @@ void QuicConnectionLogger::OnConnectionCloseFrame(
     return;
   net_log_.AddEvent(
       NetLogEventType::QUIC_SESSION_CONNECTION_CLOSE_FRAME_RECEIVED,
-      base::Bind(&NetLogQuicConnectionCloseFrameCallback, &frame));
+      [&] { return NetLogQuicConnectionCloseFrameParams(&frame); });
 }
 
 void QuicConnectionLogger::OnWindowUpdateFrame(
@@ -706,7 +683,7 @@ void QuicConnectionLogger::OnWindowUpdateFrame(
   if (!net_log_is_capturing_)
     return;
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_WINDOW_UPDATE_FRAME_RECEIVED,
-                    base::Bind(&NetLogQuicWindowUpdateFrameCallback, &frame));
+                    [&] { return NetLogQuicWindowUpdateFrameParams(&frame); });
 }
 
 void QuicConnectionLogger::OnBlockedFrame(const quic::QuicBlockedFrame& frame) {
@@ -714,7 +691,7 @@ void QuicConnectionLogger::OnBlockedFrame(const quic::QuicBlockedFrame& frame) {
   if (!net_log_is_capturing_)
     return;
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_BLOCKED_FRAME_RECEIVED,
-                    base::Bind(&NetLogQuicBlockedFrameCallback, &frame));
+                    [&] { return NetLogQuicBlockedFrameParams(&frame); });
 }
 
 void QuicConnectionLogger::OnGoAwayFrame(const quic::QuicGoAwayFrame& frame) {
@@ -724,7 +701,7 @@ void QuicConnectionLogger::OnGoAwayFrame(const quic::QuicGoAwayFrame& frame) {
   if (!net_log_is_capturing_)
     return;
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_GOAWAY_FRAME_RECEIVED,
-                    base::Bind(&NetLogQuicGoAwayFrameCallback, &frame));
+                    [&] { return NetLogQuicGoAwayFrameParams(&frame); });
 }
 
 void QuicConnectionLogger::OnPingFrame(const quic::QuicPingFrame& frame) {
@@ -740,10 +717,11 @@ void QuicConnectionLogger::OnPublicResetPacket(
       local_address_from_shlo_, ToIPEndPoint(packet.client_address));
   if (!net_log_is_capturing_)
     return;
-  net_log_.AddEvent(
-      NetLogEventType::QUIC_SESSION_PUBLIC_RESET_PACKET_RECEIVED,
-      base::Bind(&NetLogQuicPublicResetPacketCallback,
-                 &local_address_from_shlo_, &packet.client_address));
+  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PUBLIC_RESET_PACKET_RECEIVED,
+                    [&] {
+                      return NetLogQuicPublicResetPacketParams(
+                          local_address_from_shlo_, packet.client_address);
+                    });
 }
 
 void QuicConnectionLogger::OnVersionNegotiationPacket(
@@ -752,7 +730,7 @@ void QuicConnectionLogger::OnVersionNegotiationPacket(
     return;
   net_log_.AddEvent(
       NetLogEventType::QUIC_SESSION_VERSION_NEGOTIATION_PACKET_RECEIVED,
-      base::Bind(&NetLogQuicVersionNegotiationPacketCallback, &packet));
+      [&] { return NetLogQuicVersionNegotiationPacketParams(&packet); });
 }
 
 void QuicConnectionLogger::OnCryptoHandshakeMessageReceived(
@@ -768,13 +746,23 @@ void QuicConnectionLogger::OnCryptoHandshakeMessageReceived(
           "Net.QuicSession.ConnectionTypeFromPeer",
           GetRealAddressFamily(local_address_from_shlo_.address()),
           ADDRESS_FAMILY_LAST);
+
+      int sample = GetAddressMismatch(local_address_from_shlo_,
+                                      local_address_from_self_);
+      // We are seemingly talking to an older server that does not support the
+      // feature, so we can't report the results in the histogram.
+      if (sample >= 0) {
+        UMA_HISTOGRAM_ENUMERATION("Net.QuicSession.SelfShloAddressMismatch",
+                                  static_cast<QuicAddressMismatch>(sample),
+                                  QUIC_ADDRESS_MISMATCH_MAX);
+      }
     }
   }
   if (!net_log_is_capturing_)
     return;
   net_log_.AddEvent(
       NetLogEventType::QUIC_SESSION_CRYPTO_HANDSHAKE_MESSAGE_RECEIVED,
-      base::Bind(&NetLogQuicCryptoHandshakeMessageCallback, &message));
+      [&] { return NetLogQuicCryptoHandshakeMessageParams(&message); });
 }
 
 void QuicConnectionLogger::OnCryptoHandshakeMessageSent(
@@ -783,18 +771,18 @@ void QuicConnectionLogger::OnCryptoHandshakeMessageSent(
     return;
   net_log_.AddEvent(
       NetLogEventType::QUIC_SESSION_CRYPTO_HANDSHAKE_MESSAGE_SENT,
-      base::Bind(&NetLogQuicCryptoHandshakeMessageCallback, &message));
+      [&] { return NetLogQuicCryptoHandshakeMessageParams(&message); });
 }
 
 void QuicConnectionLogger::OnConnectionClosed(
-    quic::QuicErrorCode error,
-    const string& error_details,
+    const quic::QuicConnectionCloseFrame& frame,
     quic::ConnectionCloseSource source) {
   if (!net_log_is_capturing_)
     return;
-  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CLOSED,
-                    base::Bind(&NetLogQuicOnConnectionClosedCallback, error,
-                               error_details, source));
+  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CLOSED, [&] {
+    return NetLogQuicOnConnectionClosedParams(frame.quic_error_code,
+                                              frame.error_details, source);
+  });
 }
 
 void QuicConnectionLogger::OnSuccessfulVersionNegotiation(
@@ -802,8 +790,9 @@ void QuicConnectionLogger::OnSuccessfulVersionNegotiation(
   if (!net_log_is_capturing_)
     return;
   string quic_version = QuicVersionToString(version.transport_version);
-  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_VERSION_NEGOTIATED,
-                    NetLog::StringCallback("version", &quic_version));
+  net_log_.AddEventWithStringParams(
+      NetLogEventType::QUIC_SESSION_VERSION_NEGOTIATED, "version",
+      quic_version);
 }
 
 void QuicConnectionLogger::UpdateReceivedFrameCounts(
@@ -825,9 +814,9 @@ void QuicConnectionLogger::OnCertificateVerified(
     net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CERTIFICATE_VERIFY_FAILED);
     return;
   }
-  net_log_.AddEvent(
-      NetLogEventType::QUIC_SESSION_CERTIFICATE_VERIFIED,
-      base::Bind(&NetLogQuicCertificateVerifiedCallback, result.verified_cert));
+  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CERTIFICATE_VERIFIED, [&] {
+    return NetLogQuicCertificateVerifiedParams(result.verified_cert);
+  });
 }
 
 base::HistogramBase* QuicConnectionLogger::Get6PacketHistogram(
diff --git a/chromium/net/quic/quic_connection_logger.h b/chromium/net/quic/quic_connection_logger.h
index 4ae3ebf5db5..d987bf5e65c 100644
--- a/chromium/net/quic/quic_connection_logger.h
+++ b/chromium/net/quic/quic_connection_logger.h
@@ -12,6 +12,7 @@
 
 #include "base/macros.h"
 #include "base/timer/timer.h"
+#include "net/base/ip_endpoint.h"
 #include "net/base/net_export.h"
 #include "net/base/network_change_notifier.h"
 #include "net/cert/cert_verify_result.h"
@@ -50,7 +51,8 @@ class NET_EXPORT_PRIVATE QuicConnectionLogger
                     quic::QuicPacketNumber original_packet_number,
                     quic::TransmissionType transmission_type,
                     quic::QuicTime sent_time) override;
-  void OnIncomingAck(const quic::QuicAckFrame& frame,
+  void OnIncomingAck(quic::QuicPacketNumber ack_packet_number,
+                     const quic::QuicAckFrame& frame,
                      quic::QuicTime ack_receive_time,
                      quic::QuicPacketNumber largest_observed,
                      bool rtt_updated,
@@ -81,8 +83,7 @@ class NET_EXPORT_PRIVATE QuicConnectionLogger
   void OnPublicResetPacket(const quic::QuicPublicResetPacket& packet) override;
   void OnVersionNegotiationPacket(
       const quic::QuicVersionNegotiationPacket& packet) override;
-  void OnConnectionClosed(quic::QuicErrorCode error,
-                          const std::string& error_details,
+  void OnConnectionClosed(const quic::QuicConnectionCloseFrame& frame,
                           quic::ConnectionCloseSource source) override;
   void OnSuccessfulVersionNegotiation(
       const quic::ParsedQuicVersion& version) override;
diff --git a/chromium/net/quic/quic_connectivity_probing_manager.cc b/chromium/net/quic/quic_connectivity_probing_manager.cc
index 7f335131789..c4f838014c2 100644
--- a/chromium/net/quic/quic_connectivity_probing_manager.cc
+++ b/chromium/net/quic/quic_connectivity_probing_manager.cc
@@ -8,7 +8,7 @@
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/values.h"
-#include "net/log/net_log.h"
+#include "net/log/net_log_values.h"
 #include "net/quic/address_utils.h"
 
 namespace net {
@@ -18,11 +18,10 @@ namespace {
 // Default to 2 seconds timeout as the maximum timeout.
 const int64_t kMaxProbingTimeoutMs = 2000;
 
-base::Value NetLogStartProbingCallback(
+base::Value NetLogStartProbingParams(
     NetworkChangeNotifier::NetworkHandle network,
     const quic::QuicSocketAddress* peer_address,
-    base::TimeDelta initial_timeout,
-    NetLogCaptureMode capture_mode) {
+    base::TimeDelta initial_timeout) {
   base::DictionaryValue dict;
   dict.SetKey("network", NetLogNumberValue(network));
   dict.SetString("peer address", peer_address->ToString());
@@ -31,11 +30,10 @@ base::Value NetLogStartProbingCallback(
   return std::move(dict);
 }
 
-base::Value NetLogProbeReceivedCallback(
+base::Value NetLogProbeReceivedParams(
     NetworkChangeNotifier::NetworkHandle network,
     const IPEndPoint* self_address,
-    const quic::QuicSocketAddress* peer_address,
-    NetLogCaptureMode capture_mode) {
+    const quic::QuicSocketAddress* peer_address) {
   base::DictionaryValue dict;
   dict.SetKey("network", NetLogNumberValue(network));
   dict.SetString("self address", self_address->ToString());
@@ -43,10 +41,9 @@ base::Value NetLogProbeReceivedCallback(
   return std::move(dict);
 }
 
-base::Value NetLogProbingDestinationCallback(
+base::Value NetLogProbingDestinationParams(
     NetworkChangeNotifier::NetworkHandle network,
-    const quic::QuicSocketAddress* peer_address,
-    NetLogCaptureMode capture_mode) {
+    const quic::QuicSocketAddress* peer_address) {
   base::DictionaryValue dict;
   dict.SetString("network", base::NumberToString(network));
   dict.SetString("peer address", peer_address->ToString());
@@ -63,8 +60,7 @@ QuicConnectivityProbingManager::QuicConnectivityProbingManager(
       network_(NetworkChangeNotifier::kInvalidNetworkHandle),
       retry_count_(0),
       probe_start_time_(base::TimeTicks()),
-      task_runner_(task_runner),
-      weak_factory_(this) {
+      task_runner_(task_runner) {
   retransmit_timer_.SetTaskRunner(task_runner_);
 }
 
@@ -103,9 +99,9 @@ void QuicConnectivityProbingManager::CancelProbing(
 void QuicConnectivityProbingManager::CancelProbingIfAny() {
   if (is_running_) {
     net_log_.AddEvent(
-        NetLogEventType::QUIC_CONNECTIVITY_PROBING_MANAGER_CANCEL_PROBING,
-        base::Bind(&NetLogProbingDestinationCallback, network_,
-                   &peer_address_));
+        NetLogEventType::QUIC_CONNECTIVITY_PROBING_MANAGER_CANCEL_PROBING, [&] {
+          return NetLogProbingDestinationParams(network_, &peer_address_);
+        });
   }
   is_running_ = false;
   network_ = NetworkChangeNotifier::kInvalidNetworkHandle;
@@ -150,9 +146,10 @@ void QuicConnectivityProbingManager::StartProbing(
   initial_timeout_ = initial_timeout;
 
   net_log_.AddEvent(
-      NetLogEventType::QUIC_CONNECTIVITY_PROBING_MANAGER_START_PROBING,
-      base::Bind(&NetLogStartProbingCallback, network_, &peer_address_,
-                 initial_timeout_));
+      NetLogEventType::QUIC_CONNECTIVITY_PROBING_MANAGER_START_PROBING, [&] {
+        return NetLogStartProbingParams(network_, &peer_address_,
+                                        initial_timeout_);
+      });
 
   reader_->StartReading();
   SendConnectivityProbingPacket(initial_timeout_);
@@ -183,9 +180,10 @@ void QuicConnectivityProbingManager::OnConnectivityProbingReceived(
   }
 
   net_log_.AddEvent(
-      NetLogEventType::QUIC_CONNECTIVITY_PROBING_MANAGER_PROBE_RECEIVED,
-      base::Bind(&NetLogProbeReceivedCallback, network_, &local_address,
-                 &peer_address_));
+      NetLogEventType::QUIC_CONNECTIVITY_PROBING_MANAGER_PROBE_RECEIVED, [&] {
+        return NetLogProbeReceivedParams(network_, &local_address,
+                                         &peer_address_);
+      });
 
   UMA_HISTOGRAM_COUNTS_100("Net.QuicSession.ProbingRetryCountUntilSuccess",
                            retry_count_);
@@ -202,9 +200,9 @@ void QuicConnectivityProbingManager::OnConnectivityProbingReceived(
 
 void QuicConnectivityProbingManager::SendConnectivityProbingPacket(
     base::TimeDelta timeout) {
-  net_log_.AddEvent(
+  net_log_.AddEventWithInt64Params(
       NetLogEventType::QUIC_CONNECTIVITY_PROBING_MANAGER_PROBE_SENT,
-      NetLog::Int64Callback("sent_count", retry_count_));
+      "sent_count", retry_count_);
   if (!delegate_->OnSendConnectivityProbingPacket(writer_.get(),
                                                   peer_address_)) {
     NotifyDelegateProbeFailed();
diff --git a/chromium/net/quic/quic_connectivity_probing_manager.h b/chromium/net/quic/quic_connectivity_probing_manager.h
index e18ae034978..aa5bc7a1a52 100644
--- a/chromium/net/quic/quic_connectivity_probing_manager.h
+++ b/chromium/net/quic/quic_connectivity_probing_manager.h
@@ -128,7 +128,7 @@ class NET_EXPORT_PRIVATE QuicConnectivityProbingManager
 
   base::SequencedTaskRunner* task_runner_;
 
-  base::WeakPtrFactory<QuicConnectivityProbingManager> weak_factory_;
+  base::WeakPtrFactory<QuicConnectivityProbingManager> weak_factory_{this};
   DISALLOW_COPY_AND_ASSIGN(QuicConnectivityProbingManager);
 };
 
diff --git a/chromium/net/quic/quic_connectivity_probing_manager_test.cc b/chromium/net/quic/quic_connectivity_probing_manager_test.cc
index 2d4f7fe0bab..b4a17de50b5 100644
--- a/chromium/net/quic/quic_connectivity_probing_manager_test.cc
+++ b/chromium/net/quic/quic_connectivity_probing_manager_test.cc
@@ -7,6 +7,7 @@
 #include "base/stl_util.h"
 #include "base/test/test_mock_time_task_runner.h"
 #include "net/log/test_net_log.h"
+#include "net/quic/address_utils.h"
 #include "net/socket/socket_test_util.h"
 #include "net/test/gtest_util.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
@@ -26,12 +27,12 @@ const NetworkChangeNotifier::NetworkHandle testNetworkHandle = 1;
 const IPEndPoint kIpEndPoint =
     IPEndPoint(IPAddress::IPv4AllZeros(), quic::test::kTestPort);
 const quic::QuicSocketAddress testPeerAddress =
-    quic::QuicSocketAddress(quic::QuicSocketAddressImpl(kIpEndPoint));
+    ToQuicSocketAddress(kIpEndPoint);
 
 const IPEndPoint newIpEndPoint =
     IPEndPoint(IPAddress::IPv4AllZeros(), quic::test::kTestPort + 1);
 const quic::QuicSocketAddress newPeerAddress =
-    quic::QuicSocketAddress(quic::QuicSocketAddressImpl(newIpEndPoint));
+    ToQuicSocketAddress(newIpEndPoint);
 }  // anonymous namespace
 
 class MockQuicChromiumClientSession
@@ -39,7 +40,8 @@ class MockQuicChromiumClientSession
       public QuicChromiumPacketReader::Visitor {
  public:
   MockQuicChromiumClientSession()
-      : probed_network_(NetworkChangeNotifier::kInvalidNetworkHandle) {}
+      : probed_network_(NetworkChangeNotifier::kInvalidNetworkHandle),
+        is_successfully_probed_(false) {}
   ~MockQuicChromiumClientSession() override {}
 
   // QuicChromiumPacketReader::Visitor interface.
@@ -66,21 +68,29 @@ class MockQuicChromiumClientSession
       std::unique_ptr<DatagramClientSocket> socket,
       std::unique_ptr<QuicChromiumPacketWriter> writer,
       std::unique_ptr<QuicChromiumPacketReader> reader) override {
+    is_successfully_probed_ = true;
     probed_network_ = network;
     probed_peer_address_ = peer_address;
+    probed_self_address_ = self_address;
   }
 
-  NetworkChangeNotifier::NetworkHandle probed_network() const {
-    return probed_network_;
-  }
+  bool IsProbedPathMatching(NetworkChangeNotifier::NetworkHandle network,
+                            const quic::QuicSocketAddress& peer_address,
+                            const quic::QuicSocketAddress& self_address) const {
+    if (!is_successfully_probed_)
+      return false;
 
-  quic::QuicSocketAddress probed_peer_address() const {
-    return probed_peer_address_;
+    return probed_network_ == network && probed_peer_address_ == peer_address &&
+           probed_self_address_ == self_address;
   }
 
+  bool is_successfully_probed() const { return is_successfully_probed_; }
+
  private:
   NetworkChangeNotifier::NetworkHandle probed_network_;
   quic::QuicSocketAddress probed_peer_address_;
+  quic::QuicSocketAddress probed_self_address_;
+  bool is_successfully_probed_;
 
   DISALLOW_COPY_AND_ASSIGN(MockQuicChromiumClientSession);
 };
@@ -102,8 +112,7 @@ class QuicConnectivityProbingManagerTest : public ::testing::Test {
     EXPECT_THAT(socket_->Connect(kIpEndPoint), IsOk());
     IPEndPoint self_address;
     socket_->GetLocalAddress(&self_address);
-    self_address_ =
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(self_address));
+    self_address_ = ToQuicSocketAddress(self_address);
     // Create packet writer and reader for probing.
     writer_.reset(
         new QuicChromiumPacketWriter(socket_.get(), test_task_runner_.get()));
@@ -138,10 +147,13 @@ class QuicConnectivityProbingManagerTest : public ::testing::Test {
 };
 
 TEST_F(QuicConnectivityProbingManagerTest, ReceiveProbingResponseOnSamePath) {
+  EXPECT_FALSE(session_.is_successfully_probed());
   int initial_timeout_ms = 100;
 
   EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
       .WillOnce(Return(true));
+
+  // Target probing path: <testNetworkHandle, testPeerAddress>.
   probing_manager_.StartProbing(
       testNetworkHandle, testPeerAddress, std::move(socket_),
       std::move(writer_), std::move(reader_),
@@ -150,7 +162,7 @@ TEST_F(QuicConnectivityProbingManagerTest, ReceiveProbingResponseOnSamePath) {
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
 
   // Fast forward initial_timeout_ms, timeout the first connectivity probing
-  // packet, introduce another probing packet to sent out with timeout set to
+  // packet, cause another probing packet to be sent with timeout set to
   // 2 * initial_timeout_ms.
   EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
       .WillOnce(Return(true));
@@ -165,6 +177,7 @@ TEST_F(QuicConnectivityProbingManagerTest, ReceiveProbingResponseOnSamePath) {
   test_task_runner_->FastForwardBy(
       base::TimeDelta::FromMilliseconds(initial_timeout_ms));
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
+  EXPECT_FALSE(session_.is_successfully_probed());
 
   // Notify the manager a connectivity probing packet is received from
   // testPeerAddress to |self_address_|, manager should decalre probing as
@@ -174,7 +187,9 @@ TEST_F(QuicConnectivityProbingManagerTest, ReceiveProbingResponseOnSamePath) {
       .Times(0);
   probing_manager_.OnConnectivityProbingReceived(self_address_,
                                                  testPeerAddress);
-  EXPECT_EQ(session_.probed_network(), testNetworkHandle);
+  EXPECT_TRUE(session_.is_successfully_probed());
+  EXPECT_TRUE(session_.IsProbedPathMatching(testNetworkHandle, testPeerAddress,
+                                            self_address_));
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
 
   // Verify there's nothing to send.
@@ -187,10 +202,13 @@ TEST_F(QuicConnectivityProbingManagerTest, ReceiveProbingResponseOnSamePath) {
 
 TEST_F(QuicConnectivityProbingManagerTest,
        ReceiveProbingResponseOnDifferentPath) {
+  EXPECT_FALSE(session_.is_successfully_probed());
   int initial_timeout_ms = 100;
 
   EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
       .WillOnce(Return(true));
+
+  // Target probing path: <testNetworkHandle, testPeerAddress>.
   probing_manager_.StartProbing(
       testNetworkHandle, testPeerAddress, std::move(socket_),
       std::move(writer_), std::move(reader_),
@@ -199,7 +217,7 @@ TEST_F(QuicConnectivityProbingManagerTest,
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
 
   // Fast forward initial_timeout_ms, timeout the first connectivity probing
-  // packet, introduce another probing packet to sent out with timeout set to
+  // packet, cause another probing packet to be sent with timeout set to
   // 2 * initial_timeout_ms.
   EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
       .WillOnce(Return(true));
@@ -221,7 +239,7 @@ TEST_F(QuicConnectivityProbingManagerTest,
       .Times(0);
   probing_manager_.OnConnectivityProbingReceived(quic::QuicSocketAddress(),
                                                  testPeerAddress);
-  EXPECT_NE(session_.probed_network(), testNetworkHandle);
+  EXPECT_FALSE(session_.is_successfully_probed());
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
 
   // Fast forward another initial_timeout_ms, another probing packet will be
@@ -237,7 +255,83 @@ TEST_F(QuicConnectivityProbingManagerTest,
       .Times(0);
   probing_manager_.OnConnectivityProbingReceived(self_address_,
                                                  testPeerAddress);
-  EXPECT_EQ(session_.probed_network(), testNetworkHandle);
+  EXPECT_TRUE(session_.is_successfully_probed());
+  EXPECT_TRUE(session_.IsProbedPathMatching(testNetworkHandle, testPeerAddress,
+                                            self_address_));
+  EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
+
+  // Verify there's nothing to send.
+  EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
+      .Times(0);
+  test_task_runner_->RunUntilIdle();
+}
+
+TEST_F(QuicConnectivityProbingManagerTest,
+       ReceiveProbingResponseOnDifferentPort) {
+  EXPECT_FALSE(session_.is_successfully_probed());
+  int initial_timeout_ms = 100;
+
+  EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
+      .WillOnce(Return(true));
+
+  // Target probing path: <NetworkChangeNotifier::kInvalidNetworkHandle,
+  //                       testPeerAddress>.
+  probing_manager_.StartProbing(
+      NetworkChangeNotifier::kInvalidNetworkHandle, testPeerAddress,
+      std::move(socket_), std::move(writer_), std::move(reader_),
+      base::TimeDelta::FromMilliseconds(initial_timeout_ms),
+      bound_test_net_log_.bound());
+  EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
+
+  // Fast forward initial_timeout_ms, timeout the first connectivity probing
+  // packet, cause another probing packet to be sent with timeout set to
+  // 2 * initial_timeout_ms.
+  EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
+      .WillOnce(Return(true));
+  test_task_runner_->FastForwardBy(
+      base::TimeDelta::FromMilliseconds(initial_timeout_ms));
+  EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
+
+  // Fast forward initial_timeout_ms, should be no-op.
+  EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
+      .Times(0);
+  test_task_runner_->FastForwardBy(
+      base::TimeDelta::FromMilliseconds(initial_timeout_ms));
+  EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
+
+  // Notify the manager a connectivity probing packet is received from
+  // testPeerAddress to a different self address (which only differs in the
+  // port), manager should ignore the probing response and continue waiting.
+  EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
+      .Times(0);
+  uint16_t different_port = self_address_.port() + 1;
+  quic::QuicSocketAddress different_self_address(self_address_.host(),
+                                                 different_port);
+  probing_manager_.OnConnectivityProbingReceived(different_self_address,
+                                                 testPeerAddress);
+  EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
+  // Verify that session's probed network is still not valid.
+  EXPECT_FALSE(session_.is_successfully_probed());
+
+  // Fast forward another initial_timeout_ms, another probing packet will be
+  // sent.
+  EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
+      .WillOnce(Return(true));
+  test_task_runner_->FastForwardBy(
+      base::TimeDelta::FromMilliseconds(initial_timeout_ms));
+  EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
+
+  // Finally receive the probing response on the same self address and peer
+  // address.
+  EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
+      .Times(0);
+  probing_manager_.OnConnectivityProbingReceived(self_address_,
+                                                 testPeerAddress);
+  // Verify that session's probed network is not valid yet.
+  EXPECT_TRUE(session_.is_successfully_probed());
+  EXPECT_TRUE(session_.IsProbedPathMatching(
+      NetworkChangeNotifier::kInvalidNetworkHandle, testPeerAddress,
+      self_address_));
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
 
   // Verify there's nothing to send.
@@ -292,7 +386,7 @@ TEST_F(QuicConnectivityProbingManagerTest, CancelProbing) {
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
 
   // Fast forward initial_timeout_ms, timeout the first connectivity probing
-  // packet, introduce another probing packet to sent out with timeout set to
+  // packet, cause another probing packet to be sent with timeout set to
   // 2 * initial_timeout_ms.
   EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
       .WillOnce(Return(true));
@@ -369,7 +463,7 @@ TEST_F(QuicConnectivityProbingManagerTest, ProbingWriterError) {
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
 
   // Fast forward initial_timeout_ms, timeout the first connectivity probing
-  // packet, introduce another probing packet to sent out with timeout set to
+  // packet, cause another probing packet to be sent with timeout set to
   // 2 * initial_timeout_ms.
   EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
       .WillOnce(Return(true));
@@ -435,9 +529,10 @@ TEST_F(QuicConnectivityProbingManagerTest,
 
   // Verify that session marked <kInvalidNetworkHandle, testPeerAddress> as
   // successfully probed.
-  EXPECT_EQ(session_.probed_network(),
-            NetworkChangeNotifier::kInvalidNetworkHandle);
-  EXPECT_EQ(session_.probed_peer_address(), testPeerAddress);
+  EXPECT_TRUE(session_.is_successfully_probed());
+  EXPECT_TRUE(session_.IsProbedPathMatching(
+      NetworkChangeNotifier::kInvalidNetworkHandle, testPeerAddress,
+      self_address_));
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
 
   EXPECT_CALL(session_, OnSendConnectivityProbingPacket(_, testPeerAddress))
diff --git a/chromium/net/quic/quic_end_to_end_unittest.cc b/chromium/net/quic/quic_end_to_end_unittest.cc
index 85dabee8522..fa860122285 100644
--- a/chromium/net/quic/quic_end_to_end_unittest.cc
+++ b/chromium/net/quic/quic_end_to_end_unittest.cc
@@ -141,7 +141,7 @@ class QuicEndToEndTest : public ::testing::Test,
 
     // To simplify the test, and avoid the race with the HTTP request, we force
     // QUIC for these requests.
-    session_params_.origins_to_force_quic_on.insert(
+    session_params_.quic_params.origins_to_force_quic_on.insert(
         HostPortPair::FromString("test.example.com:443"));
 
     transaction_factory_.reset(
diff --git a/chromium/net/quic/quic_flags_list.h b/chromium/net/quic/quic_flags_list.h
index 9f68e2cf365..16590ee9c3f 100644
--- a/chromium/net/quic/quic_flags_list.h
+++ b/chromium/net/quic/quic_flags_list.h
@@ -25,11 +25,6 @@ QUIC_FLAG(int64_t, FLAGS_quic_time_wait_list_seconds, 200)
 // no configured limit.
 QUIC_FLAG(int64_t, FLAGS_quic_time_wait_list_max_connections, 600000)
 
-// Enables server-side support for QUIC stateless rejects.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_enable_quic_stateless_reject_support,
-          false)
-
 // If true, require handshake confirmation for QUIC connections, functionally
 // disabling 0-rtt handshakes.
 // TODO(rtenneti): Enable this flag after CryptoServerTest's are fixed.
@@ -43,12 +38,6 @@ QUIC_FLAG(bool, FLAGS_quic_disable_pacing_for_perf_tests, false)
 // If true, enforce that QUIC CHLOs fit in one packet.
 QUIC_FLAG(bool, FLAGS_quic_enforce_single_packet_chlo, true)
 
-// If true, QUIC will use cheap stateless rejects without creating a full
-// connection.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_use_cheap_stateless_rejects,
-          false)
-
 // If true, allows packets to be buffered in anticipation of a future CHLO, and
 // allow CHLO packets to be buffered until next iteration of the event loop.
 QUIC_FLAG(bool, FLAGS_quic_allow_chlo_buffering, true)
@@ -72,6 +61,10 @@ QUIC_FLAG(bool,
 // When true, defaults to BBR congestion control instead of Cubic.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_default_to_bbr, false)
 
+// If true, use BBRv2 as the default congestion controller.
+// Takes precedence over --quic_default_to_bbr.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_default_to_bbr_v2, false)
+
 // If buffered data in QUIC stream is less than this threshold, buffers all
 // provided data or asks upper layer for more data.
 QUIC_FLAG(uint32_t, FLAGS_quic_buffered_data_threshold, 8192u)
@@ -83,9 +76,6 @@ QUIC_FLAG(uint32_t, FLAGS_quic_send_buffer_max_data_slice_size, 4096u)
 // protocol.
 QUIC_FLAG(bool, FLAGS_quic_supports_tls_handshake, false)
 
-// Allow QUIC to accept initial packet numbers that are random, not 1.
-QUIC_FLAG(bool, FLAGS_quic_restart_flag_quic_enable_accept_random_ipn, true)
-
 // Enables 3 new connection options to make PROBE_RTT more aggressive
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_less_probe_rtt, false)
 
@@ -103,12 +93,6 @@ QUIC_FLAG(int32_t, FLAGS_quic_lumpy_pacing_size, 1)
 // pacing.
 QUIC_FLAG(double, FLAGS_quic_lumpy_pacing_cwnd_fraction, 0.25f)
 
-// If true, static streams in a QuicSession will be stored inside dynamic
-// stream map. static_stream_map will no longer be used.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_eliminate_static_stream_map_3,
-          false)
-
 // Default enables QUIC ack decimation and adds a connection option to disable
 // it.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_ack_decimation, false)
@@ -125,17 +109,6 @@ QUIC_FLAG(double, FLAGS_quic_pace_time_into_future_srtt_fraction, 0.125f)
 // Mechanism to override version label and ALPN for IETF interop.
 QUIC_FLAG(int32_t, FLAGS_quic_ietf_draft_version, 0)
 
-// If true, enable QUIC v44.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_44, true)
-
-// Stop checking QuicUnackedPacketMap::HasUnackedRetransmittableFrames and
-// instead rely on the existing check that bytes_in_flight > 0
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_optimize_inflight_check, false)
-
-// When you\'re app-limited entering recovery, stay app-limited until you exit
-// recovery in QUIC BBR.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_app_limited_recovery, false)
-
 // If true, stop resetting ideal_next_packet_send_time_ in pacing sender.
 QUIC_FLAG(
     bool,
@@ -149,10 +122,6 @@ QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_pcc3, false)
 // ACK in packet conservation.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_one_mss_conservation, false)
 
-// Add 3 connection options to decrease the pacing and CWND gain in QUIC BBR
-// STARTUP.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_slower_startup3, true)
-
 // When true, the LOSS connection option allows for 1/8 RTT of reording instead
 // of the current 1/8th threshold which has been found to be too large for fast
 // loss recovery.
@@ -174,33 +143,10 @@ QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_stop_reading_when_level_triggered,
           false)
 
-// If true, QuicSession::HasPendingCryptoData checks whether the crypto stream's
-// send buffer is empty. This flag fixes a bug where the retransmission alarm
-// mode is wrong for the first CHLO packet.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_fix_has_pending_crypto_data,
-          true)
-
-// When true, fix initialization and updating of
-// |time_of_first_packet_sent_after_receiving_| in QuicConnection.
-QUIC_FLAG(
-    bool,
-    FLAGS_quic_reloadable_flag_quic_fix_time_of_first_packet_sent_after_receiving,
-    true)
-
 // When the STMP connection option is sent by the client, timestamps in the QUIC
 // ACK frame are sent and processed.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_send_timestamps, false)
 
-// If true, dispatcher passes in a single version when creating a server
-// connection, such that version negotiation is not supported in connection.
-QUIC_FLAG(bool,
-          FLAGS_quic_restart_flag_quic_no_server_conn_ver_negotiation2,
-          true)
-
-// If true, enable QUIC version 46.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_46, true)
-
 // When in STARTUP and recovery, do not add bytes_acked to QUIC BBR's CWND in
 // CalculateCongestionWindow()
 QUIC_FLAG(
@@ -217,21 +163,11 @@ QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_use_common_stream_check, false)
 // packets as no longer inflight when they're retransmitted.
 QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_loss_removes_from_inflight,
-          false)
+          true)
 
 // If true, QuicEpollClock::Now() will monotonically increase.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_monotonic_epoll_clock, false)
 
-// If true, a client connection would be closed when a version negotiation
-// packet is received. It would be the higher layer's responsibility to do the
-// reconnection.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_no_client_conn_ver_negotiation,
-          false)
-
-// If true, public reset packets sent from GFE will include a kEPID tag.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_fix_spurious_ack_alarm, false)
-
 // If true, enables the BBS4 and BBS5 connection options, which reduce BBR's
 // pacing rate in STARTUP as more losses occur as a fraction of CWND.
 QUIC_FLAG(bool,
@@ -243,53 +179,15 @@ QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_log_cert_name_for_empty_sct,
           true)
 
-// If true, enable QUIC version 47 which adds CRYPTO frames.
+// If true, enable QUIC version 47.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_47, false)
 
+// If true, enable QUIC version 48.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_48, false)
+
 // If true, disable QUIC version 39.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_disable_version_39, false)
 
-// If true, use one loss algorithm per encryption level.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_use_uber_loss_algorithm, true)
-
-// If true, QuicStreamSequencerBuffer will switch to a new
-// QuicIntervalSet::AddOptimizedForAppend method in OnStreamData().
-QUIC_FLAG(
-    bool,
-    FLAGS_quic_reloadable_flag_quic_faster_interval_add_in_sequence_buffer,
-    true)
-
-// If true, GFE time wait list will send termination packets based on current
-// packet's encryption level.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_fix_termination_packets, true)
-
-// If true, stop using AckBundling mode to send ACK, also deprecate ack_queued
-// from QuicConnection.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_deprecate_ack_bundling_mode,
-          true)
-
-// If both this flag and gfe2_reloadable_flag_quic_deprecate_ack_bundling_mode
-// are true, QuicReceivedPacketManager decides when to send ACKs.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_rpm_decides_when_to_send_acks,
-          true)
-
-// In QUIC, do not close connection if received an in-order ACK with decreased
-// largest_acked.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_tolerate_reneging, true)
-
-QUIC_FLAG(
-    bool,
-    FLAGS_quic_reloadable_flag_quic_validate_packet_number_post_decryption,
-    true)
-
-// If this flag and quic_rpm_decides_when_to_send_acks is true, use uber
-// received packet manager instead of the single received packet manager.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_use_uber_received_packet_manager,
-          true)
-
 // If true and using Leto for QUIC shared-key calculations, GFE will react to a
 // failure to contact Leto by sending a REJ containing a fallback ServerConfig,
 // allowing the client to continue the handshake.
@@ -304,82 +202,141 @@ QUIC_FLAG(bool,
           FLAGS_quic_restart_flag_dont_fetch_quic_private_keys_from_leto,
           false)
 
-// If true, disable lumpy pacing for low bandwidth flows.
+// In v44 and above, where STOP_WAITING is never sent, close the connection if
+// it's received.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_no_lumpy_pacing_at_low_bw,
+          FLAGS_quic_reloadable_flag_quic_do_not_accept_stop_waiting,
           false)
 
-// If true, in BbrSender, always get a bandwidth sample when a packet is acked,
-// even if packet.bytes_acked is zero.
+// If true, set burst token to 2 in cwnd bootstrapping experiment.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_conservative_bursts, false)
+
+// When true, QuicFramer will not override connection IDs in headers and will
+// instead respect the source/destination direction as expected by IETF QUIC.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_always_get_bw_sample_when_acked,
+          FLAGS_quic_restart_flag_quic_do_not_override_connection_id,
           true)
 
-// If true, ignore TLPR for retransmission delay when sending pings from ping
-// alarm.
+// If true, export number of packets written per write operation histogram.")
+QUIC_FLAG(bool, FLAGS_quic_export_server_num_packets_per_write_histogram, false)
+
+// If true, uses conservative cwnd gain and pacing gain.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_ignore_tlpr_if_sending_ping,
-          true)
+          FLAGS_quic_reloadable_flag_quic_conservative_cwnd_and_pacing_gains,
+          false)
 
-// If true, non-ASCII QUIC tags are printed as hex instead of integers."
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_print_tag_hex, false)
+// When true, QuicConnectionId will allocate long connection IDs on the heap
+// instead of inline in the object.
+QUIC_FLAG(bool, FLAGS_quic_restart_flag_quic_use_allocated_connection_ids, true)
 
-// If true, terminate Google QUIC connections similary as IETF QUIC.
+// If enabled, do not call OnStreamFrame() with empty frame after receiving
+// empty or too large headers with FIN.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_terminate_gquic_connection_as_ietf,
+          FLAGS_quic_reloadable_flag_quic_avoid_empty_frame_after_empty_headers,
           true)
 
-// If true, disable QUIC trial decryption in V44 and above.
+// If true, disable QUIC version 44.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_disable_version_44, true)
+
+// If true, ignore TLPR if there is no pending stream data.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_v44_disable_trial_decryption,
-          false)
+          FLAGS_quic_reloadable_flag_quic_ignore_tlpr_if_no_pending_stream_data,
+          true)
 
-// In v44 and above, where STOP_WAITING is never sent, close the connection if
-// it's received.
+// If true, when detecting losses, use packets_acked of corresponding packet
+// number space.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_fix_packets_acked, true)
+
+// QUIC version 99 will use this stream ID for the headers stream.
+QUIC_FLAG(int64_t, FLAGS_quic_headers_stream_id_in_v99, 0)
+
+// When true, QuicDispatcher will drop packets that have an initial destination
+// connection ID that is too short, instead of responding with a Version
+// Negotiation packet to reject it.
+QUIC_FLAG(
+    bool,
+    FLAGS_quic_reloadable_flag_quic_drop_invalid_small_initial_connection_id,
+    true)
+
+// When true, QUIC Version Negotiation packets will randomly include fake
+// versions.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_do_not_accept_stop_waiting,
+          FLAGS_quic_reloadable_flag_quic_version_negotiation_grease,
           false)
 
-// If true, deprecate queued_control_frames_ from QuicPacketGenerator.
+// If true, use predictable version negotiation versions.
+QUIC_FLAG(bool, FLAGS_quic_disable_version_negotiation_grease_randomness, false)
+
+// Fixes quic::GetPacketHeaderSize and callsites when
+// QuicVersionHasLongHeaderLengths is false.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_deprecate_queued_control_frames,
-          false)
+          FLAGS_quic_reloadable_flag_quic_fix_get_packet_header_size,
+          true)
 
-// When true, QUIC server will drop IETF QUIC Version Negotiation packets.
+// Calls ClearQueuedPackets after sending a connection close packet.
+QUIC_FLAG(
+    bool,
+    FLAGS_quic_reloadable_flag_quic_clear_queued_packets_on_connection_close,
+    true)
+
+// If true, QuicConnection will be closed if a WindowUpdate frame is received on
+// a READ_UNIDIRECTIONAL stream.
 QUIC_FLAG(bool,
-          FLAGS_quic_restart_flag_quic_server_drop_version_negotiation,
+          FLAGS_quic_reloadable_flag_quic_no_window_update_on_read_only_stream,
           false)
 
-// When true, version negotiation packets sent by the server will set the fixed
-// bit.
+// If true and --quic_lumpy_pacing_size is 1, QUIC will use a lumpy size of two
+// for pacing.
+QUIC_FLAG(
+    bool,
+    FLAGS_quic_reloadable_flag_quic_change_default_lumpy_pacing_size_to_two,
+    false)
+
+// If true, QuicSpdySession::GetSpdyDataStream() will close the connection
+// if the returned stream is static.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_send_version_negotiation_fixed_bit,
+          FLAGS_quic_reloadable_flag_quic_handle_staticness_for_spdy_stream,
           false)
 
-// When true, allow variable length QUIC connection IDs for unsupported
-// versions. This allows performing version negotiation when the client-chosen
-// server connection ID length is not 8.
+// If true, do not add connection ID of packets with unknown connection ID
+// and no version to time wait list, instead, send appropriate responses
+// depending on the packets' sizes and drop them.
 QUIC_FLAG(
     bool,
-    FLAGS_quic_restart_flag_quic_allow_variable_length_connection_id_for_negotiation,
+    FLAGS_quic_reloadable_flag_quic_reject_unprocessable_packets_statelessly,
     false)
 
-// If true, set burst token to 2 in cwnd bootstrapping experiment.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_conservative_bursts, false)
+// When true, QuicConnectionId::Hash uses SipHash instead of XOR.
+QUIC_FLAG(bool, FLAGS_quic_restart_flag_quic_connection_id_use_siphash, false)
 
-// If true, make QuicDispatcher no longer have an instance of QuicFramer.
-QUIC_FLAG(bool,
-          FLAGS_quic_restart_flag_quic_no_framer_object_in_dispatcher,
-          false)
+// If true, when RTO fires and there is no packet to be RTOed, let connection
+// send.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_fix_rto_retransmission, true)
 
-// When true, QuicFramer will not override connection IDs in headers and will
-// instead respect the source/destination direction as expected by IETF QUIC.
+// If true, QuicSession::GetOrCreateDynamicStream() is deprecated, and its
+// contents are moved to GetOrCreateStream().
 QUIC_FLAG(bool,
-          FLAGS_quic_restart_flag_quic_do_not_override_connection_id,
+          FLAGS_quic_reloadable_flag_quic_inline_getorcreatedynamicstream,
           false)
 
-// Do not send STOP_WAITING if no_stop_waiting_frame_ is true.
+// Maximum number of tracked packets.
+QUIC_FLAG(int64_t, FLAGS_quic_max_tracked_packet_count, 10000)
+
+// If true, HTTP request header names sent from QuicSpdyClientBase(and
+// descendents) will be automatically converted to lower case.
+QUIC_FLAG(bool, FLAGS_quic_client_convert_http_header_name_to_lowercase, true)
+
+// If true, do not send STOP_WAITING if no_stop_waiting_frame_.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_simplify_stop_waiting, false)
 
-// If true, export number of packets written per write operation histogram.")
-QUIC_FLAG(bool, FLAGS_quic_export_server_num_packets_per_write_histogram, false)
+// If true, allow client to enable BBRv2 on server via connection option 'B2ON'.
+QUIC_FLAG(bool,
+          FLAGS_quic_reloadable_flag_quic_allow_client_enabled_bbr_v2,
+          false)
+
+// When true, QuicDispatcher will pass the version from the packet to the
+// ChloExtractor instead of all supported versions.
+QUIC_FLAG(
+    bool,
+    FLAGS_quic_restart_flag_quic_dispatcher_hands_chlo_extractor_one_version,
+    true)
diff --git a/chromium/net/quic/quic_http_stream.cc b/chromium/net/quic/quic_http_stream.cc
index 740f2298f8e..fe7c0a8961b 100644
--- a/chromium/net/quic/quic_http_stream.cc
+++ b/chromium/net/quic/quic_http_stream.cc
@@ -34,15 +34,25 @@ namespace net {
 
 namespace {
 
-base::Value NetLogQuicPushStreamCallback(quic::QuicStreamId stream_id,
-                                         const GURL* url,
-                                         NetLogCaptureMode capture_mode) {
+base::Value NetLogQuicPushStreamParams(quic::QuicStreamId stream_id,
+                                       const GURL& url) {
   base::DictionaryValue dict;
   dict.SetInteger("stream_id", stream_id);
-  dict.SetString("url", url->spec());
+  dict.SetString("url", url.spec());
   return std::move(dict);
 }
 
+void NetLogQuicPushStream(const NetLogWithSource& net_log1,
+                          const NetLogWithSource& net_log2,
+                          NetLogEventType type,
+                          quic::QuicStreamId stream_id,
+                          const GURL& url) {
+  net_log1.AddEvent(type,
+                    [&] { return NetLogQuicPushStreamParams(stream_id, url); });
+  net_log2.AddEvent(type,
+                    [&] { return NetLogQuicPushStreamParams(stream_id, url); });
+}
+
 }  // namespace
 
 QuicHttpStream::QuicHttpStream(
@@ -67,8 +77,7 @@ QuicHttpStream::QuicHttpStream(
       user_buffer_len_(0),
       session_error_(ERR_UNEXPECTED),
       found_promise_(false),
-      in_loop_(false),
-      weak_factory_(this) {}
+      in_loop_(false) {}
 
 QuicHttpStream::~QuicHttpStream() {
   CHECK(!in_loop_);
@@ -90,6 +99,8 @@ HttpResponseInfo::ConnectionInfo QuicHttpStream::ConnectionInfoFromQuicVersion(
       return HttpResponseInfo::CONNECTION_INFO_QUIC_46;
     case quic::QUIC_VERSION_47:
       return HttpResponseInfo::CONNECTION_INFO_QUIC_47;
+    case quic::QUIC_VERSION_48:
+      return HttpResponseInfo::CONNECTION_INFO_QUIC_48;
     case quic::QUIC_VERSION_99:
       return HttpResponseInfo::CONNECTION_INFO_QUIC_99;
     case quic::QUIC_VERSION_RESERVED_FOR_NEGOTIATION:
@@ -115,14 +126,13 @@ int QuicHttpStream::InitializeStream(const HttpRequestInfo* request_info,
   if (!quic_session()->IsConnected())
     return GetResponseStatus();
 
-  stream_net_log.AddEvent(
+  stream_net_log.AddEventReferencingSource(
       NetLogEventType::HTTP_STREAM_REQUEST_BOUND_TO_QUIC_SESSION,
-      quic_session()->net_log().source().ToEventParametersCallback());
-  stream_net_log.AddEvent(
+      quic_session()->net_log().source());
+  stream_net_log.AddEventWithIntParams(
       NetLogEventType::QUIC_CONNECTION_MIGRATION_MODE,
-      NetLog::IntCallback(
-          "connection_migration_mode",
-          static_cast<int>(quic_session()->connection_migration_mode())));
+      "connection_migration_mode",
+      static_cast<int>(quic_session()->connection_migration_mode()));
 
   stream_net_log_ = stream_net_log;
   request_info_ = request_info;
@@ -137,14 +147,10 @@ int QuicHttpStream::InitializeStream(const HttpRequestInfo* request_info,
       quic_session()->GetPushPromiseIndex()->GetPromised(url);
   if (promised) {
     found_promise_ = true;
-    stream_net_log_.AddEvent(
+    NetLogQuicPushStream(
+        stream_net_log_, quic_session()->net_log(),
         NetLogEventType::QUIC_HTTP_STREAM_PUSH_PROMISE_RENDEZVOUS,
-        base::Bind(&NetLogQuicPushStreamCallback, promised->id(),
-                   &request_info_->url));
-    quic_session()->net_log().AddEvent(
-        NetLogEventType::QUIC_HTTP_STREAM_PUSH_PROMISE_RENDEZVOUS,
-        base::Bind(&NetLogQuicPushStreamCallback, promised->id(),
-                   &request_info_->url));
+        promised->id(), request_info_->url);
     return OK;
   }
 
@@ -179,14 +185,9 @@ int QuicHttpStream::DoHandlePromiseComplete(int rv) {
   stream_->SetPriority(spdy_priority);
 
   next_state_ = STATE_OPEN;
-  stream_net_log_.AddEvent(
-      NetLogEventType::QUIC_HTTP_STREAM_ADOPTED_PUSH_STREAM,
-      base::Bind(&NetLogQuicPushStreamCallback, stream_->id(),
-                 &request_info_->url));
-  quic_session()->net_log().AddEvent(
-      NetLogEventType::QUIC_HTTP_STREAM_ADOPTED_PUSH_STREAM,
-      base::Bind(&NetLogQuicPushStreamCallback, stream_->id(),
-                 &request_info_->url));
+  NetLogQuicPushStream(stream_net_log_, quic_session()->net_log(),
+                       NetLogEventType::QUIC_HTTP_STREAM_ADOPTED_PUSH_STREAM,
+                       stream_->id(), request_info_->url);
   return OK;
 }
 
@@ -345,9 +346,12 @@ bool QuicHttpStream::IsConnectionReused() const {
 }
 
 int64_t QuicHttpStream::GetTotalReceivedBytes() const {
-  // TODO(sclittle): Currently, this only includes headers and response body
-  // bytes. Change this to include QUIC overhead as well.
-  int64_t total_received_bytes = headers_bytes_received_;
+  // When QPACK is enabled, headers are sent and received on the stream, so
+  // the headers bytes do not need to be accounted for independently.
+  int64_t total_received_bytes =
+      quic::VersionUsesQpack(quic_session()->GetQuicVersion())
+          ? 0
+          : headers_bytes_received_;
   if (stream_) {
     DCHECK_LE(stream_->NumBytesConsumed(), stream_->stream_bytes_read());
     // Only count the uniquely received bytes.
@@ -359,9 +363,12 @@ int64_t QuicHttpStream::GetTotalReceivedBytes() const {
 }
 
 int64_t QuicHttpStream::GetTotalSentBytes() const {
-  // TODO(sclittle): Currently, this only includes request headers and body
-  // bytes. Change this to include QUIC overhead as well.
-  int64_t total_sent_bytes = headers_bytes_sent_;
+  // When QPACK is enabled, headers are sent and received on the stream, so
+  // the headers bytes do not need to be accounted for independently.
+  int64_t total_sent_bytes =
+      quic::VersionUsesQpack(quic_session()->GetQuicVersion())
+          ? 0
+          : headers_bytes_sent_;
   if (stream_) {
     total_sent_bytes += stream_->stream_bytes_written();
   } else {
@@ -463,8 +470,7 @@ int QuicHttpStream::DoLoop(int rv) {
   CHECK(!in_loop_);
   base::AutoReset<bool> auto_reset_in_loop(&in_loop_, true);
   std::unique_ptr<quic::QuicConnection::ScopedPacketFlusher> packet_flusher =
-      quic_session()->CreatePacketBundler(
-          quic::QuicConnection::AckBundling::SEND_ACK_IF_QUEUED);
+      quic_session()->CreatePacketBundler();
   do {
     State state = next_state_;
     next_state_ = STATE_NONE;
@@ -575,8 +581,10 @@ int QuicHttpStream::DoSendHeaders() {
   // Log the actual request with the URL Request's net log.
   stream_net_log_.AddEvent(
       NetLogEventType::HTTP_TRANSACTION_QUIC_SEND_REQUEST_HEADERS,
-      base::Bind(&QuicRequestNetLogCallback, stream_->id(), &request_headers_,
-                 priority_));
+      [&](NetLogCaptureMode capture_mode) {
+        return QuicRequestNetLogParams(stream_->id(), &request_headers_,
+                                       priority_, capture_mode);
+      });
   DispatchRequestHeadersCallback(request_headers_);
   bool has_upload_data = request_body_stream_ != nullptr;
 
diff --git a/chromium/net/quic/quic_http_stream.h b/chromium/net/quic/quic_http_stream.h
index babc2a1690f..0440c765387 100644
--- a/chromium/net/quic/quic_http_stream.h
+++ b/chromium/net/quic/quic_http_stream.h
@@ -218,7 +218,7 @@ class NET_EXPORT_PRIVATE QuicHttpStream : public MultiplexedHttpStream {
   // Session connect timing info.
   LoadTimingInfo::ConnectTiming connect_timing_;
 
-  base::WeakPtrFactory<QuicHttpStream> weak_factory_;
+  base::WeakPtrFactory<QuicHttpStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicHttpStream);
 };
diff --git a/chromium/net/quic/quic_http_stream_test.cc b/chromium/net/quic/quic_http_stream_test.cc
index 51384856d78..1ba21685cc9 100644
--- a/chromium/net/quic/quic_http_stream_test.cc
+++ b/chromium/net/quic/quic_http_stream_test.cc
@@ -19,6 +19,7 @@
 #include "base/time/time.h"
 #include "net/base/chunked_upload_data_stream.h"
 #include "net/base/elements_upload_data_stream.h"
+#include "net/base/load_flags.h"
 #include "net/base/load_timing_info.h"
 #include "net/base/load_timing_info_test_util.h"
 #include "net/base/net_errors.h"
@@ -29,8 +30,10 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
 #include "net/log/test_net_log_util.h"
+#include "net/quic/address_utils.h"
 #include "net/quic/crypto/proof_verifier_chromium.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
+#include "net/quic/platform/impl/quic_test_impl.h"
 #include "net/quic/quic_chromium_alarm_factory.h"
 #include "net/quic/quic_chromium_connection_helper.h"
 #include "net/quic/quic_chromium_packet_reader.h"
@@ -39,6 +42,7 @@
 #include "net/quic/quic_server_info.h"
 #include "net/quic/quic_stream_factory.h"
 #include "net/quic/quic_test_packet_maker.h"
+#include "net/quic/quic_test_packet_printer.h"
 #include "net/quic/test_task_runner.h"
 #include "net/socket/socket_performance_watcher.h"
 #include "net/socket/socket_test_util.h"
@@ -51,11 +55,12 @@
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_write_blocked_list.h"
 #include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
@@ -91,15 +96,14 @@ class TestQuicConnection : public quic::QuicConnection {
                      QuicChromiumConnectionHelper* helper,
                      QuicChromiumAlarmFactory* alarm_factory,
                      quic::QuicPacketWriter* writer)
-      : quic::QuicConnection(
-            connection_id,
-            quic::QuicSocketAddress(quic::QuicSocketAddressImpl(address)),
-            helper,
-            alarm_factory,
-            writer,
-            true /* owns_writer */,
-            quic::Perspective::IS_CLIENT,
-            versions) {}
+      : quic::QuicConnection(connection_id,
+                             ToQuicSocketAddress(address),
+                             helper,
+                             alarm_factory,
+                             writer,
+                             true /* owns_writer */,
+                             quic::Perspective::IS_CLIENT,
+                             versions) {}
 
   void SetSendAlgorithm(quic::SendAlgorithmInterface* send_algorithm) {
     quic::test::QuicConnectionPeer::SetSendAlgorithm(this, send_algorithm);
@@ -112,7 +116,7 @@ class ReadErrorUploadDataStream : public UploadDataStream {
   enum class FailureMode { SYNC, ASYNC };
 
   explicit ReadErrorUploadDataStream(FailureMode mode)
-      : UploadDataStream(true, 0), async_(mode), weak_factory_(this) {}
+      : UploadDataStream(true, 0), async_(mode) {}
   ~ReadErrorUploadDataStream() override {}
 
  private:
@@ -135,7 +139,7 @@ class ReadErrorUploadDataStream : public UploadDataStream {
 
   const FailureMode async_;
 
-  base::WeakPtrFactory<ReadErrorUploadDataStream> weak_factory_;
+  base::WeakPtrFactory<ReadErrorUploadDataStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ReadErrorUploadDataStream);
 };
@@ -195,8 +199,8 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
   QuicHttpStreamTest()
       : version_(std::get<0>(GetParam())),
         client_headers_include_h2_stream_dependency_(std::get<1>(GetParam())),
-        crypto_config_(quic::test::crypto_test_utils::ProofVerifierForTesting(),
-                       quic::TlsClientHandshaker::CreateSslCtx()),
+        crypto_config_(
+            quic::test::crypto_test_utils::ProofVerifierForTesting()),
         read_buffer_(base::MakeRefCounted<IOBufferWithSize>(4096)),
         promise_id_(GetNthServerInitiatedUnidirectionalStreamId(0)),
         stream_id_(GetNthClientInitiatedBidirectionalStreamId(0)),
@@ -214,7 +218,8 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
                       quic::Perspective::IS_SERVER,
                       false),
         random_generator_(0),
-        response_offset_(0) {
+        printer_(version_) {
+    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     IPAddress ip(192, 0, 2, 33);
     peer_addr_ = IPEndPoint(ip, 443);
     self_addr_ = IPEndPoint(ip, 8435);
@@ -249,10 +254,8 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
   }
 
   void ProcessPacket(std::unique_ptr<quic::QuicReceivedPacket> packet) {
-    connection_->ProcessUdpPacket(
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(self_addr_)),
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(peer_addr_)),
-        *packet);
+    connection_->ProcessUdpPacket(ToQuicSocketAddress(self_addr_),
+                                  ToQuicSocketAddress(peer_addr_), *packet);
   }
 
   // Configures the test fixture to use the list of expected writes.
@@ -270,6 +273,7 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
     socket_data_.reset(new StaticSocketDataProvider(
         base::span<MockRead>(),
         base::make_span(mock_writes_.get(), writes_.size())));
+    socket_data_->set_printer(&printer_);
 
     std::unique_ptr<MockUDPClientSocket> socket(new MockUDPClientSocket(
         socket_data_.get(), net_log_.bound().net_log()));
@@ -280,6 +284,8 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
     EXPECT_CALL(*send_algorithm_, InSlowStart()).WillRepeatedly(Return(false));
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
         .Times(testing::AtLeast(1));
+    EXPECT_CALL(*send_algorithm_, OnCongestionEvent(_, _, _, _, _))
+        .Times(AnyNumber());
     EXPECT_CALL(*send_algorithm_, GetCongestionWindow())
         .WillRepeatedly(Return(quic::kMaxOutgoingPacketSize));
     EXPECT_CALL(*send_algorithm_, PacingRate(_))
@@ -321,14 +327,15 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
         base::WrapUnique(static_cast<QuicServerInfo*>(nullptr)),
         QuicSessionKey(kDefaultServerHostName, kDefaultServerPort,
                        PRIVACY_MODE_DISABLED, SocketTag()),
-        /*require_confirmation=*/false, /*migrate_session_early_v2=*/false,
+        /*require_confirmation=*/false,
+        /*max_allowed_push_id=*/0,
+        /*migrate_session_early_v2=*/false,
         /*migrate_session_on_network_change_v2=*/false,
         /*default_network=*/NetworkChangeNotifier::kInvalidNetworkHandle,
         quic::QuicTime::Delta::FromMilliseconds(
-            kDefaultRetransmittableOnWireTimeoutMillisecs),
-        /*migrate_idle_session=*/false,
-        base::TimeDelta::FromSeconds(kDefaultIdleSessionMigrationPeriodSeconds),
-        base::TimeDelta::FromSeconds(kMaxTimeOnNonDefaultNetworkSecs),
+            kDefaultRetransmittableOnWireTimeout.InMilliseconds()),
+        /*migrate_idle_session=*/false, kDefaultIdleSessionMigrationPeriod,
+        kMaxTimeOnNonDefaultNetwork,
         kMaxMigrationsToNonDefaultNetworkOnWriteError,
         kMaxMigrationsToNonDefaultNetworkOnPathDegrading,
         kQuicYieldAfterPacketsRead,
@@ -359,7 +366,8 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
     promised_response_[":version"] = "HTTP/1.1";
     promised_response_["content-type"] = "text/plain";
 
-    promise_url_ = quic::SpdyUtils::GetPromisedUrlFromHeaders(push_promise_);
+    promise_url_ =
+        quic::SpdyServerPushUtils::GetPromisedUrlFromHeaders(push_promise_);
   }
 
   void SetRequest(const string& method,
@@ -378,22 +386,19 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       quic::QuicStreamId stream_id,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data,
       QuicTestPacketMaker* maker) {
     return maker->MakeDataPacket(packet_number, stream_id,
-                                 should_include_version, fin, offset, data);
+                                 should_include_version, fin, data);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructClientDataPacket(
       uint64_t packet_number,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
-    return InnerConstructDataPacket(packet_number, stream_id_,
-                                    should_include_version, fin, offset, data,
-                                    &client_maker_);
+    return client_maker_.MakeDataPacket(packet_number, stream_id_,
+                                        should_include_version, fin, data);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -401,21 +406,18 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       uint64_t packet_number,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string>& data) {
     return client_maker_.MakeMultipleDataFramesPacket(
-        packet_number, stream_id_, should_include_version, fin, offset, data);
+        packet_number, stream_id_, should_include_version, fin, data);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerDataPacket(
       uint64_t packet_number,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
-    return InnerConstructDataPacket(packet_number, stream_id_,
-                                    should_include_version, fin, offset, data,
-                                    &server_maker_);
+    return server_maker_.MakeDataPacket(packet_number, stream_id_,
+                                        should_include_version, fin, data);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> InnerConstructRequestHeadersPacket(
@@ -424,11 +426,10 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       bool should_include_version,
       bool fin,
       RequestPriority request_priority,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
+      size_t* spdy_headers_frame_length) {
     return InnerConstructRequestHeadersPacket(
         packet_number, stream_id, should_include_version, fin, request_priority,
-        0, spdy_headers_frame_length, offset);
+        0, spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> InnerConstructRequestHeadersPacket(
@@ -438,14 +439,13 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       bool fin,
       RequestPriority request_priority,
       quic::QuicStreamId parent_stream_id,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
+      size_t* spdy_headers_frame_length) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(request_priority);
     return client_maker_.MakeRequestHeadersPacket(
         packet_number, stream_id, should_include_version, fin, priority,
         std::move(request_headers_), parent_stream_id,
-        spdy_headers_frame_length, offset);
+        spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -456,14 +456,13 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       bool fin,
       RequestPriority request_priority,
       quic::QuicStreamId parent_stream_id,
-      quic::QuicStreamOffset* offset,
       size_t* spdy_headers_frame_length,
       const std::vector<std::string>& data_writes) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(request_priority);
     return client_maker_.MakeRequestHeadersAndMultipleDataFramesPacket(
         packet_number, stream_id, should_include_version, fin, priority,
-        std::move(request_headers_), parent_stream_id, offset,
+        std::move(request_headers_), parent_stream_id,
         spdy_headers_frame_length, data_writes);
   }
 
@@ -475,16 +474,13 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       RequestPriority request_priority,
       quic::QuicStreamId parent_stream_id,
       size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* header_stream_offset,
-      quic::QuicRstStreamErrorCode error_code,
-      size_t bytes_written) {
+      quic::QuicRstStreamErrorCode error_code) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(request_priority);
     return client_maker_.MakeRequestHeadersAndRstPacket(
         packet_number, stream_id, should_include_version, fin, priority,
         std::move(request_headers_), parent_stream_id,
-        spdy_headers_frame_length, header_stream_offset, error_code,
-        bytes_written);
+        spdy_headers_frame_length, error_code);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructRequestHeadersPacket(
@@ -494,7 +490,7 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       size_t* spdy_headers_frame_length) {
     return InnerConstructRequestHeadersPacket(
         packet_number, stream_id_, kIncludeVersion, fin, request_priority,
-        spdy_headers_frame_length, nullptr);
+        spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> InnerConstructResponseHeadersPacket(
@@ -504,8 +500,7 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       size_t* spdy_headers_frame_length) {
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, stream_id, !kIncludeVersion, fin,
-        std::move(response_headers_), spdy_headers_frame_length,
-        &response_offset_);
+        std::move(response_headers_), spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructResponseHeadersPacket(
@@ -516,25 +511,14 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
                                                spdy_headers_frame_length);
   }
 
-  std::unique_ptr<quic::QuicReceivedPacket>
-  ConstructResponseHeadersPacketWithOffset(uint64_t packet_number,
-                                           bool fin,
-                                           size_t* spdy_headers_frame_length,
-                                           quic::QuicStreamOffset* offset) {
-    return server_maker_.MakeResponseHeadersPacket(
-        packet_number, stream_id_, !kIncludeVersion, fin,
-        std::move(response_headers_), spdy_headers_frame_length, offset);
-  }
-
   std::unique_ptr<quic::QuicReceivedPacket> ConstructResponseTrailersPacket(
       uint64_t packet_number,
       bool fin,
       spdy::SpdyHeaderBlock trailers,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
+      size_t* spdy_headers_frame_length) {
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, stream_id_, !kIncludeVersion, fin, std::move(trailers),
-        spdy_headers_frame_length, offset);
+        spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructClientRstStreamPacket(
@@ -564,15 +548,14 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       bool fin,
       RequestPriority request_priority,
       quic::QuicStreamId parent_stream_id,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset) {
+      size_t* spdy_headers_frame_length) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(request_priority);
     return client_maker_.MakeRstAndRequestHeadersPacket(
         packet_number, should_include_version, promise_id_,
         quic::QUIC_PROMISE_VARY_MISMATCH, stream_id, fin, priority,
         std::move(request_headers_), parent_stream_id,
-        spdy_headers_frame_length, offset);
+        spdy_headers_frame_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructAckAndRstStreamPacket(
@@ -624,17 +607,14 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
       bool should_include_version,
       quic::QuicStreamId id,
       quic::QuicStreamId parent_stream_id,
-      RequestPriority request_priority,
-      quic::QuicStreamOffset* header_stream_offset) {
+      RequestPriority request_priority) {
     return client_maker_.MakePriorityPacket(
         packet_number, should_include_version, id, parent_stream_id,
-        ConvertRequestPriorityToQuicPriority(request_priority),
-        header_stream_offset);
+        ConvertRequestPriorityToQuicPriority(request_priority));
   }
 
-  std::unique_ptr<quic::QuicReceivedPacket> ConstructInitialSettingsPacket(
-      quic::QuicStreamOffset* offset) {
-    return client_maker_.MakeInitialSettingsPacket(1, offset);
+  std::unique_ptr<quic::QuicReceivedPacket> ConstructInitialSettingsPacket() {
+    return client_maker_.MakeInitialSettingsPacket(1);
   }
 
   std::string ConstructDataHeader(size_t body_len) {
@@ -678,6 +658,8 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
         version_.transport_version, n);
   }
 
+  QuicFlagSaver saver_;
+
   const quic::ParsedQuicVersion version_;
   const bool client_headers_include_h2_stream_dependency_;
 
@@ -723,14 +705,14 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<
   ProofVerifyDetailsChromium verify_details_;
   MockCryptoClientStreamFactory crypto_client_stream_factory_;
   std::unique_ptr<StaticSocketDataProvider> socket_data_;
+  QuicPacketPrinter printer_;
   std::vector<PacketToWrite> writes_;
-  quic::QuicStreamOffset response_offset_;
 };
 
 INSTANTIATE_TEST_SUITE_P(
     VersionIncludeStreamDependencySequence,
     QuicHttpStreamTest,
-    ::testing::Combine(::testing::ValuesIn(quic::AllVersionsExcept99()),
+    ::testing::Combine(::testing::ValuesIn(quic::AllSupportedVersions()),
                        ::testing::Bool()));
 
 TEST_P(QuicHttpStreamTest, RenewStreamForAuth) {
@@ -757,12 +739,10 @@ TEST_P(QuicHttpStreamTest, DisableConnectionMigrationForStream) {
 TEST_P(QuicHttpStreamTest, GetRequest) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_header_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      DEFAULT_PRIORITY, &spdy_request_header_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_header_frame_length));
 
   Initialize();
 
@@ -820,18 +800,17 @@ TEST_P(QuicHttpStreamTest, LoadTimingTwoRequests) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_header_frame_length;
 
-  quic::QuicStreamOffset offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      DEFAULT_PRIORITY, &spdy_request_header_frame_length, &offset));
+      DEFAULT_PRIORITY, &spdy_request_header_frame_length));
 
   // SetRequest() again for second request as |request_headers_| was moved.
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   AddWrite(InnerConstructRequestHeadersPacket(
       3, GetNthClientInitiatedBidirectionalStreamId(1), kIncludeVersion, kFin,
       DEFAULT_PRIORITY, GetNthClientInitiatedBidirectionalStreamId(0),
-      &spdy_request_header_frame_length, &offset));
+      &spdy_request_header_frame_length));
   AddWrite(ConstructClientAckPacket(4, 3, 1, 2));  // Ack the responses.
 
   Initialize();
@@ -907,12 +886,10 @@ TEST_P(QuicHttpStreamTest, LoadTimingTwoRequests) {
 TEST_P(QuicHttpStreamTest, GetRequestWithTrailers) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_header_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      DEFAULT_PRIORITY, &spdy_request_header_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_header_frame_length));
   AddWrite(ConstructClientAckPacket(3, 3, 1, 2));  // Ack the data packet.
 
   Initialize();
@@ -936,9 +913,8 @@ TEST_P(QuicHttpStreamTest, GetRequestWithTrailers) {
 
   // Send the response headers.
   size_t spdy_response_header_frame_length;
-  quic::QuicStreamOffset offset = 0;
-  ProcessPacket(ConstructResponseHeadersPacketWithOffset(
-      2, !kFin, &spdy_response_header_frame_length, &offset));
+  ProcessPacket(ConstructResponseHeadersPacket(
+      2, !kFin, &spdy_response_header_frame_length));
   // Now that the headers have been processed, the callback will return.
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
   ASSERT_TRUE(response_.headers.get());
@@ -950,15 +926,17 @@ TEST_P(QuicHttpStreamTest, GetRequestWithTrailers) {
   // Send the response body.
   const char kResponseBody[] = "Hello world!";
   std::string header = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(ConstructServerDataPacket(3, false, !kFin, /*offset=*/0,
-                                          header + kResponseBody));
+  ProcessPacket(
+      ConstructServerDataPacket(3, false, !kFin, header + kResponseBody));
   spdy::SpdyHeaderBlock trailers;
   size_t spdy_trailers_frame_length;
   trailers["foo"] = "bar";
-  trailers[quic::kFinalOffsetHeaderKey] =
-      base::NumberToString(strlen(kResponseBody) + header.length());
-  ProcessPacket(ConstructResponseTrailersPacket(
-      4, kFin, std::move(trailers), &spdy_trailers_frame_length, &offset));
+  if (!quic::VersionUsesQpack(version_.transport_version)) {
+    trailers[quic::kFinalOffsetHeaderKey] =
+        base::NumberToString(strlen(kResponseBody) + header.length());
+  }
+  ProcessPacket(ConstructResponseTrailersPacket(4, kFin, std::move(trailers),
+                                                &spdy_trailers_frame_length));
 
   // Make sure trailers are processed.
   base::RunLoop().RunUntilIdle();
@@ -984,8 +962,7 @@ TEST_P(QuicHttpStreamTest, GetRequestWithTrailers) {
                                  +spdy_trailers_frame_length),
             stream_->GetTotalReceivedBytes());
   // Check that NetLog was filled as expected.
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   size_t pos = ExpectLogContainsSomewhere(
       entries, /*min_offset=*/0,
       NetLogEventType::QUIC_CHROMIUM_CLIENT_STREAM_SEND_REQUEST_HEADERS,
@@ -1004,12 +981,10 @@ TEST_P(QuicHttpStreamTest, GetRequestWithTrailers) {
 TEST_P(QuicHttpStreamTest, GetRequestLargeResponse) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_headers_frame_length));
   Initialize();
 
   request_.method = "GET";
@@ -1132,12 +1107,10 @@ TEST_P(QuicHttpStreamTest, GetAlternativeService) {
 TEST_P(QuicHttpStreamTest, LogGranularQuicConnectionError) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_headers_frame_length));
   AddWrite(ConstructAckAndRstStreamPacket(3));
   Initialize();
 
@@ -1166,6 +1139,14 @@ TEST_P(QuicHttpStreamTest, LogGranularQuicConnectionError) {
 }
 
 TEST_P(QuicHttpStreamTest, LogGranularQuicErrorIfHandshakeNotConfirmed) {
+  // TODO(nharper): Figure out why this test does not send packets
+  // when TLS is used.
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    Initialize();
+
+    return;
+  }
+
   // By default the test setup defaults handshake to be confirmed. Manually set
   // it to be not confirmed.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1173,12 +1154,10 @@ TEST_P(QuicHttpStreamTest, LogGranularQuicErrorIfHandshakeNotConfirmed) {
 
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   AddWrite(InnerConstructRequestHeadersPacket(
       1, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_headers_frame_length));
   Initialize();
 
   request_.method = "GET";
@@ -1208,12 +1187,10 @@ TEST_P(QuicHttpStreamTest, LogGranularQuicErrorIfHandshakeNotConfirmed) {
 TEST_P(QuicHttpStreamTest, SessionClosedBeforeReadResponseHeaders) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_headers_frame_length));
   Initialize();
 
   request_.method = "GET";
@@ -1241,20 +1218,19 @@ TEST_P(QuicHttpStreamTest, SessionClosedBeforeReadResponseHeaders) {
 TEST_P(QuicHttpStreamTest, SendPostRequest) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
 
   std::string header = ConstructDataHeader(strlen(kUploadData));
   if (version_.transport_version != quic::QUIC_VERSION_99) {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-        DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {kUploadData}));
+        DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {kUploadData}));
   } else {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-        DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {header, kUploadData}));
+        DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {header, kUploadData}));
   }
 
   AddWrite(ConstructClientAckPacket(3, 3, 1, 2));
@@ -1298,7 +1274,7 @@ TEST_P(QuicHttpStreamTest, SendPostRequest) {
   const char kResponseBody[] = "Hello world!";
   std::string header2 = ConstructDataHeader(strlen(kResponseBody));
   ProcessPacket(
-      ConstructServerDataPacket(3, false, kFin, 0, header2 + kResponseBody));
+      ConstructServerDataPacket(3, false, kFin, header2 + kResponseBody));
   // Since the body has already arrived, this should return immediately.
   EXPECT_EQ(static_cast<int>(strlen(kResponseBody)),
             stream_->ReadResponseBody(read_buffer_.get(), read_buffer_->size(),
@@ -1323,19 +1299,18 @@ TEST_P(QuicHttpStreamTest, SendPostRequest) {
 TEST_P(QuicHttpStreamTest, SendPostRequestAndReceiveSoloFin) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   std::string header = ConstructDataHeader(strlen(kUploadData));
   if (version_.transport_version != quic::QUIC_VERSION_99) {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-        DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {kUploadData}));
+        DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {kUploadData}));
   } else {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-        DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {header, kUploadData}));
+        DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {header, kUploadData}));
   }
 
   AddWrite(ConstructClientAckPacket(3, 3, 1, 2));
@@ -1379,13 +1354,12 @@ TEST_P(QuicHttpStreamTest, SendPostRequestAndReceiveSoloFin) {
   const char kResponseBody[] = "Hello world!";
   std::string header2 = ConstructDataHeader(strlen(kResponseBody));
   ProcessPacket(
-      ConstructServerDataPacket(3, false, !kFin, 0, header2 + kResponseBody));
+      ConstructServerDataPacket(3, false, !kFin, header2 + kResponseBody));
   // Since the body has already arrived, this should return immediately.
   EXPECT_EQ(static_cast<int>(strlen(kResponseBody)),
             stream_->ReadResponseBody(read_buffer_.get(), read_buffer_->size(),
                                       callback_.callback()));
-  ProcessPacket(ConstructServerDataPacket(
-      4, false, kFin, base::size(kResponseBody) - 1 + header2.length(), ""));
+  ProcessPacket(ConstructServerDataPacket(4, false, kFin, ""));
   EXPECT_EQ(0,
             stream_->ReadResponseBody(read_buffer_.get(), read_buffer_->size(),
                                       callback_.callback()));
@@ -1407,24 +1381,21 @@ TEST_P(QuicHttpStreamTest, SendChunkedPostRequest) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t chunk_size = strlen(kUploadData);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   std::string header = ConstructDataHeader(chunk_size);
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion,
-        !kFin, DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {header, kUploadData}));
-    AddWrite(ConstructClientMultipleDataFramesPacket(
-        3, kIncludeVersion, kFin, header.length() + chunk_size,
+        !kFin, DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
         {header, kUploadData}));
+    AddWrite(ConstructClientMultipleDataFramesPacket(3, kIncludeVersion, kFin,
+                                                     {header, kUploadData}));
   } else {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion,
-        !kFin, DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {kUploadData}));
-    AddWrite(ConstructClientDataPacket(3, kIncludeVersion, kFin, chunk_size,
-                                       kUploadData));
+        !kFin, DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {kUploadData}));
+    AddWrite(ConstructClientDataPacket(3, kIncludeVersion, kFin, kUploadData));
   }
 
   AddWrite(ConstructClientAckPacket(4, 3, 1, 2));
@@ -1468,8 +1439,8 @@ TEST_P(QuicHttpStreamTest, SendChunkedPostRequest) {
   // Send the response body.
   const char kResponseBody[] = "Hello world!";
   std::string header2 = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(ConstructServerDataPacket(
-      3, false, kFin, response_data_.length(), header2 + kResponseBody));
+  ProcessPacket(
+      ConstructServerDataPacket(3, false, kFin, header2 + kResponseBody));
 
   // Since the body has already arrived, this should return immediately.
   ASSERT_EQ(static_cast<int>(strlen(kResponseBody)),
@@ -1493,23 +1464,21 @@ TEST_P(QuicHttpStreamTest, SendChunkedPostRequestWithFinalEmptyDataPacket) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t chunk_size = strlen(kUploadData);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   std::string header = ConstructDataHeader(chunk_size);
 
   if (version_.transport_version != quic::QUIC_VERSION_99) {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion,
-        !kFin, DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {kUploadData}));
+        !kFin, DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {kUploadData}));
   } else {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion,
-        !kFin, DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {header, kUploadData}));
+        !kFin, DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {header, kUploadData}));
   }
-  AddWrite(ConstructClientDataPacket(3, kIncludeVersion, kFin,
-                                     chunk_size + header.length(), ""));
+  AddWrite(ConstructClientDataPacket(3, kIncludeVersion, kFin, ""));
   AddWrite(ConstructClientAckPacket(4, 3, 1, 2));
   Initialize();
 
@@ -1550,8 +1519,8 @@ TEST_P(QuicHttpStreamTest, SendChunkedPostRequestWithFinalEmptyDataPacket) {
   // Send the response body.
   const char kResponseBody[] = "Hello world!";
   std::string header2 = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(ConstructServerDataPacket(
-      3, false, kFin, response_data_.length(), header2 + kResponseBody));
+  ProcessPacket(
+      ConstructServerDataPacket(3, false, kFin, header2 + kResponseBody));
 
   // The body has arrived, but it is delivered asynchronously
   ASSERT_EQ(static_cast<int>(strlen(kResponseBody)),
@@ -1573,13 +1542,11 @@ TEST_P(QuicHttpStreamTest, SendChunkedPostRequestWithFinalEmptyDataPacket) {
 TEST_P(QuicHttpStreamTest, SendChunkedPostRequestWithOneEmptyDataPacket) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, !kFin,
-      DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
-      &header_stream_offset));
-  AddWrite(ConstructClientDataPacket(3, kIncludeVersion, kFin, 0, ""));
+      DEFAULT_PRIORITY, &spdy_request_headers_frame_length));
+  AddWrite(ConstructClientDataPacket(3, kIncludeVersion, kFin, ""));
   AddWrite(ConstructClientAckPacket(4, 3, 1, 2));
   Initialize();
 
@@ -1619,8 +1586,8 @@ TEST_P(QuicHttpStreamTest, SendChunkedPostRequestWithOneEmptyDataPacket) {
   // Send the response body.
   const char kResponseBody[] = "Hello world!";
   std::string header = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(ConstructServerDataPacket(
-      3, false, kFin, response_data_.length(), header + kResponseBody));
+  ProcessPacket(
+      ConstructServerDataPacket(3, false, kFin, header + kResponseBody));
 
   // The body has arrived, but it is delivered asynchronously
   ASSERT_EQ(static_cast<int>(strlen(kResponseBody)),
@@ -1642,12 +1609,10 @@ TEST_P(QuicHttpStreamTest, SendChunkedPostRequestWithOneEmptyDataPacket) {
 TEST_P(QuicHttpStreamTest, DestroyedEarly) {
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_headers_frame_length));
   AddWrite(ConstructAckAndRstStreamPacket(3));
   Initialize();
 
@@ -1689,11 +1654,10 @@ TEST_P(QuicHttpStreamTest, DestroyedEarly) {
 TEST_P(QuicHttpStreamTest, Priority) {
   SetRequest("GET", "/", MEDIUM);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, kFin,
-      MEDIUM, &spdy_request_headers_frame_length, &header_stream_offset));
+      MEDIUM, &spdy_request_headers_frame_length));
   Initialize();
 
   request_.method = "GET";
@@ -1731,19 +1695,18 @@ TEST_P(QuicHttpStreamTest, Priority) {
 TEST_P(QuicHttpStreamTest, SessionClosedDuringDoLoop) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   std::string header = ConstructDataHeader(strlen(kUploadData));
   if (version_.transport_version != quic::QUIC_VERSION_99) {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion,
-        !kFin, DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {kUploadData}));
+        !kFin, DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {kUploadData}));
   } else {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion,
-        !kFin, DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {header, kUploadData}));
+        !kFin, DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {header, kUploadData}));
   }
 
   // Second data write will result in a synchronous failure which will close
@@ -1783,8 +1746,7 @@ TEST_P(QuicHttpStreamTest, SessionClosedDuringDoLoop) {
 
 TEST_P(QuicHttpStreamTest, SessionClosedBeforeSendHeadersComplete) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(SYNCHRONOUS, ERR_FAILED);
   Initialize();
 
@@ -1815,8 +1777,7 @@ TEST_P(QuicHttpStreamTest, SessionClosedBeforeSendHeadersComplete) {
 
 TEST_P(QuicHttpStreamTest, SessionClosedBeforeSendHeadersCompleteReadResponse) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(SYNCHRONOUS, ERR_FAILED);
   Initialize();
 
@@ -1851,12 +1812,10 @@ TEST_P(QuicHttpStreamTest, SessionClosedBeforeSendHeadersCompleteReadResponse) {
 TEST_P(QuicHttpStreamTest, SessionClosedBeforeSendBodyComplete) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, !kFin,
-      DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_headers_frame_length));
   AddWrite(SYNCHRONOUS, ERR_FAILED);
   Initialize();
 
@@ -1892,19 +1851,18 @@ TEST_P(QuicHttpStreamTest, SessionClosedBeforeSendBodyComplete) {
 TEST_P(QuicHttpStreamTest, SessionClosedBeforeSendBundledBodyComplete) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   std::string header = ConstructDataHeader(strlen(kUploadData));
   if (version_.transport_version != quic::QUIC_VERSION_99) {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion,
-        !kFin, DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {kUploadData}));
+        !kFin, DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {kUploadData}));
   } else {
     AddWrite(ConstructRequestHeadersAndDataFramesPacket(
         2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion,
-        !kFin, DEFAULT_PRIORITY, 0, &header_stream_offset,
-        &spdy_request_headers_frame_length, {header, kUploadData}));
+        !kFin, DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
+        {header, kUploadData}));
   }
 
   AddWrite(SYNCHRONOUS, ERR_FAILED);
@@ -1977,12 +1935,12 @@ TEST_P(QuicHttpStreamTest, ServerPushGetRequest) {
   // Receive the promised response body.
   const char kResponseBody[] = "Hello world!";
   std::string header = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(InnerConstructDataPacket(
-      2, promise_id_, false, kFin, 0, header + kResponseBody, &server_maker_));
+  ProcessPacket(server_maker_.MakeDataPacket(2, promise_id_, false, kFin,
+                                             header + kResponseBody));
 
   // Now sending a matching request will have successful rendezvous
   // with the promised stream.
-  EXPECT_EQ(OK, promised_stream_->SendRequest(headers_, &response_,
+  ASSERT_EQ(OK, promised_stream_->SendRequest(headers_, &response_,
                                               callback_.callback()));
 
   EXPECT_EQ(
@@ -2049,8 +2007,8 @@ TEST_P(QuicHttpStreamTest, ServerPushGetRequestSlowResponse) {
   // Receive the promised response body.
   const char kResponseBody[] = "Hello world!";
   std::string header = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(InnerConstructDataPacket(
-      2, promise_id_, false, kFin, 0, header + kResponseBody, &server_maker_));
+  ProcessPacket(server_maker_.MakeDataPacket(2, promise_id_, false, kFin,
+                                             header + kResponseBody));
 
   base::RunLoop().RunUntilIdle();
 
@@ -2143,7 +2101,8 @@ TEST_P(QuicHttpStreamTest, ServerPushCrossOriginOK) {
   // packet, but does it matter?
 
   push_promise_[":authority"] = "mail.example.org";
-  promise_url_ = quic::SpdyUtils::GetPromisedUrlFromHeaders(push_promise_);
+  promise_url_ =
+      quic::SpdyServerPushUtils::GetPromisedUrlFromHeaders(push_promise_);
 
   ReceivePromise(promise_id_);
   EXPECT_NE(session_->GetPromisedByUrl(promise_url_), nullptr);
@@ -2165,8 +2124,8 @@ TEST_P(QuicHttpStreamTest, ServerPushCrossOriginOK) {
   // Receive the promised response body.
   const char kResponseBody[] = "Hello world!";
   std::string header = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(InnerConstructDataPacket(
-      2, promise_id_, false, kFin, 0, header + kResponseBody, &server_maker_));
+  ProcessPacket(server_maker_.MakeDataPacket(2, promise_id_, false, kFin,
+                                             header + kResponseBody));
 
   // Now sending a matching request will have successful rendezvous
   // with the promised stream.
@@ -2213,7 +2172,8 @@ TEST_P(QuicHttpStreamTest, ServerPushCrossOriginFail) {
   // TODO(ckrasic) - could do this via constructing a PUSH_PROMISE
   // packet, but does it matter?
   push_promise_[":authority"] = "www.notexample.org";
-  promise_url_ = quic::SpdyUtils::GetPromisedUrlFromHeaders(push_promise_);
+  promise_url_ =
+      quic::SpdyServerPushUtils::GetPromisedUrlFromHeaders(push_promise_);
 
   ReceivePromise(promise_id_);
   // The promise will have been rejected because the cert doesn't
@@ -2265,8 +2225,8 @@ TEST_P(QuicHttpStreamTest, ServerPushVaryCheckOK) {
   // Receive the promised response body.
   const char kResponseBody[] = "Hello world!";
   std::string header = ConstructDataHeader(strlen(kResponseBody));
-  ProcessPacket(InnerConstructDataPacket(
-      2, promise_id_, false, kFin, 0, header + kResponseBody, &server_maker_));
+  ProcessPacket(server_maker_.MakeDataPacket(2, promise_id_, false, kFin,
+                                             header + kResponseBody));
 
   base::RunLoop().RunUntilIdle();
 
@@ -2307,21 +2267,21 @@ TEST_P(QuicHttpStreamTest, ServerPushVaryCheckFail) {
   request_headers_["accept-encoding"] = "sdch";
 
   size_t spdy_request_header_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
 
   uint64_t client_packet_number = 2;
-  if (client_headers_include_h2_stream_dependency_ &&
-      version_.transport_version >= quic::QUIC_VERSION_43) {
-    AddWrite(ConstructClientPriorityPacket(
-        client_packet_number++, kIncludeVersion, promise_id_, 0,
-        DEFAULT_PRIORITY, &header_stream_offset));
+  if ((client_headers_include_h2_stream_dependency_ &&
+       version_.transport_version >= quic::QUIC_VERSION_43) ||
+      VersionHasStreamType(version_.transport_version)) {
+    AddWrite(ConstructClientPriorityPacket(client_packet_number++,
+                                           kIncludeVersion, promise_id_, 0,
+                                           DEFAULT_PRIORITY));
   }
   AddWrite(ConstructClientRstStreamVaryMismatchAndRequestHeadersPacket(
       client_packet_number++,
       stream_id_ + quic::QuicUtils::StreamIdDelta(version_.transport_version),
       !kIncludeVersion, kFin, DEFAULT_PRIORITY, promise_id_,
-      &spdy_request_header_frame_length, &header_stream_offset));
+      &spdy_request_header_frame_length));
   AddWrite(ConstructClientAckPacket(client_packet_number++, 3, 1, 2));
   AddWrite(ConstructClientRstStreamCancelledPacket(client_packet_number++));
 
@@ -2430,12 +2390,11 @@ TEST_P(QuicHttpStreamTest, ServerPushVaryCheckFail) {
 TEST_P(QuicHttpStreamTest, DataReadErrorSynchronous) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(ConstructRequestAndRstPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, !kFin,
       DEFAULT_PRIORITY, 0, &spdy_request_headers_frame_length,
-      &header_stream_offset, quic::QUIC_ERROR_PROCESSING_STREAM, 0));
+      quic::QUIC_ERROR_PROCESSING_STREAM));
 
   Initialize();
 
@@ -2465,12 +2424,10 @@ TEST_P(QuicHttpStreamTest, DataReadErrorSynchronous) {
 TEST_P(QuicHttpStreamTest, DataReadErrorAsynchronous) {
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  AddWrite(ConstructInitialSettingsPacket(&header_stream_offset));
+  AddWrite(ConstructInitialSettingsPacket());
   AddWrite(InnerConstructRequestHeadersPacket(
       2, GetNthClientInitiatedBidirectionalStreamId(0), kIncludeVersion, !kFin,
-      DEFAULT_PRIORITY, &spdy_request_headers_frame_length,
-      &header_stream_offset));
+      DEFAULT_PRIORITY, &spdy_request_headers_frame_length));
   AddWrite(ConstructClientRstStreamErrorPacket(3, !kIncludeVersion));
 
   Initialize();
diff --git a/chromium/net/quic/quic_http_utils.cc b/chromium/net/quic/quic_http_utils.cc
index 1f1f2762c80..9b2e63c2b91 100644
--- a/chromium/net/quic/quic_http_utils.cc
+++ b/chromium/net/quic/quic_http_utils.cc
@@ -36,22 +36,22 @@ RequestPriority ConvertQuicPriorityToRequestPriority(
                          : static_cast<RequestPriority>(HIGHEST - priority);
 }
 
-base::Value QuicRequestNetLogCallback(quic::QuicStreamId stream_id,
-                                      const spdy::SpdyHeaderBlock* headers,
-                                      spdy::SpdyPriority priority,
-                                      NetLogCaptureMode capture_mode) {
-  base::Value dict = SpdyHeaderBlockNetLogCallback(headers, capture_mode);
+base::Value QuicRequestNetLogParams(quic::QuicStreamId stream_id,
+                                    const spdy::SpdyHeaderBlock* headers,
+                                    spdy::SpdyPriority priority,
+                                    NetLogCaptureMode capture_mode) {
+  base::Value dict = SpdyHeaderBlockNetLogParams(headers, capture_mode);
   DCHECK(dict.is_dict());
   dict.SetIntKey("quic_priority", static_cast<int>(priority));
   dict.SetIntKey("quic_stream_id", static_cast<int>(stream_id));
   return dict;
 }
 
-base::Value QuicResponseNetLogCallback(quic::QuicStreamId stream_id,
-                                       bool fin_received,
-                                       const spdy::SpdyHeaderBlock* headers,
-                                       NetLogCaptureMode capture_mode) {
-  base::Value dict = SpdyHeaderBlockNetLogCallback(headers, capture_mode);
+base::Value QuicResponseNetLogParams(quic::QuicStreamId stream_id,
+                                     bool fin_received,
+                                     const spdy::SpdyHeaderBlock* headers,
+                                     NetLogCaptureMode capture_mode) {
+  base::Value dict = SpdyHeaderBlockNetLogParams(headers, capture_mode);
   dict.SetIntKey("quic_stream_id", static_cast<int>(stream_id));
   dict.SetBoolKey("fin", fin_received);
   return dict;
diff --git a/chromium/net/quic/quic_http_utils.h b/chromium/net/quic/quic_http_utils.h
index 3fe19fcce64..f495bdb07f0 100644
--- a/chromium/net/quic/quic_http_utils.h
+++ b/chromium/net/quic/quic_http_utils.h
@@ -23,14 +23,14 @@ ConvertQuicPriorityToRequestPriority(spdy::SpdyPriority priority);
 
 // Converts a spdy::SpdyHeaderBlock, stream_id and priority into NetLog event
 // parameters.
-NET_EXPORT base::Value QuicRequestNetLogCallback(
+NET_EXPORT base::Value QuicRequestNetLogParams(
     quic::QuicStreamId stream_id,
     const spdy::SpdyHeaderBlock* headers,
     spdy::SpdyPriority priority,
     NetLogCaptureMode capture_mode);
 
 // Converts a spdy::SpdyHeaderBlock and stream into NetLog event parameters.
-NET_EXPORT base::Value QuicResponseNetLogCallback(
+NET_EXPORT base::Value QuicResponseNetLogParams(
     quic::QuicStreamId stream_id,
     bool fin_received,
     const spdy::SpdyHeaderBlock* headers,
diff --git a/chromium/net/quic/quic_http_utils_test.cc b/chromium/net/quic/quic_http_utils_test.cc
index 8a92955fa74..f9c13dfd041 100644
--- a/chromium/net/quic/quic_http_utils_test.cc
+++ b/chromium/net/quic/quic_http_utils_test.cc
@@ -44,16 +44,16 @@ TEST(QuicHttpUtilsTest, FilterSupportedAltSvcVersions) {
   quic::ParsedQuicVersionVector supported_versions = {
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_46),
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_39),
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_44)};
+  };
 
-  std::vector<uint32_t> alt_svc_versions_google = {quic::QUIC_VERSION_44,
+  std::vector<uint32_t> alt_svc_versions_google = {quic::QUIC_VERSION_46,
                                                    quic::QUIC_VERSION_43};
   std::vector<uint32_t> alt_svc_versions_ietf = {
-      QuicVersionToQuicVersionLabel(quic::QUIC_VERSION_44),
+      QuicVersionToQuicVersionLabel(quic::QUIC_VERSION_46),
       QuicVersionToQuicVersionLabel(quic::QUIC_VERSION_43)};
 
   quic::ParsedQuicVersionVector supported_alt_svc_versions = {
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_44)};
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_46)};
   spdy::SpdyAltSvcWireFormat::AlternativeService altsvc;
 
   altsvc.protocol_id = "quic";
diff --git a/chromium/net/quic/quic_network_transaction_unittest.cc b/chromium/net/quic/quic_network_transaction_unittest.cc
index ca519c5d65c..2a24deba49f 100644
--- a/chromium/net/quic/quic_network_transaction_unittest.cc
+++ b/chromium/net/quic/quic_network_transaction_unittest.cc
@@ -17,8 +17,10 @@
 #include "base/strings/string_piece.h"
 #include "base/strings/stringprintf.h"
 #include "base/test/metrics/histogram_tester.h"
+#include "base/test/scoped_feature_list.h"
 #include "net/base/chunked_upload_data_stream.h"
 #include "net/base/completion_once_callback.h"
+#include "net/base/features.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/mock_network_change_notifier.h"
 #include "net/base/test_completion_callback.h"
@@ -38,7 +40,6 @@
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/proxy_resolution/proxy_config_service_fixed.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
@@ -157,14 +158,17 @@ std::string GenerateQuicVersionsListForAltSvcHeader(
 std::vector<PoolingTestParams> GetPoolingTestParams() {
   std::vector<PoolingTestParams> params;
   quic::ParsedQuicVersionVector all_supported_versions =
-      quic::AllVersionsExcept99();
+      quic::AllSupportedVersions();
   for (const quic::ParsedQuicVersion version : all_supported_versions) {
-    params.push_back(PoolingTestParams{version, SAME_AS_FIRST, false});
-    params.push_back(PoolingTestParams{version, SAME_AS_FIRST, true});
-    params.push_back(PoolingTestParams{version, SAME_AS_SECOND, false});
-    params.push_back(PoolingTestParams{version, SAME_AS_SECOND, true});
-    params.push_back(PoolingTestParams{version, DIFFERENT, false});
-    params.push_back(PoolingTestParams{version, DIFFERENT, true});
+    // TODO(rch): crbug.com/978745 - Make this work with TLS
+    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
+      params.push_back(PoolingTestParams{version, SAME_AS_FIRST, false});
+      params.push_back(PoolingTestParams{version, SAME_AS_FIRST, true});
+      params.push_back(PoolingTestParams{version, SAME_AS_SECOND, false});
+      params.push_back(PoolingTestParams{version, SAME_AS_SECOND, true});
+      params.push_back(PoolingTestParams{version, DIFFERENT, false});
+      params.push_back(PoolingTestParams{version, DIFFERENT, true});
+    }
   }
   return params;
 }
@@ -369,10 +373,8 @@ class QuicNetworkTransactionTest
   std::unique_ptr<quic::QuicEncryptedPacket> ConstructClientRstPacket(
       uint64_t num,
       quic::QuicStreamId stream_id,
-      quic::QuicRstStreamErrorCode error_code,
-      size_t bytes_written) {
+      quic::QuicRstStreamErrorCode error_code) {
     return client_maker_.MakeRstPacket(num, false, stream_id, error_code,
-                                       bytes_written,
                                        /*include_stop_sending_if_v99=*/true);
   }
 
@@ -409,9 +411,8 @@ class QuicNetworkTransactionTest
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructInitialSettingsPacket(
-      uint64_t packet_number,
-      quic::QuicStreamOffset* offset) {
-    return client_maker_.MakeInitialSettingsPacket(packet_number, offset);
+      uint64_t packet_number) {
+    return client_maker_.MakeInitialSettingsPacket(packet_number);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerAckPacket(
@@ -428,11 +429,10 @@ class QuicNetworkTransactionTest
       bool should_include_version,
       quic::QuicStreamId id,
       quic::QuicStreamId parent_stream_id,
-      RequestPriority request_priority,
-      quic::QuicStreamOffset* offset) {
+      RequestPriority request_priority) {
     return client_maker_.MakePriorityPacket(
         packet_number, should_include_version, id, parent_stream_id,
-        ConvertRequestPriorityToQuicPriority(request_priority), offset);
+        ConvertRequestPriorityToQuicPriority(request_priority));
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
@@ -443,11 +443,10 @@ class QuicNetworkTransactionTest
       uint64_t smallest_received,
       uint64_t least_unacked,
       const std::vector<QuicTestPacketMaker::Http2StreamDependency>&
-          priority_frames,
-      quic::QuicStreamOffset* offset) {
+          priority_frames) {
     return client_maker_.MakeAckAndMultiplePriorityFramesPacket(
         packet_number, should_include_version, largest_received,
-        smallest_received, least_unacked, priority_frames, offset);
+        smallest_received, least_unacked, priority_frames);
   }
 
   // Uses default QuicTestPacketMaker.
@@ -484,10 +483,9 @@ class QuicNetworkTransactionTest
       quic::QuicStreamId stream_id,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
-    return server_maker_.MakeDataPacket(
-        packet_number, stream_id, should_include_version, fin, offset, data);
+    return server_maker_.MakeDataPacket(packet_number, stream_id,
+                                        should_include_version, fin, data);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket> ConstructClientDataPacket(
@@ -495,10 +493,9 @@ class QuicNetworkTransactionTest
       quic::QuicStreamId stream_id,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
-    return client_maker_.MakeDataPacket(
-        packet_number, stream_id, should_include_version, fin, offset, data);
+    return client_maker_.MakeDataPacket(packet_number, stream_id,
+                                        should_include_version, fin, data);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
@@ -507,11 +504,9 @@ class QuicNetworkTransactionTest
       quic::QuicStreamId stream_id,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string> data_writes) {
-    return client_maker_.MakeMultipleDataFramesPacket(packet_number, stream_id,
-                                                      should_include_version,
-                                                      fin, offset, data_writes);
+    return client_maker_.MakeMultipleDataFramesPacket(
+        packet_number, stream_id, should_include_version, fin, data_writes);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket> ConstructClientAckAndDataPacket(
@@ -522,11 +517,10 @@ class QuicNetworkTransactionTest
       uint64_t smallest_received,
       uint64_t least_unacked,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
     return client_maker_.MakeAckAndDataPacket(
         packet_number, include_version, stream_id, largest_received,
-        smallest_received, least_unacked, fin, offset, data);
+        smallest_received, least_unacked, fin, data);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
@@ -538,11 +532,10 @@ class QuicNetworkTransactionTest
       uint64_t smallest_received,
       uint64_t least_unacked,
       bool fin,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string> data_writes) {
     return client_maker_.MakeAckAndMultipleDataFramesPacket(
         packet_number, include_version, stream_id, largest_received,
-        smallest_received, least_unacked, fin, offset, data_writes);
+        smallest_received, least_unacked, fin, data_writes);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket> ConstructClientForceHolDataPacket(
@@ -564,19 +557,7 @@ class QuicNetworkTransactionTest
                                       spdy::SpdyHeaderBlock headers) {
     return ConstructClientRequestHeadersPacket(packet_number, stream_id,
                                                should_include_version, fin,
-                                               std::move(headers), nullptr);
-  }
-
-  std::unique_ptr<quic::QuicEncryptedPacket>
-  ConstructClientRequestHeadersPacket(uint64_t packet_number,
-                                      quic::QuicStreamId stream_id,
-                                      bool should_include_version,
-                                      bool fin,
-                                      spdy::SpdyHeaderBlock headers,
-                                      quic::QuicStreamOffset* offset) {
-    return ConstructClientRequestHeadersPacket(packet_number, stream_id,
-                                               should_include_version, fin,
-                                               std::move(headers), 0, offset);
+                                               std::move(headers), 0);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
@@ -585,11 +566,10 @@ class QuicNetworkTransactionTest
                                       bool should_include_version,
                                       bool fin,
                                       spdy::SpdyHeaderBlock headers,
-                                      quic::QuicStreamId parent_stream_id,
-                                      quic::QuicStreamOffset* offset) {
+                                      quic::QuicStreamId parent_stream_id) {
     return ConstructClientRequestHeadersPacket(
         packet_number, stream_id, should_include_version, fin, DEFAULT_PRIORITY,
-        std::move(headers), parent_stream_id, offset);
+        std::move(headers), parent_stream_id);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
@@ -599,13 +579,12 @@ class QuicNetworkTransactionTest
                                       bool fin,
                                       RequestPriority request_priority,
                                       spdy::SpdyHeaderBlock headers,
-                                      quic::QuicStreamId parent_stream_id,
-                                      quic::QuicStreamOffset* offset) {
+                                      quic::QuicStreamId parent_stream_id) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(request_priority);
-    return client_maker_.MakeRequestHeadersPacketWithOffsetTracking(
+    return client_maker_.MakeRequestHeadersPacket(
         packet_number, stream_id, should_include_version, fin, priority,
-        std::move(headers), parent_stream_id, offset);
+        std::move(headers), parent_stream_id, nullptr);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -617,39 +596,26 @@ class QuicNetworkTransactionTest
       RequestPriority request_priority,
       spdy::SpdyHeaderBlock headers,
       quic::QuicStreamId parent_stream_id,
-      quic::QuicStreamOffset* offset,
       size_t* spdy_headers_frame_length,
       const std::vector<std::string>& data_writes) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(request_priority);
     return client_maker_.MakeRequestHeadersAndMultipleDataFramesPacket(
         packet_number, stream_id, should_include_version, fin, priority,
-        std::move(headers), parent_stream_id, offset, spdy_headers_frame_length,
+        std::move(headers), parent_stream_id, spdy_headers_frame_length,
         data_writes);
   }
 
-  std::unique_ptr<quic::QuicEncryptedPacket>
-  ConstructClientMultipleDataFramesPacket(uint64_t packet_number,
-                                          quic::QuicStreamId stream_id,
-                                          bool should_include_version,
-                                          bool fin,
-                                          const std::vector<std::string>& data,
-                                          quic::QuicStreamOffset offset) {
-    return client_maker_.MakeMultipleDataFramesPacket(
-        packet_number, stream_id, should_include_version, fin, offset, data);
-  }
-
   std::unique_ptr<quic::QuicEncryptedPacket> ConstructServerPushPromisePacket(
       uint64_t packet_number,
       quic::QuicStreamId stream_id,
       quic::QuicStreamId promised_stream_id,
       bool should_include_version,
       spdy::SpdyHeaderBlock headers,
-      quic::QuicStreamOffset* offset,
       QuicTestPacketMaker* maker) {
     return maker->MakePushPromisePacket(
         packet_number, stream_id, promised_stream_id, should_include_version,
-        false, std::move(headers), nullptr, offset);
+        false, std::move(headers), nullptr);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
@@ -658,21 +624,9 @@ class QuicNetworkTransactionTest
                                        bool should_include_version,
                                        bool fin,
                                        spdy::SpdyHeaderBlock headers) {
-    return ConstructServerResponseHeadersPacket(packet_number, stream_id,
-                                                should_include_version, fin,
-                                                std::move(headers), nullptr);
-  }
-
-  std::unique_ptr<quic::QuicEncryptedPacket>
-  ConstructServerResponseHeadersPacket(uint64_t packet_number,
-                                       quic::QuicStreamId stream_id,
-                                       bool should_include_version,
-                                       bool fin,
-                                       spdy::SpdyHeaderBlock headers,
-                                       quic::QuicStreamOffset* offset) {
-    return server_maker_.MakeResponseHeadersPacketWithOffsetTracking(
-        packet_number, stream_id, should_include_version, fin,
-        std::move(headers), offset);
+    return server_maker_.MakeResponseHeadersPacket(packet_number, stream_id,
+                                                   should_include_version, fin,
+                                                   std::move(headers), nullptr);
   }
 
   std::string ConstructDataHeader(size_t body_len) {
@@ -687,8 +641,9 @@ class QuicNetworkTransactionTest
 
   void CreateSession(const quic::ParsedQuicVersionVector& supported_versions) {
     session_params_.enable_quic = true;
-    session_params_.quic_supported_versions = supported_versions;
-    session_params_.quic_headers_include_h2_stream_dependency =
+    session_params_.quic_params.supported_versions = supported_versions;
+    session_params_.quic_params.max_allowed_push_id = quic::kMaxQuicStreamId;
+    session_params_.quic_params.headers_include_h2_stream_dependency =
         client_headers_include_h2_stream_dependency_;
 
     session_context_.quic_clock = &clock_;
@@ -863,9 +818,10 @@ class QuicNetworkTransactionTest
   }
 
   void SetUpTestForRetryConnectionOnAlternateNetwork() {
-    session_params_.quic_migrate_sessions_on_network_change_v2 = true;
-    session_params_.quic_migrate_sessions_early_v2 = true;
-    session_params_.quic_retry_on_alternate_network_before_handshake = true;
+    session_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
+    session_params_.quic_params.migrate_sessions_early_v2 = true;
+    session_params_.quic_params.retry_on_alternate_network_before_handshake =
+        true;
     scoped_mock_change_notifier_.reset(new ScopedMockNetworkChangeNotifier());
     MockNetworkChangeNotifier* mock_ncn =
         scoped_mock_change_notifier_->mock_network_change_notifier();
@@ -1005,24 +961,36 @@ class QuicNetworkTransactionTest
   }
 };
 
+quic::ParsedQuicVersionVector AllSupportedVersionsWithoutTls() {
+  quic::ParsedQuicVersionVector versions;
+  for (auto version : quic::AllSupportedVersions()) {
+    // TODO(rch): crbug.com/978745 - Make this work with TLS
+    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
+      versions.push_back(version);
+    }
+  }
+  return versions;
+}
+
 INSTANTIATE_TEST_SUITE_P(
     VersionIncludeStreamDependencySequence,
     QuicNetworkTransactionTest,
-    ::testing::Combine(::testing::ValuesIn(quic::AllVersionsExcept99()),
+    ::testing::Combine(::testing::ValuesIn(AllSupportedVersionsWithoutTls()),
                        ::testing::Bool()));
 
+// TODO(950069): Add testing for frame_origin in NetworkIsolationKey using
+// kAppendInitiatingFrameOriginToNetworkIsolationKey.
+
 TEST_P(QuicNetworkTransactionTest, WriteErrorHandshakeConfirmed) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
   base::HistogramTester histograms;
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::CONFIRM_HANDSHAKE);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(SYNCHRONOUS, ERR_INTERNET_DISCONNECTED);
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   mock_quic_data.AddRead(ASYNC, OK);              // No more data to read
@@ -1044,17 +1012,15 @@ TEST_P(QuicNetworkTransactionTest, WriteErrorHandshakeConfirmed) {
 }
 
 TEST_P(QuicNetworkTransactionTest, WriteErrorHandshakeConfirmedAsync) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
   base::HistogramTester histograms;
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::CONFIRM_HANDSHAKE);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(ASYNC, ERR_INTERNET_DISCONNECTED);
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   mock_quic_data.AddRead(ASYNC, OK);              // No more data to read
@@ -1076,18 +1042,15 @@ TEST_P(QuicNetworkTransactionTest, WriteErrorHandshakeConfirmedAsync) {
 }
 
 TEST_P(QuicNetworkTransactionTest, SocketWatcherEnabled) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1096,7 +1059,7 @@ TEST_P(QuicNetworkTransactionTest, SocketWatcherEnabled) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
 
@@ -1113,18 +1076,15 @@ TEST_P(QuicNetworkTransactionTest, SocketWatcherEnabled) {
 }
 
 TEST_P(QuicNetworkTransactionTest, SocketWatcherDisabled) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1133,7 +1093,7 @@ TEST_P(QuicNetworkTransactionTest, SocketWatcherDisabled) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
 
@@ -1150,18 +1110,15 @@ TEST_P(QuicNetworkTransactionTest, SocketWatcherDisabled) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ForceQuic) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1170,7 +1127,7 @@ TEST_P(QuicNetworkTransactionTest, ForceQuic) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
 
@@ -1181,8 +1138,7 @@ TEST_P(QuicNetworkTransactionTest, ForceQuic) {
   SendRequestAndExpectQuicResponse("hello!");
 
   // Check that the NetLog was filled reasonably.
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   EXPECT_LT(0u, entries.size());
 
   // Check that we logged a QUIC_SESSION_PACKET_RECEIVED.
@@ -1198,9 +1154,7 @@ TEST_P(QuicNetworkTransactionTest, ForceQuic) {
       NetLogEventPhase::NONE);
   EXPECT_LT(0, pos);
 
-  int packet_number;
-  ASSERT_TRUE(entries[pos].GetIntegerValue("packet_number", &packet_number));
-  EXPECT_EQ(1, packet_number);
+  EXPECT_EQ(1, GetIntegerValueFromParams(entries[pos], "packet_number"));
 
   // ... and also a TYPE_QUIC_SESSION_PACKET_AUTHENTICATED.
   pos = ExpectLogContainsSomewhere(
@@ -1214,25 +1168,30 @@ TEST_P(QuicNetworkTransactionTest, ForceQuic) {
       NetLogEventPhase::NONE);
   EXPECT_LT(0, pos);
 
-  int log_stream_id;
-  ASSERT_TRUE(entries[pos].GetIntegerValue("stream_id", &log_stream_id));
-  EXPECT_EQ(quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            static_cast<quic::QuicStreamId>(log_stream_id));
+  int log_stream_id = GetIntegerValueFromParams(entries[pos], "stream_id");
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    EXPECT_EQ(GetNthClientInitiatedBidirectionalStreamId(0),
+              static_cast<quic::QuicStreamId>(log_stream_id));
+  } else {
+    EXPECT_EQ(quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
+              static_cast<quic::QuicStreamId>(log_stream_id));
+  }
 }
 
 TEST_P(QuicNetworkTransactionTest, LargeResponseHeaders) {
-  session_params_.origins_to_force_quic_on.insert(
+  // TODO(rch): honor the max header list size. b/136108828
+  if (quic::VersionUsesQpack(version_.transport_version))
+    return;
+
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   spdy::SpdyHeaderBlock response_headers = GetResponseHeaders("200 OK");
   response_headers["key1"] = std::string(30000, 'A');
   response_headers["key2"] = std::string(30000, 'A');
@@ -1242,31 +1201,42 @@ TEST_P(QuicNetworkTransactionTest, LargeResponseHeaders) {
   response_headers["key6"] = std::string(30000, 'A');
   response_headers["key7"] = std::string(30000, 'A');
   response_headers["key8"] = std::string(30000, 'A');
-  spdy::SpdyHeadersIR headers_frame(
-      GetNthClientInitiatedBidirectionalStreamId(0),
-      std::move(response_headers));
-  spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
-  spdy::SpdySerializedFrame spdy_frame =
-      response_framer.SerializeFrame(headers_frame);
+  quic::QuicStreamId stream_id;
+  std::string response_data;
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    stream_id = GetNthClientInitiatedBidirectionalStreamId(0);
+    std::vector<std::string> encoded = server_maker_.QpackEncodeHeaders(
+        stream_id, std::move(response_headers), nullptr);
+    for (const auto& e : encoded) {
+      response_data += e;
+    }
+  } else {
+    stream_id = quic::QuicUtils::GetHeadersStreamId(version_.transport_version);
+    spdy::SpdyHeadersIR headers_frame(
+        GetNthClientInitiatedBidirectionalStreamId(0),
+        std::move(response_headers));
+    spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
+    spdy::SpdySerializedFrame spdy_frame =
+        response_framer.SerializeFrame(headers_frame);
+    response_data = std::string(spdy_frame.data(), spdy_frame.size());
+  }
 
   uint64_t packet_number = 1;
   size_t chunk_size = 1200;
-  for (size_t offset = 0; offset < spdy_frame.size(); offset += chunk_size) {
-    size_t len = std::min(chunk_size, spdy_frame.size() - offset);
+  for (size_t offset = 0; offset < response_data.length();
+       offset += chunk_size) {
+    size_t len = std::min(chunk_size, response_data.length() - offset);
     mock_quic_data.AddRead(
-        ASYNC,
-        ConstructServerDataPacket(
-            packet_number++,
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            false, false, offset,
-            base::StringPiece(spdy_frame.data() + offset, len)));
+        ASYNC, ConstructServerDataPacket(
+                   packet_number++, stream_id, false, false,
+                   base::StringPiece(response_data.data() + offset, len)));
   }
 
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  packet_number, GetNthClientInitiatedBidirectionalStreamId(0),
-                 false, true, 0, header + "hello!"));
+                 false, true, header + "hello!"));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddWrite(ASYNC, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddWrite(ASYNC,
@@ -1282,19 +1252,17 @@ TEST_P(QuicNetworkTransactionTest, LargeResponseHeaders) {
 }
 
 TEST_P(QuicNetworkTransactionTest, TooLargeResponseHeaders) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
+
   spdy::SpdyHeaderBlock response_headers = GetResponseHeaders("200 OK");
   response_headers["key1"] = std::string(30000, 'A');
   response_headers["key2"] = std::string(30000, 'A');
@@ -1305,24 +1273,36 @@ TEST_P(QuicNetworkTransactionTest, TooLargeResponseHeaders) {
   response_headers["key7"] = std::string(30000, 'A');
   response_headers["key8"] = std::string(30000, 'A');
   response_headers["key9"] = std::string(30000, 'A');
-  spdy::SpdyHeadersIR headers_frame(
-      GetNthClientInitiatedBidirectionalStreamId(0),
-      std::move(response_headers));
-  spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
-  spdy::SpdySerializedFrame spdy_frame =
-      response_framer.SerializeFrame(headers_frame);
+
+  quic::QuicStreamId stream_id;
+  std::string response_data;
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    stream_id = GetNthClientInitiatedBidirectionalStreamId(0);
+    std::vector<std::string> encoded = server_maker_.QpackEncodeHeaders(
+        stream_id, std::move(response_headers), nullptr);
+    for (const auto& e : encoded) {
+      response_data += e;
+    }
+  } else {
+    stream_id = quic::QuicUtils::GetHeadersStreamId(version_.transport_version);
+    spdy::SpdyHeadersIR headers_frame(
+        GetNthClientInitiatedBidirectionalStreamId(0),
+        std::move(response_headers));
+    spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
+    spdy::SpdySerializedFrame spdy_frame =
+        response_framer.SerializeFrame(headers_frame);
+    response_data = std::string(spdy_frame.data(), spdy_frame.size());
+  }
 
   uint64_t packet_number = 1;
   size_t chunk_size = 1200;
-  for (size_t offset = 0; offset < spdy_frame.size(); offset += chunk_size) {
-    size_t len = std::min(chunk_size, spdy_frame.size() - offset);
+  for (size_t offset = 0; offset < response_data.length();
+       offset += chunk_size) {
+    size_t len = std::min(chunk_size, response_data.length() - offset);
     mock_quic_data.AddRead(
-        ASYNC,
-        ConstructServerDataPacket(
-            packet_number++,
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            false, false, offset,
-            base::StringPiece(spdy_frame.data() + offset, len)));
+        ASYNC, ConstructServerDataPacket(
+                   packet_number++, stream_id, false, false,
+                   base::StringPiece(response_data.data() + offset, len)));
   }
 
   std::string header = ConstructDataHeader(6);
@@ -1330,7 +1310,7 @@ TEST_P(QuicNetworkTransactionTest, TooLargeResponseHeaders) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  packet_number, GetNthClientInitiatedBidirectionalStreamId(0),
-                 false, true, 0, header + "hello!"));
+                 false, true, header + "hello!"));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddWrite(ASYNC, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddWrite(
@@ -1350,19 +1330,16 @@ TEST_P(QuicNetworkTransactionTest, TooLargeResponseHeaders) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ForceQuicForAll) {
-  session_params_.origins_to_force_quic_on.insert(HostPortPair());
+  session_params_.quic_params.origins_to_force_quic_on.insert(HostPortPair());
 
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::CONFIRM_HANDSHAKE);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1371,7 +1348,7 @@ TEST_P(QuicNetworkTransactionTest, ForceQuicForAll) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
 
@@ -1389,15 +1366,12 @@ TEST_P(QuicNetworkTransactionTest, QuicProxy) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC mail.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "http", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "http", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1406,7 +1380,7 @@ TEST_P(QuicNetworkTransactionTest, QuicProxy) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -1438,15 +1412,12 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyWithCert) {
       "QUIC " + proxy_host + ":70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
   client_maker_.set_hostname(origin_host);
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "http", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "http", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1455,7 +1426,7 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyWithCert) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);
@@ -1482,7 +1453,7 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyWithCert) {
 }
 
 TEST_P(QuicNetworkTransactionTest, AlternativeServicesDifferentHost) {
-  session_params_.quic_allow_remote_alt_svc = true;
+  session_params_.quic_params.allow_remote_alt_svc = true;
   HostPortPair origin("www.example.org", 443);
   HostPortPair alternative("mail.example.org", 443);
 
@@ -1499,15 +1470,13 @@ TEST_P(QuicNetworkTransactionTest, AlternativeServicesDifferentHost) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
   client_maker_.set_hostname(origin.host());
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1516,7 +1485,7 @@ TEST_P(QuicNetworkTransactionTest, AlternativeServicesDifferentHost) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);
@@ -1568,8 +1537,14 @@ TEST_P(QuicNetworkTransactionTest, DoNotUseQuicForUnsupportedVersion) {
   // in the stored AlternativeService is not supported by the client. However,
   // the response from the server will advertise new Alt-Svc with supported
   // versions.
+  quic::ParsedQuicVersionVector versions;
+  for (quic::QuicTransportVersion version :
+       quic::AllSupportedTransportVersions()) {
+    versions.push_back(
+        quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO, version));
+  }
   std::string advertised_versions_list_str =
-      GenerateQuicVersionsListForAltSvcHeader(quic::AllSupportedVersions());
+      GenerateQuicVersionsListForAltSvcHeader(versions);
   std::string altsvc_header =
       base::StringPrintf("Alt-Svc: quic=\":443\"; v=\"%s\"\r\n\r\n",
                          advertised_versions_list_str.c_str());
@@ -1586,15 +1561,12 @@ TEST_P(QuicNetworkTransactionTest, DoNotUseQuicForUnsupportedVersion) {
 
   // Second request should be sent via QUIC as a new list of verions supported
   // by the client has been advertised by the server.
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1603,7 +1575,7 @@ TEST_P(QuicNetworkTransactionTest, DoNotUseQuicForUnsupportedVersion) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -1658,19 +1630,16 @@ TEST_P(QuicNetworkTransactionTest, RetryMisdirectedRequest) {
   // |http_data| exits the socket pool before the main job is aborted
   // deterministic. The first main job gets aborted without the socket pool ever
   // dispensing the socket, making it available for the second try.
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset request_header_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &request_header_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &request_header_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 GetResponseHeaders("421"), nullptr));
+                 GetResponseHeaders("421")));
   mock_quic_data.AddRead(ASYNC, OK);
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -1715,18 +1684,15 @@ TEST_P(QuicNetworkTransactionTest, RetryMisdirectedRequest) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ForceQuicWithErrorConnecting) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data1.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data1(version_);
+  mock_quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data1.AddRead(ASYNC, ERR_SOCKET_NOT_CONNECTED);
-  MockQuicData mock_quic_data2;
-  header_stream_offset = 0;
-  mock_quic_data2.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  client_maker_.Reset();
+  MockQuicData mock_quic_data2(version_);
+  mock_quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details_);
   mock_quic_data2.AddRead(ASYNC, ERR_SOCKET_NOT_CONNECTED);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details_);
@@ -1753,7 +1719,7 @@ TEST_P(QuicNetworkTransactionTest, ForceQuicWithErrorConnecting) {
 
 TEST_P(QuicNetworkTransactionTest, DoNotForceQuicForHttps) {
   // Attempt to "force" quic on 443, which will not be honored.
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("www.google.com:443"));
 
   MockRead http_reads[] = {
@@ -1784,15 +1750,12 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceForQuic) {
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1801,7 +1764,7 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceForQuic) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -1851,15 +1814,12 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceWithVersionForQuic1) {
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1868,7 +1828,7 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceWithVersionForQuic1) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -1914,15 +1874,12 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceWithVersionForQuic2) {
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1931,7 +1888,7 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceWithVersionForQuic2) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -1959,15 +1916,12 @@ TEST_P(QuicNetworkTransactionTest,
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -1976,7 +1930,7 @@ TEST_P(QuicNetworkTransactionTest,
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -2066,8 +2020,14 @@ TEST_P(QuicNetworkTransactionTest,
     break;
   }
 
+  quic::ParsedQuicVersionVector versions;
+  for (quic::QuicTransportVersion version :
+       quic::AllSupportedTransportVersions()) {
+    versions.push_back(
+        quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO, version));
+  }
   std::string advertised_versions_list_str =
-      GenerateQuicVersionsListForAltSvcHeader(quic::AllSupportedVersions());
+      GenerateQuicVersionsListForAltSvcHeader(versions);
   std::string altsvc_header =
       base::StringPrintf("Alt-Svc: quic=\":443\"; v=\"%s\"\r\n\r\n",
                          advertised_versions_list_str.c_str());
@@ -2082,15 +2042,12 @@ TEST_P(QuicNetworkTransactionTest,
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -2099,7 +2056,7 @@ TEST_P(QuicNetworkTransactionTest,
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -2147,15 +2104,12 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceAllSupportedVersion) {
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -2164,7 +2118,7 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceAllSupportedVersion) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -2183,15 +2137,12 @@ TEST_P(QuicNetworkTransactionTest, GoAwayWithConnectionMigrationOnPortsOnly) {
     // Not available under version 99
     return;
   }
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -2207,7 +2158,7 @@ TEST_P(QuicNetworkTransactionTest, GoAwayWithConnectionMigrationOnPortsOnly) {
   mock_quic_data.AddRead(
       SYNCHRONOUS, ConstructServerDataPacket(
                        3, GetNthClientInitiatedBidirectionalStreamId(0), false,
-                       true, 0, header + "hello!"));
+                       true, header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS,
                           ConstructClientAckAndRstPacket(
                               4, GetNthClientInitiatedBidirectionalStreamId(0),
@@ -2259,11 +2210,10 @@ TEST_P(QuicNetworkTransactionTest, GoAwayWithConnectionMigrationOnPortsOnly) {
 TEST_P(QuicNetworkTransactionTest, QuicFailsOnBothNetworksWhileTCPSucceeds) {
   SetUpTestForRetryConnectionOnAlternateNetwork();
 
-  std::string request_data;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read
   int packet_num = 1;
   quic_data.AddWrite(SYNCHRONOUS,
@@ -2304,7 +2254,7 @@ TEST_P(QuicNetworkTransactionTest, QuicFailsOnBothNetworksWhileTCPSucceeds) {
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
   // Add data for the second QUIC connection to fail.
-  MockQuicData quic_data2;
+  MockQuicData quic_data2(version_);
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data2.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);  // Write error.
   quic_data2.AddSocketDataToFactory(&socket_factory_);
@@ -2338,12 +2288,6 @@ TEST_P(QuicNetworkTransactionTest, QuicFailsOnBothNetworksWhileTCPSucceeds) {
   EXPECT_THAT(callback.WaitForResult(), IsOk());
   CheckResponseData(&trans, "TCP succeeds");
 
-  // Fire the retransmission alarm, from this point, connection will idle
-  // timeout after 4 seconds.
-  if (!GetQuicReloadableFlag(
-          quic_fix_time_of_first_packet_sent_after_receiving)) {
-    quic_task_runner_->RunNextTask();
-  }
   // Fast forward to idle timeout the original connection. A new connection will
   // be kicked off on the alternate network.
   quic_task_runner_->FastForwardBy(quic::QuicTime::Delta::FromSeconds(4));
@@ -2374,11 +2318,10 @@ TEST_P(QuicNetworkTransactionTest, QuicFailsOnBothNetworksWhileTCPSucceeds) {
 TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPSucceeds) {
   SetUpTestForRetryConnectionOnAlternateNetwork();
 
-  std::string request_data;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read
   int packet_num = 1;
   quic_data.AddWrite(SYNCHRONOUS,
@@ -2420,15 +2363,13 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPSucceeds) {
 
   // Quic connection will be retried on the alternate network after the initial
   // one fails on the default network.
-  MockQuicData quic_data2;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data2(version_);
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Handing read.
   quic_data2.AddWrite(SYNCHRONOUS,
                       client_maker_.MakeDummyCHLOPacket(1));  // CHLO
 
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data2.AddWrite(SYNCHRONOUS,
-                      ConstructInitialSettingsPacket(2, &header_stream_offset));
+  quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(2));
   quic_data2.AddSocketDataToFactory(&socket_factory_);
 
   // Resolve the host resolution synchronously.
@@ -2460,12 +2401,6 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPSucceeds) {
   EXPECT_THAT(callback.WaitForResult(), IsOk());
   CheckResponseData(&trans, "TCP succeeds");
 
-  // Fire the retransmission alarm, after which connection will idle
-  // timeout after 4 seconds.
-  if (!GetQuicReloadableFlag(
-          quic_fix_time_of_first_packet_sent_after_receiving)) {
-    quic_task_runner_->RunNextTask();
-  }
   // Fast forward to idle timeout the original connection. A new connection will
   // be kicked off on the alternate network.
   quic_task_runner_->FastForwardBy(quic::QuicTime::Delta::FromSeconds(4));
@@ -2503,11 +2438,10 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPSucceeds) {
 TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
   SetUpTestForRetryConnectionOnAlternateNetwork();
 
-  std::string request_data;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read
   int packet_num = 1;
   quic_data.AddWrite(SYNCHRONOUS,
@@ -2538,8 +2472,7 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
   AddHangingNonAlternateProtocolSocketData();
 
   // Quic connection will then be retried on the alternate network.
-  MockQuicData quic_data2;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data2(version_);
   quic_data2.AddWrite(SYNCHRONOUS,
                       client_maker_.MakeDummyCHLOPacket(1));  // CHLO
 
@@ -2547,13 +2480,11 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
   std::string header = ConstructDataHeader(body.length());
 
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data2.AddWrite(SYNCHRONOUS,
-                      ConstructInitialSettingsPacket(2, &header_stream_offset));
+  quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(2));
   quic_data2.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          3, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       3, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   quic_data2.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -2561,7 +2492,7 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
   quic_data2.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + body));
+                 header + body));
   quic_data2.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(4, 2, 1, 1));
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
   quic_data2.AddSocketDataToFactory(&socket_factory_);
@@ -2591,10 +2522,6 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
 
   // Pump the message loop to get the request started.
   base::RunLoop().RunUntilIdle();
-  if (!GetQuicReloadableFlag(
-          quic_fix_time_of_first_packet_sent_after_receiving)) {
-    quic_task_runner_->RunNextTask();
-  }
 
   // Fast forward to idle timeout the original connection. A new connection will
   // be kicked off on the alternate network.
@@ -2625,78 +2552,76 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
 // Verify that if a QUIC connection times out, the QuicHttpStream will
 // return QUIC_PROTOCOL_ERROR.
 TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmed) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_idle_connection_timeout_seconds = 5;
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.idle_connection_timeout =
+      base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
+  client_maker_.set_save_packet_frames(true);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
-
-  std::string settings_data;
-  quic::QuicStreamOffset settings_offset = header_stream_offset;
-  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
-  // TLP 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          3, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // TLP 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          4, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          5, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          6, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          7, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          8, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 3
   quic_data.AddWrite(
       SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          9, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          10, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
 
-  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectionClosePacket(
-                                      11, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
-                                      "No recent network activity."));
+  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 4, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 6, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 9, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 10, true));
+
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           11, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
+                           "No recent network activity."));
+  } else {
+    // Settings were sent in the request packet so there is only 1 packet to
+    // retransmit.
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 2, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 6, true));
+
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           7, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
+                           "No recent network activity."));
+  }
 
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   quic_data.AddRead(ASYNC, OK);
@@ -2742,89 +2667,81 @@ TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmed) {
 // Verify that if a QUIC connection RTOs, the QuicHttpStream will
 // return QUIC_PROTOCOL_ERROR.
 TEST_P(QuicNetworkTransactionTest, TooManyRtosAfterHandshakeConfirmed) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_connection_options.push_back(quic::k5RTO);
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.connection_options.push_back(quic::k5RTO);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
+  client_maker_.set_save_packet_frames(true);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
-
-  std::string settings_data;
-  quic::QuicStreamOffset settings_offset = header_stream_offset;
-  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
-  // TLP 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          3, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // TLP 2
   quic_data.AddWrite(
       SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          4, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          5, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          6, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          7, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          8, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 3
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          9, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          10, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 4
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          11, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          12, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 5
-  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectionClosePacket(
-                                      13, true, quic::QUIC_TOO_MANY_RTOS,
-                                      "5 consecutive retransmission timeouts"));
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
+
+  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 4, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 6, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 9, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 10, true));
+    // RTO 4
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 11, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 12, true));
+    // RTO 5
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           13, true, quic::QUIC_TOO_MANY_RTOS,
+                           "5 consecutive retransmission timeouts"));
+  } else {
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 2, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 6, true));
+    // RTO 4
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    // RTO 5
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           8, true, quic::QUIC_TOO_MANY_RTOS,
+                           "5 consecutive retransmission timeouts"));
+  }
 
   quic_data.AddRead(ASYNC, OK);
   quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -2870,90 +2787,102 @@ TEST_P(QuicNetworkTransactionTest, TooManyRtosAfterHandshakeConfirmed) {
 // QUIC will not be marked as broken.
 TEST_P(QuicNetworkTransactionTest,
        TooManyRtosAfterHandshakeConfirmedAndStreamReset) {
-  session_params_.quic_connection_options.push_back(quic::k5RTO);
+  session_params_.quic_params.connection_options.push_back(quic::k5RTO);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
+  client_maker_.set_save_packet_frames(true);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
+  quic_data.AddWrite(
+      SYNCHRONOUS,
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
 
-  std::string settings_data;
-  quic::QuicStreamOffset settings_offset = header_stream_offset;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
+  }
 
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRstPacket(
-                         3, true, GetNthClientInitiatedBidirectionalStreamId(0),
-                         quic::QUIC_STREAM_CANCELLED));
-  // TLP 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          4, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // TLP 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          5, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 1
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRstPacket(
-                         6, true, GetNthClientInitiatedBidirectionalStreamId(0),
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    quic_data.AddWrite(
+        SYNCHRONOUS, client_maker_.MakeRstPacket(
+                         2, true, GetNthClientInitiatedBidirectionalStreamId(0),
                          quic::QUIC_STREAM_CANCELLED));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          7, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // RTO 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          8, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRstPacket(
-                         9, true, GetNthClientInitiatedBidirectionalStreamId(0),
+    // Since the headers are sent on the data stream, when the stream is reset
+    // the headers are no longer retransmitted.
+    client_maker_.RemoveSavedStreamFrames(
+        GetNthClientInitiatedBidirectionalStreamId(0));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 4, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 6, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 9, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 10, true));
+    // RTO 4
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 11, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 12, true));
+    // RTO 5
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           13, true, quic::QUIC_TOO_MANY_RTOS,
+                           "5 consecutive retransmission timeouts"));
+  } else {
+    quic_data.AddWrite(
+        SYNCHRONOUS, client_maker_.MakeRstPacket(
+                         3, true, GetNthClientInitiatedBidirectionalStreamId(0),
                          quic::QUIC_STREAM_CANCELLED));
-  // RTO 3
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          10, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          11, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 4
-  quic_data.AddWrite(
-      SYNCHRONOUS, client_maker_.MakeRstPacket(
-                       12, true, GetNthClientInitiatedBidirectionalStreamId(0),
-                       quic::QUIC_STREAM_CANCELLED));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          13, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 5, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(3, 6, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(3, 9, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 10, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 11, true));
+    // RTO 4
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(3, 12, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 13, true));
   // RTO 5
   quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectionClosePacket(
                                       14, true, quic::QUIC_TOO_MANY_RTOS,
                                       "5 consecutive retransmission timeouts"));
+  }
 
   quic_data.AddRead(ASYNC, OK);
   quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -3002,19 +2931,21 @@ TEST_P(QuicNetworkTransactionTest,
 // Verify that if a QUIC protocol error occurs after the handshake is confirmed
 // the request fails with QUIC_PROTOCOL_ERROR.
 TEST_P(QuicNetworkTransactionTest, ProtocolErrorAfterHandshakeConfirmed) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
-  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
   quic_data.AddWrite(SYNCHRONOUS,
-                     ConstructInitialSettingsPacket(2, &header_stream_offset));
+                     ConstructClientRequestHeadersPacket(
+                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                         true, GetRequestHeaders("GET", "https", "/")));
+  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
+  uint64_t packet_number = 2;
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS,
+                       ConstructInitialSettingsPacket(packet_number++));
+  }
+  quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   // Peer sending data from an non-existing stream causes this end to raise
   // error and close connection.
   quic_data.AddRead(
@@ -3022,10 +2953,10 @@ TEST_P(QuicNetworkTransactionTest, ProtocolErrorAfterHandshakeConfirmed) {
                  1, false, GetNthClientInitiatedBidirectionalStreamId(47),
                  quic::QUIC_STREAM_LAST_ERROR));
   std::string quic_error_details = "Data for nonexistent stream";
-  quic_data.AddWrite(SYNCHRONOUS,
-                     ConstructClientAckAndConnectionClosePacket(
-                         3, quic::QuicTime::Delta::Zero(), 1, 1, 1,
-                         quic::QUIC_INVALID_STREAM_ID, quic_error_details));
+  quic_data.AddWrite(
+      SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(
+                       packet_number++, quic::QuicTime::Delta::Zero(), 1, 1, 1,
+                       quic::QUIC_INVALID_STREAM_ID, quic_error_details));
   quic_data.AddSocketDataToFactory(&socket_factory_);
 
   // In order for a new QUIC session to be established via alternate-protocol
@@ -3053,6 +2984,7 @@ TEST_P(QuicNetworkTransactionTest, ProtocolErrorAfterHandshakeConfirmed) {
       quic::QuicSession::HANDSHAKE_CONFIRMED);
 
   ASSERT_FALSE(quic_data.AllReadDataConsumed());
+  quic_data.Resume();
 
   // Run the QUIC session to completion.
   base::RunLoop().RunUntilIdle();
@@ -3068,78 +3000,76 @@ TEST_P(QuicNetworkTransactionTest, ProtocolErrorAfterHandshakeConfirmed) {
 // connection times out, then QUIC will be marked as broken and the request
 // retried over TCP.
 TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmedThenBroken) {
-  session_params_.mark_quic_broken_when_network_blackholes = true;
-  session_params_.quic_idle_connection_timeout_seconds = 5;
+  session_params_.quic_params.mark_quic_broken_when_network_blackholes = true;
+  session_params_.quic_params.idle_connection_timeout =
+      base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
+  client_maker_.set_save_packet_frames(true);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
-
-  std::string settings_data;
-  quic::QuicStreamOffset settings_offset = header_stream_offset;
-  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
-  // TLP 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          3, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // TLP 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          4, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          5, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          6, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          7, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
   quic_data.AddWrite(
       SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          8, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 3
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          9, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          10, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
 
-  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectionClosePacket(
-                                      11, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
-                                      "No recent network activity."));
+  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 4, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 6, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 9, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 10, true));
+
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           11, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
+                           "No recent network activity."));
+  } else {
+    // Settings were sent in the request packet so there is only 1 packet to
+    // retransmit.
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 2, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 6, true));
+
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           7, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
+                           "No recent network activity."));
+  }
 
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   quic_data.AddRead(ASYNC, OK);
@@ -3210,77 +3140,75 @@ TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmedThenBroken) {
 // connection times out, then QUIC will be marked as broken and the request
 // retried over TCP.
 TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmedThenBroken2) {
-  session_params_.quic_idle_connection_timeout_seconds = 5;
+  session_params_.quic_params.idle_connection_timeout =
+      base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
+  client_maker_.set_save_packet_frames(true);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
-
-  std::string settings_data;
-  quic::QuicStreamOffset settings_offset = header_stream_offset;
-  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
-  // TLP 1
   quic_data.AddWrite(
       SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          3, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // TLP 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          4, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          5, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          6, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          7, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          8, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 3
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          9, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          10, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
 
-  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectionClosePacket(
-                                      11, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
-                                      "No recent network activity."));
+  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 4, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 6, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 9, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 10, true));
+
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           11, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
+                           "No recent network activity."));
+  } else {
+    // Settings were sent in the request packet so there is only 1 packet to
+    // retransmit.
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 2, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 6, true));
+
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           7, true, quic::QUIC_NETWORK_IDLE_TIMEOUT,
+                           "No recent network activity."));
+  }
 
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   quic_data.AddRead(ASYNC, OK);
@@ -3354,98 +3282,97 @@ TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmedThenBroken2) {
 // will not be retried over TCP.
 TEST_P(QuicNetworkTransactionTest,
        TimeoutAfterHandshakeConfirmedAndHeadersThenBrokenNotRetried) {
-  session_params_.mark_quic_broken_when_network_blackholes = true;
-  session_params_.quic_idle_connection_timeout_seconds = 5;
+  session_params_.quic_params.mark_quic_broken_when_network_blackholes = true;
+  session_params_.quic_params.idle_connection_timeout =
+      base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
+  client_maker_.set_save_packet_frames(true);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
+  quic_data.AddWrite(
+      SYNCHRONOUS,
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
 
-  std::string settings_data;
-  quic::QuicStreamOffset settings_offset = header_stream_offset;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
 
-  quic_data.AddRead(ASYNC, ConstructServerResponseHeadersPacket(
-                               1, GetNthClientInitiatedBidirectionalStreamId(0),
-                               false, false, GetResponseHeaders("200 OK")));
-  // quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 1, 1));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientAckPacket(3, 1, 1, 1,
-                               quic::QuicTime::Delta::FromMilliseconds(25)));
+    quic_data.AddRead(
+        ASYNC, ConstructServerResponseHeadersPacket(
+                   1, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                   false, GetResponseHeaders("200 OK")));
+    // quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 1, 1));
+    quic_data.AddWrite(
+        SYNCHRONOUS,
+        ConstructClientAckPacket(3, 1, 1, 1,
+                                 quic::QuicTime::Delta::FromMilliseconds(25)));
 
-  // TLP 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          4, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, 0, request_data));
-  // TLP 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          5, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, settings_offset, settings_data));
-  // RTO 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          6, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          7, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, settings_offset, settings_data));
-  // RTO 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          8, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          9, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, settings_offset, settings_data));
-  // RTO 3
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          10, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          11, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, settings_offset, settings_data));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, false));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 5, false));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 6, false));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 7, false));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 8, false));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 9, false));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 10, false));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 11, false));
 
-  if (GetQuicReloadableFlag(
-          quic_fix_time_of_first_packet_sent_after_receiving)) {
     quic_data.AddWrite(
         SYNCHRONOUS,
         client_maker_.MakeAckAndConnectionClosePacket(
             12, false, quic::QuicTime::Delta::FromMilliseconds(4000), 1, 1, 1,
             quic::QUIC_NETWORK_IDLE_TIMEOUT, "No recent network activity."));
-
   } else {
+    // Settings were sent in the request packet so there is only 1 packet to
+    // retransmit.
+    quic_data.AddRead(
+        ASYNC, ConstructServerResponseHeadersPacket(
+                   1, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                   false, GetResponseHeaders("200 OK")));
+    // quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 1, 1));
+    quic_data.AddWrite(
+        SYNCHRONOUS,
+        ConstructClientAckPacket(2, 1, 1, 1,
+                                 quic::QuicTime::Delta::FromMilliseconds(25)));
+
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, false));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, false));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, false));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 6, false));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, false));
+
     quic_data.AddWrite(
         SYNCHRONOUS,
         client_maker_.MakeAckAndConnectionClosePacket(
-            12, false, quic::QuicTime::Delta::FromMilliseconds(4200), 1, 1, 1,
+            8, false, quic::QuicTime::Delta::FromMilliseconds(4000), 1, 1, 1,
             quic::QUIC_NETWORK_IDLE_TIMEOUT, "No recent network activity."));
   }
 
@@ -3506,90 +3433,84 @@ TEST_P(QuicNetworkTransactionTest,
 // over TCP.
 TEST_P(QuicNetworkTransactionTest,
        TooManyRtosAfterHandshakeConfirmedThenBroken) {
-  session_params_.mark_quic_broken_when_network_blackholes = true;
-  session_params_.quic_connection_options.push_back(quic::k5RTO);
+  session_params_.quic_params.mark_quic_broken_when_network_blackholes = true;
+  session_params_.quic_params.connection_options.push_back(quic::k5RTO);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
+  client_maker_.set_save_packet_frames(true);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
-
-  std::string settings_data;
-  quic::QuicStreamOffset settings_offset = header_stream_offset;
-  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
-  // TLP 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          3, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // TLP 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          4, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          5, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
   quic_data.AddWrite(
       SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          6, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          7, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          8, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 3
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          9, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          10, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 4
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          11, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          12, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
 
-  quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectionClosePacket(
-                                      13, true, quic::QUIC_TOO_MANY_RTOS,
-                                      "5 consecutive retransmission timeouts"));
+  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
 
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 4, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 6, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 9, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 10, true));
+    // RTO 4
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 11, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 12, true));
+
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           13, true, quic::QUIC_TOO_MANY_RTOS,
+                           "5 consecutive retransmission timeouts"));
+  } else {
+    // Settings were sent in the request packet so there is only 1 packet to
+    // retransmit.
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 2, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 6, true));
+    // RTO 4
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           8, true, quic::QUIC_TOO_MANY_RTOS,
+                           "5 consecutive retransmission timeouts"));
+  }
   quic_data.AddRead(ASYNC, OK);
   quic_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -3658,91 +3579,101 @@ TEST_P(QuicNetworkTransactionTest,
 // QUIC will be marked as broken.
 TEST_P(QuicNetworkTransactionTest,
        TooManyRtosAfterHandshakeConfirmedAndStreamResetThenBroken) {
-  session_params_.mark_quic_broken_when_network_blackholes = true;
-  session_params_.quic_connection_options.push_back(quic::k5RTO);
+  session_params_.quic_params.mark_quic_broken_when_network_blackholes = true;
+  session_params_.quic_params.connection_options.push_back(quic::k5RTO);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
+  client_maker_.set_save_packet_frames(true);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
+  quic_data.AddWrite(
+      SYNCHRONOUS,
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
 
-  std::string settings_data;
-  quic::QuicStreamOffset settings_offset = header_stream_offset;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
 
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRstPacket(
-                         3, true, GetNthClientInitiatedBidirectionalStreamId(0),
-                         quic::QUIC_STREAM_CANCELLED));
-  // TLP 1
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          4, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // TLP 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          5, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 1
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRstPacket(
-                         6, true, GetNthClientInitiatedBidirectionalStreamId(0),
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    quic_data.AddWrite(
+        SYNCHRONOUS, client_maker_.MakeRstPacket(
+                         2, true, GetNthClientInitiatedBidirectionalStreamId(0),
                          quic::QUIC_STREAM_CANCELLED));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          7, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  // RTO 2
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          8, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRstPacket(
-                         9, true, GetNthClientInitiatedBidirectionalStreamId(0),
+    // Since the headers are sent on the data stream, when the stream is reset
+    // the headers are no longer retransmitted.
+    client_maker_.RemoveSavedStreamFrames(
+        GetNthClientInitiatedBidirectionalStreamId(0));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 3, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 4, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 5, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 6, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 9, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 10, true));
+    // RTO 4
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 11, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 12, true));
+    // RTO 5
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeConnectionClosePacket(
+                           13, true, quic::QUIC_TOO_MANY_RTOS,
+                           "5 consecutive retransmission timeouts"));
+  } else {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
+    quic_data.AddWrite(
+        SYNCHRONOUS, client_maker_.MakeRstPacket(
+                         3, true, GetNthClientInitiatedBidirectionalStreamId(0),
                          quic::QUIC_STREAM_CANCELLED));
-  // RTO 3
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          10, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          11, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, settings_offset, settings_data));
-  // RTO 4
-  quic_data.AddWrite(
-      SYNCHRONOUS, client_maker_.MakeRstPacket(
-                       12, true, GetNthClientInitiatedBidirectionalStreamId(0),
-                       quic::QUIC_STREAM_CANCELLED));
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          13, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          true, false, 0, request_data));
+    // TLP 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 4, true));
+    // TLP 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 5, true));
+    // RTO 1
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(3, 6, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 7, true));
+    // RTO 2
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 8, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(3, 9, true));
+    // RTO 3
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 10, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(2, 11, true));
+    // RTO 4
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(3, 12, true));
+    quic_data.AddWrite(SYNCHRONOUS,
+                       client_maker_.MakeRetransmissionPacket(1, 13, true));
   // RTO 5
   quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectionClosePacket(
                                       14, true, quic::QUIC_TOO_MANY_RTOS,
                                       "5 consecutive retransmission timeouts"));
+  }
 
   quic_data.AddRead(ASYNC, OK);
   quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -3793,20 +3724,24 @@ TEST_P(QuicNetworkTransactionTest,
 // retried over TCP and the QUIC will be marked as broken.
 TEST_P(QuicNetworkTransactionTest,
        ProtocolErrorAfterHandshakeConfirmedThenBroken) {
-  session_params_.quic_idle_connection_timeout_seconds = 5;
+  session_params_.quic_params.idle_connection_timeout =
+      base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
-  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
   quic_data.AddWrite(SYNCHRONOUS,
-                     ConstructInitialSettingsPacket(2, &header_stream_offset));
+                     ConstructClientRequestHeadersPacket(
+                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                         true, GetRequestHeaders("GET", "https", "/")));
+  client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
+  uint64_t packet_number = 2;
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS,
+                       ConstructInitialSettingsPacket(packet_number++));
+  }
+  quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
+
   // Peer sending data from an non-existing stream causes this end to raise
   // error and close connection.
   quic_data.AddRead(
@@ -3814,10 +3749,10 @@ TEST_P(QuicNetworkTransactionTest,
                  1, false, GetNthClientInitiatedBidirectionalStreamId(47),
                  quic::QUIC_STREAM_LAST_ERROR));
   std::string quic_error_details = "Data for nonexistent stream";
-  quic_data.AddWrite(SYNCHRONOUS,
-                     ConstructClientAckAndConnectionClosePacket(
-                         3, quic::QuicTime::Delta::Zero(), 1, 1, 1,
-                         quic::QUIC_INVALID_STREAM_ID, quic_error_details));
+  quic_data.AddWrite(
+      SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(
+                       packet_number++, quic::QuicTime::Delta::Zero(), 1, 1, 1,
+                       quic::QUIC_INVALID_STREAM_ID, quic_error_details));
   quic_data.AddSocketDataToFactory(&socket_factory_);
 
   // After that fails, it will be resent via TCP.
@@ -3857,6 +3792,7 @@ TEST_P(QuicNetworkTransactionTest,
   // Explicitly confirm the handshake.
   crypto_client_stream_factory_.last_stream()->SendOnCryptoHandshakeEvent(
       quic::QuicSession::HANDSHAKE_CONFIRMED);
+  quic_data.Resume();
 
   // Run the QUIC session to completion.
   base::RunLoop().RunUntilIdle();
@@ -3883,25 +3819,22 @@ TEST_P(QuicNetworkTransactionTest,
 // retried over TCP.
 TEST_P(QuicNetworkTransactionTest, ResetAfterHandshakeConfirmedThenBroken) {
   // The request will initially go out over QUIC.
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
       ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
 
-  std::string request_data;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeRequestHeadersPacketAndSaveData(
-                         1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, priority, GetRequestHeaders("GET", "https", "/"),
-                         0, nullptr, &header_stream_offset, &request_data));
+  quic_data.AddWrite(
+      SYNCHRONOUS,
+      client_maker_.MakeRequestHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+          priority, GetRequestHeaders("GET", "https", "/"), 0, nullptr));
 
-  std::string settings_data;
-  // quic::QuicStreamOffset settings_offset = header_stream_offset;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  quic_data.AddWrite(SYNCHRONOUS,
-                     client_maker_.MakeInitialSettingsPacketAndSaveData(
-                         2, &header_stream_offset, &settings_data));
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(2));
+  }
+  quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   quic_data.AddRead(ASYNC,
                     ConstructServerRstPacket(
@@ -3948,6 +3881,7 @@ TEST_P(QuicNetworkTransactionTest, ResetAfterHandshakeConfirmedThenBroken) {
   // Explicitly confirm the handshake.
   crypto_client_stream_factory_.last_stream()->SendOnCryptoHandshakeEvent(
       quic::QuicSession::HANDSHAKE_CONFIRMED);
+  quic_data.Resume();
 
   // Run the QUIC session to completion.
   ASSERT_TRUE(quic_data.AllWriteDataConsumed());
@@ -3973,7 +3907,7 @@ TEST_P(QuicNetworkTransactionTest, ResetAfterHandshakeConfirmedThenBroken) {
 // the remote Alt-Svc.
 // This is a regression test for crbug/825646.
 TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
-  session_params_.quic_allow_remote_alt_svc = true;
+  session_params_.quic_params.allow_remote_alt_svc = true;
 
   GURL origin1 = request_.url;  // mail.example.org
   GURL origin2("https://www.example.org/");
@@ -3989,31 +3923,27 @@ TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
   verify_details.cert_verify_result.is_issued_by_known_root = true;
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset request_header_offset(0);
-  quic::QuicStreamOffset response_header_offset(0);
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &request_header_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &request_header_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
 
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
-  MockQuicData mock_quic_data2;
+  MockQuicData mock_quic_data2(version_);
   mock_quic_data2.AddSocketDataToFactory(&socket_factory_);
   AddHangingNonAlternateProtocolSocketData();
 
@@ -4027,11 +3957,11 @@ TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
   alternative_services.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           local_alternative, expiration,
-          session_->params().quic_supported_versions));
+          session_->params().quic_params.supported_versions));
   alternative_services.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           remote_alternative, expiration,
-          session_->params().quic_supported_versions));
+          session_->params().quic_params.supported_versions));
   http_server_properties_.SetAlternativeServices(url::SchemeHostPort(origin1),
                                                  alternative_services);
 
@@ -4047,15 +3977,13 @@ TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
 // This is a regression tests for crbug/731303.
 TEST_P(QuicNetworkTransactionTest,
        ResetPooledAfterHandshakeConfirmedThenBroken) {
-  session_params_.quic_allow_remote_alt_svc = true;
+  session_params_.quic_params.allow_remote_alt_svc = true;
 
   GURL origin1 = request_.url;
   GURL origin2("https://www.example.org/");
   ASSERT_NE(origin1.host(), origin2.host());
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset request_header_offset(0);
-  quic::QuicStreamOffset response_header_offset(0);
+  MockQuicData mock_quic_data(version_);
 
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "wildcard.pem"));
@@ -4067,23 +3995,21 @@ TEST_P(QuicNetworkTransactionTest,
   verify_details.cert_verify_result.is_issued_by_known_root = true;
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &request_header_offset));
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   // First request.
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &request_header_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
 
   // Second request will go over the pooled QUIC connection, but will be
@@ -4100,8 +4026,7 @@ TEST_P(QuicNetworkTransactionTest,
       ConstructClientRequestHeadersPacket(
           4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
           GetRequestHeaders("GET", "https", "/", &client_maker2),
-          GetNthClientInitiatedBidirectionalStreamId(0),
-          &request_header_offset));
+          GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerRstPacket(
                  3, false, GetNthClientInitiatedBidirectionalStreamId(1),
@@ -4195,7 +4120,7 @@ TEST_P(QuicNetworkTransactionTest,
 // If no existing QUIC session can be used, use the first alternative service
 // from the list.
 TEST_P(QuicNetworkTransactionTest, UseExistingAlternativeServiceForQuic) {
-  session_params_.quic_allow_remote_alt_svc = true;
+  session_params_.quic_params.allow_remote_alt_svc = true;
   MockRead http_reads[] = {
       MockRead("HTTP/1.1 200 OK\r\n"),
       MockRead("Alt-Svc: quic=\"foo.example.org:443\", quic=\":444\"\r\n\r\n"),
@@ -4208,33 +4133,28 @@ TEST_P(QuicNetworkTransactionTest, UseExistingAlternativeServiceForQuic) {
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  quic::QuicStreamOffset request_header_offset = 0;
-  quic::QuicStreamOffset response_header_offset = 0;
   // First QUIC request data.
   // Open a session to foo.example.org:443 using the first entry of the
   // alternative service list.
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &request_header_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &request_header_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
 
   std::string alt_svc_list =
       "quic=\"mail.example.org:444\", quic=\"foo.example.org:443\", "
       "quic=\"bar.example.org:445\"";
   mock_quic_data.AddRead(
-      ASYNC,
-      ConstructServerResponseHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-          GetResponseHeaders("200 OK", alt_svc_list), &response_header_offset));
+      ASYNC, ConstructServerResponseHeadersPacket(
+                 1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 GetResponseHeaders("200 OK", alt_svc_list)));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
 
   // Second QUIC request data.
@@ -4244,16 +4164,15 @@ TEST_P(QuicNetworkTransactionTest, UseExistingAlternativeServiceForQuic) {
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        4, GetNthClientInitiatedBidirectionalStreamId(1), false,
                        true, GetRequestHeaders("GET", "https", "/"),
-                       GetNthClientInitiatedBidirectionalStreamId(0),
-                       &request_header_offset));
+                       GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(5, 4, 3, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
@@ -4279,31 +4198,26 @@ TEST_P(QuicNetworkTransactionTest, UseExistingAlternativeServiceForQuic) {
 TEST_P(QuicNetworkTransactionTest, UseExistingQUICAlternativeProxy) {
   base::HistogramTester histogram_tester;
 
-  quic::QuicStreamOffset request_header_offset = 0;
-  quic::QuicStreamOffset response_header_offset = 0;
   // First QUIC request data.
   // Open a session to foo.example.org:443 using the first entry of the
   // alternative service list.
-  MockQuicData mock_quic_data;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &request_header_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "http", "/"), &request_header_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "http", "/")));
 
   std::string alt_svc_list;
   mock_quic_data.AddRead(
-      ASYNC,
-      ConstructServerResponseHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-          GetResponseHeaders("200 OK", alt_svc_list), &response_header_offset));
+      ASYNC, ConstructServerResponseHeadersPacket(
+                 1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 GetResponseHeaders("200 OK", alt_svc_list)));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
 
   // Second QUIC request data.
@@ -4313,16 +4227,15 @@ TEST_P(QuicNetworkTransactionTest, UseExistingQUICAlternativeProxy) {
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        4, GetNthClientInitiatedBidirectionalStreamId(1), false,
                        true, GetRequestHeaders("GET", "http", "/"),
-                       GetNthClientInitiatedBidirectionalStreamId(0),
-                       &request_header_offset));
+                       GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(5, 4, 3, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
@@ -4364,28 +4277,24 @@ TEST_P(QuicNetworkTransactionTest, UseExistingQUICAlternativeProxy) {
 // Pool to existing session with matching quic::QuicServerId
 // even if alternative service destination is different.
 TEST_P(QuicNetworkTransactionTest, PoolByOrigin) {
-  session_params_.quic_allow_remote_alt_svc = true;
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset request_header_offset(0);
-  quic::QuicStreamOffset response_header_offset(0);
+  session_params_.quic_params.allow_remote_alt_svc = true;
+  MockQuicData mock_quic_data(version_);
 
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &request_header_offset));
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   // First request.
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &request_header_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
 
   // Second request.
@@ -4393,16 +4302,15 @@ TEST_P(QuicNetworkTransactionTest, PoolByOrigin) {
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        4, GetNthClientInitiatedBidirectionalStreamId(1), false,
                        true, GetRequestHeaders("GET", "https", "/"),
-                       GetNthClientInitiatedBidirectionalStreamId(0),
-                       &request_header_offset));
+                       GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(5, 4, 3, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
@@ -4445,32 +4353,28 @@ TEST_P(QuicNetworkTransactionTest, PoolByOrigin) {
 // even if origin is different, and even if the alternative service with
 // matching destination is not the first one on the list.
 TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
-  session_params_.quic_allow_remote_alt_svc = true;
+  session_params_.quic_params.allow_remote_alt_svc = true;
   GURL origin1 = request_.url;
   GURL origin2("https://www.example.org/");
   ASSERT_NE(origin1.host(), origin2.host());
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset request_header_offset(0);
-  quic::QuicStreamOffset response_header_offset(0);
+  MockQuicData mock_quic_data(version_);
 
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &request_header_offset));
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   // First request.
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &request_header_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
 
   // Second request.
@@ -4486,16 +4390,15 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
       ConstructClientRequestHeadersPacket(
           4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
           GetRequestHeaders("GET", "https", "/", &client_maker2),
-          GetNthClientInitiatedBidirectionalStreamId(0),
-          &request_header_offset));
+          GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(5, 4, 3, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
@@ -4531,11 +4434,11 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
   alternative_services.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service2, expiration,
-          session_->params().quic_supported_versions));
+          session_->params().quic_params.supported_versions));
   alternative_services.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service1, expiration,
-          session_->params().quic_supported_versions));
+          session_->params().quic_params.supported_versions));
   http_server_properties_.SetAlternativeServices(url::SchemeHostPort(origin2),
                                                  alternative_services);
   // First request opens connection to |destination1|
@@ -4555,7 +4458,7 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
 // if this is also the first existing QUIC session.
 TEST_P(QuicNetworkTransactionTest,
        UseSharedExistingAlternativeServiceForQuicWithValidCert) {
-  session_params_.quic_allow_remote_alt_svc = true;
+  session_params_.quic_params.allow_remote_alt_svc = true;
   // Default cert is valid for *.example.org
 
   // HTTP data for request to www.example.org.
@@ -4583,34 +4486,29 @@ TEST_P(QuicNetworkTransactionTest,
   socket_factory_.AddSocketDataProvider(&http_data2);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  quic::QuicStreamOffset request_header_offset = 0;
-  quic::QuicStreamOffset response_header_offset = 0;
-
   QuicTestPacketMaker client_maker(
       version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
       &clock_, "mail.example.org", quic::Perspective::IS_CLIENT,
       client_headers_include_h2_stream_dependency_);
   server_maker_.set_hostname("www.example.org");
   client_maker_.set_hostname("www.example.org");
-  MockQuicData mock_quic_data;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &request_header_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   // First QUIC request data.
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &request_header_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
 
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(21);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello from mail QUIC!"));
+                 header + "hello from mail QUIC!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   // Second QUIC request data.
   mock_quic_data.AddWrite(
@@ -4618,16 +4516,15 @@ TEST_P(QuicNetworkTransactionTest,
       ConstructClientRequestHeadersPacket(
           4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
           GetRequestHeaders("GET", "https", "/", &client_maker),
-          GetNthClientInitiatedBidirectionalStreamId(0),
-          &request_header_offset));
+          GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &response_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
-                 0, header + "hello from mail QUIC!"));
+                 header + "hello from mail QUIC!"));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(5, 4, 3, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
@@ -4699,15 +4596,12 @@ TEST_P(QuicNetworkTransactionTest, ConfirmAlternativeService) {
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -4716,7 +4610,7 @@ TEST_P(QuicNetworkTransactionTest, ConfirmAlternativeService) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -4756,15 +4650,12 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceForQuicForHttps) {
   socket_factory_.AddSocketDataProvider(&http_data);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -4773,7 +4664,7 @@ TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceForQuicForHttps) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, 0);  // EOF
 
@@ -4793,15 +4684,12 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyWithRacing) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "HTTPS mail.example.org:443", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "http", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "http", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -4810,7 +4698,7 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyWithRacing) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -4896,14 +4784,12 @@ TEST_P(QuicNetworkTransactionTest, HungAlternativeService) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithHttpRace) {
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       1, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -4912,7 +4798,7 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithHttpRace) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(2, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -4933,7 +4819,7 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithHttpRace) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithNoHttpRace) {
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
@@ -4947,7 +4833,7 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithNoHttpRace) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(2, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -4998,15 +4884,12 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithProxy) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithConfirmationRequired) {
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -5015,7 +4898,7 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithConfirmationRequired) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -5051,57 +4934,49 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithConfirmationRequired) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithTooEarlyResponse) {
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset client_header_stream_offset = 0;
-  quic::QuicStreamOffset server_header_stream_offset = 0;
+  uint64_t packet_number = 1;
+  MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
-                       1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, GetRequestHeaders("GET", "https", "/"),
-                       &client_header_stream_offset));
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          packet_number++, GetNthClientInitiatedBidirectionalStreamId(0), true,
+          true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
-      ASYNC,
-      ConstructServerResponseHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-          GetResponseHeaders("425 TOO_EARLY"), &server_header_stream_offset));
-  mock_quic_data.AddWrite(SYNCHRONOUS,
-                          ConstructClientAckAndRstPacket(
-                              2, GetNthClientInitiatedBidirectionalStreamId(0),
-                              quic::QUIC_STREAM_CANCELLED, 1, 1, 1));
+      ASYNC, ConstructServerResponseHeadersPacket(
+                 1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 GetResponseHeaders("425 TOO_EARLY")));
+  mock_quic_data.AddWrite(
+      SYNCHRONOUS,
+      ConstructClientAckAndRstPacket(
+          packet_number++, GetNthClientInitiatedBidirectionalStreamId(0),
+          quic::QUIC_STREAM_CANCELLED, 1, 1, 1));
 
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
 
-  spdy::SpdySettingsIR settings_frame;
-  settings_frame.AddSetting(spdy::SETTINGS_MAX_HEADER_LIST_SIZE,
-                            quic::kDefaultMaxUncompressedHeaderSize);
-  spdy::SpdySerializedFrame spdy_frame(
-      client_maker_.spdy_request_framer()->SerializeFrame(settings_frame));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          3, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, client_header_stream_offset,
-          quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size())));
-  client_header_stream_offset += spdy_frame.size();
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    mock_quic_data.AddWrite(
+        SYNCHRONOUS, client_maker_.MakeSettingsPacket(packet_number++, false));
+  }
 
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
-                       4, GetNthClientInitiatedBidirectionalStreamId(1), false,
-                       true, GetRequestHeaders("GET", "https", "/"),
-                       GetNthClientInitiatedBidirectionalStreamId(0),
-                       &client_header_stream_offset));
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          packet_number++, GetNthClientInitiatedBidirectionalStreamId(1), false,
+          true, GetRequestHeaders("GET", "https", "/"),
+          GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_stream_offset));
+                 GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(5, 3, 1, 1));
+      SYNCHRONOUS,
+      ConstructClientAckAndConnectionClosePacket(packet_number++, 3, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
 
@@ -5143,55 +5018,46 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithTooEarlyResponse) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithMultipleTooEarlyResponse) {
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset client_header_stream_offset = 0;
-  quic::QuicStreamOffset server_header_stream_offset = 0;
+  uint64_t packet_number = 1;
+  MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
-                       1, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, GetRequestHeaders("GET", "https", "/"),
-                       &client_header_stream_offset));
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          packet_number++, GetNthClientInitiatedBidirectionalStreamId(0), true,
+          true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
-      ASYNC,
-      ConstructServerResponseHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-          GetResponseHeaders("425 TOO_EARLY"), &server_header_stream_offset));
-  mock_quic_data.AddWrite(SYNCHRONOUS,
-                          ConstructClientAckAndRstPacket(
-                              2, GetNthClientInitiatedBidirectionalStreamId(0),
-                              quic::QUIC_STREAM_CANCELLED, 1, 1, 1));
+      ASYNC, ConstructServerResponseHeadersPacket(
+                 1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 GetResponseHeaders("425 TOO_EARLY")));
+  mock_quic_data.AddWrite(
+      SYNCHRONOUS,
+      ConstructClientAckAndRstPacket(
+          packet_number++, GetNthClientInitiatedBidirectionalStreamId(0),
+          quic::QUIC_STREAM_CANCELLED, 1, 1, 1));
 
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
 
-  spdy::SpdySettingsIR settings_frame;
-  settings_frame.AddSetting(spdy::SETTINGS_MAX_HEADER_LIST_SIZE,
-                            quic::kDefaultMaxUncompressedHeaderSize);
-  spdy::SpdySerializedFrame spdy_frame(
-      client_maker_.spdy_request_framer()->SerializeFrame(settings_frame));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeDataPacket(
-          3, quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-          false, false, client_header_stream_offset,
-          quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size())));
-  client_header_stream_offset += spdy_frame.size();
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
+    mock_quic_data.AddWrite(
+        SYNCHRONOUS, client_maker_.MakeSettingsPacket(packet_number++, false));
+  }
 
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
-                       4, GetNthClientInitiatedBidirectionalStreamId(1), false,
-                       true, GetRequestHeaders("GET", "https", "/"),
-                       GetNthClientInitiatedBidirectionalStreamId(0),
-                       &client_header_stream_offset));
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          packet_number++, GetNthClientInitiatedBidirectionalStreamId(1), false,
+          true, GetRequestHeaders("GET", "https", "/"),
+          GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
-      ASYNC,
-      ConstructServerResponseHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-          GetResponseHeaders("425 TOO_EARLY"), &server_header_stream_offset));
-  mock_quic_data.AddWrite(SYNCHRONOUS,
-                          ConstructClientAckAndRstPacket(
-                              5, GetNthClientInitiatedBidirectionalStreamId(1),
-                              quic::QUIC_STREAM_CANCELLED, 2, 1, 1));
+      ASYNC, ConstructServerResponseHeadersPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
+                 GetResponseHeaders("425 TOO_EARLY")));
+  mock_quic_data.AddWrite(
+      SYNCHRONOUS,
+      ConstructClientAckAndRstPacket(
+          packet_number++, GetNthClientInitiatedBidirectionalStreamId(1),
+          quic::QUIC_STREAM_CANCELLED, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
 
@@ -5241,16 +5107,13 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithMultipleTooEarlyResponse) {
 
 TEST_P(QuicNetworkTransactionTest,
        LogGranularQuicErrorCodeOnQuicProtocolErrorLocal) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   // Read a close connection packet with
   // quic::QuicErrorCode: quic::QUIC_CRYPTO_VERSION_NOT_SUPPORTED from the peer.
   mock_quic_data.AddRead(ASYNC, ConstructServerConnectionClosePacket(1));
@@ -5293,16 +5156,13 @@ TEST_P(QuicNetworkTransactionTest,
 
 TEST_P(QuicNetworkTransactionTest,
        LogGranularQuicErrorCodeOnQuicProtocolErrorRemote) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   // Peer sending data from an non-existing stream causes this end to raise
   // error and close connection.
   mock_quic_data.AddRead(
@@ -5349,15 +5209,12 @@ TEST_P(QuicNetworkTransactionTest,
 }
 
 TEST_P(QuicNetworkTransactionTest, RstSteamErrorHandling) {
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   // Read the response headers, then a RST_STREAM frame.
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
@@ -5413,16 +5270,13 @@ TEST_P(QuicNetworkTransactionTest, RstSteamErrorHandling) {
 }
 
 TEST_P(QuicNetworkTransactionTest, RstSteamBeforeHeaders) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerRstPacket(
                  1, false, GetNthClientInitiatedBidirectionalStreamId(0),
@@ -5551,14 +5405,12 @@ TEST_P(QuicNetworkTransactionTest, DelayTCPOnStartWithQuicSupportOnSameIP) {
   // local IP address is sorted out after we configure the UDP socket.
   http_server_properties_.SetSupportsQuic(true, IPAddress(192, 0, 2, 33));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       1, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -5567,7 +5419,7 @@ TEST_P(QuicNetworkTransactionTest, DelayTCPOnStartWithQuicSupportOnSameIP) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(2, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -5610,15 +5462,12 @@ TEST_P(QuicNetworkTransactionTest,
   // sorted out after we configure the UDP socket.
   http_server_properties_.SetSupportsQuic(true, IPAddress(1, 2, 3, 4));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -5627,7 +5476,7 @@ TEST_P(QuicNetworkTransactionTest,
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -5665,7 +5514,7 @@ TEST_P(QuicNetworkTransactionTest, NetErrorDetailsSetBeforeHandshake) {
   // handshake has not yet been confirmed and no stream has been created.
 
   // QUIC job will pause. When resumed, it will fail.
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version_);
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   mock_quic_data.AddRead(ASYNC, ERR_CONNECTION_CLOSED);
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -5787,7 +5636,7 @@ TEST_P(QuicNetworkTransactionTest, BrokenAlternateProtocolOnConnectFailure) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ConnectionCloseDuringConnect) {
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version_);
   mock_quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeDummyCHLOPacket(1));
   mock_quic_data.AddRead(ASYNC, ConstructServerConnectionClosePacket(1));
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -5846,7 +5695,7 @@ TEST_P(QuicNetworkTransactionTest, BrokenAlternativeProxyAddressUnreachable) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ConnectionCloseDuringConnectProxy) {
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version_);
   mock_quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeDummyCHLOPacket(1));
   mock_quic_data.AddRead(ASYNC, ConstructServerConnectionClosePacket(1));
   mock_quic_data.AddWrite(
@@ -5896,15 +5745,12 @@ TEST_P(QuicNetworkTransactionTest, SecureResourceOverSecureQuic) {
   client_maker_.set_hostname("www.example.org");
   EXPECT_FALSE(
       test_socket_performance_watcher_factory_.rtt_notification_received());
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -5913,7 +5759,7 @@ TEST_P(QuicNetworkTransactionTest, SecureResourceOverSecureQuic) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more read data.
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -5977,7 +5823,7 @@ TEST_P(QuicNetworkTransactionTest,
 }
 
 TEST_P(QuicNetworkTransactionTest, QuicUpload) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
@@ -6004,7 +5850,7 @@ TEST_P(QuicNetworkTransactionTest, QuicUpload) {
 }
 
 TEST_P(QuicNetworkTransactionTest, QuicUploadWriteError) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
   ScopedMockNetworkChangeNotifier network_change_notifier;
   MockNetworkChangeNotifier* mock_ncn =
       network_change_notifier.mock_network_change_notifier();
@@ -6012,23 +5858,21 @@ TEST_P(QuicNetworkTransactionTest, QuicUploadWriteError) {
   mock_ncn->SetConnectedNetworksList(
       {kDefaultNetworkForTests, kNewNetworkForTests});
 
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
-  session_params_.quic_migrate_sessions_on_network_change_v2 = true;
+  session_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  quic::QuicStreamOffset offset = 0;
-  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1, &offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   socket_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, false,
-          GetRequestHeaders("POST", "https", "/"), &offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       false, GetRequestHeaders("POST", "https", "/")));
   socket_data.AddWrite(SYNCHRONOUS, ERR_FAILED);
   socket_data.AddSocketDataToFactory(&socket_factory_);
 
-  MockQuicData socket_data2;
+  MockQuicData socket_data2(version_);
   socket_data2.AddConnect(SYNCHRONOUS, ERR_ADDRESS_INVALID);
   socket_data2.AddSocketDataToFactory(&socket_factory_);
 
@@ -6058,17 +5902,16 @@ TEST_P(QuicNetworkTransactionTest, QuicUploadWriteError) {
 }
 
 TEST_P(QuicNetworkTransactionTest, RetryAfterAsyncNoBufferSpace) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset offset = 0;
-  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1, &offset));
+  MockQuicData socket_data(version_);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   socket_data.AddWrite(ASYNC, ERR_NO_BUFFER_SPACE);
   socket_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, GetRequestHeaders("GET", "https", "/"), &offset));
+                       true, GetRequestHeaders("GET", "https", "/")));
   socket_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -6077,7 +5920,7 @@ TEST_P(QuicNetworkTransactionTest, RetryAfterAsyncNoBufferSpace) {
   socket_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   socket_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
   socket_data.AddWrite(
@@ -6094,17 +5937,16 @@ TEST_P(QuicNetworkTransactionTest, RetryAfterAsyncNoBufferSpace) {
 }
 
 TEST_P(QuicNetworkTransactionTest, RetryAfterSynchronousNoBufferSpace) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset offset = 0;
-  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1, &offset));
+  MockQuicData socket_data(version_);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   socket_data.AddWrite(SYNCHRONOUS, ERR_NO_BUFFER_SPACE);
   socket_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, GetRequestHeaders("GET", "https", "/"), &offset));
+                       true, GetRequestHeaders("GET", "https", "/")));
   socket_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -6113,7 +5955,7 @@ TEST_P(QuicNetworkTransactionTest, RetryAfterSynchronousNoBufferSpace) {
   socket_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   socket_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
   socket_data.AddWrite(
@@ -6130,14 +5972,13 @@ TEST_P(QuicNetworkTransactionTest, RetryAfterSynchronousNoBufferSpace) {
 }
 
 TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterAsyncNoBufferSpace) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
-  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1, &offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   for (int i = 0; i < 13; ++i) {  // 12 retries then one final failure.
     socket_data.AddWrite(ASYNC, ERR_NO_BUFFER_SPACE);
   }
@@ -6167,14 +6008,13 @@ TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterAsyncNoBufferSpace) {
 }
 
 TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterSynchronousNoBufferSpace) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
-  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1, &offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   for (int i = 0; i < 13; ++i) {  // 12 retries then one final failure.
     socket_data.AddWrite(ASYNC, ERR_NO_BUFFER_SPACE);
   }
@@ -6204,17 +6044,16 @@ TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterSynchronousNoBufferSpace) {
 }
 
 TEST_P(QuicNetworkTransactionTest, NoMigrationForMsgTooBig) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
   const std::string error_details =
       quic::QuicStrCat("Write failed with error: ", ERR_MSG_TOO_BIG, " (",
                        strerror(ERR_MSG_TOO_BIG), ")");
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1, &offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   socket_data.AddWrite(SYNCHRONOUS, ERR_MSG_TOO_BIG);
   // Connection close packet will be sent for MSG_TOO_BIG.
   socket_data.AddWrite(
@@ -6237,59 +6076,56 @@ TEST_P(QuicNetworkTransactionTest, NoMigrationForMsgTooBig) {
 
 // Adds coverage to catch regression such as https://crbug.com/622043
 TEST_P(QuicNetworkTransactionTest, QuicServerPush) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
   uint64_t client_packet_number = 1;
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(client_packet_number++,
-                                                  &header_stream_offset));
+      SYNCHRONOUS, ConstructInitialSettingsPacket(client_packet_number++));
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRequestHeadersPacket(
           client_packet_number++, GetNthClientInitiatedBidirectionalStreamId(0),
-          true, true, GetRequestHeaders("GET", "https", "/"),
-          &header_stream_offset));
-  quic::QuicStreamOffset server_header_offset = 0;
+          true, true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
-      ASYNC, ConstructServerPushPromisePacket(
-                 1, GetNthClientInitiatedBidirectionalStreamId(0),
-                 GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 GetRequestHeaders("GET", "https", "/pushed.jpg"),
-                 &server_header_offset, &server_maker_));
-  if (client_headers_include_h2_stream_dependency_ &&
-      version_.transport_version >= quic::QUIC_VERSION_43) {
-    mock_quic_data.AddWrite(SYNCHRONOUS,
-                            ConstructClientPriorityPacket(
-                                client_packet_number++, false,
-                                GetNthServerInitiatedUnidirectionalStreamId(0),
-                                GetNthClientInitiatedBidirectionalStreamId(0),
-                                DEFAULT_PRIORITY, &header_stream_offset));
+      ASYNC,
+      ConstructServerPushPromisePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0),
+          GetNthServerInitiatedUnidirectionalStreamId(0), false,
+          GetRequestHeaders("GET", "https", "/pushed.jpg"), &server_maker_));
+  if ((client_headers_include_h2_stream_dependency_ &&
+       version_.transport_version >= quic::QUIC_VERSION_43) ||
+      VersionHasStreamType(version_.transport_version)) {
+    mock_quic_data.AddWrite(
+        SYNCHRONOUS,
+        ConstructClientPriorityPacket(
+            client_packet_number++, false,
+            GetNthServerInitiatedUnidirectionalStreamId(0),
+            GetNthClientInitiatedBidirectionalStreamId(0), DEFAULT_PRIORITY));
   }
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(client_packet_number++, 2, 1, 1));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 false, GetResponseHeaders("200 OK"), &server_header_offset));
+                 false, GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(client_packet_number++, 4, 3, 1));
   std::string header2 = ConstructDataHeader(10);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  5, GetNthServerInitiatedUnidirectionalStreamId(0), false, true,
-                 0, header2 + "and hello!"));
+                 header2 + "and hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS,
                           ConstructClientAckAndRstPacket(
                               client_packet_number++,
@@ -6312,8 +6148,7 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPush) {
   SendRequestAndExpectQuicResponse("and hello!");
 
   // Check that the NetLog was filled reasonably.
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   EXPECT_LT(0u, entries.size());
 
   // Check that we logged a QUIC_HTTP_STREAM_ADOPTED_PUSH_STREAM
@@ -6327,46 +6162,43 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPush) {
 // is closed before the pushed headers arrive, but after the connection
 // is closed and before the callbacks are executed.
 TEST_P(QuicNetworkTransactionTest, CancelServerPushAfterConnectionClose) {
-  session_params_.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
   uint64_t client_packet_number = 1;
   // Initial SETTINGS frame.
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(client_packet_number++,
-                                                  &header_stream_offset));
+      SYNCHRONOUS, ConstructInitialSettingsPacket(client_packet_number++));
   // First request: GET https://mail.example.org/
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRequestHeadersPacket(
           client_packet_number++, GetNthClientInitiatedBidirectionalStreamId(0),
-          true, true, GetRequestHeaders("GET", "https", "/"),
-          &header_stream_offset));
-  quic::QuicStreamOffset server_header_offset = 0;
+          true, true, GetRequestHeaders("GET", "https", "/")));
   // Server promise for: https://mail.example.org/pushed.jpg
   mock_quic_data.AddRead(
-      ASYNC, ConstructServerPushPromisePacket(
-                 1, GetNthClientInitiatedBidirectionalStreamId(0),
-                 GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 GetRequestHeaders("GET", "https", "/pushed.jpg"),
-                 &server_header_offset, &server_maker_));
-  if (client_headers_include_h2_stream_dependency_ &&
-      version_.transport_version >= quic::QUIC_VERSION_43) {
-    mock_quic_data.AddWrite(SYNCHRONOUS,
-                            ConstructClientPriorityPacket(
-                                client_packet_number++, false,
-                                GetNthServerInitiatedUnidirectionalStreamId(0),
-                                GetNthClientInitiatedBidirectionalStreamId(0),
-                                DEFAULT_PRIORITY, &header_stream_offset));
+      ASYNC,
+      ConstructServerPushPromisePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0),
+          GetNthServerInitiatedUnidirectionalStreamId(0), false,
+          GetRequestHeaders("GET", "https", "/pushed.jpg"), &server_maker_));
+  if ((client_headers_include_h2_stream_dependency_ &&
+       version_.transport_version >= quic::QUIC_VERSION_43) ||
+      VersionHasStreamType(version_.transport_version)) {
+    mock_quic_data.AddWrite(
+        SYNCHRONOUS,
+        ConstructClientPriorityPacket(
+            client_packet_number++, false,
+            GetNthServerInitiatedUnidirectionalStreamId(0),
+            GetNthClientInitiatedBidirectionalStreamId(0), DEFAULT_PRIORITY));
   }
   // Response headers for first request.
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_offset));
+                 GetResponseHeaders("200 OK")));
   // Client ACKs the response headers.
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(client_packet_number++, 2, 1, 1));
@@ -6375,7 +6207,7 @@ TEST_P(QuicNetworkTransactionTest, CancelServerPushAfterConnectionClose) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   // Write error for the third request.
   mock_quic_data.AddWrite(SYNCHRONOUS, ERR_FAILED);
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
@@ -6419,15 +6251,14 @@ TEST_P(QuicNetworkTransactionTest, CancelServerPushAfterConnectionClose) {
 }
 
 TEST_P(QuicNetworkTransactionTest, QuicForceHolBlocking) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version_);
 
-  quic::QuicStreamOffset offset = 0;
   int write_packet_index = 1;
-  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(
-                                           write_packet_index++, &offset));
+  mock_quic_data.AddWrite(SYNCHRONOUS,
+                          ConstructInitialSettingsPacket(write_packet_index++));
 
   std::string header = ConstructDataHeader(1);
   if (version_.transport_version != quic::QUIC_VERSION_99) {
@@ -6436,15 +6267,14 @@ TEST_P(QuicNetworkTransactionTest, QuicForceHolBlocking) {
         ConstructClientRequestHeadersAndDataFramesPacket(
             write_packet_index++, GetNthClientInitiatedBidirectionalStreamId(0),
             true, true, DEFAULT_PRIORITY,
-            GetRequestHeaders("POST", "https", "/"), 0, &offset, nullptr,
-            {"1"}));
+            GetRequestHeaders("POST", "https", "/"), 0, nullptr, {"1"}));
   } else {
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
         ConstructClientRequestHeadersAndDataFramesPacket(
             write_packet_index++, GetNthClientInitiatedBidirectionalStreamId(0),
             true, true, DEFAULT_PRIORITY,
-            GetRequestHeaders("POST", "https", "/"), 0, &offset, nullptr,
+            GetRequestHeaders("POST", "https", "/"), 0, nullptr,
             {header, "1"}));
   }
 
@@ -6457,7 +6287,7 @@ TEST_P(QuicNetworkTransactionTest, QuicForceHolBlocking) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header2 + "hello!"));
+                 header2 + "hello!"));
 
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(write_packet_index++, 2, 1, 1));
@@ -6515,33 +6345,35 @@ class QuicURLRequestContext : public URLRequestContext {
 };
 
 TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullRequest) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   spdy::SpdyHeaderBlock headers(GetRequestHeaders("GET", "https", "/"));
   headers["user-agent"] = "";
   headers["accept-encoding"] = "gzip, deflate";
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, std::move(headers), &header_stream_offset));
+                       true, std::move(headers)));
 
-  quic::QuicStreamOffset expected_raw_header_response_size = 0;
   mock_quic_data.AddRead(
-      ASYNC,
-      ConstructServerResponseHeadersPacket(
-          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-          GetResponseHeaders("200 OK"), &expected_raw_header_response_size));
+      ASYNC, ConstructServerResponseHeadersPacket(
+                 1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 GetResponseHeaders("200 OK")));
+  quic::QuicStreamOffset expected_raw_header_response_size =
+      server_maker_.stream_offset(
+          quic::VersionUsesQpack(version_.transport_version)
+              ? GetNthClientInitiatedBidirectionalStreamId(0)
+              : quic::QuicUtils::GetHeadersStreamId(
+                    version_.transport_version));
 
   std::string header = ConstructDataHeader(18);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, "Main Resource Data"));
+                 "Main Resource Data"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
 
   mock_quic_data.AddRead(ASYNC, 0);  // EOF
@@ -6583,15 +6415,13 @@ TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullRequest) {
 }
 
 TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullPushHeadersFirst) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
   uint64_t client_packet_number = 1;
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(client_packet_number++,
-                                                  &header_stream_offset));
+      SYNCHRONOUS, ConstructInitialSettingsPacket(client_packet_number++));
   spdy::SpdyHeaderBlock headers(GetRequestHeaders("GET", "https", "/"));
   headers["user-agent"] = "";
   headers["accept-encoding"] = "gzip, deflate";
@@ -6599,35 +6429,40 @@ TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullPushHeadersFirst) {
       SYNCHRONOUS,
       ConstructClientRequestHeadersPacket(
           client_packet_number++, GetNthClientInitiatedBidirectionalStreamId(0),
-          true, true, std::move(headers), &header_stream_offset));
-
-  quic::QuicStreamOffset server_header_offset = 0;
-  quic::QuicStreamOffset expected_raw_header_response_size = 0;
+          true, true, std::move(headers)));
 
   mock_quic_data.AddRead(
-      ASYNC, ConstructServerPushPromisePacket(
-                 1, GetNthClientInitiatedBidirectionalStreamId(0),
-                 GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 GetRequestHeaders("GET", "https", "/pushed.jpg"),
-                 &server_header_offset, &server_maker_));
-
-  if (client_headers_include_h2_stream_dependency_ &&
-      version_.transport_version >= quic::QUIC_VERSION_43) {
-    mock_quic_data.AddWrite(SYNCHRONOUS,
-                            ConstructClientPriorityPacket(
-                                client_packet_number++, false,
-                                GetNthServerInitiatedUnidirectionalStreamId(0),
-                                GetNthClientInitiatedBidirectionalStreamId(0),
-                                DEFAULT_PRIORITY, &header_stream_offset));
+      ASYNC,
+      ConstructServerPushPromisePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0),
+          GetNthServerInitiatedUnidirectionalStreamId(0), false,
+          GetRequestHeaders("GET", "https", "/pushed.jpg"), &server_maker_));
+
+  if ((client_headers_include_h2_stream_dependency_ &&
+       version_.transport_version >= quic::QUIC_VERSION_43) ||
+      VersionHasStreamType(version_.transport_version)) {
+    mock_quic_data.AddWrite(
+        SYNCHRONOUS,
+        ConstructClientPriorityPacket(
+            client_packet_number++, false,
+            GetNthServerInitiatedUnidirectionalStreamId(0),
+            GetNthClientInitiatedBidirectionalStreamId(0), DEFAULT_PRIORITY));
   }
 
-  expected_raw_header_response_size = server_header_offset;
+  const quic::QuicStreamOffset initial_offset = server_maker_.stream_offset(
+      quic::VersionUsesQpack(version_.transport_version)
+          ? GetNthClientInitiatedBidirectionalStreamId(0)
+          : quic::QuicUtils::GetHeadersStreamId(version_.transport_version));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_offset));
-  expected_raw_header_response_size =
-      server_header_offset - expected_raw_header_response_size;
+                 GetResponseHeaders("200 OK")));
+  const quic::QuicStreamOffset final_offset = server_maker_.stream_offset(
+      quic::VersionUsesQpack(version_.transport_version)
+          ? GetNthClientInitiatedBidirectionalStreamId(0)
+          : quic::QuicUtils::GetHeadersStreamId(version_.transport_version));
+  quic::QuicStreamOffset expected_raw_header_response_size =
+      final_offset - initial_offset;
 
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(client_packet_number++, 2, 1, 1));
@@ -6635,12 +6470,12 @@ TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullPushHeadersFirst) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 false, GetResponseHeaders("200 OK"), &server_header_offset));
+                 false, GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(20);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthServerInitiatedUnidirectionalStreamId(0), false, true,
-                 0, header + "Pushed Resource Data"));
+                 header + "Pushed Resource Data"));
 
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(client_packet_number++, 4, 3, 1));
@@ -6648,7 +6483,7 @@ TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullPushHeadersFirst) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  5, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header2 + "Main Resource Data"));
+                 header2 + "Main Resource Data"));
 
   mock_quic_data.AddRead(ASYNC, ConstructServerConnectionClosePacket(6));
 
@@ -6702,15 +6537,12 @@ TEST_P(QuicNetworkTransactionTest, HostInWhitelist) {
   AddCertificate(&ssl_data_);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -6719,7 +6551,7 @@ TEST_P(QuicNetworkTransactionTest, HostInWhitelist) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
   mock_quic_data.AddRead(ASYNC, 0);               // EOF
@@ -6781,9 +6613,9 @@ class QuicNetworkTransactionWithDestinationTest
 
     HttpNetworkSession::Params session_params;
     session_params.enable_quic = true;
-    session_params.quic_allow_remote_alt_svc = true;
-    session_params.quic_supported_versions = supported_versions_;
-    session_params.quic_headers_include_h2_stream_dependency =
+    session_params.quic_params.allow_remote_alt_svc = true;
+    session_params.quic_params.supported_versions = supported_versions_;
+    session_params.quic_params.headers_include_h2_stream_dependency =
         client_headers_include_h2_stream_dependency_;
 
     HttpNetworkSession::Context session_context;
@@ -6844,30 +6676,20 @@ class QuicNetworkTransactionWithDestinationTest
         url::SchemeHostPort("https", origin, 443), alternative_service,
         expiration, supported_versions_);
   }
-  std::unique_ptr<quic::QuicEncryptedPacket>
-  ConstructClientRequestHeadersPacket(uint64_t packet_number,
-                                      quic::QuicStreamId stream_id,
-                                      bool should_include_version,
-                                      quic::QuicStreamOffset* offset,
-                                      QuicTestPacketMaker* maker) {
-    return ConstructClientRequestHeadersPacket(
-        packet_number, stream_id, should_include_version, 0, offset, maker);
-  }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
   ConstructClientRequestHeadersPacket(uint64_t packet_number,
                                       quic::QuicStreamId stream_id,
                                       bool should_include_version,
                                       quic::QuicStreamId parent_stream_id,
-                                      quic::QuicStreamOffset* offset,
                                       QuicTestPacketMaker* maker) {
     spdy::SpdyPriority priority =
         ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY);
     spdy::SpdyHeaderBlock headers(
         maker->GetRequestHeaders("GET", "https", "/"));
-    return maker->MakeRequestHeadersPacketWithOffsetTracking(
+    return maker->MakeRequestHeadersPacket(
         packet_number, stream_id, should_include_version, true, priority,
-        std::move(headers), parent_stream_id, offset);
+        std::move(headers), parent_stream_id, nullptr);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
@@ -6876,25 +6698,16 @@ class QuicNetworkTransactionWithDestinationTest
                                       bool should_include_version,
                                       QuicTestPacketMaker* maker) {
     return ConstructClientRequestHeadersPacket(
-        packet_number, stream_id, should_include_version, nullptr, maker);
+        packet_number, stream_id, should_include_version, 0, maker);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket>
   ConstructServerResponseHeadersPacket(uint64_t packet_number,
                                        quic::QuicStreamId stream_id,
-                                       quic::QuicStreamOffset* offset,
                                        QuicTestPacketMaker* maker) {
     spdy::SpdyHeaderBlock headers(maker->GetResponseHeaders("200 OK"));
-    return maker->MakeResponseHeadersPacketWithOffsetTracking(
-        packet_number, stream_id, false, false, std::move(headers), offset);
-  }
-
-  std::unique_ptr<quic::QuicEncryptedPacket>
-  ConstructServerResponseHeadersPacket(uint64_t packet_number,
-                                       quic::QuicStreamId stream_id,
-                                       QuicTestPacketMaker* maker) {
-    return ConstructServerResponseHeadersPacket(packet_number, stream_id,
-                                                nullptr, maker);
+    return maker->MakeResponseHeadersPacket(packet_number, stream_id, false,
+                                            false, std::move(headers), nullptr);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket> ConstructServerDataPacket(
@@ -6908,7 +6721,7 @@ class QuicNetworkTransactionWithDestinationTest
       auto header_length = encoder.SerializeDataFrameHeader(5, &buffer);
       header = std::string(buffer.get(), header_length);
     }
-    return maker->MakeDataPacket(packet_number, stream_id, false, true, 0,
+    return maker->MakeDataPacket(packet_number, stream_id, false, true,
                                  header + "hello");
   }
 
@@ -6924,9 +6737,8 @@ class QuicNetworkTransactionWithDestinationTest
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructInitialSettingsPacket(
       uint64_t packet_number,
-      quic::QuicStreamOffset* offset,
       QuicTestPacketMaker* maker) {
-    return maker->MakeInitialSettingsPacket(packet_number, offset);
+    return maker->MakeInitialSettingsPacket(packet_number);
   }
 
   void AddRefusedSocketData() {
@@ -7049,7 +6861,7 @@ TEST_P(QuicNetworkTransactionWithDestinationTest, InvalidCertificate) {
   verify_details.cert_verify_result.is_issued_by_known_root = true;
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version_);
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);
   mock_quic_data.AddRead(ASYNC, 0);
 
@@ -7099,21 +6911,17 @@ TEST_P(QuicNetworkTransactionWithDestinationTest, PoolIfCertificateValid) {
       version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
       &clock_, origin1_, quic::Perspective::IS_SERVER, false);
 
-  quic::QuicStreamOffset request_header_offset(0);
-  quic::QuicStreamOffset response_header_offset(0);
-
-  MockQuicData mock_quic_data;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructInitialSettingsPacket(1, &request_header_offset, &client_maker));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS,
+                          ConstructInitialSettingsPacket(1, &client_maker));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       &request_header_offset, &client_maker));
-  mock_quic_data.AddRead(ASYNC,
-                         ConstructServerResponseHeadersPacket(
-                             1, GetNthClientInitiatedBidirectionalStreamId(0),
-                             &response_header_offset, &server_maker));
+                       &client_maker));
+  mock_quic_data.AddRead(
+      ASYNC,
+      ConstructServerResponseHeadersPacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), &server_maker));
   mock_quic_data.AddRead(
       ASYNC,
       ConstructServerDataPacket(
@@ -7125,14 +6933,14 @@ TEST_P(QuicNetworkTransactionWithDestinationTest, PoolIfCertificateValid) {
   server_maker.set_hostname(origin2_);
 
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
-                       4, GetNthClientInitiatedBidirectionalStreamId(1), false,
-                       GetNthClientInitiatedBidirectionalStreamId(0),
-                       &request_header_offset, &client_maker));
-  mock_quic_data.AddRead(ASYNC,
-                         ConstructServerResponseHeadersPacket(
-                             3, GetNthClientInitiatedBidirectionalStreamId(1),
-                             &response_header_offset, &server_maker));
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          4, GetNthClientInitiatedBidirectionalStreamId(1), false,
+          GetNthClientInitiatedBidirectionalStreamId(0), &client_maker));
+  mock_quic_data.AddRead(
+      ASYNC,
+      ConstructServerResponseHeadersPacket(
+          3, GetNthClientInitiatedBidirectionalStreamId(1), &server_maker));
   mock_quic_data.AddRead(
       ASYNC,
       ConstructServerDataPacket(
@@ -7200,15 +7008,13 @@ TEST_P(QuicNetworkTransactionWithDestinationTest,
       version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
       &clock_, origin1_, quic::Perspective::IS_SERVER, false);
 
-  MockQuicData mock_quic_data1;
-  quic::QuicStreamOffset header_stream_offset1 = 0;
-  mock_quic_data1.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset1,
-                                                  &client_maker1));
+  MockQuicData mock_quic_data1(version_);
+  mock_quic_data1.AddWrite(SYNCHRONOUS,
+                           ConstructInitialSettingsPacket(1, &client_maker1));
   mock_quic_data1.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       &header_stream_offset1, &client_maker1));
+                       &client_maker1));
   mock_quic_data1.AddRead(
       ASYNC,
       ConstructServerResponseHeadersPacket(
@@ -7232,15 +7038,13 @@ TEST_P(QuicNetworkTransactionWithDestinationTest,
       version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
       &clock_, origin2_, quic::Perspective::IS_SERVER, false);
 
-  MockQuicData mock_quic_data2;
-  quic::QuicStreamOffset header_stream_offset2 = 0;
-  mock_quic_data2.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset2,
-                                                  &client_maker2));
+  MockQuicData mock_quic_data2(version_);
+  mock_quic_data2.AddWrite(SYNCHRONOUS,
+                           ConstructInitialSettingsPacket(1, &client_maker2));
   mock_quic_data2.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       &header_stream_offset2, &client_maker2));
+                       &client_maker2));
   mock_quic_data2.AddRead(
       ASYNC,
       ConstructServerResponseHeadersPacket(
@@ -7265,52 +7069,50 @@ TEST_P(QuicNetworkTransactionWithDestinationTest,
 // crbug.com/705109 - this confirms that matching request with a body
 // triggers a crash (pre-fix).
 TEST_P(QuicNetworkTransactionTest, QuicServerPushMatchesRequestWithBody) {
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
   uint64_t client_packet_number = 1;
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(client_packet_number++,
-                                                  &header_stream_offset));
+      SYNCHRONOUS, ConstructInitialSettingsPacket(client_packet_number++));
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRequestHeadersPacket(
           client_packet_number++, GetNthClientInitiatedBidirectionalStreamId(0),
-          true, true, GetRequestHeaders("GET", "https", "/"),
-          &header_stream_offset));
-  quic::QuicStreamOffset server_header_offset = 0;
+          true, true, GetRequestHeaders("GET", "https", "/")));
   mock_quic_data.AddRead(
-      ASYNC, ConstructServerPushPromisePacket(
-                 1, GetNthClientInitiatedBidirectionalStreamId(0),
-                 GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 GetRequestHeaders("GET", "https", "/pushed.jpg"),
-                 &server_header_offset, &server_maker_));
-  if (client_headers_include_h2_stream_dependency_ &&
-      version_.transport_version >= quic::QUIC_VERSION_43) {
-    mock_quic_data.AddWrite(SYNCHRONOUS,
-                            ConstructClientPriorityPacket(
-                                client_packet_number++, false,
-                                GetNthServerInitiatedUnidirectionalStreamId(0),
-                                GetNthClientInitiatedBidirectionalStreamId(0),
-                                DEFAULT_PRIORITY, &header_stream_offset));
+      ASYNC,
+      ConstructServerPushPromisePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0),
+          GetNthServerInitiatedUnidirectionalStreamId(0), false,
+          GetRequestHeaders("GET", "https", "/pushed.jpg"), &server_maker_));
+
+  if ((client_headers_include_h2_stream_dependency_ &&
+       version_.transport_version >= quic::QUIC_VERSION_43) ||
+      VersionHasStreamType(version_.transport_version)) {
+    mock_quic_data.AddWrite(
+        SYNCHRONOUS,
+        ConstructClientPriorityPacket(
+            client_packet_number++, false,
+            GetNthServerInitiatedUnidirectionalStreamId(0),
+            GetNthClientInitiatedBidirectionalStreamId(0), DEFAULT_PRIORITY));
   }
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(client_packet_number++, 2, 1, 1));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 false, GetResponseHeaders("200 OK"), &server_header_offset));
+                 false, GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(client_packet_number++, 4, 3, 1));
 
@@ -7318,7 +7120,7 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushMatchesRequestWithBody) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  5, GetNthServerInitiatedUnidirectionalStreamId(0), false, true,
-                 0, header2 + "and hello!"));
+                 header2 + "and hello!"));
 
   // Because the matching request has a body, we will see the push
   // stream get cancelled, and the matching request go out on the
@@ -7337,8 +7139,7 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushMatchesRequestWithBody) {
             client_packet_number++,
             GetNthClientInitiatedBidirectionalStreamId(1), false, true,
             DEFAULT_PRIORITY, GetRequestHeaders("GET", "https", "/pushed.jpg"),
-            GetNthServerInitiatedUnidirectionalStreamId(0),
-            &header_stream_offset, nullptr, {kBody}));
+            GetNthServerInitiatedUnidirectionalStreamId(0), nullptr, {kBody}));
   } else {
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
@@ -7346,8 +7147,8 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushMatchesRequestWithBody) {
             client_packet_number++,
             GetNthClientInitiatedBidirectionalStreamId(1), false, true,
             DEFAULT_PRIORITY, GetRequestHeaders("GET", "https", "/pushed.jpg"),
-            GetNthServerInitiatedUnidirectionalStreamId(0),
-            &header_stream_offset, nullptr, {header3, kBody}));
+            GetNthServerInitiatedUnidirectionalStreamId(0), nullptr,
+            {header3, kBody}));
   }
 
   // We see the same response as for the earlier pushed and cancelled
@@ -7355,11 +7156,11 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushMatchesRequestWithBody) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  6, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  7, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
-                 0, header2 + "and hello!"));
+                 header2 + "and hello!"));
 
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientAckPacket(client_packet_number++, 7, 6, 1));
@@ -7393,47 +7194,42 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushWithEmptyHostname) {
   pushed_request_headers[":path"] = "/";
   pushed_request_headers[":scheme"] = "nosuchscheme";
 
-  session_params_.origins_to_force_quic_on.insert(
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
-  MockQuicData mock_quic_data;
+  MockQuicData mock_quic_data(version_);
 
-  quic::QuicStreamOffset header_stream_offset = 0;
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientRequestHeadersPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-          GetRequestHeaders("GET", "https", "/"), &header_stream_offset));
+      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
+                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
+                       true, GetRequestHeaders("GET", "https", "/")));
 
-  quic::QuicStreamOffset server_header_offset = 0;
   mock_quic_data.AddRead(
       ASYNC, ConstructServerPushPromisePacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0),
                  GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 std::move(pushed_request_headers), &server_header_offset,
-                 &server_maker_));
+                 std::move(pushed_request_headers), &server_maker_));
   mock_quic_data.AddWrite(SYNCHRONOUS,
                           ConstructClientRstPacket(
                               3, GetNthServerInitiatedUnidirectionalStreamId(0),
-                              quic::QUIC_INVALID_PROMISE_URL, 0));
+                              quic::QUIC_INVALID_PROMISE_URL));
 
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(4, 2, 1, 1));
 
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  3, GetNthServerInitiatedUnidirectionalStreamId(0), false,
-                 false, GetResponseHeaders("200 OK"), &server_header_offset));
+                 false, GetResponseHeaders("200 OK")));
   std::string header = ConstructDataHeader(6);
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(5, 4, 3, 1));
 
   mock_quic_data.AddRead(ASYNC, 0);
@@ -7459,16 +7255,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectHttpsServer) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-                       ConnectRequestHeaders("mail.example.org:443"), 0,
-                       &header_stream_offset));
+                       ConnectRequestHeaders("mail.example.org:443"), 0));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -7484,13 +7277,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectHttpsServer) {
         SYNCHRONOUS,
         ConstructClientAckAndDataPacket(
             3, false, GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
-            false, 0, quic::QuicStringPiece(get_request)));
+            false, quic::QuicStringPiece(get_request)));
   } else {
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
         ConstructClientAckAndMultipleDataFramesPacket(
             3, false, GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
-            false, 0, {header, std::string(get_request)}));
+            false, {header, std::string(get_request)}));
   }
 
   const char get_response[] =
@@ -7500,21 +7293,19 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectHttpsServer) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 0, header2 + std::string(get_response)));
+                 header2 + std::string(get_response)));
   std::string header3 = ConstructDataHeader(10);
   mock_quic_data.AddRead(
       SYNCHRONOUS, ConstructServerDataPacket(
                        3, GetNthClientInitiatedBidirectionalStreamId(0), false,
-                       false, strlen(get_response) + header2.length(),
-                       header3 + std::string("0123456789")));
+                       false, header3 + std::string("0123456789")));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(4, 3, 2, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
 
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRstPacket(5, GetNthClientInitiatedBidirectionalStreamId(0),
-                               quic::QUIC_STREAM_CANCELLED,
-                               strlen(get_request) + header.length()));
+                               quic::QUIC_STREAM_CANCELLED));
 
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -7552,16 +7343,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectSpdyServer) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-                       ConnectRequestHeaders("mail.example.org:443"), 0,
-                       &header_stream_offset));
+                       ConnectRequestHeaders("mail.example.org:443"), 0));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
@@ -7577,24 +7365,21 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectSpdyServer) {
         SYNCHRONOUS,
         ConstructClientAckAndDataPacket(
             3, false, GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
-            false, 0,
-            quic::QuicStringPiece(get_frame.data(), get_frame.size())));
+            false, quic::QuicStringPiece(get_frame.data(), get_frame.size())));
   } else {
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
         ConstructClientAckAndMultipleDataFramesPacket(
             3, false, GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
-            false, 0,
-            {header, std::string(get_frame.data(), get_frame.size())}));
+            false, {header, std::string(get_frame.data(), get_frame.size())}));
   }
   spdy::SpdySerializedFrame resp_frame =
       spdy_util.ConstructSpdyGetReply(nullptr, 0, 1);
   std::string header2 = ConstructDataHeader(resp_frame.size());
   mock_quic_data.AddRead(
-      ASYNC,
-      ConstructServerDataPacket(
-          2, GetNthClientInitiatedBidirectionalStreamId(0), false, false, 0,
-          header2 + std::string(resp_frame.data(), resp_frame.size())));
+      ASYNC, ConstructServerDataPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 header2 + std::string(resp_frame.data(), resp_frame.size())));
 
   spdy::SpdySerializedFrame data_frame =
       spdy_util.ConstructSpdyDataFrame(1, "0123456789", true);
@@ -7603,7 +7388,6 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectSpdyServer) {
       SYNCHRONOUS,
       ConstructServerDataPacket(
           3, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-          resp_frame.size() + header2.length(),
           header3 + std::string(data_frame.data(), data_frame.size())));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(4, 3, 2, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
@@ -7611,8 +7395,7 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectSpdyServer) {
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRstPacket(5, GetNthClientInitiatedBidirectionalStreamId(0),
-                               quic::QUIC_STREAM_CANCELLED,
-                               get_frame.size() + header.length()));
+                               quic::QUIC_STREAM_CANCELLED));
 
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -7652,25 +7435,21 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseTransportSocket) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData mock_quic_data(version_);
   int write_packet_index = 1;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(write_packet_index++,
-                                                  &header_stream_offset));
+  mock_quic_data.AddWrite(SYNCHRONOUS,
+                          ConstructInitialSettingsPacket(write_packet_index++));
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRequestHeadersPacket(
           write_packet_index++, GetNthClientInitiatedBidirectionalStreamId(0),
           true, false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-          ConnectRequestHeaders("mail.example.org:443"), 0,
-          &header_stream_offset));
+          ConnectRequestHeaders("mail.example.org:443"), 0));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
                  GetResponseHeaders("200 OK")));
 
-  quic::QuicStreamOffset client_data_offset = 0;
   quic::QuicStreamOffset server_data_offset = 0;
   const char get_request_1[] =
       "GET / HTTP/1.1\r\n"
@@ -7679,22 +7458,18 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseTransportSocket) {
   std::string header = ConstructDataHeader(strlen(get_request_1));
   if (version_.transport_version != quic::QUIC_VERSION_99) {
     mock_quic_data.AddWrite(
-        SYNCHRONOUS,
-        ConstructClientAckAndDataPacket(
-            write_packet_index++, false,
-            GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1, false,
-            client_data_offset, quic::QuicStringPiece(get_request_1)));
+        SYNCHRONOUS, ConstructClientAckAndDataPacket(
+                         write_packet_index++, false,
+                         GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
+                         false, quic::QuicStringPiece(get_request_1)));
   } else {
     mock_quic_data.AddWrite(
-        SYNCHRONOUS,
-        ConstructClientAckAndMultipleDataFramesPacket(
-            write_packet_index++, false,
-            GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1, false,
-            client_data_offset, {header, std::string(get_request_1)}));
+        SYNCHRONOUS, ConstructClientAckAndMultipleDataFramesPacket(
+                         write_packet_index++, false,
+                         GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
+                         false, {header, std::string(get_request_1)}));
   }
 
-  client_data_offset += strlen(get_request_1) + header.length();
-
   const char get_response_1[] =
       "HTTP/1.1 200 OK\r\n"
       "Content-Length: 10\r\n\r\n";
@@ -7702,15 +7477,14 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseTransportSocket) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 server_data_offset, header2 + std::string(get_response_1)));
+                 header2 + std::string(get_response_1)));
   server_data_offset += strlen(get_response_1) + header2.length();
 
   std::string header3 = ConstructDataHeader(10);
   mock_quic_data.AddRead(
-      SYNCHRONOUS,
-      ConstructServerDataPacket(
-          3, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-          server_data_offset, header3 + std::string("0123456789")));
+      SYNCHRONOUS, ConstructServerDataPacket(
+                       3, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                       false, header3 + std::string("0123456789")));
   server_data_offset += 10 + header3.length();
 
   mock_quic_data.AddWrite(
@@ -7726,17 +7500,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseTransportSocket) {
         SYNCHRONOUS,
         ConstructClientMultipleDataFramesPacket(
             write_packet_index++, GetNthClientInitiatedBidirectionalStreamId(0),
-            false, false, client_data_offset,
-            {header4, std::string(get_request_2)}));
-    client_data_offset += header4.length() + strlen(get_request_2);
+            false, false, {header4, std::string(get_request_2)}));
   } else {
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
-        ConstructClientDataPacket(write_packet_index++,
-                                  GetNthClientInitiatedBidirectionalStreamId(0),
-                                  false, false, client_data_offset,
-                                  quic::QuicStringPiece(get_request_2)));
-    client_data_offset += strlen(get_request_2);
+        ConstructClientDataPacket(
+            write_packet_index++, GetNthClientInitiatedBidirectionalStreamId(0),
+            false, false, quic::QuicStringPiece(get_request_2)));
   }
 
   const char get_response_2[] =
@@ -7746,15 +7516,14 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseTransportSocket) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 server_data_offset, header5 + std::string(get_response_2)));
+                 header5 + std::string(get_response_2)));
   server_data_offset += strlen(get_response_2) + header5.length();
 
   std::string header6 = ConstructDataHeader(7);
   mock_quic_data.AddRead(
-      SYNCHRONOUS,
-      ConstructServerDataPacket(
-          5, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-          server_data_offset, header6 + std::string("0123456")));
+      SYNCHRONOUS, ConstructServerDataPacket(
+                       5, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                       false, header6 + std::string("0123456")));
   server_data_offset += 7 + header6.length();
 
   mock_quic_data.AddWrite(
@@ -7763,9 +7532,9 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseTransportSocket) {
 
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
-      ConstructClientRstPacket(
-          write_packet_index++, GetNthClientInitiatedBidirectionalStreamId(0),
-          quic::QUIC_STREAM_CANCELLED, client_data_offset));
+      ConstructClientRstPacket(write_packet_index++,
+                               GetNthClientInitiatedBidirectionalStreamId(0),
+                               quic::QUIC_STREAM_CANCELLED));
 
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -7817,23 +7586,19 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseQuicSession) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset client_header_stream_offset = 0;
-  quic::QuicStreamOffset server_header_stream_offset = 0;
-  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(
-                                           1, &client_header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
 
   // CONNECT request and response for first request
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-                       ConnectRequestHeaders("mail.example.org:443"), 0,
-                       &client_header_stream_offset));
+                       ConnectRequestHeaders("mail.example.org:443"), 0));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_stream_offset));
+                 GetResponseHeaders("200 OK")));
 
   // GET request, response, and data over QUIC tunnel for first request
   const char get_request[] =
@@ -7846,13 +7611,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseQuicSession) {
         SYNCHRONOUS,
         ConstructClientAckAndDataPacket(
             3, false, GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
-            false, 0, quic::QuicStringPiece(get_request)));
+            false, quic::QuicStringPiece(get_request)));
   } else {
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
         ConstructClientAckAndMultipleDataFramesPacket(
             3, false, GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
-            false, 0, {header, std::string(get_request)}));
+            false, {header, std::string(get_request)}));
   }
 
   const char get_response[] =
@@ -7862,13 +7627,12 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseQuicSession) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 0, header2 + std::string(get_response)));
+                 header2 + std::string(get_response)));
   std::string header3 = ConstructDataHeader(10);
   mock_quic_data.AddRead(
       SYNCHRONOUS, ConstructServerDataPacket(
                        3, GetNthClientInitiatedBidirectionalStreamId(0), false,
-                       false, strlen(get_response) + header2.length(),
-                       header3 + std::string("0123456789")));
+                       false, header3 + std::string("0123456789")));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(4, 3, 2, 1));
 
   // CONNECT request and response for second request
@@ -7877,12 +7641,11 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseQuicSession) {
                        5, GetNthClientInitiatedBidirectionalStreamId(1), false,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
                        ConnectRequestHeaders("different.example.org:443"),
-                       GetNthClientInitiatedBidirectionalStreamId(0),
-                       &client_header_stream_offset));
+                       GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  4, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_stream_offset));
+                 GetResponseHeaders("200 OK")));
 
   // GET request, response, and data over QUIC tunnel for second request
   SpdyTestUtil spdy_util;
@@ -7894,25 +7657,22 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseQuicSession) {
         SYNCHRONOUS,
         ConstructClientAckAndDataPacket(
             6, false, GetNthClientInitiatedBidirectionalStreamId(1), 4, 4, 1,
-            false, 0,
-            quic::QuicStringPiece(get_frame.data(), get_frame.size())));
+            false, quic::QuicStringPiece(get_frame.data(), get_frame.size())));
   } else {
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
         ConstructClientAckAndMultipleDataFramesPacket(
             6, false, GetNthClientInitiatedBidirectionalStreamId(1), 4, 4, 1,
-            false, 0,
-            {header4, std::string(get_frame.data(), get_frame.size())}));
+            false, {header4, std::string(get_frame.data(), get_frame.size())}));
   }
 
   spdy::SpdySerializedFrame resp_frame =
       spdy_util.ConstructSpdyGetReply(nullptr, 0, 1);
   std::string header5 = ConstructDataHeader(resp_frame.size());
   mock_quic_data.AddRead(
-      ASYNC,
-      ConstructServerDataPacket(
-          5, GetNthClientInitiatedBidirectionalStreamId(1), false, false, 0,
-          header5 + std::string(resp_frame.data(), resp_frame.size())));
+      ASYNC, ConstructServerDataPacket(
+                 5, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
+                 header5 + std::string(resp_frame.data(), resp_frame.size())));
 
   spdy::SpdySerializedFrame data_frame =
       spdy_util.ConstructSpdyDataFrame(1, "0123456", true);
@@ -7920,7 +7680,6 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseQuicSession) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  6, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 resp_frame.size() + header5.length(),
                  header6 + std::string(data_frame.data(), data_frame.size())));
 
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(7, 6, 5, 1));
@@ -7929,13 +7688,11 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectReuseQuicSession) {
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRstPacket(8, GetNthClientInitiatedBidirectionalStreamId(0),
-                               quic::QUIC_STREAM_CANCELLED,
-                               strlen(get_request) + header.length()));
+                               quic::QUIC_STREAM_CANCELLED));
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRstPacket(9, GetNthClientInitiatedBidirectionalStreamId(1),
-                               quic::QUIC_STREAM_CANCELLED,
-                               get_frame.size() + header4.length()));
+                               quic::QUIC_STREAM_CANCELLED));
 
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -7989,16 +7746,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectFailure) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-                       ConnectRequestHeaders("mail.example.org:443"), 0,
-                       &header_stream_offset));
+                       ConnectRequestHeaders("mail.example.org:443"), 0));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
@@ -8038,16 +7792,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyQuicConnectionError) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-                       ConnectRequestHeaders("mail.example.org:443"), 0,
-                       &header_stream_offset));
+                       ConnectRequestHeaders("mail.example.org:443"), 0));
   mock_quic_data.AddRead(ASYNC, ERR_CONNECTION_FAILED);
 
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
@@ -8077,21 +7828,17 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectBadCertificate) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset client_header_stream_offset = 0;
-  quic::QuicStreamOffset server_header_stream_offset = 0;
-  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(
-                                           1, &client_header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-                       ConnectRequestHeaders("mail.example.org:443"), 0,
-                       &client_header_stream_offset));
+                       ConnectRequestHeaders("mail.example.org:443"), 0));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_stream_offset));
+                 GetResponseHeaders("200 OK")));
   mock_quic_data.AddWrite(SYNCHRONOUS,
                           ConstructClientAckAndRstPacket(
                               3, GetNthClientInitiatedBidirectionalStreamId(0),
@@ -8102,12 +7849,11 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectBadCertificate) {
                        4, GetNthClientInitiatedBidirectionalStreamId(1), false,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
                        ConnectRequestHeaders("mail.example.org:443"),
-                       GetNthClientInitiatedBidirectionalStreamId(0),
-                       &client_header_stream_offset));
+                       GetNthClientInitiatedBidirectionalStreamId(0)));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 GetResponseHeaders("200 OK"), &server_header_stream_offset));
+                 GetResponseHeaders("200 OK")));
 
   const char get_request[] =
       "GET / HTTP/1.1\r\n"
@@ -8119,13 +7865,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectBadCertificate) {
         SYNCHRONOUS,
         ConstructClientAckAndDataPacket(
             5, false, GetNthClientInitiatedBidirectionalStreamId(1), 2, 2, 1,
-            false, 0, quic::QuicStringPiece(get_request)));
+            false, quic::QuicStringPiece(get_request)));
   } else {
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
         ConstructClientAckAndMultipleDataFramesPacket(
             5, false, GetNthClientInitiatedBidirectionalStreamId(1), 2, 2, 1,
-            false, 0, {header, std::string(get_request)}));
+            false, {header, std::string(get_request)}));
   }
   const char get_response[] =
       "HTTP/1.1 200 OK\r\n"
@@ -8134,22 +7880,20 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyConnectBadCertificate) {
   mock_quic_data.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
-                 0, header2 + std::string(get_response)));
+                 header2 + std::string(get_response)));
 
   std::string header3 = ConstructDataHeader(10);
   mock_quic_data.AddRead(
       SYNCHRONOUS, ConstructServerDataPacket(
                        4, GetNthClientInitiatedBidirectionalStreamId(1), false,
-                       false, strlen(get_response) + header2.length(),
-                       header3 + std::string("0123456789")));
+                       false, header3 + std::string("0123456789")));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(6, 4, 3, 1));
   mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
 
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRstPacket(7, GetNthClientInitiatedBidirectionalStreamId(1),
-                               quic::QUIC_STREAM_CANCELLED,
-                               strlen(get_request) + header.length()));
+                               quic::QUIC_STREAM_CANCELLED));
 
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -8201,18 +7945,16 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyUserAgent) {
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
       "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
 
   spdy::SpdyHeaderBlock headers = ConnectRequestHeaders("mail.example.org:443");
   headers["user-agent"] = kConfiguredUserAgent;
   mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructClientRequestHeadersPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-                       std::move(headers), 0, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, false,
+          HttpProxyConnectJob::kH2QuicTunnelPriority, std::move(headers), 0));
   // Return an error, so the transaction stops here (this test isn't interested
   // in the rest).
   mock_quic_data.AddRead(ASYNC, ERR_CONNECTION_FAILED);
@@ -8251,16 +7993,13 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyRequestPriority) {
 
   const RequestPriority request_priority = MEDIUM;
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(
       SYNCHRONOUS, ConstructClientRequestHeadersPacket(
                        2, GetNthClientInitiatedBidirectionalStreamId(0), true,
                        false, HttpProxyConnectJob::kH2QuicTunnelPriority,
-                       ConnectRequestHeaders("mail.example.org:443"), 0,
-                       &header_stream_offset));
+                       ConnectRequestHeaders("mail.example.org:443"), 0));
   // Return an error, so the transaction stops here (this test isn't interested
   // in the rest).
   mock_quic_data.AddRead(ASYNC, ERR_CONNECTION_FAILED);
@@ -8291,17 +8030,15 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyMultipleRequestsError) {
   const RequestPriority kRequestPriority = MEDIUM;
   const RequestPriority kRequestPriority2 = LOWEST;
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  mock_quic_data.AddWrite(
-      ASYNC, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(ASYNC, ConstructInitialSettingsPacket(1));
   mock_quic_data.AddWrite(SYNCHRONOUS, ERR_FAILED);
   // This should never be reached.
   mock_quic_data.AddRead(ASYNC, ERR_CONNECTION_FAILED);
   mock_quic_data.AddSocketDataToFactory(&socket_factory_);
 
   // Second connection attempt just fails - result doesn't really matter.
-  MockQuicData mock_quic_data2;
+  MockQuicData mock_quic_data2(version_);
   mock_quic_data2.AddConnect(SYNCHRONOUS, ERR_FAILED);
   mock_quic_data2.AddSocketDataToFactory(&socket_factory_);
 
@@ -8373,44 +8110,40 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyAuth) {
         ProxyResolutionService::CreateFixedFromPacResult(
             "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
 
-    MockQuicData mock_quic_data;
-    quic::QuicStreamOffset client_header_stream_offset = 0;
-    quic::QuicStreamOffset server_header_stream_offset = 0;
-    quic::QuicStreamOffset client_data_offset = 0;
+    MockQuicData mock_quic_data(version_);
     quic::QuicStreamOffset server_data_offset = 0;
 
     mock_quic_data.AddWrite(SYNCHRONOUS,
-                            client_maker->MakeInitialSettingsPacket(
-                                1, &client_header_stream_offset));
+                            client_maker->MakeInitialSettingsPacket(1));
 
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
-        client_maker->MakeRequestHeadersPacketWithOffsetTracking(
+        client_maker->MakeRequestHeadersPacket(
             2, GetNthClientInitiatedBidirectionalStreamId(0), true, false,
             ConvertRequestPriorityToQuicPriority(
                 HttpProxyConnectJob::kH2QuicTunnelPriority),
             client_maker->ConnectRequestHeaders("mail.example.org:443"), 0,
-            &client_header_stream_offset));
+            nullptr));
 
     spdy::SpdyHeaderBlock headers =
         server_maker->GetResponseHeaders("407 Proxy Authentication Required");
     headers["proxy-authenticate"] = "Basic realm=\"MyRealm1\"";
     headers["content-length"] = "10";
     mock_quic_data.AddRead(
-        ASYNC, server_maker->MakeResponseHeadersPacketWithOffsetTracking(
+        ASYNC, server_maker->MakeResponseHeadersPacket(
                    1, GetNthClientInitiatedBidirectionalStreamId(0), false,
-                   false, std::move(headers), &server_header_stream_offset));
+                   false, std::move(headers), nullptr));
 
     if (i == 0) {
       mock_quic_data.AddRead(
           ASYNC, server_maker->MakeDataPacket(
                      2, GetNthClientInitiatedBidirectionalStreamId(0), false,
-                     false, server_data_offset, "0123456789"));
+                     false, "0123456789"));
     } else {
       mock_quic_data.AddRead(
           SYNCHRONOUS, server_maker->MakeDataPacket(
                            2, GetNthClientInitiatedBidirectionalStreamId(0),
-                           false, false, server_data_offset, "0123456789"));
+                           false, false, "0123456789"));
     }
     server_data_offset += 10;
 
@@ -8421,19 +8154,19 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyAuth) {
         SYNCHRONOUS,
         client_maker->MakeRstPacket(
             4, false, GetNthClientInitiatedBidirectionalStreamId(0),
-            quic::QUIC_STREAM_CANCELLED, client_data_offset,
+            quic::QUIC_STREAM_CANCELLED,
             /*include_stop_sending_if_v99=*/true));
 
     headers = client_maker->ConnectRequestHeaders("mail.example.org:443");
     headers["proxy-authorization"] = "Basic Zm9vOmJheg==";
     mock_quic_data.AddWrite(
         SYNCHRONOUS,
-        client_maker->MakeRequestHeadersPacketWithOffsetTracking(
+        client_maker->MakeRequestHeadersPacket(
             5, GetNthClientInitiatedBidirectionalStreamId(1), false, false,
             ConvertRequestPriorityToQuicPriority(
                 HttpProxyConnectJob::kH2QuicTunnelPriority),
             std::move(headers), GetNthClientInitiatedBidirectionalStreamId(0),
-            &client_header_stream_offset));
+            nullptr));
 
     // Response to wrong password
     headers =
@@ -8441,9 +8174,9 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyAuth) {
     headers["proxy-authenticate"] = "Basic realm=\"MyRealm1\"";
     headers["content-length"] = "10";
     mock_quic_data.AddRead(
-        ASYNC, server_maker->MakeResponseHeadersPacketWithOffsetTracking(
+        ASYNC, server_maker->MakeResponseHeadersPacket(
                    3, GetNthClientInitiatedBidirectionalStreamId(1), false,
-                   false, std::move(headers), &server_header_stream_offset));
+                   false, std::move(headers), nullptr));
     mock_quic_data.AddRead(SYNCHRONOUS,
                            ERR_IO_PENDING);  // No more data to read
 
@@ -8527,7 +8260,13 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushUpdatesPriority) {
     return;
   }
 
-  session_params_.origins_to_force_quic_on.insert(
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    // TODO(rch): both stream_dependencies and priority frames need to be
+    // supported in IETF QUIC.
+    return;
+  }
+
+  session_params_.quic_params.origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   const quic::QuicStreamId client_stream_0 =
@@ -8541,79 +8280,68 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushUpdatesPriority) {
   const quic::QuicStreamId push_stream_1 =
       GetNthServerInitiatedUnidirectionalStreamId(1);
 
-  MockQuicData mock_quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  quic::QuicStreamOffset server_header_offset = 0;
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData mock_quic_data(version_);
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
 
   // Client sends "GET" requests for "/0.png", "/1.png", "/2.png".
   mock_quic_data.AddWrite(SYNCHRONOUS,
                           ConstructClientRequestHeadersPacket(
                               2, client_stream_0, true, true, HIGHEST,
-                              GetRequestHeaders("GET", "https", "/0.jpg"), 0,
-                              &header_stream_offset));
-  mock_quic_data.AddWrite(SYNCHRONOUS,
-                          ConstructClientRequestHeadersPacket(
-                              3, client_stream_1, true, true, MEDIUM,
-                              GetRequestHeaders("GET", "https", "/1.jpg"),
-                              client_stream_0, &header_stream_offset));
-  mock_quic_data.AddWrite(SYNCHRONOUS,
-                          ConstructClientRequestHeadersPacket(
-                              4, client_stream_2, true, true, MEDIUM,
-                              GetRequestHeaders("GET", "https", "/2.jpg"),
-                              client_stream_1, &header_stream_offset));
+                              GetRequestHeaders("GET", "https", "/0.jpg"), 0));
+  mock_quic_data.AddWrite(
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          3, client_stream_1, true, true, MEDIUM,
+          GetRequestHeaders("GET", "https", "/1.jpg"), client_stream_0));
+  mock_quic_data.AddWrite(
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          4, client_stream_2, true, true, MEDIUM,
+          GetRequestHeaders("GET", "https", "/2.jpg"), client_stream_1));
 
   // Server replies "OK" for the three requests.
-  mock_quic_data.AddRead(
-      ASYNC, ConstructServerResponseHeadersPacket(
-                 1, client_stream_0, false, false, GetResponseHeaders("200 OK"),
-                 &server_header_offset));
-  mock_quic_data.AddRead(
-      ASYNC, ConstructServerResponseHeadersPacket(
-                 2, client_stream_1, false, false, GetResponseHeaders("200 OK"),
-                 &server_header_offset));
+  mock_quic_data.AddRead(ASYNC, ConstructServerResponseHeadersPacket(
+                                    1, client_stream_0, false, false,
+                                    GetResponseHeaders("200 OK")));
+  mock_quic_data.AddRead(ASYNC, ConstructServerResponseHeadersPacket(
+                                    2, client_stream_1, false, false,
+                                    GetResponseHeaders("200 OK")));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(5, 2, 1, 1));
-  mock_quic_data.AddRead(
-      ASYNC, ConstructServerResponseHeadersPacket(
-                 3, client_stream_2, false, false, GetResponseHeaders("200 OK"),
-                 &server_header_offset));
+  mock_quic_data.AddRead(ASYNC, ConstructServerResponseHeadersPacket(
+                                    3, client_stream_2, false, false,
+                                    GetResponseHeaders("200 OK")));
 
   // Server sends two push promises associated with |client_stream_0|; client
   // responds with a PRIORITY frame after each to notify server of HTTP/2 stream
   // dependency info for each push promise stream.
-  mock_quic_data.AddRead(ASYNC,
-                         ConstructServerPushPromisePacket(
-                             4, client_stream_0, push_stream_0, false,
-                             GetRequestHeaders("GET", "https", "/pushed_0.jpg"),
-                             &server_header_offset, &server_maker_));
+  mock_quic_data.AddRead(
+      ASYNC,
+      ConstructServerPushPromisePacket(
+          4, client_stream_0, push_stream_0, false,
+          GetRequestHeaders("GET", "https", "/pushed_0.jpg"), &server_maker_));
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientAckAndPriorityFramesPacket(
           6, false, 4, 3, 1,
           {{push_stream_0, client_stream_2,
-            ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY)}},
-          &header_stream_offset));
-  mock_quic_data.AddRead(ASYNC,
-                         ConstructServerPushPromisePacket(
-                             5, client_stream_0, push_stream_1, false,
-                             GetRequestHeaders("GET", "https", "/pushed_1.jpg"),
-                             &server_header_offset, &server_maker_));
-  mock_quic_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructClientPriorityPacket(7, false, push_stream_1, push_stream_0,
-                                    DEFAULT_PRIORITY, &header_stream_offset));
+            ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY)}}));
+  mock_quic_data.AddRead(
+      ASYNC,
+      ConstructServerPushPromisePacket(
+          5, client_stream_0, push_stream_1, false,
+          GetRequestHeaders("GET", "https", "/pushed_1.jpg"), &server_maker_));
+  mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientPriorityPacket(
+                                           7, false, push_stream_1,
+                                           push_stream_0, DEFAULT_PRIORITY));
 
   // Server sends the response headers for the two push promises.
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
-                 6, push_stream_0, false, false, GetResponseHeaders("200 OK"),
-                 &server_header_offset));
+                 6, push_stream_0, false, false, GetResponseHeaders("200 OK")));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(8, 6, 5, 1));
   mock_quic_data.AddRead(
       ASYNC, ConstructServerResponseHeadersPacket(
-                 7, push_stream_1, false, false, GetResponseHeaders("200 OK"),
-                 &server_header_offset));
+                 7, push_stream_1, false, false, GetResponseHeaders("200 OK")));
 
   // Request for "pushed_0.jpg" matches |push_stream_0|. |push_stream_0|'s
   // priority updates to match the request's priority. Client sends PRIORITY
@@ -8625,28 +8353,27 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushUpdatesPriority) {
           {{push_stream_1, client_stream_2,
             ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY)},
            {push_stream_0, client_stream_0,
-            ConvertRequestPriorityToQuicPriority(HIGHEST)}},
-          &header_stream_offset));
+            ConvertRequestPriorityToQuicPriority(HIGHEST)}}));
 
   // Server sends data for the three requests and the two push promises.
   std::string header = ConstructDataHeader(8);
   mock_quic_data.AddRead(
-      ASYNC, ConstructServerDataPacket(8, client_stream_0, false, true, 0,
+      ASYNC, ConstructServerDataPacket(8, client_stream_0, false, true,
                                        header + "hello 0!"));
   mock_quic_data.AddRead(
-      SYNCHRONOUS, ConstructServerDataPacket(9, client_stream_1, false, true, 0,
+      SYNCHRONOUS, ConstructServerDataPacket(9, client_stream_1, false, true,
                                              header + "hello 1!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(10, 9, 8, 1));
   mock_quic_data.AddRead(
-      ASYNC, ConstructServerDataPacket(10, client_stream_2, false, true, 0,
+      ASYNC, ConstructServerDataPacket(10, client_stream_2, false, true,
                                        header + "hello 2!"));
   std::string header2 = ConstructDataHeader(12);
   mock_quic_data.AddRead(
-      SYNCHRONOUS, ConstructServerDataPacket(11, push_stream_0, false, true, 0,
+      SYNCHRONOUS, ConstructServerDataPacket(11, push_stream_0, false, true,
                                              header2 + "and hello 0!"));
   mock_quic_data.AddWrite(SYNCHRONOUS, ConstructClientAckPacket(11, 11, 10, 1));
   mock_quic_data.AddRead(
-      ASYNC, ConstructServerDataPacket(12, push_stream_1, false, true, 0,
+      ASYNC, ConstructServerDataPacket(12, push_stream_1, false, true,
                                        header2 + "and hello 1!"));
 
   mock_quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // No more data to read
@@ -8706,5 +8433,383 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushUpdatesPriority) {
   EXPECT_TRUE(mock_quic_data.AllWriteDataConsumed());
 }
 
+// Test that NetworkIsolationKey is respected by QUIC connections, when
+// kPartitionConnectionsByNetworkIsolationKey is enabled.
+TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
+  const auto kOrigin1 = url::Origin::Create(GURL("http://origin1/"));
+  const auto kOrigin2 = url::Origin::Create(GURL("http://origin2/"));
+  NetworkIsolationKey network_isolation_key1(kOrigin1, kOrigin1);
+  NetworkIsolationKey network_isolation_key2(kOrigin2, kOrigin2);
+
+  session_params_.quic_params.origins_to_force_quic_on.insert(
+      HostPortPair::FromString("mail.example.org:443"));
+
+  // Whether to use an H2 proxy. When false, uses HTTPS H2 requests without a
+  // proxy, when true, uses HTTP requests over an H2 proxy. It's unnecessary to
+  // test tunneled HTTPS over an H2 proxy, since that path sets up H2 sessions
+  // the same way as the HTTP over H2 proxy case.
+  for (bool use_proxy : {false, true}) {
+    SCOPED_TRACE(use_proxy);
+
+    if (use_proxy) {
+      proxy_resolution_service_ =
+          ProxyResolutionService::CreateFixedFromPacResult(
+              "QUIC mail.example.org:443", TRAFFIC_ANNOTATION_FOR_TESTS);
+    } else {
+      proxy_resolution_service_ = ProxyResolutionService::CreateDirect();
+    }
+
+    GURL url1;
+    GURL url2;
+    GURL url3;
+    if (use_proxy) {
+      url1 = GURL("http://mail.example.org/1");
+      url2 = GURL("http://mail.example.org/2");
+      url3 = GURL("http://mail.example.org/3");
+    } else {
+      url1 = GURL("https://mail.example.org/1");
+      url2 = GURL("https://mail.example.org/2");
+      url3 = GURL("https://mail.example.org/3");
+    }
+
+    for (bool partition_connections : {false, true}) {
+      SCOPED_TRACE(partition_connections);
+
+      base::test::ScopedFeatureList feature_list;
+      if (partition_connections) {
+        feature_list.InitAndEnableFeature(
+            features::kPartitionConnectionsByNetworkIsolationKey);
+      } else {
+        feature_list.InitAndDisableFeature(
+            features::kPartitionConnectionsByNetworkIsolationKey);
+      }
+
+      // Reads and writes for the unpartitioned case, where only one socket is
+      // used.
+
+      session_params_.quic_params.origins_to_force_quic_on.insert(
+          HostPortPair::FromString("mail.example.org:443"));
+
+      MockQuicData unpartitioned_mock_quic_data(version_);
+      QuicTestPacketMaker client_maker1(
+          version_,
+          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
+          &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+          client_headers_include_h2_stream_dependency_);
+      QuicTestPacketMaker server_maker1(
+          version_,
+          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
+          &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+
+      unpartitioned_mock_quic_data.AddWrite(
+          SYNCHRONOUS, client_maker1.MakeInitialSettingsPacket(1));
+
+      unpartitioned_mock_quic_data.AddWrite(
+          SYNCHRONOUS,
+          client_maker1.MakeRequestHeadersPacket(
+              2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+              ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY),
+              GetRequestHeaders("GET", url1.scheme(), "/1"), 0, nullptr));
+      unpartitioned_mock_quic_data.AddRead(
+          ASYNC, server_maker1.MakeResponseHeadersPacket(
+                     1, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                     false, GetResponseHeaders("200 OK"), nullptr));
+      unpartitioned_mock_quic_data.AddRead(
+          ASYNC, server_maker1.MakeDataPacket(
+                     2, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                     true, ConstructDataHeader(1) + "1"));
+      unpartitioned_mock_quic_data.AddWrite(
+          SYNCHRONOUS, ConstructClientAckPacket(3, 2, 1, 1));
+
+      unpartitioned_mock_quic_data.AddWrite(
+          SYNCHRONOUS,
+          client_maker1.MakeRequestHeadersPacket(
+              4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
+              ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY),
+              GetRequestHeaders("GET", url2.scheme(), "/2"), 0, nullptr));
+      unpartitioned_mock_quic_data.AddRead(
+          ASYNC, server_maker1.MakeResponseHeadersPacket(
+                     3, GetNthClientInitiatedBidirectionalStreamId(1), false,
+                     false, GetResponseHeaders("200 OK"), nullptr));
+      unpartitioned_mock_quic_data.AddRead(
+          ASYNC, server_maker1.MakeDataPacket(
+                     4, GetNthClientInitiatedBidirectionalStreamId(1), false,
+                     true, ConstructDataHeader(1) + "2"));
+      unpartitioned_mock_quic_data.AddWrite(
+          SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(5, 4, 3, 1));
+
+      unpartitioned_mock_quic_data.AddWrite(
+          SYNCHRONOUS,
+          client_maker1.MakeRequestHeadersPacket(
+              6, GetNthClientInitiatedBidirectionalStreamId(2), false, true,
+              ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY),
+              GetRequestHeaders("GET", url3.scheme(), "/3"), 0, nullptr));
+      unpartitioned_mock_quic_data.AddRead(
+          ASYNC, server_maker1.MakeResponseHeadersPacket(
+                     5, GetNthClientInitiatedBidirectionalStreamId(2), false,
+                     false, GetResponseHeaders("200 OK"), nullptr));
+      unpartitioned_mock_quic_data.AddRead(
+          ASYNC, server_maker1.MakeDataPacket(
+                     6, GetNthClientInitiatedBidirectionalStreamId(2), false,
+                     true, ConstructDataHeader(1) + "3"));
+      unpartitioned_mock_quic_data.AddWrite(
+          SYNCHRONOUS, ConstructClientAckAndConnectionClosePacket(7, 6, 5, 1));
+
+      unpartitioned_mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+
+      // Reads and writes for the partitioned case, where two sockets are used.
+
+      MockQuicData partitioned_mock_quic_data1(version_);
+      QuicTestPacketMaker client_maker2(
+          version_,
+          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
+          &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+          client_headers_include_h2_stream_dependency_);
+      QuicTestPacketMaker server_maker2(
+          version_,
+          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
+          &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+
+      partitioned_mock_quic_data1.AddWrite(
+          SYNCHRONOUS, client_maker2.MakeInitialSettingsPacket(1));
+
+      partitioned_mock_quic_data1.AddWrite(
+          SYNCHRONOUS,
+          client_maker2.MakeRequestHeadersPacket(
+              2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+              ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY),
+              GetRequestHeaders("GET", url1.scheme(), "/1"), 0, nullptr));
+      partitioned_mock_quic_data1.AddRead(
+          ASYNC, server_maker2.MakeResponseHeadersPacket(
+                     1, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                     false, GetResponseHeaders("200 OK"), nullptr));
+      partitioned_mock_quic_data1.AddRead(
+          ASYNC, server_maker2.MakeDataPacket(
+                     2, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                     true, ConstructDataHeader(1) + "1"));
+      partitioned_mock_quic_data1.AddWrite(
+          SYNCHRONOUS, client_maker2.MakeAckPacket(3, 2, 1, 1, true));
+
+      partitioned_mock_quic_data1.AddWrite(
+          SYNCHRONOUS,
+          client_maker2.MakeRequestHeadersPacket(
+              4, GetNthClientInitiatedBidirectionalStreamId(1), false, true,
+              ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY),
+              GetRequestHeaders("GET", url3.scheme(), "/3"), 0, nullptr));
+      partitioned_mock_quic_data1.AddRead(
+          ASYNC, server_maker2.MakeResponseHeadersPacket(
+                     3, GetNthClientInitiatedBidirectionalStreamId(1), false,
+                     false, GetResponseHeaders("200 OK"), nullptr));
+      partitioned_mock_quic_data1.AddRead(
+          ASYNC, server_maker2.MakeDataPacket(
+                     4, GetNthClientInitiatedBidirectionalStreamId(1), false,
+                     true, ConstructDataHeader(1) + "3"));
+      partitioned_mock_quic_data1.AddWrite(
+          SYNCHRONOUS, client_maker2.MakeAckPacket(5, 4, 3, 1, true));
+
+      partitioned_mock_quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+
+      MockQuicData partitioned_mock_quic_data2(version_);
+      QuicTestPacketMaker client_maker3(
+          version_,
+          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
+          &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+          client_headers_include_h2_stream_dependency_);
+      QuicTestPacketMaker server_maker3(
+          version_,
+          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
+          &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+
+      partitioned_mock_quic_data2.AddWrite(
+          SYNCHRONOUS, client_maker3.MakeInitialSettingsPacket(1));
+
+      partitioned_mock_quic_data2.AddWrite(
+          SYNCHRONOUS,
+          client_maker3.MakeRequestHeadersPacket(
+              2, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
+              ConvertRequestPriorityToQuicPriority(DEFAULT_PRIORITY),
+              GetRequestHeaders("GET", url2.scheme(), "/2"), 0, nullptr));
+      partitioned_mock_quic_data2.AddRead(
+          ASYNC, server_maker3.MakeResponseHeadersPacket(
+                     1, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                     false, GetResponseHeaders("200 OK"), nullptr));
+      partitioned_mock_quic_data2.AddRead(
+          ASYNC, server_maker3.MakeDataPacket(
+                     2, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                     true, ConstructDataHeader(1) + "2"));
+      partitioned_mock_quic_data2.AddWrite(
+          SYNCHRONOUS, client_maker3.MakeAckPacket(3, 2, 1, 1, true));
+
+      partitioned_mock_quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+
+      if (partition_connections) {
+        partitioned_mock_quic_data1.AddSocketDataToFactory(&socket_factory_);
+        partitioned_mock_quic_data2.AddSocketDataToFactory(&socket_factory_);
+      } else {
+        unpartitioned_mock_quic_data.AddSocketDataToFactory(&socket_factory_);
+      }
+
+      CreateSession();
+
+      TestCompletionCallback callback;
+      HttpRequestInfo request1;
+      request1.method = "GET";
+      request1.url = GURL(url1);
+      request1.traffic_annotation =
+          net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+      request1.network_isolation_key = network_isolation_key1;
+      HttpNetworkTransaction trans1(LOWEST, session_.get());
+      int rv = trans1.Start(&request1, callback.callback(), NetLogWithSource());
+      EXPECT_THAT(callback.GetResult(rv), IsOk());
+      std::string response_data1;
+      EXPECT_THAT(ReadTransaction(&trans1, &response_data1), IsOk());
+      EXPECT_EQ("1", response_data1);
+
+      HttpRequestInfo request2;
+      request2.method = "GET";
+      request2.url = GURL(url2);
+      request2.traffic_annotation =
+          net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+      request2.network_isolation_key = network_isolation_key2;
+      HttpNetworkTransaction trans2(LOWEST, session_.get());
+      rv = trans2.Start(&request2, callback.callback(), NetLogWithSource());
+      EXPECT_THAT(callback.GetResult(rv), IsOk());
+      std::string response_data2;
+      EXPECT_THAT(ReadTransaction(&trans2, &response_data2), IsOk());
+      EXPECT_EQ("2", response_data2);
+
+      HttpRequestInfo request3;
+      request3.method = "GET";
+      request3.url = GURL(url3);
+      request3.traffic_annotation =
+          net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+      request3.network_isolation_key = network_isolation_key1;
+      HttpNetworkTransaction trans3(LOWEST, session_.get());
+      rv = trans3.Start(&request3, callback.callback(), NetLogWithSource());
+      EXPECT_THAT(callback.GetResult(rv), IsOk());
+      std::string response_data3;
+      EXPECT_THAT(ReadTransaction(&trans3, &response_data3), IsOk());
+      EXPECT_EQ("3", response_data3);
+
+      if (partition_connections) {
+        EXPECT_TRUE(partitioned_mock_quic_data1.AllReadDataConsumed());
+        EXPECT_TRUE(partitioned_mock_quic_data1.AllWriteDataConsumed());
+        EXPECT_TRUE(partitioned_mock_quic_data2.AllReadDataConsumed());
+        EXPECT_TRUE(partitioned_mock_quic_data2.AllWriteDataConsumed());
+      } else {
+        EXPECT_TRUE(unpartitioned_mock_quic_data.AllReadDataConsumed());
+        EXPECT_TRUE(unpartitioned_mock_quic_data.AllWriteDataConsumed());
+      }
+    }
+  }
+}
+
+// Test that two requests to the same origin over QUIC tunnels use different
+// QUIC sessions if their NetworkIsolationKeys don't match, and
+// kPartitionConnectionsByNetworkIsolationKey is enabled.
+TEST_P(QuicNetworkTransactionTest, NetworkIsolationTunnel) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kPartitionConnectionsByNetworkIsolationKey);
+
+  session_params_.enable_quic = true;
+  session_params_.enable_quic_proxies_for_https_urls = true;
+  proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
+      "QUIC proxy.example.org:70", TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  const char kGetRequest[] =
+      "GET / HTTP/1.1\r\n"
+      "Host: mail.example.org\r\n"
+      "Connection: keep-alive\r\n\r\n";
+  const char kGetResponse[] =
+      "HTTP/1.1 200 OK\r\n"
+      "Content-Length: 10\r\n\r\n";
+
+  std::unique_ptr<MockQuicData> mock_quic_data[2] = {
+      std::make_unique<MockQuicData>(version_),
+      std::make_unique<MockQuicData>(version_)};
+
+  for (int index : {0, 1}) {
+    QuicTestPacketMaker client_maker(
+        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
+        &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+        client_headers_include_h2_stream_dependency_);
+    QuicTestPacketMaker server_maker(
+        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
+        &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+
+    mock_quic_data[index]->AddWrite(SYNCHRONOUS,
+                                    client_maker.MakeInitialSettingsPacket(1));
+
+    mock_quic_data[index]->AddWrite(
+        SYNCHRONOUS,
+        client_maker.MakeRequestHeadersPacket(
+            2, GetNthClientInitiatedBidirectionalStreamId(0), true, false,
+            ConvertRequestPriorityToQuicPriority(
+                HttpProxyConnectJob::kH2QuicTunnelPriority),
+            ConnectRequestHeaders("mail.example.org:443"), 0, nullptr));
+    mock_quic_data[index]->AddRead(
+        ASYNC, server_maker.MakeResponseHeadersPacket(
+                   1, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                   false, GetResponseHeaders("200 OK"), nullptr));
+
+    std::string header = ConstructDataHeader(strlen(kGetRequest));
+    if (version_.transport_version != quic::QUIC_VERSION_99) {
+      mock_quic_data[index]->AddWrite(
+          SYNCHRONOUS,
+          client_maker.MakeAckAndDataPacket(
+              3, false, GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
+              false, quic::QuicStringPiece(kGetRequest)));
+    } else {
+      mock_quic_data[index]->AddWrite(
+          SYNCHRONOUS,
+          client_maker.MakeAckAndMultipleDataFramesPacket(
+              3, false, GetNthClientInitiatedBidirectionalStreamId(0), 1, 1, 1,
+              false, {header, std::string(kGetRequest)}));
+    }
+
+    std::string header2 = ConstructDataHeader(strlen(kGetResponse));
+    mock_quic_data[index]->AddRead(
+        ASYNC, server_maker.MakeDataPacket(
+                   2, GetNthClientInitiatedBidirectionalStreamId(0), false,
+                   false, header2 + std::string(kGetResponse)));
+    mock_quic_data[index]->AddRead(
+        SYNCHRONOUS,
+        server_maker.MakeDataPacket(
+            3, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+            ConstructDataHeader(10) + std::string("0123456789")));
+    mock_quic_data[index]->AddWrite(
+        SYNCHRONOUS, client_maker.MakeAckPacket(4, 3, 2, 1, true));
+    mock_quic_data[index]->AddRead(SYNCHRONOUS,
+                                   ERR_IO_PENDING);  // No more data to read
+
+    mock_quic_data[index]->AddSocketDataToFactory(&socket_factory_);
+  }
+
+  socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
+  SSLSocketDataProvider ssl_data2(ASYNC, OK);
+  socket_factory_.AddSSLSocketDataProvider(&ssl_data2);
+
+  CreateSession();
+
+  request_.url = GURL("https://mail.example.org/");
+  AddQuicAlternateProtocolMapping(MockCryptoClientStream::CONFIRM_HANDSHAKE);
+  HttpNetworkTransaction trans(DEFAULT_PRIORITY, session_.get());
+  RunTransaction(&trans);
+  CheckResponseData(&trans, "0123456789");
+
+  HttpRequestInfo request2;
+  const auto kOrigin1 = url::Origin::Create(GURL("http://origin1/"));
+  request_.network_isolation_key = NetworkIsolationKey(kOrigin1, kOrigin1);
+  HttpNetworkTransaction trans2(DEFAULT_PRIORITY, session_.get());
+  RunTransaction(&trans2);
+  CheckResponseData(&trans2, "0123456789");
+
+  EXPECT_TRUE(mock_quic_data[0]->AllReadDataConsumed());
+  EXPECT_TRUE(mock_quic_data[0]->AllWriteDataConsumed());
+  EXPECT_TRUE(mock_quic_data[1]->AllReadDataConsumed());
+  EXPECT_TRUE(mock_quic_data[1]->AllWriteDataConsumed());
+}
+
 }  // namespace test
 }  // namespace net
diff --git a/chromium/net/quic/quic_proxy_client_socket.cc b/chromium/net/quic/quic_proxy_client_socket.cc
index 3e925c90bee..3cb2ba3eae4 100644
--- a/chromium/net/quic/quic_proxy_client_socket.cc
+++ b/chromium/net/quic/quic_proxy_client_socket.cc
@@ -12,6 +12,7 @@
 #include "base/callback_helpers.h"
 #include "base/values.h"
 #include "net/http/http_auth_controller.h"
+#include "net/http/http_log_util.h"
 #include "net/http/http_response_headers.h"
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_source_type.h"
@@ -36,17 +37,16 @@ QuicProxyClientSocket::QuicProxyClientSocket(
       endpoint_(endpoint),
       auth_(auth_controller),
       user_agent_(user_agent),
-      net_log_(net_log),
-      weak_factory_(this) {
+      net_log_(net_log) {
   DCHECK(stream_->IsOpen());
 
   request_.method = "CONNECT";
   request_.url = GURL("https://" + endpoint.ToString());
 
-  net_log_.BeginEvent(NetLogEventType::SOCKET_ALIVE,
-                      net_log_.source().ToEventParametersCallback());
-  net_log_.AddEvent(NetLogEventType::HTTP2_PROXY_CLIENT_SESSION,
-                    stream_->net_log().source().ToEventParametersCallback());
+  net_log_.BeginEventReferencingSource(NetLogEventType::SOCKET_ALIVE,
+                                       net_log_.source());
+  net_log_.AddEventReferencingSource(
+      NetLogEventType::HTTP2_PROXY_CLIENT_SESSION, stream_->net_log().source());
 }
 
 QuicProxyClientSocket::~QuicProxyClientSocket() {
@@ -351,10 +351,9 @@ int QuicProxyClientSocket::DoSendRequest() {
   BuildTunnelRequest(endpoint_, authorization_headers, user_agent_,
                      &request_line, &request_.extra_headers);
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
-      base::Bind(&HttpRequestHeaders::NetLogCallback,
-                 base::Unretained(&request_.extra_headers), &request_line));
+  NetLogRequestHeaders(net_log_,
+                       NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
+                       request_line, &request_.extra_headers);
 
   spdy::SpdyHeaderBlock headers;
   CreateSpdyHeadersFromHttpRequest(request_, request_.extra_headers, &headers);
@@ -400,9 +399,9 @@ int QuicProxyClientSocket::DoReadReplyComplete(int result) {
   if (response_.headers->GetHttpVersion() < HttpVersion(1, 0))
     return ERR_TUNNEL_CONNECTION_FAILED;
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
-      base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers));
+  NetLogResponseHeaders(
+      net_log_, NetLogEventType::HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
+      response_.headers.get());
 
   switch (response_.headers->response_code()) {
     case 200:  // OK
diff --git a/chromium/net/quic/quic_proxy_client_socket.h b/chromium/net/quic/quic_proxy_client_socket.h
index d72aed881e7..299526c8488 100644
--- a/chromium/net/quic/quic_proxy_client_socket.h
+++ b/chromium/net/quic/quic_proxy_client_socket.h
@@ -145,7 +145,7 @@ class NET_EXPORT_PRIVATE QuicProxyClientSocket : public ProxyClientSocket {
   const NetLogWithSource net_log_;
 
   // The default weak pointer factory.
-  base::WeakPtrFactory<QuicProxyClientSocket> weak_factory_;
+  base::WeakPtrFactory<QuicProxyClientSocket> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicProxyClientSocket);
 };
diff --git a/chromium/net/quic/quic_proxy_client_socket_unittest.cc b/chromium/net/quic/quic_proxy_client_socket_unittest.cc
index 9f3b4384dff..75b361d2845 100644
--- a/chromium/net/quic/quic_proxy_client_socket_unittest.cc
+++ b/chromium/net/quic/quic_proxy_client_socket_unittest.cc
@@ -22,6 +22,7 @@
 #include "net/http/transport_security_state.h"
 #include "net/log/test_net_log.h"
 #include "net/log/test_net_log_util.h"
+#include "net/quic/address_utils.h"
 #include "net/quic/crypto/proof_verifier_chromium.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
 #include "net/quic/mock_quic_data.h"
@@ -41,7 +42,6 @@
 #include "net/test/test_with_scoped_task_environment.h"
 #include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
@@ -127,8 +127,9 @@ class QuicProxyClientSocketTest
             quic::QuicUtils::GetHeadersStreamId(version_.transport_version) +
             quic::QuicUtils::StreamIdDelta(version_.transport_version)),
         client_headers_include_h2_stream_dependency_(std::get<1>(GetParam())),
-        crypto_config_(quic::test::crypto_test_utils::ProofVerifierForTesting(),
-                       quic::TlsClientHandshaker::CreateSslCtx()),
+        mock_quic_data_(version_),
+        crypto_config_(
+            quic::test::crypto_test_utils::ProofVerifierForTesting()),
         connection_id_(quic::test::TestConnectionId(2)),
         client_maker_(version_,
                       connection_id_,
@@ -143,8 +144,6 @@ class QuicProxyClientSocketTest
                       quic::Perspective::IS_SERVER,
                       false),
         random_generator_(0),
-        header_stream_offset_(0),
-        response_offset_(0),
         user_agent_(kUserAgent),
         proxy_host_port_(kProxyHost, kProxyPort),
         endpoint_host_port_(kOriginHost, kOriginPort),
@@ -153,6 +152,9 @@ class QuicProxyClientSocketTest
     IPAddress ip(192, 0, 2, 33);
     peer_addr_ = IPEndPoint(ip, 443);
     clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(20));
+    if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+      SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
+    }
   }
 
   void SetUp() override {}
@@ -192,9 +194,8 @@ class QuicProxyClientSocketTest
     QuicChromiumPacketWriter* writer = new QuicChromiumPacketWriter(
         socket.get(), base::ThreadTaskRunnerHandle::Get().get());
     quic::QuicConnection* connection = new quic::QuicConnection(
-        connection_id_,
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(peer_addr_)),
-        helper_.get(), alarm_factory_.get(), writer, true /* owns_writer */,
+        connection_id_, net::ToQuicSocketAddress(peer_addr_), helper_.get(),
+        alarm_factory_.get(), writer, true /* owns_writer */,
         quic::Perspective::IS_CLIENT, quic::test::SupportedVersions(version_));
     connection->set_visitor(&visitor_);
     quic::test::QuicConnectionPeer::SetSendAlgorithm(connection,
@@ -219,14 +220,15 @@ class QuicProxyClientSocketTest
         base::WrapUnique(static_cast<QuicServerInfo*>(nullptr)),
         QuicSessionKey("mail.example.org", 80, PRIVACY_MODE_DISABLED,
                        SocketTag()),
-        /*require_confirmation=*/false, /*migrate_session_early_v2=*/false,
+        /*require_confirmation=*/false,
+        /*max_allowed_push_id=*/0,
+        /*migrate_session_early_v2=*/false,
         /*migrate_session_on_network_change_v2=*/false,
         /*default_network=*/NetworkChangeNotifier::kInvalidNetworkHandle,
         quic::QuicTime::Delta::FromMilliseconds(
-            kDefaultRetransmittableOnWireTimeoutMillisecs),
-        /*migrate_idle_session=*/true,
-        base::TimeDelta::FromSeconds(kDefaultIdleSessionMigrationPeriodSeconds),
-        base::TimeDelta::FromSeconds(kMaxTimeOnNonDefaultNetworkSecs),
+            kDefaultRetransmittableOnWireTimeout.InMilliseconds()),
+        /*migrate_idle_session=*/true, kDefaultIdleSessionMigrationPeriod,
+        kMaxTimeOnNonDefaultNetwork,
         kMaxMigrationsToNonDefaultNetworkOnWriteError,
         kMaxMigrationsToNonDefaultNetworkOnPathDegrading,
         kQuicYieldAfterPacketsRead,
@@ -278,19 +280,7 @@ class QuicProxyClientSocketTest
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructSettingsPacket(
       uint64_t packet_number) {
-    return client_maker_.MakeInitialSettingsPacket(packet_number,
-                                                   &header_stream_offset_);
-  }
-
-  std::unique_ptr<quic::QuicReceivedPacket> ConstructAckAndRstPacket(
-      uint64_t packet_number,
-      quic::QuicRstStreamErrorCode error_code,
-      uint64_t largest_received,
-      uint64_t smallest_received,
-      uint64_t least_unacked) {
-    return client_maker_.MakeAckAndRstPacket(
-        packet_number, !kIncludeVersion, client_data_stream_id1_, error_code,
-        largest_received, smallest_received, least_unacked, kSendFeedback);
+    return client_maker_.MakeInitialSettingsPacket(packet_number);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructAckAndRstOnlyPacket(
@@ -298,12 +288,10 @@ class QuicProxyClientSocketTest
       quic::QuicRstStreamErrorCode error_code,
       uint64_t largest_received,
       uint64_t smallest_received,
-      uint64_t least_unacked,
-      size_t bytes_written) {
+      uint64_t least_unacked) {
     return client_maker_.MakeAckAndRstPacket(
         packet_number, !kIncludeVersion, client_data_stream_id1_, error_code,
         largest_received, smallest_received, least_unacked, kSendFeedback,
-        bytes_written,
         /*include_stop_sending=*/false);
   }
 
@@ -312,22 +300,18 @@ class QuicProxyClientSocketTest
       quic::QuicRstStreamErrorCode error_code,
       uint64_t largest_received,
       uint64_t smallest_received,
-      uint64_t least_unacked,
-      size_t bytes_written) {
+      uint64_t least_unacked) {
     return client_maker_.MakeAckAndRstPacket(
         packet_number, !kIncludeVersion, client_data_stream_id1_, error_code,
         largest_received, smallest_received, least_unacked, kSendFeedback,
-        bytes_written,
         /*include_stop_sending_if_v99=*/true);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructRstPacket(
       uint64_t packet_number,
-      quic::QuicRstStreamErrorCode error_code,
-      size_t bytes_written) {
+      quic::QuicRstStreamErrorCode error_code) {
     return client_maker_.MakeRstPacket(packet_number, !kIncludeVersion,
                                        client_data_stream_id1_, error_code,
-                                       bytes_written,
                                        /*include_stop_sending_if_v99=*/true);
   }
 
@@ -339,7 +323,7 @@ class QuicProxyClientSocketTest
     return client_maker_.MakeRequestHeadersPacket(
         packet_number, client_data_stream_id1_, kIncludeVersion, !kFin,
         ConvertRequestPriorityToQuicPriority(request_priority),
-        std::move(block), 0, nullptr, &header_stream_offset_);
+        std::move(block), 0, nullptr);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructConnectAuthRequestPacket(
@@ -350,23 +334,21 @@ class QuicProxyClientSocketTest
     return client_maker_.MakeRequestHeadersPacket(
         packet_number, client_data_stream_id1_, kIncludeVersion, !kFin,
         ConvertRequestPriorityToQuicPriority(LOWEST), std::move(block), 0,
-        nullptr, &header_stream_offset_);
+        nullptr);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructDataPacket(
       uint64_t packet_number,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
     return client_maker_.MakeDataPacket(packet_number, client_data_stream_id1_,
-                                        !kIncludeVersion, !kFin, offset, data);
+                                        !kIncludeVersion, !kFin, data);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructMultipleDataFramesPacket(
       uint64_t packet_number,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string> data_writes) {
     return client_maker_.MakeMultipleDataFramesPacket(
-        packet_number, client_data_stream_id1_, !kIncludeVersion, !kFin, offset,
+        packet_number, client_data_stream_id1_, !kIncludeVersion, !kFin,
         data_writes);
   }
 
@@ -375,12 +357,10 @@ class QuicProxyClientSocketTest
       uint64_t largest_received,
       uint64_t smallest_received,
       uint64_t least_unacked,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
     return client_maker_.MakeAckAndDataPacket(
         packet_number, !kIncludeVersion, client_data_stream_id1_,
-        largest_received, smallest_received, least_unacked, !kFin, offset,
-        data);
+        largest_received, smallest_received, least_unacked, !kFin, data);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -389,12 +369,10 @@ class QuicProxyClientSocketTest
       uint64_t largest_received,
       uint64_t smallest_received,
       uint64_t least_unacked,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string> data_writes) {
     return client_maker_.MakeAckAndMultipleDataFramesPacket(
         packet_number, !kIncludeVersion, client_data_stream_id1_,
-        largest_received, smallest_received, least_unacked, !kFin, offset,
-        data_writes);
+        largest_received, smallest_received, least_unacked, !kFin, data_writes);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructAckPacket(
@@ -411,28 +389,24 @@ class QuicProxyClientSocketTest
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerRstPacket(
       uint64_t packet_number,
-      quic::QuicRstStreamErrorCode error_code,
-      size_t bytes_written) {
+      quic::QuicRstStreamErrorCode error_code) {
     return server_maker_.MakeRstPacket(packet_number, !kIncludeVersion,
                                        client_data_stream_id1_, error_code,
-                                       bytes_written,
                                        /*include_stop_sending_if_v99=*/true);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerDataPacket(
       uint64_t packet_number,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
     return server_maker_.MakeDataPacket(packet_number, client_data_stream_id1_,
-                                        !kIncludeVersion, !kFin, offset, data);
+                                        !kIncludeVersion, !kFin, data);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerDataFinPacket(
       uint64_t packet_number,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
     return server_maker_.MakeDataPacket(packet_number, client_data_stream_id1_,
-                                        !kIncludeVersion, kFin, offset, data);
+                                        !kIncludeVersion, kFin, data);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerConnectReplyPacket(
@@ -443,7 +417,7 @@ class QuicProxyClientSocketTest
 
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, client_data_stream_id1_, !kIncludeVersion, fin,
-        std::move(block), nullptr, &response_offset_);
+        std::move(block), nullptr);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -453,7 +427,7 @@ class QuicProxyClientSocketTest
     block["proxy-authenticate"] = "Basic realm=\"MyRealm1\"";
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, client_data_stream_id1_, !kIncludeVersion, fin,
-        std::move(block), nullptr, &response_offset_);
+        std::move(block), nullptr);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -464,7 +438,7 @@ class QuicProxyClientSocketTest
     block["set-cookie"] = "foo=bar";
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, client_data_stream_id1_, !kIncludeVersion, fin,
-        std::move(block), nullptr, &response_offset_);
+        std::move(block), nullptr);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -474,7 +448,7 @@ class QuicProxyClientSocketTest
 
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, client_data_stream_id1_, !kIncludeVersion, fin,
-        std::move(block), nullptr, &response_offset_);
+        std::move(block), nullptr);
   }
 
   void AssertConnectSucceeds() {
@@ -562,6 +536,8 @@ class QuicProxyClientSocketTest
     return std::string(buffer.get(), header_length);
   }
 
+  BoundTestNetLog net_log_;
+  QuicFlagSaver saver_;
   const quic::ParsedQuicVersion version_;
   const quic::QuicStreamId client_data_stream_id1_;
   const bool client_headers_include_h2_stream_dependency_;
@@ -574,8 +550,6 @@ class QuicProxyClientSocketTest
   std::unique_ptr<QuicChromiumClientSession::Handle> session_handle_;
   std::unique_ptr<QuicProxyClientSocket> sock_;
 
-  BoundTestNetLog net_log_;
-
   quic::test::MockSendAlgorithm* send_algorithm_;
   scoped_refptr<TestTaskRunner> runner_;
 
@@ -592,8 +566,6 @@ class QuicProxyClientSocketTest
   quic::test::MockRandom random_generator_;
   ProofVerifyDetailsChromium verify_details_;
   MockCryptoClientStreamFactory crypto_client_stream_factory_;
-  quic::QuicStreamOffset header_stream_offset_;
-  quic::QuicStreamOffset response_offset_;
 
   std::string user_agent_;
   HostPortPair proxy_host_port_;
@@ -766,12 +738,12 @@ TEST_P(QuicProxyClientSocketTest, IsConnectedAndIdle) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED, 0));
+  mock_quic_data_.AddWrite(SYNCHRONOUS,
+                           ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED));
 
   Initialize();
 
@@ -800,11 +772,11 @@ TEST_P(QuicProxyClientSocketTest, GetTotalReceivedBytes) {
   std::string header = ConstructDataHeader(kLen333);
   mock_quic_data_.AddRead(
       ASYNC,
-      ConstructServerDataPacket(2, 0, header + std::string(kMsg333, kLen333)));
+      ConstructServerDataPacket(2, header + std::string(kMsg333, kLen333)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED, 0));
+  mock_quic_data_.AddWrite(SYNCHRONOUS,
+                           ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED));
 
   Initialize();
 
@@ -859,25 +831,21 @@ TEST_P(QuicProxyClientSocketTest, WriteSendsDataInDataFrame) {
     std::string header = ConstructDataHeader(kLen1);
     mock_quic_data_.AddWrite(
         SYNCHRONOUS, ConstructAckAndMultipleDataFramesPacket(
-                         3, 1, 1, 1, 0, {header, std::string(kMsg1, kLen1)}));
+                         3, 1, 1, 1, {header, std::string(kMsg1, kLen1)}));
     std::string header2 = ConstructDataHeader(kLen2);
+    mock_quic_data_.AddWrite(SYNCHRONOUS,
+                             ConstructMultipleDataFramesPacket(
+                                 4, {header2, std::string(kMsg2, kLen2)}));
     mock_quic_data_.AddWrite(
-        SYNCHRONOUS,
-        ConstructMultipleDataFramesPacket(
-            4, kLen1 + header.length(), {header2, std::string(kMsg2, kLen2)}));
-    mock_quic_data_.AddWrite(
-        SYNCHRONOUS,
-        ConstructRstPacket(5, quic::QUIC_STREAM_CANCELLED,
-                           kLen1 + kLen2 + header.length() + header2.length()));
+        SYNCHRONOUS, ConstructRstPacket(5, quic::QUIC_STREAM_CANCELLED));
   } else {
     mock_quic_data_.AddWrite(
         SYNCHRONOUS,
-        ConstructAckAndDataPacket(3, 1, 1, 1, 0, std::string(kMsg1, kLen1)));
-    mock_quic_data_.AddWrite(
-        SYNCHRONOUS, ConstructDataPacket(4, kLen1, std::string(kMsg2, kLen2)));
+        ConstructAckAndDataPacket(3, 1, 1, 1, std::string(kMsg1, kLen1)));
+    mock_quic_data_.AddWrite(SYNCHRONOUS,
+                             ConstructDataPacket(4, std::string(kMsg2, kLen2)));
     mock_quic_data_.AddWrite(
-        SYNCHRONOUS,
-        ConstructRstPacket(5, quic::QUIC_STREAM_CANCELLED, kLen1 + kLen2));
+        SYNCHRONOUS, ConstructRstPacket(5, quic::QUIC_STREAM_CANCELLED));
   }
 
   Initialize();
@@ -899,12 +867,12 @@ TEST_P(QuicProxyClientSocketTest, WriteSplitsLargeDataIntoMultiplePackets) {
   std::string header = ConstructDataHeader(kLen1);
   if (version_.transport_version != quic::QUIC_VERSION_99) {
     mock_quic_data_.AddWrite(
-        SYNCHRONOUS, ConstructAckAndDataPacket(write_packet_index++, 1, 1, 1, 0,
+        SYNCHRONOUS, ConstructAckAndDataPacket(write_packet_index++, 1, 1, 1,
                                                std::string(kMsg1, kLen1)));
   } else {
     mock_quic_data_.AddWrite(SYNCHRONOUS,
                              ConstructAckAndMultipleDataFramesPacket(
-                                 write_packet_index++, 1, 1, 1, 0,
+                                 write_packet_index++, 1, 1, 1,
                                  {header, std::string(kMsg1, kLen1)}));
   }
 
@@ -914,7 +882,8 @@ TEST_P(QuicProxyClientSocketTest, WriteSplitsLargeDataIntoMultiplePackets) {
   std::string data(numDataPackets * quic::kDefaultMaxPacketSize, 'x');
   quic::QuicStreamOffset offset = kLen1 + header.length();
 
-  if (version_.transport_version == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99 ||
+      version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
     numDataPackets++;
   }
   size_t total_data_length = 0;
@@ -928,20 +897,40 @@ TEST_P(QuicProxyClientSocketTest, WriteSplitsLargeDataIntoMultiplePackets) {
       std::string header2 = ConstructDataHeader(3973);
       mock_quic_data_.AddWrite(
           SYNCHRONOUS, ConstructMultipleDataFramesPacket(
-                           write_packet_index++, offset,
+                           write_packet_index++,
                            {header2, std::string(data.c_str(),
                                                  max_packet_data_length - 7)}));
       offset += max_packet_data_length - header2.length() - 1;
+    } else if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 && i == 0) {
+      mock_quic_data_.AddWrite(
+          SYNCHRONOUS,
+          ConstructDataPacket(
+              write_packet_index++,
+              std::string(data.c_str(), max_packet_data_length - 4)));
+      offset += max_packet_data_length - 4;
     } else if (version_.transport_version == quic::QUIC_VERSION_99 &&
                i == numDataPackets - 1) {
       mock_quic_data_.AddWrite(
-          SYNCHRONOUS, ConstructDataPacket(write_packet_index++, offset,
+          SYNCHRONOUS, ConstructDataPacket(write_packet_index++,
                                            std::string(data.c_str(), 7)));
       offset += 7;
+    } else if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+               i == numDataPackets - 1) {
+      mock_quic_data_.AddWrite(
+          SYNCHRONOUS, ConstructDataPacket(write_packet_index++,
+                                           std::string(data.c_str(), 12)));
+      offset += 12;
+    } else if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+      mock_quic_data_.AddWrite(
+          SYNCHRONOUS,
+          ConstructDataPacket(
+              write_packet_index++,
+              std::string(data.c_str(), max_packet_data_length - 4)));
+      offset += max_packet_data_length - 4;
     } else {
       mock_quic_data_.AddWrite(
           SYNCHRONOUS, ConstructDataPacket(
-                           write_packet_index++, offset,
+                           write_packet_index++,
                            std::string(data.c_str(), max_packet_data_length)));
       offset += max_packet_data_length;
     }
@@ -951,8 +940,8 @@ TEST_P(QuicProxyClientSocketTest, WriteSplitsLargeDataIntoMultiplePackets) {
   }
 
   mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructRstPacket(write_packet_index++,
-                                      quic::QUIC_STREAM_CANCELLED, offset));
+      SYNCHRONOUS,
+      ConstructRstPacket(write_packet_index++, quic::QUIC_STREAM_CANCELLED));
 
   Initialize();
 
@@ -977,12 +966,12 @@ TEST_P(QuicProxyClientSocketTest, ReadReadsDataInDataFrame) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED, 0));
+  mock_quic_data_.AddWrite(SYNCHRONOUS,
+                           ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED));
 
   Initialize();
 
@@ -999,15 +988,14 @@ TEST_P(QuicProxyClientSocketTest, ReadDataFromBufferedFrames) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header2 = ConstructDataHeader(kLen2);
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(3, kLen1 + header.length(),
-                                       header2 + std::string(kMsg2, kLen2)));
+      ASYNC, ConstructServerDataPacket(3, header2 + std::string(kMsg2, kLen2)));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
   mock_quic_data_.AddWrite(
@@ -1032,13 +1020,12 @@ TEST_P(QuicProxyClientSocketTest, ReadDataMultipleBufferedFrames) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   std::string header2 = ConstructDataHeader(kLen2);
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(3, kLen1 + header.length(),
-                                       header2 + std::string(kMsg2, kLen2)));
+      ASYNC, ConstructServerDataPacket(3, header2 + std::string(kMsg2, kLen2)));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
   mock_quic_data_.AddWrite(
@@ -1063,13 +1050,12 @@ TEST_P(QuicProxyClientSocketTest, LargeReadWillMergeDataFromDifferentFrames) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen3);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg3, kLen3)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg3, kLen3)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   std::string header2 = ConstructDataHeader(kLen3);
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(3, kLen3 + header.length(),
-                                       header2 + std::string(kMsg3, kLen3)));
+      ASYNC, ConstructServerDataPacket(3, header2 + std::string(kMsg3, kLen3)));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
   mock_quic_data_.AddWrite(
@@ -1097,26 +1083,22 @@ TEST_P(QuicProxyClientSocketTest, MultipleShortReadsThenMoreRead) {
 
   std::string header = ConstructDataHeader(kLen1);
   mock_quic_data_.AddRead(
-      ASYNC,
-      ConstructServerDataPacket(2, offset, header + std::string(kMsg1, kLen1)));
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   offset += kLen1 + header.length();
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
 
   std::string header2 = ConstructDataHeader(kLen3);
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(3, offset,
-                                       header2 + std::string(kMsg3, kLen3)));
+      ASYNC, ConstructServerDataPacket(3, header2 + std::string(kMsg3, kLen3)));
   offset += kLen3 + header2.length();
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(4, offset,
-                                       header2 + std::string(kMsg3, kLen3)));
+      ASYNC, ConstructServerDataPacket(4, header2 + std::string(kMsg3, kLen3)));
   offset += kLen3 + header2.length();
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(4, 4, 3, 1));
 
   std::string header3 = ConstructDataHeader(kLen2);
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(5, offset,
-                                       header3 + std::string(kMsg2, kLen2)));
+      ASYNC, ConstructServerDataPacket(5, header3 + std::string(kMsg2, kLen2)));
   offset += kLen2 + header3.length();
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
@@ -1145,13 +1127,12 @@ TEST_P(QuicProxyClientSocketTest, ReadWillSplitDataFromLargeFrame) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   std::string header2 = ConstructDataHeader(kLen33);
-  mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(3, kLen1 + header.length(),
-                                       header2 + std::string(kMsg33, kLen33)));
+  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
+                                     3, header2 + std::string(kMsg33, kLen33)));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
   mock_quic_data_.AddWrite(
@@ -1181,12 +1162,12 @@ TEST_P(QuicProxyClientSocketTest, MultipleReadsFromSameLargeFrame) {
   std::string header = ConstructDataHeader(kLen333);
   mock_quic_data_.AddRead(
       ASYNC,
-      ConstructServerDataPacket(2, 0, header + std::string(kMsg333, kLen333)));
+      ConstructServerDataPacket(2, header + std::string(kMsg333, kLen333)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
-  mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED, 0));
+  mock_quic_data_.AddWrite(SYNCHRONOUS,
+                           ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED));
 
   Initialize();
 
@@ -1215,13 +1196,12 @@ TEST_P(QuicProxyClientSocketTest, ReadAuthResponseBody) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   std::string header2 = ConstructDataHeader(kLen2);
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(3, kLen1 + header.length(),
-                                       header2 + std::string(kMsg2, kLen2)));
+      ASYNC, ConstructServerDataPacket(3, header2 + std::string(kMsg2, kLen2)));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
   mock_quic_data_.AddWrite(
@@ -1247,13 +1227,12 @@ TEST_P(QuicProxyClientSocketTest, ReadErrorResponseBody) {
   std::string header = ConstructDataHeader(kLen1);
   mock_quic_data_.AddRead(
       SYNCHRONOUS,
-      ConstructServerDataPacket(2, 0, header + std::string(kMsg1, kLen1)));
+      ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   std::string header2 = ConstructDataHeader(kLen2);
   mock_quic_data_.AddRead(
       SYNCHRONOUS,
-      ConstructServerDataPacket(3, kLen1 + header.length(),
-                                header2 + std::string(kMsg2, kLen2)));
+      ConstructServerDataPacket(3, header2 + std::string(kMsg2, kLen2)));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
   mock_quic_data_.AddWrite(
@@ -1276,8 +1255,8 @@ TEST_P(QuicProxyClientSocketTest, AsyncReadAroundWrite) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS,
                            ConstructAckPacket(write_packet_index++, 2, 1, 1));
 
@@ -1286,25 +1265,24 @@ TEST_P(QuicProxyClientSocketTest, AsyncReadAroundWrite) {
     mock_quic_data_.AddWrite(
         SYNCHRONOUS,
         ConstructMultipleDataFramesPacket(
-            write_packet_index++, 0, {header2, std::string(kMsg2, kLen2)}));
+            write_packet_index++, {header2, std::string(kMsg2, kLen2)}));
   } else {
     mock_quic_data_.AddWrite(
-        SYNCHRONOUS, ConstructDataPacket(write_packet_index++, header2.length(),
-                                         std::string(kMsg2, kLen2)));
+        SYNCHRONOUS,
+        ConstructDataPacket(write_packet_index++, std::string(kMsg2, kLen2)));
   }
 
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header3 = ConstructDataHeader(kLen3);
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(3, kLen1 + header.length(),
-                                       header3 + std::string(kMsg3, kLen3)));
+      ASYNC, ConstructServerDataPacket(3, header3 + std::string(kMsg3, kLen3)));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
   mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructAckAndRstPacket(write_packet_index++,
-                                            quic::QUIC_STREAM_CANCELLED, 3, 3,
-                                            1, kLen2 + header2.length()));
+      SYNCHRONOUS,
+      ConstructAckAndRstPacket(write_packet_index++,
+                               quic::QUIC_STREAM_CANCELLED, 3, 3, 1));
 
   Initialize();
 
@@ -1333,38 +1311,36 @@ TEST_P(QuicProxyClientSocketTest, AsyncWriteAroundReads) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header2 = ConstructDataHeader(kLen3);
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerDataPacket(3, kLen1 + header.length(),
-                                       header2 + std::string(kMsg3, kLen3)));
+      ASYNC, ConstructServerDataPacket(3, header2 + std::string(kMsg3, kLen3)));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
 
   mock_quic_data_.AddWrite(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header3 = ConstructDataHeader(kLen2);
   if (version_.transport_version != quic::QUIC_VERSION_99) {
+    mock_quic_data_.AddWrite(ASYNC,
+                             ConstructDataPacket(4, std::string(kMsg2, kLen2)));
     mock_quic_data_.AddWrite(
-        ASYNC, ConstructDataPacket(4, 0, std::string(kMsg2, kLen2)));
-    mock_quic_data_.AddWrite(
-        SYNCHRONOUS, ConstructAckAndDataPacket(5, 3, 3, 1, kLen2,
-                                               std::string(kMsg2, kLen2)));
+        SYNCHRONOUS,
+        ConstructAckAndDataPacket(5, 3, 3, 1, std::string(kMsg2, kLen2)));
   } else {
     mock_quic_data_.AddWrite(ASYNC,
                              ConstructMultipleDataFramesPacket(
-                                 4, 0, {header3, std::string(kMsg2, kLen2)}));
+                                 4, {header3, std::string(kMsg2, kLen2)}));
     mock_quic_data_.AddWrite(
-        ASYNC, ConstructAckAndDataPacket(5, 3, 3, 1, header3.length() + kLen2,
+        ASYNC, ConstructAckAndDataPacket(5, 3, 3, 1,
                                          header3 + std::string(kMsg2, kLen2)));
   }
 
-  mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructRstPacket(6, quic::QUIC_STREAM_CANCELLED,
-                                      kLen2 + kLen2 + 2 * header3.length()));
+  mock_quic_data_.AddWrite(SYNCHRONOUS,
+                           ConstructRstPacket(6, quic::QUIC_STREAM_CANCELLED));
 
   Initialize();
 
@@ -1464,11 +1440,11 @@ TEST_P(QuicProxyClientSocketTest, ReadAfterFinReceivedReturnsBufferedData) {
 
   std::string header = ConstructDataHeader(kLen1);
   mock_quic_data_.AddRead(ASYNC, ConstructServerDataFinPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+                                     2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED, 0));
+  mock_quic_data_.AddWrite(SYNCHRONOUS,
+                           ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED));
 
   Initialize();
 
@@ -1625,23 +1601,22 @@ TEST_P(QuicProxyClientSocketTest, RstWithReadAndWritePending) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerRstPacket(2, quic::QUIC_STREAM_CANCELLED, 0));
+      ASYNC, ConstructServerRstPacket(2, quic::QUIC_STREAM_CANCELLED));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   std::string header = ConstructDataHeader(kLen2);
   if (version_.transport_version != quic::QUIC_VERSION_99) {
+    mock_quic_data_.AddWrite(ASYNC, ConstructAckAndDataPacket(
+                                        3, 1, 1, 1, std::string(kMsg2, kLen2)));
     mock_quic_data_.AddWrite(
-        ASYNC,
-        ConstructAckAndDataPacket(3, 1, 1, 1, 0, std::string(kMsg2, kLen2)));
-    mock_quic_data_.AddWrite(
-        SYNCHRONOUS, ConstructAckAndRstPacket(4, quic::QUIC_RST_ACKNOWLEDGEMENT,
-                                              2, 2, 1, kLen2));
+        SYNCHRONOUS,
+        ConstructAckAndRstPacket(4, quic::QUIC_RST_ACKNOWLEDGEMENT, 2, 2, 1));
   } else {
     mock_quic_data_.AddWrite(
         ASYNC, ConstructAckAndMultipleDataFramesPacket(
-                   3, 1, 1, 1, 0, {header, std::string(kMsg2, kLen2)}));
-    mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckAndRstOnlyPacket(
-                                              4, quic::QUIC_STREAM_CANCELLED, 2,
-                                              2, 1, header.length() + kLen2));
+                   3, 1, 1, 1, {header, std::string(kMsg2, kLen2)}));
+    mock_quic_data_.AddWrite(
+        SYNCHRONOUS,
+        ConstructAckAndRstOnlyPacket(4, quic::QUIC_STREAM_CANCELLED, 2, 2, 1));
   }
 
   Initialize();
@@ -1676,12 +1651,12 @@ TEST_P(QuicProxyClientSocketTest, NetLog) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   std::string header = ConstructDataHeader(kLen1);
-  mock_quic_data_.AddRead(ASYNC, ConstructServerDataPacket(
-                                     2, 0, header + std::string(kMsg1, kLen1)));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerDataPacket(2, header + std::string(kMsg1, kLen1)));
   mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckPacket(3, 2, 1, 1));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  mock_quic_data_.AddWrite(
-      SYNCHRONOUS, ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED, 0));
+  mock_quic_data_.AddWrite(SYNCHRONOUS,
+                           ConstructRstPacket(4, quic::QUIC_STREAM_CANCELLED));
 
   Initialize();
 
@@ -1693,8 +1668,7 @@ TEST_P(QuicProxyClientSocketTest, NetLog) {
   NetLogSource sock_source = sock_->NetLog().source();
   sock_.reset();
 
-  TestNetLogEntry::List entry_list;
-  net_log_.GetEntriesForSource(sock_source, &entry_list);
+  auto entry_list = net_log_.GetEntriesForSource(sock_source);
 
   ASSERT_EQ(entry_list.size(), 10u);
   EXPECT_TRUE(
@@ -1758,23 +1732,22 @@ TEST_P(QuicProxyClientSocketTest, RstWithReadAndWritePendingDelete) {
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
   mock_quic_data_.AddRead(
-      ASYNC, ConstructServerRstPacket(2, quic::QUIC_STREAM_CANCELLED, 0));
+      ASYNC, ConstructServerRstPacket(2, quic::QUIC_STREAM_CANCELLED));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   if (version_.transport_version != quic::QUIC_VERSION_99) {
+    mock_quic_data_.AddWrite(ASYNC, ConstructAckAndDataPacket(
+                                        3, 1, 1, 1, std::string(kMsg1, kLen1)));
     mock_quic_data_.AddWrite(
-        ASYNC,
-        ConstructAckAndDataPacket(3, 1, 1, 1, 0, std::string(kMsg1, kLen1)));
-    mock_quic_data_.AddWrite(
-        SYNCHRONOUS, ConstructAckAndRstPacket(4, quic::QUIC_RST_ACKNOWLEDGEMENT,
-                                              2, 2, 1, kLen1));
+        SYNCHRONOUS,
+        ConstructAckAndRstPacket(4, quic::QUIC_RST_ACKNOWLEDGEMENT, 2, 2, 1));
   } else {
     std::string header = ConstructDataHeader(kLen1);
     mock_quic_data_.AddWrite(
         ASYNC, ConstructAckAndMultipleDataFramesPacket(
-                   3, 1, 1, 1, 0, {header, std::string(kMsg1, kLen1)}));
-    mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructAckAndRstOnlyPacket(
-                                              4, quic::QUIC_STREAM_CANCELLED, 2,
-                                              2, 1, header.length() + kLen1));
+                   3, 1, 1, 1, {header, std::string(kMsg1, kLen1)}));
+    mock_quic_data_.AddWrite(
+        SYNCHRONOUS,
+        ConstructAckAndRstOnlyPacket(4, quic::QUIC_STREAM_CANCELLED, 2, 2, 1));
   }
 
   Initialize();
diff --git a/chromium/net/quic/quic_server_info.h b/chromium/net/quic/quic_server_info.h
index 768243870d4..e3ae6726e15 100644
--- a/chromium/net/quic/quic_server_info.h
+++ b/chromium/net/quic/quic_server_info.h
@@ -60,7 +60,7 @@ class QUIC_EXPORT_PRIVATE QuicServerInfo {
 
     void Clear();
 
-    // This class matches QuicClientCryptoConfig::CachedState.
+    // This class matches QuicCryptoClientConfig::CachedState.
     std::string server_config;         // A serialized handshake message.
     std::string source_address_token;  // An opaque proof of IP ownership.
     std::string cert_sct;              // Signed timestamp of the leaf cert.
diff --git a/chromium/net/quic/quic_session_key.cc b/chromium/net/quic/quic_session_key.cc
index da9a601411f..d7907d6b10b 100644
--- a/chromium/net/quic/quic_session_key.cc
+++ b/chromium/net/quic/quic_session_key.cc
@@ -4,34 +4,50 @@
 
 #include "net/quic/quic_session_key.h"
 
+#include "base/feature_list.h"
+#include "net/base/features.h"
+
 namespace net {
 
 QuicSessionKey::QuicSessionKey(const HostPortPair& host_port_pair,
                                PrivacyMode privacy_mode,
-                               const SocketTag& socket_tag)
+                               const SocketTag& socket_tag,
+                               const NetworkIsolationKey& network_isolation_key)
     : QuicSessionKey(host_port_pair.host(),
                      host_port_pair.port(),
                      privacy_mode,
-                     socket_tag) {}
+                     socket_tag,
+                     network_isolation_key) {}
 
 QuicSessionKey::QuicSessionKey(const std::string& host,
                                uint16_t port,
                                PrivacyMode privacy_mode,
-                               const SocketTag& socket_tag)
+                               const SocketTag& socket_tag,
+                               const NetworkIsolationKey& network_isolation_key)
     : QuicSessionKey(
           quic::QuicServerId(host, port, privacy_mode == PRIVACY_MODE_ENABLED),
-          socket_tag) {}
+          socket_tag,
+          network_isolation_key) {}
 
 QuicSessionKey::QuicSessionKey(const quic::QuicServerId& server_id,
-                               const SocketTag& socket_tag)
-    : server_id_(server_id), socket_tag_(socket_tag) {}
+                               const SocketTag& socket_tag,
+                               const NetworkIsolationKey& network_isolation_key)
+    : server_id_(server_id),
+      socket_tag_(socket_tag),
+      network_isolation_key_(
+          base::FeatureList::IsEnabled(
+              features::kPartitionConnectionsByNetworkIsolationKey)
+              ? network_isolation_key
+              : NetworkIsolationKey()) {}
 
 bool QuicSessionKey::operator<(const QuicSessionKey& other) const {
-  return std::tie(server_id_, socket_tag_) <
-         std::tie(other.server_id_, other.socket_tag_);
+  return std::tie(server_id_, socket_tag_, network_isolation_key_) <
+         std::tie(other.server_id_, other.socket_tag_,
+                  other.network_isolation_key_);
 }
 bool QuicSessionKey::operator==(const QuicSessionKey& other) const {
-  return server_id_ == other.server_id_ && socket_tag_ == other.socket_tag_;
+  return server_id_ == other.server_id_ && socket_tag_ == other.socket_tag_ &&
+         network_isolation_key_ == other.network_isolation_key_;
 }
 
 size_t QuicSessionKey::EstimateMemoryUsage() const {
diff --git a/chromium/net/quic/quic_session_key.h b/chromium/net/quic/quic_session_key.h
index 127726caa1e..506556453f7 100644
--- a/chromium/net/quic/quic_session_key.h
+++ b/chromium/net/quic/quic_session_key.h
@@ -6,6 +6,7 @@
 #define NET_QUIC_QUIC_SESSION_KEY_H_
 
 #include "net/base/host_port_pair.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/socket/socket_tag.h"
 #include "net/third_party/quiche/src/quic/core/quic_server_id.h"
@@ -16,16 +17,24 @@ namespace net {
 // tag.
 class QUIC_EXPORT_PRIVATE QuicSessionKey {
  public:
+  // TODO(mmenke): Remove default NetworkIsolationKey() values, which are only
+  // used in tests.
   QuicSessionKey() = default;
-  QuicSessionKey(const HostPortPair& host_port_pair,
-                 PrivacyMode privacy_mode,
-                 const SocketTag& socket_tag);
-  QuicSessionKey(const std::string& host,
-                 uint16_t port,
-                 PrivacyMode privacy_mode,
-                 const SocketTag& socket_tag);
-  QuicSessionKey(const quic::QuicServerId& server_id,
-                 const SocketTag& socket_tag);
+  QuicSessionKey(
+      const HostPortPair& host_port_pair,
+      PrivacyMode privacy_mode,
+      const SocketTag& socket_tag,
+      const NetworkIsolationKey& network_isolation_key = NetworkIsolationKey());
+  QuicSessionKey(
+      const std::string& host,
+      uint16_t port,
+      PrivacyMode privacy_mode,
+      const SocketTag& socket_tag,
+      const NetworkIsolationKey& network_isolation_key = NetworkIsolationKey());
+  QuicSessionKey(
+      const quic::QuicServerId& server_id,
+      const SocketTag& socket_tag,
+      const NetworkIsolationKey& network_isolation_key = NetworkIsolationKey());
   ~QuicSessionKey() = default;
 
   // Needed to be an element of std::set.
@@ -43,11 +52,17 @@ class QUIC_EXPORT_PRIVATE QuicSessionKey {
 
   SocketTag socket_tag() const { return socket_tag_; }
 
+  const NetworkIsolationKey& network_isolation_key() const {
+    return network_isolation_key_;
+  }
+
   size_t EstimateMemoryUsage() const;
 
  private:
   quic::QuicServerId server_id_;
   SocketTag socket_tag_;
+  // Used to separate requests made in different contexts.
+  NetworkIsolationKey network_isolation_key_;
 };
 
 }  // namespace net
diff --git a/chromium/net/quic/quic_stream_factory.cc b/chromium/net/quic/quic_stream_factory.cc
index 7a73796abd8..ede94e16dff 100644
--- a/chromium/net/quic/quic_stream_factory.cc
+++ b/chromium/net/quic/quic_stream_factory.cc
@@ -57,7 +57,6 @@
 #include "net/third_party/quiche/src/quic/core/http/quic_client_promised_info.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_clock.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "third_party/boringssl/src/include/openssl/aead.h"
@@ -92,6 +91,13 @@ enum InitialRttEstimateSource {
   INITIAL_RTT_SOURCE_MAX,
 };
 
+enum class EmptyStaleResultLocation {
+  kResolveHost = 0,
+  kMatchFreshResult = 1,
+  kNotEmpty = 2,
+  kMaxValue = kNotEmpty,
+};
+
 // The maximum receive window sizes for QUIC sessions and streams.
 const int32_t kQuicSessionMaxRecvWindowSize = 15 * 1024 * 1024;  // 15 MB
 const int32_t kQuicStreamMaxRecvWindowSize = 6 * 1024 * 1024;    // 6 MB
@@ -105,9 +111,8 @@ const int32_t kQuicSocketReceiveBufferSize = 1024 * 1024;  // 1MB
 // Set the maximum number of undecryptable packets the connection will store.
 const int32_t kMaxUndecryptablePackets = 100;
 
-base::Value NetLogQuicStreamFactoryJobCallback(
-    const quic::QuicServerId* server_id,
-    NetLogCaptureMode capture_mode) {
+base::Value NetLogQuicStreamFactoryJobParams(
+    const quic::QuicServerId* server_id) {
   base::DictionaryValue dict;
   dict.SetString(
       "server_id",
@@ -117,10 +122,6 @@ base::Value NetLogQuicStreamFactoryJobCallback(
   return std::move(dict);
 }
 
-NetLogParametersCallback NetLogQuicConnectionMigrationTriggerCallback(
-    const char* trigger) {
-  return NetLog::StringCallback("trigger", trigger);
-}
 // Helper class that is used to log a connection migration event.
 class ScopedConnectionMigrationEventLog {
  public:
@@ -128,8 +129,9 @@ class ScopedConnectionMigrationEventLog {
       : net_log_(NetLogWithSource::Make(
             net_log,
             NetLogSourceType::QUIC_CONNECTION_MIGRATION)) {
-    net_log_.BeginEvent(NetLogEventType::QUIC_CONNECTION_MIGRATION_TRIGGERED,
-                        NetLogQuicConnectionMigrationTriggerCallback(trigger));
+    net_log_.BeginEventWithStringParams(
+        NetLogEventType::QUIC_CONNECTION_MIGRATION_TRIGGERED, "trigger",
+        trigger);
   }
 
   ~ScopedConnectionMigrationEventLog() {
@@ -157,6 +159,15 @@ void LogConnectionIpPooling(bool pooled) {
   UMA_HISTOGRAM_BOOLEAN("Net.QuicSession.ConnectionIpPooled", pooled);
 }
 
+void LogEmptyStaleResult(EmptyStaleResultLocation location) {
+  UMA_HISTOGRAM_ENUMERATION("Net.QuicSession.StaleHostResolveFailed", location);
+}
+
+void LogSessionAvailabilityWhenValidatingHost(bool available) {
+  UMA_HISTOGRAM_BOOLEAN("Net.QuicSession.SessionAvailableWhenValidatingDNS",
+                        available);
+}
+
 void SetInitialRttEstimate(base::TimeDelta estimate,
                            enum InitialRttEstimateSource source,
                            quic::QuicConfig* config) {
@@ -169,30 +180,26 @@ void SetInitialRttEstimate(base::TimeDelta estimate,
 quic::QuicConfig InitializeQuicConfig(
     const quic::QuicTagVector& connection_options,
     const quic::QuicTagVector& client_connection_options,
-    int idle_connection_timeout_seconds,
-    int max_time_before_crypto_handshake_seconds,
-    int max_idle_time_before_crypto_handshake_seconds) {
-  DCHECK_GT(idle_connection_timeout_seconds, 0);
+    base::TimeDelta idle_connection_timeout,
+    base::TimeDelta max_time_before_crypto_handshake,
+    base::TimeDelta max_idle_time_before_crypto_handshake) {
+  DCHECK_GT(idle_connection_timeout, base::TimeDelta());
   quic::QuicConfig config;
-  config.SetIdleNetworkTimeout(
-      quic::QuicTime::Delta::FromSeconds(idle_connection_timeout_seconds),
-      quic::QuicTime::Delta::FromSeconds(idle_connection_timeout_seconds));
+  config.SetIdleNetworkTimeout(quic::QuicTime::Delta::FromMicroseconds(
+                                   idle_connection_timeout.InMicroseconds()),
+                               quic::QuicTime::Delta::FromMicroseconds(
+                                   idle_connection_timeout.InMicroseconds()));
   config.set_max_time_before_crypto_handshake(
-      quic::QuicTime::Delta::FromSeconds(
-          max_time_before_crypto_handshake_seconds));
+      quic::QuicTime::Delta::FromMicroseconds(
+          max_time_before_crypto_handshake.InMicroseconds()));
   config.set_max_idle_time_before_crypto_handshake(
-      quic::QuicTime::Delta::FromSeconds(
-          max_idle_time_before_crypto_handshake_seconds));
+      quic::QuicTime::Delta::FromMicroseconds(
+          max_idle_time_before_crypto_handshake.InMicroseconds()));
   config.SetConnectionOptionsToSend(connection_options);
   config.SetClientConnectionOptions(client_connection_options);
   return config;
 }
 
-bssl::UniquePtr<SSL_CTX> QuicStreamFactoryCreateSslCtx() {
-  crypto::EnsureOpenSSLInit();
-  return quic::TlsClientHandshaker::CreateSslCtx();
-}
-
 // An implementation of quic::QuicCryptoClientConfig::ServerIdFilter that wraps
 // an |origin_filter|.
 class ServerIdOriginFilter
@@ -219,6 +226,22 @@ class ServerIdOriginFilter
 
 }  // namespace
 
+QuicParams::QuicParams()
+    : max_packet_length(quic::kDefaultMaxPacketSize),
+      reduced_ping_timeout(
+          base::TimeDelta::FromSeconds(quic::kPingTimeoutSecs)),
+      max_time_before_crypto_handshake(
+          base::TimeDelta::FromSeconds(quic::kMaxTimeForCryptoHandshakeSecs)),
+      max_idle_time_before_crypto_handshake(
+          base::TimeDelta::FromSeconds(quic::kInitialIdleTimeoutSecs)) {
+  supported_versions.push_back(quic::ParsedQuicVersion(
+      quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_46));
+}
+
+QuicParams::QuicParams(const QuicParams& other) = default;
+
+QuicParams::~QuicParams() = default;
+
 // Responsible for verifying the certificates saved in
 // quic::QuicCryptoClientConfig, and for notifying any associated requests when
 // complete. Results from cert verification are ignored.
@@ -257,8 +280,7 @@ class QuicStreamFactory::CertVerifierJob {
             std::make_unique<ProofVerifyContextChromium>(cert_verify_flags,
                                                          net_log)),
         start_time_(base::TimeTicks::Now()),
-        net_log_(net_log),
-        weak_factory_(this) {}
+        net_log_(net_log) {}
 
   ~CertVerifierJob() {
     if (verify_callback_)
@@ -309,7 +331,7 @@ class QuicStreamFactory::CertVerifierJob {
   const base::TimeTicks start_time_;
   const NetLogWithSource net_log_;
   CompletionOnceCallback callback_;
-  base::WeakPtrFactory<CertVerifierJob> weak_factory_;
+  base::WeakPtrFactory<CertVerifierJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(CertVerifierJob);
 };
@@ -319,7 +341,7 @@ class QuicStreamFactory::CertVerifierJob {
 class QuicStreamFactory::Job {
  public:
   Job(QuicStreamFactory* factory,
-      const quic::QuicTransportVersion& quic_version,
+      quic::ParsedQuicVersion quic_version,
       HostResolver* host_resolver,
       const QuicSessionAliasKey& key,
       bool was_alternative_service_recently_broken,
@@ -343,6 +365,7 @@ class QuicStreamFactory::Job {
 
   void OnResolveHostComplete(int rv);
   void OnConnectComplete(int rv);
+  void OnSessionClosed(QuicChromiumClientSession* session);
 
   const QuicSessionAliasKey& key() const { return key_; }
 
@@ -404,16 +427,31 @@ class QuicStreamFactory::Job {
     if (session_) {
       QuicChromiumClientSession* session = session_;
       session_ = nullptr;
-      session->CloseSessionOnErrorLater(
-          ERR_ABORTED, quic::QUIC_STALE_CONNECTION_CANCELLED,
-          quic::ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+      if (session) {
+        session->CloseSessionOnErrorLater(
+            ERR_ABORTED, quic::QUIC_STALE_CONNECTION_CANCELLED,
+            quic::ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+      }
     }
   }
 
   bool DoesPeerAddressMatchWithFreshAddressList() {
+    LogSessionAvailabilityWhenValidatingHost(session_ != nullptr);
+
+    if (!session_)
+      return false;
+
     std::vector<net::IPEndPoint> endpoints =
         fresh_resolve_host_request_->GetAddressResults().value().endpoints();
-    IPEndPoint stale_address = ToIPEndPoint(session_->peer_address());
+
+    if (!resolve_host_request_->GetAddressResults()) {
+      LogEmptyStaleResult(EmptyStaleResultLocation::kMatchFreshResult);
+      return false;
+    }
+
+    LogEmptyStaleResult(EmptyStaleResultLocation::kNotEmpty);
+    IPEndPoint stale_address =
+        resolve_host_request_->GetAddressResults().value().front();
 
     if (std::find(endpoints.begin(), endpoints.end(), stale_address) !=
         endpoints.end()) {
@@ -450,7 +488,7 @@ class QuicStreamFactory::Job {
 
   IoState io_state_;
   QuicStreamFactory* factory_;
-  quic::QuicTransportVersion quic_version_;
+  quic::ParsedQuicVersion quic_version_;
   HostResolver* host_resolver_;
   const QuicSessionAliasKey key_;
   RequestPriority priority_;
@@ -459,7 +497,6 @@ class QuicStreamFactory::Job {
   const bool retry_on_alternate_network_before_handshake_;
   const bool race_stale_dns_on_connection_;
   const NetLogWithSource net_log_;
-  int num_sent_client_hellos_;
   bool host_resolution_finished_;
   bool connection_retried_;
   QuicChromiumClientSession* session_;
@@ -475,13 +512,13 @@ class QuicStreamFactory::Job {
   base::TimeTicks dns_resolution_start_time_;
   base::TimeTicks dns_resolution_end_time_;
   std::set<QuicStreamRequest*> stream_requests_;
-  base::WeakPtrFactory<Job> weak_factory_;
+  base::WeakPtrFactory<Job> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(Job);
 };
 
 QuicStreamFactory::Job::Job(QuicStreamFactory* factory,
-                            const quic::QuicTransportVersion& quic_version,
+                            quic::ParsedQuicVersion quic_version,
                             HostResolver* host_resolver,
                             const QuicSessionAliasKey& key,
                             bool was_alternative_service_recently_broken,
@@ -505,22 +542,20 @@ QuicStreamFactory::Job::Job(QuicStreamFactory* factory,
       net_log_(
           NetLogWithSource::Make(net_log.net_log(),
                                  NetLogSourceType::QUIC_STREAM_FACTORY_JOB)),
-      num_sent_client_hellos_(0),
       host_resolution_finished_(false),
       connection_retried_(false),
       session_(nullptr),
-      network_(NetworkChangeNotifier::kInvalidNetworkHandle),
-      weak_factory_(this) {
-  net_log_.BeginEvent(
-      NetLogEventType::QUIC_STREAM_FACTORY_JOB,
-      base::Bind(&NetLogQuicStreamFactoryJobCallback, &key_.server_id()));
+      network_(NetworkChangeNotifier::kInvalidNetworkHandle) {
+  net_log_.BeginEvent(NetLogEventType::QUIC_STREAM_FACTORY_JOB, [&] {
+    return NetLogQuicStreamFactoryJobParams(&key_.server_id());
+  });
   // Associate |net_log_| with |net_log|.
-  net_log_.AddEvent(
+  net_log_.AddEventReferencingSource(
       NetLogEventType::QUIC_STREAM_FACTORY_JOB_BOUND_TO_HTTP_STREAM_JOB,
-      net_log.source().ToEventParametersCallback());
-  net_log.AddEvent(
+      net_log.source());
+  net_log.AddEventReferencingSource(
       NetLogEventType::HTTP_STREAM_JOB_BOUND_TO_QUIC_STREAM_FACTORY_JOB,
-      net_log_.source().ToEventParametersCallback());
+      net_log_.source());
 }
 
 QuicStreamFactory::Job::~Job() {
@@ -572,6 +607,20 @@ int QuicStreamFactory::Job::DoLoop(int rv) {
   return rv;
 }
 
+void QuicStreamFactory::Job::OnSessionClosed(
+    QuicChromiumClientSession* session) {
+  // When dns racing experiment is on, the job needs to know that the stale
+  // session is closed so that it will start the fresh session without matching
+  // dns results.
+  if (io_state_ == STATE_HOST_VALIDATION && session_ == session) {
+    DCHECK(race_stale_dns_on_connection_);
+    DCHECK(fresh_resolve_host_request_);
+    resolve_host_request_ = std::move(fresh_resolve_host_request_);
+    session_ = nullptr;
+    io_state_ = STATE_RESOLVE_HOST_COMPLETE;
+  }
+}
+
 void QuicStreamFactory::Job::OnResolveHostComplete(int rv) {
   DCHECK(!host_resolution_finished_);
 
@@ -696,7 +745,15 @@ int QuicStreamFactory::Job::DoResolveHost() {
     // Fresh request returned immediate results.
     LogStaleHostRacing(false);
     resolve_host_request_ = std::move(fresh_resolve_host_request_);
-    return rv;
+    return fresh_rv;
+  }
+
+  // Check to make sure stale host request does produce valid results.
+  if (!resolve_host_request_->GetAddressResults()) {
+    LogStaleHostRacing(false);
+    LogEmptyStaleResult(EmptyStaleResultLocation::kResolveHost);
+    resolve_host_request_ = std::move(fresh_resolve_host_request_);
+    return fresh_rv;
   }
 
   // No fresh host resolution is available at this time, but there is available
@@ -733,11 +790,11 @@ int QuicStreamFactory::Job::DoConnect() {
   DCHECK(dns_resolution_end_time_ != base::TimeTicks());
   io_state_ = STATE_CONNECT_COMPLETE;
   bool require_confirmation = was_alternative_service_recently_broken_;
-  net_log_.BeginEvent(
-      NetLogEventType::QUIC_STREAM_FACTORY_JOB_CONNECT,
-      NetLog::BoolCallback("require_confirmation", require_confirmation));
+  net_log_.AddEntryWithBoolParams(
+      NetLogEventType::QUIC_STREAM_FACTORY_JOB_CONNECT, NetLogEventPhase::BEGIN,
+      "require_confirmation", require_confirmation);
 
-  DCHECK_NE(quic_version_, quic::QUIC_VERSION_UNSUPPORTED);
+  DCHECK_NE(quic_version_.transport_version, quic::QUIC_VERSION_UNSUPPORTED);
   int rv = factory_->CreateSession(
       key_, quic_version_, cert_verify_flags_, require_confirmation,
       resolve_host_request_->GetAddressResults().value(),
@@ -811,17 +868,6 @@ int QuicStreamFactory::Job::DoConfirmConnection(int rv) {
   UMA_HISTOGRAM_TIMES("Net.QuicSession.TimeFromResolveHostToConfirmConnection",
                       base::TimeTicks::Now() - dns_resolution_start_time_);
   net_log_.EndEvent(NetLogEventType::QUIC_STREAM_FACTORY_JOB_CONNECT);
-  if (session_ &&
-      session_->error() == quic::QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT) {
-    num_sent_client_hellos_ += session_->GetNumSentClientHellos();
-    if (num_sent_client_hellos_ >=
-        quic::QuicCryptoClientStream::kMaxClientHellos)
-      return ERR_QUIC_HANDSHAKE_FAILED;
-    // The handshake was rejected statelessly, so create another connection
-    // to resume the handshake.
-    io_state_ = STATE_CONNECT;
-    return OK;
-  }
 
   if (was_alternative_service_recently_broken_)
     UMA_HISTOGRAM_BOOLEAN("Net.QuicSession.ConnectAfterBroken", rv == OK);
@@ -917,17 +963,18 @@ QuicStreamRequest::~QuicStreamRequest() {
 
 int QuicStreamRequest::Request(
     const HostPortPair& destination,
-    quic::QuicTransportVersion quic_version,
+    quic::ParsedQuicVersion quic_version,
     PrivacyMode privacy_mode,
     RequestPriority priority,
     const SocketTag& socket_tag,
+    const NetworkIsolationKey& network_isolation_key,
     int cert_verify_flags,
     const GURL& url,
     const NetLogWithSource& net_log,
     NetErrorDetails* net_error_details,
     CompletionOnceCallback failed_on_default_network_callback,
     CompletionOnceCallback callback) {
-  DCHECK_NE(quic_version, quic::QUIC_VERSION_UNSUPPORTED);
+  DCHECK_NE(quic_version.transport_version, quic::QUIC_VERSION_UNSUPPORTED);
   DCHECK(net_error_details);
   DCHECK(callback_.is_null());
   DCHECK(host_resolution_callback_.is_null());
@@ -936,8 +983,8 @@ int QuicStreamRequest::Request(
   net_error_details_ = net_error_details;
   failed_on_default_network_callback_ =
       std::move(failed_on_default_network_callback);
-  session_key_ =
-      QuicSessionKey(HostPortPair::FromURL(url), privacy_mode, socket_tag);
+  session_key_ = QuicSessionKey(HostPortPair::FromURL(url), privacy_mode,
+                                socket_tag, network_isolation_key);
 
   int rv = factory_->Create(session_key_, destination, quic_version, priority,
                             cert_verify_flags, url, net_log, this);
@@ -1022,35 +1069,7 @@ QuicStreamFactory::QuicStreamFactory(
     QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory,
     quic::QuicRandom* random_generator,
     quic::QuicClock* clock,
-    size_t max_packet_length,
-    const std::string& user_agent_id,
-    bool store_server_configs_in_properties,
-    bool close_sessions_on_ip_change,
-    bool goaway_sessions_on_ip_change,
-    bool mark_quic_broken_when_network_blackholes,
-    int idle_connection_timeout_seconds,
-    int reduced_ping_timeout_seconds,
-    int retransmittable_on_wire_timeout_milliseconds,
-    int max_time_before_crypto_handshake_seconds,
-    int max_idle_time_before_crypto_handshake_seconds,
-    bool migrate_sessions_on_network_change_v2,
-    bool migrate_sessions_early_v2,
-    bool retry_on_alternate_network_before_handshake,
-    bool migrate_idle_sessions,
-    base::TimeDelta idle_session_migration_period,
-    base::TimeDelta max_time_on_non_default_network,
-    int max_migrations_to_non_default_network_on_write_error,
-    int max_migrations_to_non_default_network_on_path_degrading,
-    bool allow_server_migration,
-    bool race_stale_dns_on_connection,
-    bool go_away_on_path_degrading,
-    bool race_cert_verification,
-    bool estimate_initial_rtt,
-    bool headers_include_h2_stream_dependency,
-    const quic::QuicTagVector& connection_options,
-    const quic::QuicTagVector& client_connection_options,
-    bool enable_socket_recv_optimization,
-    int initial_rtt_for_handshake_milliseconds)
+    const QuicParams& params)
     : require_confirmation_(true),
       net_log_(net_log),
       host_resolver_(host_resolver),
@@ -1062,70 +1081,47 @@ QuicStreamFactory::QuicStreamFactory(
       quic_crypto_client_stream_factory_(quic_crypto_client_stream_factory),
       random_generator_(random_generator),
       clock_(clock),
-      max_packet_length_(max_packet_length),
+      params_(params),
       clock_skew_detector_(base::TimeTicks::Now(), base::Time::Now()),
       socket_performance_watcher_factory_(socket_performance_watcher_factory),
       config_(
-          InitializeQuicConfig(connection_options,
-                               client_connection_options,
-                               idle_connection_timeout_seconds,
-                               max_time_before_crypto_handshake_seconds,
-                               max_idle_time_before_crypto_handshake_seconds)),
+          InitializeQuicConfig(params.connection_options,
+                               params.client_connection_options,
+                               params.idle_connection_timeout,
+                               params.max_time_before_crypto_handshake,
+                               params.max_idle_time_before_crypto_handshake)),
       crypto_config_(
           std::make_unique<ProofVerifierChromium>(cert_verifier,
                                                   ct_policy_enforcer,
                                                   transport_security_state,
-                                                  cert_transparency_verifier),
-          QuicStreamFactoryCreateSslCtx()),
-      mark_quic_broken_when_network_blackholes_(
-          mark_quic_broken_when_network_blackholes),
-      store_server_configs_in_properties_(store_server_configs_in_properties),
+                                                  cert_transparency_verifier)),
       ping_timeout_(quic::QuicTime::Delta::FromSeconds(quic::kPingTimeoutSecs)),
-      reduced_ping_timeout_(
-          quic::QuicTime::Delta::FromSeconds(reduced_ping_timeout_seconds)),
-      retransmittable_on_wire_timeout_(quic::QuicTime::Delta::FromMilliseconds(
-          retransmittable_on_wire_timeout_milliseconds)),
+      reduced_ping_timeout_(quic::QuicTime::Delta::FromMicroseconds(
+          params.reduced_ping_timeout.InMicroseconds())),
+      retransmittable_on_wire_timeout_(quic::QuicTime::Delta::FromMicroseconds(
+          params.retransmittable_on_wire_timeout.InMicroseconds())),
       yield_after_packets_(kQuicYieldAfterPacketsRead),
       yield_after_duration_(quic::QuicTime::Delta::FromMilliseconds(
           kQuicYieldAfterDurationMilliseconds)),
-      close_sessions_on_ip_change_(close_sessions_on_ip_change),
-      goaway_sessions_on_ip_change_(goaway_sessions_on_ip_change),
       migrate_sessions_on_network_change_v2_(
-          migrate_sessions_on_network_change_v2 &&
+          params.migrate_sessions_on_network_change_v2 &&
           NetworkChangeNotifier::AreNetworkHandlesSupported()),
-      migrate_sessions_early_v2_(migrate_sessions_early_v2 &&
+      migrate_sessions_early_v2_(params.migrate_sessions_early_v2 &&
                                  migrate_sessions_on_network_change_v2_),
       retry_on_alternate_network_before_handshake_(
-          retry_on_alternate_network_before_handshake &&
+          params.retry_on_alternate_network_before_handshake &&
           migrate_sessions_on_network_change_v2_),
       default_network_(NetworkChangeNotifier::kInvalidNetworkHandle),
-      migrate_idle_sessions_(migrate_idle_sessions &&
+      migrate_idle_sessions_(params.migrate_idle_sessions &&
                              migrate_sessions_on_network_change_v2_),
-      idle_session_migration_period_(idle_session_migration_period),
-      max_time_on_non_default_network_(max_time_on_non_default_network),
-      max_migrations_to_non_default_network_on_write_error_(
-          max_migrations_to_non_default_network_on_write_error),
-      max_migrations_to_non_default_network_on_path_degrading_(
-          max_migrations_to_non_default_network_on_path_degrading),
-      allow_server_migration_(allow_server_migration),
-      race_stale_dns_on_connection_(race_stale_dns_on_connection),
-      go_away_on_path_degrading_(go_away_on_path_degrading),
-      race_cert_verification_(race_cert_verification),
-      estimate_initial_rtt(estimate_initial_rtt),
-      headers_include_h2_stream_dependency_(
-          headers_include_h2_stream_dependency),
       need_to_check_persisted_supports_quic_(true),
       num_push_streams_created_(0),
       tick_clock_(nullptr),
       task_runner_(nullptr),
-      ssl_config_service_(ssl_config_service),
-      enable_socket_recv_optimization_(enable_socket_recv_optimization),
-      initial_rtt_for_handshake_milliseconds_(
-          initial_rtt_for_handshake_milliseconds),
-      weak_factory_(this) {
+      ssl_config_service_(ssl_config_service) {
   DCHECK(transport_security_state_);
   DCHECK(http_server_properties_);
-  crypto_config_.set_user_agent_id(user_agent_id);
+  crypto_config_.set_user_agent_id(params.user_agent_id);
   crypto_config_.AddCanonicalSuffix(".c.youtube.com");
   crypto_config_.AddCanonicalSuffix(".ggpht.com");
   crypto_config_.AddCanonicalSuffix(".googlevideo.com");
@@ -1134,23 +1130,25 @@ QuicStreamFactory::QuicStreamFactory(
       !crypto_config_.aead.empty() && (crypto_config_.aead[0] == quic::kAESG);
   UMA_HISTOGRAM_BOOLEAN("Net.QuicSession.PreferAesGcm", prefer_aes_gcm);
 
-  if (migrate_sessions_early_v2 || retry_on_alternate_network_before_handshake)
-    DCHECK(migrate_sessions_on_network_change_v2);
+  if (params.migrate_sessions_early_v2 ||
+      params.retry_on_alternate_network_before_handshake)
+    DCHECK(params.migrate_sessions_on_network_change_v2);
 
-  if (retransmittable_on_wire_timeout_milliseconds == 0 &&
-      migrate_sessions_early_v2) {
-    retransmittable_on_wire_timeout_ = quic::QuicTime::Delta::FromMilliseconds(
-        kDefaultRetransmittableOnWireTimeoutMillisecs);
+  if (params.retransmittable_on_wire_timeout.is_zero() &&
+      params.migrate_sessions_early_v2) {
+    retransmittable_on_wire_timeout_ = quic::QuicTime::Delta::FromMicroseconds(
+        kDefaultRetransmittableOnWireTimeout.InMicroseconds());
   }
 
   // goaway_sessions_on_ip_change and close_sessions_on_ip_change should never
   // be simultaneously set to true.
-  DCHECK(!(close_sessions_on_ip_change_ && goaway_sessions_on_ip_change_));
+  DCHECK(!(params_.close_sessions_on_ip_change &&
+           params_.goaway_sessions_on_ip_change));
 
   // Connection migration should not be set if explicitly handle ip address
   // change.
-  bool handle_ip_change =
-      close_sessions_on_ip_change_ || goaway_sessions_on_ip_change_;
+  bool handle_ip_change = params_.close_sessions_on_ip_change ||
+                          params_.goaway_sessions_on_ip_change;
   DCHECK(!(handle_ip_change && migrate_sessions_on_network_change_v2_));
 
   if (handle_ip_change)
@@ -1171,7 +1169,8 @@ QuicStreamFactory::~QuicStreamFactory() {
   active_jobs_.clear();
   while (!active_cert_verifier_jobs_.empty())
     active_cert_verifier_jobs_.erase(active_cert_verifier_jobs_.begin());
-  if (close_sessions_on_ip_change_ || goaway_sessions_on_ip_change_) {
+  if (params_.close_sessions_on_ip_change ||
+      params_.goaway_sessions_on_ip_change) {
     NetworkChangeNotifier::RemoveIPAddressObserver(this);
   }
   if (NetworkChangeNotifier::AreNetworkHandlesSupported()) {
@@ -1244,14 +1243,15 @@ bool QuicStreamFactory::CanUseExistingSession(const QuicSessionKey& session_key,
   if (active_sessions_.empty())
     return false;
 
-  if (base::ContainsKey(active_sessions_, session_key))
+  if (base::Contains(active_sessions_, session_key))
     return true;
 
   for (const auto& key_value : active_sessions_) {
     QuicChromiumClientSession* session = key_value.second;
     if (destination.Equals(all_sessions_[session].destination()) &&
         session->CanPool(session_key.host(), session_key.privacy_mode(),
-                         session_key.socket_tag())) {
+                         session_key.socket_tag(),
+                         session_key.network_isolation_key())) {
       return true;
     }
   }
@@ -1268,7 +1268,7 @@ void QuicStreamFactory::MarkAllActiveSessionsGoingAway() {
 
 int QuicStreamFactory::Create(const QuicSessionKey& session_key,
                               const HostPortPair& destination,
-                              quic::QuicTransportVersion quic_version,
+                              quic::ParsedQuicVersion quic_version,
                               RequestPriority priority,
                               int cert_verify_flags,
                               const GURL& url,
@@ -1315,12 +1315,12 @@ int QuicStreamFactory::Create(const QuicSessionKey& session_key,
   auto it = active_jobs_.find(session_key);
   if (it != active_jobs_.end()) {
     const NetLogWithSource& job_net_log = it->second->net_log();
-    job_net_log.AddEvent(
+    job_net_log.AddEventReferencingSource(
         NetLogEventType::QUIC_STREAM_FACTORY_JOB_BOUND_TO_HTTP_STREAM_JOB,
-        net_log.source().ToEventParametersCallback());
-    net_log.AddEvent(
+        net_log.source());
+    net_log.AddEventReferencingSource(
         NetLogEventType::HTTP_STREAM_JOB_BOUND_TO_QUIC_STREAM_FACTORY_JOB,
-        job_net_log.source().ToEventParametersCallback());
+        job_net_log.source());
     it->second->AddRequest(request);
     return ERR_IO_PENDING;
   }
@@ -1334,7 +1334,8 @@ int QuicStreamFactory::Create(const QuicSessionKey& session_key,
                            session_key.server_id().privacy_mode_enabled()
                                ? PRIVACY_MODE_ENABLED
                                : PRIVACY_MODE_DISABLED,
-                           session_key.socket_tag())) {
+                           session_key.socket_tag(),
+                           session_key.network_isolation_key())) {
         request->SetSession(session->CreateHandle(destination));
         return OK;
       }
@@ -1353,11 +1354,12 @@ int QuicStreamFactory::Create(const QuicSessionKey& session_key,
       StartCertVerifyJob(session_key.server_id(), cert_verify_flags, net_log));
 
   QuicSessionAliasKey key(destination, session_key);
-  std::unique_ptr<Job> job = std::make_unique<Job>(
-      this, quic_version, host_resolver_, key,
-      WasQuicRecentlyBroken(session_key.server_id()),
-      retry_on_alternate_network_before_handshake_,
-      race_stale_dns_on_connection_, priority, cert_verify_flags, net_log);
+  std::unique_ptr<Job> job =
+      std::make_unique<Job>(this, quic_version, host_resolver_, key,
+                            WasQuicRecentlyBroken(session_key.server_id()),
+                            retry_on_alternate_network_before_handshake_,
+                            params_.race_stale_dns_on_connection, priority,
+                            cert_verify_flags, net_log);
   int rv = job->Run(
       base::BindRepeating(&QuicStreamFactory::OnJobComplete,
                           base::Unretained(this), job.get()));
@@ -1408,17 +1410,16 @@ bool QuicStreamFactory::HasMatchingIpSession(const QuicSessionAliasKey& key,
   const quic::QuicServerId& server_id(key.server_id());
   DCHECK(!HasActiveSession(key.session_key()));
   for (const IPEndPoint& address : address_list) {
-    if (!base::ContainsKey(ip_aliases_, address))
+    if (!base::Contains(ip_aliases_, address))
       continue;
 
     const SessionSet& sessions = ip_aliases_[address];
     for (QuicChromiumClientSession* session : sessions) {
-      if (!session->CanPool(server_id.host(),
-                            server_id.privacy_mode_enabled()
-                                ? PRIVACY_MODE_ENABLED
-                                : PRIVACY_MODE_DISABLED,
-                            key.session_key().socket_tag()))
+      if (!session->CanPool(server_id.host(), key.session_key().privacy_mode(),
+                            key.session_key().socket_tag(),
+                            key.session_key().network_isolation_key())) {
         continue;
+      }
       active_sessions_[key.session_key()] = session;
       session_aliases_[session].insert(key);
       return true;
@@ -1474,7 +1475,7 @@ void QuicStreamFactory::OnSessionGoingAway(QuicChromiumClientSession* session) {
   }
   ProcessGoingAwaySession(session, all_sessions_[session].server_id(), false);
   if (!aliases.empty()) {
-    DCHECK(base::ContainsKey(session_peer_ip_, session));
+    DCHECK(base::Contains(session_peer_ip_, session));
     const IPEndPoint peer_address = session_peer_ip_[session];
     ip_aliases_[peer_address].erase(session);
     if (ip_aliases_[peer_address].empty())
@@ -1487,6 +1488,12 @@ void QuicStreamFactory::OnSessionGoingAway(QuicChromiumClientSession* session) {
 void QuicStreamFactory::OnSessionClosed(QuicChromiumClientSession* session) {
   DCHECK_EQ(0u, session->GetNumActiveStreams());
   OnSessionGoingAway(session);
+
+  for (const auto& iter : active_jobs_) {
+    if (iter.first == session->quic_session_key()) {
+      iter.second->OnSessionClosed(session);
+    }
+  }
   delete session;
   all_sessions_.erase(session);
 }
@@ -1497,7 +1504,7 @@ void QuicStreamFactory::OnBlackholeAfterHandshakeConfirmed(
   if (ping_timeout_ > reduced_ping_timeout_)
     ping_timeout_ = reduced_ping_timeout_;
 
-  if (mark_quic_broken_when_network_blackholes_) {
+  if (params_.mark_quic_broken_when_network_blackholes) {
     http_server_properties_->MarkAlternativeServiceBroken(AlternativeService(
         kProtoQUIC, HostPortPair(session->server_id().host(),
                                  session->server_id().port())));
@@ -1573,10 +1580,10 @@ void QuicStreamFactory::OnIPAddressChanged() {
     return;
 
   set_require_confirmation(true);
-  if (close_sessions_on_ip_change_) {
+  if (params_.close_sessions_on_ip_change) {
     CloseAllSessions(ERR_NETWORK_CHANGED, quic::QUIC_IP_ADDRESS_CHANGED);
   } else {
-    DCHECK(goaway_sessions_on_ip_change_);
+    DCHECK(params_.goaway_sessions_on_ip_change);
     MarkAllActiveSessionsGoingAway();
   }
 }
@@ -1665,7 +1672,7 @@ std::unique_ptr<DatagramClientSocket> QuicStreamFactory::CreateSocket(
     const NetLogSource& source) {
   auto socket = client_socket_factory_->CreateDatagramClientSocket(
       DatagramSocket::DEFAULT_BIND, net_log, source);
-  if (enable_socket_recv_optimization_)
+  if (params_.enable_socket_recv_optimization)
     socket->EnableRecvOptimization();
   return socket;
 }
@@ -1688,16 +1695,16 @@ bool QuicStreamFactory::HasActiveSession(
   // TODO(rtenneti): crbug.com/498823 - delete active_sessions_.empty() check.
   if (active_sessions_.empty())
     return false;
-  return base::ContainsKey(active_sessions_, session_key);
+  return base::Contains(active_sessions_, session_key);
 }
 
 bool QuicStreamFactory::HasActiveJob(const QuicSessionKey& session_key) const {
-  return base::ContainsKey(active_jobs_, session_key);
+  return base::Contains(active_jobs_, session_key);
 }
 
 bool QuicStreamFactory::HasActiveCertVerifierJob(
     const quic::QuicServerId& server_id) const {
-  return base::ContainsKey(active_cert_verifier_jobs_, server_id);
+  return base::Contains(active_cert_verifier_jobs_, server_id);
 }
 
 int QuicStreamFactory::ConfigureSocket(DatagramClientSocket* socket,
@@ -1765,7 +1772,7 @@ int QuicStreamFactory::ConfigureSocket(DatagramClientSocket* socket,
 
 int QuicStreamFactory::CreateSession(
     const QuicSessionAliasKey& key,
-    const quic::QuicTransportVersion& quic_version,
+    quic::ParsedQuicVersion quic_version,
     int cert_verify_flags,
     bool require_confirmation,
     const AddressList& address_list,
@@ -1812,7 +1819,7 @@ int QuicStreamFactory::CreateSession(
   quic::QuicConnectionId connection_id =
       quic::QuicUtils::CreateRandomConnectionId(random_generator_);
   std::unique_ptr<QuicServerInfo> server_info;
-  if (store_server_configs_in_properties_) {
+  if (params_.max_server_configs_stored_in_properties > 0) {
     server_info = std::make_unique<PropertiesBasedQuicServerInfo>(
         server_id, http_server_properties_);
   }
@@ -1821,13 +1828,11 @@ int QuicStreamFactory::CreateSession(
   QuicChromiumPacketWriter* writer =
       new QuicChromiumPacketWriter(socket.get(), task_runner_);
   quic::QuicConnection* connection = new quic::QuicConnection(
-      connection_id, quic::QuicSocketAddress(quic::QuicSocketAddressImpl(addr)),
-      helper_.get(), alarm_factory_.get(), writer, true /* owns_writer */,
-      quic::Perspective::IS_CLIENT,
-      quic::ParsedQuicVersionVector{
-          quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO, quic_version)});
+      connection_id, ToQuicSocketAddress(addr), helper_.get(),
+      alarm_factory_.get(), writer, true /* owns_writer */,
+      quic::Perspective::IS_CLIENT, {quic_version});
   connection->set_ping_timeout(ping_timeout_);
-  connection->SetMaxPacketLength(max_packet_length_);
+  connection->SetMaxPacketLength(params_.max_packet_length);
 
   quic::QuicConfig config = config_;
   config.set_max_undecryptable_packets(kMaxUndecryptablePackets);
@@ -1836,7 +1841,7 @@ int QuicStreamFactory::CreateSession(
   config.SetInitialStreamFlowControlWindowToSend(kQuicStreamMaxRecvWindowSize);
   config.SetBytesForConnectionIdToSend(0);
   ConfigureInitialRttEstimate(server_id, &config);
-  if (quic_version < quic::QUIC_VERSION_44 &&
+  if (quic_version.transport_version <= quic::QUIC_VERSION_43 &&
       !config.HasClientSentConnectionOption(quic::kNSTP,
                                             quic::Perspective::IS_CLIENT)) {
     // Enable the no stop waiting frames connection option by default.
@@ -1863,14 +1868,16 @@ int QuicStreamFactory::CreateSession(
       connection, std::move(socket), this, quic_crypto_client_stream_factory_,
       clock_, transport_security_state_, ssl_config_service_,
       std::move(server_info), key.session_key(), require_confirmation,
-      migrate_sessions_early_v2_, migrate_sessions_on_network_change_v2_,
-      default_network_, retransmittable_on_wire_timeout_,
-      migrate_idle_sessions_, idle_session_migration_period_,
-      max_time_on_non_default_network_,
-      max_migrations_to_non_default_network_on_write_error_,
-      max_migrations_to_non_default_network_on_path_degrading_,
-      yield_after_packets_, yield_after_duration_, go_away_on_path_degrading_,
-      headers_include_h2_stream_dependency_, cert_verify_flags, config,
+      params_.max_allowed_push_id, migrate_sessions_early_v2_,
+      migrate_sessions_on_network_change_v2_, default_network_,
+      retransmittable_on_wire_timeout_, migrate_idle_sessions_,
+      params_.idle_session_migration_period,
+      params_.max_time_on_non_default_network,
+      params_.max_migrations_to_non_default_network_on_write_error,
+      params_.max_migrations_to_non_default_network_on_path_degrading,
+      yield_after_packets_, yield_after_duration_,
+      params_.go_away_on_path_degrading,
+      params_.headers_include_h2_stream_dependency, cert_verify_flags, config,
       &crypto_config_, network_connection_.connection_description(),
       dns_resolution_start_time, dns_resolution_end_time, &push_promise_index_,
       push_delegate_, tick_clock_, task_runner_,
@@ -1880,7 +1887,7 @@ int QuicStreamFactory::CreateSession(
   writer->set_delegate(*session);
 
   (*session)->Initialize();
-  bool closed_during_initialize = !base::ContainsKey(all_sessions_, *session) ||
+  bool closed_during_initialize = !base::Contains(all_sessions_, *session) ||
                                   !(*session)->connection()->connected();
   UMA_HISTOGRAM_BOOLEAN("Net.QuicSession.ClosedDuringInitializeSession",
                         closed_during_initialize);
@@ -1905,9 +1912,9 @@ void QuicStreamFactory::ActivateSession(const QuicSessionAliasKey& key,
   session_aliases_[session].insert(key);
   const IPEndPoint peer_address =
       ToIPEndPoint(session->connection()->peer_address());
-  DCHECK(!base::ContainsKey(ip_aliases_[peer_address], session));
+  DCHECK(!base::Contains(ip_aliases_[peer_address], session));
   ip_aliases_[peer_address].insert(session);
-  DCHECK(!base::ContainsKey(session_peer_ip_, session));
+  DCHECK(!base::Contains(session_peer_ip_, session));
   session_peer_ip_[session] = peer_address;
 }
 
@@ -1934,10 +1941,11 @@ void QuicStreamFactory::ConfigureInitialRttEstimate(
     return;
   }
 
-  if (initial_rtt_for_handshake_milliseconds_ > 0) {
-    SetInitialRttEstimate(base::TimeDelta::FromMilliseconds(
-                              initial_rtt_for_handshake_milliseconds_),
-                          INITIAL_RTT_DEFAULT, config);
+  if (params_.initial_rtt_for_handshake > base::TimeDelta()) {
+    SetInitialRttEstimate(
+        base::TimeDelta::FromMicroseconds(
+            params_.initial_rtt_for_handshake.InMicroseconds()),
+        INITIAL_RTT_DEFAULT, config);
     return;
   }
 
@@ -1979,7 +1987,7 @@ quic::QuicAsyncStatus QuicStreamFactory::StartCertVerifyJob(
     const quic::QuicServerId& server_id,
     int cert_verify_flags,
     const NetLogWithSource& net_log) {
-  if (!race_cert_verification_)
+  if (!params_.race_cert_verification)
     return quic::QUIC_FAILURE;
   quic::QuicCryptoClientConfig::CachedState* cached =
       crypto_config_.LookupOrCreate(server_id);
@@ -2007,11 +2015,13 @@ void QuicStreamFactory::InitializeCachedStateInCryptoConfig(
   if (cached->has_server_designated_connection_id())
     *connection_id = cached->GetNextServerDesignatedConnectionId();
 
-  if (!cached->IsEmpty())
+  if (!cached->IsEmpty()) {
     return;
+  }
 
-  if (!server_info || !server_info->Load())
+  if (!server_info || !server_info->Load()) {
     return;
+  }
 
   cached->Initialize(server_info->state().server_config,
                      server_info->state().source_address_token,
diff --git a/chromium/net/quic/quic_stream_factory.h b/chromium/net/quic/quic_stream_factory.h
index bae47ec979e..4b543b1bfc2 100644
--- a/chromium/net/quic/quic_stream_factory.h
+++ b/chromium/net/quic/quic_stream_factory.h
@@ -65,6 +65,7 @@ class CTVerifier;
 class HostResolver;
 class HttpServerProperties;
 class NetLog;
+class NetworkIsolationKey;
 class QuicChromiumConnectionHelper;
 class QuicCryptoClientStreamFactory;
 class QuicServerInfo;
@@ -78,20 +79,24 @@ class QuicStreamFactoryPeer;
 }  // namespace test
 
 // When a connection is idle for 30 seconds it will be closed.
-const int kIdleConnectionTimeoutSeconds = 30;
+constexpr base::TimeDelta kIdleConnectionTimeout =
+    base::TimeDelta::FromSeconds(30);
 
 // Sessions can migrate if they have been idle for less than this period.
-const int kDefaultIdleSessionMigrationPeriodSeconds = 30;
+constexpr base::TimeDelta kDefaultIdleSessionMigrationPeriod =
+    base::TimeDelta::FromSeconds(30);
 
 // The default maximum time allowed to have no retransmittable packets on the
 // wire (after sending the first retransmittable packet) if
 // |migrate_session_early_v2_| is true. PING frames will be sent as needed to
 // enforce this.
-const int64_t kDefaultRetransmittableOnWireTimeoutMillisecs = 100;
+constexpr base::TimeDelta kDefaultRetransmittableOnWireTimeout =
+    base::TimeDelta::FromMilliseconds(100);
 
 // The default maximum time QUIC session could be on non-default network before
 // migrate back to default network.
-const int64_t kMaxTimeOnNonDefaultNetworkSecs = 128;
+constexpr base::TimeDelta kMaxTimeOnNonDefaultNetwork =
+    base::TimeDelta::FromSeconds(128);
 
 // The default maximum number of migrations to non default network on write
 // error per network.
@@ -101,6 +106,118 @@ const int64_t kMaxMigrationsToNonDefaultNetworkOnWriteError = 5;
 // degrading per network.
 const int64_t kMaxMigrationsToNonDefaultNetworkOnPathDegrading = 5;
 
+// Structure containing simple configuration options and experiments for QUIC.
+struct NET_EXPORT QuicParams {
+  QuicParams();
+  QuicParams(const QuicParams& other);
+  ~QuicParams();
+
+  // QUIC runtime configuration options.
+
+  // Versions of QUIC which may be used.
+  quic::ParsedQuicVersionVector supported_versions;
+  // User agent description to send in the QUIC handshake.
+  std::string user_agent_id;
+  // Limit on the size of QUIC packets.
+  size_t max_packet_length;
+  // Maximum number of server configs that are to be stored in
+  // HttpServerProperties, instead of the disk cache.
+  size_t max_server_configs_stored_in_properties = 0u;
+  // QUIC will be used for all connections in this set.
+  std::set<HostPortPair> origins_to_force_quic_on;
+  // Set of QUIC tags to send in the handshake's connection options.
+  quic::QuicTagVector connection_options;
+  // Set of QUIC tags to send in the handshake's connection options that only
+  // affect the client.
+  quic::QuicTagVector client_connection_options;
+  // Enables experimental optimization for receiving data in UDPSocket.
+  bool enable_socket_recv_optimization = false;
+  // Initial value of QuicSpdyClientSessionBase::max_allowed_push_id_.
+  quic::QuicStreamId max_allowed_push_id = 0;
+
+  // Active QUIC experiments
+
+  // Marks a QUIC server broken when a connection blackholes after the
+  // handshake is confirmed.
+  bool mark_quic_broken_when_network_blackholes = false;
+  // Retry requests which fail with QUIC_PROTOCOL_ERROR, and mark QUIC
+  // broken if the retry succeeds.
+  bool retry_without_alt_svc_on_quic_errors = true;
+  // If true, alt-svc headers advertising QUIC in IETF format will be
+  // supported.
+  bool support_ietf_format_quic_altsvc = false;
+  // If true, all QUIC sessions are closed when any local IP address changes.
+  bool close_sessions_on_ip_change = false;
+  // If true, all QUIC sessions are marked as goaway when any local IP address
+  // changes.
+  bool goaway_sessions_on_ip_change = false;
+  // Specifies QUIC idle connection state lifetime.
+  base::TimeDelta idle_connection_timeout = kIdleConnectionTimeout;
+  // Specifies the reduced ping timeout subsequent connections should use when
+  // a connection was timed out with open streams.
+  base::TimeDelta reduced_ping_timeout;
+  // Maximum time that a session can have no retransmittable packets on the
+  // wire. Set to zero if not specified and no retransmittable PING will be
+  // sent to peer when the wire has no retransmittable packets.
+  base::TimeDelta retransmittable_on_wire_timeout;
+  // Maximum time the session can be alive before crypto handshake is
+  // finished.
+  base::TimeDelta max_time_before_crypto_handshake;
+  // Maximum idle time before the crypto handshake has completed.
+  base::TimeDelta max_idle_time_before_crypto_handshake;
+  // If true, connection migration v2 will be used to migrate existing
+  // sessions to network when the platform indicates that the default network
+  // is changing.
+  bool migrate_sessions_on_network_change_v2 = false;
+  // If true, connection migration v2 may be used to migrate active QUIC
+  // sessions to alternative network if current network connectivity is poor.
+  bool migrate_sessions_early_v2 = false;
+  // If true, a new connection may be kicked off on an alternate network when
+  // a connection fails on the default network before handshake is confirmed.
+  bool retry_on_alternate_network_before_handshake = false;
+  // If true, an idle session will be migrated within the idle migration
+  // period.
+  bool migrate_idle_sessions = false;
+  // A session can be migrated if its idle time is within this period.
+  base::TimeDelta idle_session_migration_period =
+      kDefaultIdleSessionMigrationPeriod;
+  // Maximum time the session could be on the non-default network before
+  // migrates back to default network. Defaults to
+  // kMaxTimeOnNonDefaultNetwork.
+  base::TimeDelta max_time_on_non_default_network = kMaxTimeOnNonDefaultNetwork;
+  // Maximum number of migrations to the non-default network on write error
+  // per network for each session.
+  int max_migrations_to_non_default_network_on_write_error =
+      kMaxMigrationsToNonDefaultNetworkOnWriteError;
+  // Maximum number of migrations to the non-default network on path
+  // degrading per network for each session.
+  int max_migrations_to_non_default_network_on_path_degrading =
+      kMaxMigrationsToNonDefaultNetworkOnPathDegrading;
+  // If true, allows migration of QUIC connections to a server-specified
+  // alternate server address.
+  bool allow_server_migration = false;
+  // If true, allows QUIC to use alternative services with a different
+  // hostname from the origin.
+  bool allow_remote_alt_svc = true;
+  // If true, the quic stream factory may race connection from stale dns
+  // result with the original dns resolution
+  bool race_stale_dns_on_connection = false;
+  // If true, the quic session may mark itself as GOAWAY on path degrading.
+  bool go_away_on_path_degrading = false;
+  // If true, bidirectional streams over QUIC will be disabled.
+  bool disable_bidirectional_streams = false;
+  // If true, race cert verification with host resolution.
+  bool race_cert_verification = false;
+  // If true, estimate the initial RTT for QUIC connections based on network.
+  bool estimate_initial_rtt = false;
+  // If true, client headers will include HTTP/2 stream dependency info
+  // derived from the request priority.
+  bool headers_include_h2_stream_dependency = false;
+  // The initial rtt that will be used in crypto handshake if no cached
+  // smoothed rtt is present.
+  base::TimeDelta initial_rtt_for_handshake;
+};
+
 enum QuicPlatformNotification {
   NETWORK_CONNECTED,
   NETWORK_MADE_DEFAULT,
@@ -124,10 +241,11 @@ class NET_EXPORT_PRIVATE QuicStreamRequest {
   // quic::QuicConnection.  This can be different than
   // HostPortPair::FromURL(url).
   int Request(const HostPortPair& destination,
-              quic::QuicTransportVersion quic_version,
+              quic::ParsedQuicVersion quic_version,
               PrivacyMode privacy_mode,
               RequestPriority priority,
               const SocketTag& socket_tag,
+              const NetworkIsolationKey& network_isolation_key,
               int cert_verify_flags,
               const GURL& url,
               const NetLogWithSource& net_log,
@@ -248,35 +366,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
       QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory,
       quic::QuicRandom* random_generator,
       quic::QuicClock* clock,
-      size_t max_packet_length,
-      const std::string& user_agent_id,
-      bool store_server_configs_in_properties,
-      bool close_sessions_on_ip_change,
-      bool goway_sessions_on_ip_change,
-      bool mark_quic_broken_when_network_blackholes,
-      int idle_connection_timeout_seconds,
-      int reduced_ping_timeout_seconds,
-      int retransmittable_on_wire_timeout_milliseconds_,
-      int max_time_before_crypto_handshake_seconds,
-      int max_idle_time_before_crypto_handshake_seconds,
-      bool migrate_sessions_on_network_change_v2,
-      bool migrate_sessions_early_v2,
-      bool retry_on_alternate_network_before_handshake,
-      bool migrate_idle_sessions,
-      base::TimeDelta idle_session_migration_period,
-      base::TimeDelta max_time_on_non_default_network,
-      int max_migrations_to_non_default_network_on_write_error,
-      int max_migrations_to_non_default_network_on_path_degrading,
-      bool allow_server_migration,
-      bool race_stale_dns_on_connection,
-      bool go_away_on_path_degrading,
-      bool race_cert_verification,
-      bool estimate_initial_rtt,
-      bool headers_include_h2_stream_dependency,
-      const quic::QuicTagVector& connection_options,
-      const quic::QuicTagVector& client_connection_options,
-      bool enable_socket_recv_optimization,
-      int initial_rtt_for_handshake_milliseconds);
+      const QuicParams& params);
   ~QuicStreamFactory() override;
 
   // Returns true if there is an existing session for |session_key| or if the
@@ -292,7 +382,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   // OnRequestComplete asynchronously.
   int Create(const QuicSessionKey& session_key,
              const HostPortPair& destination,
-             quic::QuicTransportVersion quic_version,
+             quic::ParsedQuicVersion quic_version,
              RequestPriority priority,
              int cert_verify_flags,
              const GURL& url,
@@ -370,7 +460,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
 
   bool require_confirmation() const { return require_confirmation_; }
 
-  bool allow_server_migration() const { return allow_server_migration_; }
+  bool allow_server_migration() const { return params_.allow_server_migration; }
 
   void set_require_confirmation(bool require_confirmation);
 
@@ -387,7 +477,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   }
 
   bool mark_quic_broken_when_network_blackholes() const {
-    return mark_quic_broken_when_network_blackholes_;
+    return params_.mark_quic_broken_when_network_blackholes;
   }
 
   NetworkChangeNotifier::NetworkHandle default_network() const {
@@ -424,7 +514,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   bool HasActiveJob(const QuicSessionKey& session_key) const;
   bool HasActiveCertVerifierJob(const quic::QuicServerId& server_id) const;
   int CreateSession(const QuicSessionAliasKey& key,
-                    const quic::QuicTransportVersion& quic_version,
+                    quic::ParsedQuicVersion quic_version,
                     int cert_verify_flags,
                     bool require_confirmation,
                     const AddressList& address_list,
@@ -458,8 +548,8 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   bool CryptoConfigCacheIsEmpty(const quic::QuicServerId& server_id);
 
   // Starts an asynchronous job for cert verification if
-  // |race_cert_verification_| is enabled and if there are cached certs for the
-  // given |server_id|.
+  // |params_.race_cert_verification| is enabled and if there are cached certs
+  // for the given |server_id|.
   quic::QuicAsyncStatus StartCertVerifyJob(const quic::QuicServerId& server_id,
                                            int cert_verify_flags,
                                            const NetLogWithSource& net_log);
@@ -488,7 +578,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory_;
   quic::QuicRandom* random_generator_;  // Unowned.
   quic::QuicClock* clock_;              // Unowned.
-  const size_t max_packet_length_;
+  QuicParams params_;
   QuicClockSkewDetector clock_skew_detector_;
 
   // Factory which is used to create socket performance watcher. A new watcher
@@ -525,13 +615,6 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   // Map of quic::QuicServerId to owning CertVerifierJob.
   CertVerifierJobMap active_cert_verifier_jobs_;
 
-  // True if QUIC should be marked as broken when a connection blackholes after
-  // the handshake is confirmed.
-  bool mark_quic_broken_when_network_blackholes_;
-
-  // Set if QUIC server configs should be stored in HttpServerProperties.
-  bool store_server_configs_in_properties_;
-
   // PING timeout for connections.
   quic::QuicTime::Delta ping_timeout_;
   quic::QuicTime::Delta reduced_ping_timeout_;
@@ -545,13 +628,6 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   int yield_after_packets_;
   quic::QuicTime::Delta yield_after_duration_;
 
-  // Set if all sessions should be closed when any local IP address changes.
-  const bool close_sessions_on_ip_change_;
-
-  // Set if all sessions should be marked as go away when any local IP address
-  // changes.
-  const bool goaway_sessions_on_ip_change_;
-
   // Set if migration should be attempted after probing.
   const bool migrate_sessions_on_network_change_v2_;
 
@@ -569,44 +645,10 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   NetworkChangeNotifier::NetworkHandle default_network_;
 
   // Set if idle sessions can be migrated within
-  // |idle_session_migration_period_| when connection migration is triggered.
+  // |params_.idle_session_migration_period| when connection migration is
+  // triggered.
   const bool migrate_idle_sessions_;
 
-  // Sessions can migrate if they have been idle for less than this period.
-  const base::TimeDelta idle_session_migration_period_;
-
-  // Maximum time sessions could use on non-default network before try to
-  // migrate back to default network.
-  const base::TimeDelta max_time_on_non_default_network_;
-
-  // Maximum number of migrations to non default network on write error.
-  const int max_migrations_to_non_default_network_on_write_error_;
-
-  // Maximum number of migrations to non default network on path degrading.
-  const int max_migrations_to_non_default_network_on_path_degrading_;
-
-  // If set, allows migration of connection to server-specified alternate
-  // server address.
-  const bool allow_server_migration_;
-
-  // Set if stale DNS result may be speculatively used to connect and then
-  // compared with the original DNS result.
-  const bool race_stale_dns_on_connection_;
-
-  // Set if client should mark the session as GOAWAY when the connection
-  // experiences poor connectivity
-  const bool go_away_on_path_degrading_;
-
-  // Set if cert verification is to be raced with host resolution.
-  bool race_cert_verification_;
-
-  // If true, estimate the initial RTT based on network type.
-  bool estimate_initial_rtt;
-
-  // If true, client headers will include HTTP/2 stream dependency info
-  // derived from spdy::SpdyPriority.
-  bool headers_include_h2_stream_dependency_;
-
   // Local address of socket that was created in CreateSession.
   IPEndPoint local_address_;
   // True if we need to check HttpServerProperties if QUIC was supported last
@@ -625,14 +667,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
 
   SSLConfigService* const ssl_config_service_;
 
-  // If set to true, the stream factory will create UDP Sockets with
-  // experimental optimization enabled for receiving data.
-  bool enable_socket_recv_optimization_;
-
-  // The initial rtt for handshake.
-  const int initial_rtt_for_handshake_milliseconds_;
-
-  base::WeakPtrFactory<QuicStreamFactory> weak_factory_;
+  base::WeakPtrFactory<QuicStreamFactory> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicStreamFactory);
 };
diff --git a/chromium/net/quic/quic_stream_factory_fuzzer.cc b/chromium/net/quic/quic_stream_factory_fuzzer.cc
index 60d828be793..783cb01036d 100644
--- a/chromium/net/quic/quic_stream_factory_fuzzer.cc
+++ b/chromium/net/quic/quic_stream_factory_fuzzer.cc
@@ -4,9 +4,8 @@
 
 #include "net/quic/quic_stream_factory.h"
 
-#include "base/test/fuzzed_data_provider.h"
-
 #include "base/stl_util.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/do_nothing_ct_verifier.h"
@@ -27,6 +26,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace net {
 
@@ -82,7 +82,7 @@ struct Env {
 static struct Env* env = new Env();
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
 
   std::unique_ptr<ContextHostResolver> host_resolver =
       CreateFuzzedContextHostResolver(HostResolver::ManagerOptions(), nullptr,
@@ -93,40 +93,44 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Initialize this on each loop since some options mutate this.
   HttpServerPropertiesImpl http_server_properties;
 
-  bool store_server_configs_in_properties = data_provider.ConsumeBool();
-  bool close_sessions_on_ip_change = data_provider.ConsumeBool();
-  bool mark_quic_broken_when_network_blackholes = data_provider.ConsumeBool();
-  bool allow_server_migration = data_provider.ConsumeBool();
-  bool race_cert_verification = data_provider.ConsumeBool();
-  bool estimate_initial_rtt = data_provider.ConsumeBool();
-  bool headers_include_h2_stream_dependency = data_provider.ConsumeBool();
-  bool enable_socket_recv_optimization = data_provider.ConsumeBool();
-  bool race_stale_dns_on_connection = data_provider.ConsumeBool();
+  QuicParams params;
+  params.max_server_configs_stored_in_properties =
+      data_provider.ConsumeBool() ? 1 : 0;
+  params.close_sessions_on_ip_change = data_provider.ConsumeBool();
+  params.mark_quic_broken_when_network_blackholes = data_provider.ConsumeBool();
+  params.allow_server_migration = data_provider.ConsumeBool();
+  params.race_cert_verification = data_provider.ConsumeBool();
+  params.estimate_initial_rtt = data_provider.ConsumeBool();
+  params.headers_include_h2_stream_dependency = data_provider.ConsumeBool();
+  params.enable_socket_recv_optimization = data_provider.ConsumeBool();
+  params.race_stale_dns_on_connection = data_provider.ConsumeBool();
 
   env->crypto_client_stream_factory.AddProofVerifyDetails(&env->verify_details);
 
-  bool goaway_sessions_on_ip_change = false;
-  bool migrate_sessions_early_v2 = false;
-  bool migrate_sessions_on_network_change_v2 = false;
-  bool retry_on_alternate_network_before_handshake = false;
-  bool migrate_idle_sessions = false;
-  bool go_away_on_path_degrading = false;
-
-  if (!close_sessions_on_ip_change) {
-    goaway_sessions_on_ip_change = data_provider.ConsumeBool();
-    if (!goaway_sessions_on_ip_change) {
-      migrate_sessions_on_network_change_v2 = data_provider.ConsumeBool();
-      if (migrate_sessions_on_network_change_v2) {
-        migrate_sessions_early_v2 = data_provider.ConsumeBool();
-        retry_on_alternate_network_before_handshake =
+  params.goaway_sessions_on_ip_change = false;
+  params.migrate_sessions_early_v2 = false;
+  params.migrate_sessions_on_network_change_v2 = false;
+  params.retry_on_alternate_network_before_handshake = false;
+  params.migrate_idle_sessions = false;
+  params.go_away_on_path_degrading = false;
+
+  if (!params.close_sessions_on_ip_change) {
+    params.goaway_sessions_on_ip_change = data_provider.ConsumeBool();
+    if (!params.goaway_sessions_on_ip_change) {
+      params.migrate_sessions_on_network_change_v2 =
+          data_provider.ConsumeBool();
+      if (params.migrate_sessions_on_network_change_v2) {
+        params.migrate_sessions_early_v2 = data_provider.ConsumeBool();
+        params.retry_on_alternate_network_before_handshake =
             data_provider.ConsumeBool();
-        migrate_idle_sessions = data_provider.ConsumeBool();
+        params.migrate_idle_sessions = data_provider.ConsumeBool();
       }
     }
   }
 
-  if (!migrate_sessions_early_v2)
-    go_away_on_path_degrading = data_provider.ConsumeBool();
+  if (!params.migrate_sessions_early_v2) {
+    params.go_away_on_path_degrading = data_provider.ConsumeBool();
+  }
 
   std::unique_ptr<QuicStreamFactory> factory =
       std::make_unique<QuicStreamFactory>(
@@ -136,34 +140,20 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
           &env->ct_policy_enforcer, &env->transport_security_state,
           env->cert_transparency_verifier.get(), nullptr,
           &env->crypto_client_stream_factory, &env->random_generator,
-          &env->clock, quic::kDefaultMaxPacketSize, std::string(),
-          store_server_configs_in_properties, close_sessions_on_ip_change,
-          goaway_sessions_on_ip_change,
-          mark_quic_broken_when_network_blackholes,
-          kIdleConnectionTimeoutSeconds, quic::kPingTimeoutSecs,
-          kDefaultRetransmittableOnWireTimeoutMillisecs,
-          quic::kMaxTimeForCryptoHandshakeSecs, quic::kInitialIdleTimeoutSecs,
-          migrate_sessions_on_network_change_v2, migrate_sessions_early_v2,
-          retry_on_alternate_network_before_handshake, migrate_idle_sessions,
-          base::TimeDelta::FromSeconds(
-              kDefaultIdleSessionMigrationPeriodSeconds),
-          base::TimeDelta::FromSeconds(kMaxTimeOnNonDefaultNetworkSecs),
-          kMaxMigrationsToNonDefaultNetworkOnWriteError,
-          kMaxMigrationsToNonDefaultNetworkOnPathDegrading,
-          allow_server_migration, race_stale_dns_on_connection,
-          go_away_on_path_degrading, race_cert_verification,
-          estimate_initial_rtt, headers_include_h2_stream_dependency,
-          env->connection_options, env->client_connection_options,
-          enable_socket_recv_optimization, 0);
+          &env->clock, params);
 
+  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
   QuicStreamRequest request(factory.get());
   TestCompletionCallback callback;
   NetErrorDetails net_error_details;
+  quic::ParsedQuicVersionVector versions = quic::AllSupportedVersions();
+  quic::ParsedQuicVersion version =
+      versions[data_provider.ConsumeIntegralInRange<size_t>(
+          0, versions.size() - 1)];
   request.Request(
-      env->host_port_pair,
-      data_provider.PickValueInArray(quic::kSupportedTransportVersions),
-      PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY, SocketTag(), kCertVerifyFlags,
-      GURL(kUrl), env->net_log, &net_error_details,
+      env->host_port_pair, version, PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY,
+      SocketTag(), NetworkIsolationKey(), kCertVerifyFlags, GURL(kUrl),
+      env->net_log, &net_error_details,
       /*failed_on_default_network_callback=*/CompletionOnceCallback(),
       callback.callback());
 
diff --git a/chromium/net/quic/quic_stream_factory_peer.cc b/chromium/net/quic/quic_stream_factory_peer.cc
index cb9262e45cb..565e5300c76 100644
--- a/chromium/net/quic/quic_stream_factory_peer.cc
+++ b/chromium/net/quic/quic_stream_factory_peer.cc
@@ -113,13 +113,13 @@ quic::QuicTime::Delta QuicStreamFactoryPeer::GetPingTimeout(
 
 bool QuicStreamFactoryPeer::GetRaceCertVerification(
     QuicStreamFactory* factory) {
-  return factory->race_cert_verification_;
+  return factory->params_.race_cert_verification;
 }
 
 void QuicStreamFactoryPeer::SetRaceCertVerification(
     QuicStreamFactory* factory,
     bool race_cert_verification) {
-  factory->race_cert_verification_ = race_cert_verification;
+  factory->params_.race_cert_verification = race_cert_verification;
 }
 
 quic::QuicAsyncStatus QuicStreamFactoryPeer::StartCertVerifyJob(
diff --git a/chromium/net/quic/quic_stream_factory_test.cc b/chromium/net/quic/quic_stream_factory_test.cc
index 4c909798498..760da17499e 100644
--- a/chromium/net/quic/quic_stream_factory_test.cc
+++ b/chromium/net/quic/quic_stream_factory_test.cc
@@ -16,7 +16,9 @@
 #include "base/test/simple_test_tick_clock.h"
 #include "base/test/test_mock_time_task_runner.h"
 #include "build/build_config.h"
+#include "net/base/load_flags.h"
 #include "net/base/mock_network_change_notifier.h"
+#include "net/base/network_isolation_key.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/do_nothing_ct_verifier.h"
 #include "net/cert/mock_cert_verifier.h"
@@ -38,11 +40,13 @@
 #include "net/quic/quic_server_info.h"
 #include "net/quic/quic_stream_factory_peer.h"
 #include "net/quic/quic_test_packet_maker.h"
+#include "net/quic/quic_test_packet_printer.h"
 #include "net/quic/test_task_runner.h"
 #include "net/socket/next_proto.h"
 #include "net/socket/socket_test_util.h"
 #include "net/spdy/spdy_session_test_util.h"
 #include "net/spdy/spdy_test_util_common.h"
+#include "net/ssl/ssl_config_service_defaults.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/gtest_util.h"
 #include "net/test/test_data_directory.h"
@@ -69,26 +73,6 @@ using std::string;
 
 namespace net {
 
-namespace {
-
-class MockSSLConfigService : public SSLConfigService {
- public:
-  MockSSLConfigService() {}
-  ~MockSSLConfigService() override {}
-
-  void GetSSLConfig(SSLConfig* config) override { *config = config_; }
-
-  bool CanShareConnectionWithClientCerts(
-      const std::string& hostname) const override {
-    return false;
-  }
-
- private:
-  SSLConfig config_;
-};
-
-}  // namespace
-
 namespace test {
 
 namespace {
@@ -132,10 +116,13 @@ struct TestParams {
 std::vector<TestParams> GetTestParams() {
   std::vector<TestParams> params;
   quic::ParsedQuicVersionVector all_supported_versions =
-      quic::AllVersionsExcept99();
+      quic::AllSupportedVersions();
   for (const auto& version : all_supported_versions) {
-    params.push_back(TestParams{version, false});
-    params.push_back(TestParams{version, true});
+    // TODO(rch): crbug.com/978745 - Make this work with TLS
+    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
+      params.push_back(TestParams{version, false});
+      params.push_back(TestParams{version, true});
+    }
   }
   return params;
 }
@@ -172,14 +159,17 @@ struct PoolingTestParams {
 std::vector<PoolingTestParams> GetPoolingTestParams() {
   std::vector<PoolingTestParams> params;
   quic::ParsedQuicVersionVector all_supported_versions =
-      quic::AllVersionsExcept99();
+      quic::AllSupportedVersions();
   for (const quic::ParsedQuicVersion version : all_supported_versions) {
-    params.push_back(PoolingTestParams{version, SAME_AS_FIRST, false});
-    params.push_back(PoolingTestParams{version, SAME_AS_FIRST, true});
-    params.push_back(PoolingTestParams{version, SAME_AS_SECOND, false});
-    params.push_back(PoolingTestParams{version, SAME_AS_SECOND, true});
-    params.push_back(PoolingTestParams{version, DIFFERENT, false});
-    params.push_back(PoolingTestParams{version, DIFFERENT, true});
+    // TODO(rch): crbug.com/978745 - Make this work with TLS
+    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
+      params.push_back(PoolingTestParams{version, SAME_AS_FIRST, false});
+      params.push_back(PoolingTestParams{version, SAME_AS_FIRST, true});
+      params.push_back(PoolingTestParams{version, SAME_AS_SECOND, false});
+      params.push_back(PoolingTestParams{version, SAME_AS_SECOND, true});
+      params.push_back(PoolingTestParams{version, DIFFERENT, false});
+      params.push_back(PoolingTestParams{version, DIFFERENT, true});
+    }
   }
   return params;
 }
@@ -223,7 +213,7 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
   QuicStreamFactoryTestBase(quic::ParsedQuicVersion version,
                             bool client_headers_include_h2_stream_dependency)
       : host_resolver_(new MockHostResolver),
-        ssl_config_service_(new MockSSLConfigService),
+        ssl_config_service_(new SSLConfigServiceDefaults),
         socket_factory_(new MockClientSocketFactory),
         random_generator_(0),
         runner_(new TestTaskRunner(&clock_)),
@@ -255,9 +245,8 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
         failed_on_default_network_callback_(base::BindRepeating(
             &QuicStreamFactoryTestBase::OnFailedOnDefaultNetwork,
             base::Unretained(this))),
-        failed_on_default_network_(false),
-        store_server_configs_in_properties_(false) {
-    test_params_.quic_headers_include_h2_stream_dependency =
+        failed_on_default_network_(false) {
+    test_params_.quic_params.headers_include_h2_stream_dependency =
         client_headers_include_h2_stream_dependency;
     clock_.AdvanceTime(quic::QuicTime::Delta::FromSeconds(1));
   }
@@ -271,35 +260,7 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
         cert_transparency_verifier_.get(),
         /*SocketPerformanceWatcherFactory*/ nullptr,
         &crypto_client_stream_factory_, &random_generator_, &clock_,
-        test_params_.quic_max_packet_length, test_params_.quic_user_agent_id,
-        store_server_configs_in_properties_,
-        test_params_.quic_close_sessions_on_ip_change,
-        test_params_.quic_goaway_sessions_on_ip_change,
-        test_params_.mark_quic_broken_when_network_blackholes,
-        test_params_.quic_idle_connection_timeout_seconds,
-        test_params_.quic_reduced_ping_timeout_seconds,
-        test_params_.quic_retransmittable_on_wire_timeout_milliseconds,
-        test_params_.quic_max_time_before_crypto_handshake_seconds,
-        test_params_.quic_max_idle_time_before_crypto_handshake_seconds,
-        test_params_.quic_migrate_sessions_on_network_change_v2,
-        test_params_.quic_migrate_sessions_early_v2,
-        test_params_.quic_retry_on_alternate_network_before_handshake,
-        test_params_.quic_migrate_idle_sessions,
-        test_params_.quic_idle_session_migration_period,
-        test_params_.quic_max_time_on_non_default_network,
-        test_params_.quic_max_migrations_to_non_default_network_on_write_error,
-        test_params_
-            .quic_max_migrations_to_non_default_network_on_path_degrading,
-        test_params_.quic_allow_server_migration,
-        test_params_.quic_race_stale_dns_on_connection,
-        test_params_.quic_go_away_on_path_degrading,
-        test_params_.quic_race_cert_verification,
-        test_params_.quic_estimate_initial_rtt,
-        test_params_.quic_headers_include_h2_stream_dependency,
-        test_params_.quic_connection_options,
-        test_params_.quic_client_connection_options,
-        test_params_.quic_enable_socket_recv_optimization,
-        test_params_.quic_initial_rtt_for_handshake_milliseconds));
+        test_params_.quic_params));
   }
 
   void InitializeConnectionMigrationV2Test(
@@ -310,8 +271,8 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
         scoped_mock_network_change_notifier_->mock_network_change_notifier();
     mock_ncn->ForceNetworkHandlesSupported();
     mock_ncn->SetConnectedNetworksList(connected_networks);
-    test_params_.quic_migrate_sessions_on_network_change_v2 = true;
-    test_params_.quic_migrate_sessions_early_v2 = true;
+    test_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
+    test_params_.quic_params.migrate_sessions_early_v2 = true;
     socket_factory_.reset(new TestConnectionMigrationSocketFactory);
     Initialize();
   }
@@ -380,7 +341,7 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
     EXPECT_FALSE(HasActiveSession(destination));
     size_t socket_count = socket_factory_->udp_client_socket_ports().size();
 
-    MockQuicData socket_data;
+    MockQuicData socket_data(version_);
     socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
     socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
     socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -389,8 +350,8 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
     GURL url("https://" + destination.host() + "/");
     EXPECT_EQ(ERR_IO_PENDING,
               request.Request(
-                  destination, version_.transport_version, privacy_mode_,
-                  DEFAULT_PRIORITY, SocketTag(),
+                  destination, version_, privacy_mode_, DEFAULT_PRIORITY,
+                  SocketTag(), NetworkIsolationKey(),
                   /*cert_verify_flags=*/0, url, net_log_, &net_error_details_,
                   failed_on_default_network_callback_, callback_.callback()));
 
@@ -471,8 +432,7 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
       quic::QuicStreamId stream_id,
       quic::QuicStreamId parent_stream_id,
       bool should_include_version,
-      bool fin,
-      quic::QuicStreamOffset* offset) {
+      bool fin) {
     spdy::SpdyHeaderBlock headers =
         client_maker_.GetRequestHeaders("GET", "https", "/");
     spdy::SpdyPriority priority =
@@ -480,18 +440,7 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
     size_t spdy_headers_frame_len;
     return client_maker_.MakeRequestHeadersPacket(
         packet_number, stream_id, should_include_version, fin, priority,
-        std::move(headers), parent_stream_id, &spdy_headers_frame_len, offset);
-  }
-
-  std::unique_ptr<quic::QuicEncryptedPacket> ConstructGetRequestPacket(
-      uint64_t packet_number,
-      quic::QuicStreamId stream_id,
-      bool should_include_version,
-      bool fin,
-      quic::QuicStreamOffset* offset) {
-    return ConstructGetRequestPacket(packet_number, stream_id,
-                                     /*parent_stream_id=*/0,
-                                     should_include_version, fin, offset);
+        std::move(headers), parent_stream_id, &spdy_headers_frame_len);
   }
 
   std::unique_ptr<quic::QuicEncryptedPacket> ConstructOkResponsePacket(
@@ -507,19 +456,18 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructInitialSettingsPacket() {
-    return client_maker_.MakeInitialSettingsPacket(1, nullptr);
+    return client_maker_.MakeInitialSettingsPacket(1);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructInitialSettingsPacket(
-      uint64_t packet_number,
-      quic::QuicStreamOffset* offset) {
-    return client_maker_.MakeInitialSettingsPacket(packet_number, offset);
+      uint64_t packet_number) {
+    return client_maker_.MakeInitialSettingsPacket(packet_number);
   }
 
   // Helper method for server migration tests.
   void VerifyServerMigration(const quic::QuicConfig& config,
                              IPEndPoint expected_address) {
-    test_params_.quic_allow_server_migration = true;
+    test_params_.quic_params.allow_server_migration = true;
     Initialize();
 
     ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -527,13 +475,14 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
     crypto_client_stream_factory_.SetConfig(config);
 
     // Set up first socket data provider.
-    MockQuicData socket_data1;
+    MockQuicData socket_data1(version_);
     socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
     socket_data1.AddSocketDataToFactory(socket_factory_.get());
 
+    client_maker_.set_coalesce_http_frames(true);
     // Set up second socket data provider that is used after
     // migration.
-    MockQuicData socket_data2;
+    MockQuicData socket_data2(version_);
     socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
     socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
     socket_data2.AddWrite(
@@ -548,8 +497,8 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
     QuicStreamRequest request(factory_.get());
     EXPECT_EQ(ERR_IO_PENDING,
               request.Request(
-                  host_port_pair_, version_.transport_version, privacy_mode_,
-                  DEFAULT_PRIORITY, SocketTag(),
+                  host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                  SocketTag(), NetworkIsolationKey(),
                   /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                   failed_on_default_network_callback_, callback_.callback()));
     EXPECT_EQ(OK, callback_.WaitForResult());
@@ -591,8 +540,9 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
 
   // Verifies that the QUIC stream factory is initialized correctly.
   void VerifyInitialization() {
-    store_server_configs_in_properties_ = true;
-    test_params_.quic_idle_connection_timeout_seconds = 500;
+    test_params_.quic_params.max_server_configs_stored_in_properties = 1;
+    test_params_.quic_params.idle_connection_timeout =
+        base::TimeDelta::FromSeconds(500);
     Initialize();
     factory_->set_require_confirmation(false);
     ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -728,7 +678,7 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
                                               "192.168.0.1", "");
 
     // Create a session and verify that the cached state is loaded.
-    MockQuicData socket_data;
+    MockQuicData socket_data(version_);
     socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
     socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -736,8 +686,8 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
     EXPECT_EQ(ERR_IO_PENDING,
               request.Request(
                   HostPortPair(quic_server_id.host(), quic_server_id.port()),
-                  version_.transport_version, privacy_mode_, DEFAULT_PRIORITY,
-                  SocketTag(),
+                  version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                  NetworkIsolationKey(),
                   /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                   failed_on_default_network_callback_, callback_.callback()));
     EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -761,7 +711,7 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
     EXPECT_TRUE(socket_data.AllWriteDataConsumed());
 
     // Create a session and verify that the cached state is loaded.
-    MockQuicData socket_data2;
+    MockQuicData socket_data2(version_);
     socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
     socket_data2.AddSocketDataToFactory(socket_factory_.get());
 
@@ -772,8 +722,8 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
     EXPECT_EQ(ERR_IO_PENDING,
               request2.Request(
                   HostPortPair(quic_server_id2.host(), quic_server_id2.port()),
-                  version_.transport_version, privacy_mode_, DEFAULT_PRIORITY,
-                  SocketTag(),
+                  version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                  NetworkIsolationKey(),
                   /*cert_verify_flags=*/0, GURL("https://mail.example.org/"),
                   net_log_, &net_error_details_,
                   failed_on_default_network_callback_, callback_.callback()));
@@ -819,10 +769,9 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
       quic::QuicStreamId stream_id,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data) {
-    return server_maker_.MakeDataPacket(
-        packet_number, stream_id, should_include_version, fin, offset, data);
+    return server_maker_.MakeDataPacket(packet_number, stream_id,
+                                        should_include_version, fin, data);
   }
 
   quic::QuicStreamId GetNthServerInitiatedUnidirectionalStreamId(int n) {
@@ -901,7 +850,6 @@ class QuicStreamFactoryTestBase : public WithScopedTaskEnvironment {
 
   // Variables to configure QuicStreamFactory.
   HttpNetworkSession::Params test_params_;
-  bool store_server_configs_in_properties_;
 };
 
 class QuicStreamFactoryTest : public QuicStreamFactoryTestBase,
@@ -922,7 +870,7 @@ TEST_P(QuicStreamFactoryTest, Create) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -930,8 +878,8 @@ TEST_P(QuicStreamFactoryTest, Create) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -942,12 +890,12 @@ TEST_P(QuicStreamFactoryTest, Create) {
   EXPECT_EQ(DEFAULT_PRIORITY, host_resolver_->last_request_priority());
 
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   // Will reset stream 3.
   stream = CreateStream(&request2);
 
@@ -956,12 +904,12 @@ TEST_P(QuicStreamFactoryTest, Create) {
   // TODO(rtenneti): We should probably have a tests that HTTP and HTTPS result
   // in streams on different sessions.
   QuicStreamRequest request3(factory_.get());
-  EXPECT_EQ(OK, request3.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request3.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   stream = CreateStream(&request3);  // Will reset stream 5.
   stream.reset();                    // Will reset stream 7.
 
@@ -975,7 +923,7 @@ TEST_P(QuicStreamFactoryTest, CreateZeroRtt) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -986,12 +934,12 @@ TEST_P(QuicStreamFactoryTest, CreateZeroRtt) {
                                             "192.168.0.1", "");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(host_port_pair_, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
 
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream.get());
@@ -1004,7 +952,7 @@ TEST_P(QuicStreamFactoryTest, DefaultInitialRtt) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1012,8 +960,8 @@ TEST_P(QuicStreamFactoryTest, DefaultInitialRtt) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1032,7 +980,7 @@ TEST_P(QuicStreamFactoryTest, FactoryDestroyedWhenJobPending) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1040,8 +988,8 @@ TEST_P(QuicStreamFactoryTest, FactoryDestroyedWhenJobPending) {
   auto request = std::make_unique<QuicStreamRequest>(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request->Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   request.reset();
@@ -1062,7 +1010,7 @@ TEST_P(QuicStreamFactoryTest, RequireConfirmation) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1070,8 +1018,8 @@ TEST_P(QuicStreamFactoryTest, RequireConfirmation) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1104,15 +1052,15 @@ TEST_P(QuicStreamFactoryTest, DontRequireConfirmationFromSameIP) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
   EXPECT_THAT(request.Request(
-                  host_port_pair_, version_.transport_version, privacy_mode_,
-                  DEFAULT_PRIORITY, SocketTag(),
+                  host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                  SocketTag(), NetworkIsolationKey(),
                   /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                   failed_on_default_network_callback_, callback_.callback()),
               IsOk());
@@ -1137,13 +1085,13 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRtt) {
   stats.srtt = base::TimeDelta::FromMilliseconds(10);
   http_server_properties_.SetServerNetworkStats(url::SchemeHostPort(url_),
                                                 stats);
-  test_params_.quic_estimate_initial_rtt = true;
+  test_params_.quic_params.estimate_initial_rtt = true;
 
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1151,8 +1099,8 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRtt) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1170,13 +1118,13 @@ TEST_P(QuicStreamFactoryTest, 2gInitialRtt) {
   ScopedMockNetworkChangeNotifier notifier;
   notifier.mock_network_change_notifier()->SetConnectionType(
       NetworkChangeNotifier::CONNECTION_2G);
-  test_params_.quic_estimate_initial_rtt = true;
+  test_params_.quic_params.estimate_initial_rtt = true;
 
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1184,8 +1132,8 @@ TEST_P(QuicStreamFactoryTest, 2gInitialRtt) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1203,13 +1151,13 @@ TEST_P(QuicStreamFactoryTest, 3gInitialRtt) {
   ScopedMockNetworkChangeNotifier notifier;
   notifier.mock_network_change_notifier()->SetConnectionType(
       NetworkChangeNotifier::CONNECTION_3G);
-  test_params_.quic_estimate_initial_rtt = true;
+  test_params_.quic_params.estimate_initial_rtt = true;
 
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1217,8 +1165,8 @@ TEST_P(QuicStreamFactoryTest, 3gInitialRtt) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1237,7 +1185,7 @@ TEST_P(QuicStreamFactoryTest, GoAway) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1245,8 +1193,8 @@ TEST_P(QuicStreamFactoryTest, GoAway) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1269,7 +1217,7 @@ TEST_P(QuicStreamFactoryTest, GoAwayForConnectionMigrationWithPortOnly) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1277,8 +1225,8 @@ TEST_P(QuicStreamFactoryTest, GoAwayForConnectionMigrationWithPortOnly) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1310,7 +1258,7 @@ TEST_P(QuicStreamFactoryTest, Pooling) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1322,23 +1270,23 @@ TEST_P(QuicStreamFactoryTest, Pooling) {
   host_resolver_->rules()->AddIPLiteralRule(server2.host(), "192.168.0.1", "");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(host_port_pair_, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream.get());
 
   TestCompletionCallback callback;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(server2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -1354,8 +1302,7 @@ TEST_P(QuicStreamFactoryTest, PoolingWithServerMigration) {
                                             "192.168.0.1", "");
   IPEndPoint alt_address = IPEndPoint(IPAddress(1, 2, 3, 4), 443);
   quic::QuicConfig config;
-  config.SetAlternateServerAddressToSend(
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(alt_address)));
+  config.SetAlternateServerAddressToSend(ToQuicSocketAddress(alt_address));
 
   VerifyServerMigration(config, alt_address);
 
@@ -1364,17 +1311,21 @@ TEST_P(QuicStreamFactoryTest, PoolingWithServerMigration) {
   session->CloseSessionOnError(0u, quic::QUIC_NO_ERROR,
                                quic::ConnectionCloseBehavior::SILENT_CLOSE);
 
+  client_maker_.Reset();
+  client_maker_.set_coalesce_http_frames(false);
   // Set up server IP, socket, proof, and config for new session.
   HostPortPair server2(kServer2HostName, kDefaultServerPort);
   host_resolver_->rules()->AddIPLiteralRule(server2.host(), "192.168.0.1", "");
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {MockWrite(SYNCHRONOUS, settings_packet->data(),
                                   settings_packet->length(), 1)};
 
   SequencedSocketData socket_data(reads, writes);
+  QuicPacketPrinter printer(version_);
+  socket_data.set_printer(&printer);
   socket_factory_->AddSocketDataProvider(&socket_data);
 
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -1387,8 +1338,8 @@ TEST_P(QuicStreamFactoryTest, PoolingWithServerMigration) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                server2, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback.callback()));
   EXPECT_EQ(OK, callback.WaitForResult());
@@ -1406,11 +1357,12 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddSocketDataToFactory(socket_factory_.get());
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -1422,23 +1374,23 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
   host_resolver_->rules()->AddIPLiteralRule(server2.host(), "192.168.0.1", "");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(host_port_pair_, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream.get());
 
   TestCompletionCallback callback;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(server2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -1448,12 +1400,12 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
 
   TestCompletionCallback callback3;
   QuicStreamRequest request3(factory_.get());
-  EXPECT_EQ(OK, request3.Request(server2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback3.callback()));
+  EXPECT_EQ(OK,
+            request3.Request(
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback3.callback()));
   std::unique_ptr<HttpStream> stream3 = CreateStream(&request3);
   EXPECT_TRUE(stream3.get());
 
@@ -1468,7 +1420,7 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
 TEST_P(QuicStreamFactoryTest, HttpsPooling) {
   Initialize();
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1484,23 +1436,23 @@ TEST_P(QuicStreamFactoryTest, HttpsPooling) {
   host_resolver_->rules()->AddIPLiteralRule(server2.host(), "192.168.0.1", "");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(server1, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                server1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream.get());
 
   TestCompletionCallback callback;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(server2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -1512,7 +1464,7 @@ TEST_P(QuicStreamFactoryTest, HttpsPooling) {
 
 TEST_P(QuicStreamFactoryTest, HttpsPoolingWithMatchingPins) {
   Initialize();
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1534,23 +1486,23 @@ TEST_P(QuicStreamFactoryTest, HttpsPoolingWithMatchingPins) {
   host_resolver_->rules()->AddIPLiteralRule(server2.host(), "192.168.0.1", "");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(server1, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                server1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream.get());
 
   TestCompletionCallback callback;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(server2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -1563,11 +1515,12 @@ TEST_P(QuicStreamFactoryTest, HttpsPoolingWithMatchingPins) {
 TEST_P(QuicStreamFactoryTest, NoHttpsPoolingWithDifferentPins) {
   Initialize();
 
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddSocketDataToFactory(socket_factory_.get());
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -1595,23 +1548,23 @@ TEST_P(QuicStreamFactoryTest, NoHttpsPoolingWithDifferentPins) {
   host_resolver_->rules()->AddIPLiteralRule(server2.host(), "192.168.0.1", "");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(server1, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                server1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream.get());
 
   TestCompletionCallback callback;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(server2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -1629,11 +1582,12 @@ TEST_P(QuicStreamFactoryTest, Goaway) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -1641,8 +1595,8 @@ TEST_P(QuicStreamFactoryTest, Goaway) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1663,8 +1617,8 @@ TEST_P(QuicStreamFactoryTest, Goaway) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -1691,7 +1645,7 @@ TEST_P(QuicStreamFactoryTest, MaxOpenStream) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
   quic::QuicStreamId stream_id = GetNthClientInitiatedBidirectionalStreamId(0);
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   if (version_.transport_version == quic::QUIC_VERSION_99) {
     socket_data.AddWrite(SYNCHRONOUS, client_maker_.MakeStreamsBlockedPacket(
@@ -1727,8 +1681,8 @@ TEST_P(QuicStreamFactoryTest, MaxOpenStream) {
   for (size_t i = 0; i < quic::kDefaultMaxStreamsPerConnection / 2; i++) {
     QuicStreamRequest request(factory_.get());
     int rv = request.Request(
-        host_port_pair_, version_.transport_version, privacy_mode_,
-        DEFAULT_PRIORITY, SocketTag(),
+        host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+        NetworkIsolationKey(),
         /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
         failed_on_default_network_callback_, callback_.callback());
     if (i == 0) {
@@ -1746,12 +1700,12 @@ TEST_P(QuicStreamFactoryTest, MaxOpenStream) {
   }
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(host_port_pair_, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                CompletionOnceCallback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, CompletionOnceCallback()));
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream);
   EXPECT_EQ(ERR_IO_PENDING,
@@ -1779,7 +1733,7 @@ TEST_P(QuicStreamFactoryTest, MaxOpenStream) {
 
 TEST_P(QuicStreamFactoryTest, ResolutionErrorInCreate) {
   Initialize();
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   host_resolver_->rules()->AddSimulatedFailure(kDefaultServerHostName);
@@ -1787,8 +1741,8 @@ TEST_P(QuicStreamFactoryTest, ResolutionErrorInCreate) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1801,15 +1755,15 @@ TEST_P(QuicStreamFactoryTest, ResolutionErrorInCreate) {
 TEST_P(QuicStreamFactoryTest, ConnectErrorInCreate) {
   Initialize();
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddConnect(SYNCHRONOUS, ERR_ADDRESS_IN_USE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1821,7 +1775,7 @@ TEST_P(QuicStreamFactoryTest, ConnectErrorInCreate) {
 
 TEST_P(QuicStreamFactoryTest, CancelCreate) {
   Initialize();
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -1829,8 +1783,8 @@ TEST_P(QuicStreamFactoryTest, CancelCreate) {
     QuicStreamRequest request(factory_.get());
     EXPECT_EQ(ERR_IO_PENDING,
               request.Request(
-                  host_port_pair_, version_.transport_version, privacy_mode_,
-                  DEFAULT_PRIORITY, SocketTag(),
+                  host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                  SocketTag(), NetworkIsolationKey(),
                   /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                   failed_on_default_network_callback_, callback_.callback()));
   }
@@ -1838,12 +1792,12 @@ TEST_P(QuicStreamFactoryTest, CancelCreate) {
   base::RunLoop().RunUntilIdle();
 
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream = CreateStream(&request2);
 
   EXPECT_TRUE(stream.get());
@@ -1859,17 +1813,18 @@ TEST_P(QuicStreamFactoryTest, CloseAllSessions) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(
       SYNCHRONOUS, ConstructClientRstPacket(2, quic::QUIC_RST_ACKNOWLEDGEMENT));
   socket_data.AddWrite(SYNCHRONOUS,
                        client_maker_.MakeConnectionClosePacket(
-                           3, true, quic::QUIC_INTERNAL_ERROR, "net error"));
+                           3, true, quic::QUIC_PEER_GOING_AWAY, "net error"));
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -1877,8 +1832,8 @@ TEST_P(QuicStreamFactoryTest, CloseAllSessions) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1892,7 +1847,7 @@ TEST_P(QuicStreamFactoryTest, CloseAllSessions) {
 
   // Close the session and verify that stream saw the error.
   factory_->CloseAllSessions(ERR_INTERNET_DISCONNECTED,
-                             quic::QUIC_INTERNAL_ERROR);
+                             quic::QUIC_PEER_GOING_AWAY);
   EXPECT_EQ(ERR_INTERNET_DISCONNECTED,
             stream->ReadResponseHeaders(callback_.callback()));
 
@@ -1902,8 +1857,8 @@ TEST_P(QuicStreamFactoryTest, CloseAllSessions) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -1928,7 +1883,7 @@ TEST_P(QuicStreamFactoryTest,
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Trigger PACKET_WRITE_ERROR when sending packets in crypto connect.
   socket_data.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
@@ -1938,8 +1893,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(ERR_QUIC_HANDSHAKE_FAILED, callback_.WaitForResult());
@@ -1951,7 +1906,8 @@ TEST_P(QuicStreamFactoryTest,
       MockCryptoClientStream::COLD_START);
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -1959,8 +1915,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_FALSE(HasActiveSession(host_port_pair_));
@@ -1994,7 +1950,7 @@ TEST_P(QuicStreamFactoryTest, WriteErrorInCryptoConnectWithSyncHostResolution) {
   host_resolver_->rules()->AddIPLiteralRule(host_port_pair_.host(),
                                             "192.168.0.1", "");
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Trigger PACKET_WRITE_ERROR when sending packets in crypto connect.
   socket_data.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
@@ -2004,8 +1960,8 @@ TEST_P(QuicStreamFactoryTest, WriteErrorInCryptoConnectWithSyncHostResolution) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_QUIC_HANDSHAKE_FAILED,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   // Check no active session, or active jobs left for this server.
@@ -2017,7 +1973,8 @@ TEST_P(QuicStreamFactoryTest, WriteErrorInCryptoConnectWithSyncHostResolution) {
       MockCryptoClientStream::COLD_START);
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -2025,8 +1982,8 @@ TEST_P(QuicStreamFactoryTest, WriteErrorInCryptoConnectWithSyncHostResolution) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_FALSE(HasActiveSession(host_port_pair_));
@@ -2050,13 +2007,13 @@ TEST_P(QuicStreamFactoryTest, WriteErrorInCryptoConnectWithSyncHostResolution) {
 }
 
 TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
-  test_params_.quic_close_sessions_on_ip_change = true;
+  test_params_.quic_params.close_sessions_on_ip_change = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(
@@ -2066,7 +2023,8 @@ TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
                        3, true, quic::QUIC_IP_ADDRESS_CHANGED, "net error"));
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -2074,8 +2032,8 @@ TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -2109,8 +2067,8 @@ TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -2134,20 +2092,18 @@ TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
 // as going away on IP address change instead of being closed. New requests will
 // go to a new connection.
 TEST_P(QuicStreamFactoryTest, GoAwaySessionsOnIPAddressChanged) {
-  test_params_.quic_goaway_sessions_on_ip_change = true;
+  test_params_.quic_params.goaway_sessions_on_ip_change = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  quic_data1.AddWrite(SYNCHRONOUS,
-                      ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData quic_data1(version_);
+  quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   quic_data1.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data1.AddRead(
       ASYNC,
@@ -2156,19 +2112,18 @@ TEST_P(QuicStreamFactoryTest, GoAwaySessionsOnIPAddressChanged) {
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data2;
-  quic::QuicStreamOffset header_stream_offset2 = 0;
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
-  quic_data2.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset2));
+  quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(1));
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
 
   // Create request and QuicHttpStream.
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -2213,8 +2168,8 @@ TEST_P(QuicStreamFactoryTest, GoAwaySessionsOnIPAddressChanged) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -2242,7 +2197,7 @@ TEST_P(QuicStreamFactoryTest, OnIPAddressChangedWithConnectionMigration) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(
@@ -2252,8 +2207,8 @@ TEST_P(QuicStreamFactoryTest, OnIPAddressChangedWithConnectionMigration) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -2275,12 +2230,12 @@ TEST_P(QuicStreamFactoryTest, OnIPAddressChangedWithConnectionMigration) {
 
   // Attempting a new request to the same origin uses the same connection.
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   stream = CreateStream(&request2);
 
   stream.reset();
@@ -2314,20 +2269,18 @@ void QuicStreamFactoryTestBase::TestMigrationOnNetworkMadeDefault(
   scoped_mock_network_change_notifier_->mock_network_change_notifier()
       ->QueueNetworkMadeDefault(kDefaultNetworkForTests);
 
-  MockQuicData quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data1(version_);
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging Read.
-  quic_data1.AddWrite(SYNCHRONOUS,
-                      ConstructInitialSettingsPacket(1, &header_stream_offset));
+  quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data1.AddWrite(
-      write_mode, ConstructGetRequestPacket(
-                      2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                      true, &header_stream_offset));
+      write_mode,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the second socket data provider that is used after migration.
   // The response to the earlier request is read on the new socket.
-  MockQuicData quic_data2;
+  MockQuicData quic_data2(version_);
   // Connectivity probe to be sent on the new path.
   quic_data2.AddWrite(SYNCHRONOUS,
                       client_maker_.MakeConnectivityProbingPacket(3, true));
@@ -2353,8 +2306,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnNetworkMadeDefault(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -2489,20 +2442,18 @@ TEST_P(QuicStreamFactoryTest, MigratedToBlockedSocketAfterProbing) {
   scoped_mock_network_change_notifier_->mock_network_change_notifier()
       ->QueueNetworkMadeDefault(kDefaultNetworkForTests);
 
-  MockQuicData quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data1(version_);
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging Read.
-  quic_data1.AddWrite(SYNCHRONOUS,
-                      ConstructInitialSettingsPacket(1, &header_stream_offset));
+  quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the second socket data provider that is used after migration.
   // The response to the earlier request is read on the new socket.
-  MockQuicData quic_data2;
+  MockQuicData quic_data2(version_);
   // First connectivity probe to be sent on the new path.
   quic_data2.AddWrite(SYNCHRONOUS,
                       client_maker_.MakeConnectivityProbingPacket(3, true));
@@ -2532,8 +2483,8 @@ TEST_P(QuicStreamFactoryTest, MigratedToBlockedSocketAfterProbing) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -2667,7 +2618,7 @@ TEST_P(QuicStreamFactoryTest, MigrationTimeoutWithNoNewNetwork) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -2676,8 +2627,8 @@ TEST_P(QuicStreamFactoryTest, MigrationTimeoutWithNoNewNetwork) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -2744,13 +2695,13 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNonMigratableStream(
     bool migrate_idle_sessions) {
-  test_params_.quic_migrate_idle_sessions = migrate_idle_sessions;
+  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   if (!migrate_idle_sessions) {
@@ -2767,7 +2718,7 @@ void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNonMigratableStream(
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the second socket data provider that is used for probing.
-  MockQuicData quic_data1;
+  MockQuicData quic_data1(version_);
   // Connectivity probe to be sent on the new path.
   quic_data1.AddWrite(SYNCHRONOUS,
                       client_maker_.MakeConnectivityProbingPacket(2, true));
@@ -2793,8 +2744,8 @@ void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNonMigratableStream(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -2845,7 +2796,7 @@ TEST_P(QuicStreamFactoryTest, OnNetworkMadeDefaultConnectionMigrationDisabled) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(
@@ -2858,8 +2809,8 @@ TEST_P(QuicStreamFactoryTest, OnNetworkMadeDefaultConnectionMigrationDisabled) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -2910,19 +2861,17 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestOnNetworkDisconnectedNonMigratableStream(
     bool migrate_idle_sessions) {
-  test_params_.quic_migrate_idle_sessions = migrate_idle_sessions;
+  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData failed_socket_data;
-  MockQuicData socket_data;
+  MockQuicData failed_socket_data(version_);
+  MockQuicData socket_data(version_);
   if (migrate_idle_sessions) {
-    quic::QuicStreamOffset header_stream_offset = 0;
     failed_socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-    failed_socket_data.AddWrite(
-        SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+    failed_socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
     // A RESET will be sent to the peer to cancel the non-migratable stream.
     failed_socket_data.AddWrite(
         SYNCHRONOUS, client_maker_.MakeRstPacket(
@@ -2950,8 +2899,8 @@ void QuicStreamFactoryTestBase::TestOnNetworkDisconnectedNonMigratableStream(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3001,7 +2950,7 @@ TEST_P(QuicStreamFactoryTest,
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(
@@ -3014,8 +2963,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3064,13 +3013,13 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNoOpenStreams(
     bool migrate_idle_sessions) {
-  test_params_.quic_migrate_idle_sessions = migrate_idle_sessions;
+  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   if (!migrate_idle_sessions) {
@@ -3082,7 +3031,7 @@ void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNoOpenStreams(
   }
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data1;
+  MockQuicData quic_data1(version_);
   if (migrate_idle_sessions) {
     // Set up the second socket data provider that is used for probing.
     // Connectivity probe to be sent on the new path.
@@ -3103,8 +3052,8 @@ void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNoOpenStreams(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3145,18 +3094,18 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestOnNetworkDisconnectedNoOpenStreams(
     bool migrate_idle_sessions) {
-  test_params_.quic_migrate_idle_sessions = migrate_idle_sessions;
+  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData default_socket_data;
+  MockQuicData default_socket_data(version_);
   default_socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   default_socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   default_socket_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData alternate_socket_data;
+  MockQuicData alternate_socket_data(version_);
   if (migrate_idle_sessions) {
     // Set up second socket data provider that is used after migration.
     alternate_socket_data.AddRead(SYNCHRONOUS,
@@ -3171,8 +3120,8 @@ void QuicStreamFactoryTestBase::TestOnNetworkDisconnectedNoOpenStreams(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3223,17 +3172,15 @@ void QuicStreamFactoryTestBase::TestMigrationOnNetworkDisconnected(
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), runner_.get());
 
   int packet_number = 1;
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructInitialSettingsPacket(packet_number++, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS,
+                       ConstructInitialSettingsPacket(packet_number++));
   socket_data.AddWrite(
       SYNCHRONOUS,
       ConstructGetRequestPacket(packet_number++,
                                 GetNthClientInitiatedBidirectionalStreamId(0),
-                                true, true, &header_stream_offset));
+                                true, true));
   if (async_write_before) {
     socket_data.AddWrite(ASYNC, OK);
     packet_number++;
@@ -3244,8 +3191,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnNetworkDisconnected(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3277,7 +3224,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnNetworkDisconnected(
 
   // Set up second socket data provider that is used after migration.
   // The response to the earlier request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
       SYNCHRONOUS,
       client_maker_.MakePingPacket(packet_number++, /*include_version=*/true));
@@ -3348,23 +3295,21 @@ TEST_P(QuicStreamFactoryTest, NewNetworkConnectedAfterNoNetwork) {
   // Use the test task runner.
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), runner_.get());
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Create request and QuicHttpStream.
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3404,7 +3349,7 @@ TEST_P(QuicStreamFactoryTest, NewNetworkConnectedAfterNoNetwork) {
 
   // Set up second socket data provider that is used after migration.
   // The response to the earlier request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakePingPacket(3, /*include_version=*/true));
   socket_data1.AddRead(
@@ -3478,21 +3423,20 @@ TEST_P(QuicStreamFactoryTest, MigrateToProbingSocket) {
       ->QueueNetworkMadeDefault(kDefaultNetworkForTests);
 
   int packet_number = 1;
-  MockQuicData quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data1(version_);
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging Read.
-  quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(
-                                       packet_number++, &header_stream_offset));
+  quic_data1.AddWrite(SYNCHRONOUS,
+                      ConstructInitialSettingsPacket(packet_number++));
   quic_data1.AddWrite(
       SYNCHRONOUS,
       ConstructGetRequestPacket(packet_number++,
                                 GetNthClientInitiatedBidirectionalStreamId(0),
-                                true, true, &header_stream_offset));
+                                true, true));
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the second socket data provider that is used for probing on the
   // alternate network.
-  MockQuicData quic_data2;
+  MockQuicData quic_data2(version_);
   // Connectivity probe to be sent on the new path.
   quic_data2.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectivityProbingPacket(
                                        packet_number++, true));
@@ -3526,8 +3470,8 @@ TEST_P(QuicStreamFactoryTest, MigrateToProbingSocket) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3655,16 +3599,15 @@ void QuicStreamFactoryTestBase::TestMigrationOnPathDegrading(
       ->QueueNetworkMadeDefault(kDefaultNetworkForTests);
 
   int packet_number = 1;
-  MockQuicData quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data1(version_);
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging Read.
-  quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(
-                                       packet_number++, &header_stream_offset));
+  quic_data1.AddWrite(SYNCHRONOUS,
+                      ConstructInitialSettingsPacket(packet_number++));
   quic_data1.AddWrite(
       SYNCHRONOUS,
       ConstructGetRequestPacket(packet_number++,
                                 GetNthClientInitiatedBidirectionalStreamId(0),
-                                true, true, &header_stream_offset));
+                                true, true));
   if (async_write_before) {
     quic_data1.AddWrite(ASYNC, OK);
     packet_number++;
@@ -3673,7 +3616,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnPathDegrading(
 
   // Set up the second socket data provider that is used after migration.
   // The response to the earlier request is read on the new socket.
-  MockQuicData quic_data2;
+  MockQuicData quic_data2(version_);
   // Connectivity probe to be sent on the new path.
   quic_data2.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectivityProbingPacket(
                                        packet_number++, true));
@@ -3700,8 +3643,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnPathDegrading(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3805,20 +3748,18 @@ void QuicStreamFactoryTestBase::TestMigrationOnPathDegrading(
 // This test verifies that the session marks itself GOAWAY on path degrading
 // and it does not receive any new request
 TEST_P(QuicStreamFactoryTest, GoawayOnPathDegrading) {
-  test_params_.quic_go_away_on_path_degrading = true;
+  test_params_.quic_params.go_away_on_path_degrading = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  quic_data1.AddWrite(SYNCHRONOUS,
-                      ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData quic_data1(version_);
+  quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   quic_data1.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data1.AddRead(
       ASYNC,
@@ -3827,19 +3768,18 @@ TEST_P(QuicStreamFactoryTest, GoawayOnPathDegrading) {
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data2;
-  quic::QuicStreamOffset header_stream_offset2 = 0;
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
-  quic_data2.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset2));
+  quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
 
   // Creat request and QuicHttpStream.
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cerf_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3879,8 +3819,8 @@ TEST_P(QuicStreamFactoryTest, GoawayOnPathDegrading) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -3925,14 +3865,12 @@ TEST_P(QuicStreamFactoryTest, DoNotMigrateToBadSocketOnPathDegrading) {
   scoped_mock_network_change_notifier_->mock_network_change_notifier()
       ->QueueNetworkMadeDefault(kDefaultNetworkForTests);
 
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     ConstructInitialSettingsPacket(1, &header_stream_offset));
-  quic_data.AddWrite(SYNCHRONOUS,
-                     ConstructGetRequestPacket(
-                         2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, &header_stream_offset));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
+  quic_data.AddWrite(
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ConstructOkResponsePacket(
                                1, GetNthClientInitiatedBidirectionalStreamId(0),
@@ -3955,8 +3893,8 @@ TEST_P(QuicStreamFactoryTest, DoNotMigrateToBadSocketOnPathDegrading) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -4044,31 +3982,24 @@ void QuicStreamFactoryTestBase::TestMigrateSessionWithDrainingStream(
       ->QueueNetworkMadeDefault(kDefaultNetworkForTests);
 
   int packet_number = 1;
-  MockQuicData quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(
-                                       packet_number++, &header_stream_offset));
+  MockQuicData quic_data1(version_);
+  quic_data1.AddWrite(SYNCHRONOUS,
+                      ConstructInitialSettingsPacket(packet_number++));
   quic_data1.AddWrite(
       SYNCHRONOUS,
       ConstructGetRequestPacket(packet_number++,
                                 GetNthClientInitiatedBidirectionalStreamId(0),
-                                true, true, &header_stream_offset));
+                                true, true));
   // Read an out of order packet with FIN to drain the stream.
   quic_data1.AddRead(
       ASYNC, ConstructOkResponsePacket(
                  2, GetNthClientInitiatedBidirectionalStreamId(0), false,
                  true));  // keep sending version.
-  if (!GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    // Packet 2 is considered as out of order packet and an ACK will be sent
-    // immediately.
-    quic_data1.AddWrite(SYNCHRONOUS, client_maker_.MakeAckPacket(
-                                         packet_number++, 2, 2, 2, 1, true));
-  }
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the second socket data provider that is used after migration.
-  MockQuicData quic_data2;
+  MockQuicData quic_data2(version_);
   // Connectivity probe to be sent on the new path.
   quic_data2.AddWrite(SYNCHRONOUS, client_maker_.MakeConnectivityProbingPacket(
                                        packet_number++, false));
@@ -4084,6 +4015,7 @@ void QuicStreamFactoryTestBase::TestMigrateSessionWithDrainingStream(
     quic_data2.AddWrite(ASYNC,
                         client_maker_.MakePingPacket(packet_number++, false));
   }
+  server_maker_.Reset();
   quic_data2.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -4097,8 +4029,8 @@ void QuicStreamFactoryTestBase::TestMigrateSessionWithDrainingStream(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -4215,20 +4147,18 @@ TEST_P(QuicStreamFactoryTest, MigrateOnNewNetworkConnectAfterPathDegrading) {
   scoped_mock_network_change_notifier_->mock_network_change_notifier()
       ->QueueNetworkMadeDefault(kDefaultNetworkForTests);
 
-  MockQuicData quic_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData quic_data1(version_);
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging Read.
-  quic_data1.AddWrite(SYNCHRONOUS,
-                      ConstructInitialSettingsPacket(1, &header_stream_offset));
+  quic_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the second socket data provider that is used after migration.
   // The response to the earlier request is read on the new socket.
-  MockQuicData quic_data2;
+  MockQuicData quic_data2(version_);
   // Connectivity probe to be sent on the new path.
   quic_data2.AddWrite(SYNCHRONOUS,
                       client_maker_.MakeConnectivityProbingPacket(3, true));
@@ -4254,8 +4184,8 @@ TEST_P(QuicStreamFactoryTest, MigrateOnNewNetworkConnectAfterPathDegrading) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -4369,12 +4299,13 @@ TEST_P(QuicStreamFactoryTest,
        MigrateMultipleSessionsToBadSocketsAfterDisconnected) {
   InitializeConnectionMigrationV2Test({kDefaultNetworkForTests});
 
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(ASYNC, OK);
   socket_data1.AddSocketDataToFactory(socket_factory_.get());
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddWrite(ASYNC, OK);
@@ -4393,23 +4324,23 @@ TEST_P(QuicStreamFactoryTest,
 
   // Create request and QuicHttpStream to create session1.
   QuicStreamRequest request1(factory_.get());
-  EXPECT_EQ(OK, request1.Request(server1, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request1.Request(
+                server1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream1 = CreateStream(&request1);
   EXPECT_TRUE(stream1.get());
 
   // Create request and QuicHttpStream to create session2.
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(server2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -4494,14 +4425,12 @@ TEST_P(QuicStreamFactoryTest, MigrateOnPathDegradingWithNoNewNetwork) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData quic_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  quic_data.AddWrite(SYNCHRONOUS,
-                     ConstructInitialSettingsPacket(1, &header_stream_offset));
-  quic_data.AddWrite(SYNCHRONOUS,
-                     ConstructGetRequestPacket(
-                         2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, &header_stream_offset));
+  MockQuicData quic_data(version_);
+  quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
+  quic_data.AddWrite(
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause for path degrading signal.
 
   // The rest of the data will still flow in the original socket as there is no
@@ -4520,8 +4449,8 @@ TEST_P(QuicStreamFactoryTest, MigrateOnPathDegradingWithNoNewNetwork) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -4586,13 +4515,13 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestMigrateSessionEarlyNonMigratableStream(
     bool migrate_idle_sessions) {
-  test_params_.quic_migrate_idle_sessions = migrate_idle_sessions;
+  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   if (!migrate_idle_sessions) {
@@ -4608,7 +4537,7 @@ void QuicStreamFactoryTestBase::TestMigrateSessionEarlyNonMigratableStream(
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the second socket data provider that is used for probing.
-  MockQuicData quic_data1;
+  MockQuicData quic_data1(version_);
   // Connectivity probe to be sent on the new path.
   quic_data1.AddWrite(SYNCHRONOUS,
                       client_maker_.MakeConnectivityProbingPacket(2, true));
@@ -4634,8 +4563,8 @@ void QuicStreamFactoryTestBase::TestMigrateSessionEarlyNonMigratableStream(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -4687,7 +4616,7 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionEarlyConnectionMigrationDisabled) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(
@@ -4700,8 +4629,8 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionEarlyConnectionMigrationDisabled) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -4760,27 +4689,26 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionOnAysncWriteError) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(ASYNC, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
-  socket_data1.AddWrite(SYNCHRONOUS,
-                        ConstructGetRequestPacket(
-                            3, GetNthClientInitiatedBidirectionalStreamId(1),
-                            GetNthClientInitiatedBidirectionalStreamId(0), true,
-                            true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
+  client_maker_.set_coalesce_http_frames(true);
+  socket_data1.AddWrite(
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          3, GetNthClientInitiatedBidirectionalStreamId(1),
+          GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -4793,7 +4721,7 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionOnAysncWriteError) {
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
                        5, false, GetNthClientInitiatedBidirectionalStreamId(1),
-                       quic::QUIC_STREAM_CANCELLED, 0,
+                       quic::QUIC_STREAM_CANCELLED,
                        /*include_stop_sending_if_v99=*/true));
 
   socket_data1.AddSocketDataToFactory(socket_factory_.get());
@@ -4802,8 +4730,8 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionOnAysncWriteError) {
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -4822,12 +4750,12 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionOnAysncWriteError) {
   // Request #2 returns synchronously because it pools to existing session.
   TestCompletionCallback callback2;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback2.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback2.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -4912,22 +4840,20 @@ TEST_P(QuicStreamFactoryTest, MigrateBackToDefaultPostMigrationOnWriteError) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(ASYNC, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData quic_data2;
+  MockQuicData quic_data2(version_);
   quic_data2.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   quic_data2.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -4939,8 +4865,8 @@ TEST_P(QuicStreamFactoryTest, MigrateBackToDefaultPostMigrationOnWriteError) {
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -4995,7 +4921,7 @@ TEST_P(QuicStreamFactoryTest, MigrateBackToDefaultPostMigrationOnWriteError) {
   EXPECT_EQ(200, response.headers->response_code());
 
   // Set up the third socket data provider for migrate back to default network.
-  MockQuicData quic_data3;
+  MockQuicData quic_data3(version_);
   // Connectivity probe to be sent on the new path.
   quic_data3.AddWrite(SYNCHRONOUS,
                       client_maker_.MakeConnectivityProbingPacket(3, false));
@@ -5007,7 +4933,7 @@ TEST_P(QuicStreamFactoryTest, MigrateBackToDefaultPostMigrationOnWriteError) {
   quic_data3.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
                        5, false, GetNthClientInitiatedBidirectionalStreamId(0),
-                       quic::QUIC_STREAM_CANCELLED, 0,
+                       quic::QUIC_STREAM_CANCELLED,
                        /*include_stop_sending_if_v99=*/true));
   quic_data3.AddSocketDataToFactory(socket_factory_.get());
 
@@ -5052,7 +4978,7 @@ TEST_P(QuicStreamFactoryTest,
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(ASYNC, client_maker_.MakeDummyCHLOPacket(1));
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -5061,8 +4987,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -5113,7 +5039,7 @@ void QuicStreamFactoryTestBase::TestNoAlternateNetworkBeforeHandshake(
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(ASYNC, client_maker_.MakeDummyCHLOPacket(1));
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -5122,8 +5048,8 @@ void QuicStreamFactoryTestBase::TestNoAlternateNetworkBeforeHandshake(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -5191,7 +5117,7 @@ void QuicStreamFactoryTestBase::
         quic::QuicErrorCode quic_error) {
   DCHECK(quic_error == quic::QUIC_NETWORK_IDLE_TIMEOUT ||
          quic_error == quic::QUIC_HANDSHAKE_TIMEOUT);
-  test_params_.quic_retry_on_alternate_network_before_handshake = true;
+  test_params_.quic_params.retry_on_alternate_network_before_handshake = true;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
 
@@ -5204,24 +5130,21 @@ void QuicStreamFactoryTestBase::
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
 
   // Socket data for connection on the default network.
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(ASYNC, client_maker_.MakeDummyCHLOPacket(1));
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Socket data for connection on the alternate network.
-  MockQuicData socket_data2;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data2(version_);
   socket_data2.AddWrite(SYNCHRONOUS, client_maker_.MakeDummyCHLOPacket(1));
   socket_data2.AddRead(ASYNC, ERR_IO_PENDING);  // Pause.
   // Change the encryption level after handshake is confirmed.
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  socket_data2.AddWrite(
-      ASYNC, ConstructInitialSettingsPacket(2, &header_stream_offset));
+  socket_data2.AddWrite(ASYNC, ConstructInitialSettingsPacket(2));
   socket_data2.AddWrite(
       ASYNC, ConstructGetRequestPacket(
-                 3, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-                 &header_stream_offset));
+                 3, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data2.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -5234,7 +5157,7 @@ void QuicStreamFactoryTestBase::
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
 
   // Socket data for probing on the default network.
-  MockQuicData probing_data;
+  MockQuicData probing_data(version_);
   probing_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   probing_data.AddWrite(SYNCHRONOUS,
                         client_maker_.MakeConnectivityProbingPacket(4, false));
@@ -5244,8 +5167,8 @@ void QuicStreamFactoryTestBase::
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -5343,7 +5266,7 @@ void QuicStreamFactoryTestBase::
 // is triggered before handshake is confirmed and connection migration is turned
 // on.
 TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
-  DCHECK(!test_params_.quic_retry_on_alternate_network_before_handshake);
+  DCHECK(!test_params_.quic_params.retry_on_alternate_network_before_handshake);
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
 
@@ -5351,7 +5274,7 @@ TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Trigger PACKET_WRITE_ERROR when sending packets in crypto connect.
   socket_data.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
@@ -5361,8 +5284,8 @@ TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(ERR_QUIC_HANDSHAKE_FAILED, callback_.WaitForResult());
@@ -5374,7 +5297,8 @@ TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
       MockCryptoClientStream::COLD_START);
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -5382,8 +5306,8 @@ TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_FALSE(HasActiveSession(host_port_pair_));
@@ -5413,7 +5337,7 @@ TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
 // on, a new connection will be retried on the alternate network.
 TEST_P(QuicStreamFactoryTest,
        RetryConnectionOnWriteErrorBeforeHandshakeConfirmed) {
-  test_params_.quic_retry_on_alternate_network_before_handshake = true;
+  test_params_.quic_params.retry_on_alternate_network_before_handshake = true;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
 
@@ -5422,25 +5346,22 @@ TEST_P(QuicStreamFactoryTest,
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
 
   // Socket data for connection on the default network.
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Trigger PACKET_WRITE_ERROR when sending packets in crypto connect.
   socket_data.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Socket data for connection on the alternate network.
-  MockQuicData socket_data2;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data2(version_);
   socket_data2.AddWrite(SYNCHRONOUS, client_maker_.MakeDummyCHLOPacket(1));
   socket_data2.AddRead(ASYNC, ERR_IO_PENDING);  // Pause.
   // Change the encryption level after handshake is confirmed.
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  socket_data2.AddWrite(
-      ASYNC, ConstructInitialSettingsPacket(2, &header_stream_offset));
+  socket_data2.AddWrite(ASYNC, ConstructInitialSettingsPacket(2));
   socket_data2.AddWrite(
       ASYNC, ConstructGetRequestPacket(
-                 3, GetNthClientInitiatedBidirectionalStreamId(0), true, true,
-                 &header_stream_offset));
+                 3, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data2.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -5456,8 +5377,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   // Ensure that the session is alive but not active.
@@ -5514,11 +5435,9 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteError(
 
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(write_error_mode, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -5526,8 +5445,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteError(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -5551,11 +5470,11 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteError(
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -5613,7 +5532,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorNoNewNetwork(
   // Use the test task runner, to force the migration alarm timeout later.
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), runner_.get());
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(write_error_mode, ERR_ADDRESS_UNREACHABLE);
@@ -5623,8 +5542,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorNoNewNetwork(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -5723,22 +5642,20 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorWithMultipleRequests(
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(write_error_mode, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -5751,7 +5668,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorWithMultipleRequests(
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
                        4, false, GetNthClientInitiatedBidirectionalStreamId(1),
-                       quic::QUIC_STREAM_CANCELLED, 0,
+                       quic::QUIC_STREAM_CANCELLED,
                        /*include_stop_sending_if_v99=*/true));
 
   socket_data1.AddSocketDataToFactory(socket_factory_.get());
@@ -5760,8 +5677,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorWithMultipleRequests(
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -5780,12 +5697,12 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorWithMultipleRequests(
   // Second request returns synchronously because it pools to existing session.
   TestCompletionCallback callback2;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback2.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback2.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
   HttpRequestInfo request_info2;
@@ -5856,29 +5773,28 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams(
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
   int packet_number = 1;
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
+
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructInitialSettingsPacket(packet_number++, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS,
+                       ConstructInitialSettingsPacket(packet_number++));
   socket_data.AddWrite(write_error_mode, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
       SYNCHRONOUS,
       ConstructGetRequestPacket(packet_number++,
                                 GetNthClientInitiatedBidirectionalStreamId(0),
-                                true, true, &header_stream_offset));
+                                true, true));
   socket_data1.AddWrite(
       SYNCHRONOUS,
       client_maker_.MakeRstPacket(packet_number++, true,
                                   GetNthClientInitiatedBidirectionalStreamId(1),
-                                  quic::QUIC_STREAM_CANCELLED, 0,
+                                  quic::QUIC_STREAM_CANCELLED,
                                   /*include_stop_sending_if_v99=*/true));
   socket_data1.AddRead(
       ASYNC,
@@ -5896,8 +5812,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams(
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -5916,12 +5832,12 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams(
   // Second request returns synchronously because it pools to existing session.
   TestCompletionCallback callback2;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback2.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback2.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -5995,12 +5911,10 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams2(
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
   int packet_number = 1;
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS,
-      ConstructInitialSettingsPacket(packet_number++, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS,
+                       ConstructInitialSettingsPacket(packet_number++));
   socket_data.AddWrite(write_error_mode,
                        ERR_ADDRESS_UNREACHABLE);  // Write error.
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -6008,25 +5922,25 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams2(
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   // The packet triggered writer error will be sent anyway even if the stream
   // will be cancelled later.
   socket_data1.AddWrite(
       SYNCHRONOUS,
       ConstructGetRequestPacket(packet_number++,
                                 GetNthClientInitiatedBidirectionalStreamId(1),
-                                true, true, &header_stream_offset));
+                                true, true));
   socket_data1.AddWrite(
       SYNCHRONOUS,
       client_maker_.MakeRstPacket(packet_number++, true,
                                   GetNthClientInitiatedBidirectionalStreamId(1),
-                                  quic::QUIC_STREAM_CANCELLED, 0,
+                                  quic::QUIC_STREAM_CANCELLED,
                                   /*include_stop_sending_if_v99=*/true));
   socket_data1.AddWrite(
       SYNCHRONOUS,
       ConstructGetRequestPacket(packet_number++,
                                 GetNthClientInitiatedBidirectionalStreamId(0),
-                                true, true, &header_stream_offset));
+                                true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -6043,8 +5957,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams2(
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -6063,12 +5977,12 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams2(
   // Second request returns synchronously because it pools to existing session.
   TestCompletionCallback callback2;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback2.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback2.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -6133,20 +6047,18 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorNonMigratableStream(
   DVLOG(1) << "Write error mode: "
            << ((write_error_mode == SYNCHRONOUS) ? "SYNCHRONOUS" : "ASYNC");
   DVLOG(1) << "Migrate idle sessions: " << migrate_idle_sessions;
-  test_params_.quic_migrate_idle_sessions = migrate_idle_sessions;
+  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData failed_socket_data;
-  MockQuicData socket_data;
+  MockQuicData failed_socket_data(version_);
+  MockQuicData socket_data(version_);
   if (migrate_idle_sessions) {
-    quic::QuicStreamOffset header_stream_offset = 0;
     // The socket data provider for the original socket before migration.
     failed_socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-    failed_socket_data.AddWrite(
-        SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+    failed_socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
     failed_socket_data.AddWrite(write_error_mode, ERR_ADDRESS_UNREACHABLE);
     failed_socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -6156,9 +6068,9 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorNonMigratableStream(
     // non-migratable stream and the stream will be cancelled during migration,
     // the packet will still be retransimitted at the connection level.
     socket_data.AddWrite(
-        SYNCHRONOUS, ConstructGetRequestPacket(
-                         2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                         true, &header_stream_offset));
+        SYNCHRONOUS,
+        ConstructGetRequestPacket(
+            2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
     // A RESET will be sent to the peer to cancel the non-migratable stream.
     socket_data.AddWrite(
         SYNCHRONOUS, client_maker_.MakeRstPacket(
@@ -6176,8 +6088,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorNonMigratableStream(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -6253,7 +6165,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMigrationDisabled(
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(write_error_mode, ERR_ADDRESS_UNREACHABLE);
@@ -6263,8 +6175,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMigrationDisabled(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -6343,25 +6255,23 @@ void QuicStreamFactoryTestBase::TestMigrationOnMultipleWriteErrors(
 
   // Set up the socket data used by the original network, which encounters a
   // write erorr.
-  MockQuicData socket_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data1(version_);
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(write_error_mode_on_old_network,
                         ERR_ADDRESS_UNREACHABLE);  // Write Error
   socket_data1.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the socket data used by the alternate network, which also
   // encounters a write error.
-  MockQuicData failed_quic_data2;
+  MockQuicData failed_quic_data2(version_);
   failed_quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   failed_quic_data2.AddWrite(write_error_mode_on_new_network, ERR_FAILED);
   failed_quic_data2.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up the third socket data used by original network, which encounters a
   // write error again.
-  MockQuicData failed_quic_data1;
+  MockQuicData failed_quic_data1(version_);
   failed_quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   failed_quic_data1.AddWrite(write_error_mode_on_old_network, ERR_FAILED);
   failed_quic_data1.AddSocketDataToFactory(socket_factory_.get());
@@ -6369,11 +6279,11 @@ void QuicStreamFactoryTestBase::TestMigrationOnMultipleWriteErrors(
   // Set up the last socket data used by the alternate network, which will
   // finish migration successfully. The request is rewritten to this new socket,
   // and the response to the request is read on this socket.
-  MockQuicData socket_data2;
+  MockQuicData socket_data2(version_);
   socket_data2.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data2.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -6389,8 +6299,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnMultipleWriteErrors(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -6475,7 +6385,7 @@ TEST_P(QuicStreamFactoryTest, NoMigrationBeforeHandshakeOnNetworkDisconnected) {
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(ASYNC, client_maker_.MakeDummyCHLOPacket(1));
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -6484,8 +6394,8 @@ TEST_P(QuicStreamFactoryTest, NoMigrationBeforeHandshakeOnNetworkDisconnected) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   // Deliver the network notification, which should cause the connection to be
@@ -6511,11 +6421,9 @@ void QuicStreamFactoryTestBase::
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -6523,8 +6431,8 @@ void QuicStreamFactoryTestBase::
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -6548,11 +6456,11 @@ void QuicStreamFactoryTestBase::
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -6645,11 +6553,9 @@ void QuicStreamFactoryTestBase::
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -6657,8 +6563,8 @@ void QuicStreamFactoryTestBase::
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -6682,11 +6588,11 @@ void QuicStreamFactoryTestBase::
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -6785,11 +6691,9 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorPauseBeforeConnected(
   // Use the test task runner.
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), runner_.get());
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(write_error_mode, ERR_FAILED);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -6797,8 +6701,8 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorPauseBeforeConnected(
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -6833,11 +6737,11 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorPauseBeforeConnected(
 
   // Set up second socket data provider that is used after migration.
   // The response to the earlier request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -6915,12 +6819,13 @@ TEST_P(QuicStreamFactoryTest, IgnoreWriteErrorFromOldWriterAfterMigration) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data(version_);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
-  socket_data.AddWrite(ASYNC, ERR_ADDRESS_UNREACHABLE);
+  socket_data.AddWrite(
+      ASYNC, ERR_ADDRESS_UNREACHABLE,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -6928,8 +6833,8 @@ TEST_P(QuicStreamFactoryTest, IgnoreWriteErrorFromOldWriterAfterMigration) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -6952,7 +6857,7 @@ TEST_P(QuicStreamFactoryTest, IgnoreWriteErrorFromOldWriterAfterMigration) {
 
   // Set up second socket data provider that is used after
   // migration. The response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakePingPacket(3, /*include_version=*/true));
   socket_data1.AddRead(
@@ -7020,10 +6925,8 @@ TEST_P(QuicStreamFactoryTest, IgnoreReadErrorFromOldReaderAfterMigration) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data(version_);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   socket_data.AddRead(ASYNC, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -7032,8 +6935,8 @@ TEST_P(QuicStreamFactoryTest, IgnoreReadErrorFromOldReaderAfterMigration) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -7057,13 +6960,13 @@ TEST_P(QuicStreamFactoryTest, IgnoreReadErrorFromOldReaderAfterMigration) {
   // Set up second socket data provider that is used after
   // migration. The request is written to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakePingPacket(2, /*include_version=*/true));
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       3, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          3, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -7134,10 +7037,8 @@ TEST_P(QuicStreamFactoryTest, IgnoreReadErrorOnOldReaderDuringMigration) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data(version_);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   socket_data.AddRead(ASYNC, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -7146,8 +7047,8 @@ TEST_P(QuicStreamFactoryTest, IgnoreReadErrorOnOldReaderDuringMigration) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -7171,13 +7072,13 @@ TEST_P(QuicStreamFactoryTest, IgnoreReadErrorOnOldReaderDuringMigration) {
   // Set up second socket data provider that is used after
   // migration. The request is written to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakePingPacket(2, /*include_version=*/true));
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       3, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          3, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -7250,10 +7151,8 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
       factory_.get(),
       std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data(version_);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   socket_data.AddRead(ASYNC, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -7261,36 +7160,24 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
   // Set up second socket data provider that is used after
   // migration. The request is written to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   // The PING packet sent post migration.
   socket_data1.AddWrite(SYNCHRONOUS, client_maker_.MakePingPacket(2, true));
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       3, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          3, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(ASYNC, ERR_IO_PENDING);  // Pause.
   // Read two packets so that client will send ACK immedaitely.
-  spdy::SpdyHeaderBlock response_headers =
-      server_maker_.GetResponseHeaders("200 OK");
-  response_headers["key1"] = std::string(2000, 'A');
-  spdy::SpdyHeadersIR headers_frame(
-      GetNthClientInitiatedBidirectionalStreamId(0),
-      std::move(response_headers));
-  spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
-  spdy::SpdySerializedFrame spdy_frame =
-      response_framer.SerializeFrame(headers_frame);
-  size_t chunk_size = 1200;
-  unsigned int packet_number = 1;
-  for (size_t offset = 0; offset < spdy_frame.size(); offset += chunk_size) {
-    size_t len = std::min(chunk_size, spdy_frame.size() - offset);
-    socket_data1.AddRead(
-        ASYNC,
-        server_maker_.MakeDataPacket(
-            packet_number++,
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            false, false, offset,
-            base::StringPiece(spdy_frame.data() + offset, len)));
-  }
+  socket_data1.AddRead(
+      ASYNC,
+      ConstructOkResponsePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false));
+  socket_data1.AddRead(
+      ASYNC, server_maker_.MakeDataPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 base::StringPiece("Hello World")));
+
   // Read an ACK from server which acks all client data.
   socket_data1.AddRead(SYNCHRONOUS,
                        server_maker_.MakeAckPacket(3, 3, 1, 1, false));
@@ -7302,7 +7189,7 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
   socket_data1.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read.
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
@@ -7314,8 +7201,8 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -7356,17 +7243,18 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
   base::RunLoop().RunUntilIdle();
 
   // Ack delay time.
-  int delay = task_runner->NextPendingTaskDelay().InMilliseconds();
-  EXPECT_GT(kDefaultRetransmittableOnWireTimeoutMillisecs, delay);
+  base::TimeDelta delay = task_runner->NextPendingTaskDelay();
+  EXPECT_GT(kDefaultRetransmittableOnWireTimeout, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Fire the ping alarm with retransmittable-on-wire timeout, send PING.
-  delay = kDefaultRetransmittableOnWireTimeoutMillisecs - delay;
-  EXPECT_EQ(base::TimeDelta::FromMilliseconds(delay),
-            task_runner->NextPendingTaskDelay());
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  delay = kDefaultRetransmittableOnWireTimeout - delay;
+  EXPECT_EQ(delay, task_runner->NextPendingTaskDelay());
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   socket_data1.Resume();
@@ -7394,8 +7282,9 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
 // enabled, and a custom retransmittable on wire timeout is specified, the
 // custom value is used.
 TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
-  int custom_timeout_value = 200;
-  test_params_.quic_retransmittable_on_wire_timeout_milliseconds =
+  constexpr base::TimeDelta custom_timeout_value =
+      base::TimeDelta::FromMilliseconds(200);
+  test_params_.quic_params.retransmittable_on_wire_timeout =
       custom_timeout_value;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
@@ -7410,10 +7299,8 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
       factory_.get(),
       std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data(version_);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   socket_data.AddRead(ASYNC, ERR_ADDRESS_UNREACHABLE);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -7421,36 +7308,23 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
   // Set up second socket data provider that is used after
   // migration. The request is written to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   // The PING packet sent post migration.
   socket_data1.AddWrite(SYNCHRONOUS, client_maker_.MakePingPacket(2, true));
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       3, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          3, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(ASYNC, ERR_IO_PENDING);  // Pause.
   // Read two packets so that client will send ACK immedaitely.
-  spdy::SpdyHeaderBlock response_headers =
-      server_maker_.GetResponseHeaders("200 OK");
-  response_headers["key1"] = std::string(2000, 'A');
-  spdy::SpdyHeadersIR headers_frame(
-      GetNthClientInitiatedBidirectionalStreamId(0),
-      std::move(response_headers));
-  spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
-  spdy::SpdySerializedFrame spdy_frame =
-      response_framer.SerializeFrame(headers_frame);
-  size_t chunk_size = 1200;
-  unsigned int packet_number = 1;
-  for (size_t offset = 0; offset < spdy_frame.size(); offset += chunk_size) {
-    size_t len = std::min(chunk_size, spdy_frame.size() - offset);
-    socket_data1.AddRead(
-        ASYNC,
-        server_maker_.MakeDataPacket(
-            packet_number++,
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            false, false, offset,
-            base::StringPiece(spdy_frame.data() + offset, len)));
-  }
+  socket_data1.AddRead(
+      ASYNC,
+      ConstructOkResponsePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false));
+  socket_data1.AddRead(
+      ASYNC, server_maker_.MakeDataPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 base::StringPiece("Hello World")));
   // Read an ACK from server which acks all client data.
   socket_data1.AddRead(SYNCHRONOUS,
                        server_maker_.MakeAckPacket(3, 3, 1, 1, false));
@@ -7462,7 +7336,7 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
   socket_data1.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read.
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
@@ -7474,8 +7348,8 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -7516,17 +7390,18 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
   base::RunLoop().RunUntilIdle();
 
   // Ack delay time.
-  int delay = task_runner->NextPendingTaskDelay().InMilliseconds();
+  base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(custom_timeout_value, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Fire the ping alarm with retransmittable-on-wire timeout, send PING.
   delay = custom_timeout_value - delay;
-  EXPECT_EQ(base::TimeDelta::FromMilliseconds(delay),
-            task_runner->NextPendingTaskDelay());
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  EXPECT_EQ(delay, task_runner->NextPendingTaskDelay());
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   socket_data1.Resume();
@@ -7554,8 +7429,9 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
 // retransmittable-on-wire timeout is specified, the ping alarm is set up to
 // send retransmittable pings with the custom value.
 TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
-  int custom_timeout_value = 200;
-  test_params_.quic_retransmittable_on_wire_timeout_milliseconds =
+  constexpr base::TimeDelta custom_timeout_value =
+      base::TimeDelta::FromMilliseconds(200);
+  test_params_.quic_params.retransmittable_on_wire_timeout =
       custom_timeout_value;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -7569,37 +7445,22 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
       factory_.get(),
       std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
 
-  MockQuicData socket_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data1(version_);
+  socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(ASYNC, ERR_IO_PENDING);  // Pause.
   // Read two packets so that client will send ACK immedaitely.
-  spdy::SpdyHeaderBlock response_headers =
-      server_maker_.GetResponseHeaders("200 OK");
-  response_headers["key1"] = std::string(2000, 'A');
-  spdy::SpdyHeadersIR headers_frame(
-      GetNthClientInitiatedBidirectionalStreamId(0),
-      std::move(response_headers));
-  spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
-  spdy::SpdySerializedFrame spdy_frame =
-      response_framer.SerializeFrame(headers_frame);
-  size_t chunk_size = 1200;
-  unsigned int packet_number = 1;
-  for (size_t offset = 0; offset < spdy_frame.size(); offset += chunk_size) {
-    size_t len = std::min(chunk_size, spdy_frame.size() - offset);
-    socket_data1.AddRead(
-        ASYNC,
-        server_maker_.MakeDataPacket(
-            packet_number++,
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            false, false, offset,
-            base::StringPiece(spdy_frame.data() + offset, len)));
-  }
+  socket_data1.AddRead(
+      ASYNC,
+      ConstructOkResponsePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false));
+  socket_data1.AddRead(
+      ASYNC, server_maker_.MakeDataPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 base::StringPiece("Hello World")));
   // Read an ACK from server which acks all client data.
   socket_data1.AddRead(SYNCHRONOUS,
                        server_maker_.MakeAckPacket(3, 2, 1, 1, false));
@@ -7611,7 +7472,7 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
   socket_data1.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read.
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
@@ -7623,8 +7484,8 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -7660,17 +7521,18 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
   base::RunLoop().RunUntilIdle();
 
   // Ack delay time.
-  int delay = task_runner->NextPendingTaskDelay().InMilliseconds();
+  base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(custom_timeout_value, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Fire the ping alarm with retransmittable-on-wire timeout, send PING.
   delay = custom_timeout_value - delay;
-  EXPECT_EQ(base::TimeDelta::FromMilliseconds(delay),
-            task_runner->NextPendingTaskDelay());
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  EXPECT_EQ(delay, task_runner->NextPendingTaskDelay());
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   socket_data1.Resume();
@@ -7707,37 +7569,22 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
       factory_.get(),
       std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
 
-  MockQuicData socket_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data1(version_);
+  socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(ASYNC, ERR_IO_PENDING);  // Pause.
   // Read two packets so that client will send ACK immedaitely.
-  spdy::SpdyHeaderBlock response_headers =
-      server_maker_.GetResponseHeaders("200 OK");
-  response_headers["key1"] = std::string(2000, 'A');
-  spdy::SpdyHeadersIR headers_frame(
-      GetNthClientInitiatedBidirectionalStreamId(0),
-      std::move(response_headers));
-  spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
-  spdy::SpdySerializedFrame spdy_frame =
-      response_framer.SerializeFrame(headers_frame);
-  size_t chunk_size = 1200;
-  unsigned int packet_number = 1;
-  for (size_t offset = 0; offset < spdy_frame.size(); offset += chunk_size) {
-    size_t len = std::min(chunk_size, spdy_frame.size() - offset);
-    socket_data1.AddRead(
-        ASYNC,
-        server_maker_.MakeDataPacket(
-            packet_number++,
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            false, false, offset,
-            base::StringPiece(spdy_frame.data() + offset, len)));
-  }
+  socket_data1.AddRead(
+      ASYNC,
+      ConstructOkResponsePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false));
+  socket_data1.AddRead(
+      ASYNC, server_maker_.MakeDataPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 base::StringPiece("Hello World")));
   // Read an ACK from server which acks all client data.
   socket_data1.AddRead(SYNCHRONOUS,
                        server_maker_.MakeAckPacket(3, 2, 1, 1, false));
@@ -7746,7 +7593,7 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   socket_data1.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read.
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
@@ -7758,8 +7605,8 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -7795,17 +7642,19 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   base::RunLoop().RunUntilIdle();
 
   // Ack delay time.
-  int delay = task_runner->NextPendingTaskDelay().InMilliseconds();
-  EXPECT_GT(kDefaultRetransmittableOnWireTimeoutMillisecs, delay);
+  base::TimeDelta delay = task_runner->NextPendingTaskDelay();
+  EXPECT_GT(kDefaultRetransmittableOnWireTimeout, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Verify that the ping alarm is not set with any default value.
-  int wrong_delay = kDefaultRetransmittableOnWireTimeoutMillisecs - delay;
-  delay = task_runner->NextPendingTaskDelay().InMilliseconds();
+  base::TimeDelta wrong_delay = kDefaultRetransmittableOnWireTimeout - delay;
+  delay = task_runner->NextPendingTaskDelay();
   EXPECT_NE(wrong_delay, delay);
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Verify that response headers on the migrated socket were delivered to the
@@ -7829,10 +7678,11 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
 // send retransmittable pings to the peer with custom value.
 TEST_P(QuicStreamFactoryTest,
        CustomeRetransmittableOnWireTimeoutWithMigrationOnNetworkChangeOnly) {
-  int custom_timeout_value = 200;
-  test_params_.quic_retransmittable_on_wire_timeout_milliseconds =
+  constexpr base::TimeDelta custom_timeout_value =
+      base::TimeDelta::FromMilliseconds(200);
+  test_params_.quic_params.retransmittable_on_wire_timeout =
       custom_timeout_value;
-  test_params_.quic_migrate_sessions_on_network_change_v2 = true;
+  test_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -7845,37 +7695,22 @@ TEST_P(QuicStreamFactoryTest,
       factory_.get(),
       std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
 
-  MockQuicData socket_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data1(version_);
+  socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(ASYNC, ERR_IO_PENDING);  // Pause.
   // Read two packets so that client will send ACK immedaitely.
-  spdy::SpdyHeaderBlock response_headers =
-      server_maker_.GetResponseHeaders("200 OK");
-  response_headers["key1"] = std::string(2000, 'A');
-  spdy::SpdyHeadersIR headers_frame(
-      GetNthClientInitiatedBidirectionalStreamId(0),
-      std::move(response_headers));
-  spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
-  spdy::SpdySerializedFrame spdy_frame =
-      response_framer.SerializeFrame(headers_frame);
-  size_t chunk_size = 1200;
-  unsigned int packet_number = 1;
-  for (size_t offset = 0; offset < spdy_frame.size(); offset += chunk_size) {
-    size_t len = std::min(chunk_size, spdy_frame.size() - offset);
-    socket_data1.AddRead(
-        ASYNC,
-        server_maker_.MakeDataPacket(
-            packet_number++,
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            false, false, offset,
-            base::StringPiece(spdy_frame.data() + offset, len)));
-  }
+  socket_data1.AddRead(
+      ASYNC,
+      ConstructOkResponsePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false));
+  socket_data1.AddRead(
+      ASYNC, server_maker_.MakeDataPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 base::StringPiece("Hello World")));
   // Read an ACK from server which acks all client data.
   socket_data1.AddRead(SYNCHRONOUS,
                        server_maker_.MakeAckPacket(3, 2, 1, 1, false));
@@ -7887,7 +7722,7 @@ TEST_P(QuicStreamFactoryTest,
   socket_data1.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read.
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
@@ -7899,8 +7734,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -7936,17 +7771,18 @@ TEST_P(QuicStreamFactoryTest,
   base::RunLoop().RunUntilIdle();
 
   // Ack delay time.
-  int delay = task_runner->NextPendingTaskDelay().InMilliseconds();
+  base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(custom_timeout_value, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Fire the ping alarm with retransmittable-on-wire timeout, send PING.
   delay = custom_timeout_value - delay;
-  EXPECT_EQ(base::TimeDelta::FromMilliseconds(delay),
-            task_runner->NextPendingTaskDelay());
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  EXPECT_EQ(delay, task_runner->NextPendingTaskDelay());
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   socket_data1.Resume();
@@ -7972,7 +7808,7 @@ TEST_P(QuicStreamFactoryTest,
 // NOT send retransmittable pings to the peer with custom value.
 TEST_P(QuicStreamFactoryTest,
        NoRetransmittableOnWireTimeoutWithMigrationOnNetworkChangeOnly) {
-  test_params_.quic_migrate_sessions_on_network_change_v2 = true;
+  test_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -7985,37 +7821,22 @@ TEST_P(QuicStreamFactoryTest,
       factory_.get(),
       std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
 
-  MockQuicData socket_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data1(version_);
+  socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddRead(ASYNC, ERR_IO_PENDING);  // Pause.
   // Read two packets so that client will send ACK immedaitely.
-  spdy::SpdyHeaderBlock response_headers =
-      server_maker_.GetResponseHeaders("200 OK");
-  response_headers["key1"] = std::string(2000, 'A');
-  spdy::SpdyHeadersIR headers_frame(
-      GetNthClientInitiatedBidirectionalStreamId(0),
-      std::move(response_headers));
-  spdy::SpdyFramer response_framer(spdy::SpdyFramer::ENABLE_COMPRESSION);
-  spdy::SpdySerializedFrame spdy_frame =
-      response_framer.SerializeFrame(headers_frame);
-  size_t chunk_size = 1200;
-  unsigned int packet_number = 1;
-  for (size_t offset = 0; offset < spdy_frame.size(); offset += chunk_size) {
-    size_t len = std::min(chunk_size, spdy_frame.size() - offset);
-    socket_data1.AddRead(
-        ASYNC,
-        server_maker_.MakeDataPacket(
-            packet_number++,
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
-            false, false, offset,
-            base::StringPiece(spdy_frame.data() + offset, len)));
-  }
+  socket_data1.AddRead(
+      ASYNC,
+      ConstructOkResponsePacket(
+          1, GetNthClientInitiatedBidirectionalStreamId(0), false, false));
+  socket_data1.AddRead(
+      ASYNC, server_maker_.MakeDataPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 base::StringPiece("Hello World")));
   // Read an ACK from server which acks all client data.
   socket_data1.AddRead(SYNCHRONOUS,
                        server_maker_.MakeAckPacket(3, 2, 1, 1, false));
@@ -8024,7 +7845,7 @@ TEST_P(QuicStreamFactoryTest,
   socket_data1.AddRead(
       ASYNC, ConstructServerDataPacket(
                  3, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
-                 0, header + "hello!"));
+                 header + "hello!"));
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read.
   socket_data1.AddWrite(
       SYNCHRONOUS, client_maker_.MakeRstPacket(
@@ -8036,8 +7857,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -8073,17 +7894,19 @@ TEST_P(QuicStreamFactoryTest,
   base::RunLoop().RunUntilIdle();
 
   // Ack delay time.
-  int delay = task_runner->NextPendingTaskDelay().InMilliseconds();
-  EXPECT_GT(kDefaultRetransmittableOnWireTimeoutMillisecs, delay);
+  base::TimeDelta delay = task_runner->NextPendingTaskDelay();
+  EXPECT_GT(kDefaultRetransmittableOnWireTimeout, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Verify ping alarm is not set with default value.
-  int wrong_delay = kDefaultRetransmittableOnWireTimeoutMillisecs - delay;
-  delay = task_runner->NextPendingTaskDelay().InMilliseconds();
+  base::TimeDelta wrong_delay = kDefaultRetransmittableOnWireTimeout - delay;
+  delay = task_runner->NextPendingTaskDelay();
   EXPECT_NE(wrong_delay, delay);
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(delay));
+  clock_.AdvanceTime(
+      quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Verify that response headers on the migrated socket were delivered to the
@@ -8117,10 +7940,8 @@ TEST_P(QuicStreamFactoryTest,
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  MockQuicData socket_data(version_);
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(ASYNC, ERR_FAILED);              // Write error.
   socket_data.AddRead(ASYNC, ERR_ADDRESS_UNREACHABLE);  // Read error.
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -8129,8 +7950,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -8154,11 +7975,12 @@ TEST_P(QuicStreamFactoryTest,
   // Set up second socket data provider that is used after
   // migration. The request is written to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
+  client_maker_.set_coalesce_http_frames(true);
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -8262,11 +8084,9 @@ void QuicStreamFactoryTestBase::
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddWrite(write_error_mode, ERR_FAILED);  // Write error.
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -8274,8 +8094,8 @@ void QuicStreamFactoryTestBase::
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -8316,11 +8136,12 @@ void QuicStreamFactoryTestBase::
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
+  client_maker_.set_coalesce_http_frames(true);
   socket_data1.AddRead(
       ASYNC,
       ConstructOkResponsePacket(
@@ -8367,12 +8188,12 @@ void QuicStreamFactoryTestBase::
       ->NotifyNetworkMadeDefault(kNewNetworkForTests);
 
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -8393,7 +8214,7 @@ void QuicStreamFactoryTestBase::
 // default network or the idle migration period threshold is exceeded.
 // The default threshold is 30s.
 TEST_P(QuicStreamFactoryTest, DefaultIdleMigrationPeriod) {
-  test_params_.quic_migrate_idle_sessions = true;
+  test_params_.quic_params.migrate_idle_sessions = true;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -8405,13 +8226,13 @@ TEST_P(QuicStreamFactoryTest, DefaultIdleMigrationPeriod) {
   QuicStreamFactoryPeer::SetTickClock(factory_.get(),
                                       task_runner->GetMockTickClock());
 
-  MockQuicData default_socket_data;
+  MockQuicData default_socket_data(version_);
   default_socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   default_socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   default_socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up second socket data provider that is used after migration.
-  MockQuicData alternate_socket_data;
+  MockQuicData alternate_socket_data(version_);
   alternate_socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   // Ping packet to send after migration.
   alternate_socket_data.AddWrite(
@@ -8419,32 +8240,36 @@ TEST_P(QuicStreamFactoryTest, DefaultIdleMigrationPeriod) {
   alternate_socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up probing socket for migrating back to the default network.
-  MockQuicData quic_data;                          // retry count: 0.
+  MockQuicData quic_data(version_);                // retry count: 0.
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data1;                          // retry count: 1
+  MockQuicData quic_data1(version_);                // retry count: 1
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data1.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data2;                          // retry count: 2
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);                // retry count: 2
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data2.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data3;                          // retry count: 3
+  client_maker_.Reset();
+  MockQuicData quic_data3(version_);                // retry count: 3
   quic_data3.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data3.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data3.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data4;                          // retry count: 4
+  client_maker_.Reset();
+  MockQuicData quic_data4(version_);                // retry count: 4
   quic_data4.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data4.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data4.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data5;                          // retry count: 5
+  client_maker_.Reset();
+  MockQuicData quic_data5(version_);                // retry count: 5
   quic_data5.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data5.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data5.AddSocketDataToFactory(socket_factory_.get());
@@ -8453,8 +8278,8 @@ TEST_P(QuicStreamFactoryTest, DefaultIdleMigrationPeriod) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -8510,8 +8335,8 @@ TEST_P(QuicStreamFactoryTest, DefaultIdleMigrationPeriod) {
 
 TEST_P(QuicStreamFactoryTest, CustomIdleMigrationPeriod) {
   // The customized threshold is 15s.
-  test_params_.quic_migrate_idle_sessions = true;
-  test_params_.quic_idle_session_migration_period =
+  test_params_.quic_params.migrate_idle_sessions = true;
+  test_params_.quic_params.idle_session_migration_period =
       base::TimeDelta::FromSeconds(15);
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
@@ -8524,13 +8349,13 @@ TEST_P(QuicStreamFactoryTest, CustomIdleMigrationPeriod) {
   QuicStreamFactoryPeer::SetTickClock(factory_.get(),
                                       task_runner->GetMockTickClock());
 
-  MockQuicData default_socket_data;
+  MockQuicData default_socket_data(version_);
   default_socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   default_socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   default_socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up second socket data provider that is used after migration.
-  MockQuicData alternate_socket_data;
+  MockQuicData alternate_socket_data(version_);
   alternate_socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   // Ping packet to send after migration.
   alternate_socket_data.AddWrite(
@@ -8538,27 +8363,31 @@ TEST_P(QuicStreamFactoryTest, CustomIdleMigrationPeriod) {
   alternate_socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Set up probing socket for migrating back to the default network.
-  MockQuicData quic_data;                          // retry count: 0.
+  MockQuicData quic_data(version_);                // retry count: 0.
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data1;                          // retry count: 1
+  client_maker_.Reset();
+  MockQuicData quic_data1(version_);                // retry count: 1
   quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data1.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data1.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data2;                          // retry count: 2
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);                // retry count: 2
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data2.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data3;                          // retry count: 3
+  client_maker_.Reset();
+  MockQuicData quic_data3(version_);                // retry count: 3
   quic_data3.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data3.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data3.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data4;                          // retry count: 4
+  client_maker_.Reset();
+  MockQuicData quic_data4(version_);                // retry count: 4
   quic_data4.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging read.
   quic_data4.AddWrite(SYNCHRONOUS, ERR_ADDRESS_UNREACHABLE);
   quic_data4.AddSocketDataToFactory(socket_factory_.get());
@@ -8567,8 +8396,8 @@ TEST_P(QuicStreamFactoryTest, CustomIdleMigrationPeriod) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -8623,30 +8452,28 @@ TEST_P(QuicStreamFactoryTest, CustomIdleMigrationPeriod) {
 }
 
 TEST_P(QuicStreamFactoryTest, ServerMigration) {
-  test_params_.quic_allow_server_migration = true;
+  test_params_.quic_params.allow_server_migration = true;
   Initialize();
 
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data1;
-  quic::QuicStreamOffset header_stream_offset = 0;
+  MockQuicData socket_data1(version_);
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+  socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructInitialSettingsPacket(1, &header_stream_offset));
-  socket_data1.AddWrite(
-      SYNCHRONOUS, ConstructGetRequestPacket(
-                       2, GetNthClientInitiatedBidirectionalStreamId(0), true,
-                       true, &header_stream_offset));
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(
+          2, GetNthClientInitiatedBidirectionalStreamId(0), true, true));
   socket_data1.AddSocketDataToFactory(socket_factory_.get());
 
   // Create request and QuicHttpStream.
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -8681,7 +8508,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigration) {
   // Set up second socket data provider that is used after
   // migration. The request is rewritten to this new socket, and the
   // response to the request is read on this new socket.
-  MockQuicData socket_data2;
+  MockQuicData socket_data2(version_);
   socket_data2.AddWrite(
       SYNCHRONOUS, client_maker_.MakePingPacket(3, /*include_version=*/true));
   socket_data2.AddRead(
@@ -8731,8 +8558,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv4ToIPv4) {
   // Add alternate IPv4 server address to config.
   IPEndPoint alt_address = IPEndPoint(IPAddress(1, 2, 3, 4), 123);
   quic::QuicConfig config;
-  config.SetAlternateServerAddressToSend(
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(alt_address)));
+  config.SetAlternateServerAddressToSend(ToQuicSocketAddress(alt_address));
   VerifyServerMigration(config, alt_address);
 }
 
@@ -8744,8 +8570,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv6ToIPv6) {
   IPEndPoint alt_address = IPEndPoint(
       IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16), 123);
   quic::QuicConfig config;
-  config.SetAlternateServerAddressToSend(
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(alt_address)));
+  config.SetAlternateServerAddressToSend(ToQuicSocketAddress(alt_address));
   VerifyServerMigration(config, alt_address);
 }
 
@@ -8756,15 +8581,14 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv6ToIPv4) {
   // Add alternate IPv4 server address to config.
   IPEndPoint alt_address = IPEndPoint(IPAddress(1, 2, 3, 4), 123);
   quic::QuicConfig config;
-  config.SetAlternateServerAddressToSend(
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(alt_address)));
+  config.SetAlternateServerAddressToSend(ToQuicSocketAddress(alt_address));
   IPEndPoint expected_address(
       ConvertIPv4ToIPv4MappedIPv6(alt_address.address()), alt_address.port());
   VerifyServerMigration(config, expected_address);
 }
 
 TEST_P(QuicStreamFactoryTest, ServerMigrationIPv4ToIPv6Fails) {
-  test_params_.quic_allow_server_migration = true;
+  test_params_.quic_params.allow_server_migration = true;
   Initialize();
 
   // Add a resolver rule to make initial connection to an IPv4 address.
@@ -8774,8 +8598,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv4ToIPv6Fails) {
   IPEndPoint alt_address = IPEndPoint(
       IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16), 123);
   quic::QuicConfig config;
-  config.SetAlternateServerAddressToSend(
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(alt_address)));
+  config.SetAlternateServerAddressToSend(ToQuicSocketAddress(alt_address));
 
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -8784,7 +8607,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv4ToIPv6Fails) {
   crypto_client_stream_factory_.SetConfig(config);
 
   // Set up only socket data provider.
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(
@@ -8797,8 +8620,8 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv4ToIPv6Fails) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -8841,22 +8664,22 @@ TEST_P(QuicStreamFactoryTest, OnCertDBChanged) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data2.AddWrite(SYNCHRONOUS,
-                        ConstructInitialSettingsPacket(1, nullptr));
+  socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -8878,8 +8701,8 @@ TEST_P(QuicStreamFactoryTest, OnCertDBChanged) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -8985,7 +8808,7 @@ TEST_P(QuicStreamFactoryTest, EnableNotLoadFromDiskCache) {
 
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), runner_.get());
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -8996,12 +8819,12 @@ TEST_P(QuicStreamFactoryTest, EnableNotLoadFromDiskCache) {
                                             "192.168.0.1", "");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(host_port_pair_, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
 
   // If we are waiting for disk cache, we would have posted a task. Verify that
   // the CancelWaitForDataReady task hasn't been posted.
@@ -9014,7 +8837,8 @@ TEST_P(QuicStreamFactoryTest, EnableNotLoadFromDiskCache) {
 }
 
 TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
-  test_params_.quic_reduced_ping_timeout_seconds = 10;
+  test_params_.quic_params.reduced_ping_timeout =
+      base::TimeDelta::FromSeconds(10);
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -9022,15 +8846,15 @@ TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
 
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), runner_.get());
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
-  socket_data2.AddWrite(SYNCHRONOUS,
-                        ConstructInitialSettingsPacket(1, nullptr));
+  socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
 
   HostPortPair server2(kServer2HostName, kDefaultServerPort);
@@ -9047,12 +8871,12 @@ TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
   EXPECT_EQ(quic::QuicTime::Delta::FromSeconds(quic::kPingTimeoutSecs),
             QuicStreamFactoryPeer::GetPingTimeout(factory_.get()));
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(host_port_pair_, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
 
   QuicChromiumClientSession* session = GetActiveSession(host_port_pair_);
   EXPECT_EQ(quic::QuicTime::Delta::FromSeconds(quic::kPingTimeoutSecs),
@@ -9085,12 +8909,12 @@ TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
   DVLOG(1) << "Create 2nd session and timeout with open stream";
   TestCompletionCallback callback2;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(server2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback2.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+                NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback2.callback()));
   QuicChromiumClientSession* session2 = GetActiveSession(server2);
   EXPECT_EQ(quic::QuicTime::Delta::FromSeconds(10),
             session2->connection()->ping_timeout());
@@ -9122,7 +8946,7 @@ TEST_P(QuicStreamFactoryTest, MaybeInitialize) {
 TEST_P(QuicStreamFactoryTest, StartCertVerifyJob) {
   Initialize();
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -9159,8 +8983,8 @@ TEST_P(QuicStreamFactoryTest, StartCertVerifyJob) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -9188,7 +9012,7 @@ TEST_P(QuicStreamFactoryTest, YieldAfterPackets) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   QuicStreamFactoryPeer::SetYieldAfterPackets(factory_.get(), 0);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ConstructClientConnectionClosePacket(1));
   socket_data.AddRead(ASYNC, OK);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -9206,12 +9030,12 @@ TEST_P(QuicStreamFactoryTest, YieldAfterPackets) {
                                        "StartReading");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(host_port_pair_, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
 
   // Call run_loop so that QuicChromiumPacketReader::OnReadComplete() gets
   // called.
@@ -9237,7 +9061,7 @@ TEST_P(QuicStreamFactoryTest, YieldAfterDuration) {
   QuicStreamFactoryPeer::SetYieldAfterDuration(
       factory_.get(), quic::QuicTime::Delta::FromMilliseconds(-1));
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ConstructClientConnectionClosePacket(1));
   socket_data.AddRead(ASYNC, OK);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -9255,12 +9079,12 @@ TEST_P(QuicStreamFactoryTest, YieldAfterDuration) {
                                        "StartReading");
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(OK, request.Request(host_port_pair_, version_.transport_version,
-                                privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                /*cert_verify_flags=*/0, url_, net_log_,
-                                &net_error_details_,
-                                failed_on_default_network_callback_,
-                                callback_.callback()));
+  EXPECT_EQ(OK,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
 
   // Call run_loop so that QuicChromiumPacketReader::OnReadComplete() gets
   // called.
@@ -9283,7 +9107,7 @@ TEST_P(QuicStreamFactoryTest, ServerPushSessionAffinity) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -9291,8 +9115,8 @@ TEST_P(QuicStreamFactoryTest, ServerPushSessionAffinity) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -9312,12 +9136,12 @@ TEST_P(QuicStreamFactoryTest, ServerPushSessionAffinity) {
         ->promised_by_url())[kDefaultUrl] = &promised;
 
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(host_port_pair_, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback_.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
 
   EXPECT_EQ(1, QuicStreamFactoryPeer::GetNumPushStreamsCreated(factory_.get()));
 }
@@ -9328,7 +9152,7 @@ TEST_P(QuicStreamFactoryTest, ServerPushPrivacyModeMismatch) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data1;
+  MockQuicData socket_data1(version_);
   socket_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data1.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data1.AddWrite(
@@ -9337,7 +9161,8 @@ TEST_P(QuicStreamFactoryTest, ServerPushPrivacyModeMismatch) {
                        quic::QUIC_STREAM_CANCELLED));
   socket_data1.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -9345,8 +9170,8 @@ TEST_P(QuicStreamFactoryTest, ServerPushPrivacyModeMismatch) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -9373,8 +9198,8 @@ TEST_P(QuicStreamFactoryTest, ServerPushPrivacyModeMismatch) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version,
-                PRIVACY_MODE_ENABLED, DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, PRIVACY_MODE_ENABLED,
+                DEFAULT_PRIORITY, SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -9402,7 +9227,7 @@ TEST_P(QuicStreamFactoryTest, PoolByOrigin) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -9410,8 +9235,8 @@ TEST_P(QuicStreamFactoryTest, PoolByOrigin) {
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                destination1, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                destination1, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -9422,12 +9247,12 @@ TEST_P(QuicStreamFactoryTest, PoolByOrigin) {
   // Second request returns synchronously because it pools to existing session.
   TestCompletionCallback callback2;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(destination2, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url_, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback2.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                destination2, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback2.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -9531,8 +9356,8 @@ TEST_P(QuicStreamFactoryWithDestinationTest, InvalidCertificate) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                destination, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                destination, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -9565,7 +9390,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, SharedCertificate) {
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {MockWrite(SYNCHRONOUS, settings_packet->data(),
                                   settings_packet->length(), 1)};
   std::unique_ptr<SequencedSocketData> sequenced_socket_data(
@@ -9576,8 +9401,8 @@ TEST_P(QuicStreamFactoryWithDestinationTest, SharedCertificate) {
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                destination, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                destination, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url1, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -9589,12 +9414,12 @@ TEST_P(QuicStreamFactoryWithDestinationTest, SharedCertificate) {
   // Second request returns synchronously because it pools to existing session.
   TestCompletionCallback callback2;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(OK, request2.Request(destination, version_.transport_version,
-                                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                                 /*cert_verify_flags=*/0, url2, net_log_,
-                                 &net_error_details_,
-                                 failed_on_default_network_callback_,
-                                 callback2.callback()));
+  EXPECT_EQ(OK,
+            request2.Request(
+                destination, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url2, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback2.callback()));
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
 
@@ -9640,7 +9465,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DifferentPrivacyMode) {
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {MockWrite(SYNCHRONOUS, settings_packet->data(),
                                   settings_packet->length(), 1)};
   std::unique_ptr<SequencedSocketData> sequenced_socket_data(
@@ -9655,8 +9480,8 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DifferentPrivacyMode) {
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                destination, version_.transport_version, PRIVACY_MODE_DISABLED,
-                DEFAULT_PRIORITY, SocketTag(),
+                destination, version_, PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url1, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -9668,8 +9493,8 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DifferentPrivacyMode) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                destination, version_.transport_version, PRIVACY_MODE_ENABLED,
-                DEFAULT_PRIORITY, SocketTag(),
+                destination, version_, PRIVACY_MODE_ENABLED, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url2, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
   EXPECT_EQ(OK, callback2.WaitForResult());
@@ -9727,7 +9552,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DisjointCertificate) {
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING, 0)};
   std::unique_ptr<quic::QuicEncryptedPacket> settings_packet(
-      client_maker_.MakeInitialSettingsPacket(1, nullptr));
+      client_maker_.MakeInitialSettingsPacket(1));
   MockWrite writes[] = {MockWrite(SYNCHRONOUS, settings_packet->data(),
                                   settings_packet->length(), 1)};
   std::unique_ptr<SequencedSocketData> sequenced_socket_data(
@@ -9742,8 +9567,8 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DisjointCertificate) {
   QuicStreamRequest request1(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
-                destination, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                destination, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url1, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
@@ -9755,8 +9580,8 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DisjointCertificate) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                destination, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                destination, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url2, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
   EXPECT_THAT(callback2.WaitForResult(), IsOk());
@@ -9832,18 +9657,18 @@ TEST_P(QuicStreamFactoryTest, ClearCachedStatesInCryptoConfig) {
 // Passes connection options and client connection options to QuicStreamFactory,
 // then checks that its internal quic::QuicConfig is correct.
 TEST_P(QuicStreamFactoryTest, ConfigConnectionOptions) {
-  test_params_.quic_connection_options.push_back(quic::kTIME);
-  test_params_.quic_connection_options.push_back(quic::kTBBR);
-  test_params_.quic_connection_options.push_back(quic::kREJ);
+  test_params_.quic_params.connection_options.push_back(quic::kTIME);
+  test_params_.quic_params.connection_options.push_back(quic::kTBBR);
+  test_params_.quic_params.connection_options.push_back(quic::kREJ);
 
-  test_params_.quic_client_connection_options.push_back(quic::kTBBR);
-  test_params_.quic_client_connection_options.push_back(quic::k1RTT);
+  test_params_.quic_params.client_connection_options.push_back(quic::kTBBR);
+  test_params_.quic_params.client_connection_options.push_back(quic::k1RTT);
 
   Initialize();
 
   const quic::QuicConfig* config =
       QuicStreamFactoryPeer::GetConfig(factory_.get());
-  EXPECT_EQ(test_params_.quic_connection_options,
+  EXPECT_EQ(test_params_.quic_params.connection_options,
             config->SendConnectionOptions());
   EXPECT_TRUE(config->HasClientRequestedIndependentOption(
       quic::kTBBR, quic::Perspective::IS_CLIENT));
@@ -9858,7 +9683,7 @@ TEST_P(QuicStreamFactoryTest, HostResolverUsesRequestPriority) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -9866,8 +9691,8 @@ TEST_P(QuicStreamFactoryTest, HostResolverUsesRequestPriority) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                MAXIMUM_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, MAXIMUM_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -9886,7 +9711,7 @@ TEST_P(QuicStreamFactoryTest, HostResolverRequestReprioritizedOnSetPriority) {
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -9894,8 +9719,8 @@ TEST_P(QuicStreamFactoryTest, HostResolverRequestReprioritizedOnSetPriority) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                MAXIMUM_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, MAXIMUM_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -9905,8 +9730,8 @@ TEST_P(QuicStreamFactoryTest, HostResolverRequestReprioritizedOnSetPriority) {
   QuicStreamRequest request2(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_EQ(DEFAULT_PRIORITY, host_resolver_->last_request_priority());
@@ -9917,12 +9742,14 @@ TEST_P(QuicStreamFactoryTest, HostResolverRequestReprioritizedOnSetPriority) {
   EXPECT_EQ(DEFAULT_PRIORITY, host_resolver_->request_priority(2));
 }
 
-// Passes |quic_max_time_before_crypto_handshake_seconds| and
-// |quic_max_idle_time_before_crypto_handshake_seconds| to QuicStreamFactory,
+// Passes |quic_max_time_before_crypto_handshake| and
+// |quic_max_idle_time_before_crypto_handshake| to QuicStreamFactory,
 // checks that its internal quic::QuicConfig is correct.
 TEST_P(QuicStreamFactoryTest, ConfigMaxTimeBeforeCryptoHandshake) {
-  test_params_.quic_max_time_before_crypto_handshake_seconds = 11;
-  test_params_.quic_max_idle_time_before_crypto_handshake_seconds = 13;
+  test_params_.quic_params.max_time_before_crypto_handshake =
+      base::TimeDelta::FromSeconds(11);
+  test_params_.quic_params.max_idle_time_before_crypto_handshake =
+      base::TimeDelta::FromSeconds(13);
   Initialize();
 
   const quic::QuicConfig* config =
@@ -9942,7 +9769,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackAsyncSync) {
 
   host_resolver_->set_ondemand_mode(true);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_FAILED);
   socket_data.AddWrite(SYNCHRONOUS, ERR_FAILED);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -9950,8 +9777,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackAsyncSync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -9995,7 +9822,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackAsyncAsync) {
       MockCryptoClientStream::ZERO_RTT);
   factory_->set_require_confirmation(true);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   socket_data.AddRead(ASYNC, ERR_FAILED);
   socket_data.AddWrite(ASYNC, ERR_FAILED);
@@ -10004,8 +9831,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackAsyncAsync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10047,7 +9874,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackSyncSync) {
 
   host_resolver_->set_synchronous_mode(true);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_FAILED);
   socket_data.AddWrite(SYNCHRONOUS, ERR_FAILED);
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -10055,8 +9882,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackSyncSync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_QUIC_PROTOCOL_ERROR,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10084,7 +9911,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackSyncAsync) {
       MockCryptoClientStream::ZERO_RTT);
   factory_->set_require_confirmation(true);
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   socket_data.AddRead(ASYNC, ERR_FAILED);
   socket_data.AddWrite(ASYNC, ERR_FAILED);
@@ -10093,8 +9920,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackSyncAsync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10127,8 +9954,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackFailSync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_NAME_NOT_RESOLVED,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10153,8 +9980,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackFailAsync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10177,7 +10004,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackFailAsync) {
 // the final connection is established through the resolved DNS. No racing
 // connection.
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionSync) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10199,15 +10026,15 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionSync) {
   // Expire the cache
   cache->Invalidate();
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
   EXPECT_THAT(request.Request(
-                  host_port_pair_, version_.transport_version, privacy_mode_,
-                  DEFAULT_PRIORITY, SocketTag(),
+                  host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                  SocketTag(), NetworkIsolationKey(),
                   /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                   failed_on_default_network_callback_, callback_.callback()),
               IsOk());
@@ -10234,7 +10061,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionAsync) {
   host_resolver_->rules()->AddIPLiteralRule(host_port_pair_.host(),
                                             kNonCachedIPAddress, "");
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddSocketDataToFactory(socket_factory_.get());
@@ -10242,8 +10069,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionAsync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   TestCompletionCallback host_resolution_callback;
@@ -10270,7 +10097,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionAsync) {
 // With dns race experiment on, DNS resolve returns async, stale dns used,
 // connects synchrounously, and then the resolved DNS matches.
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10292,7 +10119,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
   // Expire the cache
   cache->Invalidate();
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddSocketDataToFactory(socket_factory_.get());
@@ -10300,8 +10127,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10328,7 +10155,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
 // async, and then the result matches.
 TEST_P(QuicStreamFactoryTest,
        ResultAfterDNSRaceHostResolveAsyncConnectAsyncStaleMatch) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10353,7 +10180,7 @@ TEST_P(QuicStreamFactoryTest,
   // Expire the cache
   cache->Invalidate();
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddSocketDataToFactory(socket_factory_.get());
@@ -10361,8 +10188,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10395,7 +10222,7 @@ TEST_P(QuicStreamFactoryTest,
 // return, then connection finishes and matches with the result.
 TEST_P(QuicStreamFactoryTest,
        ResultAfterDNSRaceHostResolveAsyncStaleMatchConnectAsync) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10420,7 +10247,7 @@ TEST_P(QuicStreamFactoryTest,
   // Expire the cache
   cache->Invalidate();
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddSocketDataToFactory(socket_factory_.get());
@@ -10428,8 +10255,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10458,7 +10285,7 @@ TEST_P(QuicStreamFactoryTest,
 // sync, but dns no match
 TEST_P(QuicStreamFactoryTest,
        ResultAfterDNSRaceHostResolveAsyncStaleSyncNoMatch) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10481,7 +10308,7 @@ TEST_P(QuicStreamFactoryTest,
   cache->Invalidate();
 
   // Socket for the stale connection which will invoke connection closure.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddWrite(
@@ -10491,7 +10318,8 @@ TEST_P(QuicStreamFactoryTest,
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Socket for the new connection.
-  MockQuicData quic_data2;
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -10499,8 +10327,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10528,7 +10356,7 @@ TEST_P(QuicStreamFactoryTest,
 // With dns race experiment on, dns resolve async, stale used and connects
 // async, finishes before dns, but no match
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10553,7 +10381,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
   // Expire the cache
   cache->Invalidate();
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddWrite(
@@ -10562,15 +10390,16 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
           2, true, quic::QUIC_STALE_CONNECTION_CANCELLED, "net error"));
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data2;
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10600,7 +10429,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
 // With dns race experiment on, dns resolve async, stale used and connects
 // async, dns finishes first, but no match
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10625,7 +10454,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
   // Expire the cache
   cache->Invalidate();
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   quic_data.AddWrite(
@@ -10634,7 +10463,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
           1, true, quic::QUIC_STALE_CONNECTION_CANCELLED, "net error"));
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data2;
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
   quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
@@ -10643,8 +10473,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   // Finish dns resolution, but need to wait for stale connection.
@@ -10669,7 +10499,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
 // With dns race experiment on, dns resolve returns error sync, same behavior
 // as experiment is not on
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveError) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10679,14 +10509,14 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveError) {
   host_resolver_->set_synchronous_mode(true);
   host_resolver_->rules()->AddSimulatedFailure(host_port_pair_.host());
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddSocketDataToFactory(socket_factory_.get());
   QuicStreamRequest request(factory_.get());
 
   EXPECT_EQ(ERR_NAME_NOT_RESOLVED,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 }
@@ -10694,7 +10524,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveError) {
 // With dns race experiment on, no cache available, dns resolve returns error
 // async
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncError) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10704,14 +10534,14 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncError) {
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddSimulatedFailure(host_port_pair_.host());
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddSocketDataToFactory(socket_factory_.get());
   QuicStreamRequest request(factory_.get());
 
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10723,7 +10553,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncError) {
 // With dns race experiment on, dns resolve async, staled used and connects
 // sync, dns returns error and no connection is established.
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10745,7 +10575,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
   cache->Invalidate();
 
   // Socket for the stale connection which is supposed to disconnect.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddWrite(
@@ -10757,8 +10587,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10778,7 +10608,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
 // return error, then dns matches.
 // This serves as a regression test for crbug.com/956374.
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSMatches) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10801,19 +10631,20 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSMatches) {
   cache->Invalidate();
 
   // Simulate synchronous connect failure.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddConnect(SYNCHRONOUS, ERR_ADDRESS_IN_USE);
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data2;
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
   quic_data2.AddConnect(SYNCHRONOUS, ERR_ADDRESS_IN_USE);
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   EXPECT_FALSE(HasLiveSession(host_port_pair_));
@@ -10826,7 +10657,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSMatches) {
 // With dns race experiment on, dns resolve async, stale used and connection
 // returns error, dns no match, new connection is established
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10849,11 +10680,12 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
   cache->Invalidate();
 
   // Add failure for the stale connection.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddConnect(SYNCHRONOUS, ERR_ADDRESS_IN_USE);
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
-  MockQuicData quic_data2;
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
   quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -10861,8 +10693,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10888,7 +10720,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
 // With dns race experiment on, dns resolve async, stale used and connection
 // returns error, dns no match, new connection error
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatchError) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10911,20 +10743,21 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatchError) {
   cache->Invalidate();
 
   // Add failure for stale connection.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddConnect(SYNCHRONOUS, ERR_ADDRESS_IN_USE);
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
   // Add failure for resolved dns connection.
-  MockQuicData quic_data2;
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
   quic_data2.AddConnect(SYNCHRONOUS, ERR_ADDRESS_IN_USE);
   quic_data2.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10940,7 +10773,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatchError) {
 // With dns race experiment on, dns resolve async and stale connect async, dns
 // resolve returns error and then preconnect finishes
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10965,7 +10798,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
   cache->Invalidate();
 
   // Socket data for stale connection which is supposed to disconnect.
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   quic_data.AddWrite(
@@ -10977,8 +10810,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -10994,7 +10827,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
 // resolve returns error and then preconnect fails.
 TEST_P(QuicStreamFactoryTest,
        ResultAfterDNSRaceResolveAsyncErrorStaleAsyncError) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11018,7 +10851,7 @@ TEST_P(QuicStreamFactoryTest,
   // Expire the cache
   cache->Invalidate();
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   quic_data.AddWrite(
@@ -11030,8 +10863,8 @@ TEST_P(QuicStreamFactoryTest,
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -11047,7 +10880,7 @@ TEST_P(QuicStreamFactoryTest,
 // With dns race experiment on, test that host resolution callback behaves
 // normal as experiment is not on
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsync) {
-  test_params_.quic_race_stale_dns_on_connection = true;
+  test_params_.quic_params.race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11057,7 +10890,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsync) {
   host_resolver_->rules()->AddIPLiteralRule(host_port_pair_.host(),
                                             kNonCachedIPAddress, "");
 
-  MockQuicData quic_data;
+  MockQuicData quic_data(version_);
   quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   quic_data.AddSocketDataToFactory(socket_factory_.get());
@@ -11065,8 +10898,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsync) {
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
 
@@ -11088,9 +10921,155 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsync) {
   EXPECT_TRUE(quic_data.AllWriteDataConsumed());
 }
 
+// With stale dns and migration before handshake experiment on, migration failed
+// after handshake confirmed, and then fresh resolve returns.
+TEST_P(QuicStreamFactoryTest, StaleNetworkFailedAfterHandshake) {
+  test_params_.quic_params.race_stale_dns_on_connection = true;
+  host_resolver_ = std::make_unique<MockCachingHostResolver>();
+
+  InitializeConnectionMigrationV2Test(
+      {kDefaultNetworkForTests, kNewNetworkForTests});
+  ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
+  crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
+
+  // Set an address in resolver for asynchronous return.
+  host_resolver_->set_ondemand_mode(true);
+  host_resolver_->rules()->AddIPLiteralRule(host_port_pair_.host(),
+                                            kNonCachedIPAddress, "");
+
+  // Set up the same address in the stale resolver cache.
+  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Entry entry(OK,
+                         AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
+                         HostCache::Entry::SOURCE_DNS);
+  base::TimeDelta zero;
+  HostCache* cache = host_resolver_->GetHostCache();
+  cache->Set(key, entry, base::TimeTicks::Now(), zero);
+  // Expire the cache
+  cache->Invalidate();
+
+  MockQuicData quic_data(version_);
+  quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+  quic_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
+  quic_data.AddSocketDataToFactory(socket_factory_.get());
+
+  // Socket for the new connection.
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
+  quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+  quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
+  quic_data2.AddSocketDataToFactory(socket_factory_.get());
+
+  QuicStreamRequest request(factory_.get());
+  EXPECT_EQ(ERR_IO_PENDING,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
+
+  // Check that the racing job is running.
+  EXPECT_TRUE(HasLiveSession(host_port_pair_));
+  EXPECT_TRUE(HasActiveJob(host_port_pair_, privacy_mode_));
+
+  // By disconnecting the network, the stale session will be killed.
+  scoped_mock_network_change_notifier_->mock_network_change_notifier()
+      ->NotifyNetworkDisconnected(kDefaultNetworkForTests);
+
+  host_resolver_->ResolveAllPending();
+  EXPECT_THAT(callback_.WaitForResult(), IsOk());
+
+  std::unique_ptr<HttpStream> stream = CreateStream(&request);
+  EXPECT_TRUE(stream.get());
+
+  QuicChromiumClientSession* session = GetActiveSession(host_port_pair_);
+
+  EXPECT_EQ(session->peer_address().host().ToString(), kNonCachedIPAddress);
+
+  EXPECT_TRUE(quic_data.AllReadDataConsumed());
+  EXPECT_TRUE(quic_data.AllWriteDataConsumed());
+  EXPECT_TRUE(quic_data2.AllReadDataConsumed());
+  EXPECT_TRUE(quic_data2.AllWriteDataConsumed());
+}
+
+// With stale dns experiment on,  the stale session is killed while waiting for
+// handshake
+TEST_P(QuicStreamFactoryTest, StaleNetworkFailedBeforeHandshake) {
+  test_params_.quic_params.race_stale_dns_on_connection = true;
+  host_resolver_ = std::make_unique<MockCachingHostResolver>();
+  InitializeConnectionMigrationV2Test(
+      {kDefaultNetworkForTests, kNewNetworkForTests});
+  ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
+  crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
+
+  // Set an address in resolver for asynchronous return.
+  host_resolver_->set_ondemand_mode(true);
+  factory_->set_require_confirmation(true);
+  crypto_client_stream_factory_.set_handshake_mode(
+      MockCryptoClientStream::ZERO_RTT);
+  host_resolver_->rules()->AddIPLiteralRule(host_port_pair_.host(),
+                                            kNonCachedIPAddress, "");
+
+  // Set up a different address in the stale resolvercache.
+  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Entry entry(OK,
+                         AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
+                         HostCache::Entry::SOURCE_DNS);
+  base::TimeDelta zero;
+  HostCache* cache = host_resolver_->GetHostCache();
+  cache->Set(key, entry, base::TimeTicks::Now(), zero);
+  // Expire the cache
+  cache->Invalidate();
+
+  MockQuicData quic_data(version_);
+  quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+  quic_data.AddSocketDataToFactory(socket_factory_.get());
+
+  client_maker_.Reset();
+  MockQuicData quic_data2(version_);
+  quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
+  quic_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
+  quic_data2.AddSocketDataToFactory(socket_factory_.get());
+
+  QuicStreamRequest request(factory_.get());
+  EXPECT_EQ(ERR_IO_PENDING,
+            request.Request(
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
+                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+                failed_on_default_network_callback_, callback_.callback()));
+
+  // Check that the racing job is running.
+  EXPECT_TRUE(HasLiveSession(host_port_pair_));
+  EXPECT_TRUE(HasActiveJob(host_port_pair_, privacy_mode_));
+
+  // By disconnecting the network, the stale session will be killed.
+  scoped_mock_network_change_notifier_->mock_network_change_notifier()
+      ->NotifyNetworkDisconnected(kDefaultNetworkForTests);
+
+  host_resolver_->ResolveAllPending();
+  base::RunLoop().RunUntilIdle();
+  // Make sure the fresh session is established.
+  crypto_client_stream_factory_.last_stream()->SendOnCryptoHandshakeEvent(
+      quic::QuicSession::HANDSHAKE_CONFIRMED);
+  EXPECT_THAT(callback_.WaitForResult(), IsOk());
+
+  std::unique_ptr<HttpStream> stream = CreateStream(&request);
+  EXPECT_TRUE(stream.get());
+
+  QuicChromiumClientSession* session = GetActiveSession(host_port_pair_);
+  EXPECT_EQ(session->peer_address().host().ToString(), kNonCachedIPAddress);
+
+  EXPECT_TRUE(quic_data.AllReadDataConsumed());
+  EXPECT_TRUE(quic_data.AllWriteDataConsumed());
+  EXPECT_TRUE(quic_data2.AllReadDataConsumed());
+  EXPECT_TRUE(quic_data2.AllWriteDataConsumed());
+}
+
 TEST_P(QuicStreamFactoryTest, ConfigInitialRttForHandshake) {
-  int kInitialRtt = 400;
-  test_params_.quic_initial_rtt_for_handshake_milliseconds = kInitialRtt;
+  constexpr base::TimeDelta kInitialRtt =
+      base::TimeDelta::FromMilliseconds(400);
+  test_params_.quic_params.initial_rtt_for_handshake = kInitialRtt;
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
   Initialize();
@@ -11106,19 +11085,20 @@ TEST_P(QuicStreamFactoryTest, ConfigInitialRttForHandshake) {
       factory_.get(),
       std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
 
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(ASYNC, client_maker_.MakeDummyCHLOPacket(1));
   socket_data.AddWrite(ASYNC, client_maker_.MakeDummyCHLOPacket(2));
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_FORWARD_SECURE);
-  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(3, 0));
+  socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket(3));
+
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
-                host_port_pair_, version_.transport_version, privacy_mode_,
-                DEFAULT_PRIORITY, SocketTag(),
+                host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+                SocketTag(), NetworkIsolationKey(),
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
   base::RunLoop().RunUntilIdle();
@@ -11127,19 +11107,18 @@ TEST_P(QuicStreamFactoryTest, ConfigInitialRttForHandshake) {
   EXPECT_TRUE(HasActiveJob(host_port_pair_, privacy_mode_));
 
   // The pending task is scheduled for handshake timeout retransmission,
-  // which is 2 * 400ms for v99 and 1.5 * 400ms for others.
-  int handshake_timeout = version_.transport_version == quic::QUIC_VERSION_99
-                              ? 2 * kInitialRtt
-                              : 1.5 * kInitialRtt;
-  EXPECT_EQ(base::TimeDelta::FromMilliseconds(handshake_timeout),
-            task_runner->NextPendingTaskDelay());
+  // which is 2 * 400ms with crypto frames and 1.5 * 400ms otherwise.
+  base::TimeDelta handshake_timeout =
+      QuicVersionUsesCryptoFrames(version_.transport_version)
+          ? 2 * kInitialRtt
+          : 1.5 * kInitialRtt;
+  EXPECT_EQ(handshake_timeout, task_runner->NextPendingTaskDelay());
 
   // The alarm factory dependes on |clock_|, so clock is advanced to trigger
   // retransmission alarm.
-  clock_.AdvanceTime(
-      quic::QuicTime::Delta::FromMilliseconds(handshake_timeout));
-  task_runner->FastForwardBy(
-      base::TimeDelta::FromMilliseconds(handshake_timeout));
+  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(
+      handshake_timeout.InMilliseconds()));
+  task_runner->FastForwardBy(handshake_timeout);
 
   crypto_client_stream_factory_.last_stream()->SendOnCryptoHandshakeEvent(
       quic::QuicSession::HANDSHAKE_CONFIRMED);
@@ -11163,11 +11142,12 @@ TEST_P(QuicStreamFactoryTest, Tag) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
   // Prepare to establish two QUIC sessions.
-  MockQuicData socket_data;
+  MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data.AddSocketDataToFactory(socket_factory_.get());
-  MockQuicData socket_data2;
+  client_maker_.Reset();
+  MockQuicData socket_data2(version_);
   socket_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   socket_data2.AddWrite(SYNCHRONOUS, ConstructInitialSettingsPacket());
   socket_data2.AddSocketDataToFactory(socket_factory_.get());
@@ -11183,8 +11163,8 @@ TEST_P(QuicStreamFactoryTest, Tag) {
   // Request a stream with |tag1|.
   QuicStreamRequest request1(factory_.get());
   int rv = request1.Request(
-      host_port_pair_, version_.transport_version, privacy_mode_,
-      DEFAULT_PRIORITY, tag1,
+      host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY, tag1,
+      NetworkIsolationKey(),
       /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
       failed_on_default_network_callback_, callback_.callback());
   EXPECT_THAT(callback_.GetResult(rv), IsOk());
@@ -11199,8 +11179,8 @@ TEST_P(QuicStreamFactoryTest, Tag) {
   // Request a stream with |tag1| and verify underlying session is reused.
   QuicStreamRequest request2(factory_.get());
   rv = request2.Request(
-      host_port_pair_, version_.transport_version, privacy_mode_,
-      DEFAULT_PRIORITY, tag1,
+      host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY, tag1,
+      NetworkIsolationKey(),
       /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
       failed_on_default_network_callback_, callback_.callback());
   EXPECT_THAT(callback_.GetResult(rv), IsOk());
@@ -11213,8 +11193,8 @@ TEST_P(QuicStreamFactoryTest, Tag) {
   // Request a stream with |tag2| and verify a new session is created.
   QuicStreamRequest request3(factory_.get());
   rv = request3.Request(
-      host_port_pair_, version_.transport_version, privacy_mode_,
-      DEFAULT_PRIORITY, tag2,
+      host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY, tag2,
+      NetworkIsolationKey(),
       /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
       failed_on_default_network_callback_, callback_.callback());
   EXPECT_THAT(callback_.GetResult(rv), IsOk());
diff --git a/chromium/net/quic/quic_test_packet_maker.cc b/chromium/net/quic/quic_test_packet_maker.cc
index 26dae2b6526..c2a246f0c43 100644
--- a/chromium/net/quic/quic_test_packet_maker.cc
+++ b/chromium/net/quic/quic_test_packet_maker.cc
@@ -8,7 +8,9 @@
 #include <utility>
 
 #include "net/quic/mock_crypto_client_stream.h"
+#include "net/quic/quic_chromium_client_session.h"
 #include "net/quic/quic_http_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/quic_framer.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
@@ -25,8 +27,93 @@ quic::QuicAckFrame MakeAckFrame(uint64_t largest_observed) {
   return ack;
 }
 
+quic::QuicFrames CloneFrames(const quic::QuicFrames& frames) {
+  quic::QuicFrames new_frames = frames;
+  for (auto& frame : new_frames) {
+    switch (frame.type) {
+      // Frames smaller than a pointer are inlined, so don't need to be cloned.
+      case quic::PADDING_FRAME:
+      case quic::MTU_DISCOVERY_FRAME:
+      case quic::PING_FRAME:
+      case quic::MAX_STREAMS_FRAME:
+      case quic::STOP_WAITING_FRAME:
+      case quic::STREAMS_BLOCKED_FRAME:
+      case quic::STREAM_FRAME:
+        break;
+      case quic::ACK_FRAME:
+        frame.ack_frame = new quic::QuicAckFrame(*frame.ack_frame);
+        break;
+      case quic::RST_STREAM_FRAME:
+        frame.rst_stream_frame =
+            new quic::QuicRstStreamFrame(*frame.rst_stream_frame);
+        break;
+      case quic::CONNECTION_CLOSE_FRAME:
+        frame.connection_close_frame =
+            new quic::QuicConnectionCloseFrame(*frame.connection_close_frame);
+        break;
+      case quic::GOAWAY_FRAME:
+        frame.goaway_frame = new quic::QuicGoAwayFrame(*frame.goaway_frame);
+        break;
+      case quic::BLOCKED_FRAME:
+        frame.blocked_frame = new quic::QuicBlockedFrame(*frame.blocked_frame);
+        break;
+      case quic::WINDOW_UPDATE_FRAME:
+        frame.window_update_frame =
+            new quic::QuicWindowUpdateFrame(*frame.window_update_frame);
+        break;
+      case quic::PATH_CHALLENGE_FRAME:
+        frame.path_challenge_frame =
+            new quic::QuicPathChallengeFrame(*frame.path_challenge_frame);
+        break;
+      case quic::STOP_SENDING_FRAME:
+        frame.stop_sending_frame =
+            new quic::QuicStopSendingFrame(*frame.stop_sending_frame);
+        break;
+      case quic::NEW_CONNECTION_ID_FRAME:
+        frame.new_connection_id_frame =
+            new quic::QuicNewConnectionIdFrame(*frame.new_connection_id_frame);
+        break;
+      case quic::RETIRE_CONNECTION_ID_FRAME:
+        frame.retire_connection_id_frame =
+            new quic::QuicRetireConnectionIdFrame(
+                *frame.retire_connection_id_frame);
+        break;
+      case quic::PATH_RESPONSE_FRAME:
+        frame.path_response_frame =
+            new quic::QuicPathResponseFrame(*frame.path_response_frame);
+        break;
+      case quic::MESSAGE_FRAME:
+        DCHECK(false) << "Message frame not supported";
+        // frame.message_frame = new
+        // quic::QuicMessageFrame(*frame.message_frame);
+        break;
+      case quic::CRYPTO_FRAME:
+        frame.crypto_frame = new quic::QuicCryptoFrame(*frame.crypto_frame);
+        break;
+      case quic::NEW_TOKEN_FRAME:
+        frame.new_token_frame =
+            new quic::QuicNewTokenFrame(*frame.new_token_frame);
+        break;
+
+      case quic::NUM_FRAME_TYPES:
+        DCHECK(false) << "Cannot clone frame type: " << frame.type;
+    }
+  }
+  return new_frames;
+}
+
 }  // namespace
 
+void QuicTestPacketMaker::DecoderStreamErrorDelegate::OnDecoderStreamError(
+    quic::QuicStringPiece error_message) {
+  LOG(FATAL) << error_message;
+}
+
+void QuicTestPacketMaker::EncoderStreamSenderDelegate::WriteStreamData(
+    quic::QuicStringPiece data) {
+  LOG(FATAL) << "data.length: " << data.length();
+}
+
 QuicTestPacketMaker::QuicTestPacketMaker(
     quic::ParsedQuicVersion version,
     quic::QuicConnectionId connection_id,
@@ -40,17 +127,27 @@ QuicTestPacketMaker::QuicTestPacketMaker(
       host_(host),
       spdy_request_framer_(spdy::SpdyFramer::ENABLE_COMPRESSION),
       spdy_response_framer_(spdy::SpdyFramer::ENABLE_COMPRESSION),
+      coalesce_http_frames_(false),
+      save_packet_frames_(false),
+      qpack_encoder_(&decoder_stream_error_delegate_,
+                     &encoder_stream_sender_delegate_),
       perspective_(perspective),
       encryption_level_(quic::ENCRYPTION_FORWARD_SECURE),
       long_header_type_(quic::INVALID_PACKET_TYPE),
       client_headers_include_h2_stream_dependency_(
           client_headers_include_h2_stream_dependency &&
           version.transport_version >= quic::QUIC_VERSION_43) {
+  stream_offsets_[quic::QuicUtils::GetHeadersStreamId(
+      version_.transport_version)] = 0;
   DCHECK(!(perspective_ == quic::Perspective::IS_SERVER &&
            client_headers_include_h2_stream_dependency_));
 }
 
-QuicTestPacketMaker::~QuicTestPacketMaker() {}
+QuicTestPacketMaker::~QuicTestPacketMaker() {
+  for (auto& kv : saved_frames_) {
+    quic::DeleteFrames(&(kv.second));
+  }
+}
 
 void QuicTestPacketMaker::set_hostname(const std::string& host) {
   host_.assign(host);
@@ -59,24 +156,7 @@ void QuicTestPacketMaker::set_hostname(const std::string& host) {
 std::unique_ptr<quic::QuicReceivedPacket>
 QuicTestPacketMaker::MakeConnectivityProbingPacket(uint64_t num,
                                                    bool include_version) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicFramer framer(quic::test::SupportedVersions(version_),
                           clock_->Now(), perspective_,
@@ -87,23 +167,24 @@ QuicTestPacketMaker::MakeConnectivityProbingPacket(uint64_t num,
   size_t length;
   if (version_.transport_version != quic::QUIC_VERSION_99) {
     length = framer.BuildConnectivityProbingPacket(
-        header, buffer, max_plaintext_size, encryption_level_);
+        header_, buffer, max_plaintext_size, encryption_level_);
   } else if (perspective_ == quic::Perspective::IS_CLIENT) {
     quic::test::MockRandom rand(0);
     quic::QuicPathFrameBuffer payload;
-    length = framer.BuildPaddedPathChallengePacket(
-        header, buffer, max_plaintext_size, &payload, &rand, encryption_level_);
+    length = framer.BuildPaddedPathChallengePacket(header_, buffer,
+                                                   max_plaintext_size, &payload,
+                                                   &rand, encryption_level_);
   } else {
     quic::test::MockRandom rand(0);
     quic::QuicPathFrameBuffer payload;
     rand.RandBytes(payload.data(), payload.size());
     quic::QuicDeque<quic::QuicPathFrameBuffer> payloads{payload};
-    length = framer.BuildPathResponsePacket(header, buffer, max_plaintext_size,
+    length = framer.BuildPathResponsePacket(header_, buffer, max_plaintext_size,
                                             payloads, true, encryption_level_);
   }
   size_t encrypted_size = framer.EncryptInPlace(
-      quic::ENCRYPTION_INITIAL, header.packet_number,
-      GetStartOfEncryptedData(framer.transport_version(), header), length,
+      quic::ENCRYPTION_INITIAL, header_.packet_number,
+      GetStartOfEncryptedData(framer.transport_version(), header_), length,
       quic::kDefaultMaxPacketSize, buffer);
   EXPECT_EQ(quic::kDefaultMaxPacketSize, encrypted_size);
   quic::QuicReceivedPacket encrypted(buffer, encrypted_size, clock_->Now(),
@@ -114,27 +195,10 @@ QuicTestPacketMaker::MakeConnectivityProbingPacket(uint64_t num,
 std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakePingPacket(
     uint64_t num,
     bool include_version) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicPingFrame ping;
-  return MakePacket(header, quic::QuicFrame(ping));
+  return MakePacket(header_, quic::QuicFrame(ping));
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -178,24 +242,7 @@ QuicTestPacketMaker::MakeAckAndPingPacket(uint64_t num,
                                           uint64_t largest_received,
                                           uint64_t smallest_received,
                                           uint64_t least_unacked) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicAckFrame ack(MakeAckFrame(largest_received));
   ack.ack_delay_time = quic::QuicTime::Delta::Zero();
@@ -214,7 +261,7 @@ QuicTestPacketMaker::MakeAckAndPingPacket(uint64_t num,
   frames.push_back(quic::QuicFrame(quic::QuicPingFrame()));
   DVLOG(1) << "Adding frame: " << frames.back();
 
-  return MakeMultipleFramesPacket(header, frames, nullptr);
+  return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
 
 std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeRstPacket(
@@ -222,7 +269,7 @@ std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeRstPacket(
     bool include_version,
     quic::QuicStreamId stream_id,
     quic::QuicRstStreamErrorCode error_code) {
-  return MakeRstPacket(num, include_version, stream_id, error_code, 0,
+  return MakeRstPacket(num, include_version, stream_id, error_code,
                        /*include_stop_sending_if_v99=*/true);
 }
 
@@ -231,30 +278,13 @@ std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeRstPacket(
     bool include_version,
     quic::QuicStreamId stream_id,
     quic::QuicRstStreamErrorCode error_code,
-    size_t bytes_written,
     bool include_stop_sending_if_v99) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicFrames frames;
 
-  quic::QuicRstStreamFrame rst(1, stream_id, error_code, bytes_written);
+  quic::QuicRstStreamFrame rst(1, stream_id, error_code,
+                               stream_offsets_[stream_id]);
   frames.push_back(quic::QuicFrame(&rst));
   DVLOG(1) << "Adding frame: " << frames.back();
 
@@ -266,7 +296,7 @@ std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeRstPacket(
     frames.push_back(quic::QuicFrame(&stop));
     DVLOG(1) << "Adding frame: " << frames.back();
   }
-  return MakeMultipleFramesPacket(header, frames, nullptr);
+  return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -275,28 +305,11 @@ QuicTestPacketMaker::MakeStreamsBlockedPacket(
     bool include_version,
     quic::QuicStreamCount stream_count,
     bool unidirectional) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicStreamsBlockedFrame frame(1, stream_count, unidirectional);
   DVLOG(1) << "Adding frame: " << quic::QuicFrame(frame);
-  return MakePacket(header, quic::QuicFrame(frame));
+  return MakePacket(header_, quic::QuicFrame(frame));
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -304,28 +317,11 @@ QuicTestPacketMaker::MakeMaxStreamsPacket(uint64_t num,
                                           bool include_version,
                                           quic::QuicStreamCount stream_count,
                                           bool unidirectional) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicMaxStreamsFrame frame(1, stream_count, unidirectional);
   DVLOG(1) << "Adding frame: " << quic::QuicFrame(frame);
-  return MakePacket(header, quic::QuicFrame(frame));
+  return MakePacket(header_, quic::QuicFrame(frame));
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -339,25 +335,9 @@ QuicTestPacketMaker::MakeRstAndRequestHeadersPacket(
     spdy::SpdyPriority priority,
     spdy::SpdyHeaderBlock headers,
     quic::QuicStreamId parent_stream_id,
-    size_t* spdy_headers_frame_length,
-    quic::QuicStreamOffset* offset) {
+    size_t* spdy_headers_frame_length) {
+  InitializeHeader(num, include_version);
   quic::QuicRstStreamFrame rst_frame(1, rst_stream_id, rst_error_code, 0);
-
-  spdy::SpdySerializedFrame spdy_frame = MakeSpdyHeadersFrame(
-      stream_id, fin, priority, std::move(headers), parent_stream_id);
-  if (spdy_headers_frame_length) {
-    *spdy_headers_frame_length = spdy_frame.size();
-  }
-  quic::QuicStreamOffset header_offset = 0;
-  if (offset != nullptr) {
-    header_offset = *offset;
-    *offset += spdy_frame.size();
-  }
-  quic::QuicStreamFrame headers_frame(
-      quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-      header_offset,
-      quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-
   quic::QuicFrames frames;
   frames.push_back(quic::QuicFrame(&rst_frame));
   DVLOG(1) << "Adding frame: " << frames.back();
@@ -369,8 +349,66 @@ QuicTestPacketMaker::MakeRstAndRequestHeadersPacket(
     frames.push_back(quic::QuicFrame(&stop));
     DVLOG(1) << "Adding frame: " << frames.back();
   }
+
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    // A stream frame containing stream type will be written on the control
+    // stream first.
+    std::string type(1, 0x00);
+
+    quic::SettingsFrame settings;
+    settings.values[quic::kSettingsMaxHeaderListSize] = kQuicMaxHeaderListSize;
+    std::unique_ptr<char[]> buffer1;
+    quic::QuicByteCount frame_length1 =
+        http_encoder_.SerializeSettingsFrame(settings, &buffer1);
+    std::string settings_data = std::string(buffer1.get(), frame_length1);
+
+    quic::QuicStreamFrame type_frame;
+    quic::QuicStreamFrame settings_frame;
+    if (stream_offsets_[2] == 0) {
+      type_frame = GenerateNextStreamFrame(2, false, type);
+      frames.push_back(quic::QuicFrame(type_frame));
+      settings_frame = GenerateNextStreamFrame(2, false, settings_data);
+      frames.push_back(quic::QuicFrame(settings_frame));
+    }
+
+    quic::PriorityFrame frame;
+    frame.weight = priority;
+    frame.dependency_type = quic::ROOT_OF_TREE;
+    frame.prioritized_type = quic::REQUEST_STREAM;
+    frame.prioritized_element_id = stream_id;
+
+    std::unique_ptr<char[]> buffer;
+    quic::QuicByteCount frame_length =
+        http_encoder_.SerializePriorityFrame(frame, &buffer);
+    std::string priority_data = std::string(buffer.get(), frame_length);
+
+    quic::QuicStreamFrame priority_frame =
+        GenerateNextStreamFrame(2, false, priority_data);
+
+    frames.push_back(quic::QuicFrame(priority_frame));
+
+    // STREAM frames for HEADERS.
+    std::vector<std::string> data = QpackEncodeHeaders(
+        stream_id, std::move(headers), spdy_headers_frame_length);
+    std::vector<quic::QuicStreamFrame> stream_frames =
+        GenerateNextStreamFrames(stream_id, fin, data);
+
+    for (const auto& frame : stream_frames)
+      frames.push_back(quic::QuicFrame(frame));
+
+    InitializeHeader(num, include_version);
+    return MakeMultipleFramesPacket(header_, frames, nullptr);
+  }
+
+  spdy::SpdySerializedFrame spdy_frame = MakeSpdyHeadersFrame(
+      stream_id, fin, priority, std::move(headers), parent_stream_id);
+  if (spdy_headers_frame_length) {
+    *spdy_headers_frame_length = spdy_frame.size();
+  }
+  quic::QuicStreamFrame headers_frame = GenerateNextStreamFrame(
+      quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
+      quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
   frames.push_back(quic::QuicFrame(headers_frame));
-  DVLOG(1) << "Adding frame: " << frames.back();
 
   InitializeHeader(num, include_version);
   return MakeMultipleFramesPacket(header_, frames, nullptr);
@@ -388,7 +426,7 @@ QuicTestPacketMaker::MakeAckAndRstPacket(
     bool send_feedback) {
   return MakeAckAndRstPacket(num, include_version, stream_id, error_code,
                              largest_received, smallest_received, least_unacked,
-                             send_feedback, 0,
+                             send_feedback,
                              /*include_stop_sending_if_v99=*/true);
 }
 
@@ -402,26 +440,8 @@ QuicTestPacketMaker::MakeAckAndRstPacket(
     uint64_t smallest_received,
     uint64_t least_unacked,
     bool send_feedback,
-    size_t bytes_written,
     bool include_stop_sending_if_v99) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicAckFrame ack(MakeAckFrame(largest_received));
   ack.ack_delay_time = quic::QuicTime::Delta::Zero();
@@ -437,7 +457,8 @@ QuicTestPacketMaker::MakeAckAndRstPacket(
   frames.push_back(quic::QuicFrame(&ack));
   DVLOG(1) << "Adding frame: " << frames.back();
 
-  quic::QuicRstStreamFrame rst(1, stream_id, error_code, bytes_written);
+  quic::QuicRstStreamFrame rst(1, stream_id, error_code,
+                               stream_offsets_[stream_id]);
   frames.push_back(quic::QuicFrame(&rst));
   DVLOG(1) << "Adding frame: " << frames.back();
 
@@ -450,7 +471,7 @@ QuicTestPacketMaker::MakeAckAndRstPacket(
     DVLOG(1) << "Adding frame: " << frames.back();
   }
 
-  return MakeMultipleFramesPacket(header, frames, nullptr);
+  return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -465,24 +486,7 @@ QuicTestPacketMaker::MakeRstAckAndConnectionClosePacket(
     uint64_t least_unacked,
     quic::QuicErrorCode quic_error,
     const std::string& quic_error_details) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicFrames frames;
   quic::QuicRstStreamFrame rst(1, stream_id, error_code, 0);
@@ -521,7 +525,7 @@ QuicTestPacketMaker::MakeRstAckAndConnectionClosePacket(
   frames.push_back(quic::QuicFrame(&close));
   DVLOG(1) << "Adding frame: " << frames.back();
 
-  return MakeMultipleFramesPacket(header, frames, nullptr);
+  return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -534,24 +538,7 @@ QuicTestPacketMaker::MakeAckAndConnectionClosePacket(
     uint64_t least_unacked,
     quic::QuicErrorCode quic_error,
     const std::string& quic_error_details) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicAckFrame ack(MakeAckFrame(largest_received));
   ack.ack_delay_time = ack_delay_time;
@@ -577,7 +564,7 @@ QuicTestPacketMaker::MakeAckAndConnectionClosePacket(
   frames.push_back(quic::QuicFrame(&close));
   DVLOG(1) << "Adding frame: " << frames.back();
 
-  return MakeMultipleFramesPacket(header, frames, nullptr);
+  return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -586,24 +573,7 @@ QuicTestPacketMaker::MakeConnectionClosePacket(
     bool include_version,
     quic::QuicErrorCode quic_error,
     const std::string& quic_error_details) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(include_version);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, include_version);
 
   quic::QuicConnectionCloseFrame close;
   close.quic_error_code = quic_error;
@@ -612,37 +582,20 @@ QuicTestPacketMaker::MakeConnectionClosePacket(
     close.close_type = quic::IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
   }
 
-  return MakePacket(header, quic::QuicFrame(&close));
+  return MakePacket(header_, quic::QuicFrame(&close));
 }
 
 std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeGoAwayPacket(
     uint64_t num,
     quic::QuicErrorCode error_code,
     std::string reason_phrase) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(false);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(num);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(num, /*include_version=*/false);
 
   quic::QuicGoAwayFrame goaway;
   goaway.error_code = error_code;
   goaway.last_good_stream_id = 0;
   goaway.reason_phrase = reason_phrase;
-  return MakePacket(header, quic::QuicFrame(&goaway));
+  return MakePacket(header_, quic::QuicFrame(&goaway));
 }
 
 std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeAckPacket(
@@ -687,24 +640,7 @@ std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeAckPacket(
     uint64_t least_unacked,
     bool send_feedback,
     quic::QuicTime::Delta ack_delay_time) {
-  quic::QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.destination_connection_id_included = HasDestinationConnectionId();
-  header.source_connection_id = connection_id_;
-  header.source_connection_id_included = HasSourceConnectionId();
-  header.reset_flag = false;
-  header.version_flag = ShouldIncludeVersion(false);
-  header.long_packet_type = long_header_type_;
-  header.packet_number_length = GetPacketNumberLength();
-  header.packet_number = quic::QuicPacketNumber(packet_number);
-
-  if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      header.version_flag) {
-    if (long_header_type_ == quic::INITIAL) {
-      header.retry_token_length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    }
-    header.length_length = quic::VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
+  InitializeHeader(packet_number, /*include_version=*/false);
 
   quic::QuicAckFrame ack(MakeAckFrame(largest_received));
   ack.ack_delay_time = ack_delay_time;
@@ -729,7 +665,7 @@ std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeAckPacket(
       framer.GetMaxPlaintextSize(quic::kDefaultMaxPacketSize);
   size_t ack_frame_length = framer.GetSerializedFrameLength(
       ack_frame, max_plaintext_size, /*first_frame*/ true, /*last_frame*/ false,
-      header.packet_number_length);
+      header_.packet_number_length);
   const size_t min_plaintext_size = 7;
   if (version_.HasHeaderProtection() && ack_frame_length < min_plaintext_size) {
     size_t padding_length = min_plaintext_size - ack_frame_length;
@@ -737,10 +673,10 @@ std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeAckPacket(
   }
 
   std::unique_ptr<quic::QuicPacket> packet(
-      quic::test::BuildUnsizedDataPacket(&framer, header, frames));
+      quic::test::BuildUnsizedDataPacket(&framer, header_, frames));
   char buffer[quic::kMaxOutgoingPacketSize];
   size_t encrypted_size =
-      framer.EncryptPayload(quic::ENCRYPTION_INITIAL, header.packet_number,
+      framer.EncryptPayload(quic::ENCRYPTION_INITIAL, header_.packet_number,
                             *packet, buffer, quic::kMaxOutgoingPacketSize);
   EXPECT_NE(0u, encrypted_size);
   quic::QuicReceivedPacket encrypted(buffer, encrypted_size, clock_->Now(),
@@ -748,17 +684,25 @@ std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeAckPacket(
   return encrypted.Clone();
 }
 
-// Returns a newly created packet to send kData on stream 1.
+std::unique_ptr<quic::QuicReceivedPacket>
+QuicTestPacketMaker::MakeHeadersDataPacket(uint64_t packet_number,
+                                           bool should_include_version,
+                                           bool fin,
+                                           quic::QuicStringPiece data) {
+  return MakeDataPacket(
+      packet_number,
+      quic::QuicUtils::GetHeadersStreamId(version_.transport_version),
+      should_include_version, fin, data);
+}
+
 std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeDataPacket(
     uint64_t packet_number,
     quic::QuicStreamId stream_id,
     bool should_include_version,
     bool fin,
-    quic::QuicStreamOffset offset,
     quic::QuicStringPiece data) {
   InitializeHeader(packet_number, should_include_version);
-  quic::QuicStreamFrame frame(stream_id, fin, offset, data);
-  DVLOG(1) << "Adding frame: " << frame;
+  quic::QuicStreamFrame frame = GenerateNextStreamFrame(stream_id, fin, data);
   return MakePacket(header_, quic::QuicFrame(frame));
 }
 
@@ -768,17 +712,14 @@ QuicTestPacketMaker::MakeMultipleDataFramesPacket(
     quic::QuicStreamId stream_id,
     bool should_include_version,
     bool fin,
-    quic::QuicStreamOffset offset,
     const std::vector<std::string>& data_writes) {
   InitializeHeader(packet_number, should_include_version);
   quic::QuicFrames data_frames;
   for (size_t i = 0; i < data_writes.size(); ++i) {
     bool is_fin = fin && (i == data_writes.size() - 1);
-    quic::QuicFrame quic_frame(quic::QuicStreamFrame(
-        stream_id, is_fin, offset, quic::QuicStringPiece(data_writes[i])));
-    DVLOG(1) << "Adding frame: " << quic_frame;
+    quic::QuicFrame quic_frame(
+        GenerateNextStreamFrame(stream_id, is_fin, data_writes[i]));
     data_frames.push_back(quic_frame);
-    offset += data_writes[i].length();
   }
   return MakeMultipleFramesPacket(header_, data_frames, nullptr);
 }
@@ -791,7 +732,6 @@ QuicTestPacketMaker::MakeAckAndDataPacket(uint64_t packet_number,
                                           uint64_t smallest_received,
                                           uint64_t least_unacked,
                                           bool fin,
-                                          quic::QuicStreamOffset offset,
                                           quic::QuicStringPiece data) {
   InitializeHeader(packet_number, include_version);
 
@@ -810,8 +750,7 @@ QuicTestPacketMaker::MakeAckAndDataPacket(uint64_t packet_number,
   DVLOG(1) << "Adding frame: " << frames.back();
 
   frames.push_back(
-      quic::QuicFrame(quic::QuicStreamFrame(stream_id, fin, offset, data)));
-  DVLOG(1) << "Adding frame: " << frames.back();
+      quic::QuicFrame(GenerateNextStreamFrame(stream_id, fin, data)));
 
   return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
@@ -825,7 +764,6 @@ QuicTestPacketMaker::MakeAckAndMultipleDataFramesPacket(
     uint64_t smallest_received,
     uint64_t least_unacked,
     bool fin,
-    quic::QuicStreamOffset offset,
     const std::vector<std::string>& data_writes) {
   InitializeHeader(packet_number, include_version);
 
@@ -845,11 +783,9 @@ QuicTestPacketMaker::MakeAckAndMultipleDataFramesPacket(
 
   for (size_t i = 0; i < data_writes.size(); ++i) {
     bool is_fin = fin && (i == data_writes.size() - 1);
-    quic::QuicFrame quic_frame(quic::QuicStreamFrame(
-        stream_id, is_fin, offset, quic::QuicStringPiece(data_writes[i])));
-    DVLOG(1) << "Adding frame: " << quic_frame;
+    quic::QuicFrame quic_frame(GenerateNextStreamFrame(
+        stream_id, is_fin, quic::QuicStringPiece(data_writes[i])));
     frames.push_back(quic_frame);
-    offset += data_writes[i].length();
   }
   return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
@@ -863,10 +799,66 @@ QuicTestPacketMaker::MakeRequestHeadersAndMultipleDataFramesPacket(
     spdy::SpdyPriority priority,
     spdy::SpdyHeaderBlock headers,
     quic::QuicStreamId parent_stream_id,
-    quic::QuicStreamOffset* header_stream_offset,
     size_t* spdy_headers_frame_length,
     const std::vector<std::string>& data_writes) {
   InitializeHeader(packet_number, should_include_version);
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    // A stream frame containing stream type will be written on the control
+    // stream first.
+    std::string type(1, 0x00);
+
+    quic::SettingsFrame settings;
+    settings.values[quic::kSettingsMaxHeaderListSize] = kQuicMaxHeaderListSize;
+    std::unique_ptr<char[]> buffer1;
+    quic::QuicByteCount frame_length1 =
+        http_encoder_.SerializeSettingsFrame(settings, &buffer1);
+    std::string settings_data = std::string(buffer1.get(), frame_length1);
+
+    quic::QuicStreamFrame type_frame;
+    quic::QuicStreamFrame settings_frame;
+    quic::QuicFrames frames;
+    if (stream_offsets_[2] == 0) {
+      type_frame = GenerateNextStreamFrame(2, false, type);
+      frames.push_back(quic::QuicFrame(type_frame));
+      settings_frame = GenerateNextStreamFrame(2, false, settings_data);
+      frames.push_back(quic::QuicFrame(settings_frame));
+    }
+
+    quic::PriorityFrame frame;
+    frame.weight = priority;
+    frame.dependency_type = quic::ROOT_OF_TREE;
+    frame.prioritized_type = quic::REQUEST_STREAM;
+    frame.prioritized_element_id = stream_id;
+
+    std::unique_ptr<char[]> buffer;
+    quic::QuicByteCount frame_length =
+        http_encoder_.SerializePriorityFrame(frame, &buffer);
+    std::string priority_data = std::string(buffer.get(), frame_length);
+
+    quic::QuicStreamFrame priority_frame =
+        GenerateNextStreamFrame(2, false, priority_data);
+
+    // STREAM frames for HEADERS.
+    std::vector<std::string> data = QpackEncodeHeaders(
+        stream_id, std::move(headers), spdy_headers_frame_length);
+    std::vector<quic::QuicStreamFrame> stream_frames =
+        GenerateNextStreamFrames(stream_id, false, data);
+
+    // STREAM frames for DATA.
+    for (size_t i = 0; i < data_writes.size(); ++i) {
+      bool is_fin = fin && (i == data_writes.size() - 1);
+      stream_frames.push_back(GenerateNextStreamFrame(
+          stream_id, is_fin, quic::QuicStringPiece(data_writes[i])));
+    }
+
+    frames.push_back(quic::QuicFrame(priority_frame));
+
+    for (const auto& frame : stream_frames)
+      frames.push_back(quic::QuicFrame(frame));
+
+    return MakeMultipleFramesPacket(header_, frames, nullptr);
+  }
+
   spdy::SpdySerializedFrame spdy_frame =
       MakeSpdyHeadersFrame(stream_id, fin && data_writes.empty(), priority,
                            std::move(headers), parent_stream_id);
@@ -874,30 +866,20 @@ QuicTestPacketMaker::MakeRequestHeadersAndMultipleDataFramesPacket(
   if (spdy_headers_frame_length) {
     *spdy_headers_frame_length = spdy_frame.size();
   }
-  quic::QuicFrames frames;
-  quic::QuicStreamOffset header_offset =
-      header_stream_offset == nullptr ? 0 : *header_stream_offset;
-  quic::QuicStreamFrame frame(
+  quic::QuicStreamFrame frame = GenerateNextStreamFrame(
       quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-      header_offset,
       quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
+  quic::QuicFrames frames;
   frames.push_back(quic::QuicFrame(frame));
-  DVLOG(1) << "Adding frame: " << frames.back();
-  if (header_stream_offset != nullptr) {
-    *header_stream_offset += spdy_frame.size();
-  }
 
-  quic::QuicStreamOffset offset = 0;
   // quic::QuicFrame takes a raw pointer. Use a std::vector here so we keep
   // StreamFrames alive until MakeMultipleFramesPacket is done.
   std::vector<std::unique_ptr<quic::QuicStreamFrame>> stream_frames;
   for (size_t i = 0; i < data_writes.size(); ++i) {
     bool is_fin = fin && (i == data_writes.size() - 1);
-    quic::QuicFrame quic_frame(quic::QuicStreamFrame(
-        stream_id, is_fin, offset, quic::QuicStringPiece(data_writes[i])));
-    DVLOG(1) << "Adding frame: " << quic_frame;
+    quic::QuicFrame quic_frame(GenerateNextStreamFrame(
+        stream_id, is_fin, quic::QuicStringPiece(data_writes[i])));
     frames.push_back(quic_frame);
-    offset += data_writes[i].length();
   }
   return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
@@ -912,64 +894,66 @@ QuicTestPacketMaker::MakeRequestHeadersPacket(
     spdy::SpdyHeaderBlock headers,
     quic::QuicStreamId parent_stream_id,
     size_t* spdy_headers_frame_length) {
-  return MakeRequestHeadersPacket(
-      packet_number, stream_id, should_include_version, fin, priority,
-      std::move(headers), parent_stream_id, spdy_headers_frame_length, nullptr);
-}
+  InitializeHeader(packet_number, should_include_version);
 
-// If |offset| is provided, will use the value when creating the packet.
-// Will also update the value after packet creation.
-std::unique_ptr<quic::QuicReceivedPacket>
-QuicTestPacketMaker::MakeRequestHeadersPacket(
-    uint64_t packet_number,
-    quic::QuicStreamId stream_id,
-    bool should_include_version,
-    bool fin,
-    spdy::SpdyPriority priority,
-    spdy::SpdyHeaderBlock headers,
-    quic::QuicStreamId parent_stream_id,
-    size_t* spdy_headers_frame_length,
-    quic::QuicStreamOffset* offset) {
-  std::string unused_stream_data;
-  return MakeRequestHeadersPacketAndSaveData(
-      packet_number, stream_id, should_include_version, fin, priority,
-      std::move(headers), parent_stream_id, spdy_headers_frame_length, offset,
-      &unused_stream_data);
-}
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    // A stream frame containing stream type will be written on the control
+    // stream first.
+    std::string type(1, 0x00);
+
+    quic::SettingsFrame settings;
+    settings.values[quic::kSettingsMaxHeaderListSize] = kQuicMaxHeaderListSize;
+    std::unique_ptr<char[]> buffer1;
+    quic::QuicByteCount frame_length1 =
+        http_encoder_.SerializeSettingsFrame(settings, &buffer1);
+    std::string settings_data = std::string(buffer1.get(), frame_length1);
+
+    quic::QuicStreamFrame type_frame;
+    quic::QuicStreamFrame settings_frame;
+    quic::QuicFrames frames;
+    if (stream_offsets_[2] == 0) {
+      type_frame = GenerateNextStreamFrame(2, false, type);
+      frames.push_back(quic::QuicFrame(type_frame));
+      settings_frame = GenerateNextStreamFrame(2, false, settings_data);
+      frames.push_back(quic::QuicFrame(settings_frame));
+    }
+
+    quic::PriorityFrame frame;
+    frame.weight = priority;
+    frame.dependency_type = quic::ROOT_OF_TREE;
+    frame.prioritized_type = quic::REQUEST_STREAM;
+    frame.prioritized_element_id = stream_id;
+
+    std::unique_ptr<char[]> buffer;
+    quic::QuicByteCount frame_length =
+        http_encoder_.SerializePriorityFrame(frame, &buffer);
+    std::string priority_data = std::string(buffer.get(), frame_length);
+
+    quic::QuicStreamFrame priority_frame =
+        GenerateNextStreamFrame(2, false, priority_data);
+
+    std::vector<std::string> data = QpackEncodeHeaders(
+        stream_id, std::move(headers), spdy_headers_frame_length);
+    std::vector<quic::QuicStreamFrame> stream_frames =
+        GenerateNextStreamFrames(stream_id, fin, data);
+
+    frames.push_back(quic::QuicFrame(priority_frame));
+
+    for (const auto& frame : stream_frames)
+      frames.push_back(quic::QuicFrame(frame));
+    return MakeMultipleFramesPacket(header_, frames, nullptr);
+  }
 
-std::unique_ptr<quic::QuicReceivedPacket>
-QuicTestPacketMaker::MakeRequestHeadersPacketAndSaveData(
-    uint64_t packet_number,
-    quic::QuicStreamId stream_id,
-    bool should_include_version,
-    bool fin,
-    spdy::SpdyPriority priority,
-    spdy::SpdyHeaderBlock headers,
-    quic::QuicStreamId parent_stream_id,
-    size_t* spdy_headers_frame_length,
-    quic::QuicStreamOffset* offset,
-    std::string* stream_data) {
-  InitializeHeader(packet_number, should_include_version);
   spdy::SpdySerializedFrame spdy_frame = MakeSpdyHeadersFrame(
       stream_id, fin, priority, std::move(headers), parent_stream_id);
-  *stream_data = std::string(spdy_frame.data(), spdy_frame.size());
 
   if (spdy_headers_frame_length)
     *spdy_headers_frame_length = spdy_frame.size();
 
-  if (offset != nullptr) {
-    quic::QuicStreamFrame frame(
-        quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-        *offset, quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-    *offset += spdy_frame.size();
-    return MakePacket(header_, quic::QuicFrame(frame));
-  } else {
-    quic::QuicStreamFrame frame(
-        quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-        0, quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-
-    return MakePacket(header_, quic::QuicFrame(frame));
-  }
+  quic::QuicStreamFrame frame = GenerateNextStreamFrame(
+      quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
+      quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
+  return MakePacket(header_, quic::QuicFrame(frame));
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -982,25 +966,76 @@ QuicTestPacketMaker::MakeRequestHeadersAndRstPacket(
     spdy::SpdyHeaderBlock headers,
     quic::QuicStreamId parent_stream_id,
     size_t* spdy_headers_frame_length,
-    quic::QuicStreamOffset* header_stream_offset,
-    quic::QuicRstStreamErrorCode error_code,
-    size_t bytes_written) {
+    quic::QuicRstStreamErrorCode error_code) {
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    // A stream frame containing stream type will be written on the control
+    // stream first.
+    std::string type(1, 0x00);
+
+    quic::SettingsFrame settings;
+    settings.values[quic::kSettingsMaxHeaderListSize] = kQuicMaxHeaderListSize;
+    std::unique_ptr<char[]> buffer1;
+    quic::QuicByteCount frame_length1 =
+        http_encoder_.SerializeSettingsFrame(settings, &buffer1);
+    std::string settings_data = std::string(buffer1.get(), frame_length1);
+
+    quic::QuicStreamFrame type_frame;
+    quic::QuicStreamFrame settings_frame;
+    quic::QuicFrames frames;
+    if (stream_offsets_[2] == 0) {
+      type_frame = GenerateNextStreamFrame(2, false, type);
+      frames.push_back(quic::QuicFrame(type_frame));
+      settings_frame = GenerateNextStreamFrame(2, false, settings_data);
+      frames.push_back(quic::QuicFrame(settings_frame));
+    }
+
+    quic::PriorityFrame frame;
+    frame.weight = priority;
+    frame.dependency_type = quic::ROOT_OF_TREE;
+    frame.prioritized_type = quic::REQUEST_STREAM;
+    frame.prioritized_element_id = stream_id;
+
+    std::unique_ptr<char[]> buffer;
+    quic::QuicByteCount frame_length =
+        http_encoder_.SerializePriorityFrame(frame, &buffer);
+    std::string priority_data = std::string(buffer.get(), frame_length);
+
+    quic::QuicStreamFrame priority_frame =
+        GenerateNextStreamFrame(2, false, priority_data);
+
+    std::vector<std::string> data = QpackEncodeHeaders(
+        stream_id, std::move(headers), spdy_headers_frame_length);
+    std::vector<quic::QuicStreamFrame> stream_frames =
+        GenerateNextStreamFrames(stream_id, fin, data);
+
+    frames.push_back(quic::QuicFrame(priority_frame));
+
+    for (const auto& frame : stream_frames)
+      frames.push_back(quic::QuicFrame(frame));
+
+    quic::QuicRstStreamFrame rst_frame(1, stream_id, error_code,
+                                       stream_offsets_[stream_id]);
+    frames.push_back(quic::QuicFrame(&rst_frame));
+    DVLOG(1) << "Adding frame: " << frames.back();
+
+    quic::QuicStopSendingFrame stop(1, stream_id, error_code);
+    frames.push_back(quic::QuicFrame(&stop));
+    DVLOG(1) << "Adding frame: " << frames.back();
+    InitializeHeader(packet_number, should_include_version);
+    return MakeMultipleFramesPacket(header_, frames, nullptr);
+  }
+
   spdy::SpdySerializedFrame spdy_frame = MakeSpdyHeadersFrame(
       stream_id, fin, priority, std::move(headers), parent_stream_id);
   if (spdy_headers_frame_length) {
     *spdy_headers_frame_length = spdy_frame.size();
   }
-  quic::QuicStreamOffset header_offset = 0;
-  if (header_stream_offset != nullptr) {
-    header_offset = *header_stream_offset;
-    *header_stream_offset += spdy_frame.size();
-  }
-  quic::QuicStreamFrame headers_frame(
+  quic::QuicStreamFrame headers_frame = GenerateNextStreamFrame(
       quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-      header_offset,
       quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
 
-  quic::QuicRstStreamFrame rst_frame(1, stream_id, error_code, bytes_written);
+  quic::QuicRstStreamFrame rst_frame(1, stream_id, error_code,
+                                     stream_offsets_[stream_id]);
 
   quic::QuicFrames frames;
   frames.push_back(quic::QuicFrame(headers_frame));
@@ -1042,25 +1077,6 @@ spdy::SpdySerializedFrame QuicTestPacketMaker::MakeSpdyHeadersFrame(
   return spdy_request_framer_.SerializeFrame(headers_frame);
 }
 
-// Convenience method for calling MakeRequestHeadersPacket with nullptr for
-// |spdy_headers_frame_length|.
-std::unique_ptr<quic::QuicReceivedPacket>
-QuicTestPacketMaker::MakeRequestHeadersPacketWithOffsetTracking(
-    uint64_t packet_number,
-    quic::QuicStreamId stream_id,
-    bool should_include_version,
-    bool fin,
-    spdy::SpdyPriority priority,
-    spdy::SpdyHeaderBlock headers,
-    quic::QuicStreamId parent_stream_id,
-    quic::QuicStreamOffset* offset) {
-  return MakeRequestHeadersPacket(
-      packet_number, stream_id, should_include_version, fin, priority,
-      std::move(headers), parent_stream_id, nullptr, offset);
-}
-
-// If |offset| is provided, will use the value when creating the packet.
-// Will also update the value after packet creation.
 std::unique_ptr<quic::QuicReceivedPacket>
 QuicTestPacketMaker::MakePushPromisePacket(
     uint64_t packet_number,
@@ -1069,8 +1085,7 @@ QuicTestPacketMaker::MakePushPromisePacket(
     bool should_include_version,
     bool fin,
     spdy::SpdyHeaderBlock headers,
-    size_t* spdy_headers_frame_length,
-    quic::QuicStreamOffset* offset) {
+    size_t* spdy_headers_frame_length) {
   InitializeHeader(packet_number, should_include_version);
   spdy::SpdySerializedFrame spdy_frame;
   spdy::SpdyPushPromiseIR promise_frame(stream_id, promised_stream_id,
@@ -1080,18 +1095,10 @@ QuicTestPacketMaker::MakePushPromisePacket(
   if (spdy_headers_frame_length) {
     *spdy_headers_frame_length = spdy_frame.size();
   }
-  if (offset != nullptr) {
-    quic::QuicStreamFrame frame(
-        quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-        *offset, quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-    *offset += spdy_frame.size();
-    return MakePacket(header_, quic::QuicFrame(frame));
-  } else {
-    quic::QuicStreamFrame frame(
-        quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-        0, quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-    return MakePacket(header_, quic::QuicFrame(frame));
-  }
+  quic::QuicStreamFrame frame = GenerateNextStreamFrame(
+      quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
+      quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
+  return MakePacket(header_, quic::QuicFrame(frame));
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -1122,9 +1129,22 @@ QuicTestPacketMaker::MakeResponseHeadersPacket(
     bool should_include_version,
     bool fin,
     spdy::SpdyHeaderBlock headers,
-    size_t* spdy_headers_frame_length,
-    quic::QuicStreamOffset* offset) {
+    size_t* spdy_headers_frame_length) {
   InitializeHeader(packet_number, should_include_version);
+
+  if (quic::VersionUsesQpack(version_.transport_version)) {
+    // STREAM frames for HEADERS.
+    std::vector<std::string> data = QpackEncodeHeaders(
+        stream_id, std::move(headers), spdy_headers_frame_length);
+    std::vector<quic::QuicStreamFrame> stream_frames =
+        GenerateNextStreamFrames(stream_id, fin, data);
+
+    quic::QuicFrames frames;
+    for (const auto& frame : stream_frames)
+      frames.push_back(quic::QuicFrame(frame));
+    return MakeMultipleFramesPacket(header_, frames, nullptr);
+  }
+
   spdy::SpdySerializedFrame spdy_frame;
   spdy::SpdyHeadersIR headers_frame(stream_id, std::move(headers));
   headers_frame.set_fin(fin);
@@ -1133,46 +1153,10 @@ QuicTestPacketMaker::MakeResponseHeadersPacket(
   if (spdy_headers_frame_length) {
     *spdy_headers_frame_length = spdy_frame.size();
   }
-  if (offset != nullptr) {
-    quic::QuicStreamFrame frame(
-        quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-        *offset, quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-    *offset += spdy_frame.size();
-    return MakePacket(header_, quic::QuicFrame(frame));
-  } else {
-    quic::QuicStreamFrame frame(
-        quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-        0, quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-    return MakePacket(header_, quic::QuicFrame(frame));
-  }
-}
-
-std::unique_ptr<quic::QuicReceivedPacket>
-QuicTestPacketMaker::MakeResponseHeadersPacket(
-    uint64_t packet_number,
-    quic::QuicStreamId stream_id,
-    bool should_include_version,
-    bool fin,
-    spdy::SpdyHeaderBlock headers,
-    size_t* spdy_headers_frame_length) {
-  return MakeResponseHeadersPacket(
-      packet_number, stream_id, should_include_version, fin, std::move(headers),
-      spdy_headers_frame_length, nullptr);
-}
-
-// Convenience method for calling MakeResponseHeadersPacket with nullptr for
-// |spdy_headers_frame_length|.
-std::unique_ptr<quic::QuicReceivedPacket>
-QuicTestPacketMaker::MakeResponseHeadersPacketWithOffsetTracking(
-    uint64_t packet_number,
-    quic::QuicStreamId stream_id,
-    bool should_include_version,
-    bool fin,
-    spdy::SpdyHeaderBlock headers,
-    quic::QuicStreamOffset* offset) {
-  return MakeResponseHeadersPacket(packet_number, stream_id,
-                                   should_include_version, fin,
-                                   std::move(headers), nullptr, offset);
+  quic::QuicStreamFrame frame = GenerateNextStreamFrame(
+      quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
+      quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
+  return MakePacket(header_, quic::QuicFrame(frame));
 }
 
 spdy::SpdyHeaderBlock QuicTestPacketMaker::GetRequestHeaders(
@@ -1232,7 +1216,7 @@ QuicTestPacketMaker::MakeMultipleFramesPacket(
   if (data_producer != nullptr) {
     framer.set_data_producer(data_producer);
   }
-  quic::QuicFrames frames_copy = frames;
+  quic::QuicFrames frames_copy = CloneFrames(frames);
   size_t max_plaintext_size =
       framer.GetMaxPlaintextSize(quic::kDefaultMaxPacketSize);
   if (version_.HasHeaderProtection()) {
@@ -1265,14 +1249,19 @@ QuicTestPacketMaker::MakeMultipleFramesPacket(
   EXPECT_NE(0u, encrypted_size);
   quic::QuicReceivedPacket encrypted(buffer, encrypted_size, clock_->Now(),
                                      false);
+  if (save_packet_frames_) {
+    saved_frames_[header.packet_number] = frames_copy;
+  } else {
+    DeleteFrames(&frames_copy);
+  }
   return encrypted.Clone();
 }
 
 void QuicTestPacketMaker::InitializeHeader(uint64_t packet_number,
                                            bool should_include_version) {
-  header_.destination_connection_id = connection_id_;
+  header_.destination_connection_id = DestinationConnectionId();
   header_.destination_connection_id_included = HasDestinationConnectionId();
-  header_.source_connection_id = connection_id_;
+  header_.source_connection_id = SourceConnectionId();
   header_.source_connection_id_included = HasSourceConnectionId();
   header_.reset_flag = false;
   header_.version_flag = ShouldIncludeVersion(should_include_version);
@@ -1280,7 +1269,7 @@ void QuicTestPacketMaker::InitializeHeader(uint64_t packet_number,
   header_.packet_number_length = GetPacketNumberLength();
   header_.packet_number = quic::QuicPacketNumber(packet_number);
   if (quic::QuicVersionHasLongHeaderLengths(version_.transport_version) &&
-      should_include_version) {
+      header_.version_flag) {
     if (long_header_type_ == quic::INITIAL) {
       header_.retry_token_length_length =
           quic::VARIABLE_LENGTH_INTEGER_LENGTH_1;
@@ -1290,36 +1279,94 @@ void QuicTestPacketMaker::InitializeHeader(uint64_t packet_number,
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
-QuicTestPacketMaker::MakeInitialSettingsPacket(uint64_t packet_number,
-                                               quic::QuicStreamOffset* offset) {
-  std::string unused_data;
-  return MakeInitialSettingsPacketAndSaveData(packet_number, offset,
-                                              &unused_data);
+QuicTestPacketMaker::MakeSettingsPacket(uint64_t packet_number,
+                                        bool should_include_version) {
+  if (!quic::VersionHasStreamType(version_.transport_version)) {
+    spdy::SpdySettingsIR settings_frame;
+    settings_frame.AddSetting(spdy::SETTINGS_MAX_HEADER_LIST_SIZE,
+                              kQuicMaxHeaderListSize);
+    spdy::SpdySerializedFrame spdy_frame(
+        spdy_request_framer_.SerializeFrame(settings_frame));
+    InitializeHeader(packet_number, should_include_version);
+    quic::QuicStreamFrame quic_frame = GenerateNextStreamFrame(
+        quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
+        quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
+    return MakePacket(header_, quic::QuicFrame(quic_frame));
+  }
+  quic::QuicFrames frames;
+  // A stream frame containing stream type will be written on the control stream
+  // first.
+  std::string type(1, 0x00);
+  quic::SettingsFrame settings;
+  settings.values[quic::kSettingsMaxHeaderListSize] = kQuicMaxHeaderListSize;
+  std::unique_ptr<char[]> buffer;
+  quic::QuicByteCount frame_length =
+      http_encoder_.SerializeSettingsFrame(settings, &buffer);
+  std::string settings_data = std::string(buffer.get(), frame_length);
+
+  std::vector<std::string> data;
+  if (coalesce_http_frames_) {
+    data = {type + settings_data};
+  } else {
+    data = {type, settings_data};
+  }
+
+  quic::QuicStreamId stream_id =
+      quic::QuicUtils::GetFirstUnidirectionalStreamId(
+          version_.transport_version, perspective_);
+
+  std::vector<quic::QuicStreamFrame> stream_frames =
+      GenerateNextStreamFrames(stream_id, false, data);
+  for (const auto& frame : stream_frames)
+    frames.push_back(quic::QuicFrame(frame));
+
+  InitializeHeader(packet_number, /*should_include_version*/ true);
+  return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
-QuicTestPacketMaker::MakeInitialSettingsPacketAndSaveData(
-    uint64_t packet_number,
-    quic::QuicStreamOffset* offset,
-    std::string* stream_data) {
-  spdy::SpdySettingsIR settings_frame;
-  settings_frame.AddSetting(spdy::SETTINGS_MAX_HEADER_LIST_SIZE,
-                            quic::kDefaultMaxUncompressedHeaderSize);
-  spdy::SpdySerializedFrame spdy_frame(
-      spdy_request_framer_.SerializeFrame(settings_frame));
-  InitializeHeader(packet_number, /*should_include_version*/ true);
-  *stream_data = std::string(spdy_frame.data(), spdy_frame.size());
-  if (offset != nullptr) {
-    quic::QuicStreamFrame quic_frame(
+QuicTestPacketMaker::MakeInitialSettingsPacket(uint64_t packet_number) {
+  if (!quic::VersionHasStreamType(version_.transport_version)) {
+    spdy::SpdySettingsIR settings_frame;
+    settings_frame.AddSetting(spdy::SETTINGS_MAX_HEADER_LIST_SIZE,
+                              kQuicMaxHeaderListSize);
+    spdy::SpdySerializedFrame spdy_frame(
+        spdy_request_framer_.SerializeFrame(settings_frame));
+    InitializeHeader(packet_number, /*should_include_version*/ true);
+    quic::QuicStreamFrame quic_frame = GenerateNextStreamFrame(
         quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-        *offset, quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-    *offset += spdy_frame.size();
+        quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
     return MakePacket(header_, quic::QuicFrame(quic_frame));
   }
-  quic::QuicStreamFrame quic_frame(
-      quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false, 0,
-      quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-  return MakePacket(header_, quic::QuicFrame(quic_frame));
+  quic::QuicFrames frames;
+  // A stream frame containing stream type will be written on the control stream
+  // first.
+  std::string type(1, 0x00);
+  quic::SettingsFrame settings;
+  settings.values[quic::kSettingsMaxHeaderListSize] = kQuicMaxHeaderListSize;
+  std::unique_ptr<char[]> buffer;
+  quic::QuicByteCount frame_length =
+      http_encoder_.SerializeSettingsFrame(settings, &buffer);
+  std::string settings_data = std::string(buffer.get(), frame_length);
+
+  std::vector<std::string> data;
+  if (coalesce_http_frames_) {
+    data = {type + settings_data};
+  } else {
+    data = {type, settings_data};
+  }
+
+  quic::QuicStreamId stream_id =
+      quic::QuicUtils::GetFirstUnidirectionalStreamId(
+          version_.transport_version, perspective_);
+
+  std::vector<quic::QuicStreamFrame> stream_frames =
+      GenerateNextStreamFrames(stream_id, false, data);
+  for (const auto& frame : stream_frames)
+    frames.push_back(quic::QuicFrame(frame));
+
+  InitializeHeader(packet_number, /*should_include_version*/ true);
+  return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
@@ -1327,27 +1374,44 @@ QuicTestPacketMaker::MakePriorityPacket(uint64_t packet_number,
                                         bool should_include_version,
                                         quic::QuicStreamId id,
                                         quic::QuicStreamId parent_stream_id,
-                                        spdy::SpdyPriority priority,
-                                        quic::QuicStreamOffset* offset) {
-  if (!client_headers_include_h2_stream_dependency_) {
+                                        spdy::SpdyPriority priority) {
+  if (!client_headers_include_h2_stream_dependency_ ||
+      quic::VersionUsesQpack(version_.transport_version)) {
+    // TODO(rch): both stream_dependencies and priority frames need to be
+    // supported in IETF QUIC.
     parent_stream_id = 0;
   }
   int weight = spdy::Spdy3PriorityToHttp2Weight(priority);
   bool exclusive = client_headers_include_h2_stream_dependency_;
-  spdy::SpdyPriorityIR priority_frame(id, parent_stream_id, weight, exclusive);
-  spdy::SpdySerializedFrame spdy_frame(
-      spdy_request_framer_.SerializeFrame(priority_frame));
+  if (!VersionUsesQpack(version_.transport_version)) {
+    spdy::SpdyPriorityIR priority_frame(id, parent_stream_id, weight,
+                                        exclusive);
+    spdy::SpdySerializedFrame spdy_frame(
+        spdy_request_framer_.SerializeFrame(priority_frame));
 
-  quic::QuicStreamOffset header_offset = 0;
-  if (offset != nullptr) {
-    header_offset = *offset;
-    *offset += spdy_frame.size();
+    quic::QuicStreamFrame quic_frame = GenerateNextStreamFrame(
+        quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
+        quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
+    InitializeHeader(packet_number, should_include_version);
+    return MakePacket(header_, quic::QuicFrame(quic_frame));
   }
-  quic::QuicStreamFrame quic_frame(
-      quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-      header_offset,
-      quic::QuicStringPiece(spdy_frame.data(), spdy_frame.size()));
-  DVLOG(1) << "Adding frame: " << quic::QuicFrame(quic_frame);
+  quic::PriorityFrame frame;
+  frame.weight = weight;
+  frame.exclusive = true;
+  frame.prioritized_element_id = id;
+  frame.element_dependency_id = parent_stream_id;
+  frame.dependency_type = quic::REQUEST_STREAM;
+  frame.prioritized_type =
+      quic::QuicUtils::IsServerInitiatedStreamId(version_.transport_version, id)
+          ? quic::PUSH_STREAM
+          : quic::REQUEST_STREAM;
+  std::unique_ptr<char[]> buffer;
+  quic::QuicByteCount frame_length =
+      http_encoder_.SerializePriorityFrame(frame, &buffer);
+  std::string priority_data = std::string(buffer.get(), frame_length);
+
+  quic::QuicStreamFrame quic_frame =
+      GenerateNextStreamFrame(2, false, priority_data);
   InitializeHeader(packet_number, should_include_version);
   return MakePacket(header_, quic::QuicFrame(quic_frame));
 }
@@ -1359,8 +1423,7 @@ QuicTestPacketMaker::MakeAckAndMultiplePriorityFramesPacket(
     uint64_t largest_received,
     uint64_t smallest_received,
     uint64_t least_unacked,
-    const std::vector<Http2StreamDependency>& priority_frames,
-    quic::QuicStreamOffset* offset) {
+    const std::vector<Http2StreamDependency>& priority_frames) {
   quic::QuicAckFrame ack(MakeAckFrame(largest_received));
   ack.ack_delay_time = quic::QuicTime::Delta::Zero();
   for (uint64_t i = smallest_received; i <= largest_received; ++i) {
@@ -1376,10 +1439,6 @@ QuicTestPacketMaker::MakeAckAndMultiplePriorityFramesPacket(
   DVLOG(1) << "Adding frame: " << frames.back();
 
   const bool exclusive = client_headers_include_h2_stream_dependency_;
-  quic::QuicStreamOffset header_offset = 0;
-  if (offset == nullptr) {
-    offset = &header_offset;
-  }
   // Keep SpdySerializedFrames alive until MakeMultipleFramesPacket is done.
   std::vector<std::unique_ptr<spdy::SpdySerializedFrame>> spdy_frames;
   for (const Http2StreamDependency& info : priority_frames) {
@@ -1391,19 +1450,43 @@ QuicTestPacketMaker::MakeAckAndMultiplePriorityFramesPacket(
         spdy_request_framer_.SerializeFrame(priority_frame)));
 
     spdy::SpdySerializedFrame* spdy_frame = spdy_frames.back().get();
-    quic::QuicStreamFrame stream_frame(
+    quic::QuicStreamFrame stream_frame = GenerateNextStreamFrame(
         quic::QuicUtils::GetHeadersStreamId(version_.transport_version), false,
-        *offset, quic::QuicStringPiece(spdy_frame->data(), spdy_frame->size()));
-    *offset += spdy_frame->size();
+        quic::QuicStringPiece(spdy_frame->data(), spdy_frame->size()));
 
     frames.push_back(quic::QuicFrame(stream_frame));
-    DVLOG(1) << "Adding frame: " << frames.back();
   }
 
   InitializeHeader(packet_number, should_include_version);
   return MakeMultipleFramesPacket(header_, frames, nullptr);
 }
 
+std::unique_ptr<quic::QuicReceivedPacket>
+QuicTestPacketMaker::MakeRetransmissionPacket(uint64_t original_packet_number,
+                                              uint64_t new_packet_number,
+                                              bool should_include_version) {
+  DCHECK(save_packet_frames_);
+  InitializeHeader(new_packet_number, should_include_version);
+  return MakeMultipleFramesPacket(
+      header_, saved_frames_[quic::QuicPacketNumber(original_packet_number)],
+      nullptr);
+}
+
+void QuicTestPacketMaker::RemoveSavedStreamFrames(
+    quic::QuicStreamId stream_id) {
+  for (auto& kv : saved_frames_) {
+    auto it = kv.second.begin();
+    while (it != kv.second.end()) {
+      if (it->type == quic::STREAM_FRAME &&
+          it->stream_frame.stream_id == stream_id) {
+        it = kv.second.erase(it);
+      } else {
+        ++it;
+      }
+    }
+  }
+}
+
 void QuicTestPacketMaker::SetEncryptionLevel(quic::EncryptionLevel level) {
   encryption_level_ = level;
     switch (level) {
@@ -1429,20 +1512,113 @@ bool QuicTestPacketMaker::ShouldIncludeVersion(bool include_version) const {
   return include_version;
 }
 
+quic::QuicStreamFrame QuicTestPacketMaker::GenerateNextStreamFrame(
+    quic::QuicStreamId stream_id,
+    bool fin,
+    quic::QuicStringPiece data) {
+  if (save_packet_frames_) {
+    saved_stream_data_.push_back(std::make_unique<std::string>(data));
+    data = *saved_stream_data_.back();
+  }
+  quic::QuicStreamFrame frame(stream_id, fin, stream_offsets_[stream_id], data);
+  stream_offsets_[stream_id] += data.length();
+  DVLOG(1) << "Adding frame: " << frame;
+  return frame;
+}
+
+std::vector<std::string> QuicTestPacketMaker::QpackEncodeHeaders(
+    quic::QuicStreamId stream_id,
+    spdy::SpdyHeaderBlock headers,
+    size_t* encoded_data_length) {
+  DCHECK(quic::VersionUsesQpack(version_.transport_version));
+  std::vector<std::string> data;
+
+  std::string encoded_headers =
+      qpack_encoder_.EncodeHeaderList(stream_id, &headers);
+
+  // Generate HEADERS frame header.
+  std::unique_ptr<char[]> headers_frame_header;
+  const size_t headers_frame_header_length =
+      http_encoder_.SerializeHeadersFrameHeader(encoded_headers.size(),
+                                                &headers_frame_header);
+
+  // Possible add a PUSH stream type.
+  if (!quic::QuicUtils::IsBidirectionalStreamId(stream_id) &&
+      stream_offsets_[stream_id] == 0) {
+    // Push stream type header
+    data.push_back("\x01");
+  }
+
+  // Add the HEADERS frame header.
+  data.push_back(
+      std::string(headers_frame_header.get(), headers_frame_header_length));
+  // Add the HEADERS frame payload.
+  data.push_back(encoded_headers);
+
+  if (coalesce_http_frames_) {
+    std::string coalesced;
+    for (const auto& d : data) {
+      coalesced += d;
+    }
+    data = {coalesced};
+  }
+
+  // Compute the total data length.
+  if (encoded_data_length) {
+    *encoded_data_length = 0;
+    for (const auto& d : data)
+      *encoded_data_length += d.length();
+  }
+  return data;
+}
+
+std::vector<quic::QuicStreamFrame>
+QuicTestPacketMaker::GenerateNextStreamFrames(
+    quic::QuicStreamId stream_id,
+    bool fin,
+    const std::vector<std::string>& data) {
+  std::vector<quic::QuicStreamFrame> frames;
+  for (size_t i = 0; i < data.size(); ++i) {
+    const bool frame_fin = i == data.size() - 1 && fin;
+    quic::QuicStreamFrame frame =
+        GenerateNextStreamFrame(stream_id, frame_fin, data[i]);
+    frames.push_back(frame);
+  }
+  return frames;
+}
+
 quic::QuicPacketNumberLength QuicTestPacketMaker::GetPacketNumberLength()
     const {
   if (version_.transport_version > quic::QUIC_VERSION_43 &&
       encryption_level_ < quic::ENCRYPTION_FORWARD_SECURE &&
-      version_.transport_version != quic::QUIC_VERSION_99) {
+      !version_.SendsVariableLengthPacketNumberInLongHeader()) {
     return quic::PACKET_4BYTE_PACKET_NUMBER;
   }
   return quic::PACKET_1BYTE_PACKET_NUMBER;
 }
 
+quic::QuicConnectionId QuicTestPacketMaker::DestinationConnectionId() const {
+  if (perspective_ == quic::Perspective::IS_SERVER &&
+      GetQuicRestartFlag(quic_do_not_override_connection_id)) {
+    return quic::EmptyQuicConnectionId();
+  }
+  return connection_id_;
+}
+
+quic::QuicConnectionId QuicTestPacketMaker::SourceConnectionId() const {
+  if (perspective_ == quic::Perspective::IS_CLIENT &&
+      GetQuicRestartFlag(quic_do_not_override_connection_id)) {
+    return quic::EmptyQuicConnectionId();
+  }
+  return connection_id_;
+}
+
 quic::QuicConnectionIdIncluded QuicTestPacketMaker::HasDestinationConnectionId()
     const {
-  if (perspective_ == quic::Perspective::IS_SERVER &&
-      version_.transport_version > quic::QUIC_VERSION_43) {
+  if (!version_.SupportsClientConnectionIds() &&
+      perspective_ == quic::Perspective::IS_SERVER &&
+      (VersionHasIetfInvariantHeader(version_.transport_version) ||
+       GetQuicRestartFlag(quic_do_not_override_connection_id))) {
     return quic::CONNECTION_ID_ABSENT;
   }
   return quic::CONNECTION_ID_PRESENT;
@@ -1450,13 +1626,20 @@ quic::QuicConnectionIdIncluded QuicTestPacketMaker::HasDestinationConnectionId()
 
 quic::QuicConnectionIdIncluded QuicTestPacketMaker::HasSourceConnectionId()
     const {
-  if (perspective_ == quic::Perspective::IS_SERVER &&
-      version_.transport_version > quic::QUIC_VERSION_43 &&
-      encryption_level_ < quic::ENCRYPTION_FORWARD_SECURE) {
+  if (version_.SupportsClientConnectionIds() ||
+      (perspective_ == quic::Perspective::IS_SERVER &&
+       encryption_level_ < quic::ENCRYPTION_FORWARD_SECURE &&
+       (VersionHasIetfInvariantHeader(version_.transport_version) ||
+        GetQuicRestartFlag(quic_do_not_override_connection_id)))) {
     return quic::CONNECTION_ID_PRESENT;
   }
   return quic::CONNECTION_ID_ABSENT;
 }
 
+void QuicTestPacketMaker::Reset() {
+  for (const auto& kv : stream_offsets_)
+    stream_offsets_[kv.first] = 0;
+}
+
 }  // namespace test
 }  // namespace net
diff --git a/chromium/net/quic/quic_test_packet_maker.h b/chromium/net/quic/quic_test_packet_maker.h
index 9569b53a1db..7b18e4ef839 100644
--- a/chromium/net/quic/quic_test_packet_maker.h
+++ b/chromium/net/quic/quic_test_packet_maker.h
@@ -15,8 +15,11 @@
 
 #include "base/macros.h"
 #include "net/base/request_priority.h"
+#include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream_frame_data_producer.h"
+#include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
@@ -87,7 +90,6 @@ class QuicTestPacketMaker {
       bool include_version,
       quic::QuicStreamId stream_id,
       quic::QuicRstStreamErrorCode error_code,
-      size_t bytes_written,
       bool include_stop_sending_if_v99);
 
   std::unique_ptr<quic::QuicReceivedPacket> MakeRstAndRequestHeadersPacket(
@@ -100,8 +102,7 @@ class QuicTestPacketMaker {
       spdy::SpdyPriority priority,
       spdy::SpdyHeaderBlock headers,
       quic::QuicStreamId parent_stream_id,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset);
+      size_t* spdy_headers_frame_length);
 
   std::unique_ptr<quic::QuicReceivedPacket> MakeAckAndRstPacket(
       uint64_t num,
@@ -121,7 +122,6 @@ class QuicTestPacketMaker {
       uint64_t smallest_received,
       uint64_t least_unacked,
       bool send_feedback,
-      size_t bytes_written,
       bool include_stop_sending_if_v99);
   std::unique_ptr<quic::QuicReceivedPacket> MakeRstAckAndConnectionClosePacket(
       uint64_t num,
@@ -185,7 +185,11 @@ class QuicTestPacketMaker {
       quic::QuicStreamId stream_id,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
+      quic::QuicStringPiece data);
+  std::unique_ptr<quic::QuicReceivedPacket> MakeHeadersDataPacket(
+      uint64_t packet_number,
+      bool should_include_version,
+      bool fin,
       quic::QuicStringPiece data);
   std::unique_ptr<quic::QuicReceivedPacket> MakeForceHolDataPacket(
       uint64_t packet_number,
@@ -199,7 +203,6 @@ class QuicTestPacketMaker {
       quic::QuicStreamId stream_id,
       bool should_include_version,
       bool fin,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string>& data_writes);
   std::unique_ptr<quic::QuicReceivedPacket> MakeAckAndDataPacket(
       uint64_t packet_number,
@@ -209,7 +212,6 @@ class QuicTestPacketMaker {
       uint64_t smallest_received,
       uint64_t least_unacked,
       bool fin,
-      quic::QuicStreamOffset offset,
       quic::QuicStringPiece data);
   std::unique_ptr<quic::QuicReceivedPacket> MakeAckAndMultipleDataFramesPacket(
       uint64_t packet_number,
@@ -219,7 +221,6 @@ class QuicTestPacketMaker {
       uint64_t smallest_received,
       uint64_t least_unacked,
       bool fin,
-      quic::QuicStreamOffset offset,
       const std::vector<std::string>& data);
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -231,7 +232,6 @@ class QuicTestPacketMaker {
       spdy::SpdyPriority priority,
       spdy::SpdyHeaderBlock headers,
       quic::QuicStreamId parent_stream_id,
-      quic::QuicStreamOffset* header_stream_offset,
       size_t* spdy_headers_frame_length,
       const std::vector<std::string>& data_writes);
 
@@ -247,30 +247,6 @@ class QuicTestPacketMaker {
       quic::QuicStreamId parent_stream_id,
       size_t* spdy_headers_frame_length);
 
-  std::unique_ptr<quic::QuicReceivedPacket> MakeRequestHeadersPacket(
-      uint64_t packet_number,
-      quic::QuicStreamId stream_id,
-      bool should_include_version,
-      bool fin,
-      spdy::SpdyPriority priority,
-      spdy::SpdyHeaderBlock headers,
-      quic::QuicStreamId parent_stream_id,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset);
-
-  // Saves the serialized QUIC stream data in |stream_data|.
-  std::unique_ptr<quic::QuicReceivedPacket> MakeRequestHeadersPacketAndSaveData(
-      uint64_t packet_number,
-      quic::QuicStreamId stream_id,
-      bool should_include_version,
-      bool fin,
-      spdy::SpdyPriority priority,
-      spdy::SpdyHeaderBlock headers,
-      quic::QuicStreamId parent_stream_id,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset,
-      std::string* stream_data);
-
   std::unique_ptr<quic::QuicReceivedPacket> MakeRequestHeadersAndRstPacket(
       uint64_t packet_number,
       quic::QuicStreamId stream_id,
@@ -280,22 +256,7 @@ class QuicTestPacketMaker {
       spdy::SpdyHeaderBlock headers,
       quic::QuicStreamId parent_stream_id,
       size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* header_stream_offset,
-      quic::QuicRstStreamErrorCode error_code,
-      size_t bytes_written);
-
-  // Convenience method for calling MakeRequestHeadersPacket with nullptr for
-  // |spdy_headers_frame_length|.
-  std::unique_ptr<quic::QuicReceivedPacket>
-  MakeRequestHeadersPacketWithOffsetTracking(
-      uint64_t packet_number,
-      quic::QuicStreamId stream_id,
-      bool should_include_version,
-      bool fin,
-      spdy::SpdyPriority priority,
-      spdy::SpdyHeaderBlock headers,
-      quic::QuicStreamId parent_stream_id,
-      quic::QuicStreamOffset* offset);
+      quic::QuicRstStreamErrorCode error_code);
 
   // If |spdy_headers_frame_length| is non-null, it will be set to the size of
   // the SPDY headers frame created for this packet.
@@ -306,8 +267,7 @@ class QuicTestPacketMaker {
       bool should_include_version,
       bool fin,
       spdy::SpdyHeaderBlock headers,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset);
+      size_t* spdy_headers_frame_length);
 
   // If |spdy_headers_frame_length| is non-null, it will be set to the size of
   // the SPDY headers frame created for this packet.
@@ -317,47 +277,23 @@ class QuicTestPacketMaker {
       bool should_include_version,
       bool fin,
       spdy::SpdyHeaderBlock headers,
-      size_t* spdy_headers_frame_length,
-      quic::QuicStreamOffset* offset);
-
-  std::unique_ptr<quic::QuicReceivedPacket> MakeResponseHeadersPacket(
-      uint64_t packet_number,
-      quic::QuicStreamId stream_id,
-      bool should_include_version,
-      bool fin,
-      spdy::SpdyHeaderBlock headers,
       size_t* spdy_headers_frame_length);
 
-  // Convenience method for calling MakeResponseHeadersPacket with nullptr for
-  // |spdy_headers_frame_length|.
-  std::unique_ptr<quic::QuicReceivedPacket>
-  MakeResponseHeadersPacketWithOffsetTracking(uint64_t packet_number,
-                                              quic::QuicStreamId stream_id,
-                                              bool should_include_version,
-                                              bool fin,
-                                              spdy::SpdyHeaderBlock headers,
-                                              quic::QuicStreamOffset* offset);
-
   // Creates a packet containing the initial SETTINGS frame, and saves the
   // headers stream offset into |offset|.
   std::unique_ptr<quic::QuicReceivedPacket> MakeInitialSettingsPacket(
-      uint64_t packet_number,
-      quic::QuicStreamOffset* offset);
+      uint64_t packet_number);
 
-  // Same as above, but also saves the serialized QUIC stream data in
-  // |stream_data|.
-  std::unique_ptr<quic::QuicReceivedPacket>
-  MakeInitialSettingsPacketAndSaveData(uint64_t packet_number,
-                                       quic::QuicStreamOffset* offset,
-                                       std::string* stream_data);
+  std::unique_ptr<quic::QuicReceivedPacket> MakeSettingsPacket(
+      uint64_t packet_number,
+      bool should_include_version);
 
   std::unique_ptr<quic::QuicReceivedPacket> MakePriorityPacket(
       uint64_t packet_number,
       bool should_include_version,
       quic::QuicStreamId id,
       quic::QuicStreamId parent_stream_id,
-      spdy::SpdyPriority priority,
-      quic::QuicStreamOffset* offset);
+      spdy::SpdyPriority priority);
 
   std::unique_ptr<quic::QuicReceivedPacket>
   MakeAckAndMultiplePriorityFramesPacket(
@@ -366,8 +302,15 @@ class QuicTestPacketMaker {
       uint64_t largest_received,
       uint64_t smallest_received,
       uint64_t least_unacked,
-      const std::vector<Http2StreamDependency>& priority_frames,
-      quic::QuicStreamOffset* offset);
+      const std::vector<Http2StreamDependency>& priority_frames);
+
+  std::unique_ptr<quic::QuicReceivedPacket> MakeRetransmissionPacket(
+      uint64_t original_packet_number,
+      uint64_t new_packet_number,
+      bool should_include_version);
+
+  // Removes all stream frames associated with |stream_id|.
+  void RemoveSavedStreamFrames(quic::QuicStreamId stream_id);
 
   void SetEncryptionLevel(quic::EncryptionLevel level);
 
@@ -385,7 +328,42 @@ class QuicTestPacketMaker {
   spdy::SpdyFramer* spdy_request_framer() { return &spdy_request_framer_; }
   spdy::SpdyFramer* spdy_response_framer() { return &spdy_response_framer_; }
 
+  void Reset();
+
+  quic::QuicStreamOffset stream_offset(quic::QuicStreamId stream_id) {
+    return stream_offsets_[stream_id];
+  }
+
+  void set_coalesce_http_frames(bool coalesce_http_frames) {
+    coalesce_http_frames_ = coalesce_http_frames;
+  }
+
+  void set_save_packet_frames(bool save_packet_frames) {
+    save_packet_frames_ = save_packet_frames;
+  }
+
+  std::vector<std::string> QpackEncodeHeaders(quic::QuicStreamId stream_id,
+                                              spdy::SpdyHeaderBlock headers,
+                                              size_t* encoded_data_length);
+
  private:
+  // QpackEncoder::DecoderStreamErrorDelegate implementation that does nothing
+  class DecoderStreamErrorDelegate
+      : public quic::QpackEncoder::DecoderStreamErrorDelegate {
+   public:
+    ~DecoderStreamErrorDelegate() override = default;
+
+    void OnDecoderStreamError(quic::QuicStringPiece error_message) override;
+  };
+
+  // QpackEncoderStreamSender::Delegate implementation that does nothing.
+  class EncoderStreamSenderDelegate : public quic::QpackStreamSenderDelegate {
+   public:
+    ~EncoderStreamSenderDelegate() override = default;
+
+    void WriteStreamData(quic::QuicStringPiece data) override;
+  };
+
   std::unique_ptr<quic::QuicReceivedPacket> MakePacket(
       const quic::QuicPacketHeader& header,
       const quic::QuicFrame& frame);
@@ -405,8 +383,20 @@ class QuicTestPacketMaker {
 
   bool ShouldIncludeVersion(bool include_version) const;
 
+  quic::QuicStreamFrame GenerateNextStreamFrame(quic::QuicStreamId stream_id,
+                                                bool fin,
+                                                quic::QuicStringPiece data);
+
+  std::vector<quic::QuicStreamFrame> GenerateNextStreamFrames(
+      quic::QuicStreamId stream_id,
+      bool fin,
+      const std::vector<std::string>& data);
+
   quic::QuicPacketNumberLength GetPacketNumberLength() const;
 
+  quic::QuicConnectionId DestinationConnectionId() const;
+  quic::QuicConnectionId SourceConnectionId() const;
+
   quic::QuicConnectionIdIncluded HasDestinationConnectionId() const;
   quic::QuicConnectionIdIncluded HasSourceConnectionId() const;
 
@@ -416,11 +406,20 @@ class QuicTestPacketMaker {
   std::string host_;
   spdy::SpdyFramer spdy_request_framer_;
   spdy::SpdyFramer spdy_response_framer_;
+  quic::HttpEncoder http_encoder_;
+  bool coalesce_http_frames_;
+  bool save_packet_frames_;
+  DecoderStreamErrorDelegate decoder_stream_error_delegate_;
+  EncoderStreamSenderDelegate encoder_stream_sender_delegate_;
+  quic::QpackEncoder qpack_encoder_;
   quic::test::MockRandom random_generator_;
+  std::map<quic::QuicStreamId, quic::QuicStreamOffset> stream_offsets_;
   quic::QuicPacketHeader header_;
   quic::Perspective perspective_;
   quic::EncryptionLevel encryption_level_;
   quic::QuicLongHeaderType long_header_type_;
+  std::vector<std::unique_ptr<std::string>> saved_stream_data_;
+  std::map<quic::QuicPacketNumber, quic::QuicFrames> saved_frames_;
 
   // If true, generated request headers will include non-default HTTP2 stream
   // dependency info.
diff --git a/chromium/net/quic/quic_test_packet_printer.cc b/chromium/net/quic/quic_test_packet_printer.cc
new file mode 100644
index 00000000000..bc76d7d3ba9
--- /dev/null
+++ b/chromium/net/quic/quic_test_packet_printer.cc
@@ -0,0 +1,215 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/quic/quic_test_packet_printer.h"
+
+#include <ostream>
+
+#include "net/third_party/quiche/src/quic/core/crypto/null_decrypter.h"
+#include "net/third_party/quiche/src/quic/core/quic_framer.h"
+#include "net/third_party/quiche/src/quic/core/quic_utils.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+
+namespace quic {
+
+class QuicPacketPrinter : public QuicFramerVisitorInterface {
+ public:
+  explicit QuicPacketPrinter(QuicFramer* framer, std::ostream* output)
+      : framer_(framer), output_(output) {}
+
+  // QuicFramerVisitorInterface implementation.
+  void OnError(QuicFramer* framer) override {
+    *output_ << "OnError: " << QuicErrorCodeToString(framer->error())
+             << " detail: " << framer->detailed_error() << "\n";
+  }
+  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version) override {
+    framer_->set_version(received_version);
+    *output_ << "OnProtocolVersionMismatch: "
+             << ParsedQuicVersionToString(received_version) << "\n";
+    return true;
+  }
+  void OnPacket() override { *output_ << "OnPacket\n"; }
+  void OnPublicResetPacket(const QuicPublicResetPacket& packet) override {
+    *output_ << "OnPublicResetPacket\n";
+  }
+  void OnVersionNegotiationPacket(
+      const QuicVersionNegotiationPacket& packet) override {
+    *output_ << "OnVersionNegotiationPacket\n";
+  }
+  void OnRetryPacket(QuicConnectionId original_connection_id,
+                     QuicConnectionId new_connection_id,
+                     QuicStringPiece retry_token) override {
+    *output_ << "OnRetryPacket\n";
+  }
+  bool OnUnauthenticatedPublicHeader(const QuicPacketHeader& header) override {
+    *output_ << "OnUnauthenticatedPublicHeader: " << header << "\n";
+    return true;
+  }
+  bool OnUnauthenticatedHeader(const QuicPacketHeader& header) override {
+    *output_ << "OnUnauthenticatedHeader: " << header;
+    return true;
+  }
+  void OnDecryptedPacket(EncryptionLevel level) override {
+    *output_ << "OnDecryptedPacket\n";
+  }
+  bool OnPacketHeader(const QuicPacketHeader& header) override {
+    *output_ << "OnPacketHeader\n";
+    return true;
+  }
+  void OnCoalescedPacket(const QuicEncryptedPacket& packet) override {
+    *output_ << "OnCoalescedPacket\n";
+  }
+  bool OnStreamFrame(const QuicStreamFrame& frame) override {
+    *output_ << "OnStreamFrame: " << frame;
+    *output_ << "         data: { "
+             << QuicTextUtils::HexEncode(frame.data_buffer, frame.data_length)
+             << " }\n";
+    return true;
+  }
+  bool OnCryptoFrame(const QuicCryptoFrame& frame) override {
+    *output_ << "OnCryptoFrame: " << frame;
+    *output_ << "         data: { "
+             << QuicTextUtils::HexEncode(frame.data_buffer, frame.data_length)
+             << " }\n";
+    return true;
+  }
+  bool OnAckFrameStart(QuicPacketNumber largest_acked,
+                       QuicTime::Delta /*ack_delay_time*/) override {
+    *output_ << "OnAckFrameStart, largest_acked: " << largest_acked << "\n";
+    return true;
+  }
+  bool OnAckRange(QuicPacketNumber start, QuicPacketNumber end) override {
+    *output_ << "OnAckRange: [" << start << ", " << end << ")\n";
+    return true;
+  }
+  bool OnAckTimestamp(QuicPacketNumber packet_number,
+                      QuicTime timestamp) override {
+    *output_ << "OnAckTimestamp: [" << packet_number << ", "
+             << timestamp.ToDebuggingValue() << ")\n";
+    return true;
+  }
+  bool OnAckFrameEnd(QuicPacketNumber start) override {
+    *output_ << "OnAckFrameEnd, start: " << start << "\n";
+    return true;
+  }
+  bool OnStopWaitingFrame(const QuicStopWaitingFrame& frame) override {
+    *output_ << "OnStopWaitingFrame: " << frame;
+    return true;
+  }
+  bool OnPaddingFrame(const QuicPaddingFrame& frame) override {
+    *output_ << "OnPaddingFrame: " << frame;
+    return true;
+  }
+  bool OnPingFrame(const QuicPingFrame& frame) override {
+    *output_ << "OnPingFrame\n";
+    return true;
+  }
+  bool OnRstStreamFrame(const QuicRstStreamFrame& frame) override {
+    *output_ << "OnRstStreamFrame: " << frame;
+    return true;
+  }
+  bool OnConnectionCloseFrame(const QuicConnectionCloseFrame& frame) override {
+    // The frame printout will indicate whether it's a Google QUIC
+    // CONNECTION_CLOSE, IETF QUIC CONNECTION_CLOSE/Transport, or IETF QUIC
+    // CONNECTION_CLOSE/Application frame.
+    *output_ << "OnConnectionCloseFrame: " << frame;
+    return true;
+  }
+  bool OnNewConnectionIdFrame(const QuicNewConnectionIdFrame& frame) override {
+    *output_ << "OnNewConnectionIdFrame: " << frame;
+    return true;
+  }
+  bool OnRetireConnectionIdFrame(
+      const QuicRetireConnectionIdFrame& frame) override {
+    *output_ << "OnRetireConnectionIdFrame: " << frame;
+    return true;
+  }
+  bool OnNewTokenFrame(const QuicNewTokenFrame& frame) override {
+    *output_ << "OnNewTokenFrame: " << frame;
+    return true;
+  }
+  bool OnStopSendingFrame(const QuicStopSendingFrame& frame) override {
+    *output_ << "OnStopSendingFrame: " << frame;
+    return true;
+  }
+  bool OnPathChallengeFrame(const QuicPathChallengeFrame& frame) override {
+    *output_ << "OnPathChallengeFrame: " << frame;
+    return true;
+  }
+  bool OnPathResponseFrame(const QuicPathResponseFrame& frame) override {
+    *output_ << "OnPathResponseFrame: " << frame;
+    return true;
+  }
+  bool OnGoAwayFrame(const QuicGoAwayFrame& frame) override {
+    *output_ << "OnGoAwayFrame: " << frame;
+    return true;
+  }
+  bool OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) override {
+    *output_ << "OnMaxStreamsFrame: " << frame;
+    return true;
+  }
+  bool OnStreamsBlockedFrame(const QuicStreamsBlockedFrame& frame) override {
+    *output_ << "OnStreamsBlockedFrame: " << frame;
+    return true;
+  }
+  bool OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) override {
+    *output_ << "OnWindowUpdateFrame: " << frame;
+    return true;
+  }
+  bool OnBlockedFrame(const QuicBlockedFrame& frame) override {
+    *output_ << "OnBlockedFrame: " << frame;
+    return true;
+  }
+  bool OnMessageFrame(const QuicMessageFrame& frame) override {
+    *output_ << "OnMessageFrame: " << frame;
+    return true;
+  }
+  void OnPacketComplete() override { *output_ << "OnPacketComplete\n"; }
+  bool IsValidStatelessResetToken(QuicUint128 token) const override {
+    *output_ << "IsValidStatelessResetToken\n";
+    return false;
+  }
+  void OnAuthenticatedIetfStatelessResetPacket(
+      const QuicIetfStatelessResetPacket& packet) override {
+    *output_ << "OnAuthenticatedIetfStatelessResetPacket\n";
+  }
+
+ private:
+  QuicFramer* framer_;  // Unowned.
+  mutable std::ostream* output_;
+};
+
+}  // namespace quic
+
+namespace net {
+
+std::string QuicPacketPrinter::PrintWrite(const std::string& data) {
+  quic::ParsedQuicVersionVector versions = {version_};
+  // Fake a time since we're not actually generating acks.
+  quic::QuicTime start(quic::QuicTime::Zero());
+  // Construct a server framer as this will be processing packets from
+  // the client.
+  quic::QuicFramer framer(versions, start, quic::Perspective::IS_SERVER,
+                          quic::kQuicDefaultConnectionIdLength);
+  std::ostringstream stream;
+  quic::QuicPacketPrinter visitor(&framer, &stream);
+  framer.set_visitor(&visitor);
+
+  if (version_.KnowsWhichDecrypterToUse()) {
+    framer.InstallDecrypter(
+        quic::ENCRYPTION_FORWARD_SECURE,
+        std::make_unique<quic::NullDecrypter>(quic::Perspective::IS_SERVER));
+  } else {
+    framer.SetDecrypter(
+        quic::ENCRYPTION_FORWARD_SECURE,
+        std::make_unique<quic::NullDecrypter>(quic::Perspective::IS_SERVER));
+  }
+
+  quic::QuicEncryptedPacket encrypted(data.c_str(), data.length());
+  framer.ProcessPacket(encrypted);
+  return stream.str() + "\n\n";
+}
+
+}  // namespace net
diff --git a/chromium/net/quic/quic_test_packet_printer.h b/chromium/net/quic/quic_test_packet_printer.h
new file mode 100644
index 00000000000..d1d1bd5e948
--- /dev/null
+++ b/chromium/net/quic/quic_test_packet_printer.h
@@ -0,0 +1,31 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_QUIC_QUIC_TEST_PACKET_PRINTER_H_
+#define NET_QUIC_QUIC_TEST_PACKET_PRINTER_H_
+
+#include <string>
+
+#include "net/socket/socket_test_util.h"
+
+namespace net {
+
+class QuicPacketPrinter : public SocketDataPrinter {
+ public:
+  explicit QuicPacketPrinter(quic::ParsedQuicVersion version)
+      : version_(version) {}
+  QuicPacketPrinter(const QuicPacketPrinter&) = delete;
+  QuicPacketPrinter& operator=(const QuicPacketPrinter&) = delete;
+
+  ~QuicPacketPrinter() = default;
+
+  std::string PrintWrite(const std::string& data) override;
+
+ private:
+  quic::ParsedQuicVersion version_;
+};
+
+}  // namespace net
+
+#endif  // NET_QUIC_QUIC_TEST_PACKET_PRINTER_H_
diff --git a/chromium/net/quic/quic_transport_parameters_fuzzer.cc b/chromium/net/quic/quic_transport_parameters_fuzzer.cc
index 91d95fca9ab..3fe7a56b108 100644
--- a/chromium/net/quic/quic_transport_parameters_fuzzer.cc
+++ b/chromium/net/quic/quic_transport_parameters_fuzzer.cc
@@ -7,16 +7,17 @@
 
 #include <vector>
 
-#include "base/test/fuzzed_data_provider.h"
 #include "net/third_party/quiche/src/quic/core/crypto/transport_parameters.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
   auto perspective = data_provider.ConsumeBool() ? quic::Perspective::IS_CLIENT
                                                  : quic::Perspective::IS_SERVER;
   quic::TransportParameters transport_parameters;
-  std::vector<uint8_t> remaining_bytes = data_provider.ConsumeRemainingBytes();
+  std::vector<uint8_t> remaining_bytes =
+      data_provider.ConsumeRemainingBytes<uint8_t>();
   quic::ParseTransportParameters(remaining_bytes.data(), remaining_bytes.size(),
                                  perspective, &transport_parameters);
   return 0;
diff --git a/chromium/net/reporting/OWNERS b/chromium/net/reporting/OWNERS
new file mode 100644
index 00000000000..7117a80a72b
--- /dev/null
+++ b/chromium/net/reporting/OWNERS
@@ -0,0 +1 @@
+chlily@chromium.org
diff --git a/chromium/net/reporting/mock_persistent_reporting_store.cc b/chromium/net/reporting/mock_persistent_reporting_store.cc
index df95febe9af..b56c80f0a02 100644
--- a/chromium/net/reporting/mock_persistent_reporting_store.cc
+++ b/chromium/net/reporting/mock_persistent_reporting_store.cc
@@ -4,6 +4,8 @@
 
 #include "net/reporting/mock_persistent_reporting_store.h"
 
+#include <algorithm>
+
 namespace net {
 
 MockPersistentReportingStore::Command::Command(
@@ -187,6 +189,15 @@ bool MockPersistentReportingStore::VerifyCommands(
   return command_list_ == expected_commands;
 }
 
+int MockPersistentReportingStore::CountCommands(Command::Type t) {
+  int c = 0;
+  for (const auto& cmd : command_list_) {
+    if (cmd.type == t)
+      ++c;
+  }
+  return c;
+}
+
 MockPersistentReportingStore::CommandList
 MockPersistentReportingStore::GetAllCommands() const {
   return command_list_;
diff --git a/chromium/net/reporting/mock_persistent_reporting_store.h b/chromium/net/reporting/mock_persistent_reporting_store.h
index ea05f8e3a3f..cbfe43763c2 100644
--- a/chromium/net/reporting/mock_persistent_reporting_store.h
+++ b/chromium/net/reporting/mock_persistent_reporting_store.h
@@ -20,6 +20,8 @@ namespace net {
 // received commands in order in a vector, to be checked by tests. Simulates
 // loading pre-existing stored endpoints and endpoint groups, which can be
 // provided using SetPrestoredClients().
+//
+// TODO(sburnett): Replace this with a fake store to reduce awkwardness.
 class MockPersistentReportingStore
     : public ReportingCache::PersistentReportingStore {
  public:
@@ -103,8 +105,12 @@ class MockPersistentReportingStore
   void FinishLoading(bool load_success);
 
   // Verify that |command_list_| matches |expected_commands|.
+  // TODO(sburnett): Replace this with a set of gmock matchers.
   bool VerifyCommands(const CommandList& expected_commands) const;
 
+  // Count the number of commands with type |t|.
+  int CountCommands(Command::Type t);
+
   CommandList GetAllCommands() const;
 
   // Gets the number of stored endpoints/groups, simulating the actual number
diff --git a/chromium/net/reporting/mock_persistent_reporting_store_unittest.cc b/chromium/net/reporting/mock_persistent_reporting_store_unittest.cc
index b2006ae6e25..0c4c6660c9e 100644
--- a/chromium/net/reporting/mock_persistent_reporting_store_unittest.cc
+++ b/chromium/net/reporting/mock_persistent_reporting_store_unittest.cc
@@ -2,12 +2,13 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "net/reporting/mock_persistent_reporting_store.h"
+
 #include <vector>
 
 #include "base/location.h"
 #include "base/test/bind_test_util.h"
 #include "base/time/time.h"
-#include "net/reporting/mock_persistent_reporting_store.h"
 #include "net/reporting/reporting_endpoint.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
@@ -17,6 +18,8 @@ namespace net {
 
 namespace {
 
+using CommandType = MockPersistentReportingStore::Command::Type;
+
 const url::Origin kOrigin = url::Origin::Create(GURL("https://example.test/"));
 const char kGroupName[] = "groupname";
 const GURL kUrl = GURL("https://endpoint.test/reports");
@@ -59,8 +62,7 @@ TEST(MockPersistentReportingStoreTest, FinishLoading) {
 
   store.LoadReportingClients(MakeExpectedRunReportingClientsLoadedCallback(
       &loaded_endpoints, &loaded_groups));
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::LOAD_REPORTING_CLIENTS);
+  expected_commands.emplace_back(CommandType::LOAD_REPORTING_CLIENTS);
 
   store.FinishLoading(true /* load_success */);
   EXPECT_EQ(0u, loaded_endpoints.size());
@@ -82,8 +84,7 @@ TEST(MockPersistentReportingStoreTest, PreStoredClients) {
 
   store.LoadReportingClients(MakeExpectedRunReportingClientsLoadedCallback(
       &loaded_endpoints, &loaded_groups));
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::LOAD_REPORTING_CLIENTS);
+  expected_commands.emplace_back(CommandType::LOAD_REPORTING_CLIENTS);
 
   store.FinishLoading(true /* load_success */);
   EXPECT_EQ(1u, loaded_endpoints.size());
@@ -105,8 +106,7 @@ TEST(MockPersistentReportingStoreTest, FailedLoad) {
 
   store.LoadReportingClients(MakeExpectedRunReportingClientsLoadedCallback(
       &loaded_endpoints, &loaded_groups));
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::LOAD_REPORTING_CLIENTS);
+  expected_commands.emplace_back(CommandType::LOAD_REPORTING_CLIENTS);
 
   store.FinishLoading(false /* load_success */);
   EXPECT_EQ(0u, loaded_endpoints.size());
@@ -123,8 +123,7 @@ TEST(MockPersistentReportingStoreTest, AddFlushDeleteFlush) {
 
   store.LoadReportingClients(MakeExpectedRunReportingClientsLoadedCallback(
       &loaded_endpoints, &loaded_groups));
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::LOAD_REPORTING_CLIENTS);
+  expected_commands.emplace_back(CommandType::LOAD_REPORTING_CLIENTS);
   EXPECT_EQ(1u, store.GetAllCommands().size());
 
   store.FinishLoading(true /* load_success */);
@@ -134,44 +133,74 @@ TEST(MockPersistentReportingStoreTest, AddFlushDeleteFlush) {
   EXPECT_EQ(0, store.StoredEndpointGroupsCount());
 
   store.AddReportingEndpoint(kEndpoint);
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::ADD_REPORTING_ENDPOINT,
-      kEndpoint);
+  expected_commands.emplace_back(CommandType::ADD_REPORTING_ENDPOINT,
+                                 kEndpoint);
   EXPECT_EQ(2u, store.GetAllCommands().size());
 
   store.AddReportingEndpointGroup(kGroup);
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::ADD_REPORTING_ENDPOINT_GROUP,
-      kGroup);
+  expected_commands.emplace_back(CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+                                 kGroup);
   EXPECT_EQ(3u, store.GetAllCommands().size());
 
   store.Flush();
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::FLUSH);
+  expected_commands.emplace_back(CommandType::FLUSH);
   EXPECT_EQ(4u, store.GetAllCommands().size());
   EXPECT_EQ(1, store.StoredEndpointsCount());
   EXPECT_EQ(1, store.StoredEndpointGroupsCount());
 
   store.DeleteReportingEndpoint(kEndpoint);
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::DELETE_REPORTING_ENDPOINT,
-      kEndpoint);
+  expected_commands.emplace_back(CommandType::DELETE_REPORTING_ENDPOINT,
+                                 kEndpoint);
   EXPECT_EQ(5u, store.GetAllCommands().size());
 
   store.DeleteReportingEndpointGroup(kGroup);
-  expected_commands.emplace_back(MockPersistentReportingStore::Command::Type::
-                                     DELETE_REPORTING_ENDPOINT_GROUP,
+  expected_commands.emplace_back(CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
                                  kGroup);
   EXPECT_EQ(6u, store.GetAllCommands().size());
 
   store.Flush();
-  expected_commands.emplace_back(
-      MockPersistentReportingStore::Command::Type::FLUSH);
+  expected_commands.emplace_back(CommandType::FLUSH);
   EXPECT_EQ(7u, store.GetAllCommands().size());
   EXPECT_EQ(0, store.StoredEndpointsCount());
   EXPECT_EQ(0, store.StoredEndpointGroupsCount());
 
   EXPECT_TRUE(store.VerifyCommands(expected_commands));
+
+  EXPECT_EQ(1, store.CountCommands(CommandType::LOAD_REPORTING_CLIENTS));
+  EXPECT_EQ(
+      0, store.CountCommands(CommandType::UPDATE_REPORTING_ENDPOINT_DETAILS));
+}
+
+TEST(MockPersistentReportingStoreTest, CountCommands) {
+  MockPersistentReportingStore store;
+
+  std::vector<ReportingEndpoint> loaded_endpoints;
+  std::vector<CachedReportingEndpointGroup> loaded_groups;
+  store.LoadReportingClients(MakeExpectedRunReportingClientsLoadedCallback(
+      &loaded_endpoints, &loaded_groups));
+  store.FinishLoading(true /* load_success */);
+
+  store.AddReportingEndpoint(kEndpoint);
+  store.AddReportingEndpointGroup(kGroup);
+  store.Flush();
+
+  store.DeleteReportingEndpoint(kEndpoint);
+  store.DeleteReportingEndpointGroup(kGroup);
+  store.Flush();
+
+  EXPECT_EQ(1, store.CountCommands(CommandType::LOAD_REPORTING_CLIENTS));
+  EXPECT_EQ(1, store.CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+  EXPECT_EQ(1, store.CountCommands(CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+  EXPECT_EQ(0, store.CountCommands(
+                   CommandType::UPDATE_REPORTING_ENDPOINT_GROUP_ACCESS_TIME));
+  EXPECT_EQ(
+      0, store.CountCommands(CommandType::UPDATE_REPORTING_ENDPOINT_DETAILS));
+  EXPECT_EQ(0, store.CountCommands(
+                   CommandType::UPDATE_REPORTING_ENDPOINT_GROUP_DETAILS));
+  EXPECT_EQ(1, store.CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+  EXPECT_EQ(1,
+            store.CountCommands(CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+  EXPECT_EQ(2, store.CountCommands(CommandType::FLUSH));
 }
 
 }  // namespace
diff --git a/chromium/net/reporting/reporting_cache.cc b/chromium/net/reporting/reporting_cache.cc
index ec5ef10150d..8773122dab3 100644
--- a/chromium/net/reporting/reporting_cache.cc
+++ b/chromium/net/reporting/reporting_cache.cc
@@ -11,9 +11,8 @@ namespace net {
 
 // static
 std::unique_ptr<ReportingCache> ReportingCache::Create(
-    ReportingContext* context,
-    PersistentReportingStore* store) {
-  return std::make_unique<ReportingCacheImpl>(context, store);
+    ReportingContext* context) {
+  return std::make_unique<ReportingCacheImpl>(context);
 }
 
 ReportingCache::~ReportingCache() = default;
diff --git a/chromium/net/reporting/reporting_cache.h b/chromium/net/reporting/reporting_cache.h
index 6b441fa8268..a9f6ad76b50 100644
--- a/chromium/net/reporting/reporting_cache.h
+++ b/chromium/net/reporting/reporting_cache.h
@@ -48,10 +48,7 @@ class NET_EXPORT ReportingCache {
  public:
   class PersistentReportingStore;
 
-  // |store| should outlive the ReportingCache.
-  static std::unique_ptr<ReportingCache> Create(
-      ReportingContext* context,
-      PersistentReportingStore* store);
+  static std::unique_ptr<ReportingCache> Create(ReportingContext* context);
 
   virtual ~ReportingCache();
 
@@ -162,6 +159,15 @@ class NET_EXPORT ReportingCache {
   // they become empty.
   virtual void RemoveEndpointsForUrl(const GURL& url) = 0;
 
+  // Insert endpoints and endpoint groups that have been loaded from the store.
+  //
+  // You must only call this method if context.store() was non-null when you
+  // constructed the cache and persist_clients_across_restarts in your
+  // ReportingPolicy is true.
+  virtual void AddClientsLoadedFromStore(
+      std::vector<ReportingEndpoint> loaded_endpoints,
+      std::vector<CachedReportingEndpointGroup> loaded_endpoint_groups) = 0;
+
   // Gets endpoints that apply to a delivery for |origin| and |group|.
   //
   // First checks for |group| in a client exactly matching |origin|.
diff --git a/chromium/net/reporting/reporting_cache_impl.cc b/chromium/net/reporting/reporting_cache_impl.cc
index 01f343d1fdd..52cf80e9305 100644
--- a/chromium/net/reporting/reporting_cache_impl.cc
+++ b/chromium/net/reporting/reporting_cache_impl.cc
@@ -40,20 +40,19 @@ std::string GetSuperdomain(const std::string& domain) {
 
 }  // namespace
 
-ReportingCacheImpl::ReportingCacheImpl(ReportingContext* context,
-                                       PersistentReportingStore* store)
-    : context_(context), store_(store) {
+ReportingCacheImpl::ReportingCacheImpl(ReportingContext* context)
+    : context_(context) {
   DCHECK(context_);
 }
 
 ReportingCacheImpl::~ReportingCacheImpl() {
-  base::TimeTicks now = tick_clock()->NowTicks();
+  base::TimeTicks now = tick_clock().NowTicks();
 
   // Mark all undoomed reports as erased at shutdown, and record outcomes of
   // all remaining reports (doomed or not).
   for (auto it = reports_.begin(); it != reports_.end(); ++it) {
     ReportingReport* report = it->second.get();
-    if (!base::ContainsKey(doomed_reports_, report))
+    if (!base::Contains(doomed_reports_, report))
       report->outcome = ReportingReport::Outcome::ERASED_REPORTING_SHUT_DOWN;
     report->RecordOutcome(now);
   }
@@ -84,7 +83,7 @@ void ReportingCacheImpl::AddReport(const GURL& url,
     DCHECK_NE(nullptr, to_evict);
     // The newly-added report isn't pending, so even if all other reports are
     // pending, the cache should have a report to evict.
-    DCHECK(!base::ContainsKey(pending_reports_, to_evict));
+    DCHECK(!base::Contains(pending_reports_, to_evict));
     reports_[to_evict]->outcome = ReportingReport::Outcome::ERASED_EVICTED;
     RemoveReportInternal(to_evict);
   }
@@ -96,7 +95,7 @@ void ReportingCacheImpl::GetReports(
     std::vector<const ReportingReport*>* reports_out) const {
   reports_out->clear();
   for (const auto& it : reports_) {
-    if (!base::ContainsKey(doomed_reports_, it.first))
+    if (!base::Contains(doomed_reports_, it.first))
       reports_out->push_back(it.second.get());
   }
 }
@@ -131,9 +130,9 @@ base::Value ReportingCacheImpl::GetReportsAsValue() const {
     if (report->body) {
       report_dict.SetKey("body", report->body->Clone());
     }
-    if (base::ContainsKey(doomed_reports_, report)) {
+    if (base::Contains(doomed_reports_, report)) {
       report_dict.SetKey("status", base::Value("doomed"));
-    } else if (base::ContainsKey(pending_reports_, report)) {
+    } else if (base::Contains(pending_reports_, report)) {
       report_dict.SetKey("status", base::Value("pending"));
     } else {
       report_dict.SetKey("status", base::Value("queued"));
@@ -147,8 +146,8 @@ void ReportingCacheImpl::GetNonpendingReports(
     std::vector<const ReportingReport*>* reports_out) const {
   reports_out->clear();
   for (const auto& it : reports_) {
-    if (!base::ContainsKey(pending_reports_, it.first) &&
-        !base::ContainsKey(doomed_reports_, it.first)) {
+    if (!base::Contains(pending_reports_, it.first) &&
+        !base::Contains(doomed_reports_, it.first)) {
       reports_out->push_back(it.second.get());
     }
   }
@@ -169,7 +168,7 @@ void ReportingCacheImpl::ClearReportsPending(
   for (const ReportingReport* report : reports) {
     size_t erased = pending_reports_.erase(report);
     DCHECK_EQ(1u, erased);
-    if (base::ContainsKey(doomed_reports_, report)) {
+    if (base::Contains(doomed_reports_, report)) {
       reports_to_remove.push_back(report);
       doomed_reports_.erase(report);
     }
@@ -182,7 +181,7 @@ void ReportingCacheImpl::ClearReportsPending(
 void ReportingCacheImpl::IncrementReportsAttempts(
     const std::vector<const ReportingReport*>& reports) {
   for (const ReportingReport* report : reports) {
-    DCHECK(base::ContainsKey(reports_, report));
+    DCHECK(base::Contains(reports_, report));
     reports_[report]->attempts++;
   }
 
@@ -216,10 +215,10 @@ void ReportingCacheImpl::RemoveReports(
     ReportingReport::Outcome outcome) {
   for (const ReportingReport* report : reports) {
     reports_[report]->outcome = outcome;
-    if (base::ContainsKey(pending_reports_, report)) {
+    if (base::Contains(pending_reports_, report)) {
       doomed_reports_.insert(report);
     } else {
-      DCHECK(!base::ContainsKey(doomed_reports_, report));
+      DCHECK(!base::Contains(doomed_reports_, report));
       RemoveReportInternal(report);
     }
   }
@@ -232,7 +231,7 @@ void ReportingCacheImpl::RemoveAllReports(ReportingReport::Outcome outcome) {
   for (auto it = reports_.begin(); it != reports_.end(); ++it) {
     ReportingReport* report = it->second.get();
     report->outcome = outcome;
-    if (!base::ContainsKey(pending_reports_, report))
+    if (!base::Contains(pending_reports_, report))
       reports_to_remove.push_back(report);
     else
       doomed_reports_.insert(report);
@@ -250,12 +249,12 @@ size_t ReportingCacheImpl::GetFullReportCountForTesting() const {
 
 bool ReportingCacheImpl::IsReportPendingForTesting(
     const ReportingReport* report) const {
-  return base::ContainsKey(pending_reports_, report);
+  return base::Contains(pending_reports_, report);
 }
 
 bool ReportingCacheImpl::IsReportDoomedForTesting(
     const ReportingReport* report) const {
-  return base::ContainsKey(doomed_reports_, report);
+  return base::Contains(doomed_reports_, report);
 }
 
 void ReportingCacheImpl::OnParsedHeader(
@@ -264,12 +263,13 @@ void ReportingCacheImpl::OnParsedHeader(
   SanityCheckClients();
 
   OriginClient new_client(origin);
-  base::Time now = clock()->Now();
+  base::Time now = clock().Now();
   new_client.last_used = now;
 
+  std::map<ReportingEndpointGroupKey, std::set<GURL>> endpoints_per_group;
+
   for (const auto& parsed_endpoint_group : parsed_header) {
     new_client.endpoint_group_names.insert(parsed_endpoint_group.name);
-    new_client.endpoint_count += parsed_endpoint_group.endpoints.size();
 
     // Creates an endpoint group and sets its |last_used| to |now|.
     CachedReportingEndpointGroup new_group(new_client.origin,
@@ -278,6 +278,7 @@ void ReportingCacheImpl::OnParsedHeader(
     std::set<GURL> new_endpoints;
     for (const auto& parsed_endpoint_info : parsed_endpoint_group.endpoints) {
       new_endpoints.insert(parsed_endpoint_info.url);
+      endpoints_per_group[new_group.group_key].insert(parsed_endpoint_info.url);
       ReportingEndpoint new_endpoint(origin, parsed_endpoint_group.name,
                                      std::move(parsed_endpoint_info));
       AddOrUpdateEndpoint(std::move(new_endpoint));
@@ -290,6 +291,14 @@ void ReportingCacheImpl::OnParsedHeader(
     AddOrUpdateEndpointGroup(std::move(new_group));
   }
 
+  // Compute the total endpoint count for this origin. We can't just count the
+  // number of endpoints per group because there may be duplicate endpoint URLs,
+  // which we ignore. See http://crbug.com/983000 for discussion.
+  // TODO(crbug.com/983000): Allow duplicate endpoint URLs.
+  for (const auto& group_key_and_endpoint_set : endpoints_per_group) {
+    new_client.endpoint_count += group_key_and_endpoint_set.second.size();
+  }
+
   // Remove endpoint groups that may have been configured for an existing client
   // for |origin|, but which are not specified in the current header.
   RemoveEndpointGroupsForOriginOtherThan(origin,
@@ -324,10 +333,17 @@ void ReportingCacheImpl::RemoveClient(const url::Origin& origin) {
 
 void ReportingCacheImpl::RemoveAllClients() {
   SanityCheckClients();
-  origin_clients_.clear();
-  endpoint_groups_.clear();
-  endpoints_.clear();
-  endpoint_its_by_url_.clear();
+
+  auto remove_it = origin_clients_.begin();
+  while (remove_it != origin_clients_.end()) {
+    remove_it = RemoveClientInternal(remove_it);
+  }
+
+  DCHECK(origin_clients_.empty());
+  DCHECK(endpoint_groups_.empty());
+  DCHECK(endpoints_.empty());
+  DCHECK(endpoint_its_by_url_.empty());
+
   SanityCheckClients();
   context_->NotifyCachedClientsUpdated();
 }
@@ -382,11 +398,103 @@ void ReportingCacheImpl::RemoveEndpointsForUrl(const GURL& url) {
   context_->NotifyCachedClientsUpdated();
 }
 
+// Reconstruct an OriginClient from the loaded endpoint groups, and add the
+// loaded endpoints and endpoint groups into the cache.
+void ReportingCacheImpl::AddClientsLoadedFromStore(
+    std::vector<ReportingEndpoint> loaded_endpoints,
+    std::vector<CachedReportingEndpointGroup> loaded_endpoint_groups) {
+  DCHECK(context_->IsClientDataPersisted());
+
+  std::sort(loaded_endpoints.begin(), loaded_endpoints.end(),
+            [](const ReportingEndpoint& a, const ReportingEndpoint& b) -> bool {
+              return a.group_key < b.group_key;
+            });
+  std::sort(loaded_endpoint_groups.begin(), loaded_endpoint_groups.end(),
+            [](const CachedReportingEndpointGroup& a,
+               const CachedReportingEndpointGroup& b) -> bool {
+              return a.group_key < b.group_key;
+            });
+
+  // If using a persistent store, cache should be empty before loading finishes.
+  DCHECK(origin_clients_.empty());
+  DCHECK(endpoint_groups_.empty());
+  DCHECK(endpoints_.empty());
+  DCHECK(endpoint_its_by_url_.empty());
+
+  // |loaded_endpoints| and |loaded_endpoint_groups| should both be sorted by
+  // origin and group name.
+  auto endpoints_it = loaded_endpoints.begin();
+  auto endpoint_groups_it = loaded_endpoint_groups.begin();
+
+  base::Optional<OriginClient> origin_client;
+
+  while (endpoint_groups_it != loaded_endpoint_groups.end() &&
+         endpoints_it != loaded_endpoints.end()) {
+    const CachedReportingEndpointGroup& group = *endpoint_groups_it;
+    const ReportingEndpointGroupKey& group_key = group.group_key;
+
+    if (group_key < endpoints_it->group_key) {
+      // This endpoint group has no associated endpoints, so move on to the next
+      // endpoint group.
+      ++endpoint_groups_it;
+      continue;
+    } else if (group_key > endpoints_it->group_key) {
+      // This endpoint has no associated endpoint group, so move on to the next
+      // endpoint.
+      ++endpoints_it;
+      continue;
+    }
+
+    DCHECK(group_key == endpoints_it->group_key);
+
+    size_t cur_group_endpoints_count = 0;
+
+    // Insert the endpoints corresponding to this group.
+    while (endpoints_it != loaded_endpoints.end() &&
+           endpoints_it->group_key == group_key) {
+      EndpointMap::iterator inserted = endpoints_.insert(
+          std::make_pair(group_key, std::move(*endpoints_it)));
+      endpoint_its_by_url_.insert(
+          std::make_pair(inserted->second.info.url, inserted));
+      ++cur_group_endpoints_count;
+      ++endpoints_it;
+    }
+
+    if (!origin_client || origin_client->origin != group_key.origin) {
+      // Store the old origin_client and start a new one.
+      if (origin_client) {
+        OriginClientMap::iterator client_it =
+            origin_clients_.insert(std::make_pair(origin_client->origin.host(),
+                                                  std::move(*origin_client)));
+        EnforcePerOriginAndGlobalEndpointLimits(client_it->second.origin);
+      }
+      origin_client.emplace(group_key.origin);
+    }
+    DCHECK(origin_client.has_value());
+    origin_client->endpoint_group_names.insert(group_key.group_name);
+    origin_client->endpoint_count += cur_group_endpoints_count;
+    origin_client->last_used =
+        std::max(origin_client->last_used, group.last_used);
+
+    endpoint_groups_.insert(std::make_pair(group_key, std::move(group)));
+
+    ++endpoint_groups_it;
+  }
+
+  if (origin_client) {
+    OriginClientMap::iterator client_it = origin_clients_.insert(std::make_pair(
+        origin_client->origin.host(), std::move(*origin_client)));
+    EnforcePerOriginAndGlobalEndpointLimits(client_it->second.origin);
+  }
+
+  SanityCheckClients();
+}
+
 std::vector<ReportingEndpoint>
 ReportingCacheImpl::GetCandidateEndpointsForDelivery(
     const url::Origin& origin,
     const std::string& group_name) {
-  base::Time now = clock()->Now();
+  base::Time now = clock().Now();
   SanityCheckClients();
 
   // Look for an exact origin match for |origin| and |group|.
@@ -411,7 +519,7 @@ ReportingCacheImpl::GetCandidateEndpointsForDelivery(
       // Client for a superdomain of |origin|
       const OriginClient& client = client_it->second;
       // Check if |client| has a group with the requested name.
-      if (!base::ContainsKey(client.endpoint_group_names, group_name))
+      if (!base::Contains(client.endpoint_group_names, group_name))
         continue;
 
       ReportingEndpointGroupKey group_key(client.origin, group_name);
@@ -503,7 +611,7 @@ void ReportingCacheImpl::SetEndpointForTesting(
         origin_clients_.insert(std::make_pair(domain, std::move(new_client)));
   }
 
-  base::Time now = clock()->Now();
+  base::Time now = clock().Now();
 
   ReportingEndpointGroupKey group_key(origin, group_name);
   EndpointGroupMap::iterator group_it = FindEndpointGroupIt(group_key);
@@ -557,16 +665,8 @@ ReportingCacheImpl::OriginClient::OriginClient(OriginClient&& other) = default;
 
 ReportingCacheImpl::OriginClient::~OriginClient() = default;
 
-bool ReportingCacheImpl::IsReportDataPersisted() const {
-  return store_ && context_->policy().persist_reports_across_restarts;
-}
-
-bool ReportingCacheImpl::IsClientDataPersisted() const {
-  return store_ && context_->policy().persist_clients_across_restarts;
-}
-
 void ReportingCacheImpl::RemoveReportInternal(const ReportingReport* report) {
-  reports_[report]->RecordOutcome(tick_clock()->NowTicks());
+  reports_[report]->RecordOutcome(tick_clock().NowTicks());
   size_t erased = reports_.erase(report);
   DCHECK_EQ(1u, erased);
 }
@@ -576,7 +676,7 @@ const ReportingReport* ReportingCacheImpl::FindReportToEvict() const {
 
   for (const auto& it : reports_) {
     const ReportingReport* report = it.first;
-    if (base::ContainsKey(pending_reports_, report))
+    if (base::Contains(pending_reports_, report))
       continue;
     if (!earliest_queued || report->queued < earliest_queued->queued) {
       earliest_queued = report;
@@ -601,7 +701,7 @@ void ReportingCacheImpl::SanityCheckClients() const {
     total_endpoint_group_count += SanityCheckOriginClient(domain, client);
 
     // We have not seen a duplicate client with the same origin.
-    DCHECK(!base::ContainsKey(origins_in_cache, client.origin));
+    DCHECK(!base::Contains(origins_in_cache, client.origin));
     origins_in_cache.insert(client.origin);
   }
 
@@ -634,6 +734,7 @@ size_t ReportingCacheImpl::SanityCheckOriginClient(
   for (const std::string& group_name : client.endpoint_group_names) {
     ++endpoint_group_count_in_client;
     ReportingEndpointGroupKey group_key(client.origin, group_name);
+    DCHECK(endpoint_groups_.find(group_key) != endpoint_groups_.end());
     const CachedReportingEndpointGroup& group = endpoint_groups_.at(group_key);
     endpoint_count_in_client += SanityCheckEndpointGroup(group_key, group);
   }
@@ -672,7 +773,7 @@ size_t ReportingCacheImpl::SanityCheckEndpointGroup(
 
     // We have not seen a duplicate endpoint with the same URL in this
     // group.
-    DCHECK(!base::ContainsKey(endpoint_urls_in_group, endpoint.info.url));
+    DCHECK(!base::Contains(endpoint_urls_in_group, endpoint.info.url));
     endpoint_urls_in_group.insert(endpoint.info.url);
 
     ++endpoint_count_in_group;
@@ -693,14 +794,14 @@ void ReportingCacheImpl::SanityCheckEndpoint(
   DCHECK_LE(0, endpoint.info.weight);
 
   // The endpoint is in the |endpoint_its_by_url_| index.
-  DCHECK(base::ContainsKey(endpoint_its_by_url_, endpoint.info.url));
+  DCHECK(base::Contains(endpoint_its_by_url_, endpoint.info.url));
   auto url_range = endpoint_its_by_url_.equal_range(endpoint.info.url);
   std::vector<EndpointMap::iterator> endpoint_its_for_url;
   for (auto index_it = url_range.first; index_it != url_range.second;
        ++index_it) {
     endpoint_its_for_url.push_back(index_it->second);
   }
-  DCHECK(base::ContainsValue(endpoint_its_for_url, endpoint_it));
+  DCHECK(base::Contains(endpoint_its_for_url, endpoint_it));
 #endif  // DCHECK_IS_ON()
 }
 
@@ -762,6 +863,9 @@ void ReportingCacheImpl::AddOrUpdateEndpointGroup(
 
   // Add a new endpoint group for this origin and group name.
   if (group_it == endpoint_groups_.end()) {
+    if (context_->IsClientDataPersisted())
+      store()->AddReportingEndpointGroup(new_group);
+
     endpoint_groups_.insert(
         std::make_pair(new_group.group_key, std::move(new_group)));
     return;
@@ -773,6 +877,9 @@ void ReportingCacheImpl::AddOrUpdateEndpointGroup(
   old_group.expires = new_group.expires;
   old_group.last_used = new_group.last_used;
 
+  if (context_->IsClientDataPersisted())
+    store()->UpdateReportingEndpointGroupDetails(new_group);
+
   // Note: SanityCheckClients() may fail here because we have not yet
   // added/updated the OriginClient for |origin| yet.
 }
@@ -783,6 +890,9 @@ void ReportingCacheImpl::AddOrUpdateEndpoint(ReportingEndpoint new_endpoint) {
 
   // Add a new endpoint for this origin, group, and url.
   if (endpoint_it == endpoints_.end()) {
+    if (context_->IsClientDataPersisted())
+      store()->AddReportingEndpoint(new_endpoint);
+
     url::Origin origin = new_endpoint.group_key.origin;
     EndpointMap::iterator endpoint_it = endpoints_.insert(
         std::make_pair(new_endpoint.group_key, std::move(new_endpoint)));
@@ -801,6 +911,9 @@ void ReportingCacheImpl::AddOrUpdateEndpoint(ReportingEndpoint new_endpoint) {
   old_endpoint.info.weight = new_endpoint.info.weight;
   // |old_endpoint.stats| stays the same.
 
+  if (context_->IsClientDataPersisted())
+    store()->UpdateReportingEndpointDetails(new_endpoint);
+
   // Note: SanityCheckClients() may fail here because we have not yet
   // added/updated the OriginClient for |origin| yet.
 }
@@ -822,7 +935,7 @@ void ReportingCacheImpl::RemoveEndpointsInGroupOtherThan(
 
   const auto group_range = endpoints_.equal_range(group_key);
   for (auto it = group_range.first; it != group_range.second;) {
-    if (base::ContainsKey(endpoints_to_keep_urls, it->second.info.url)) {
+    if (base::Contains(endpoints_to_keep_urls, it->second.info.url)) {
       ++it;
       continue;
     }
@@ -878,6 +991,8 @@ void ReportingCacheImpl::MarkEndpointGroupAndClientUsed(
     base::Time now) {
   group_it->second.last_used = now;
   client_it->second.last_used = now;
+  if (context_->IsClientDataPersisted())
+    store()->UpdateReportingEndpointGroupAccessTime(group_it->second);
 }
 
 base::Optional<ReportingCacheImpl::EndpointMap::iterator>
@@ -902,6 +1017,8 @@ ReportingCacheImpl::RemoveEndpointInternal(OriginClientMap::iterator client_it,
   DCHECK_GT(client_it->second.endpoint_count, 1u);
   RemoveEndpointItFromIndex(endpoint_it);
   --client_it->second.endpoint_count;
+  if (context_->IsClientDataPersisted())
+    store()->DeleteReportingEndpoint(endpoint_it->second);
   return endpoints_.erase(endpoint_it);
 }
 
@@ -922,6 +1039,9 @@ ReportingCacheImpl::RemoveEndpointGroupInternal(
   if (num_endpoints_removed)
     *num_endpoints_removed += endpoints_removed;
   for (auto it = group_range.first; it != group_range.second; ++it) {
+    if (context_->IsClientDataPersisted())
+      store()->DeleteReportingEndpoint(it->second);
+
     RemoveEndpointItFromIndex(it);
   }
   endpoints_.erase(group_range.first, group_range.second);
@@ -935,6 +1055,9 @@ ReportingCacheImpl::RemoveEndpointGroupInternal(
       client.endpoint_group_names.erase(group_key.group_name);
   DCHECK_EQ(1u, erased_from_client);
 
+  if (context_->IsClientDataPersisted())
+    store()->DeleteReportingEndpointGroup(group_it->second);
+
   base::Optional<EndpointGroupMap::iterator> rv =
       endpoint_groups_.erase(group_it);
 
@@ -955,10 +1078,16 @@ ReportingCacheImpl::RemoveClientInternal(OriginClientMap::iterator client_it) {
   // Erase all groups in this client, and all endpoints in those groups.
   for (const std::string& group_name : client.endpoint_group_names) {
     ReportingEndpointGroupKey group_key(client.origin, group_name);
-    endpoint_groups_.erase(group_key);
+    EndpointGroupMap::iterator group_it = FindEndpointGroupIt(group_key);
+    if (context_->IsClientDataPersisted())
+      store()->DeleteReportingEndpointGroup(group_it->second);
+    endpoint_groups_.erase(group_it);
 
     const auto group_range = endpoints_.equal_range(group_key);
     for (auto it = group_range.first; it != group_range.second; ++it) {
+      if (context_->IsClientDataPersisted())
+        store()->DeleteReportingEndpoint(it->second);
+
       RemoveEndpointItFromIndex(it);
     }
     endpoints_.erase(group_range.first, group_range.second);
@@ -1078,7 +1207,7 @@ void ReportingCacheImpl::EvictEndpointFromGroup(
 bool ReportingCacheImpl::RemoveExpiredOrStaleGroups(
     OriginClientMap::iterator client_it,
     size_t* num_endpoints_removed) {
-  base::Time now = clock()->Now();
+  base::Time now = clock().Now();
   // Make a copy of this because |client_it| may be invalidated.
   std::set<std::string> groups_in_client_names(
       client_it->second.endpoint_group_names);
diff --git a/chromium/net/reporting/reporting_cache_impl.h b/chromium/net/reporting/reporting_cache_impl.h
index 908a14b7ec3..bccd0b168d9 100644
--- a/chromium/net/reporting/reporting_cache_impl.h
+++ b/chromium/net/reporting/reporting_cache_impl.h
@@ -31,8 +31,7 @@ namespace net {
 
 class ReportingCacheImpl : public ReportingCache {
  public:
-  ReportingCacheImpl(ReportingContext* context,
-                     PersistentReportingStore* store);
+  ReportingCacheImpl(ReportingContext* context);
 
   ~ReportingCacheImpl() override;
 
@@ -76,6 +75,10 @@ class ReportingCacheImpl : public ReportingCache {
   void RemoveEndpointGroup(const url::Origin& origin,
                            const std::string& name) override;
   void RemoveEndpointsForUrl(const GURL& url) override;
+  void AddClientsLoadedFromStore(
+      std::vector<ReportingEndpoint> loaded_endpoints,
+      std::vector<CachedReportingEndpointGroup> loaded_endpoint_groups)
+      override;
   std::vector<ReportingEndpoint> GetCandidateEndpointsForDelivery(
       const url::Origin& origin,
       const std::string& group_name) override;
@@ -129,11 +132,6 @@ class ReportingCacheImpl : public ReportingCache {
   using EndpointMap =
       std::multimap<ReportingEndpointGroupKey, ReportingEndpoint>;
 
-  // Returns whether the cached data is persisted across restarts in the
-  // PersistentReportingStore.
-  bool IsReportDataPersisted() const;
-  bool IsClientDataPersisted() const;
-
   void RemoveReportInternal(const ReportingReport* report);
 
   const ReportingReport* FindReportToEvict() const;
@@ -286,17 +284,13 @@ class ReportingCacheImpl : public ReportingCache {
       const CachedReportingEndpointGroup& group) const;
   base::Value GetEndpointAsValue(const ReportingEndpoint& endpoint) const;
 
-  base::Clock* clock() const { return context_->clock(); }
-
-  const base::TickClock* tick_clock() const { return context_->tick_clock(); }
+  // Convenience methods for fetching things from the context_.
+  const base::Clock& clock() const { return context_->clock(); }
+  const base::TickClock& tick_clock() const { return context_->tick_clock(); }
+  PersistentReportingStore* store() { return context_->store(); }
 
   ReportingContext* context_;
 
-  // Stores cached data persistently, if not null. If |store_| is null, then the
-  // ReportingCache will store data in memory only.
-  // TODO(chlily): Implement.
-  PersistentReportingStore* const store_;
-
   // Owns all reports, keyed by const raw pointer for easier lookup.
   std::unordered_map<const ReportingReport*, std::unique_ptr<ReportingReport>>
       reports_;
diff --git a/chromium/net/reporting/reporting_cache_unittest.cc b/chromium/net/reporting/reporting_cache_unittest.cc
index 163ca17bc0b..11c8716e5e3 100644
--- a/chromium/net/reporting/reporting_cache_unittest.cc
+++ b/chromium/net/reporting/reporting_cache_unittest.cc
@@ -8,6 +8,7 @@
 #include <string>
 #include <utility>
 
+#include "base/bind.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/test/simple_test_tick_clock.h"
 #include "base/test/values_test_util.h"
@@ -19,6 +20,7 @@
 #include "net/reporting/reporting_endpoint.h"
 #include "net/reporting/reporting_report.h"
 #include "net/reporting/reporting_test_util.h"
+#include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 #include "url/origin.h"
@@ -26,6 +28,8 @@
 namespace net {
 namespace {
 
+using CommandType = MockPersistentReportingStore::Command::Type;
+
 class TestReportingCacheObserver : public ReportingCacheObserver {
  public:
   TestReportingCacheObserver()
@@ -71,6 +75,16 @@ class ReportingCacheTest : public ReportingTestBase,
 
   ~ReportingCacheTest() override { context()->RemoveCacheObserver(&observer_); }
 
+  void LoadReportingClients() {
+    // All ReportingCache methods assume that the store has been initialized.
+    if (store()) {
+      store()->LoadReportingClients(
+          base::BindOnce(&ReportingCache::AddClientsLoadedFromStore,
+                         base::Unretained(cache())));
+      store()->FinishLoading(true);
+    }
+  }
+
   TestReportingCacheObserver* observer() { return &observer_; }
 
   size_t report_count() {
@@ -132,6 +146,8 @@ class ReportingCacheTest : public ReportingTestBase,
   const url::Origin kOrigin2_ = url::Origin::Create(GURL("https://origin2/"));
   const GURL kEndpoint1_ = GURL("https://endpoint1/");
   const GURL kEndpoint2_ = GURL("https://endpoint2/");
+  const GURL kEndpoint3_ = GURL("https://endpoint3/");
+  const GURL kEndpoint4_ = GURL("https://endpoint4/");
   const std::string kUserAgent_ = "Mozilla/1.0";
   const std::string kGroup1_ = "group1";
   const std::string kGroup2_ = "group2";
@@ -152,6 +168,8 @@ class ReportingCacheTest : public ReportingTestBase,
 // header parser.
 
 TEST_P(ReportingCacheTest, Reports) {
+  LoadReportingClients();
+
   std::vector<const ReportingReport*> reports;
   cache()->GetReports(&reports);
   EXPECT_TRUE(reports.empty());
@@ -192,6 +210,8 @@ TEST_P(ReportingCacheTest, Reports) {
 }
 
 TEST_P(ReportingCacheTest, RemoveAllReports) {
+  LoadReportingClients();
+
   cache()->AddReport(kUrl1_, kUserAgent_, kGroup1_, kType_,
                      std::make_unique<base::DictionaryValue>(), 0, kNowTicks_,
                      0);
@@ -212,6 +232,8 @@ TEST_P(ReportingCacheTest, RemoveAllReports) {
 }
 
 TEST_P(ReportingCacheTest, RemovePendingReports) {
+  LoadReportingClients();
+
   cache()->AddReport(kUrl1_, kUserAgent_, kGroup1_, kType_,
                      std::make_unique<base::DictionaryValue>(), 0, kNowTicks_,
                      0);
@@ -244,6 +266,8 @@ TEST_P(ReportingCacheTest, RemovePendingReports) {
 }
 
 TEST_P(ReportingCacheTest, RemoveAllPendingReports) {
+  LoadReportingClients();
+
   cache()->AddReport(kUrl1_, kUserAgent_, kGroup1_, kType_,
                      std::make_unique<base::DictionaryValue>(), 0, kNowTicks_,
                      0);
@@ -276,6 +300,8 @@ TEST_P(ReportingCacheTest, RemoveAllPendingReports) {
 }
 
 TEST_P(ReportingCacheTest, GetReportsAsValue) {
+  LoadReportingClients();
+
   // We need a reproducible expiry timestamp for this test case.
   const base::TimeTicks now = base::TimeTicks();
   const ReportingReport* report1 =
@@ -346,6 +372,8 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
 }
 
 TEST_P(ReportingCacheTest, Endpoints) {
+  LoadReportingClients();
+
   EXPECT_EQ(0u, cache()->GetEndpointCount());
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint1_, kExpires1_));
   EXPECT_EQ(1u, cache()->GetEndpointCount());
@@ -402,6 +430,8 @@ TEST_P(ReportingCacheTest, Endpoints) {
 }
 
 TEST_P(ReportingCacheTest, RemoveClient) {
+  LoadReportingClients();
+
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint1_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint2_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin2_, kGroup1_, kEndpoint1_, kExpires1_));
@@ -415,9 +445,41 @@ TEST_P(ReportingCacheTest, RemoveClient) {
   EXPECT_EQ(2u, cache()->GetEndpointCount());
   EXPECT_FALSE(OriginClientExistsInCache(kOrigin1_));
   EXPECT_TRUE(OriginClientExistsInCache(kOrigin2_));
+
+  if (store()) {
+    store()->Flush();
+    // SetEndpointInCache doesn't update store counts, which is why they go
+    // negative here.
+    // TODO(crbug.com/895821): Populate the cache via the store so we don't need
+    // negative counts.
+    EXPECT_EQ(-2, store()->StoredEndpointsCount());
+    EXPECT_EQ(-1, store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    EXPECT_EQ(2,
+              store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(1, store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin1_, kGroup1_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin1_, kGroup1_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin1_, kGroup1_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint1_}));
+    EXPECT_THAT(store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
 TEST_P(ReportingCacheTest, RemoveAllClients) {
+  LoadReportingClients();
+
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint1_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint2_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin2_, kGroup1_, kEndpoint1_, kExpires1_));
@@ -431,9 +493,59 @@ TEST_P(ReportingCacheTest, RemoveAllClients) {
   EXPECT_EQ(0u, cache()->GetEndpointCount());
   EXPECT_FALSE(OriginClientExistsInCache(kOrigin1_));
   EXPECT_FALSE(OriginClientExistsInCache(kOrigin2_));
+
+  if (store()) {
+    store()->Flush();
+    // SetEndpointInCache doesn't update store counts, which is why they go
+    // negative here.
+    // TODO(crbug.com/895821): Populate the cache via the store so we don't need
+    // negative counts.
+    EXPECT_EQ(-4, store()->StoredEndpointsCount());
+    EXPECT_EQ(-3, store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    EXPECT_EQ(4,
+              store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(3, store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin1_, kGroup1_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint1_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin1_, kGroup1_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin2_, kGroup1_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint1_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin2_, kGroup2_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin1_, kGroup1_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin2_, kGroup1_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin2_, kGroup2_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
 TEST_P(ReportingCacheTest, RemoveEndpointGroup) {
+  LoadReportingClients();
+
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint1_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint2_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin2_, kGroup1_, kEndpoint1_, kExpires1_));
@@ -465,9 +577,46 @@ TEST_P(ReportingCacheTest, RemoveEndpointGroup) {
   EXPECT_TRUE(OriginClientExistsInCache(kOrigin1_));
   EXPECT_TRUE(EndpointGroupExistsInCache(
       kOrigin1_, kGroup1_, OriginSubdomains::DEFAULT, kExpires1_));
+
+  if (store()) {
+    store()->Flush();
+    // SetEndpointInCache doesn't update store counts, which is why they go
+    // negative here.
+    // TODO(crbug.com/895821): Populate the cache via the store so we don't need
+    // negative counts.
+    EXPECT_EQ(-2, store()->StoredEndpointsCount());
+    EXPECT_EQ(-2, store()->StoredEndpointGroupsCount());
+    EXPECT_EQ(2,
+              store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(2, store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin2_, kGroup1_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint1_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin2_, kGroup2_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin2_, kGroup1_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin2_, kGroup2_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
 TEST_P(ReportingCacheTest, RemoveEndpointsForUrl) {
+  LoadReportingClients();
+
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint1_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint2_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin2_, kGroup1_, kEndpoint1_, kExpires1_));
@@ -497,9 +646,41 @@ TEST_P(ReportingCacheTest, RemoveEndpointsForUrl) {
   EXPECT_TRUE(FindEndpointInCache(kOrigin1_, kGroup1_, kEndpoint2_));
   EXPECT_FALSE(FindEndpointInCache(kOrigin2_, kGroup1_, kEndpoint1_));
   EXPECT_TRUE(FindEndpointInCache(kOrigin2_, kGroup2_, kEndpoint2_));
+
+  if (store()) {
+    store()->Flush();
+    // SetEndpointInCache doesn't update store counts, which is why they go
+    // negative here.
+    // TODO(crbug.com/895821): Populate the cache via the store so we don't need
+    // negative counts.
+    EXPECT_EQ(-2, store()->StoredEndpointsCount());
+    EXPECT_EQ(-1, store()->StoredEndpointGroupsCount());
+    EXPECT_EQ(2,
+              store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(1, store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin1_, kGroup1_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint1_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin2_, kGroup1_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint1_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin2_, kGroup1_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
 TEST_P(ReportingCacheTest, GetClientsAsValue) {
+  LoadReportingClients();
+
   // These times are bogus but we need a reproducible expiry timestamp for this
   // test case.
   const base::TimeTicks expires_ticks =
@@ -562,6 +743,8 @@ TEST_P(ReportingCacheTest, GetClientsAsValue) {
 }
 
 TEST_P(ReportingCacheTest, GetCandidateEndpointsForDelivery) {
+  LoadReportingClients();
+
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint1_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint2_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin2_, kGroup1_, kEndpoint1_, kExpires1_));
@@ -582,6 +765,8 @@ TEST_P(ReportingCacheTest, GetCandidateEndpointsForDelivery) {
 }
 
 TEST_P(ReportingCacheTest, GetCandidateEndpointsExcludesExpired) {
+  LoadReportingClients();
+
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint1_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, kEndpoint2_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOrigin2_, kGroup1_, kEndpoint1_, kExpires1_));
@@ -606,6 +791,8 @@ TEST_P(ReportingCacheTest, GetCandidateEndpointsExcludesExpired) {
 }
 
 TEST_P(ReportingCacheTest, ExcludeSubdomainsDifferentPort) {
+  LoadReportingClients();
+
   const url::Origin kOrigin = url::Origin::Create(GURL("https://example/"));
   const url::Origin kDifferentPortOrigin =
       url::Origin::Create(GURL("https://example:444/"));
@@ -619,6 +806,8 @@ TEST_P(ReportingCacheTest, ExcludeSubdomainsDifferentPort) {
 }
 
 TEST_P(ReportingCacheTest, ExcludeSubdomainsSuperdomain) {
+  LoadReportingClients();
+
   const url::Origin kOrigin = url::Origin::Create(GURL("https://foo.example/"));
   const url::Origin kSuperOrigin =
       url::Origin::Create(GURL("https://example/"));
@@ -632,6 +821,8 @@ TEST_P(ReportingCacheTest, ExcludeSubdomainsSuperdomain) {
 }
 
 TEST_P(ReportingCacheTest, IncludeSubdomainsDifferentPort) {
+  LoadReportingClients();
+
   const url::Origin kOrigin = url::Origin::Create(GURL("https://example/"));
   const url::Origin kDifferentPortOrigin =
       url::Origin::Create(GURL("https://example:444/"));
@@ -646,6 +837,8 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsDifferentPort) {
 }
 
 TEST_P(ReportingCacheTest, IncludeSubdomainsSuperdomain) {
+  LoadReportingClients();
+
   const url::Origin kOrigin = url::Origin::Create(GURL("https://foo.example/"));
   const url::Origin kSuperOrigin =
       url::Origin::Create(GURL("https://example/"));
@@ -660,6 +853,8 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsSuperdomain) {
 }
 
 TEST_P(ReportingCacheTest, IncludeSubdomainsPreferOriginToDifferentPort) {
+  LoadReportingClients();
+
   const url::Origin kOrigin = url::Origin::Create(GURL("https://foo.example/"));
   const url::Origin kDifferentPortOrigin =
       url::Origin::Create(GURL("https://example:444/"));
@@ -676,6 +871,8 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsPreferOriginToDifferentPort) {
 }
 
 TEST_P(ReportingCacheTest, IncludeSubdomainsPreferOriginToSuperdomain) {
+  LoadReportingClients();
+
   const url::Origin kOrigin = url::Origin::Create(GURL("https://foo.example/"));
   const url::Origin kSuperOrigin =
       url::Origin::Create(GURL("https://example/"));
@@ -692,6 +889,8 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsPreferOriginToSuperdomain) {
 }
 
 TEST_P(ReportingCacheTest, IncludeSubdomainsPreferMoreSpecificSuperdomain) {
+  LoadReportingClients();
+
   const url::Origin kOrigin =
       url::Origin::Create(GURL("https://foo.bar.example/"));
   const url::Origin kSuperOrigin =
@@ -711,6 +910,8 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsPreferMoreSpecificSuperdomain) {
 }
 
 TEST_P(ReportingCacheTest, EvictOldestReport) {
+  LoadReportingClients();
+
   size_t max_report_count = policy().max_report_count;
 
   ASSERT_LT(0u, max_report_count);
@@ -742,6 +943,8 @@ TEST_P(ReportingCacheTest, EvictOldestReport) {
 }
 
 TEST_P(ReportingCacheTest, DontEvictPendingReports) {
+  LoadReportingClients();
+
   size_t max_report_count = policy().max_report_count;
 
   ASSERT_LT(0u, max_report_count);
@@ -777,6 +980,8 @@ TEST_P(ReportingCacheTest, DontEvictPendingReports) {
 }
 
 TEST_P(ReportingCacheTest, EvictEndpointsOverPerOriginLimit) {
+  LoadReportingClients();
+
   for (size_t i = 0; i < policy().max_endpoints_per_origin; ++i) {
     ASSERT_TRUE(
         SetEndpointInCache(kOrigin1_, kGroup1_, MakeURL(i), kExpires1_));
@@ -789,6 +994,8 @@ TEST_P(ReportingCacheTest, EvictEndpointsOverPerOriginLimit) {
 }
 
 TEST_P(ReportingCacheTest, EvictExpiredGroups) {
+  LoadReportingClients();
+
   for (size_t i = 0; i < policy().max_endpoints_per_origin; ++i) {
     ASSERT_TRUE(
         SetEndpointInCache(kOrigin1_, kGroup1_, MakeURL(i), kExpires1_));
@@ -813,6 +1020,8 @@ TEST_P(ReportingCacheTest, EvictExpiredGroups) {
 }
 
 TEST_P(ReportingCacheTest, EvictStaleGroups) {
+  LoadReportingClients();
+
   for (size_t i = 0; i < policy().max_endpoints_per_origin; ++i) {
     ASSERT_TRUE(
         SetEndpointInCache(kOrigin1_, kGroup1_, MakeURL(i), kExpires1_));
@@ -836,6 +1045,8 @@ TEST_P(ReportingCacheTest, EvictStaleGroups) {
 }
 
 TEST_P(ReportingCacheTest, EvictFromStalestGroup) {
+  LoadReportingClients();
+
   for (size_t i = 0; i < policy().max_endpoints_per_origin; ++i) {
     ASSERT_TRUE(SetEndpointInCache(kOrigin1_, base::NumberToString(i),
                                    MakeURL(i), kExpires1_));
@@ -866,6 +1077,8 @@ TEST_P(ReportingCacheTest, EvictFromStalestGroup) {
 }
 
 TEST_P(ReportingCacheTest, EvictFromLargestGroup) {
+  LoadReportingClients();
+
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, MakeURL(0), kExpires1_));
   // This group should be evicted from because it has 2 endpoints.
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup2_, MakeURL(1), kExpires1_));
@@ -890,6 +1103,8 @@ TEST_P(ReportingCacheTest, EvictFromLargestGroup) {
 }
 
 TEST_P(ReportingCacheTest, EvictLeastImportantEndpoint) {
+  LoadReportingClients();
+
   ASSERT_TRUE(SetEndpointInCache(kOrigin1_, kGroup1_, MakeURL(0), kExpires1_,
                                  OriginSubdomains::DEFAULT, 1 /* priority*/,
                                  1 /* weight */));
@@ -917,6 +1132,8 @@ TEST_P(ReportingCacheTest, EvictLeastImportantEndpoint) {
 }
 
 TEST_P(ReportingCacheTest, EvictEndpointsOverGlobalLimitFromStalestClient) {
+  LoadReportingClients();
+
   // Set enough endpoints to reach the global endpoint limit.
   for (size_t i = 0; i < policy().max_endpoint_count; ++i) {
     ASSERT_TRUE(SetEndpointInCache(url::Origin::Create(MakeURL(i)), kGroup1_,
@@ -938,6 +1155,180 @@ TEST_P(ReportingCacheTest, EvictEndpointsOverGlobalLimitFromStalestClient) {
   EXPECT_TRUE(OriginClientExistsInCache(kOrigin1_));
 }
 
+TEST_P(ReportingCacheTest, AddClientsLoadedFromStore) {
+  if (!store())
+    return;
+
+  base::Time now = clock()->Now();
+
+  std::vector<ReportingEndpoint> endpoints;
+  endpoints.emplace_back(kOrigin1_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  endpoints.emplace_back(kOrigin2_, kGroup2_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint2_});
+  endpoints.emplace_back(kOrigin1_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint2_});
+  endpoints.emplace_back(kOrigin2_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  std::vector<CachedReportingEndpointGroup> groups;
+  groups.emplace_back(kOrigin2_, kGroup1_, OriginSubdomains::DEFAULT,
+                      now + base::TimeDelta::FromMinutes(2) /* expires */,
+                      now /* last_used */);
+  groups.emplace_back(kOrigin1_, kGroup1_, OriginSubdomains::DEFAULT,
+                      now + base::TimeDelta::FromMinutes(1) /* expires */,
+                      now /* last_used */);
+  groups.emplace_back(kOrigin2_, kGroup2_, OriginSubdomains::DEFAULT,
+                      now + base::TimeDelta::FromMinutes(3) /* expires */,
+                      now /* last_used */);
+  store()->SetPrestoredClients(endpoints, groups);
+
+  LoadReportingClients();
+
+  EXPECT_EQ(4u, cache()->GetEndpointCount());
+  EXPECT_EQ(3u, cache()->GetEndpointGroupCountForTesting());
+  EXPECT_TRUE(EndpointExistsInCache(kOrigin1_, kGroup1_, kEndpoint1_));
+  EXPECT_TRUE(EndpointExistsInCache(kOrigin1_, kGroup1_, kEndpoint2_));
+  EXPECT_TRUE(EndpointExistsInCache(kOrigin2_, kGroup1_, kEndpoint1_));
+  EXPECT_TRUE(EndpointExistsInCache(kOrigin2_, kGroup2_, kEndpoint2_));
+  EXPECT_TRUE(
+      EndpointGroupExistsInCache(kOrigin1_, kGroup1_, OriginSubdomains::DEFAULT,
+                                 now + base::TimeDelta::FromMinutes(1)));
+  EXPECT_TRUE(
+      EndpointGroupExistsInCache(kOrigin2_, kGroup1_, OriginSubdomains::DEFAULT,
+                                 now + base::TimeDelta::FromMinutes(2)));
+  EXPECT_TRUE(
+      EndpointGroupExistsInCache(kOrigin2_, kGroup2_, OriginSubdomains::DEFAULT,
+                                 now + base::TimeDelta::FromMinutes(3)));
+  EXPECT_TRUE(OriginClientExistsInCache(kOrigin1_));
+  EXPECT_TRUE(OriginClientExistsInCache(kOrigin2_));
+}
+
+TEST_P(ReportingCacheTest, DoNotStoreMoreThanLimits) {
+  if (!store())
+    return;
+
+  base::Time now = clock()->Now();
+
+  // We hardcode the number of endpoints in this test, so we need to manually
+  // update the test when |max_endpoint_count| changes. You'll need to
+  // add/remove elements to |endpoints| when that happens.
+  EXPECT_EQ(5u, policy().max_endpoint_count) << "You need to update this test "
+                                             << "to reflect a change in "
+                                             << "max_endpoint_count";
+
+  std::vector<ReportingEndpoint> endpoints;
+  endpoints.emplace_back(kOrigin1_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  endpoints.emplace_back(kOrigin1_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint2_});
+  endpoints.emplace_back(kOrigin1_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint3_});
+  endpoints.emplace_back(kOrigin1_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint4_});
+  endpoints.emplace_back(kOrigin2_, kGroup2_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  endpoints.emplace_back(kOrigin2_, kGroup2_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint2_});
+  endpoints.emplace_back(kOrigin2_, kGroup2_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint3_});
+  endpoints.emplace_back(kOrigin2_, kGroup2_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint4_});
+  std::vector<CachedReportingEndpointGroup> groups;
+  groups.emplace_back(kOrigin1_, kGroup1_, OriginSubdomains::DEFAULT,
+                      now /* expires */, now /* last_used */);
+  groups.emplace_back(kOrigin2_, kGroup2_, OriginSubdomains::DEFAULT,
+                      now /* expires */, now /* last_used */);
+  store()->SetPrestoredClients(endpoints, groups);
+
+  LoadReportingClients();
+
+  EXPECT_GE(5u, cache()->GetEndpointCount());
+  EXPECT_GE(2u, cache()->GetEndpointGroupCountForTesting());
+}
+
+TEST_P(ReportingCacheTest, DoNotLoadMismatchedGroupsAndEndpoints) {
+  if (!store())
+    return;
+
+  base::Time now = clock()->Now();
+
+  std::vector<ReportingEndpoint> endpoints;
+  // This endpoint has no corresponding endpoint group
+  endpoints.emplace_back(kOrigin1_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  endpoints.emplace_back(kOrigin2_, kGroup1_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  // This endpoint has no corresponding endpoint group
+  endpoints.emplace_back(kOrigin2_, kGroup2_,
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  std::vector<CachedReportingEndpointGroup> groups;
+  // This endpoint group has no corresponding endpoint
+  groups.emplace_back(kOrigin1_, kGroup2_, OriginSubdomains::DEFAULT,
+                      now /* expires */, now /* last_used */);
+  groups.emplace_back(kOrigin2_, kGroup1_, OriginSubdomains::DEFAULT,
+                      now /* expires */, now /* last_used */);
+  // This endpoint group has no corresponding endpoint
+  groups.emplace_back(kOrigin2_, "last_group", OriginSubdomains::DEFAULT,
+                      now /* expires */, now /* last_used */);
+  store()->SetPrestoredClients(endpoints, groups);
+
+  LoadReportingClients();
+
+  EXPECT_GE(1u, cache()->GetEndpointCount());
+  EXPECT_GE(1u, cache()->GetEndpointGroupCountForTesting());
+  EXPECT_TRUE(EndpointExistsInCache(kOrigin2_, kGroup1_, kEndpoint1_));
+}
+
+// This test verifies that we preserve the last_used field when storing clients
+// loaded from disk. We don't have direct access into individual cache elements,
+// so we test this indirectly by triggering a cache eviction and verifying that
+// a stale element (i.e., one older than a week, by default) is selected for
+// eviction. If last_used weren't populated then presumably that element
+// wouldn't be evicted. (Or rather, it would only have a 25% chance of being
+// evicted and this test would then be flaky.)
+TEST_P(ReportingCacheTest, StoreLastUsedProperly) {
+  if (!store())
+    return;
+
+  base::Time now = clock()->Now();
+
+  // We hardcode the number of endpoints in this test, so we need to manually
+  // update the test when |max_endpoints_per_origin| changes. You'll need to
+  // add/remove elements to |endpoints| and |grups| when that happens.
+  EXPECT_EQ(3u, policy().max_endpoints_per_origin)
+      << "You need to update this test to reflect a change in "
+         "max_endpoints_per_origin";
+
+  // We need more than three endpoints to trigger eviction.
+  std::vector<ReportingEndpoint> endpoints;
+  endpoints.emplace_back(kOrigin1_, "1",
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  endpoints.emplace_back(kOrigin1_, "2",
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  endpoints.emplace_back(kOrigin1_, "3",
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  endpoints.emplace_back(kOrigin1_, "4",
+                         ReportingEndpoint::EndpointInfo{kEndpoint1_});
+  std::vector<CachedReportingEndpointGroup> groups;
+  groups.emplace_back(kOrigin1_, "1", OriginSubdomains::DEFAULT,
+                      now /* expires */, now /* last_used */);
+  groups.emplace_back(kOrigin1_, "2", OriginSubdomains::DEFAULT,
+                      now /* expires */, now /* last_used */);
+  // Stale last_used on group "3" should cause us to select it for eviction
+  groups.emplace_back(kOrigin1_, "3", OriginSubdomains::DEFAULT,
+                      now /* expires */, base::Time() /* last_used */);
+  groups.emplace_back(kOrigin1_, "4", OriginSubdomains::DEFAULT,
+                      now /* expires */, now /* last_used */);
+  store()->SetPrestoredClients(endpoints, groups);
+
+  LoadReportingClients();
+
+  EXPECT_TRUE(EndpointExistsInCache(kOrigin1_, "1", kEndpoint1_));
+  EXPECT_TRUE(EndpointExistsInCache(kOrigin1_, "2", kEndpoint1_));
+  EXPECT_FALSE(EndpointExistsInCache(kOrigin1_, "3", kEndpoint1_));
+  EXPECT_TRUE(EndpointExistsInCache(kOrigin1_, "4", kEndpoint1_));
+}
+
 INSTANTIATE_TEST_SUITE_P(ReportingCacheStoreTest,
                          ReportingCacheTest,
                          testing::Bool());
diff --git a/chromium/net/reporting/reporting_context.cc b/chromium/net/reporting/reporting_context.cc
index 64cbb887f6d..1c38d6f8b2c 100644
--- a/chromium/net/reporting/reporting_context.cc
+++ b/chromium/net/reporting/reporting_context.cc
@@ -77,8 +77,18 @@ void ReportingContext::NotifyCachedClientsUpdated() {
     observer.OnClientsUpdated();
 }
 
+bool ReportingContext::IsReportDataPersisted() const {
+  return store_ && policy_.persist_reports_across_restarts;
+}
+
+bool ReportingContext::IsClientDataPersisted() const {
+  return store_ && policy_.persist_clients_across_restarts;
+}
+
 void ReportingContext::OnShutdown() {
   uploader_->OnShutdown();
+  if (store_)
+    store_->Flush();
 }
 
 ReportingContext::ReportingContext(
@@ -94,7 +104,8 @@ ReportingContext::ReportingContext(
       tick_clock_(tick_clock),
       uploader_(std::move(uploader)),
       delegate_(std::move(delegate)),
-      cache_(ReportingCache::Create(this, store)),
+      cache_(ReportingCache::Create(this)),
+      store_(store),
       endpoint_manager_(ReportingEndpointManager::Create(this, rand_callback)),
       delivery_agent_(ReportingDeliveryAgent::Create(this)),
       garbage_collector_(ReportingGarbageCollector::Create(this)),
diff --git a/chromium/net/reporting/reporting_context.h b/chromium/net/reporting/reporting_context.h
index 233dbc73938..b418868f7e3 100644
--- a/chromium/net/reporting/reporting_context.h
+++ b/chromium/net/reporting/reporting_context.h
@@ -43,14 +43,14 @@ class NET_EXPORT ReportingContext {
 
   ~ReportingContext();
 
-  const ReportingPolicy& policy() { return policy_; }
+  const ReportingPolicy& policy() const { return policy_; }
 
-  base::Clock* clock() { return clock_; }
-  const base::TickClock* tick_clock() { return tick_clock_; }
+  const base::Clock& clock() const { return *clock_; }
+  const base::TickClock& tick_clock() const { return *tick_clock_; }
   ReportingUploader* uploader() { return uploader_.get(); }
-
   ReportingDelegate* delegate() { return delegate_.get(); }
   ReportingCache* cache() { return cache_.get(); }
+  ReportingCache::PersistentReportingStore* store() { return store_; }
   ReportingEndpointManager* endpoint_manager() {
     return endpoint_manager_.get();
   }
@@ -65,6 +65,11 @@ class NET_EXPORT ReportingContext {
   void NotifyCachedReportsUpdated();
   void NotifyCachedClientsUpdated();
 
+  // Returns whether the data in the cache is persisted across restarts in the
+  // PersistentReportingStore.
+  bool IsReportDataPersisted() const;
+  bool IsClientDataPersisted() const;
+
   void OnShutdown();
 
  protected:
@@ -90,6 +95,8 @@ class NET_EXPORT ReportingContext {
 
   std::unique_ptr<ReportingCache> cache_;
 
+  ReportingCache::PersistentReportingStore* const store_;
+
   // |endpoint_manager_| must come after |tick_clock_| and |cache_|.
   std::unique_ptr<ReportingEndpointManager> endpoint_manager_;
 
diff --git a/chromium/net/reporting/reporting_delivery_agent.cc b/chromium/net/reporting/reporting_delivery_agent.cc
index 2745cafffc4..7d143363a23 100644
--- a/chromium/net/reporting/reporting_delivery_agent.cc
+++ b/chromium/net/reporting/reporting_delivery_agent.cc
@@ -55,9 +55,7 @@ class ReportingDeliveryAgentImpl : public ReportingDeliveryAgent,
                                    public ReportingCacheObserver {
  public:
   ReportingDeliveryAgentImpl(ReportingContext* context)
-      : context_(context),
-        timer_(std::make_unique<base::OneShotTimer>()),
-        weak_factory_(this) {
+      : context_(context), timer_(std::make_unique<base::OneShotTimer>()) {
     context_->AddCacheObserver(this);
   }
 
@@ -170,7 +168,7 @@ class ReportingDeliveryAgentImpl : public ReportingDeliveryAgent,
       const url::Origin& report_origin = origin_group.first;
       const std::string& group = origin_group.second;
 
-      if (base::ContainsKey(pending_origin_groups_, origin_group))
+      if (base::Contains(pending_origin_groups_, origin_group))
         continue;
 
       const ReportingEndpoint endpoint =
@@ -209,7 +207,7 @@ class ReportingDeliveryAgentImpl : public ReportingDeliveryAgent,
       std::unique_ptr<Delivery>& delivery = it.second;
 
       std::string json;
-      SerializeReports(delivery->reports, tick_clock()->NowTicks(), &json);
+      SerializeReports(delivery->reports, tick_clock().NowTicks(), &json);
 
       int max_depth = 0;
       for (const ReportingReport* report : delivery->reports) {
@@ -261,8 +259,8 @@ class ReportingDeliveryAgentImpl : public ReportingDeliveryAgent,
     cache()->ClearReportsPending(delivery->reports);
   }
 
-  const ReportingPolicy& policy() { return context_->policy(); }
-  const base::TickClock* tick_clock() { return context_->tick_clock(); }
+  const ReportingPolicy& policy() const { return context_->policy(); }
+  const base::TickClock& tick_clock() const { return context_->tick_clock(); }
   ReportingDelegate* delegate() { return context_->delegate(); }
   ReportingCache* cache() { return context_->cache(); }
   ReportingUploader* uploader() { return context_->uploader(); }
@@ -278,7 +276,7 @@ class ReportingDeliveryAgentImpl : public ReportingDeliveryAgent,
   // (Would be an unordered_set, but there's no hash on pair.)
   std::set<OriginGroup> pending_origin_groups_;
 
-  base::WeakPtrFactory<ReportingDeliveryAgentImpl> weak_factory_;
+  base::WeakPtrFactory<ReportingDeliveryAgentImpl> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ReportingDeliveryAgentImpl);
 };
diff --git a/chromium/net/reporting/reporting_endpoint.cc b/chromium/net/reporting/reporting_endpoint.cc
index 506a860fc35..3b5b790842d 100644
--- a/chromium/net/reporting/reporting_endpoint.cc
+++ b/chromium/net/reporting/reporting_endpoint.cc
@@ -32,6 +32,11 @@ bool operator<(const ReportingEndpointGroupKey& lhs,
   return std::tie(lhs.origin, lhs.group_name) <
          std::tie(rhs.origin, rhs.group_name);
 }
+bool operator>(const ReportingEndpointGroupKey& lhs,
+               const ReportingEndpointGroupKey& rhs) {
+  return std::tie(lhs.origin, lhs.group_name) >
+         std::tie(rhs.origin, rhs.group_name);
+}
 
 const int ReportingEndpoint::EndpointInfo::kDefaultPriority = 1;
 const int ReportingEndpoint::EndpointInfo::kDefaultWeight = 1;
@@ -51,6 +56,10 @@ ReportingEndpoint::ReportingEndpoint(url::Origin origin,
 ReportingEndpoint::ReportingEndpoint(const ReportingEndpoint& other) = default;
 ReportingEndpoint::ReportingEndpoint(ReportingEndpoint&& other) = default;
 
+ReportingEndpoint& ReportingEndpoint::operator=(const ReportingEndpoint&) =
+    default;
+ReportingEndpoint& ReportingEndpoint::operator=(ReportingEndpoint&&) = default;
+
 ReportingEndpoint::~ReportingEndpoint() = default;
 
 bool ReportingEndpoint::is_valid() const {
diff --git a/chromium/net/reporting/reporting_endpoint.h b/chromium/net/reporting/reporting_endpoint.h
index 9447fb0e8c6..a6801e2ea2a 100644
--- a/chromium/net/reporting/reporting_endpoint.h
+++ b/chromium/net/reporting/reporting_endpoint.h
@@ -21,10 +21,10 @@ struct NET_EXPORT ReportingEndpointGroupKey {
   ReportingEndpointGroupKey(url::Origin origin, std::string group_name);
 
   // Origin that configured this endpoint group.
-  const url::Origin origin;
+  url::Origin origin;
 
   // Name of the endpoint group (defaults to "default" during header parsing).
-  const std::string group_name;
+  std::string group_name;
 };
 
 NET_EXPORT bool operator==(const ReportingEndpointGroupKey& lhs,
@@ -33,6 +33,8 @@ NET_EXPORT bool operator!=(const ReportingEndpointGroupKey& lhs,
                            const ReportingEndpointGroupKey& rhs);
 NET_EXPORT bool operator<(const ReportingEndpointGroupKey& lhs,
                           const ReportingEndpointGroupKey& rhs);
+NET_EXPORT bool operator>(const ReportingEndpointGroupKey& lhs,
+                          const ReportingEndpointGroupKey& rhs);
 
 // The configuration by an origin to use an endpoint for report delivery.
 // TODO(crbug.com/921049): Rename to ReportingEndpoint because that's what it
@@ -81,13 +83,16 @@ struct NET_EXPORT ReportingEndpoint {
   ReportingEndpoint(const ReportingEndpoint& other);
   ReportingEndpoint(ReportingEndpoint&& other);
 
+  ReportingEndpoint& operator=(const ReportingEndpoint&);
+  ReportingEndpoint& operator=(ReportingEndpoint&&);
+
   ~ReportingEndpoint();
 
   bool is_valid() const;
   explicit operator bool() const { return is_valid(); }
 
   // Identifies the endpoint group to which this endpoint belongs.
-  const ReportingEndpointGroupKey group_key;
+  ReportingEndpointGroupKey group_key;
 
   // URL, priority, and weight of the endpoint.
   EndpointInfo info;
@@ -138,7 +143,7 @@ struct NET_EXPORT CachedReportingEndpointGroup {
                                base::Time now);
 
   // Origin and group name.
-  const ReportingEndpointGroupKey group_key;
+  ReportingEndpointGroupKey group_key;
 
   // Whether this group applies to subdomains of |group_key.origin|.
   OriginSubdomains include_subdomains = OriginSubdomains::DEFAULT;
diff --git a/chromium/net/reporting/reporting_endpoint_manager.cc b/chromium/net/reporting/reporting_endpoint_manager.cc
index ec6f3863e09..8ed18fa9b8c 100644
--- a/chromium/net/reporting/reporting_endpoint_manager.cc
+++ b/chromium/net/reporting/reporting_endpoint_manager.cc
@@ -50,7 +50,7 @@ class ReportingEndpointManagerImpl : public ReportingEndpointManager {
     int total_weight = 0;
 
     for (const ReportingEndpoint endpoint : endpoints) {
-      if (base::ContainsKey(endpoint_backoff_, endpoint.info.url) &&
+      if (base::Contains(endpoint_backoff_, endpoint.info.url) &&
           endpoint_backoff_[endpoint.info.url]->ShouldRejectRequest()) {
         continue;
       }
@@ -102,16 +102,16 @@ class ReportingEndpointManagerImpl : public ReportingEndpointManager {
   }
 
   void InformOfEndpointRequest(const GURL& endpoint, bool succeeded) override {
-    if (!base::ContainsKey(endpoint_backoff_, endpoint)) {
+    if (!base::Contains(endpoint_backoff_, endpoint)) {
       endpoint_backoff_[endpoint] = std::make_unique<BackoffEntry>(
-          &policy().endpoint_backoff_policy, tick_clock());
+          &policy().endpoint_backoff_policy, &tick_clock());
     }
     endpoint_backoff_[endpoint]->InformOfRequest(succeeded);
   }
 
  private:
-  const ReportingPolicy& policy() { return context_->policy(); }
-  const base::TickClock* tick_clock() { return context_->tick_clock(); }
+  const ReportingPolicy& policy() const { return context_->policy(); }
+  const base::TickClock& tick_clock() const { return context_->tick_clock(); }
   ReportingDelegate* delegate() { return context_->delegate(); }
   ReportingCache* cache() { return context_->cache(); }
 
diff --git a/chromium/net/reporting/reporting_garbage_collector.cc b/chromium/net/reporting/reporting_garbage_collector.cc
index 451f762e749..f524bfd0639 100644
--- a/chromium/net/reporting/reporting_garbage_collector.cc
+++ b/chromium/net/reporting/reporting_garbage_collector.cc
@@ -54,7 +54,7 @@ class ReportingGarbageCollectorImpl : public ReportingGarbageCollector,
   // TODO(crbug.com/912622): Garbage collect clients, reports with no matching
   // endpoints.
   void CollectGarbage() {
-    base::TimeTicks now = context_->tick_clock()->NowTicks();
+    base::TimeTicks now = context_->tick_clock().NowTicks();
     const ReportingPolicy& policy = context_->policy();
 
     std::vector<const ReportingReport*> all_reports;
diff --git a/chromium/net/reporting/reporting_header_parser.cc b/chromium/net/reporting/reporting_header_parser.cc
index 222a92e7288..19a407ac41a 100644
--- a/chromium/net/reporting/reporting_header_parser.cc
+++ b/chromium/net/reporting/reporting_header_parser.cc
@@ -14,6 +14,7 @@
 #include "base/metrics/histogram_macros.h"
 #include "base/time/time.h"
 #include "base/values.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_context.h"
 #include "net/reporting/reporting_delegate.h"
@@ -143,6 +144,15 @@ HeaderEndpointGroupOutcome ProcessEndpointGroup(
   if (dict->HasKey(kIncludeSubdomainsKey) &&
       dict->GetBoolean(kIncludeSubdomainsKey, &subdomains_bool) &&
       subdomains_bool == true) {
+    // Disallow eTLDs from setting include_subdomains endpoint groups.
+    if (registry_controlled_domains::GetRegistryLength(
+            origin.GetURL(),
+            registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
+            registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES) == 0) {
+      return HeaderEndpointGroupOutcome::
+          DISCARDED_INCLUDE_SUBDOMAINS_NOT_ALLOWED;
+    }
+
     parsed_endpoint_group_out->include_subdomains = OriginSubdomains::INCLUDE;
   }
 
diff --git a/chromium/net/reporting/reporting_header_parser.h b/chromium/net/reporting/reporting_header_parser.h
index 8de7d2fa644..5888426547c 100644
--- a/chromium/net/reporting/reporting_header_parser.h
+++ b/chromium/net/reporting/reporting_header_parser.h
@@ -51,6 +51,7 @@ class NET_EXPORT ReportingHeaderParser {
     PARSED = 7,
     REMOVED_TTL_ZERO = 8,
     REMOVED_EMPTY = 9,
+    DISCARDED_INCLUDE_SUBDOMAINS_NOT_ALLOWED = 10,
     MAX
   };
 
diff --git a/chromium/net/reporting/reporting_header_parser_unittest.cc b/chromium/net/reporting/reporting_header_parser_unittest.cc
index 08f24e489bb..48bda761e22 100644
--- a/chromium/net/reporting/reporting_header_parser_unittest.cc
+++ b/chromium/net/reporting/reporting_header_parser_unittest.cc
@@ -8,12 +8,14 @@
 #include <string>
 #include <vector>
 
+#include "base/bind.h"
 #include "base/json/json_reader.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/test/simple_test_tick_clock.h"
 #include "base/time/time.h"
 #include "base/values.h"
+#include "net/reporting/mock_persistent_reporting_store.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_endpoint.h"
 #include "net/reporting/reporting_test_util.h"
@@ -24,17 +26,40 @@
 namespace net {
 namespace {
 
-class ReportingHeaderParserTest : public ReportingTestBase {
+using CommandType = MockPersistentReportingStore::Command::Type;
+
+// This test is parametrized on a boolean that represents whether to use a
+// MockPersistentReportingStore.
+class ReportingHeaderParserTest : public ReportingTestBase,
+                                  public ::testing::WithParamInterface<bool> {
  protected:
   ReportingHeaderParserTest() : ReportingTestBase() {
     ReportingPolicy policy;
     policy.max_endpoints_per_origin = 10;
     policy.max_endpoint_count = 20;
     UsePolicy(policy);
+
+    if (GetParam())
+      store_ = std::make_unique<MockPersistentReportingStore>();
+    else
+      store_ = nullptr;
+    UseStore(store_.get());
   }
 
   ~ReportingHeaderParserTest() override = default;
 
+  void SetUp() override {
+    // All ReportingCache methods assume that the store has been initialized.
+    if (mock_store()) {
+      mock_store()->LoadReportingClients(
+          base::BindOnce(&ReportingCache::AddClientsLoadedFromStore,
+                         base::Unretained(cache())));
+      mock_store()->FinishLoading(true);
+    }
+  }
+
+  MockPersistentReportingStore* mock_store() { return store_.get(); }
+
   ReportingEndpointGroup MakeEndpointGroup(
       std::string name,
       std::vector<ReportingEndpoint::EndpointInfo> endpoints,
@@ -112,18 +137,24 @@ class ReportingHeaderParserTest : public ReportingTestBase {
   const GURL kUrl2_ = GURL("https://origin2.test/path");
   const url::Origin kOrigin2_ =
       url::Origin::Create(GURL("https://origin2.test/"));
+  const GURL kUrlEtld_ = GURL("https://co.uk/foo.html/");
+  const url::Origin kOriginEtld_ = url::Origin::Create(kUrlEtld_);
   const GURL kEndpoint_ = GURL("https://endpoint.test/");
   const GURL kEndpoint2_ = GURL("https://endpoint2.test/");
+  const GURL kEndpoint3_ = GURL("https://endpoint3.test/");
   const std::string kGroup_ = "group";
   const std::string kGroup2_ = "group2";
   const std::string kType_ = "type";
+
+ private:
+  std::unique_ptr<MockPersistentReportingStore> store_;
 };
 
 // TODO(juliatuttle): Ideally these tests should be expecting that JSON parsing
 // (and therefore header parsing) may happen asynchronously, but the entire
 // pipeline is also tested by NetworkErrorLoggingEndToEndTest.
 
-TEST_F(ReportingHeaderParserTest, Invalid) {
+TEST_P(ReportingHeaderParserTest, Invalid) {
   static const struct {
     const char* header_value;
     const char* description;
@@ -172,10 +203,16 @@ TEST_F(ReportingHeaderParserTest, Invalid) {
     EXPECT_EQ(0u, cache()->GetEndpointCount())
         << "Invalid Report-To header (" << test_case.description << ": \""
         << test_case.header_value << "\") parsed as valid.";
+
+    if (mock_store()) {
+      mock_store()->Flush();
+      EXPECT_EQ(0, mock_store()->StoredEndpointsCount());
+      EXPECT_EQ(0, mock_store()->StoredEndpointGroupsCount());
+    }
   }
 }
 
-TEST_F(ReportingHeaderParserTest, Basic) {
+TEST_P(ReportingHeaderParserTest, Basic) {
   std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_}};
 
   std::string header =
@@ -197,9 +234,27 @@ TEST_F(ReportingHeaderParserTest, Basic) {
             endpoint.info.priority);
   EXPECT_EQ(ReportingEndpoint::EndpointInfo::kDefaultWeight,
             endpoint.info.weight);
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(1, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, OmittedGroupName) {
+TEST_P(ReportingHeaderParserTest, OmittedGroupName) {
   std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_}};
   std::string header =
       ConstructHeaderGroupString(MakeEndpointGroup(std::string(), endpoints));
@@ -220,9 +275,27 @@ TEST_F(ReportingHeaderParserTest, OmittedGroupName) {
             endpoint.info.priority);
   EXPECT_EQ(ReportingEndpoint::EndpointInfo::kDefaultWeight,
             endpoint.info.weight);
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(1, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "default",
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "default", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, IncludeSubdomainsTrue) {
+TEST_P(ReportingHeaderParserTest, IncludeSubdomainsTrue) {
   std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_}};
 
   std::string header = ConstructHeaderGroupString(
@@ -234,9 +307,27 @@ TEST_F(ReportingHeaderParserTest, IncludeSubdomainsTrue) {
       EndpointGroupExistsInCache(kOrigin_, kGroup_, OriginSubdomains::INCLUDE));
   EXPECT_EQ(1u, cache()->GetEndpointCount());
   EXPECT_TRUE(EndpointExistsInCache(kOrigin_, kGroup_, kEndpoint_));
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(1, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, IncludeSubdomainsFalse) {
+TEST_P(ReportingHeaderParserTest, IncludeSubdomainsFalse) {
   std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_}};
 
   std::string header = ConstructHeaderGroupString(
@@ -249,9 +340,55 @@ TEST_F(ReportingHeaderParserTest, IncludeSubdomainsFalse) {
       EndpointGroupExistsInCache(kOrigin_, kGroup_, OriginSubdomains::EXCLUDE));
   EXPECT_EQ(1u, cache()->GetEndpointCount());
   EXPECT_TRUE(EndpointExistsInCache(kOrigin_, kGroup_, kEndpoint_));
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(1, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
+}
+
+TEST_P(ReportingHeaderParserTest, IncludeSubdomainsEtldRejected) {
+  std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_}};
+
+  std::string header = ConstructHeaderGroupString(
+      MakeEndpointGroup(kGroup_, endpoints, OriginSubdomains::INCLUDE));
+  ParseHeader(kUrlEtld_, header);
+
+  EXPECT_EQ(0u, cache()->GetEndpointGroupCountForTesting());
+  EXPECT_FALSE(EndpointGroupExistsInCache(kOriginEtld_, kGroup_,
+                                          OriginSubdomains::INCLUDE));
+  EXPECT_EQ(0u, cache()->GetEndpointCount());
+  EXPECT_FALSE(EndpointExistsInCache(kOriginEtld_, kGroup_, kEndpoint_));
 }
 
-TEST_F(ReportingHeaderParserTest, IncludeSubdomainsNotBoolean) {
+TEST_P(ReportingHeaderParserTest, NonIncludeSubdomainsEtldAccepted) {
+  std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_}};
+
+  std::string header = ConstructHeaderGroupString(
+      MakeEndpointGroup(kGroup_, endpoints, OriginSubdomains::EXCLUDE));
+  ParseHeader(kUrlEtld_, header);
+
+  EXPECT_EQ(1u, cache()->GetEndpointGroupCountForTesting());
+  EXPECT_TRUE(EndpointGroupExistsInCache(kOriginEtld_, kGroup_,
+                                         OriginSubdomains::EXCLUDE));
+  EXPECT_EQ(1u, cache()->GetEndpointCount());
+  EXPECT_TRUE(EndpointExistsInCache(kOriginEtld_, kGroup_, kEndpoint_));
+}
+
+TEST_P(ReportingHeaderParserTest, IncludeSubdomainsNotBoolean) {
   std::string header =
       "{\"group\": \"" + kGroup_ +
       "\", "
@@ -265,9 +402,27 @@ TEST_F(ReportingHeaderParserTest, IncludeSubdomainsNotBoolean) {
       EndpointGroupExistsInCache(kOrigin_, kGroup_, OriginSubdomains::DEFAULT));
   EXPECT_EQ(1u, cache()->GetEndpointCount());
   EXPECT_TRUE(EndpointExistsInCache(kOrigin_, kGroup_, kEndpoint_));
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(1, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, NonDefaultPriority) {
+TEST_P(ReportingHeaderParserTest, NonDefaultPriority) {
   const int kNonDefaultPriority = 10;
   std::vector<ReportingEndpoint::EndpointInfo> endpoints = {
       {kEndpoint_, kNonDefaultPriority}};
@@ -286,9 +441,27 @@ TEST_F(ReportingHeaderParserTest, NonDefaultPriority) {
   EXPECT_EQ(kNonDefaultPriority, endpoint.info.priority);
   EXPECT_EQ(ReportingEndpoint::EndpointInfo::kDefaultWeight,
             endpoint.info.weight);
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(1, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, NonDefaultWeight) {
+TEST_P(ReportingHeaderParserTest, NonDefaultWeight) {
   const int kNonDefaultWeight = 10;
   std::vector<ReportingEndpoint::EndpointInfo> endpoints = {
       {kEndpoint_, ReportingEndpoint::EndpointInfo::kDefaultPriority,
@@ -308,9 +481,27 @@ TEST_F(ReportingHeaderParserTest, NonDefaultWeight) {
   EXPECT_EQ(ReportingEndpoint::EndpointInfo::kDefaultPriority,
             endpoint.info.priority);
   EXPECT_EQ(kNonDefaultWeight, endpoint.info.weight);
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(1, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, MaxAge) {
+TEST_P(ReportingHeaderParserTest, MaxAge) {
   const int kMaxAgeSecs = 100;
   base::TimeDelta ttl = base::TimeDelta::FromSeconds(kMaxAgeSecs);
   base::Time expires = clock()->Now() + ttl;
@@ -324,9 +515,27 @@ TEST_F(ReportingHeaderParserTest, MaxAge) {
   EXPECT_EQ(1u, cache()->GetEndpointGroupCountForTesting());
   EXPECT_TRUE(EndpointGroupExistsInCache(kOrigin_, kGroup_,
                                          OriginSubdomains::DEFAULT, expires));
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(1, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, MultipleEndpointsSameGroup) {
+TEST_P(ReportingHeaderParserTest, MultipleEndpointsSameGroup) {
   std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_},
                                                             {kEndpoint2_}};
   std::string header =
@@ -359,9 +568,31 @@ TEST_F(ReportingHeaderParserTest, MultipleEndpointsSameGroup) {
             endpoint2.info.priority);
   EXPECT_EQ(ReportingEndpoint::EndpointInfo::kDefaultWeight,
             endpoint2.info.weight);
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(2, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, MultipleEndpointsDifferentGroups) {
+TEST_P(ReportingHeaderParserTest, MultipleEndpointsDifferentGroups) {
   std::vector<ReportingEndpoint::EndpointInfo> endpoints1 = {{kEndpoint_}};
   std::vector<ReportingEndpoint::EndpointInfo> endpoints2 = {{kEndpoint_}};
   std::string header =
@@ -397,9 +628,36 @@ TEST_F(ReportingHeaderParserTest, MultipleEndpointsDifferentGroups) {
             endpoint2.info.priority);
   EXPECT_EQ(ReportingEndpoint::EndpointInfo::kDefaultWeight,
             endpoint2.info.weight);
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(2, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(2, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup2_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup2_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, MultipleHeadersFromDifferentOrigins) {
+TEST_P(ReportingHeaderParserTest, MultipleHeadersFromDifferentOrigins) {
   // First origin sets a header with two endpoints in the same group.
   std::vector<ReportingEndpoint::EndpointInfo> endpoints1 = {{kEndpoint_},
                                                              {kEndpoint2_}};
@@ -432,9 +690,49 @@ TEST_F(ReportingHeaderParserTest, MultipleHeadersFromDifferentOrigins) {
   EXPECT_TRUE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint2_));
   EXPECT_TRUE(FindEndpointInCache(kOrigin2_, kGroup_, kEndpoint_));
   EXPECT_TRUE(FindEndpointInCache(kOrigin2_, kGroup2_, kEndpoint2_));
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(4, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(3, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin2_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin2_, kGroup2_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin2_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin2_, kGroup2_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest,
+TEST_P(ReportingHeaderParserTest,
        HeaderErroneouslyContainsMultipleGroupsOfSameName) {
   std::vector<ReportingEndpoint::EndpointInfo> endpoints1 = {{kEndpoint_}};
   std::vector<ReportingEndpoint::EndpointInfo> endpoints2 = {{kEndpoint2_}};
@@ -470,9 +768,95 @@ TEST_F(ReportingHeaderParserTest,
             endpoint2.info.priority);
   EXPECT_EQ(ReportingEndpoint::EndpointInfo::kDefaultWeight,
             endpoint2.info.weight);
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(2, mock_store()->StoredEndpointsCount());
+    EXPECT_EQ(1, mock_store()->StoredEndpointGroupsCount());
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
+}
+
+TEST_P(ReportingHeaderParserTest,
+       HeaderErroneouslyContainsGroupsWithRedundantEndpoints) {
+  std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_},
+                                                            {kEndpoint_}};
+  std::string header =
+      ConstructHeaderGroupString(MakeEndpointGroup(kGroup_, endpoints));
+  ParseHeader(kUrl_, header);
+
+  // We should dedupe the identical endpoint URLs.
+  EXPECT_EQ(1u, cache()->GetEndpointCount());
+  ASSERT_TRUE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint_));
+
+  EXPECT_TRUE(
+      EndpointGroupExistsInCache(kOrigin_, kGroup_, OriginSubdomains::DEFAULT));
+  EXPECT_EQ(1u, cache()->GetEndpointGroupCountForTesting());
+
+  EXPECT_TRUE(OriginClientExistsInCache(kOrigin_));
+}
+
+TEST_P(ReportingHeaderParserTest,
+       HeaderErroneouslyContainsMultipleGroupsOfSameNameAndEndpoints) {
+  std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{kEndpoint_}};
+  std::string header =
+      ConstructHeaderGroupString(MakeEndpointGroup(kGroup_, endpoints)) + ", " +
+      ConstructHeaderGroupString(MakeEndpointGroup(kGroup_, endpoints));
+  ParseHeader(kUrl_, header);
+
+  // We should dedupe the identical endpoint URLs, even when they're in
+  // different headers.
+  EXPECT_EQ(1u, cache()->GetEndpointCount());
+  ASSERT_TRUE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint_));
+
+  EXPECT_TRUE(
+      EndpointGroupExistsInCache(kOrigin_, kGroup_, OriginSubdomains::DEFAULT));
+  EXPECT_EQ(1u, cache()->GetEndpointGroupCountForTesting());
+
+  EXPECT_TRUE(OriginClientExistsInCache(kOrigin_));
 }
 
-TEST_F(ReportingHeaderParserTest, OverwriteOldHeader) {
+TEST_P(ReportingHeaderParserTest,
+       HeaderErroneouslyContainsGroupsOfSameNameAndOverlappingEndpoints) {
+  std::vector<ReportingEndpoint::EndpointInfo> endpoints1 = {{kEndpoint_},
+                                                             {kEndpoint2_}};
+  std::vector<ReportingEndpoint::EndpointInfo> endpoints2 = {{kEndpoint_},
+                                                             {kEndpoint3_}};
+  std::string header =
+      ConstructHeaderGroupString(MakeEndpointGroup(kGroup_, endpoints1)) +
+      ", " + ConstructHeaderGroupString(MakeEndpointGroup(kGroup_, endpoints2));
+  ParseHeader(kUrl_, header);
+
+  // We should dedupe the identical endpoint URLs, even when they're in
+  // different headers.
+  EXPECT_EQ(3u, cache()->GetEndpointCount());
+  ASSERT_TRUE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint_));
+  ASSERT_TRUE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint2_));
+  ASSERT_TRUE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint3_));
+
+  EXPECT_TRUE(
+      EndpointGroupExistsInCache(kOrigin_, kGroup_, OriginSubdomains::DEFAULT));
+  EXPECT_EQ(1u, cache()->GetEndpointGroupCountForTesting());
+
+  EXPECT_TRUE(OriginClientExistsInCache(kOrigin_));
+}
+
+TEST_P(ReportingHeaderParserTest, OverwriteOldHeader) {
   // First, the origin sets a header with two endpoints in the same group.
   std::vector<ReportingEndpoint::EndpointInfo> endpoints1 = {
       {kEndpoint_, 10 /* priority */}, {kEndpoint2_}};
@@ -487,6 +871,29 @@ TEST_F(ReportingHeaderParserTest, OverwriteOldHeader) {
   EXPECT_EQ(2u, cache()->GetEndpointCount());
   EXPECT_TRUE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint_));
   EXPECT_TRUE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint2_));
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(2,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(1, mock_store()->CountCommands(
+                     CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 
   // Second header from the same origin should overwrite the previous one.
   std::vector<ReportingEndpoint::EndpointInfo> endpoints2 = {
@@ -514,9 +921,34 @@ TEST_F(ReportingHeaderParserTest, OverwriteOldHeader) {
             FindEndpointInCache(kOrigin_, kGroup_, kEndpoint_).info.priority);
   EXPECT_FALSE(FindEndpointInCache(kOrigin_, kGroup_, kEndpoint2_));
   EXPECT_TRUE(FindEndpointInCache(kOrigin_, kGroup2_, kEndpoint2_));
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(2 + 1,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(1 + 1, mock_store()->CountCommands(
+                         CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    EXPECT_EQ(
+        1, mock_store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup2_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup2_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, OverwriteOldHeaderWithCompletelyNew) {
+TEST_P(ReportingHeaderParserTest, OverwriteOldHeaderWithCompletelyNew) {
   std::vector<ReportingEndpoint::EndpointInfo> endpoints1_1 = {{MakeURL(10)},
                                                                {MakeURL(11)}};
   std::vector<ReportingEndpoint::EndpointInfo> endpoints2_1 = {{MakeURL(20)},
@@ -537,6 +969,49 @@ TEST_F(ReportingHeaderParserTest, OverwriteOldHeaderWithCompletelyNew) {
   EXPECT_TRUE(
       EndpointGroupExistsInCache(kOrigin_, "3", OriginSubdomains::DEFAULT));
   EXPECT_EQ(6u, cache()->GetEndpointCount());
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(6,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(3, mock_store()->CountCommands(
+                     CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "1", endpoints1_1[0]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "1", endpoints1_1[1]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "2", endpoints2_1[0]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "2", endpoints2_1[1]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "3", endpoints3_1[0]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "3", endpoints3_1[1]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "1", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "2", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "3", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 
   // Replace endpoints in each group with completely new endpoints.
   std::vector<ReportingEndpoint::EndpointInfo> endpoints1_2 = {{MakeURL(12)}};
@@ -565,6 +1040,47 @@ TEST_F(ReportingHeaderParserTest, OverwriteOldHeaderWithCompletelyNew) {
   EXPECT_TRUE(FindEndpointInCache(kOrigin_, "3", MakeURL(32)));
   EXPECT_FALSE(FindEndpointInCache(kOrigin_, "3", MakeURL(30)));
   EXPECT_FALSE(FindEndpointInCache(kOrigin_, "3", MakeURL(31)));
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(6 + 3,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(3, mock_store()->CountCommands(
+                     CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    EXPECT_EQ(
+        6, mock_store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(0, mock_store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "1", endpoints1_2[0]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "2", endpoints2_2[0]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "3", endpoints3_2[0]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "1", endpoints1_1[0]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "1", endpoints1_1[1]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "2", endpoints2_1[0]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "2", endpoints2_1[1]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "3", endpoints3_1[0]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "3", endpoints3_1[1]));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 
   // Replace all the groups with completely new groups.
   std::vector<ReportingEndpoint::EndpointInfo> endpoints4_3 = {{MakeURL(40)}};
@@ -586,14 +1102,75 @@ TEST_F(ReportingHeaderParserTest, OverwriteOldHeaderWithCompletelyNew) {
   EXPECT_FALSE(
       EndpointGroupExistsInCache(kOrigin_, "3", OriginSubdomains::DEFAULT));
   EXPECT_EQ(2u, cache()->GetEndpointCount());
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(6 + 3 + 2,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(3 + 2, mock_store()->CountCommands(
+                         CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    EXPECT_EQ(6 + 3, mock_store()->CountCommands(
+                         CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(3, mock_store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "4", endpoints4_3[0]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "5", endpoints5_3[0]));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "4", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "5", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "1", endpoints1_2[0]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "2", endpoints2_2[0]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, "3", endpoints3_2[0]));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "1", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "2", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, "3", OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, ZeroMaxAgeRemovesEndpointGroup) {
+TEST_P(ReportingHeaderParserTest, ZeroMaxAgeRemovesEndpointGroup) {
   // Without a pre-existing client, max_age: 0 should do nothing.
   ASSERT_EQ(0u, cache()->GetEndpointCount());
   ParseHeader(kUrl_, "{\"endpoints\":[{\"url\":\"" + kEndpoint_.spec() +
                          "\"}],\"max_age\":0}");
   EXPECT_EQ(0u, cache()->GetEndpointCount());
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(0,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(0, mock_store()->CountCommands(
+                     CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+  }
 
   // Set a header with two endpoint groups.
   std::vector<ReportingEndpoint::EndpointInfo> endpoints1 = {{kEndpoint_}};
@@ -611,6 +1188,34 @@ TEST_F(ReportingHeaderParserTest, ZeroMaxAgeRemovesEndpointGroup) {
   EXPECT_TRUE(EndpointGroupExistsInCache(kOrigin_, kGroup2_,
                                          OriginSubdomains::DEFAULT));
   EXPECT_EQ(2u, cache()->GetEndpointCount());
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(2,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(2, mock_store()->CountCommands(
+                     CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup2_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    expected_commands.emplace_back(
+        CommandType::ADD_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup2_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 
   // Set another header with max_age: 0 to delete one of the groups.
   std::string header2 = ConstructHeaderGroupString(MakeEndpointGroup(
@@ -631,6 +1236,29 @@ TEST_F(ReportingHeaderParserTest, ZeroMaxAgeRemovesEndpointGroup) {
   EXPECT_TRUE(EndpointGroupExistsInCache(kOrigin_, kGroup2_,
                                          OriginSubdomains::DEFAULT));
   EXPECT_EQ(1u, cache()->GetEndpointCount());
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(2,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(2, mock_store()->CountCommands(
+                     CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    EXPECT_EQ(
+        1, mock_store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(1, mock_store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 
   // Set another header with max_age: 0 to delete the other group. (Should work
   // even if the endpoints field is an empty list.)
@@ -644,9 +1272,32 @@ TEST_F(ReportingHeaderParserTest, ZeroMaxAgeRemovesEndpointGroup) {
   EXPECT_FALSE(OriginClientExistsInCache(kOrigin_));
   EXPECT_EQ(0u, cache()->GetEndpointGroupCountForTesting());
   EXPECT_EQ(0u, cache()->GetEndpointCount());
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(2,
+              mock_store()->CountCommands(CommandType::ADD_REPORTING_ENDPOINT));
+    EXPECT_EQ(2, mock_store()->CountCommands(
+                     CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    EXPECT_EQ(1 + 1, mock_store()->CountCommands(
+                         CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(1 + 1, mock_store()->CountCommands(
+                         CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+    MockPersistentReportingStore::CommandList expected_commands;
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT,
+        ReportingEndpoint(kOrigin_, kGroup2_,
+                          ReportingEndpoint::EndpointInfo{kEndpoint2_}));
+    expected_commands.emplace_back(
+        CommandType::DELETE_REPORTING_ENDPOINT_GROUP,
+        CachedReportingEndpointGroup(
+            kOrigin_, kGroup2_, OriginSubdomains::DEFAULT /* irrelevant */,
+            base::Time() /* irrelevant */, base::Time() /* irrelevant */));
+    EXPECT_THAT(mock_store()->GetAllCommands(),
+                testing::IsSupersetOf(expected_commands));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, EvictEndpointsOverPerOriginLimit1) {
+TEST_P(ReportingHeaderParserTest, EvictEndpointsOverPerOriginLimit1) {
   // Set a header with too many endpoints, all in the same group.
   std::vector<ReportingEndpoint::EndpointInfo> endpoints;
   for (size_t i = 0; i < policy().max_endpoints_per_origin + 1; ++i) {
@@ -658,9 +1309,20 @@ TEST_F(ReportingHeaderParserTest, EvictEndpointsOverPerOriginLimit1) {
 
   // Endpoint count should be at most the limit.
   EXPECT_GE(policy().max_endpoints_per_origin, cache()->GetEndpointCount());
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(policy().max_endpoints_per_origin + 1,
+              static_cast<unsigned long>(mock_store()->CountCommands(
+                  CommandType::ADD_REPORTING_ENDPOINT)));
+    EXPECT_EQ(1, mock_store()->CountCommands(
+                     CommandType::ADD_REPORTING_ENDPOINT_GROUP));
+    EXPECT_EQ(
+        1, mock_store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, EvictEndpointsOverPerOriginLimit2) {
+TEST_P(ReportingHeaderParserTest, EvictEndpointsOverPerOriginLimit2) {
   // Set a header with too many endpoints, in different groups.
   std::string header;
   for (size_t i = 0; i < policy().max_endpoints_per_origin + 1; ++i) {
@@ -674,9 +1336,23 @@ TEST_F(ReportingHeaderParserTest, EvictEndpointsOverPerOriginLimit2) {
 
   // Endpoint count should be at most the limit.
   EXPECT_GE(policy().max_endpoints_per_origin, cache()->GetEndpointCount());
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(policy().max_endpoints_per_origin + 1,
+              static_cast<unsigned long>(mock_store()->CountCommands(
+                  CommandType::ADD_REPORTING_ENDPOINT)));
+    EXPECT_EQ(policy().max_endpoints_per_origin + 1,
+              static_cast<unsigned long>(mock_store()->CountCommands(
+                  CommandType::ADD_REPORTING_ENDPOINT_GROUP)));
+    EXPECT_EQ(
+        1, mock_store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(1, mock_store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+  }
 }
 
-TEST_F(ReportingHeaderParserTest, EvictEndpointsOverGlobalLimit) {
+TEST_P(ReportingHeaderParserTest, EvictEndpointsOverGlobalLimit) {
   // Set headers from different origins up to the global limit.
   for (size_t i = 0; i < policy().max_endpoint_count; ++i) {
     std::vector<ReportingEndpoint::EndpointInfo> endpoints = {{MakeURL(i)}};
@@ -692,7 +1368,25 @@ TEST_F(ReportingHeaderParserTest, EvictEndpointsOverGlobalLimit) {
 
   // Endpoint count should be at most the limit.
   EXPECT_GE(policy().max_endpoint_count, cache()->GetEndpointCount());
+
+  if (mock_store()) {
+    mock_store()->Flush();
+    EXPECT_EQ(policy().max_endpoint_count + 1,
+              static_cast<unsigned long>(mock_store()->CountCommands(
+                  CommandType::ADD_REPORTING_ENDPOINT)));
+    EXPECT_EQ(policy().max_endpoint_count + 1,
+              static_cast<unsigned long>(mock_store()->CountCommands(
+                  CommandType::ADD_REPORTING_ENDPOINT_GROUP)));
+    EXPECT_EQ(
+        1, mock_store()->CountCommands(CommandType::DELETE_REPORTING_ENDPOINT));
+    EXPECT_EQ(1, mock_store()->CountCommands(
+                     CommandType::DELETE_REPORTING_ENDPOINT_GROUP));
+  }
 }
 
+INSTANTIATE_TEST_SUITE_P(ReportingHeaderParserStoreTest,
+                         ReportingHeaderParserTest,
+                         testing::Bool());
+
 }  // namespace
 }  // namespace net
diff --git a/chromium/net/reporting/reporting_service.cc b/chromium/net/reporting/reporting_service.cc
index 9fe09f261e3..313a825d111 100644
--- a/chromium/net/reporting/reporting_service.cc
+++ b/chromium/net/reporting/reporting_service.cc
@@ -59,7 +59,7 @@ class ReportingServiceImpl : public ReportingService {
 
     context_->cache()->AddReport(sanitized_url, user_agent, group, type,
                                  std::move(body), depth,
-                                 context_->tick_clock()->NowTicks(), 0);
+                                 context_->tick_clock().NowTicks(), 0);
   }
 
   void ProcessHeader(const GURL& url,
diff --git a/chromium/net/server/http_server.cc b/chromium/net/server/http_server.cc
index 9b9116d9afd..678d6f493c3 100644
--- a/chromium/net/server/http_server.cc
+++ b/chromium/net/server/http_server.cc
@@ -56,8 +56,7 @@ HttpServer::HttpServer(std::unique_ptr<ServerSocket> server_socket,
                        HttpServer::Delegate* delegate)
     : server_socket_(std::move(server_socket)),
       delegate_(delegate),
-      last_id_(0),
-      weak_ptr_factory_(this) {
+      last_id_(0) {
   DCHECK(server_socket_);
   // Start accepting connections in next run loop in case when delegate is not
   // ready to get callbacks.
diff --git a/chromium/net/server/http_server.h b/chromium/net/server/http_server.h
index c6e2554c6ee..cb70b575731 100644
--- a/chromium/net/server/http_server.h
+++ b/chromium/net/server/http_server.h
@@ -131,7 +131,7 @@ class HttpServer {
   int last_id_;
   std::map<int, std::unique_ptr<HttpConnection>> id_to_connection_;
 
-  base::WeakPtrFactory<HttpServer> weak_ptr_factory_;
+  base::WeakPtrFactory<HttpServer> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(HttpServer);
 };
diff --git a/chromium/net/server/http_server_fuzzer.cc b/chromium/net/server/http_server_fuzzer.cc
index 53e0899f8ef..e8c57affbb7 100644
--- a/chromium/net/server/http_server_fuzzer.cc
+++ b/chromium/net/server/http_server_fuzzer.cc
@@ -5,18 +5,18 @@
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/run_loop.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/net_errors.h"
 #include "net/log/test_net_log.h"
 #include "net/server/http_server.h"
 #include "net/socket/fuzzed_server_socket.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace {
 
 class WaitTillHttpCloseDelegate : public net::HttpServer::Delegate {
  public:
-  WaitTillHttpCloseDelegate(base::FuzzedDataProvider* data_provider,
+  WaitTillHttpCloseDelegate(FuzzedDataProvider* data_provider,
                             const base::Closure& done_closure)
       : server_(nullptr),
         data_provider_(data_provider),
@@ -81,7 +81,7 @@ class WaitTillHttpCloseDelegate : public net::HttpServer::Delegate {
   };
 
   net::HttpServer* server_;
-  base::FuzzedDataProvider* const data_provider_;
+  FuzzedDataProvider* const data_provider_;
   base::Closure done_closure_;
   const uint8_t action_flags_;
 
@@ -95,7 +95,7 @@ class WaitTillHttpCloseDelegate : public net::HttpServer::Delegate {
 // |data| is used to create a FuzzedServerSocket.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   net::TestNetLog test_net_log;
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
 
   std::unique_ptr<net::ServerSocket> server_socket(
       std::make_unique<net::FuzzedServerSocket>(&data_provider, &test_net_log));
diff --git a/chromium/net/socket/client_socket_factory.cc b/chromium/net/socket/client_socket_factory.cc
index 313bc16b1f2..1a165c8d4c0 100644
--- a/chromium/net/socket/client_socket_factory.cc
+++ b/chromium/net/socket/client_socket_factory.cc
@@ -9,7 +9,7 @@
 #include "base/lazy_instance.h"
 #include "build/build_config.h"
 #include "net/http/http_proxy_client_socket.h"
-#include "net/socket/ssl_client_socket_impl.h"
+#include "net/socket/ssl_client_socket.h"
 #include "net/socket/tcp_client_socket.h"
 #include "net/socket/udp_client_socket.h"
 
@@ -44,12 +44,12 @@ class DefaultClientSocketFactory : public ClientSocketFactory {
   }
 
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> stream_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override {
-    return std::make_unique<SSLClientSocketImpl>(
-        std::move(stream_socket), host_and_port, ssl_config, context);
+      const SSLConfig& ssl_config) override {
+    return context->CreateSSLClientSocket(std::move(stream_socket),
+                                          host_and_port, ssl_config);
   }
 
   std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
diff --git a/chromium/net/socket/client_socket_factory.h b/chromium/net/socket/client_socket_factory.h
index db61cc42a65..4d70620a0bf 100644
--- a/chromium/net/socket/client_socket_factory.h
+++ b/chromium/net/socket/client_socket_factory.h
@@ -22,8 +22,8 @@ class DatagramClientSocket;
 class HostPortPair;
 class NetLog;
 struct NetLogSource;
+class SSLClientContext;
 class SSLClientSocket;
-struct SSLClientSocketContext;
 struct SSLConfig;
 class ProxyClientSocket;
 class ProxyDelegate;
@@ -52,10 +52,10 @@ class NET_EXPORT ClientSocketFactory {
   // It is allowed to pass in a StreamSocket that is not obtained from a
   // socket pool. The caller could create a StreamSocket directly.
   virtual std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> stream_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) = 0;
+      const SSLConfig& ssl_config) = 0;
 
   virtual std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
       std::unique_ptr<StreamSocket> stream_socket,
diff --git a/chromium/net/socket/client_socket_handle.cc b/chromium/net/socket/client_socket_handle.cc
index 2e52f8ceb8e..0fd702e8e55 100644
--- a/chromium/net/socket/client_socket_handle.cc
+++ b/chromium/net/socket/client_socket_handle.cc
@@ -199,8 +199,8 @@ void ClientSocketHandle::HandleInitCompletion(int result) {
   // release() socket. It ends up working though, since those methods are being
   // used to layer sockets (and the destination sources are the same).
   DCHECK(socket_.get());
-  socket_->NetLog().BeginEvent(NetLogEventType::SOCKET_IN_USE,
-                               requesting_source_.ToEventParametersCallback());
+  socket_->NetLog().BeginEventReferencingSource(NetLogEventType::SOCKET_IN_USE,
+                                                requesting_source_);
 }
 
 void ClientSocketHandle::ResetInternal(bool cancel, bool cancel_connect_job) {
diff --git a/chromium/net/socket/client_socket_pool.cc b/chromium/net/socket/client_socket_pool.cc
index 62eb8f4bc76..7709ce977d6 100644
--- a/chromium/net/socket/client_socket_pool.cc
+++ b/chromium/net/socket/client_socket_pool.cc
@@ -135,16 +135,13 @@ void ClientSocketPool::NetLogTcpClientSocketPoolRequestedSocket(
   if (net_log.IsCapturing()) {
     // TODO(eroman): Split out the host and port parameters.
     net_log.AddEvent(NetLogEventType::TCP_CLIENT_SOCKET_POOL_REQUESTED_SOCKET,
-                     base::BindRepeating(&NetLogGroupIdCallback,
-                                         base::Unretained(&group_id)));
+                     [&] { return NetLogGroupIdParams(group_id); });
   }
 }
 
-base::Value ClientSocketPool::NetLogGroupIdCallback(
-    const GroupId* group_id,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value ClientSocketPool::NetLogGroupIdParams(const GroupId& group_id) {
   base::DictionaryValue event_params;
-  event_params.SetString("group_id", group_id->ToString());
+  event_params.SetString("group_id", group_id.ToString());
   return std::move(event_params);
 }
 
diff --git a/chromium/net/socket/client_socket_pool.h b/chromium/net/socket/client_socket_pool.h
index 17a787eea3d..8933f91dc1d 100644
--- a/chromium/net/socket/client_socket_pool.h
+++ b/chromium/net/socket/client_socket_pool.h
@@ -129,7 +129,7 @@ class NET_EXPORT ClientSocketPool : public LowerLayeredPool {
 
     PrivacyMode privacy_mode() const { return privacy_mode_; }
 
-    const NetworkIsolationKey& network_isolation_key() {
+    const NetworkIsolationKey& network_isolation_key() const {
       return network_isolation_key_;
     }
 
@@ -352,8 +352,7 @@ class NET_EXPORT ClientSocketPool : public LowerLayeredPool {
                                                 const GroupId& group_id);
 
   // Utility method to log a GroupId with a NetLog event.
-  static base::Value NetLogGroupIdCallback(const GroupId* group_id,
-                                           NetLogCaptureMode capture_mode);
+  static base::Value NetLogGroupIdParams(const GroupId& group_id);
 
   static std::unique_ptr<ConnectJob> CreateConnectJob(
       GroupId group_id,
diff --git a/chromium/net/socket/client_socket_pool_base_unittest.cc b/chromium/net/socket/client_socket_pool_base_unittest.cc
index faa495115b4..0f8df878608 100644
--- a/chromium/net/socket/client_socket_pool_base_unittest.cc
+++ b/chromium/net/socket/client_socket_pool_base_unittest.cc
@@ -42,7 +42,6 @@
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_source_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/client_socket_handle.h"
@@ -232,7 +231,7 @@ class MockClientSocketFactory : public ClientSocketFactory {
       NetLog* net_log,
       const NetLogSource& source) override {
     NOTREACHED();
-    return std::unique_ptr<DatagramClientSocket>();
+    return nullptr;
   }
 
   std::unique_ptr<TransportClientSocket> CreateTransportClientSocket(
@@ -246,12 +245,12 @@ class MockClientSocketFactory : public ClientSocketFactory {
   }
 
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> stream_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override {
+      const SSLConfig& ssl_config) override {
     NOTIMPLEMENTED();
-    return std::unique_ptr<SSLClientSocket>();
+    return nullptr;
   }
 
   std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
@@ -334,8 +333,7 @@ class TestConnectJob : public ConnectJob {
         client_socket_factory_(client_socket_factory),
         load_state_(LOAD_STATE_IDLE),
         has_established_connection_(false),
-        store_additional_error_state_(false),
-        weak_factory_(this) {}
+        store_additional_error_state_(false) {}
 
   void Signal() {
     DoConnect(waiting_success_, true /* async */, false /* recoverable */);
@@ -524,7 +522,7 @@ class TestConnectJob : public ConnectJob {
   bool has_established_connection_;
   bool store_additional_error_state_;
 
-  base::WeakPtrFactory<TestConnectJob> weak_factory_;
+  base::WeakPtrFactory<TestConnectJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(TestConnectJob);
 };
@@ -544,8 +542,7 @@ class TestConnectJobFactory
             nullptr /* quic_stream_factory */,
             nullptr /* proxy_delegate */,
             nullptr /* http_user_agent_settings */,
-            SSLClientSocketContext(),
-            SSLClientSocketContext(),
+            nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
             net_log,
@@ -629,7 +626,7 @@ class ClientSocketPoolBaseTest : public TestWithScopedTaskEnvironment {
  protected:
   ClientSocketPoolBaseTest()
       : TestWithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME),
         params_(ClientSocketPool::SocketParams::CreateForHttpForTesting()) {
     connect_backup_jobs_enabled_ =
         TransportClientSocketPool::connect_backup_jobs_enabled();
@@ -711,6 +708,9 @@ class ClientSocketPoolBaseTest : public TestWithScopedTaskEnvironment {
   ClientSocketPoolTest test_base_;
 };
 
+// TODO(950069): Add testing for frame_origin in NetworkIsolationKey
+// using kAppendInitiatingFrameOriginToNetworkIsolationKey.
+
 TEST_F(ClientSocketPoolBaseTest, BasicSynchronous) {
   CreatePool(kDefaultMaxSockets, kDefaultMaxSocketsPerGroup);
 
@@ -731,8 +731,7 @@ TEST_F(ClientSocketPoolBaseTest, BasicSynchronous) {
   handle.Reset();
   TestLoadTimingInfoNotConnected(handle);
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(5u, entries.size());
   EXPECT_TRUE(LogContainsEvent(
@@ -770,8 +769,7 @@ TEST_F(ClientSocketPoolBaseTest, InitConnectionFailure) {
   EXPECT_FALSE(handle.ssl_cert_request_info());
   TestLoadTimingInfoNotConnected(handle);
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(4u, entries.size());
   EXPECT_TRUE(LogContainsEvent(
@@ -806,9 +804,11 @@ TEST_F(ClientSocketPoolBaseTest, GroupSeparation) {
   const PrivacyMode kPrivacyModes[] = {PrivacyMode::PRIVACY_MODE_DISABLED,
                                        PrivacyMode::PRIVACY_MODE_ENABLED};
 
+  const auto kOriginA = url::Origin::Create(GURL("http://a.test/"));
+  const auto kOriginB = url::Origin::Create(GURL("http://b.test/"));
   const NetworkIsolationKey kNetworkIsolationKeys[] = {
-      NetworkIsolationKey(url::Origin::Create(GURL("http://a.test/"))),
-      NetworkIsolationKey(url::Origin::Create(GURL("http://b.test/"))),
+      NetworkIsolationKey(kOriginA, kOriginA),
+      NetworkIsolationKey(kOriginB, kOriginB),
   };
 
   int total_idle_sockets = 0;
@@ -2016,8 +2016,7 @@ TEST_F(ClientSocketPoolBaseTest, BasicAsynchronous) {
   handle.Reset();
   TestLoadTimingInfoNotConnected(handle);
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(5u, entries.size());
   EXPECT_TRUE(LogContainsEvent(
@@ -2056,8 +2055,7 @@ TEST_F(ClientSocketPoolBaseTest,
   EXPECT_FALSE(handle.is_ssl_error());
   EXPECT_FALSE(handle.ssl_cert_request_info());
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_EQ(4u, entries.size());
   EXPECT_TRUE(LogContainsEvent(
@@ -2540,8 +2538,7 @@ TEST_F(ClientSocketPoolBaseTest, CleanupTimedOutIdleSocketsReuse) {
   EXPECT_EQ(0u, pool_->IdleSocketCountInGroup(TestGroupId("a")));
   EXPECT_EQ(1, pool_->NumActiveSocketsInGroupForTesting(TestGroupId("a")));
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   EXPECT_TRUE(LogContainsEvent(
       entries, 0, NetLogEventType::TCP_CLIENT_SOCKET_POOL_REQUESTED_SOCKET,
       NetLogEventPhase::NONE));
@@ -2619,8 +2616,7 @@ TEST_F(ClientSocketPoolBaseTest, CleanupTimedOutIdleSocketsNoReuse) {
   EXPECT_EQ(0u, pool_->IdleSocketCountInGroup(TestGroupId("a")));
   EXPECT_EQ(1, pool_->NumActiveSocketsInGroupForTesting(TestGroupId("a")));
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   EXPECT_FALSE(LogContainsEntryWithType(
       entries, 1, NetLogEventType::SOCKET_POOL_REUSED_AN_EXISTING_SOCKET));
 }
diff --git a/chromium/net/socket/client_socket_pool_manager.cc b/chromium/net/socket/client_socket_pool_manager.cc
index 3e1f92b374a..1dcb89eff54 100644
--- a/chromium/net/socket/client_socket_pool_manager.cc
+++ b/chromium/net/socket/client_socket_pool_manager.cc
@@ -296,14 +296,12 @@ int PreconnectSocketsForHttpRequest(
     const SSLConfig& ssl_config_for_origin,
     const SSLConfig& ssl_config_for_proxy,
     PrivacyMode privacy_mode,
+    const NetworkIsolationKey& network_isolation_key,
     const NetLogWithSource& net_log,
     int num_preconnect_streams) {
   // QUIC proxies are currently not supported through this method.
   DCHECK(!proxy_info.is_quic());
 
-  // TODO(https://crbug.com/966896): Get this field from the caller.
-  NetworkIsolationKey network_isolation_key;
-
   return InitSocketPoolHelper(
       group_type, endpoint, request_load_flags, request_priority, session,
       proxy_info, ssl_config_for_origin, ssl_config_for_proxy,
diff --git a/chromium/net/socket/client_socket_pool_manager.h b/chromium/net/socket/client_socket_pool_manager.h
index b10a75622c8..3d92536f62c 100644
--- a/chromium/net/socket/client_socket_pool_manager.h
+++ b/chromium/net/socket/client_socket_pool_manager.h
@@ -150,6 +150,7 @@ int PreconnectSocketsForHttpRequest(
     const SSLConfig& ssl_config_for_origin,
     const SSLConfig& ssl_config_for_proxy,
     PrivacyMode privacy_mode,
+    const NetworkIsolationKey& network_isolation_key,
     const NetLogWithSource& net_log,
     int num_preconnect_streams);
 
diff --git a/chromium/net/socket/client_socket_pool_unittest.cc b/chromium/net/socket/client_socket_pool_unittest.cc
index c543feb7e34..1ec12ff7b7f 100644
--- a/chromium/net/socket/client_socket_pool_unittest.cc
+++ b/chromium/net/socket/client_socket_pool_unittest.cc
@@ -20,6 +20,9 @@ namespace net {
 
 namespace {
 
+// TODO(950069): Add testing for frame_origin in NetworkIsolationKey
+// using kAppendInitiatingFrameOriginToNetworkIsolationKey.
+
 TEST(ClientSocketPool, GroupIdOperators) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -43,9 +46,11 @@ TEST(ClientSocketPool, GroupIdOperators) {
       PrivacyMode::PRIVACY_MODE_ENABLED,
   };
 
+  const auto kOriginA = url::Origin::Create(GURL("http://a.test/"));
+  const auto kOriginB = url::Origin::Create(GURL("http://b.test/"));
   const NetworkIsolationKey kNetworkIsolationKeys[] = {
-      NetworkIsolationKey(url::Origin::Create(GURL("http://a.test/"))),
-      NetworkIsolationKey(url::Origin::Create(GURL("http://b.test/"))),
+      NetworkIsolationKey(kOriginA, kOriginA),
+      NetworkIsolationKey(kOriginB, kOriginB),
   };
 
   // All previously created |group_ids|. They should all be less than the
@@ -127,13 +132,16 @@ TEST(ClientSocketPool, GroupIdToString) {
       ClientSocketPool::GroupId(
           HostPortPair("foo", 443), ClientSocketPool::SocketType::kSsl,
           PrivacyMode::PRIVACY_MODE_DISABLED,
-          NetworkIsolationKey(url::Origin::Create(GURL("https://foo.com"))))
+          NetworkIsolationKey(url::Origin::Create(GURL("https://foo.com")),
+                              url::Origin::Create(GURL("https://foo.com"))))
           .ToString());
 }
 
 TEST(ClientSocketPool, PartitionConnectionsByNetworkIsolationKeyDisabled) {
   // Partitioning connections by NetworkIsolationKey is disabled by default, so
   // test both the explicitly and implicitly disabled cases.
+  const auto kOriginFoo = url::Origin::Create(GURL("https://foo.com"));
+  const auto kOriginBar = url::Origin::Create(GURL("https://bar.com"));
   for (bool explicitly_disabled : {false, true}) {
     base::test::ScopedFeatureList feature_list;
     if (explicitly_disabled) {
@@ -144,12 +152,12 @@ TEST(ClientSocketPool, PartitionConnectionsByNetworkIsolationKeyDisabled) {
     ClientSocketPool::GroupId group_id1(
         HostPortPair("foo", 443), ClientSocketPool::SocketType::kSsl,
         PrivacyMode::PRIVACY_MODE_DISABLED,
-        NetworkIsolationKey(url::Origin::Create(GURL("https://foo.com"))));
+        NetworkIsolationKey(kOriginFoo, kOriginFoo));
 
     ClientSocketPool::GroupId group_id2(
         HostPortPair("foo", 443), ClientSocketPool::SocketType::kSsl,
         PrivacyMode::PRIVACY_MODE_DISABLED,
-        NetworkIsolationKey(url::Origin::Create(GURL("http://bar.com"))));
+        NetworkIsolationKey(kOriginBar, kOriginBar));
 
     EXPECT_FALSE(group_id1.network_isolation_key().IsFullyPopulated());
     EXPECT_FALSE(group_id2.network_isolation_key().IsFullyPopulated());
diff --git a/chromium/net/socket/connect_job.cc b/chromium/net/socket/connect_job.cc
index 871d0f5bcbd..daea92c36a4 100644
--- a/chromium/net/socket/connect_job.cc
+++ b/chromium/net/socket/connect_job.cc
@@ -34,8 +34,7 @@ CommonConnectJobParams::CommonConnectJobParams(
     QuicStreamFactory* quic_stream_factory,
     ProxyDelegate* proxy_delegate,
     const HttpUserAgentSettings* http_user_agent_settings,
-    const SSLClientSocketContext& ssl_client_socket_context,
-    const SSLClientSocketContext& ssl_client_socket_context_privacy_mode,
+    SSLClientContext* ssl_client_context,
     SocketPerformanceWatcherFactory* socket_performance_watcher_factory,
     NetworkQualityEstimator* network_quality_estimator,
     NetLog* net_log,
@@ -49,9 +48,7 @@ CommonConnectJobParams::CommonConnectJobParams(
       quic_stream_factory(quic_stream_factory),
       proxy_delegate(proxy_delegate),
       http_user_agent_settings(http_user_agent_settings),
-      ssl_client_socket_context(ssl_client_socket_context),
-      ssl_client_socket_context_privacy_mode(
-          ssl_client_socket_context_privacy_mode),
+      ssl_client_context(ssl_client_context),
       socket_performance_watcher_factory(socket_performance_watcher_factory),
       network_quality_estimator(network_quality_estimator),
       net_log(net_log),
@@ -129,7 +126,7 @@ std::unique_ptr<ConnectJob> ConnectJob::CreateConnectJob(
         ssl_params = base::MakeRefCounted<SSLSocketParams>(
             std::move(proxy_tcp_params), nullptr, nullptr,
             proxy_server.host_port_pair(), *ssl_config_for_proxy,
-            PRIVACY_MODE_DISABLED);
+            PRIVACY_MODE_DISABLED, network_isolation_key);
         proxy_tcp_params = nullptr;
       }
 
@@ -158,7 +155,7 @@ std::unique_ptr<ConnectJob> ConnectJob::CreateConnectJob(
     auto ssl_params = base::MakeRefCounted<SSLSocketParams>(
         std::move(ssl_tcp_params), std::move(socks_params),
         std::move(http_proxy_params), endpoint, *ssl_config_for_origin,
-        privacy_mode);
+        privacy_mode, network_isolation_key);
     return std::make_unique<SSLConnectJob>(
         request_priority, socket_tag, common_connect_job_params,
         std::move(ssl_params), delegate, nullptr /* net_log */);
diff --git a/chromium/net/socket/connect_job.h b/chromium/net/socket/connect_job.h
index 6a267fad4fa..69274c11bab 100644
--- a/chromium/net/socket/connect_job.h
+++ b/chromium/net/socket/connect_job.h
@@ -68,8 +68,7 @@ struct NET_EXPORT_PRIVATE CommonConnectJobParams {
       QuicStreamFactory* quic_stream_factory,
       ProxyDelegate* proxy_delegate,
       const HttpUserAgentSettings* http_user_agent_settings,
-      const SSLClientSocketContext& ssl_client_socket_context,
-      const SSLClientSocketContext& ssl_client_socket_context_privacy_mode,
+      SSLClientContext* ssl_client_context,
       SocketPerformanceWatcherFactory* socket_performance_watcher_factory,
       NetworkQualityEstimator* network_quality_estimator,
       NetLog* net_log,
@@ -88,8 +87,7 @@ struct NET_EXPORT_PRIVATE CommonConnectJobParams {
   QuicStreamFactory* quic_stream_factory;
   ProxyDelegate* proxy_delegate;
   const HttpUserAgentSettings* http_user_agent_settings;
-  SSLClientSocketContext ssl_client_socket_context;
-  SSLClientSocketContext ssl_client_socket_context_privacy_mode;
+  SSLClientContext* ssl_client_context;
   SocketPerformanceWatcherFactory* socket_performance_watcher_factory;
   NetworkQualityEstimator* network_quality_estimator;
   NetLog* net_log;
@@ -265,11 +263,8 @@ class NET_EXPORT_PRIVATE ConnectJob {
   const HttpUserAgentSettings* http_user_agent_settings() const {
     return common_connect_job_params_->http_user_agent_settings;
   }
-  const SSLClientSocketContext& ssl_client_socket_context() {
-    return common_connect_job_params_->ssl_client_socket_context;
-  }
-  const SSLClientSocketContext& ssl_client_socket_context_privacy_mode() {
-    return common_connect_job_params_->ssl_client_socket_context_privacy_mode;
+  SSLClientContext* ssl_client_context() {
+    return common_connect_job_params_->ssl_client_context;
   }
   SocketPerformanceWatcherFactory* socket_performance_watcher_factory() {
     return common_connect_job_params_->socket_performance_watcher_factory;
diff --git a/chromium/net/socket/connect_job_unittest.cc b/chromium/net/socket/connect_job_unittest.cc
index 2c97a0ea928..ec058c41d23 100644
--- a/chromium/net/socket/connect_job_unittest.cc
+++ b/chromium/net/socket/connect_job_unittest.cc
@@ -90,7 +90,7 @@ class ConnectJobTest : public testing::Test {
  public:
   ConnectJobTest()
       : scoped_task_environment_(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME),
         common_connect_job_params_(
             nullptr /* client_socket_factory */,
             nullptr /* host_resolver */,
@@ -101,8 +101,7 @@ class ConnectJobTest : public testing::Test {
             nullptr /* quic_stream_factory */,
             nullptr /* proxy_delegate */,
             nullptr /* http_user_agent_settings */,
-            SSLClientSocketContext(),
-            SSLClientSocketContext(),
+            nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
             &net_log_,
@@ -184,8 +183,7 @@ TEST_F(ConnectJobTest, TimedOut) {
   // Have to delete the job for it to log the end event.
   job.reset();
 
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
 
   EXPECT_EQ(6u, entries.size());
   EXPECT_TRUE(LogContainsBeginEvent(entries, 0, NetLogEventType::CONNECT_JOB));
diff --git a/chromium/net/socket/fuzzed_datagram_client_socket.cc b/chromium/net/socket/fuzzed_datagram_client_socket.cc
index 6b011f843ac..db03e578df8 100644
--- a/chromium/net/socket/fuzzed_datagram_client_socket.cc
+++ b/chromium/net/socket/fuzzed_datagram_client_socket.cc
@@ -11,12 +11,12 @@
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/strings/string_piece.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace net {
 
@@ -29,8 +29,8 @@ const Error kWriteErrors[] = {ERR_FAILED, ERR_ADDRESS_UNREACHABLE,
                               ERR_MSG_TOO_BIG};
 
 FuzzedDatagramClientSocket::FuzzedDatagramClientSocket(
-    base::FuzzedDataProvider* data_provider)
-    : data_provider_(data_provider), weak_factory_(this) {}
+    FuzzedDataProvider* data_provider)
+    : data_provider_(data_provider) {}
 
 FuzzedDatagramClientSocket::~FuzzedDatagramClientSocket() = default;
 
diff --git a/chromium/net/socket/fuzzed_datagram_client_socket.h b/chromium/net/socket/fuzzed_datagram_client_socket.h
index 62c68db2c4e..f53eaecf430 100644
--- a/chromium/net/socket/fuzzed_datagram_client_socket.h
+++ b/chromium/net/socket/fuzzed_datagram_client_socket.h
@@ -16,9 +16,7 @@
 #include "net/log/net_log_with_source.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 
-namespace base {
 class FuzzedDataProvider;
-}
 
 namespace net {
 
@@ -30,7 +28,7 @@ class IOBuffer;
 class FuzzedDatagramClientSocket : public DatagramClientSocket {
  public:
   // |data_provider| must outlive the created socket.
-  explicit FuzzedDatagramClientSocket(base::FuzzedDataProvider* data_provider);
+  explicit FuzzedDatagramClientSocket(FuzzedDataProvider* data_provider);
   ~FuzzedDatagramClientSocket() override;
 
   // DatagramClientSocket implementation:
@@ -83,7 +81,7 @@ class FuzzedDatagramClientSocket : public DatagramClientSocket {
   void OnReadComplete(net::CompletionOnceCallback callback, int result);
   void OnWriteComplete(net::CompletionOnceCallback callback, int result);
 
-  base::FuzzedDataProvider* data_provider_;
+  FuzzedDataProvider* data_provider_;
 
   bool connected_ = false;
   bool read_pending_ = false;
@@ -93,7 +91,7 @@ class FuzzedDatagramClientSocket : public DatagramClientSocket {
 
   IPEndPoint remote_address_;
 
-  base::WeakPtrFactory<FuzzedDatagramClientSocket> weak_factory_;
+  base::WeakPtrFactory<FuzzedDatagramClientSocket> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(FuzzedDatagramClientSocket);
 };
diff --git a/chromium/net/socket/fuzzed_server_socket.cc b/chromium/net/socket/fuzzed_server_socket.cc
index cffa433de48..a5fc9dbe31a 100644
--- a/chromium/net/socket/fuzzed_server_socket.cc
+++ b/chromium/net/socket/fuzzed_server_socket.cc
@@ -13,13 +13,12 @@
 
 namespace net {
 
-FuzzedServerSocket::FuzzedServerSocket(base::FuzzedDataProvider* data_provider,
+FuzzedServerSocket::FuzzedServerSocket(FuzzedDataProvider* data_provider,
                                        net::NetLog* net_log)
     : data_provider_(data_provider),
       net_log_(net_log),
       first_accept_(true),
-      listen_called_(false),
-      weak_factory_(this) {}
+      listen_called_(false) {}
 
 FuzzedServerSocket::~FuzzedServerSocket() = default;
 
diff --git a/chromium/net/socket/fuzzed_server_socket.h b/chromium/net/socket/fuzzed_server_socket.h
index 0d9cd16f89a..03c6467246b 100644
--- a/chromium/net/socket/fuzzed_server_socket.h
+++ b/chromium/net/socket/fuzzed_server_socket.h
@@ -16,9 +16,7 @@
 #include "net/base/ip_endpoint.h"
 #include "net/socket/server_socket.h"
 
-namespace base {
 class FuzzedDataProvider;
-}
 
 namespace net {
 
@@ -34,8 +32,7 @@ class FuzzedServerSocket : public ServerSocket {
   // |data_provider| is used as to determine behavior of the socket. It
   // must remain valid until after both this object and the StreamSocket
   // produced by Accept are destroyed.
-  FuzzedServerSocket(base::FuzzedDataProvider* data_provider,
-                     net::NetLog* net_log);
+  FuzzedServerSocket(FuzzedDataProvider* data_provider, net::NetLog* net_log);
   ~FuzzedServerSocket() override;
 
   int Listen(const IPEndPoint& address, int backlog) override;
@@ -48,14 +45,14 @@ class FuzzedServerSocket : public ServerSocket {
   void DispatchAccept(std::unique_ptr<StreamSocket>* socket,
                       CompletionOnceCallback callback);
 
-  base::FuzzedDataProvider* data_provider_;
+  FuzzedDataProvider* data_provider_;
   net::NetLog* net_log_;
 
   IPEndPoint listening_on_;
   bool first_accept_;
   bool listen_called_;
 
-  base::WeakPtrFactory<FuzzedServerSocket> weak_factory_;
+  base::WeakPtrFactory<FuzzedServerSocket> weak_factory_{this};
   DISALLOW_COPY_AND_ASSIGN(FuzzedServerSocket);
 };
 
diff --git a/chromium/net/socket/fuzzed_socket.cc b/chromium/net/socket/fuzzed_socket.cc
index b974d9c4d03..9952f2d826f 100644
--- a/chromium/net/socket/fuzzed_socket.cc
+++ b/chromium/net/socket/fuzzed_socket.cc
@@ -9,11 +9,11 @@
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/io_buffer.h"
 #include "net/log/net_log_source_type.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace net {
 
@@ -36,12 +36,11 @@ const Error kReadWriteErrors[] = {ERR_CONNECTION_CLOSED, ERR_FAILED,
 
 }  // namespace
 
-FuzzedSocket::FuzzedSocket(base::FuzzedDataProvider* data_provider,
+FuzzedSocket::FuzzedSocket(FuzzedDataProvider* data_provider,
                            net::NetLog* net_log)
     : data_provider_(data_provider),
       net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::SOCKET)),
-      remote_address_(IPEndPoint(IPAddress::IPv4Localhost(), 80)),
-      weak_factory_(this) {}
+      remote_address_(IPEndPoint(IPAddress::IPv4Localhost(), 80)) {}
 
 FuzzedSocket::~FuzzedSocket() = default;
 
diff --git a/chromium/net/socket/fuzzed_socket.h b/chromium/net/socket/fuzzed_socket.h
index abe59615c35..8e420c10dac 100644
--- a/chromium/net/socket/fuzzed_socket.h
+++ b/chromium/net/socket/fuzzed_socket.h
@@ -17,9 +17,7 @@
 #include "net/socket/transport_client_socket.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 
-namespace base {
 class FuzzedDataProvider;
-}
 
 namespace net {
 
@@ -43,7 +41,7 @@ class FuzzedSocket : public TransportClientSocket {
  public:
   // |data_provider| is used as to determine behavior of the FuzzedSocket. It
   // must remain valid until after the FuzzedSocket is destroyed.
-  FuzzedSocket(base::FuzzedDataProvider* data_provider, net::NetLog* net_log);
+  FuzzedSocket(FuzzedDataProvider* data_provider, net::NetLog* net_log);
   ~FuzzedSocket() override;
 
   // If set to true, the socket will fuzz the result of the Connect() call.
@@ -104,7 +102,7 @@ class FuzzedSocket : public TransportClientSocket {
   // See https://crbug.com/823012
   bool ForceSync() const;
 
-  base::FuzzedDataProvider* data_provider_;
+  FuzzedDataProvider* data_provider_;
 
   // If true, the result of the Connect() call is fuzzed - it can succeed or
   // fail with a variety of connection errors, and it can complete synchronously
@@ -133,7 +131,7 @@ class FuzzedSocket : public TransportClientSocket {
 
   IPEndPoint remote_address_;
 
-  base::WeakPtrFactory<FuzzedSocket> weak_factory_;
+  base::WeakPtrFactory<FuzzedSocket> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(FuzzedSocket);
 };
diff --git a/chromium/net/socket/fuzzed_socket_factory.cc b/chromium/net/socket/fuzzed_socket_factory.cc
index 7736fa429e3..83e796bd6a9 100644
--- a/chromium/net/socket/fuzzed_socket_factory.cc
+++ b/chromium/net/socket/fuzzed_socket_factory.cc
@@ -5,7 +5,6 @@
 #include "net/socket/fuzzed_socket_factory.h"
 
 #include "base/logging.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/address_list.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
@@ -16,6 +15,7 @@
 #include "net/socket/fuzzed_socket.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace net {
 
@@ -105,8 +105,7 @@ class FailingSSLClientSocket : public SSLClientSocket {
 
 }  // namespace
 
-FuzzedSocketFactory::FuzzedSocketFactory(
-    base::FuzzedDataProvider* data_provider)
+FuzzedSocketFactory::FuzzedSocketFactory(FuzzedDataProvider* data_provider)
     : data_provider_(data_provider), fuzz_connect_result_(true) {}
 
 FuzzedSocketFactory::~FuzzedSocketFactory() = default;
@@ -134,10 +133,10 @@ FuzzedSocketFactory::CreateTransportClientSocket(
 }
 
 std::unique_ptr<SSLClientSocket> FuzzedSocketFactory::CreateSSLClientSocket(
+    SSLClientContext* context,
     std::unique_ptr<StreamSocket> stream_socket,
     const HostPortPair& host_and_port,
-    const SSLConfig& ssl_config,
-    const SSLClientSocketContext& context) {
+    const SSLConfig& ssl_config) {
   return std::make_unique<FailingSSLClientSocket>();
 }
 
diff --git a/chromium/net/socket/fuzzed_socket_factory.h b/chromium/net/socket/fuzzed_socket_factory.h
index 4002d0060c9..c0dd972d275 100644
--- a/chromium/net/socket/fuzzed_socket_factory.h
+++ b/chromium/net/socket/fuzzed_socket_factory.h
@@ -11,9 +11,7 @@
 #include "base/macros.h"
 #include "net/socket/client_socket_factory.h"
 
-namespace base {
 class FuzzedDataProvider;
-}
 
 namespace net {
 
@@ -33,7 +31,7 @@ class FuzzedSocketFactory : public ClientSocketFactory {
   // creates. Other objects can also continue to consume |data_provider|, as
   // long as their calls into it are made on the CLientSocketFactory's thread
   // and the calls are deterministic.
-  explicit FuzzedSocketFactory(base::FuzzedDataProvider* data_provider);
+  explicit FuzzedSocketFactory(FuzzedDataProvider* data_provider);
   ~FuzzedSocketFactory() override;
 
   std::unique_ptr<DatagramClientSocket> CreateDatagramClientSocket(
@@ -48,10 +46,10 @@ class FuzzedSocketFactory : public ClientSocketFactory {
       const NetLogSource& source) override;
 
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> stream_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override;
+      const SSLConfig& ssl_config) override;
 
   std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
       std::unique_ptr<StreamSocket> stream_socket,
@@ -70,7 +68,7 @@ class FuzzedSocketFactory : public ClientSocketFactory {
   void set_fuzz_connect_result(bool v) { fuzz_connect_result_ = v; }
 
  private:
-  base::FuzzedDataProvider* data_provider_;
+  FuzzedDataProvider* data_provider_;
   bool fuzz_connect_result_;
 
   DISALLOW_COPY_AND_ASSIGN(FuzzedSocketFactory);
diff --git a/chromium/net/socket/socket_bio_adapter.cc b/chromium/net/socket/socket_bio_adapter.cc
index 6e2496972e3..6f134af6634 100644
--- a/chromium/net/socket/socket_bio_adapter.cc
+++ b/chromium/net/socket/socket_bio_adapter.cc
@@ -66,8 +66,7 @@ SocketBIOAdapter::SocketBIOAdapter(StreamSocket* socket,
       write_buffer_capacity_(write_buffer_capacity),
       write_buffer_used_(0),
       write_error_(OK),
-      delegate_(delegate),
-      weak_factory_(this) {
+      delegate_(delegate) {
   bio_.reset(BIO_new(&kBIOMethod));
   bio_->ptr = this;
   bio_->init = 1;
diff --git a/chromium/net/socket/socket_bio_adapter.h b/chromium/net/socket/socket_bio_adapter.h
index 95475350b3c..98421c701e4 100644
--- a/chromium/net/socket/socket_bio_adapter.h
+++ b/chromium/net/socket/socket_bio_adapter.h
@@ -136,7 +136,7 @@ class NET_EXPORT_PRIVATE SocketBIOAdapter {
 
   Delegate* delegate_;
 
-  base::WeakPtrFactory<SocketBIOAdapter> weak_factory_;
+  base::WeakPtrFactory<SocketBIOAdapter> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SocketBIOAdapter);
 };
diff --git a/chromium/net/socket/socket_net_log_params.cc b/chromium/net/socket/socket_net_log_params.cc
index bde45306a4c..eb8d372c576 100644
--- a/chromium/net/socket/socket_net_log_params.cc
+++ b/chromium/net/socket/socket_net_log_params.cc
@@ -12,37 +12,39 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_endpoint.h"
 #include "net/log/net_log_capture_mode.h"
+#include "net/log/net_log_with_source.h"
 
 namespace net {
 
-namespace {
-
-base::Value NetLogSocketErrorCallback(int net_error,
-                                      int os_error,
-                                      NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSocketErrorParams(int net_error, int os_error) {
   base::DictionaryValue dict;
   dict.SetInteger("net_error", net_error);
   dict.SetInteger("os_error", os_error);
   return std::move(dict);
 }
 
-base::Value NetLogHostPortPairCallback(const HostPortPair* host_and_port,
-                                       NetLogCaptureMode /* capture_mode */) {
+void NetLogSocketError(const NetLogWithSource& net_log,
+                       NetLogEventType type,
+                       int net_error,
+                       int os_error) {
+  net_log.AddEvent(
+      type, [&] { return NetLogSocketErrorParams(net_error, os_error); });
+}
+
+base::Value CreateNetLogHostPortPairParams(const HostPortPair* host_and_port) {
   base::DictionaryValue dict;
   dict.SetString("host_and_port", host_and_port->ToString());
   return std::move(dict);
 }
 
-base::Value NetLogIPEndPointCallback(const IPEndPoint* address,
-                                     NetLogCaptureMode /* capture_mode */) {
+base::Value CreateNetLogIPEndPointParams(const IPEndPoint* address) {
   base::DictionaryValue dict;
   dict.SetString("address", address->ToString());
   return std::move(dict);
 }
 
-base::Value NetLogSourceAddressCallback(const struct sockaddr* net_address,
-                                        socklen_t address_len,
-                                        NetLogCaptureMode /* capture_mode */) {
+base::Value CreateNetLogSourceAddressParams(const struct sockaddr* net_address,
+                                            socklen_t address_len) {
   base::DictionaryValue dict;
   IPEndPoint ipe;
   bool result = ipe.FromSockAddr(net_address, address_len);
@@ -51,27 +53,4 @@ base::Value NetLogSourceAddressCallback(const struct sockaddr* net_address,
   return std::move(dict);
 }
 
-}  // namespace
-
-NetLogParametersCallback CreateNetLogSocketErrorCallback(int net_error,
-                                                         int os_error) {
-  return base::Bind(&NetLogSocketErrorCallback, net_error, os_error);
-}
-
-NetLogParametersCallback CreateNetLogHostPortPairCallback(
-    const HostPortPair* host_and_port) {
-  return base::Bind(&NetLogHostPortPairCallback, host_and_port);
-}
-
-NetLogParametersCallback CreateNetLogIPEndPointCallback(
-    const IPEndPoint* address) {
-  return base::Bind(&NetLogIPEndPointCallback, address);
-}
-
-NetLogParametersCallback CreateNetLogSourceAddressCallback(
-    const struct sockaddr* net_address,
-    socklen_t address_len) {
-  return base::Bind(&NetLogSourceAddressCallback, net_address, address_len);
-}
-
 }  // namespace net
diff --git a/chromium/net/socket/socket_net_log_params.h b/chromium/net/socket/socket_net_log_params.h
index c1c2c4347cd..37dfacbac90 100644
--- a/chromium/net/socket/socket_net_log_params.h
+++ b/chromium/net/socket/socket_net_log_params.h
@@ -6,32 +6,33 @@
 #define NET_SOCKET_SOCKET_NET_LOG_PARAMS_H_
 
 #include "net/base/sys_addrinfo.h"
-#include "net/log/net_log_parameters_callback.h"
+#include "net/log/net_log_event_type.h"
+
+namespace base {
+class Value;
+}
 
 namespace net {
 
+class NetLogWithSource;
 class HostPortPair;
 class IPEndPoint;
 
-// Creates a NetLog callback for socket error events.
-NetLogParametersCallback CreateNetLogSocketErrorCallback(int net_error,
-                                                         int os_error);
-
-// Creates a NetLog callback for a HostPortPair.
-// |host_and_port| must remain valid for the lifetime of the returned callback.
-NetLogParametersCallback CreateNetLogHostPortPairCallback(
-    const HostPortPair* host_and_port);
-
-// Creates a NetLog callback for an IPEndPoint.
-// |address| must remain valid for the lifetime of the returned callback.
-NetLogParametersCallback CreateNetLogIPEndPointCallback(
-    const IPEndPoint* address);
-
-// Creates a NetLog callback for the source sockaddr on connect events.
-// |net_address| must remain valid for the lifetime of the returned callback.
-NetLogParametersCallback CreateNetLogSourceAddressCallback(
-    const struct sockaddr* net_address,
-    socklen_t address_len);
+// Emits an event to NetLog with socket error parameters.
+void NetLogSocketError(const NetLogWithSource& net_log,
+                       NetLogEventType type,
+                       int net_error,
+                       int os_error);
+
+// Creates a NetLog parameters for a HostPortPair.
+base::Value CreateNetLogHostPortPairParams(const HostPortPair* host_and_port);
+
+// Creates a NetLog parameters for an IPEndPoint.
+base::Value CreateNetLogIPEndPointParams(const IPEndPoint* address);
+
+// Creates a NetLog parameters for the source sockaddr on connect events.
+base::Value CreateNetLogSourceAddressParams(const struct sockaddr* net_address,
+                                            socklen_t address_len);
 
 }  // namespace net
 
diff --git a/chromium/net/socket/socket_test_util.cc b/chromium/net/socket/socket_test_util.cc
index bb05c92bba5..65f78408ebd 100644
--- a/chromium/net/socket/socket_test_util.cc
+++ b/chromium/net/socket/socket_test_util.cc
@@ -220,7 +220,8 @@ void StaticSocketDataHelper::Reset() {
   write_index_ = 0;
 }
 
-bool StaticSocketDataHelper::VerifyWriteData(const std::string& data) {
+bool StaticSocketDataHelper::VerifyWriteData(const std::string& data,
+                                             SocketDataPrinter* printer) {
   CHECK(!AllWriteDataConsumed());
   // Check that the actual data matches the expectations, skipping over any
   // pause events.
@@ -240,6 +241,12 @@ bool StaticSocketDataHelper::VerifyWriteData(const std::string& data) {
   EXPECT_TRUE(actual_data == expected_data)
       << "Actual write data:\n" << HexDump(data)
       << "Expected write data:\n" << HexDump(expected_data);
+  if (printer) {
+    EXPECT_TRUE(actual_data == expected_data)
+        << "Actual write data:\n"
+        << printer->PrintWrite(data) << "Expected write data:\n"
+        << printer->PrintWrite(expected_data);
+  }
   return expected_data == actual_data;
 }
 
@@ -295,7 +302,7 @@ MockWriteResult StaticSocketDataProvider::OnWrite(const std::string& data) {
 
   // Check that what we are writing matches the expectation.
   // Then give the mocked return value.
-  if (!helper_.VerifyWriteData(data))
+  if (!helper_.VerifyWriteData(data, printer_))
     return MockWriteResult(SYNCHRONOUS, ERR_UNEXPECTED);
 
   const MockWrite& next_write = helper_.AdvanceWrite();
@@ -354,8 +361,7 @@ SequencedSocketData::SequencedSocketData(base::span<const MockRead> reads,
       sequence_number_(0),
       read_state_(IDLE),
       write_state_(IDLE),
-      busy_before_sync_reads_(false),
-      weak_factory_(this) {
+      busy_before_sync_reads_(false) {
   // Check that reads and writes have a contiguous set of sequence numbers
   // starting from 0 and working their way up, with no repeats and skipping
   // no values.
@@ -435,7 +441,8 @@ SequencedSocketData::SequencedSocketData(const MockConnect& connect,
 
 MockRead SequencedSocketData::OnRead() {
   CHECK_EQ(IDLE, read_state_);
-  CHECK(!helper_.AllReadDataConsumed());
+  CHECK(!helper_.AllReadDataConsumed())
+      << "Application tried to read but there is no read data left";
 
   NET_TRACE(1, " *** ") << "sequence_number: " << sequence_number_;
   const MockRead& next_read = helper_.PeekRead();
@@ -487,7 +494,7 @@ MockWriteResult SequencedSocketData::OnWrite(const std::string& data) {
   NET_TRACE(1, " *** ") << "next_write: " << next_write.sequence_number;
   CHECK_GE(next_write.sequence_number, sequence_number_);
 
-  if (!helper_.VerifyWriteData(data))
+  if (!helper_.VerifyWriteData(data, printer_))
     return MockWriteResult(SYNCHRONOUS, ERR_UNEXPECTED);
 
   if (next_write.sequence_number <= sequence_number_) {
@@ -785,10 +792,10 @@ MockClientSocketFactory::CreateTransportClientSocket(
 }
 
 std::unique_ptr<SSLClientSocket> MockClientSocketFactory::CreateSSLClientSocket(
+    SSLClientContext* context,
     std::unique_ptr<StreamSocket> stream_socket,
     const HostPortPair& host_and_port,
-    const SSLConfig& ssl_config,
-    const SSLClientSocketContext& context) {
+    const SSLConfig& ssl_config) {
   SSLSocketDataProvider* next_ssl_data = mock_ssl_data_.GetNext();
   if (next_ssl_data->next_protos_expected_in_ssl_config.has_value()) {
     EXPECT_EQ(next_ssl_data->next_protos_expected_in_ssl_config.value().size(),
@@ -812,9 +819,12 @@ std::unique_ptr<SSLClientSocket> MockClientSocketFactory::CreateSSLClientSocket(
       EXPECT_FALSE(ssl_config.client_cert);
     }
   }
-  if (next_ssl_data->expected_false_start_enabled) {
-    EXPECT_EQ(*next_ssl_data->expected_false_start_enabled,
-              ssl_config.false_start_enabled);
+  if (next_ssl_data->expected_host_and_port) {
+    EXPECT_EQ(*next_ssl_data->expected_host_and_port, host_and_port);
+  }
+  if (next_ssl_data->expected_network_isolation_key) {
+    EXPECT_EQ(*next_ssl_data->expected_network_isolation_key,
+              ssl_config.network_isolation_key);
   }
   return std::unique_ptr<SSLClientSocket>(new MockSSLClientSocket(
       std::move(stream_socket), host_and_port, ssl_config, next_ssl_data));
@@ -845,7 +855,7 @@ MockClientSocketFactory::CreateProxyClientSocket(
 }
 
 MockClientSocket::MockClientSocket(const NetLogWithSource& net_log)
-    : connected_(false), net_log_(net_log), weak_factory_(this) {
+    : connected_(false), net_log_(net_log) {
   local_addr_ = IPEndPoint(IPAddress(192, 0, 2, 33), 123);
   peer_addr_ = IPEndPoint(IPAddress(192, 0, 2, 33), 0);
 }
@@ -1290,8 +1300,7 @@ MockProxyClientSocket::MockProxyClientSocket(
     : net_log_(socket->NetLog()),
       socket_(std::move(socket)),
       data_(data),
-      auth_controller_(auth_controller),
-      weak_factory_(this) {
+      auth_controller_(auth_controller) {
   DCHECK(data_);
 }
 
@@ -1457,8 +1466,7 @@ MockSSLClientSocket::MockSSLClientSocket(
     SSLSocketDataProvider* data)
     : net_log_(stream_socket->NetLog()),
       stream_socket_(std::move(stream_socket)),
-      data_(data),
-      weak_factory_(this) {
+      data_(data) {
   DCHECK(data_);
   peer_addr_ = data->connect.peer_addr;
 }
@@ -1659,8 +1667,7 @@ MockUDPClientSocket::MockUDPClientSocket(SocketDataProvider* data,
       network_(NetworkChangeNotifier::kInvalidNetworkHandle),
       pending_read_buf_(nullptr),
       pending_read_buf_len_(0),
-      net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::NONE)),
-      weak_factory_(this) {
+      net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::NONE)) {
   DCHECK(data_);
   data_->Initialize(this);
   peer_addr_ = data->connect_data().peer_addr;
diff --git a/chromium/net/socket/socket_test_util.h b/chromium/net/socket/socket_test_util.h
index 05d4c51e62d..94f9905af13 100644
--- a/chromium/net/socket/socket_test_util.h
+++ b/chromium/net/socket/socket_test_util.h
@@ -355,6 +355,15 @@ class AsyncSocket {
   virtual void OnDataProviderDestroyed() = 0;
 };
 
+class SocketDataPrinter {
+ public:
+  ~SocketDataPrinter() = default;
+
+  // Prints the write in |data| using some sort of protocol-specific
+  // format.
+  virtual std::string PrintWrite(const std::string& data) = 0;
+};
+
 // StaticSocketDataHelper manages a list of reads and writes.
 class StaticSocketDataHelper {
  public:
@@ -377,7 +386,7 @@ class StaticSocketDataHelper {
   // Returns true if |data| is valid data for the next write. In order
   // to support short writes, the next write may be longer than |data|
   // in which case this method will still return true.
-  bool VerifyWriteData(const std::string& data);
+  bool VerifyWriteData(const std::string& data, SocketDataPrinter* printer);
 
   size_t read_index() const { return read_index_; }
   size_t write_index() const { return write_index_; }
@@ -424,11 +433,14 @@ class StaticSocketDataProvider : public SocketDataProvider {
   size_t read_count() const { return helper_.read_count(); }
   size_t write_count() const { return helper_.write_count(); }
 
+  void set_printer(SocketDataPrinter* printer) { printer_ = printer; }
+
  private:
   // From SocketDataProvider:
   void Reset() override;
 
   StaticSocketDataHelper helper_;
+  SocketDataPrinter* printer_ = nullptr;
   bool paused_ = false;
 
   DISALLOW_COPY_AND_ASSIGN(StaticSocketDataProvider);
@@ -482,7 +494,8 @@ struct SSLSocketDataProvider {
   uint16_t expected_ssl_version_max;
   base::Optional<bool> expected_send_client_cert;
   scoped_refptr<X509Certificate> expected_client_cert;
-  base::Optional<bool> expected_false_start_enabled;
+  base::Optional<HostPortPair> expected_host_and_port;
+  base::Optional<NetworkIsolationKey> expected_network_isolation_key;
 
   bool is_connect_data_consumed = false;
   bool is_confirm_data_consumed = false;
@@ -542,6 +555,8 @@ class SequencedSocketData : public SocketDataProvider {
     busy_before_sync_reads_ = busy_before_sync_reads;
   }
 
+  void set_printer(SocketDataPrinter* printer) { printer_ = printer; }
+
  private:
   // Defines the state for the read or write path.
   enum IoState {
@@ -562,6 +577,7 @@ class SequencedSocketData : public SocketDataProvider {
   void MaybePostWriteCompleteTask();
 
   StaticSocketDataHelper helper_;
+  SocketDataPrinter* printer_ = nullptr;
   int sequence_number_;
   IoState read_state_;
   IoState write_state_;
@@ -571,7 +587,7 @@ class SequencedSocketData : public SocketDataProvider {
   // Used by RunUntilPaused.  NULL at all other times.
   std::unique_ptr<base::RunLoop> run_until_paused_run_loop_;
 
-  base::WeakPtrFactory<SequencedSocketData> weak_factory_;
+  base::WeakPtrFactory<SequencedSocketData> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SequencedSocketData);
 };
@@ -649,10 +665,10 @@ class MockClientSocketFactory : public ClientSocketFactory {
       NetLog* net_log,
       const NetLogSource& source) override;
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> stream_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override;
+      const SSLConfig& ssl_config) override;
   std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
       std::unique_ptr<StreamSocket> stream_socket,
       const std::string& user_agent,
@@ -735,7 +751,7 @@ class MockClientSocket : public TransportClientSocket {
   NetLogWithSource net_log_;
 
  private:
-  base::WeakPtrFactory<MockClientSocket> weak_factory_;
+  base::WeakPtrFactory<MockClientSocket> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(MockClientSocket);
 };
@@ -896,7 +912,7 @@ class MockProxyClientSocket : public AsyncSocket, public ProxyClientSocket {
   ProxyClientSocketDataProvider* data_;
   scoped_refptr<HttpAuthController> auth_controller_;
 
-  base::WeakPtrFactory<MockProxyClientSocket> weak_factory_;
+  base::WeakPtrFactory<MockProxyClientSocket> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(MockProxyClientSocket);
 };
@@ -978,7 +994,7 @@ class MockSSLClientSocket : public AsyncSocket, public SSLClientSocket {
   // Address of the "remote" peer we're connected to.
   IPEndPoint peer_addr_;
 
-  base::WeakPtrFactory<MockSSLClientSocket> weak_factory_;
+  base::WeakPtrFactory<MockSSLClientSocket> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(MockSSLClientSocket);
 };
@@ -1085,7 +1101,7 @@ class MockUDPClientSocket : public DatagramClientSocket, public AsyncSocket {
   bool data_transferred_ = false;
   bool tagged_before_data_transferred_ = true;
 
-  base::WeakPtrFactory<MockUDPClientSocket> weak_factory_;
+  base::WeakPtrFactory<MockUDPClientSocket> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(MockUDPClientSocket);
 };
diff --git a/chromium/net/socket/socks5_client_socket.cc b/chromium/net/socket/socks5_client_socket.cc
index 832afa61c78..e22ddb2630b 100644
--- a/chromium/net/socket/socks5_client_socket.cc
+++ b/chromium/net/socket/socks5_client_socket.cc
@@ -334,13 +334,13 @@ int SOCKS5ClientSocket::DoGreetReadComplete(int result) {
 
   // Got the greet data.
   if (buffer_[0] != kSOCKS5Version) {
-    net_log_.AddEvent(NetLogEventType::SOCKS_UNEXPECTED_VERSION,
-                      NetLog::IntCallback("version", buffer_[0]));
+    net_log_.AddEventWithIntParams(NetLogEventType::SOCKS_UNEXPECTED_VERSION,
+                                   "version", buffer_[0]);
     return ERR_SOCKS_CONNECTION_FAILED;
   }
   if (buffer_[1] != 0x00) {
-    net_log_.AddEvent(NetLogEventType::SOCKS_UNEXPECTED_AUTH,
-                      NetLog::IntCallback("method", buffer_[1]));
+    net_log_.AddEventWithIntParams(NetLogEventType::SOCKS_UNEXPECTED_AUTH,
+                                   "method", buffer_[1]);
     return ERR_SOCKS_CONNECTION_FAILED;
   }
 
@@ -442,13 +442,13 @@ int SOCKS5ClientSocket::DoHandshakeReadComplete(int result) {
   // and accordingly increase them
   if (bytes_received_ == kReadHeaderSize) {
     if (buffer_[0] != kSOCKS5Version || buffer_[2] != kNullByte) {
-      net_log_.AddEvent(NetLogEventType::SOCKS_UNEXPECTED_VERSION,
-                        NetLog::IntCallback("version", buffer_[0]));
+      net_log_.AddEventWithIntParams(NetLogEventType::SOCKS_UNEXPECTED_VERSION,
+                                     "version", buffer_[0]);
       return ERR_SOCKS_CONNECTION_FAILED;
     }
     if (buffer_[1] != 0x00) {
-      net_log_.AddEvent(NetLogEventType::SOCKS_SERVER_ERROR,
-                        NetLog::IntCallback("error_code", buffer_[1]));
+      net_log_.AddEventWithIntParams(NetLogEventType::SOCKS_SERVER_ERROR,
+                                     "error_code", buffer_[1]);
       return ERR_SOCKS_CONNECTION_FAILED;
     }
 
@@ -466,8 +466,9 @@ int SOCKS5ClientSocket::DoHandshakeReadComplete(int result) {
     } else if (address_type == kEndPointResolvedIPv6) {
       read_header_size += sizeof(struct in6_addr) - 1;
     } else {
-      net_log_.AddEvent(NetLogEventType::SOCKS_UNKNOWN_ADDRESS_TYPE,
-                        NetLog::IntCallback("address_type", buffer_[3]));
+      net_log_.AddEventWithIntParams(
+          NetLogEventType::SOCKS_UNKNOWN_ADDRESS_TYPE, "address_type",
+          buffer_[3]);
       return ERR_SOCKS_CONNECTION_FAILED;
     }
 
diff --git a/chromium/net/socket/socks5_client_socket_fuzzer.cc b/chromium/net/socket/socks5_client_socket_fuzzer.cc
index ad2a9a9282d..a2fb1cc51ee 100644
--- a/chromium/net/socket/socks5_client_socket_fuzzer.cc
+++ b/chromium/net/socket/socks5_client_socket_fuzzer.cc
@@ -8,7 +8,7 @@
 #include <memory>
 
 #include "base/logging.h"
-#include "base/test/fuzzed_data_provider.h"
+
 #include "net/base/address_list.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
@@ -16,6 +16,7 @@
 #include "net/socket/fuzzed_socket.h"
 #include "net/socket/socks5_client_socket.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Fuzzer for Socks5ClientSocket.  Only covers the SOCKS5 greeet and
 // handshake.
@@ -26,7 +27,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Use a test NetLog, to exercise logging code.
   net::TestNetLog test_net_log;
 
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
 
   net::TestCompletionCallback callback;
   std::unique_ptr<net::FuzzedSocket> fuzzed_socket(
diff --git a/chromium/net/socket/socks5_client_socket_unittest.cc b/chromium/net/socket/socks5_client_socket_unittest.cc
index 4d76dd3c358..a25befe078c 100644
--- a/chromium/net/socket/socks5_client_socket_unittest.cc
+++ b/chromium/net/socket/socks5_client_socket_unittest.cc
@@ -19,7 +19,6 @@
 #include "net/base/winsock_init.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/socket_test_util.h"
@@ -143,8 +142,7 @@ TEST_F(SOCKS5ClientSocketTest, CompleteHandshake) {
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   EXPECT_FALSE(user_sock_->IsConnected());
 
-  TestNetLogEntry::List net_log_entries;
-  net_log_.GetEntries(&net_log_entries);
+  auto net_log_entries = net_log_.GetEntries();
   EXPECT_TRUE(LogContainsBeginEvent(net_log_entries, 0,
                                     NetLogEventType::SOCKS5_CONNECT));
 
@@ -153,7 +151,7 @@ TEST_F(SOCKS5ClientSocketTest, CompleteHandshake) {
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(user_sock_->IsConnected());
 
-  net_log_.GetEntries(&net_log_entries);
+  net_log_entries = net_log_.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(net_log_entries, -1,
                                   NetLogEventType::SOCKS5_CONNECT));
 
@@ -265,8 +263,7 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) {
     int rv = user_sock_->Connect(callback_.callback());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
-    TestNetLogEntry::List net_log_entries;
-    net_log_.GetEntries(&net_log_entries);
+    auto net_log_entries = net_log_.GetEntries();
     EXPECT_TRUE(LogContainsBeginEvent(net_log_entries, 0,
                                       NetLogEventType::SOCKS5_CONNECT));
 
@@ -274,7 +271,7 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) {
     EXPECT_THAT(rv, IsOk());
     EXPECT_TRUE(user_sock_->IsConnected());
 
-    net_log_.GetEntries(&net_log_entries);
+    net_log_entries = net_log_.GetEntries();
     EXPECT_TRUE(LogContainsEndEvent(net_log_entries, -1,
                                     NetLogEventType::SOCKS5_CONNECT));
   }
@@ -295,14 +292,13 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) {
     int rv = user_sock_->Connect(callback_.callback());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
-    TestNetLogEntry::List net_log_entries;
-    net_log_.GetEntries(&net_log_entries);
+    auto net_log_entries = net_log_.GetEntries();
     EXPECT_TRUE(LogContainsBeginEvent(net_log_entries, 0,
                                       NetLogEventType::SOCKS5_CONNECT));
     rv = callback_.WaitForResult();
     EXPECT_THAT(rv, IsOk());
     EXPECT_TRUE(user_sock_->IsConnected());
-    net_log_.GetEntries(&net_log_entries);
+    net_log_entries = net_log_.GetEntries();
     EXPECT_TRUE(LogContainsEndEvent(net_log_entries, -1,
                                     NetLogEventType::SOCKS5_CONNECT));
   }
@@ -322,14 +318,13 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) {
         BuildMockSocket(data_reads, data_writes, hostname, 80, &net_log_);
     int rv = user_sock_->Connect(callback_.callback());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-    TestNetLogEntry::List net_log_entries;
-    net_log_.GetEntries(&net_log_entries);
+    auto net_log_entries = net_log_.GetEntries();
     EXPECT_TRUE(LogContainsBeginEvent(net_log_entries, 0,
                                       NetLogEventType::SOCKS5_CONNECT));
     rv = callback_.WaitForResult();
     EXPECT_THAT(rv, IsOk());
     EXPECT_TRUE(user_sock_->IsConnected());
-    net_log_.GetEntries(&net_log_entries);
+    net_log_entries = net_log_.GetEntries();
     EXPECT_TRUE(LogContainsEndEvent(net_log_entries, -1,
                                     NetLogEventType::SOCKS5_CONNECT));
   }
@@ -351,14 +346,13 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) {
         BuildMockSocket(data_reads, data_writes, hostname, 80, &net_log_);
     int rv = user_sock_->Connect(callback_.callback());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-    TestNetLogEntry::List net_log_entries;
-    net_log_.GetEntries(&net_log_entries);
+    auto net_log_entries = net_log_.GetEntries();
     EXPECT_TRUE(LogContainsBeginEvent(net_log_entries, 0,
                                       NetLogEventType::SOCKS5_CONNECT));
     rv = callback_.WaitForResult();
     EXPECT_THAT(rv, IsOk());
     EXPECT_TRUE(user_sock_->IsConnected());
-    net_log_.GetEntries(&net_log_entries);
+    net_log_entries = net_log_.GetEntries();
     EXPECT_TRUE(LogContainsEndEvent(net_log_entries, -1,
                                     NetLogEventType::SOCKS5_CONNECT));
   }
diff --git a/chromium/net/socket/socks_client_socket_fuzzer.cc b/chromium/net/socket/socks_client_socket_fuzzer.cc
index 6f300f98339..be5764cca0f 100644
--- a/chromium/net/socket/socks_client_socket_fuzzer.cc
+++ b/chromium/net/socket/socks_client_socket_fuzzer.cc
@@ -8,7 +8,6 @@
 #include <memory>
 
 #include "base/logging.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/address_list.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
@@ -18,6 +17,7 @@
 #include "net/socket/fuzzed_socket.h"
 #include "net/socket/socks_client_socket.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Fuzzer for SocksClientSocket.  Only covers the SOCKS4 handshake.
 //
@@ -27,7 +27,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Use a test NetLog, to exercise logging code.
   net::TestNetLog test_net_log;
 
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
 
   // Determine if the DNS lookup returns synchronously or asynchronously,
   // succeeds or fails, and returns an IPv4 or IPv6 address.
diff --git a/chromium/net/socket/socks_client_socket_unittest.cc b/chromium/net/socket/socks_client_socket_unittest.cc
index 099e9b688c0..a946f2e1eac 100644
--- a/chromium/net/socket/socks_client_socket_unittest.cc
+++ b/chromium/net/socket/socks_client_socket_unittest.cc
@@ -18,7 +18,6 @@
 #include "net/dns/mock_host_resolver.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/socket_test_util.h"
@@ -127,8 +126,7 @@ TEST_F(SOCKSClientSocketTest, CompleteHandshake) {
     int rv = user_sock_->Connect(callback_.callback());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
-    TestNetLogEntry::List entries;
-    log.GetEntries(&entries);
+    auto entries = log.GetEntries();
     EXPECT_TRUE(
         LogContainsBeginEvent(entries, 0, NetLogEventType::SOCKS_CONNECT));
     EXPECT_FALSE(user_sock_->IsConnected());
@@ -136,7 +134,7 @@ TEST_F(SOCKSClientSocketTest, CompleteHandshake) {
     rv = callback_.WaitForResult();
     EXPECT_THAT(rv, IsOk());
     EXPECT_TRUE(user_sock_->IsConnected());
-    log.GetEntries(&entries);
+    entries = log.GetEntries();
     EXPECT_TRUE(
         LogContainsEndEvent(entries, -1, NetLogEventType::SOCKS_CONNECT));
 
@@ -242,8 +240,7 @@ TEST_F(SOCKSClientSocketTest, HandshakeFailures) {
     int rv = user_sock_->Connect(callback_.callback());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
-    TestNetLogEntry::List entries;
-    log.GetEntries(&entries);
+    auto entries = log.GetEntries();
     EXPECT_TRUE(
         LogContainsBeginEvent(entries, 0, NetLogEventType::SOCKS_CONNECT));
 
@@ -251,7 +248,7 @@ TEST_F(SOCKSClientSocketTest, HandshakeFailures) {
     EXPECT_EQ(test.fail_code, rv);
     EXPECT_FALSE(user_sock_->IsConnected());
     EXPECT_TRUE(tcp_sock_->IsConnected());
-    log.GetEntries(&entries);
+    entries = log.GetEntries();
     EXPECT_TRUE(
         LogContainsEndEvent(entries, -1, NetLogEventType::SOCKS_CONNECT));
   }
@@ -275,15 +272,14 @@ TEST_F(SOCKSClientSocketTest, PartialServerReads) {
 
   int rv = user_sock_->Connect(callback_.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   EXPECT_TRUE(
       LogContainsBeginEvent(entries, 0, NetLogEventType::SOCKS_CONNECT));
 
   rv = callback_.WaitForResult();
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(user_sock_->IsConnected());
-  log.GetEntries(&entries);
+  entries = log.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SOCKS_CONNECT));
 }
 
@@ -310,15 +306,14 @@ TEST_F(SOCKSClientSocketTest, PartialClientWrites) {
 
   int rv = user_sock_->Connect(callback_.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   EXPECT_TRUE(
       LogContainsBeginEvent(entries, 0, NetLogEventType::SOCKS_CONNECT));
 
   rv = callback_.WaitForResult();
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(user_sock_->IsConnected());
-  log.GetEntries(&entries);
+  entries = log.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SOCKS_CONNECT));
 }
 
@@ -338,15 +333,14 @@ TEST_F(SOCKSClientSocketTest, FailedSocketRead) {
 
   int rv = user_sock_->Connect(callback_.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   EXPECT_TRUE(
       LogContainsBeginEvent(entries, 0, NetLogEventType::SOCKS_CONNECT));
 
   rv = callback_.WaitForResult();
   EXPECT_THAT(rv, IsError(ERR_CONNECTION_CLOSED));
   EXPECT_FALSE(user_sock_->IsConnected());
-  log.GetEntries(&entries);
+  entries = log.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SOCKS_CONNECT));
 }
 
@@ -364,15 +358,14 @@ TEST_F(SOCKSClientSocketTest, FailedDNS) {
 
   int rv = user_sock_->Connect(callback_.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   EXPECT_TRUE(
       LogContainsBeginEvent(entries, 0, NetLogEventType::SOCKS_CONNECT));
 
   rv = callback_.WaitForResult();
   EXPECT_THAT(rv, IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(user_sock_->IsConnected());
-  log.GetEntries(&entries);
+  entries = log.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SOCKS_CONNECT));
 }
 
diff --git a/chromium/net/socket/socks_connect_job_unittest.cc b/chromium/net/socket/socks_connect_job_unittest.cc
index 9469220f1da..a9bfede63f0 100644
--- a/chromium/net/socket/socks_connect_job_unittest.cc
+++ b/chromium/net/socket/socks_connect_job_unittest.cc
@@ -47,9 +47,7 @@ class SOCKSConnectJobTest : public testing::Test,
 
   SOCKSConnectJobTest()
       : WithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME,
-            base::test::ScopedTaskEnvironment::NowSource::
-                MAIN_THREAD_MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME_AND_NOW),
         common_connect_job_params_(
             &client_socket_factory_,
             &host_resolver_,
@@ -60,16 +58,11 @@ class SOCKSConnectJobTest : public testing::Test,
             nullptr /* quic_stream_factory */,
             nullptr /* proxy_delegate */,
             nullptr /* http_user_agent_settings */,
-            SSLClientSocketContext(),
-            SSLClientSocketContext(),
+            nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
             &net_log_,
-            nullptr /* websocket_endpoint_lock_manager */) {
-    // Set an initial delay to ensure that the first call to TimeTicks::Now()
-    // before incrementing the counter does not return a null value.
-    FastForwardBy(base::TimeDelta::FromSeconds(1));
-  }
+            nullptr /* websocket_endpoint_lock_manager */) {}
 
   ~SOCKSConnectJobTest() override {}
 
diff --git a/chromium/net/socket/ssl_client_socket.cc b/chromium/net/socket/ssl_client_socket.cc
index d5eebe53801..52ae9bed3c9 100644
--- a/chromium/net/socket/ssl_client_socket.cc
+++ b/chromium/net/socket/ssl_client_socket.cc
@@ -4,13 +4,11 @@
 
 #include "net/socket/ssl_client_socket.h"
 
-#include "base/metrics/histogram_macros.h"
-#include "base/metrics/sparse_histogram.h"
-#include "base/strings/string_util.h"
-#include "crypto/ec_private_key.h"
-#include "net/base/net_errors.h"
+#include <string>
+
+#include "base/logging.h"
 #include "net/socket/ssl_client_socket_impl.h"
-#include "net/ssl/ssl_config_service.h"
+#include "net/socket/stream_socket.h"
 #include "net/ssl/ssl_key_logger.h"
 
 namespace net {
@@ -47,4 +45,31 @@ std::vector<uint8_t> SSLClientSocket::SerializeNextProtos(
   return wire_protos;
 }
 
+SSLClientContext::SSLClientContext(
+    CertVerifier* cert_verifier,
+    TransportSecurityState* transport_security_state,
+    CTVerifier* cert_transparency_verifier,
+    CTPolicyEnforcer* ct_policy_enforcer,
+    SSLClientSessionCache* ssl_client_session_cache)
+    : cert_verifier_(cert_verifier),
+      transport_security_state_(transport_security_state),
+      cert_transparency_verifier_(cert_transparency_verifier),
+      ct_policy_enforcer_(ct_policy_enforcer),
+      ssl_client_session_cache_(ssl_client_session_cache) {
+  CHECK(cert_verifier_);
+  CHECK(transport_security_state_);
+  CHECK(cert_transparency_verifier_);
+  CHECK(ct_policy_enforcer_);
+}
+
+SSLClientContext::~SSLClientContext() = default;
+
+std::unique_ptr<SSLClientSocket> SSLClientContext::CreateSSLClientSocket(
+    std::unique_ptr<StreamSocket> stream_socket,
+    const HostPortPair& host_and_port,
+    const SSLConfig& ssl_config) {
+  return std::make_unique<SSLClientSocketImpl>(this, std::move(stream_socket),
+                                               host_and_port, ssl_config);
+}
+
 }  // namespace net
diff --git a/chromium/net/socket/ssl_client_socket.h b/chromium/net/socket/ssl_client_socket.h
index 90a7f96ad16..8b7d08ae1f2 100644
--- a/chromium/net/socket/ssl_client_socket.h
+++ b/chromium/net/socket/ssl_client_socket.h
@@ -7,48 +7,26 @@
 
 #include <stdint.h>
 
-#include <string>
+#include <memory>
 #include <vector>
 
 #include "base/gtest_prod_util.h"
-#include "base/strings/string_piece.h"
-#include "net/base/load_flags.h"
-#include "net/base/net_errors.h"
+#include "base/macros.h"
 #include "net/base/net_export.h"
 #include "net/socket/ssl_socket.h"
-#include "net/socket/stream_socket.h"
 
 namespace net {
 
 class CTPolicyEnforcer;
 class CertVerifier;
 class CTVerifier;
+class HostPortPair;
 class SSLClientSessionCache;
+struct SSLConfig;
 class SSLKeyLogger;
+class StreamSocket;
 class TransportSecurityState;
 
-// This struct groups together several fields which are used by various
-// classes related to SSLClientSocket.
-struct SSLClientSocketContext {
-  SSLClientSocketContext() = default;
-  SSLClientSocketContext(CertVerifier* cert_verifier_arg,
-                         TransportSecurityState* transport_security_state_arg,
-                         CTVerifier* cert_transparency_verifier_arg,
-                         CTPolicyEnforcer* ct_policy_enforcer_arg,
-                         SSLClientSessionCache* ssl_client_session_cache_arg)
-      : cert_verifier(cert_verifier_arg),
-        transport_security_state(transport_security_state_arg),
-        cert_transparency_verifier(cert_transparency_verifier_arg),
-        ct_policy_enforcer(ct_policy_enforcer_arg),
-        ssl_client_session_cache(ssl_client_session_cache_arg) {}
-
-  CertVerifier* cert_verifier = nullptr;
-  TransportSecurityState* transport_security_state = nullptr;
-  CTVerifier* cert_transparency_verifier = nullptr;
-  CTPolicyEnforcer* ct_policy_enforcer = nullptr;
-  SSLClientSessionCache* ssl_client_session_cache = nullptr;
-};
-
 // A client socket that uses SSL as the transport layer.
 //
 // NOTE: The SSL handshake occurs within the Connect method after a TCP
@@ -99,6 +77,49 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
   bool stapled_ocsp_response_received_;
 };
 
+// Shared state and configuration across multiple SSLClientSockets.
+class NET_EXPORT SSLClientContext {
+ public:
+  // Creates a new SSLClientContext with the specified parameters. The
+  // SSLClientContext may not outlive the input parameters.
+  //
+  // |ssl_client_session_cache| may be null to disable session caching.
+  SSLClientContext(CertVerifier* cert_verifier,
+                   TransportSecurityState* transport_security_state,
+                   CTVerifier* cert_transparency_verifier,
+                   CTPolicyEnforcer* ct_policy_enforcer,
+                   SSLClientSessionCache* ssl_client_session_cache);
+  ~SSLClientContext();
+
+  CertVerifier* cert_verifier() { return cert_verifier_; }
+  TransportSecurityState* transport_security_state() {
+    return transport_security_state_;
+  }
+  CTVerifier* cert_transparency_verifier() {
+    return cert_transparency_verifier_;
+  }
+  CTPolicyEnforcer* ct_policy_enforcer() { return ct_policy_enforcer_; }
+  SSLClientSessionCache* ssl_client_session_cache() {
+    return ssl_client_session_cache_;
+  }
+
+  // Creates a new SSLClientSocket which can then be used to establish an SSL
+  // connection to |host_and_port| over the already-connected |stream_socket|.
+  std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      std::unique_ptr<StreamSocket> stream_socket,
+      const HostPortPair& host_and_port,
+      const SSLConfig& ssl_config);
+
+ private:
+  CertVerifier* cert_verifier_;
+  TransportSecurityState* transport_security_state_;
+  CTVerifier* cert_transparency_verifier_;
+  CTPolicyEnforcer* ct_policy_enforcer_;
+  SSLClientSessionCache* ssl_client_session_cache_;
+
+  DISALLOW_COPY_AND_ASSIGN(SSLClientContext);
+};
+
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_H_
diff --git a/chromium/net/socket/ssl_client_socket_impl.cc b/chromium/net/socket/ssl_client_socket_impl.cc
index 857dc8a00a8..1af7e165fb9 100644
--- a/chromium/net/socket/ssl_client_socket_impl.cc
+++ b/chromium/net/socket/ssl_client_socket_impl.cc
@@ -14,6 +14,7 @@
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/containers/span.h"
+#include "base/feature_list.h"
 #include "base/lazy_instance.h"
 #include "base/macros.h"
 #include "base/memory/singleton.h"
@@ -42,13 +43,13 @@
 #include "net/cert/x509_util.h"
 #include "net/der/parse_values.h"
 #include "net/http/transport_security_state.h"
-#include "net/log/net_log.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_parameters_callback.h"
+#include "net/log/net_log_values.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_client_session_cache.h"
 #include "net/ssl/ssl_connection_status_flags.h"
+#include "net/ssl/ssl_handshake_details.h"
 #include "net/ssl/ssl_info.h"
 #include "net/ssl/ssl_key_logger.h"
 #include "net/ssl/ssl_private_key.h"
@@ -78,9 +79,8 @@ const int kCertVerifyPending = 1;
 // Default size of the internal BoringSSL buffers.
 const int kDefaultOpenSSLBufferSize = 17 * 1024;
 
-base::Value NetLogPrivateKeyOperationCallback(uint16_t algorithm,
-                                              SSLPrivateKey* key,
-                                              NetLogCaptureMode mode) {
+base::Value NetLogPrivateKeyOperationParams(uint16_t algorithm,
+                                            SSLPrivateKey* key) {
   base::DictionaryValue value;
   value.SetString("algorithm", SSL_get_signature_algorithm_name(
                                    algorithm, 0 /* exclude curve */));
@@ -88,8 +88,7 @@ base::Value NetLogPrivateKeyOperationCallback(uint16_t algorithm,
   return std::move(value);
 }
 
-base::Value NetLogSSLInfoCallback(SSLClientSocketImpl* socket,
-                                  NetLogCaptureMode capture_mode) {
+base::Value NetLogSSLInfoParams(SSLClientSocketImpl* socket) {
   SSLInfo ssl_info;
   if (!socket->GetSSLInfo(&ssl_info))
     return base::Value();
@@ -110,18 +109,16 @@ base::Value NetLogSSLInfoCallback(SSLClientSocketImpl* socket,
   return std::move(dict);
 }
 
-base::Value NetLogSSLAlertCallback(const void* bytes,
-                                   size_t len,
-                                   NetLogCaptureMode capture_mode) {
+base::Value NetLogSSLAlertParams(const void* bytes, size_t len) {
   base::DictionaryValue dict;
   dict.SetKey("bytes", NetLogBinaryValue(bytes, len));
   return std::move(dict);
 }
 
-base::Value NetLogSSLMessageCallback(bool is_write,
-                                     const void* bytes,
-                                     size_t len,
-                                     NetLogCaptureMode capture_mode) {
+base::Value NetLogSSLMessageParams(bool is_write,
+                                   const void* bytes,
+                                   size_t len,
+                                   NetLogCaptureMode capture_mode) {
   base::DictionaryValue dict;
   if (len == 0) {
     NOTREACHED();
@@ -138,7 +135,7 @@ base::Value NetLogSSLMessageCallback(bool is_write,
   // (that's the private key which isn't sent over the wire), but it may contain
   // information on the user's identity.
   if (!is_write || type != SSL3_MT_CERTIFICATE ||
-      capture_mode.include_socket_bytes()) {
+      NetLogCaptureIncludesSocketBytes(capture_mode)) {
     dict.SetKey("bytes", NetLogBinaryValue(bytes, len));
   }
 
@@ -400,37 +397,29 @@ const SSL_PRIVATE_KEY_METHOD
 };
 
 SSLClientSocketImpl::SSLClientSocketImpl(
+    SSLClientContext* context,
     std::unique_ptr<StreamSocket> stream_socket,
     const HostPortPair& host_and_port,
-    const SSLConfig& ssl_config,
-    const SSLClientSocketContext& context)
+    const SSLConfig& ssl_config)
     : pending_read_error_(kSSLClientSocketNoPendingResult),
       pending_read_ssl_error_(SSL_ERROR_NONE),
       completed_connect_(false),
       was_ever_used_(false),
-      cert_verifier_(context.cert_verifier),
+      context_(context),
       cert_verification_result_(kCertVerifyPending),
-      cert_transparency_verifier_(context.cert_transparency_verifier),
       stream_socket_(std::move(stream_socket)),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
-      ssl_client_session_cache_(context.ssl_client_session_cache),
       next_handshake_state_(STATE_NONE),
       in_confirm_handshake_(false),
       disconnected_(false),
       negotiated_protocol_(kProtoUnknown),
       certificate_requested_(false),
       signature_result_(kSSLClientSocketNoPendingResult),
-      transport_security_state_(context.transport_security_state),
-      policy_enforcer_(context.ct_policy_enforcer),
       pkp_bypassed_(false),
       is_fatal_cert_error_(false),
-      net_log_(stream_socket_->NetLog()),
-      weak_factory_(this) {
-  CHECK(cert_verifier_);
-  CHECK(transport_security_state_);
-  CHECK(cert_transparency_verifier_);
-  CHECK(policy_enforcer_);
+      net_log_(stream_socket_->NetLog()) {
+  CHECK(context_);
 }
 
 SSLClientSocketImpl::~SSLClientSocketImpl() {
@@ -794,7 +783,18 @@ int SSLClientSocketImpl::Init() {
 
   if (IsCachingEnabled()) {
     bssl::UniquePtr<SSL_SESSION> session =
-        ssl_client_session_cache_->Lookup(GetSessionCacheKey());
+        context_->ssl_client_session_cache()->Lookup(
+            GetSessionCacheKey(/*dest_ip_addr=*/base::nullopt));
+    if (!session) {
+      // If a previous session negotiated an RSA cipher suite then it may have
+      // been inserted into the cache keyed by both hostname and resolved IP
+      // address. See https://crbug.com/969684.
+      IPEndPoint peer_address;
+      if (stream_socket_->GetPeerAddress(&peer_address) == OK) {
+        session = context_->ssl_client_session_cache()->Lookup(
+            GetSessionCacheKey(peer_address.address()));
+      }
+    }
     if (session)
       SSL_set_session(ssl_.get(), session.get());
   }
@@ -871,9 +871,7 @@ int SSLClientSocketImpl::Init() {
   if (!ssl_config_.alpn_protos.empty()) {
     std::vector<uint8_t> wire_protos =
         SerializeNextProtos(ssl_config_.alpn_protos);
-    SSL_set_alpn_protos(ssl_.get(),
-                        wire_protos.empty() ? nullptr : &wire_protos[0],
-                        wire_protos.size());
+    SSL_set_alpn_protos(ssl_.get(), wire_protos.data(), wire_protos.size());
   }
 
   SSL_enable_signed_cert_timestamps(ssl_.get());
@@ -942,9 +940,8 @@ int SSLClientSocketImpl::DoHandshake() {
 
     LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
                << ssl_error << ", net_error " << net_error;
-    net_log_.AddEvent(
-        NetLogEventType::SSL_HANDSHAKE_ERROR,
-        CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
+    NetLogOpenSSLError(net_log_, NetLogEventType::SSL_HANDSHAKE_ERROR,
+                       net_error, ssl_error, error_info);
   }
 
   next_handshake_state_ = STATE_HANDSHAKE_COMPLETE;
@@ -960,10 +957,6 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
     return OK;
   }
 
-  if (IsCachingEnabled()) {
-    ssl_client_session_cache_->ResetLookupCount(GetSessionCacheKey());
-  }
-
   const uint8_t* alpn_proto = nullptr;
   unsigned alpn_len = 0;
   SSL_get0_alpn_selected(ssl_.get(), &alpn_proto, &alpn_len);
@@ -1074,6 +1067,26 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
     }
   }
 
+  SSLHandshakeDetails details;
+  if (SSL_version(ssl_.get()) < TLS1_3_VERSION) {
+    if (SSL_session_reused(ssl_.get())) {
+      details = SSLHandshakeDetails::kTLS12Resume;
+    } else if (SSL_in_false_start(ssl_.get())) {
+      details = SSLHandshakeDetails::kTLS12FalseStart;
+    } else {
+      details = SSLHandshakeDetails::kTLS12Full;
+    }
+  } else {
+    if (SSL_in_early_data(ssl_.get())) {
+      details = SSLHandshakeDetails::kTLS13Early;
+    } else if (SSL_session_reused(ssl_.get())) {
+      details = SSLHandshakeDetails::kTLS13Resume;
+    } else {
+      details = SSLHandshakeDetails::kTLS13Full;
+    }
+  }
+  UMA_HISTOGRAM_ENUMERATION("Net.SSLHandshakeDetails", details);
+
   completed_connect_ = true;
   next_handshake_state_ = STATE_NONE;
   return OK;
@@ -1115,9 +1128,9 @@ ssl_verify_result_t SSLClientSocketImpl::VerifyCert() {
     return ssl_verify_invalid;
   }
 
-  net_log_.AddEvent(NetLogEventType::SSL_CERTIFICATES_RECEIVED,
-                    base::Bind(&NetLogX509CertificateCallback,
-                               base::Unretained(server_cert_.get())));
+  net_log_.AddEvent(NetLogEventType::SSL_CERTIFICATES_RECEIVED, [&] {
+    return NetLogX509CertificateParams(server_cert_.get());
+  });
 
   // If the certificate is bad and has been previously accepted, use
   // the previous status and bypass the error.
@@ -1144,7 +1157,7 @@ ssl_verify_result_t SSLClientSocketImpl::VerifyCert() {
   base::StringPiece sct_list(reinterpret_cast<const char*>(sct_list_raw),
                              sct_list_len);
 
-  cert_verification_result_ = cert_verifier_->Verify(
+  cert_verification_result_ = context_->cert_verifier()->Verify(
       CertVerifier::RequestParams(
           server_cert_, host_and_port_.host(), ssl_config_.GetCertVerifyFlags(),
           ocsp_response.as_string(), sct_list.as_string()),
@@ -1204,7 +1217,7 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
         IsCertStatusMinorError(server_cert_verify_result_.cert_status)))) {
     int ct_result = VerifyCT();
     TransportSecurityState::PKPStatus pin_validity =
-        transport_security_state_->CheckPublicKeyPins(
+        context_->transport_security_state()->CheckPublicKeyPins(
             host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
             server_cert_verify_result_.public_key_hashes, server_cert_.get(),
             server_cert_verify_result_.verified_cert.get(),
@@ -1229,7 +1242,8 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
   is_fatal_cert_error_ =
       IsCertStatusError(server_cert_verify_result_.cert_status) &&
       !IsCertStatusMinorError(server_cert_verify_result_.cert_status) &&
-      transport_security_state_->ShouldSSLErrorsBeFatal(host_and_port_.host());
+      context_->transport_security_state()->ShouldSSLErrorsBeFatal(
+          host_and_port_.host());
 
   if (IsCertificateError(result) && ssl_config_.ignore_certificate_errors) {
     result = OK;
@@ -1304,10 +1318,8 @@ int SSLClientSocketImpl::DoPayloadRead(IOBuffer* buf, int buf_len) {
       net_log_.AddByteTransferEvent(NetLogEventType::SSL_SOCKET_BYTES_RECEIVED,
                                     rv, buf->data());
     } else {
-      net_log_.AddEvent(
-          NetLogEventType::SSL_READ_ERROR,
-          CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
-                                           pending_read_error_info_));
+      NetLogOpenSSLError(net_log_, NetLogEventType::SSL_READ_ERROR, rv,
+                         pending_read_ssl_error_, pending_read_error_info_);
     }
     pending_read_ssl_error_ = SSL_ERROR_NONE;
     pending_read_error_info_ = OpenSSLErrorInfo();
@@ -1375,10 +1387,8 @@ int SSLClientSocketImpl::DoPayloadRead(IOBuffer* buf, int buf_len) {
     net_log_.AddByteTransferEvent(NetLogEventType::SSL_SOCKET_BYTES_RECEIVED,
                                   rv, buf->data());
   } else if (rv != ERR_IO_PENDING) {
-    net_log_.AddEvent(
-        NetLogEventType::SSL_READ_ERROR,
-        CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
-                                         pending_read_error_info_));
+    NetLogOpenSSLError(net_log_, NetLogEventType::SSL_READ_ERROR, rv,
+                       pending_read_ssl_error_, pending_read_error_info_);
     pending_read_ssl_error_ = SSL_ERROR_NONE;
     pending_read_error_info_ = OpenSSLErrorInfo();
   }
@@ -1410,9 +1420,8 @@ int SSLClientSocketImpl::DoPayloadWrite() {
   int net_error = MapLastOpenSSLError(ssl_error, err_tracer, &error_info);
 
   if (net_error != ERR_IO_PENDING) {
-    net_log_.AddEvent(
-        NetLogEventType::SSL_WRITE_ERROR,
-        CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
+    NetLogOpenSSLError(net_log_, NetLogEventType::SSL_WRITE_ERROR, net_error,
+                       ssl_error, error_info);
   }
   return net_error;
 }
@@ -1473,15 +1482,17 @@ int SSLClientSocketImpl::VerifyCT() {
   // Note that this is a completely synchronous operation: The CT Log Verifier
   // gets all the data it needs for SCT verification and does not do any
   // external communication.
-  cert_transparency_verifier_->Verify(
+  context_->cert_transparency_verifier()->Verify(
       host_and_port().host(), server_cert_verify_result_.verified_cert.get(),
       ocsp_response, sct_list, &ct_verify_result_.scts, net_log_);
 
   ct::SCTList verified_scts =
       ct::SCTsMatchingStatus(ct_verify_result_.scts, ct::SCT_STATUS_OK);
 
-  ct_verify_result_.policy_compliance = policy_enforcer_->CheckCompliance(
-      server_cert_verify_result_.verified_cert.get(), verified_scts, net_log_);
+  ct_verify_result_.policy_compliance =
+      context_->ct_policy_enforcer()->CheckCompliance(
+          server_cert_verify_result_.verified_cert.get(), verified_scts,
+          net_log_);
   if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
     if (ct_verify_result_.policy_compliance !=
             ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS &&
@@ -1512,7 +1523,7 @@ int SSLClientSocketImpl::VerifyCT() {
   }
 
   TransportSecurityState::CTRequirementsStatus ct_requirement_status =
-      transport_security_state_->CheckCTRequirements(
+      context_->transport_security_state()->CheckCTRequirements(
           host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
           server_cert_verify_result_.public_key_hashes,
           server_cert_verify_result_.verified_cert.get(), server_cert_.get(),
@@ -1590,19 +1601,17 @@ int SSLClientSocketImpl::ClientCertRequestCallback(SSL* ssl) {
     SSL_set_signing_algorithm_prefs(ssl_.get(), preferences.data(),
                                     preferences.size());
 
-    net_log_.AddEvent(
-        NetLogEventType::SSL_CLIENT_CERT_PROVIDED,
-        NetLog::IntCallback(
-            "cert_count",
-            base::checked_cast<int>(
-                1 + ssl_config_.client_cert->intermediate_buffers().size())));
+    net_log_.AddEventWithIntParams(
+        NetLogEventType::SSL_CLIENT_CERT_PROVIDED, "cert_count",
+        base::checked_cast<int>(
+            1 + ssl_config_.client_cert->intermediate_buffers().size()));
     return 1;
   }
 #endif  // defined(OS_IOS)
 
   // Send no client certificate.
-  net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED,
-                    NetLog::IntCallback("cert_count", 0));
+  net_log_.AddEventWithIntParams(NetLogEventType::SSL_CLIENT_CERT_PROVIDED,
+                                 "cert_count", 0);
   return 1;
 }
 
@@ -1610,10 +1619,23 @@ int SSLClientSocketImpl::NewSessionCallback(SSL_SESSION* session) {
   if (!IsCachingEnabled())
     return 0;
 
+  base::Optional<IPAddress> ip_addr;
+  if (SSL_CIPHER_get_kx_nid(SSL_SESSION_get0_cipher(session)) == NID_kx_rsa) {
+    // If RSA key exchange was used, additionally key the cache with the
+    // destination IP address. Of course, if a proxy is being used, the
+    // semantics of this are a little complex, but we're doing our best. See
+    // https://crbug.com/969684
+    IPEndPoint ip_endpoint;
+    if (stream_socket_->GetPeerAddress(&ip_endpoint) != OK) {
+      return 0;
+    }
+    ip_addr = ip_endpoint.address();
+  }
+
   // OpenSSL optionally passes ownership of |session|. Returning one signals
   // that this function has claimed it.
-  ssl_client_session_cache_->Insert(GetSessionCacheKey(),
-                                    bssl::UniquePtr<SSL_SESSION>(session));
+  context_->ssl_client_session_cache()->Insert(
+      GetSessionCacheKey(ip_addr), bssl::UniquePtr<SSL_SESSION>(session));
   return 1;
 }
 
@@ -1621,8 +1643,25 @@ void SSLClientSocketImpl::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
   ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
 }
 
-std::string SSLClientSocketImpl::GetSessionCacheKey() const {
-  return host_and_port_.ToString();
+std::string SSLClientSocketImpl::GetSessionCacheKey(
+    base::Optional<IPAddress> dest_ip_addr) const {
+  std::string ret;
+  if (dest_ip_addr) {
+    ret += dest_ip_addr->ToString();
+  }
+  ret.push_back('/');
+  ret += host_and_port_.ToString();
+  ret.push_back('/');
+  if (ssl_config_.privacy_mode == PRIVACY_MODE_ENABLED) {
+    ret.push_back('1');
+  } else {
+    ret.push_back('0');
+  }
+  if (base::FeatureList::IsEnabled(
+          features::kPartitionSSLSessionsByNetworkIsolationKey)) {
+    ret += '/' + ssl_config_.network_isolation_key.ToString();
+  }
+  return ret;
 }
 
 bool SSLClientSocketImpl::IsRenegotiationAllowed() const {
@@ -1637,7 +1676,7 @@ bool SSLClientSocketImpl::IsRenegotiationAllowed() const {
 }
 
 bool SSLClientSocketImpl::IsCachingEnabled() const {
-  return ssl_client_session_cache_ != nullptr;
+  return context_->ssl_client_session_cache() != nullptr;
 }
 
 ssl_private_key_result_t SSLClientSocketImpl::PrivateKeySignCallback(
@@ -1651,13 +1690,13 @@ ssl_private_key_result_t SSLClientSocketImpl::PrivateKeySignCallback(
   DCHECK(signature_.empty());
   DCHECK(ssl_config_.client_private_key);
 
-  net_log_.BeginEvent(
-      NetLogEventType::SSL_PRIVATE_KEY_OP,
-      base::BindRepeating(
-          &NetLogPrivateKeyOperationCallback, algorithm,
-          // Pass the SSLPrivateKey pointer to avoid making copies of the
-          // provider name in the common case with logging disabled.
-          base::Unretained(ssl_config_.client_private_key.get())));
+  net_log_.BeginEvent(NetLogEventType::SSL_PRIVATE_KEY_OP, [&] {
+    return NetLogPrivateKeyOperationParams(
+        algorithm,
+        // Pass the SSLPrivateKey pointer to avoid making copies of the
+        // provider name in the common case with logging disabled.
+        ssl_config_.client_private_key.get());
+  });
 
   signature_result_ = ERR_IO_PENDING;
   ssl_config_.client_private_key->Sign(
@@ -1723,13 +1762,15 @@ void SSLClientSocketImpl::MessageCallback(int is_write,
     case SSL3_RT_ALERT:
       net_log_.AddEvent(is_write ? NetLogEventType::SSL_ALERT_SENT
                                  : NetLogEventType::SSL_ALERT_RECEIVED,
-                        base::Bind(&NetLogSSLAlertCallback, buf, len));
+                        [&] { return NetLogSSLAlertParams(buf, len); });
       break;
     case SSL3_RT_HANDSHAKE:
       net_log_.AddEvent(
           is_write ? NetLogEventType::SSL_HANDSHAKE_MESSAGE_SENT
                    : NetLogEventType::SSL_HANDSHAKE_MESSAGE_RECEIVED,
-          base::Bind(&NetLogSSLMessageCallback, !!is_write, buf, len));
+          [&](NetLogCaptureMode capture_mode) {
+            return NetLogSSLMessageParams(!!is_write, buf, len, capture_mode);
+          });
       break;
     default:
       return;
@@ -1743,7 +1784,7 @@ void SSLClientSocketImpl::LogConnectEndEvent(int rv) {
   }
 
   net_log_.EndEvent(NetLogEventType::SSL_CONNECT,
-                    base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
+                    [&] { return NetLogSSLInfoParams(this); });
 }
 
 void SSLClientSocketImpl::RecordNegotiatedProtocol() const {
diff --git a/chromium/net/socket/ssl_client_socket_impl.h b/chromium/net/socket/ssl_client_socket_impl.h
index fef393adee6..a360025e686 100644
--- a/chromium/net/socket/ssl_client_socket_impl.h
+++ b/chromium/net/socket/ssl_client_socket_impl.h
@@ -41,8 +41,6 @@ class OpenSSLErrStackTracer;
 
 namespace net {
 
-class CertVerifier;
-class CTVerifier;
 class SSLCertRequestInfo;
 class SSLInfo;
 class SSLKeyLogger;
@@ -53,11 +51,11 @@ class SSLClientSocketImpl : public SSLClientSocket,
   // Takes ownership of |stream_socket|, which may already be connected.
   // The given hostname will be compared with the name(s) in the server's
   // certificate during the SSL handshake.  |ssl_config| specifies the SSL
-  // settings.
-  SSLClientSocketImpl(std::unique_ptr<StreamSocket> stream_socket,
+  // settings. The resulting socket may not outlive |context|.
+  SSLClientSocketImpl(SSLClientContext* context,
+                      std::unique_ptr<StreamSocket> stream_socket,
                       const HostPortPair& host_and_port,
-                      const SSLConfig& ssl_config,
-                      const SSLClientSocketContext& context);
+                      const SSLConfig& ssl_config);
   ~SSLClientSocketImpl() override;
 
   const HostPortPair& host_and_port() const { return host_and_port_; }
@@ -165,7 +163,7 @@ class SSLClientSocketImpl : public SSLClientSocket,
   void AddCTInfoToSSLInfo(SSLInfo* ssl_info) const;
 
   // Returns a unique key string for the SSL session cache for this socket.
-  std::string GetSessionCacheKey() const;
+  std::string GetSessionCacheKey(base::Optional<IPAddress> dest_ip_addr) const;
 
   // Returns true if renegotiations are allowed.
   bool IsRenegotiationAllowed() const;
@@ -244,7 +242,8 @@ class SSLClientSocketImpl : public SSLClientSocket,
   // network.
   bool was_ever_used_;
 
-  CertVerifier* const cert_verifier_;
+  SSLClientContext* const context_;
+
   std::unique_ptr<CertVerifier::Request> cert_verifier_request_;
   base::TimeTicks start_cert_verification_time_;
 
@@ -253,7 +252,6 @@ class SSLClientSocketImpl : public SSLClientSocket,
 
   // Certificate Transparency: Verifier and result holder.
   ct::CTVerifyResult ct_verify_result_;
-  CTVerifier* cert_transparency_verifier_;
 
   // OpenSSL stuff
   bssl::UniquePtr<SSL> ssl_;
@@ -262,8 +260,6 @@ class SSLClientSocketImpl : public SSLClientSocket,
   std::unique_ptr<SocketBIOAdapter> transport_adapter_;
   const HostPortPair host_and_port_;
   SSLConfig ssl_config_;
-  // ssl_client_session_cache_ is a non-owning pointer to session cache
-  SSLClientSessionCache* ssl_client_session_cache_;
 
   enum State {
     STATE_NONE,
@@ -285,10 +281,6 @@ class SSLClientSocketImpl : public SSLClientSocket,
   int signature_result_;
   std::vector<uint8_t> signature_;
 
-  TransportSecurityState* transport_security_state_;
-
-  CTPolicyEnforcer* const policy_enforcer_;
-
   // pinning_failure_log contains a message produced by
   // TransportSecurityState::CheckPublicKeyPins in the event of a
   // pinning failure. It is a (somewhat) human-readable string.
@@ -302,7 +294,7 @@ class SSLClientSocketImpl : public SSLClientSocket,
   bool is_fatal_cert_error_;
 
   NetLogWithSource net_log_;
-  base::WeakPtrFactory<SSLClientSocketImpl> weak_factory_;
+  base::WeakPtrFactory<SSLClientSocketImpl> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SSLClientSocketImpl);
 };
diff --git a/chromium/net/socket/ssl_client_socket_unittest.cc b/chromium/net/socket/ssl_client_socket_unittest.cc
index f07bdcd6a37..917d43b40f9 100644
--- a/chromium/net/socket/ssl_client_socket_unittest.cc
+++ b/chromium/net/socket/ssl_client_socket_unittest.cc
@@ -34,6 +34,7 @@
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/ct_policy_enforcer.h"
@@ -53,7 +54,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/client_socket_handle.h"
@@ -66,6 +66,7 @@
 #include "net/ssl/ssl_client_session_cache.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/ssl/ssl_connection_status_flags.h"
+#include "net/ssl/ssl_handshake_details.h"
 #include "net/ssl/ssl_info.h"
 #include "net/ssl/ssl_server_config.h"
 #include "net/ssl/test_ssl_private_key.h"
@@ -85,6 +86,8 @@
 #include "third_party/boringssl/src/include/openssl/bio.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
 #include "third_party/boringssl/src/include/openssl/pem.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 using net::test::IsError;
 using net::test::IsOk;
@@ -790,17 +793,18 @@ class SSLClientSocketTest : public PlatformTest,
  public:
   SSLClientSocketTest()
       : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
-        cert_verifier_(new MockCertVerifier),
-        transport_security_state_(new TransportSecurityState),
-        ct_verifier_(new DoNothingCTVerifier),
-        ct_policy_enforcer_(new MockCTPolicyEnforcer),
-        ssl_client_session_cache_(
-            new SSLClientSessionCache(SSLClientSessionCache::Config())),
-        context_(cert_verifier_.get(),
-                 transport_security_state_.get(),
-                 ct_verifier_.get(),
-                 ct_policy_enforcer_.get(),
-                 ssl_client_session_cache_.get()) {
+        cert_verifier_(std::make_unique<MockCertVerifier>()),
+        transport_security_state_(std::make_unique<TransportSecurityState>()),
+        ct_verifier_(std::make_unique<DoNothingCTVerifier>()),
+        ct_policy_enforcer_(std::make_unique<MockCTPolicyEnforcer>()),
+        ssl_client_session_cache_(std::make_unique<SSLClientSessionCache>(
+            SSLClientSessionCache::Config())),
+        context_(std::make_unique<SSLClientContext>(
+            cert_verifier_.get(),
+            transport_security_state_.get(),
+            ct_verifier_.get(),
+            ct_policy_enforcer_.get(),
+            ssl_client_session_cache_.get())) {
     cert_verifier_->set_default_result(OK);
 
     EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
@@ -827,18 +831,6 @@ class SSLClientSocketTest : public PlatformTest,
     return spawned_test_server_.get();
   }
 
-  void SetCertVerifier(CertVerifier* cert_verifier) {
-    context_.cert_verifier = cert_verifier;
-  }
-
-  void SetCTVerifier(CTVerifier* ct_verifier) {
-    context_.cert_transparency_verifier = ct_verifier;
-  }
-
-  void SetCTPolicyEnforcer(CTPolicyEnforcer* policy_enforcer) {
-    context_.ct_policy_enforcer = policy_enforcer;
-  }
-
   // Starts the embedded test server with the specified parameters. Returns true
   // on success.
   bool StartEmbeddedTestServer(EmbeddedTestServer::ServerCertificate cert,
@@ -890,7 +882,7 @@ class SSLClientSocketTest : public PlatformTest,
       const HostPortPair& host_and_port,
       const SSLConfig& ssl_config) {
     return socket_factory_->CreateSSLClientSocket(
-        std::move(transport_socket), host_and_port, ssl_config, context_);
+        context_.get(), std::move(transport_socket), host_and_port, ssl_config);
   }
 
   // Create an SSLClientSocket object and use it to connect to a test server,
@@ -946,15 +938,15 @@ class SSLClientSocketTest : public PlatformTest,
     cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
   }
 
+  TestNetLog log_;
   ClientSocketFactory* socket_factory_;
   std::unique_ptr<MockCertVerifier> cert_verifier_;
   std::unique_ptr<TransportSecurityState> transport_security_state_;
   std::unique_ptr<DoNothingCTVerifier> ct_verifier_;
   std::unique_ptr<MockCTPolicyEnforcer> ct_policy_enforcer_;
   std::unique_ptr<SSLClientSessionCache> ssl_client_session_cache_;
-  SSLClientSocketContext context_;
+  std::unique_ptr<SSLClientContext> context_;
   std::unique_ptr<SSLClientSocket> sock_;
-  TestNetLog log_;
 
  private:
   std::unique_ptr<SpawnedTestServer> spawned_test_server_;
@@ -1015,14 +1007,14 @@ class ClientSocketFactoryWithoutReadIfReady : public ClientSocketFactory {
   }
 
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> stream_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override {
+      const SSLConfig& ssl_config) override {
     stream_socket = std::make_unique<StreamSocketWithoutReadIfReady>(
         std::move(stream_socket));
-    return factory_->CreateSSLClientSocket(std::move(stream_socket),
-                                           host_and_port, ssl_config, context);
+    return factory_->CreateSSLClientSocket(context, std::move(stream_socket),
+                                           host_and_port, ssl_config);
   }
 
   std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
@@ -1148,7 +1140,7 @@ class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest {
     rv = callback.GetResult(sock->Connect(callback.callback()));
     EXPECT_THAT(rv, IsError(ERR_SSL_CLIENT_AUTH_CERT_NEEDED));
 
-    scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo();
+    auto request_info = base::MakeRefCounted<SSLCertRequestInfo>();
     sock->GetSSLCertRequestInfo(request_info.get());
     sock->Disconnect();
     EXPECT_FALSE(sock->IsConnected());
@@ -1467,6 +1459,9 @@ class HangingCertVerifier : public CertVerifier {
 
 }  // namespace
 
+// TODO(950069): Add testing for frame_origin in NetworkIsolationKey
+// using kAppendInitiatingFrameOriginToNetworkIsolationKey.
+
 TEST_F(SSLClientSocketTest, Connect) {
   ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
 
@@ -1485,14 +1480,13 @@ TEST_F(SSLClientSocketTest, Connect) {
 
   rv = sock->Connect(callback.callback());
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLogEventType::SSL_CONNECT));
   if (rv == ERR_IO_PENDING)
     rv = callback.WaitForResult();
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(sock->IsConnected());
-  log.GetEntries(&entries);
+  entries = log.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
 
   sock->Disconnect();
@@ -1523,8 +1517,7 @@ TEST_F(SSLClientSocketTest, ConnectExpired) {
   // test that the handshake has finished. This is because it may be
   // desirable to disconnect the socket before showing a user prompt, since
   // the user may take indefinitely long to respond.
-  TestNetLogEntry::List entries;
-  log_.GetEntries(&entries);
+  auto entries = log_.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
 }
 
@@ -1547,7 +1540,9 @@ TEST_F(SSLClientSocketTest, SocketDestroyedDuringVerify) {
   ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
 
   HangingCertVerifier verifier;
-  SetCertVerifier(&verifier);
+  context_ = std::make_unique<SSLClientContext>(
+      &verifier, transport_security_state_.get(), ct_verifier_.get(),
+      ct_policy_enforcer_.get(), ssl_client_session_cache_.get());
 
   TestCompletionCallback callback;
   auto transport =
@@ -1568,6 +1563,8 @@ TEST_F(SSLClientSocketTest, SocketDestroyedDuringVerify) {
   // Destroying the socket should cancel it.
   sock = nullptr;
   EXPECT_EQ(0, verifier.num_active_requests());
+
+  context_ = nullptr;
 }
 
 TEST_F(SSLClientSocketTest, ConnectMismatched) {
@@ -1585,8 +1582,7 @@ TEST_F(SSLClientSocketTest, ConnectMismatched) {
   // test that the handshake has finished. This is because it may be
   // desirable to disconnect the socket before showing a user prompt, since
   // the user may take indefinitely long to respond.
-  TestNetLogEntry::List entries;
-  log_.GetEntries(&entries);
+  auto entries = log_.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
 }
 
@@ -1632,8 +1628,7 @@ TEST_F(SSLClientSocketTest, ConnectClientAuthCertRequested) {
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
   EXPECT_THAT(rv, IsError(ERR_SSL_CLIENT_AUTH_CERT_NEEDED));
 
-  TestNetLogEntry::List entries;
-  log_.GetEntries(&entries);
+  auto entries = log_.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
   EXPECT_FALSE(sock_->IsConnected());
 }
@@ -2383,7 +2378,7 @@ TEST_P(SSLClientSocketReadTest, Read_FullLogging) {
 
   TestCompletionCallback callback;
   TestNetLog log;
-  log.SetCaptureMode(NetLogCaptureMode::IncludeSocketBytes());
+  log.SetObserverCaptureMode(NetLogCaptureMode::kEverything);
   std::unique_ptr<StreamSocket> transport(
       new TCPClientSocket(addr(), nullptr, &log, NetLogSource()));
   int rv = callback.GetResult(transport->Connect(callback.callback()));
@@ -2407,8 +2402,7 @@ TEST_P(SSLClientSocketReadTest, Read_FullLogging) {
                   callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
   EXPECT_EQ(static_cast<int>(base::size(request_text) - 1), rv);
 
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   size_t last_index = ExpectLogContainsSomewhereAfter(
       entries, 5, NetLogEventType::SSL_SOCKET_BYTES_SENT,
       NetLogEventPhase::NONE);
@@ -2420,7 +2414,7 @@ TEST_P(SSLClientSocketReadTest, Read_FullLogging) {
     if (rv <= 0)
       break;
 
-    log.GetEntries(&entries);
+    entries = log.GetEntries();
     last_index = ExpectLogContainsSomewhereAfter(
         entries, last_index + 1, NetLogEventType::SSL_SOCKET_BYTES_RECEIVED,
         NetLogEventPhase::NONE);
@@ -2504,8 +2498,8 @@ TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
   EXPECT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(socket_factory_->CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig(), context_));
+      context_.get(), std::move(transport),
+      spawned_test_server()->host_port_pair(), SSLConfig()));
 
   EXPECT_FALSE(sock->IsConnected());
   rv = callback.GetResult(sock->Connect(callback.callback()));
@@ -2688,8 +2682,7 @@ TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(sock_->IsConnected());
 
-  TestNetLogEntry::List entries;
-  log_.GetEntries(&entries);
+  auto entries = log_.GetEntries();
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
 
   SSLInfo ssl_info;
@@ -2811,10 +2804,10 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsTLSExtension) {
   ssl_options.signed_cert_timestamps_tls_ext = sct_ext.as_string();
   ASSERT_TRUE(StartTestServer(ssl_options));
 
-  SSLConfig ssl_config;
-
   MockCTVerifier ct_verifier;
-  SetCTVerifier(&ct_verifier);
+  context_ = std::make_unique<SSLClientContext>(
+      cert_verifier_.get(), transport_security_state_.get(), &ct_verifier,
+      ct_policy_enforcer_.get(), ssl_client_session_cache_.get());
 
   // Check that the SCT list is extracted from the TLS extension as expected,
   // while also simulating that it was an unparsable response.
@@ -2823,10 +2816,13 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsTLSExtension) {
       .WillOnce(testing::SetArgPointee<4>(sct_list));
 
   int rv;
-  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
   EXPECT_THAT(rv, IsOk());
 
   EXPECT_TRUE(sock_->signed_cert_timestamps_received_);
+
+  sock_ = nullptr;
+  context_ = nullptr;
 }
 
 // Test that when a CT verifier and a CTPolicyEnforcer are defined, and
@@ -2840,9 +2836,7 @@ TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) {
   AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config);
 
   // Emulate compliance of the certificate to the policy.
-  MockCTPolicyEnforcer policy_enforcer;
-  SetCTPolicyEnforcer(&policy_enforcer);
-  EXPECT_CALL(policy_enforcer, CheckCompliance(_, _, _))
+  EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
       .WillRepeatedly(
           Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
 
@@ -2867,9 +2861,7 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) {
   AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config);
 
   // Emulate non-compliance of the certificate to the policy.
-  MockCTPolicyEnforcer policy_enforcer;
-  SetCTPolicyEnforcer(&policy_enforcer);
-  EXPECT_CALL(policy_enforcer, CheckCompliance(_, _, _))
+  EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
       .WillRepeatedly(
           Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
 
@@ -2903,9 +2895,7 @@ TEST_F(SSLClientSocketTest, NonCTCompliantEVHistogram) {
   cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
 
   // Emulate non-compliance of the certificate to the policy.
-  MockCTPolicyEnforcer policy_enforcer;
-  SetCTPolicyEnforcer(&policy_enforcer);
-  EXPECT_CALL(policy_enforcer, CheckCompliance(_, _, _))
+  EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
       .WillRepeatedly(
           Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
 
@@ -2943,9 +2933,7 @@ TEST_F(SSLClientSocketTest, CTCompliantEVHistogram) {
   cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
 
   // Emulate non-compliance of the certificate to the policy.
-  MockCTPolicyEnforcer policy_enforcer;
-  SetCTPolicyEnforcer(&policy_enforcer);
-  EXPECT_CALL(policy_enforcer, CheckCompliance(_, _, _))
+  EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
       .WillRepeatedly(
           Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
 
@@ -3045,7 +3033,7 @@ TEST_F(SSLClientSocketTest, IsFatalErrorSetOnFatalError) {
   int rv;
   const base::Time expiry =
       base::Time::Now() + base::TimeDelta::FromSeconds(1000);
-  context_.transport_security_state->AddHSTS(
+  transport_security_state_->AddHSTS(
       spawned_test_server()->host_port_pair().host(), expiry, true);
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   SSLInfo ssl_info;
@@ -3131,7 +3119,7 @@ TEST_F(SSLClientSocketTest, SessionResumption) {
   EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
   sock.reset();
 
-  context_.ssl_client_session_cache->Flush();
+  ssl_client_session_cache_->Flush();
 
   // After clearing the session cache, the next handshake doesn't resume.
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
@@ -3140,6 +3128,83 @@ TEST_F(SSLClientSocketTest, SessionResumption) {
   EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
 }
 
+namespace {
+
+// FakePeerAddressSocket wraps a |StreamSocket|, forwarding all calls except
+// that it provides a given answer for |GetPeerAddress|.
+class FakePeerAddressSocket : public WrappedStreamSocket {
+ public:
+  FakePeerAddressSocket(std::unique_ptr<StreamSocket> socket,
+                        const IPEndPoint& address)
+      : WrappedStreamSocket(std::move(socket)), address_(address) {}
+  ~FakePeerAddressSocket() override {}
+
+  int GetPeerAddress(IPEndPoint* address) const override {
+    *address = address_;
+    return OK;
+  }
+
+ private:
+  const IPEndPoint address_;
+};
+
+}  // namespace
+
+TEST_F(SSLClientSocketTest, SessionResumption_RSA) {
+  for (bool use_rsa : {false, true}) {
+    SCOPED_TRACE(use_rsa);
+
+    SpawnedTestServer::SSLOptions ssl_options;
+    ssl_options.key_exchanges =
+        use_rsa ? SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA
+                : SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA;
+    ASSERT_TRUE(StartTestServer(ssl_options));
+    SSLConfig ssl_config;
+    ssl_client_session_cache_->Flush();
+
+    for (int i = 0; i < 3; i++) {
+      SCOPED_TRACE(i);
+
+      std::unique_ptr<StreamSocket> transport(
+          new TCPClientSocket(addr(), nullptr, &log_, NetLogSource()));
+      TestCompletionCallback callback;
+      ASSERT_THAT(callback.GetResult(transport->Connect(callback.callback())),
+                  IsOk());
+      // The third handshake sees a different destination IP address.
+      IPEndPoint fake_peer_address(IPAddress(1, 1, 1, i == 2 ? 2 : 1), 443);
+      auto socket = std::make_unique<FakePeerAddressSocket>(
+          std::move(transport), fake_peer_address);
+      std::unique_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
+          std::move(socket), HostPortPair("example.com", 443), ssl_config);
+      ASSERT_THAT(callback.GetResult(sock->Connect(callback.callback())),
+                  IsOk());
+      SSLInfo ssl_info;
+      ASSERT_TRUE(sock->GetSSLInfo(&ssl_info));
+      sock.reset();
+
+      switch (i) {
+        case 0:
+          // Initial handshake should be a full handshake.
+          EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+          break;
+        case 1:
+          // Second handshake should resume.
+          EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+          break;
+        case 2:
+          // Third handshake gets a different IP address and, if the
+          // session used RSA key exchange, it should not resume.
+          EXPECT_EQ(
+              use_rsa ? SSLInfo::HANDSHAKE_FULL : SSLInfo::HANDSHAKE_RESUME,
+              ssl_info.handshake_type);
+          break;
+        default:
+          NOTREACHED();
+      }
+    }
+  }
+}
+
 // Tests that ALPN works with session resumption.
 TEST_F(SSLClientSocketTest, SessionResumptionAlpn) {
   SpawnedTestServer::SSLOptions ssl_options;
@@ -3170,6 +3235,120 @@ TEST_F(SSLClientSocketTest, SessionResumptionAlpn) {
   EXPECT_EQ(kProtoHTTP11, sock_->GetNegotiatedProtocol());
 }
 
+// Tests that the session cache is not sharded by NetworkIsolationKey if the
+// feature is disabled.
+TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyDisabled) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(
+      features::kPartitionSSLSessionsByNetworkIsolationKey);
+
+  SpawnedTestServer::SSLOptions ssl_options;
+  ASSERT_TRUE(StartTestServer(ssl_options));
+
+  // First, perform a full handshake.
+  SSLConfig ssl_config;
+  int rv;
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  SSLInfo ssl_info;
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+
+  // The next connection should resume.
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  sock_.reset();
+
+  // Using a different NetworkIsolationKey shares session cache key because
+  // sharding is disabled.
+  const auto kOriginA = url::Origin::Create(GURL("https://a.test"));
+  ssl_config.network_isolation_key = NetworkIsolationKey(kOriginA, kOriginA);
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  sock_.reset();
+
+  const auto kOriginB = url::Origin::Create(GURL("https://a.test"));
+  ssl_config.network_isolation_key = NetworkIsolationKey(kOriginB, kOriginB);
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  sock_.reset();
+}
+
+// Tests that the session cache is sharded by NetworkIsolationKey if the
+// feature is enabled.
+TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyEnabled) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kPartitionSSLSessionsByNetworkIsolationKey);
+
+  const auto kOriginA = url::Origin::Create(GURL("https://a.test"));
+  const auto kOriginB = url::Origin::Create(GURL("https://b.test"));
+  const NetworkIsolationKey kNetworkIsolationKeyA(kOriginA, kOriginA);
+  const NetworkIsolationKey kNetworkIsolationKeyB(kOriginB, kOriginB);
+
+  SpawnedTestServer::SSLOptions ssl_options;
+  ASSERT_TRUE(StartTestServer(ssl_options));
+
+  // First, perform a full handshake.
+  SSLConfig ssl_config;
+  int rv;
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  SSLInfo ssl_info;
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+
+  // The next connection should resume.
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  sock_.reset();
+
+  // Using a different NetworkIsolationKey uses a different session cache key.
+  ssl_config.network_isolation_key = kNetworkIsolationKeyA;
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+  sock_.reset();
+
+  // We, however, can resume under that newly-established session.
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  sock_.reset();
+
+  // Repeat with another non-null key.
+  ssl_config.network_isolation_key = kNetworkIsolationKeyB;
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+  sock_.reset();
+
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  sock_.reset();
+
+  // b.test does not evict a.test's session.
+  ssl_config.network_isolation_key = kNetworkIsolationKeyA;
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_THAT(rv, IsOk());
+  ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  sock_.reset();
+}
+
 // Tests that connections with certificate errors do not add entries to the
 // session cache.
 TEST_F(SSLClientSocketTest, CertificateErrorNoResume) {
@@ -3545,7 +3724,7 @@ TEST_F(SSLClientSocketTest, PKPBypassedSet) {
       MakeHashValueVector(kBadHashValueVectorInput);
   cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
 
-  context_.transport_security_state->EnableStaticPinsForTesting();
+  transport_security_state_->EnableStaticPinsForTesting();
   ScopedTransportSecurityStateSource scoped_security_state_source;
 
   SSLConfig ssl_config;
@@ -3579,7 +3758,7 @@ TEST_F(SSLClientSocketTest, PKPEnforced) {
       MakeHashValueVector(kBadHashValueVectorInput);
   cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
 
-  context_.transport_security_state->EnableStaticPinsForTesting();
+  transport_security_state_->EnableStaticPinsForTesting();
   ScopedTransportSecurityStateSource scoped_security_state_source;
 
   SSLConfig ssl_config;
@@ -4187,7 +4366,7 @@ TEST_F(SSLClientSocketTest, PKPMoreImportantThanCT) {
       MakeHashValueVector(kBadHashValueVectorInput);
   cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
 
-  context_.transport_security_state->EnableStaticPinsForTesting();
+  transport_security_state_->EnableStaticPinsForTesting();
   ScopedTransportSecurityStateSource scoped_security_state_source;
 
   const char kCTHost[] = "pkp-expect-ct.preloaded.test";
@@ -5395,4 +5574,134 @@ TEST_P(TLS13DowngradeMetricsTest, Metrics) {
   }
 }
 
+struct SSLHandshakeDetailsParams {
+  bool alpn;
+  bool early_data;
+  uint16_t version;
+  SSLHandshakeDetails expected_initial;
+  SSLHandshakeDetails expected_resume;
+};
+
+const SSLHandshakeDetailsParams kSSLHandshakeDetailsParams[] = {
+    // TLS 1.0 and 1.1 never do False Start.
+    {false /* no ALPN */, false /* no early data */, SSL_PROTOCOL_VERSION_TLS1,
+     SSLHandshakeDetails::kTLS12Full, SSLHandshakeDetails::kTLS12Resume},
+    {false /* no ALPN */, false /* no early data */,
+     SSL_PROTOCOL_VERSION_TLS1_1, SSLHandshakeDetails::kTLS12Full,
+     SSLHandshakeDetails::kTLS12Resume},
+
+    // TLS 1.2 does False Start if ALPN is enabled.
+    {false /* no ALPN */, false /* no early data */,
+     SSL_PROTOCOL_VERSION_TLS1_2, SSLHandshakeDetails::kTLS12Full,
+     SSLHandshakeDetails::kTLS12Resume},
+    {true /* ALPN */, false /* no early data */, SSL_PROTOCOL_VERSION_TLS1_2,
+     SSLHandshakeDetails::kTLS12FalseStart, SSLHandshakeDetails::kTLS12Resume},
+
+    // TLS 1.3 supports full handshakes, resumption, and 0-RTT.
+    {false /* no ALPN */, false /* no early data */,
+     SSL_PROTOCOL_VERSION_TLS1_3, SSLHandshakeDetails::kTLS13Full,
+     SSLHandshakeDetails::kTLS13Resume},
+    {false /* no ALPN */, true /* early data */, SSL_PROTOCOL_VERSION_TLS1_3,
+     SSLHandshakeDetails::kTLS13Full, SSLHandshakeDetails::kTLS13Early},
+};
+
+class SSLHandshakeDetailsTest
+    : public SSLClientSocketTest,
+      public ::testing::WithParamInterface<SSLHandshakeDetailsParams> {};
+
+INSTANTIATE_TEST_SUITE_P(/* no prefix */,
+                         SSLHandshakeDetailsTest,
+                         ::testing::ValuesIn(kSSLHandshakeDetailsParams));
+
+TEST_P(SSLHandshakeDetailsTest, Metrics) {
+  // Enable all test features in the server.
+  SSLServerConfig server_config;
+  server_config.version_min = SSL_PROTOCOL_VERSION_TLS1;
+  server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
+  server_config.early_data_enabled = true;
+  server_config.alpn_protos = {kProtoHTTP11};
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
+
+  SSLConfig client_config;
+  client_config.version_min = GetParam().version;
+  client_config.version_max = GetParam().version;
+  client_config.early_data_enabled = GetParam().early_data;
+  if (GetParam().alpn) {
+    client_config.alpn_protos = {kProtoHTTP11};
+  }
+
+  SSLVersion version;
+  switch (GetParam().version) {
+    case SSL_PROTOCOL_VERSION_TLS1:
+      version = SSL_CONNECTION_VERSION_TLS1;
+      break;
+    case SSL_PROTOCOL_VERSION_TLS1_1:
+      version = SSL_CONNECTION_VERSION_TLS1_1;
+      break;
+    case SSL_PROTOCOL_VERSION_TLS1_2:
+      version = SSL_CONNECTION_VERSION_TLS1_2;
+      break;
+    case SSL_PROTOCOL_VERSION_TLS1_3:
+      version = SSL_CONNECTION_VERSION_TLS1_3;
+      break;
+    default:
+      FAIL() << GetParam().version;
+  }
+
+  // Make the initial connection.
+  {
+    base::HistogramTester histograms;
+    int rv;
+    ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
+    EXPECT_THAT(rv, IsOk());
+
+    // Sanity-check the socket matches the test parameters.
+    SSLInfo info;
+    ASSERT_TRUE(sock_->GetSSLInfo(&info));
+    EXPECT_EQ(version, SSLConnectionStatusToVersion(info.connection_status));
+    EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, info.handshake_type);
+    EXPECT_EQ(GetParam().alpn, sock_->WasAlpnNegotiated());
+
+    histograms.ExpectUniqueSample("Net.SSLHandshakeDetails",
+                                  GetParam().expected_initial, 1);
+
+    // Use the socket to ensure the session ticket has been picked up.
+    base::StringPiece request = "GET / HTTP/1.0\r\n\r\n";
+    TestCompletionCallback callback;
+    while (!request.empty()) {
+      auto request_buffer =
+          base::MakeRefCounted<StringIOBuffer>(request.as_string());
+      rv = callback.GetResult(
+          sock_->Write(request_buffer.get(), request_buffer->size(),
+                       callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
+      ASSERT_GT(rv, 0);
+      request = request.substr(rv);
+    }
+
+    auto response_buffer = base::MakeRefCounted<IOBuffer>(1024);
+    rv = callback.GetResult(
+        sock_->Read(response_buffer.get(), 1024, callback.callback()));
+    ASSERT_GT(rv, 0);
+  }
+
+  // Make a resumption connection.
+  {
+    base::HistogramTester histograms;
+    int rv;
+    ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
+    EXPECT_THAT(rv, IsOk());
+
+    // Sanity-check the socket matches the test parameters.
+    SSLInfo info;
+    ASSERT_TRUE(sock_->GetSSLInfo(&info));
+    EXPECT_EQ(version, SSLConnectionStatusToVersion(info.connection_status));
+    EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, info.handshake_type);
+    EXPECT_EQ(GetParam().alpn, sock_->WasAlpnNegotiated());
+
+    histograms.ExpectUniqueSample("Net.SSLHandshakeDetails",
+                                  GetParam().expected_resume, 1);
+  }
+}
+
 }  // namespace net
diff --git a/chromium/net/socket/ssl_connect_job.cc b/chromium/net/socket/ssl_connect_job.cc
index 3c512cd60f1..a10c57d6102 100644
--- a/chromium/net/socket/ssl_connect_job.cc
+++ b/chromium/net/socket/ssl_connect_job.cc
@@ -46,13 +46,15 @@ SSLSocketParams::SSLSocketParams(
     scoped_refptr<HttpProxySocketParams> http_proxy_params,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
-    PrivacyMode privacy_mode)
+    PrivacyMode privacy_mode,
+    NetworkIsolationKey network_isolation_key)
     : direct_params_(std::move(direct_params)),
       socks_proxy_params_(std::move(socks_proxy_params)),
       http_proxy_params_(std::move(http_proxy_params)),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
-      privacy_mode_(privacy_mode) {
+      privacy_mode_(privacy_mode),
+      network_isolation_key_(network_isolation_key) {
   // Only one set of lower level ConnectJob params should be non-NULL.
   DCHECK((direct_params_ && !socks_proxy_params_ && !http_proxy_params_) ||
          (!direct_params_ && socks_proxy_params_ && !http_proxy_params_) ||
@@ -332,32 +334,26 @@ int SSLConnectJob::DoSSLConnect() {
   // Set the timeout to just the time allowed for the SSL handshake.
   ResetTimer(kSSLHandshakeTimeout);
 
-  // If the handle has a fresh socket, get its connect start and DNS times.
-  const LoadTimingInfo::ConnectTiming* socket_connect_timing = nullptr;
-  socket_connect_timing = &nested_connect_job_->connect_timing();
-
-  if (socket_connect_timing) {
-    // Overwriting |connect_start| serves two purposes - it adjusts timing so
-    // |connect_start| doesn't include dns times, and it adjusts the time so
-    // as not to include time spent waiting for an idle socket.
-    connect_timing_.connect_start = socket_connect_timing->connect_start;
-    connect_timing_.dns_start = socket_connect_timing->dns_start;
-    connect_timing_.dns_end = socket_connect_timing->dns_end;
-  }
+  // Get the transport's connect start and DNS times.
+  const LoadTimingInfo::ConnectTiming& socket_connect_timing =
+      nested_connect_job_->connect_timing();
+
+  // Overwriting |connect_start| serves two purposes - it adjusts timing so
+  // |connect_start| doesn't include dns times, and it adjusts the time so
+  // as not to include time spent waiting for an idle socket.
+  connect_timing_.connect_start = socket_connect_timing.connect_start;
+  connect_timing_.dns_start = socket_connect_timing.dns_start;
+  connect_timing_.dns_end = socket_connect_timing.dns_end;
 
   ssl_negotiation_started_ = true;
   connect_timing_.ssl_start = base::TimeTicks::Now();
 
-  // TODO(mmenke): Consider moving this up to the socket pool layer, after
-  // giving socket pools knowledge of privacy mode.
-  const SSLClientSocketContext& context =
-      params_->privacy_mode() == PRIVACY_MODE_ENABLED
-          ? ssl_client_socket_context_privacy_mode()
-          : ssl_client_socket_context();
-
+  SSLConfig ssl_config = params_->ssl_config();
+  ssl_config.network_isolation_key = params_->network_isolation_key();
+  ssl_config.privacy_mode = params_->privacy_mode();
   ssl_socket_ = client_socket_factory()->CreateSSLClientSocket(
-      std::move(nested_socket_), params_->host_and_port(),
-      params_->ssl_config(), context);
+      ssl_client_context(), std::move(nested_socket_), params_->host_and_port(),
+      ssl_config);
   nested_connect_job_.reset();
   return ssl_socket_->Connect(callback_);
 }
diff --git a/chromium/net/socket/ssl_connect_job.h b/chromium/net/socket/ssl_connect_job.h
index bc198867b4f..575f429335a 100644
--- a/chromium/net/socket/ssl_connect_job.h
+++ b/chromium/net/socket/ssl_connect_job.h
@@ -14,6 +14,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/completion_repeating_callback.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/socket/connect_job.h"
 #include "net/socket/connection_attempts.h"
@@ -41,7 +42,8 @@ class NET_EXPORT_PRIVATE SSLSocketParams
                   scoped_refptr<HttpProxySocketParams> http_proxy_params,
                   const HostPortPair& host_and_port,
                   const SSLConfig& ssl_config,
-                  PrivacyMode privacy_mode);
+                  PrivacyMode privacy_mode,
+                  NetworkIsolationKey network_isolation_key);
 
   // Returns the type of the underlying connection.
   ConnectionType GetConnectionType() const;
@@ -59,6 +61,9 @@ class NET_EXPORT_PRIVATE SSLSocketParams
   const HostPortPair& host_and_port() const { return host_and_port_; }
   const SSLConfig& ssl_config() const { return ssl_config_; }
   PrivacyMode privacy_mode() const { return privacy_mode_; }
+  const NetworkIsolationKey& network_isolation_key() const {
+    return network_isolation_key_;
+  }
 
  private:
   friend class base::RefCounted<SSLSocketParams>;
@@ -70,6 +75,7 @@ class NET_EXPORT_PRIVATE SSLSocketParams
   const HostPortPair host_and_port_;
   const SSLConfig ssl_config_;
   const PrivacyMode privacy_mode_;
+  const NetworkIsolationKey network_isolation_key_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLSocketParams);
 };
diff --git a/chromium/net/socket/ssl_connect_job_unittest.cc b/chromium/net/socket/ssl_connect_job_unittest.cc
index 799d2325c70..3ffef96f83e 100644
--- a/chromium/net/socket/ssl_connect_job_unittest.cc
+++ b/chromium/net/socket/ssl_connect_job_unittest.cc
@@ -78,18 +78,11 @@ class SSLConnectJobTest : public WithScopedTaskEnvironment,
  public:
   SSLConnectJobTest()
       : WithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME,
-            base::test::ScopedTaskEnvironment::NowSource::
-                MAIN_THREAD_MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME_AND_NOW),
         proxy_resolution_service_(ProxyResolutionService::CreateDirect()),
         ssl_config_service_(new SSLConfigServiceDefaults),
         http_auth_handler_factory_(HttpAuthHandlerFactory::CreateDefault()),
         session_(CreateNetworkSession()),
-        ssl_client_socket_context_(&cert_verifier_,
-                                   &transport_security_state_,
-                                   &ct_verifier_,
-                                   &ct_policy_enforcer_,
-                                   nullptr /* ssl_client_session_cache */),
         direct_transport_socket_params_(
             new TransportSocketParams(HostPortPair("host", 443),
                                       OnHostResolutionCallback())),
@@ -112,10 +105,6 @@ class SSLConnectJobTest : public WithScopedTaskEnvironment,
                                       NetworkIsolationKey())),
         common_connect_job_params_(session_->CreateCommonConnectJobParams()) {
     ssl_config_service_->GetSSLConfig(&ssl_config_);
-
-    // Set an initial delay to ensure that the first call to TimeTicks::Now()
-    // before incrementing the counter does not return a null value.
-    FastForwardBy(base::TimeDelta::FromSeconds(1));
   }
 
   ~SSLConnectJobTest() override = default;
@@ -135,7 +124,8 @@ class SSLConnectJobTest : public WithScopedTaskEnvironment,
                                             : nullptr,
         proxy == ProxyServer::SCHEME_SOCKS5 ? socks_socket_params_ : nullptr,
         proxy == ProxyServer::SCHEME_HTTP ? http_proxy_socket_params_ : nullptr,
-        HostPortPair("host", 443), ssl_config_, PRIVACY_MODE_DISABLED);
+        HostPortPair("host", 443), ssl_config_, PRIVACY_MODE_DISABLED,
+        NetworkIsolationKey());
   }
 
   void AddAuthToCache() {
@@ -175,7 +165,6 @@ class SSLConnectJobTest : public WithScopedTaskEnvironment,
   const std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;
   HttpServerPropertiesImpl http_server_properties_;
   const std::unique_ptr<HttpNetworkSession> session_;
-  SSLClientSocketContext ssl_client_socket_context_;
 
   scoped_refptr<TransportSocketParams> direct_transport_socket_params_;
 
diff --git a/chromium/net/socket/ssl_server_socket_impl.cc b/chromium/net/socket/ssl_server_socket_impl.cc
index bb3e4fc8df1..8e9e8a2750a 100644
--- a/chromium/net/socket/ssl_server_socket_impl.cc
+++ b/chromium/net/socket/ssl_server_socket_impl.cc
@@ -26,6 +26,7 @@
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
+#include "third_party/boringssl/src/include/openssl/bytestring.h"
 #include "third_party/boringssl/src/include/openssl/err.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
@@ -142,6 +143,13 @@ class SSLServerContextImpl::SocketImpl : public SSLServerSocket,
                                                       size_t max_out);
   void OnPrivateKeyComplete(Error error, const std::vector<uint8_t>& signature);
 
+  static int ALPNSelectCallback(SSL* ssl,
+                                const uint8_t** out,
+                                uint8_t* out_len,
+                                const uint8_t* in,
+                                unsigned in_len,
+                                void* arg);
+
   // SocketBIOAdapter::Delegate implementation.
   void OnReadReady() override;
   void OnWriteReady() override;
@@ -202,7 +210,9 @@ class SSLServerContextImpl::SocketImpl : public SSLServerSocket,
   State next_handshake_state_;
   bool completed_handshake_;
 
-  base::WeakPtrFactory<SocketImpl> weak_factory_;
+  NextProto negotiated_protocol_;
+
+  base::WeakPtrFactory<SocketImpl> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SocketImpl);
 };
@@ -218,7 +228,7 @@ SSLServerContextImpl::SocketImpl::SocketImpl(
       transport_socket_(std::move(transport_socket)),
       next_handshake_state_(STATE_NONE),
       completed_handshake_(false),
-      weak_factory_(this) {
+      negotiated_protocol_(kProtoUnknown) {
   ssl_.reset(SSL_new(context_->ssl_ctx_.get()));
   SSL_set_app_data(ssl_.get(), this);
   SSL_set_shed_handshake_config(ssl_.get(), 1);
@@ -335,6 +345,41 @@ void SSLServerContextImpl::SocketImpl::OnPrivateKeyComplete(
   DoHandshakeLoop(ERR_IO_PENDING);
 }
 
+int SSLServerContextImpl::SocketImpl::ALPNSelectCallback(SSL* ssl,
+                                                         const uint8_t** out,
+                                                         uint8_t* out_len,
+                                                         const uint8_t* in,
+                                                         unsigned in_len,
+                                                         void* arg) {
+  SSLServerContextImpl::SocketImpl* socket =
+      static_cast<SSLServerContextImpl::SocketImpl*>(SSL_get_ex_data(
+          ssl, SocketDataIndex::GetInstance()->ssl_socket_data_index_));
+
+  // Iterate over the server protocols in preference order.
+  for (NextProto server_proto :
+       socket->context_->ssl_server_config_.alpn_protos) {
+    const char* server_proto_str = NextProtoToString(server_proto);
+
+    // See if the client advertised the corresponding protocol.
+    CBS cbs;
+    CBS_init(&cbs, in, in_len);
+    while (CBS_len(&cbs) != 0) {
+      CBS client_proto;
+      if (!CBS_get_u8_length_prefixed(&cbs, &client_proto)) {
+        return SSL_TLSEXT_ERR_NOACK;
+      }
+      if (base::StringPiece(
+              reinterpret_cast<const char*>(CBS_data(&client_proto)),
+              CBS_len(&client_proto)) == server_proto_str) {
+        *out = CBS_data(&client_proto);
+        *out_len = CBS_len(&client_proto);
+        return SSL_TLSEXT_ERR_OK;
+      }
+    }
+  }
+  return SSL_TLSEXT_ERR_NOACK;
+}
+
 int SSLServerContextImpl::SocketImpl::Handshake(
     CompletionOnceCallback callback) {
   net_log_.BeginEvent(NetLogEventType::SSL_SERVER_HANDSHAKE);
@@ -486,13 +531,11 @@ bool SSLServerContextImpl::SocketImpl::WasEverUsed() const {
 }
 
 bool SSLServerContextImpl::SocketImpl::WasAlpnNegotiated() const {
-  NOTIMPLEMENTED();
-  return false;
+  return negotiated_protocol_ != kProtoUnknown;
 }
 
 NextProto SSLServerContextImpl::SocketImpl::GetNegotiatedProtocol() const {
-  // ALPN is not supported by this class.
-  return kProtoUnknown;
+  return negotiated_protocol_;
 }
 
 bool SSLServerContextImpl::SocketImpl::GetSSLInfo(SSLInfo* ssl_info) {
@@ -594,9 +637,8 @@ int SSLServerContextImpl::SocketImpl::DoPayloadRead() {
   int net_error =
       MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
   if (net_error != ERR_IO_PENDING) {
-    net_log_.AddEvent(
-        NetLogEventType::SSL_READ_ERROR,
-        CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
+    NetLogOpenSSLError(net_log_, NetLogEventType::SSL_READ_ERROR, net_error,
+                       ssl_error, error_info);
   }
   return net_error;
 }
@@ -615,9 +657,8 @@ int SSLServerContextImpl::SocketImpl::DoPayloadWrite() {
   int net_error =
       MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
   if (net_error != ERR_IO_PENDING) {
-    net_log_.AddEvent(
-        NetLogEventType::SSL_WRITE_ERROR,
-        CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
+    NetLogOpenSSLError(net_log_, NetLogEventType::SSL_WRITE_ERROR, net_error,
+                       ssl_error, error_info);
   }
   return net_error;
 }
@@ -659,6 +700,15 @@ int SSLServerContextImpl::SocketImpl::DoHandshake() {
       if (!client_cert_)
         return ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT;
     }
+
+    const uint8_t* alpn_proto = nullptr;
+    unsigned alpn_len = 0;
+    SSL_get0_alpn_selected(ssl_.get(), &alpn_proto, &alpn_len);
+    if (alpn_len > 0) {
+      base::StringPiece proto(reinterpret_cast<const char*>(alpn_proto),
+                              alpn_len);
+      negotiated_protocol_ = NextProtoFromString(proto);
+    }
   } else {
     int ssl_error = SSL_get_error(ssl_.get(), rv);
 
@@ -685,9 +735,8 @@ int SSLServerContextImpl::SocketImpl::DoHandshake() {
     } else {
       LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
                  << ssl_error << ", net_error " << net_error;
-      net_log_.AddEvent(
-          NetLogEventType::SSL_HANDSHAKE_ERROR,
-          CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
+      NetLogOpenSSLError(net_log_, NetLogEventType::SSL_HANDSHAKE_ERROR,
+                         net_error, ssl_error, error_info);
     }
   }
   return net_error;
@@ -915,6 +964,9 @@ void SSLServerContextImpl::Init() {
     }
     SSL_CTX_set0_client_CAs(ssl_ctx_.get(), stack.release());
   }
+
+  SSL_CTX_set_alpn_select_cb(ssl_ctx_.get(), &SocketImpl::ALPNSelectCallback,
+                             nullptr);
 }
 
 SSLServerContextImpl::~SSLServerContextImpl() = default;
diff --git a/chromium/net/socket/ssl_server_socket_unittest.cc b/chromium/net/socket/ssl_server_socket_unittest.cc
index 0a4c466fa15..c288bcad423 100644
--- a/chromium/net/socket/ssl_server_socket_unittest.cc
+++ b/chromium/net/socket/ssl_server_socket_unittest.cc
@@ -103,11 +103,7 @@ class MockCTPolicyEnforcer : public CTPolicyEnforcer {
 class FakeDataChannel {
  public:
   FakeDataChannel()
-      : read_buf_len_(0),
-        closed_(false),
-        write_called_after_close_(false),
-        weak_factory_(this) {
-  }
+      : read_buf_len_(0), closed_(false), write_called_after_close_(false) {}
 
   int Read(IOBuffer* buf, int buf_len, CompletionOnceCallback callback) {
     DCHECK(read_callback_.is_null());
@@ -214,7 +210,7 @@ class FakeDataChannel {
   // asynchronously.
   bool write_called_after_close_;
 
-  base::WeakPtrFactory<FakeDataChannel> weak_factory_;
+  base::WeakPtrFactory<FakeDataChannel> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(FakeDataChannel);
 };
@@ -357,8 +353,7 @@ class SSLServerSocketTest : public PlatformTest,
                             public WithScopedTaskEnvironment {
  public:
   SSLServerSocketTest()
-      : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
-        cert_verifier_(new MockCertVerifier()),
+      : cert_verifier_(new MockCertVerifier()),
         client_cert_verifier_(new MockClientCertVerifier()),
         transport_security_state_(new TransportSecurityState),
         ct_verifier_(new DoNothingCTVerifier),
@@ -388,6 +383,11 @@ class SSLServerSocketTest : public PlatformTest,
     // Certificate provided by the host doesn't need authority.
     client_ssl_config_.allowed_bad_certs.emplace_back(
         server_cert_, CERT_STATUS_AUTHORITY_INVALID);
+
+    client_context_ = std::make_unique<SSLClientContext>(
+        cert_verifier_.get(), transport_security_state_.get(),
+        ct_verifier_.get(), ct_policy_enforcer_.get(),
+        ssl_client_session_cache_.get());
   }
 
  protected:
@@ -396,7 +396,6 @@ class SSLServerSocketTest : public PlatformTest,
     server_socket_.reset();
     channel_1_.reset();
     channel_2_.reset();
-    server_context_.reset();
     server_context_ = CreateSSLServerContext(
         server_cert_.get(), *server_private_key_, server_ssl_config_);
   }
@@ -422,14 +421,9 @@ class SSLServerSocketTest : public PlatformTest,
         std::make_unique<FakeSocket>(channel_2_.get(), channel_1_.get());
 
     HostPortPair host_and_pair("unittest", 0);
-    SSLClientSocketContext context(
-        cert_verifier_.get(), transport_security_state_.get(),
-        ct_verifier_.get(), ct_policy_enforcer_.get(),
-        ssl_client_session_cache_.get());
 
-    client_socket_ = socket_factory_->CreateSSLClientSocket(
-        std::move(client_connection), host_and_pair, client_ssl_config_,
-        context);
+    client_socket_ = client_context_->CreateSSLClientSocket(
+        std::move(client_connection), host_and_pair, client_ssl_config_);
     ASSERT_TRUE(client_socket_);
 
     server_socket_ =
@@ -515,16 +509,16 @@ class SSLServerSocketTest : public PlatformTest,
   std::unique_ptr<FakeDataChannel> channel_2_;
   SSLConfig client_ssl_config_;
   SSLServerConfig server_ssl_config_;
-  std::unique_ptr<SSLClientSocket> client_socket_;
-  std::unique_ptr<SSLServerSocket> server_socket_;
-  ClientSocketFactory* socket_factory_;
   std::unique_ptr<MockCertVerifier> cert_verifier_;
   std::unique_ptr<MockClientCertVerifier> client_cert_verifier_;
   std::unique_ptr<TransportSecurityState> transport_security_state_;
   std::unique_ptr<DoNothingCTVerifier> ct_verifier_;
   std::unique_ptr<MockCTPolicyEnforcer> ct_policy_enforcer_;
   std::unique_ptr<SSLClientSessionCache> ssl_client_session_cache_;
+  std::unique_ptr<SSLClientContext> client_context_;
   std::unique_ptr<SSLServerContext> server_context_;
+  std::unique_ptr<SSLClientSocket> client_socket_;
+  std::unique_ptr<SSLServerSocket> server_socket_;
   std::unique_ptr<crypto::RSAPrivateKey> server_private_key_;
   scoped_refptr<SSLPrivateKey> server_ssl_private_key_;
   scoped_refptr<X509Certificate> server_cert_;
@@ -791,7 +785,7 @@ TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSupplied) {
             connect_callback.GetResult(
                 client_socket_->Connect(connect_callback.callback())));
 
-  scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo();
+  auto request_info = base::MakeRefCounted<SSLCertRequestInfo>();
   client_socket_->GetSSLCertRequestInfo(request_info.get());
 
   // Check that the authority name that arrived in the CertificateRequest
@@ -825,7 +819,7 @@ TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSuppliedCached) {
             connect_callback.GetResult(
                 client_socket_->Connect(connect_callback.callback())));
 
-  scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo();
+  auto request_info = base::MakeRefCounted<SSLCertRequestInfo>();
   client_socket_->GetSSLCertRequestInfo(request_info.get());
 
   // Check that the authority name that arrived in the CertificateRequest
@@ -851,7 +845,7 @@ TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSuppliedCached) {
             connect_callback2.GetResult(
                 client_socket_->Connect(connect_callback2.callback())));
 
-  scoped_refptr<SSLCertRequestInfo> request_info2 = new SSLCertRequestInfo();
+  auto request_info2 = base::MakeRefCounted<SSLCertRequestInfo>();
   client_socket_->GetSSLCertRequestInfo(request_info2.get());
 
   // Check that the authority name that arrived in the CertificateRequest
@@ -1255,6 +1249,7 @@ TEST_F(SSLServerSocketTest, HandshakeServerSSLPrivateKeyRequireEcdhe) {
   };
   client_ssl_config_.disabled_cipher_suites.assign(
       kEcdheCiphers, kEcdheCiphers + base::size(kEcdheCiphers));
+
   // TLS 1.3 always works with SSLPrivateKey.
   client_ssl_config_.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
 
diff --git a/chromium/net/socket/tcp_client_socket.cc b/chromium/net/socket/tcp_client_socket.cc
index c6970172beb..46d0a7d5854 100644
--- a/chromium/net/socket/tcp_client_socket.cc
+++ b/chromium/net/socket/tcp_client_socket.cc
@@ -49,9 +49,7 @@ TCPClientSocket::TCPClientSocket(std::unique_ptr<TCPSocket> connected_socket,
 TCPClientSocket::~TCPClientSocket() {
   Disconnect();
 #if defined(TCP_CLIENT_SOCKET_OBSERVES_SUSPEND)
-  base::PowerMonitor* power_monitor = base::PowerMonitor::Get();
-  if (power_monitor)
-    power_monitor->RemoveObserver(this);
+  base::PowerMonitor::RemoveObserver(this);
 #endif  // defined(TCP_CLIENT_SOCKET_OBSERVES_SUSPEND)
 }
 
@@ -144,15 +142,12 @@ TCPClientSocket::TCPClientSocket(std::unique_ptr<TCPSocket> socket,
       previously_disconnected_(false),
       total_received_bytes_(0),
       was_ever_used_(false),
-      was_disconnected_on_suspend_(false),
-      weak_ptr_factory_(this) {
+      was_disconnected_on_suspend_(false) {
   DCHECK(socket_);
   if (socket_->IsValid())
     socket_->SetDefaultOptionsForClient();
 #if defined(TCP_CLIENT_SOCKET_OBSERVES_SUSPEND)
-  base::PowerMonitor* power_monitor = base::PowerMonitor::Get();
-  if (power_monitor)
-    power_monitor->AddObserver(this);
+  base::PowerMonitor::AddObserver(this);
 #endif  // defined(TCP_CLIENT_SOCKET_OBSERVES_SUSPEND)
 }
 
diff --git a/chromium/net/socket/tcp_client_socket.h b/chromium/net/socket/tcp_client_socket.h
index 1bf00384458..306c6b359e1 100644
--- a/chromium/net/socket/tcp_client_socket.h
+++ b/chromium/net/socket/tcp_client_socket.h
@@ -207,7 +207,7 @@ class NET_EXPORT TCPClientSocket : public TransportClientSocket,
   // Connect() or Disconnect() is called.
   bool was_disconnected_on_suspend_;
 
-  base::WeakPtrFactory<TCPClientSocket> weak_ptr_factory_;
+  base::WeakPtrFactory<TCPClientSocket> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(TCPClientSocket);
 };
diff --git a/chromium/net/socket/tcp_client_socket_unittest.cc b/chromium/net/socket/tcp_client_socket_unittest.cc
index d2268247d92..0fc860632c9 100644
--- a/chromium/net/socket/tcp_client_socket_unittest.cc
+++ b/chromium/net/socket/tcp_client_socket_unittest.cc
@@ -55,8 +55,6 @@ class TestPowerMonitorSource : public base::PowerMonitorSource {
   TestPowerMonitorSource() = default;
   ~TestPowerMonitorSource() override = default;
 
-  void Shutdown() override {}
-
   void Suspend() { ProcessPowerEvent(SUSPEND_EVENT); }
 
   void Resume() { ProcessPowerEvent(RESUME_EVENT); }
@@ -75,10 +73,11 @@ class TCPClientSocketTest : public testing::Test {
     std::unique_ptr<TestPowerMonitorSource> power_monitor_source =
         std::make_unique<TestPowerMonitorSource>();
     power_monitor_source_ = power_monitor_source.get();
-    power_monitor_ =
-        std::make_unique<base::PowerMonitor>(std::move(power_monitor_source));
+    base::PowerMonitor::Initialize(std::move(power_monitor_source));
   }
 
+  ~TCPClientSocketTest() override { base::PowerMonitor::ShutdownForTesting(); }
+
   void Suspend() { power_monitor_source_->Suspend(); }
   void Resume() { power_monitor_source_->Resume(); }
 
@@ -124,7 +123,6 @@ class TCPClientSocketTest : public testing::Test {
  private:
   base::test::ScopedTaskEnvironment scoped_task_environment_;
 
-  std::unique_ptr<base::PowerMonitor> power_monitor_;
   TestPowerMonitorSource* power_monitor_source_;
 };
 
diff --git a/chromium/net/socket/tcp_socket_posix.cc b/chromium/net/socket/tcp_socket_posix.cc
index deb88c0965c..520f8d7865e 100644
--- a/chromium/net/socket/tcp_socket_posix.cc
+++ b/chromium/net/socket/tcp_socket_posix.cc
@@ -139,8 +139,7 @@ TCPSocketPosix::TCPSocketPosix(
     : socket_performance_watcher_(std::move(socket_performance_watcher)),
       logging_multiple_connect_attempts_(false),
       net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::SOCKET)) {
-  net_log_.BeginEvent(NetLogEventType::SOCKET_ALIVE,
-                      source.ToEventParametersCallback());
+  net_log_.BeginEventReferencingSource(NetLogEventType::SOCKET_ALIVE, source);
 }
 
 TCPSocketPosix::~TCPSocketPosix() {
@@ -233,7 +232,7 @@ int TCPSocketPosix::Connect(const IPEndPoint& address,
     LogConnectBegin(AddressList(address));
 
   net_log_.BeginEvent(NetLogEventType::TCP_CONNECT_ATTEMPT,
-                      CreateNetLogIPEndPointCallback(&address));
+                      [&] { return CreateNetLogIPEndPointParams(&address); });
 
   SockaddrStorage storage;
   if (!address.ToSockAddr(storage.addr, &storage.addr_len))
@@ -485,7 +484,7 @@ int TCPSocketPosix::HandleAcceptCompleted(
 
   if (rv == OK) {
     net_log_.EndEvent(NetLogEventType::TCP_ACCEPT,
-                      CreateNetLogIPEndPointCallback(address));
+                      [&] { return CreateNetLogIPEndPointParams(address); });
   } else {
     net_log_.EndEventWithNetErrorCode(NetLogEventType::TCP_ACCEPT, rv);
   }
@@ -519,8 +518,8 @@ void TCPSocketPosix::ConnectCompleted(CompletionOnceCallback callback, int rv) {
 int TCPSocketPosix::HandleConnectCompleted(int rv) {
   // Log the end of this attempt (and any OS error it threw).
   if (rv != OK) {
-    net_log_.EndEvent(NetLogEventType::TCP_CONNECT_ATTEMPT,
-                      NetLog::IntCallback("os_error", errno));
+    net_log_.EndEventWithIntParams(NetLogEventType::TCP_CONNECT_ATTEMPT,
+                                   "os_error", errno);
     tag_ = SocketTag();
   } else {
     net_log_.EndEvent(NetLogEventType::TCP_CONNECT_ATTEMPT);
@@ -539,7 +538,7 @@ int TCPSocketPosix::HandleConnectCompleted(int rv) {
 
 void TCPSocketPosix::LogConnectBegin(const AddressList& addresses) const {
   net_log_.BeginEvent(NetLogEventType::TCP_CONNECT,
-                      addresses.CreateNetLogCallback());
+                      [&] { return addresses.NetLogParams(); });
 }
 
 void TCPSocketPosix::LogConnectEnd(int net_error) const {
@@ -557,9 +556,9 @@ void TCPSocketPosix::LogConnectEnd(int net_error) const {
     return;
   }
 
-  net_log_.EndEvent(
-      NetLogEventType::TCP_CONNECT,
-      CreateNetLogSourceAddressCallback(storage.addr, storage.addr_len));
+  net_log_.EndEvent(NetLogEventType::TCP_CONNECT, [&] {
+    return CreateNetLogSourceAddressParams(storage.addr, storage.addr_len);
+  });
 }
 
 void TCPSocketPosix::ReadCompleted(const scoped_refptr<IOBuffer>& buf,
@@ -598,8 +597,7 @@ int TCPSocketPosix::HandleReadCompleted(IOBuffer* buf, int rv) {
 
 void TCPSocketPosix::HandleReadCompletedHelper(int rv) {
   if (rv < 0) {
-    net_log_.AddEvent(NetLogEventType::SOCKET_READ_ERROR,
-                      CreateNetLogSocketErrorCallback(rv, errno));
+    NetLogSocketError(net_log_, NetLogEventType::SOCKET_READ_ERROR, rv, errno);
   }
 }
 
@@ -612,8 +610,7 @@ void TCPSocketPosix::WriteCompleted(const scoped_refptr<IOBuffer>& buf,
 
 int TCPSocketPosix::HandleWriteCompleted(IOBuffer* buf, int rv) {
   if (rv < 0) {
-    net_log_.AddEvent(NetLogEventType::SOCKET_WRITE_ERROR,
-                      CreateNetLogSocketErrorCallback(rv, errno));
+    NetLogSocketError(net_log_, NetLogEventType::SOCKET_WRITE_ERROR, rv, errno);
     return rv;
   }
 
diff --git a/chromium/net/socket/tcp_socket_win.cc b/chromium/net/socket/tcp_socket_win.cc
index 3e6ecb8e9c6..6a8c306a569 100644
--- a/chromium/net/socket/tcp_socket_win.cc
+++ b/chromium/net/socket/tcp_socket_win.cc
@@ -267,8 +267,7 @@ TCPSocketWin::TCPSocketWin(
       connect_os_error_(0),
       logging_multiple_connect_attempts_(false),
       net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::SOCKET)) {
-  net_log_.BeginEvent(NetLogEventType::SOCKET_ALIVE,
-                      source.ToEventParametersCallback());
+  net_log_.BeginEventReferencingSource(NetLogEventType::SOCKET_ALIVE, source);
   EnsureWinsockInit();
 }
 
@@ -518,8 +517,8 @@ int TCPSocketWin::ReadIfReady(IOBuffer* buf,
   if (rv == SOCKET_ERROR) {
     if (os_error != WSAEWOULDBLOCK) {
       int net_error = MapSystemError(os_error);
-      net_log_.AddEvent(NetLogEventType::SOCKET_READ_ERROR,
-                        CreateNetLogSocketErrorCallback(net_error, os_error));
+      NetLogSocketError(net_log_, NetLogEventType::SOCKET_READ_ERROR, net_error,
+                        os_error);
       return net_error;
     }
   } else {
@@ -586,8 +585,8 @@ int TCPSocketWin::Write(
   } else {
     if (os_error != WSA_IO_PENDING) {
       int net_error = MapSystemError(os_error);
-      net_log_.AddEvent(NetLogEventType::SOCKET_WRITE_ERROR,
-                        CreateNetLogSocketErrorCallback(net_error, os_error));
+      NetLogSocketError(net_log_, NetLogEventType::SOCKET_WRITE_ERROR,
+                        net_error, os_error);
       return net_error;
     }
   }
@@ -795,8 +794,9 @@ int TCPSocketWin::AcceptInternal(std::unique_ptr<TCPSocketWin>* socket,
   }
   *socket = std::move(tcp_socket);
   *address = ip_end_point;
-  net_log_.EndEvent(NetLogEventType::TCP_ACCEPT,
-                    CreateNetLogIPEndPointCallback(&ip_end_point));
+  net_log_.EndEvent(NetLogEventType::TCP_ACCEPT, [&] {
+    return CreateNetLogIPEndPointParams(&ip_end_point);
+  });
   return OK;
 }
 
@@ -829,8 +829,9 @@ int TCPSocketWin::DoConnect() {
   DCHECK_EQ(connect_os_error_, 0);
   DCHECK(!core_.get());
 
-  net_log_.BeginEvent(NetLogEventType::TCP_CONNECT_ATTEMPT,
-                      CreateNetLogIPEndPointCallback(peer_address_.get()));
+  net_log_.BeginEvent(NetLogEventType::TCP_CONNECT_ATTEMPT, [&] {
+    return CreateNetLogIPEndPointParams(peer_address_.get());
+  });
 
   core_ = new Core(this);
 
@@ -877,8 +878,8 @@ void TCPSocketWin::DoConnectComplete(int result) {
   int os_error = connect_os_error_;
   connect_os_error_ = 0;
   if (result != OK) {
-    net_log_.EndEvent(NetLogEventType::TCP_CONNECT_ATTEMPT,
-                      NetLog::IntCallback("os_error", os_error));
+    net_log_.EndEventWithIntParams(NetLogEventType::TCP_CONNECT_ATTEMPT,
+                                   "os_error", os_error);
   } else {
     net_log_.EndEvent(NetLogEventType::TCP_CONNECT_ATTEMPT);
   }
@@ -889,7 +890,7 @@ void TCPSocketWin::DoConnectComplete(int result) {
 
 void TCPSocketWin::LogConnectBegin(const AddressList& addresses) {
   net_log_.BeginEvent(NetLogEventType::TCP_CONNECT,
-                      addresses.CreateNetLogCallback());
+                      [&] { return addresses.NetLogParams(); });
 }
 
 void TCPSocketWin::LogConnectEnd(int net_error) {
@@ -910,11 +911,11 @@ void TCPSocketWin::LogConnectEnd(int net_error) {
     return;
   }
 
-  net_log_.EndEvent(
-      NetLogEventType::TCP_CONNECT,
-      CreateNetLogSourceAddressCallback(
-          reinterpret_cast<const struct sockaddr*>(&source_address),
-          sizeof(source_address)));
+  net_log_.EndEvent(NetLogEventType::TCP_CONNECT, [&] {
+    return CreateNetLogSourceAddressParams(
+        reinterpret_cast<const struct sockaddr*>(&source_address),
+        sizeof(source_address));
+  });
 }
 
 void TCPSocketWin::RetryRead(int rv) {
@@ -974,8 +975,8 @@ void TCPSocketWin::DidCompleteWrite() {
   int rv;
   if (!ok) {
     rv = MapSystemError(os_error);
-    net_log_.AddEvent(NetLogEventType::SOCKET_WRITE_ERROR,
-                      CreateNetLogSocketErrorCallback(rv, os_error));
+    NetLogSocketError(net_log_, NetLogEventType::SOCKET_WRITE_ERROR, rv,
+                      os_error);
   } else {
     rv = static_cast<int>(num_bytes);
     if (rv > core_->write_buffer_length_ || rv < 0) {
diff --git a/chromium/net/socket/transport_client_socket_pool.cc b/chromium/net/socket/transport_client_socket_pool.cc
index 3a1fb84662c..5c569152a2a 100644
--- a/chromium/net/socket/transport_client_socket_pool.cc
+++ b/chromium/net/socket/transport_client_socket_pool.cc
@@ -38,10 +38,9 @@ namespace {
 // after a certain timeout has passed without receiving an ACK.
 bool g_connect_backup_jobs_enabled = true;
 
-base::Value NetLogCreateConnectJobCallback(
+base::Value NetLogCreateConnectJobParams(
     bool backup_job,
-    const ClientSocketPool::GroupId* group_id,
-    net::NetLogCaptureMode capture_mode) {
+    const ClientSocketPool::GroupId* group_id) {
   base::DictionaryValue dict;
   dict.SetBoolean("backup_job", backup_job);
   dict.SetString("group_id", group_id->ToString());
@@ -225,14 +224,14 @@ bool TransportClientSocketPool::IsStalled() const {
 void TransportClientSocketPool::AddHigherLayeredPool(
     HigherLayeredPool* higher_pool) {
   CHECK(higher_pool);
-  CHECK(!base::ContainsKey(higher_pools_, higher_pool));
+  CHECK(!base::Contains(higher_pools_, higher_pool));
   higher_pools_.insert(higher_pool);
 }
 
 void TransportClientSocketPool::RemoveHigherLayeredPool(
     HigherLayeredPool* higher_pool) {
   CHECK(higher_pool);
-  CHECK(base::ContainsKey(higher_pools_, higher_pool));
+  CHECK(base::Contains(higher_pools_, higher_pool));
   higher_pools_.erase(higher_pool);
 }
 
@@ -297,8 +296,7 @@ void TransportClientSocketPool::RequestSockets(
   if (net_log.IsCapturing()) {
     // TODO(eroman): Split out the host and port parameters.
     net_log.AddEvent(NetLogEventType::TCP_CLIENT_SOCKET_POOL_REQUESTED_SOCKETS,
-                     base::BindRepeating(&NetLogGroupIdCallback,
-                                         base::Unretained(&group_id)));
+                     [&] { return NetLogGroupIdParams(group_id); });
   }
 
   Request request(nullptr /* no handle */, CompletionOnceCallback(),
@@ -313,9 +311,9 @@ void TransportClientSocketPool::RequestSockets(
     num_sockets = max_sockets_per_group_;
   }
 
-  request.net_log().BeginEvent(
-      NetLogEventType::SOCKET_POOL_CONNECTING_N_SOCKETS,
-      NetLog::IntCallback("num_sockets", num_sockets));
+  request.net_log().BeginEventWithIntParams(
+      NetLogEventType::SOCKET_POOL_CONNECTING_N_SOCKETS, "num_sockets",
+      num_sockets);
 
   Group* group = GetOrCreateGroup(group_id);
 
@@ -329,11 +327,11 @@ void TransportClientSocketPool::RequestSockets(
     rv = RequestSocketInternal(group_id, request);
     if (rv < 0 && rv != ERR_IO_PENDING) {
       // We're encountering a synchronous error.  Give up.
-      if (!base::ContainsKey(group_map_, group_id))
+      if (!base::Contains(group_map_, group_id))
         deleted_group = true;
       break;
     }
-    if (!base::ContainsKey(group_map_, group_id)) {
+    if (!base::Contains(group_map_, group_id)) {
       // Unexpected.  The group should only be getting deleted on synchronous
       // error.
       NOTREACHED();
@@ -417,9 +415,9 @@ int TransportClientSocketPool::RequestSocketInternal(const GroupId& group_id,
           group_id, request.socket_params(), request.proxy_annotation_tag(),
           request.priority(), request.socket_tag(), group));
   owned_connect_job->net_log().AddEvent(
-      NetLogEventType::SOCKET_POOL_CONNECT_JOB_CREATED,
-      base::BindRepeating(&NetLogCreateConnectJobCallback,
-                          false /* backup_job */, base::Unretained(&group_id)));
+      NetLogEventType::SOCKET_POOL_CONNECT_JOB_CREATED, [&] {
+        return NetLogCreateConnectJobParams(false /* backup_job */, &group_id);
+      });
   ConnectJob* connect_job = owned_connect_job.get();
   bool was_group_empty = group->IsEmpty();
   // Need to add the ConnectJob to the group before connecting, to ensure
@@ -528,8 +526,8 @@ bool TransportClientSocketPool::AssignIdleSocketToRequest(
 void TransportClientSocketPool::LogBoundConnectJobToRequest(
     const NetLogSource& connect_job_source,
     const Request& request) {
-  request.net_log().AddEvent(NetLogEventType::SOCKET_POOL_BOUND_TO_CONNECT_JOB,
-                             connect_job_source.ToEventParametersCallback());
+  request.net_log().AddEventReferencingSource(
+      NetLogEventType::SOCKET_POOL_BOUND_TO_CONNECT_JOB, connect_job_source);
 }
 
 void TransportClientSocketPool::SetPriority(const GroupId& group_id,
@@ -537,7 +535,7 @@ void TransportClientSocketPool::SetPriority(const GroupId& group_id,
                                             RequestPriority priority) {
   auto group_it = group_map_.find(group_id);
   if (group_it == group_map_.end()) {
-    DCHECK(base::ContainsKey(pending_callback_map_, handle));
+    DCHECK(base::Contains(pending_callback_map_, handle));
     // The Request has already completed and been destroyed; nothing to
     // reprioritize.
     return;
@@ -570,7 +568,7 @@ void TransportClientSocketPool::CancelRequest(const GroupId& group_id,
     return;
   }
 
-  CHECK(base::ContainsKey(group_map_, group_id));
+  CHECK(base::Contains(group_map_, group_id));
   Group* group = GetOrCreateGroup(group_id);
 
   std::unique_ptr<Request> request = group->FindAndRemoveBoundRequest(handle);
@@ -633,7 +631,7 @@ size_t TransportClientSocketPool::IdleSocketCountInGroup(
 LoadState TransportClientSocketPool::GetLoadState(
     const GroupId& group_id,
     const ClientSocketHandle* handle) const {
-  if (base::ContainsKey(pending_callback_map_, handle))
+  if (base::Contains(pending_callback_map_, handle))
     return LOAD_STATE_CONNECTING;
 
   auto group_it = group_map_.find(group_id);
@@ -780,8 +778,7 @@ TransportClientSocketPool::TransportClientSocketPool(
       connect_job_factory_(std::move(connect_job_factory)),
       connect_backup_jobs_enabled_(connect_backup_jobs_enabled &&
                                    g_connect_backup_jobs_enabled),
-      ssl_config_service_(ssl_config_service),
-      weak_factory_(this) {
+      ssl_config_service_(ssl_config_service) {
   DCHECK_LE(0, max_sockets_per_group);
   DCHECK_LE(max_sockets_per_group, max_sockets);
 
@@ -798,7 +795,7 @@ void TransportClientSocketPool::OnSSLConfigChanged() {
 }
 
 bool TransportClientSocketPool::HasGroup(const GroupId& group_id) const {
-  return base::ContainsKey(group_map_, group_id);
+  return base::Contains(group_map_, group_id);
 }
 
 void TransportClientSocketPool::CleanupIdleSockets(bool force) {
@@ -1023,7 +1020,7 @@ void TransportClientSocketPool::RemoveConnectJob(ConnectJob* job,
 
 void TransportClientSocketPool::OnAvailableSocketSlot(const GroupId& group_id,
                                                       Group* group) {
-  DCHECK(base::ContainsKey(group_map_, group_id));
+  DCHECK(base::Contains(group_map_, group_id));
   if (group->IsEmpty()) {
     RemoveGroup(group_id);
   } else if (group->has_unbound_requests()) {
@@ -1074,10 +1071,9 @@ void TransportClientSocketPool::HandOutSocket(
   handle->set_connect_timing(connect_timing);
 
   if (reuse_type == ClientSocketHandle::REUSED_IDLE) {
-    net_log.AddEvent(
-        NetLogEventType::SOCKET_POOL_REUSED_AN_EXISTING_SOCKET,
-        NetLog::IntCallback("idle_ms",
-                            static_cast<int>(idle_time.InMilliseconds())));
+    net_log.AddEventWithIntParams(
+        NetLogEventType::SOCKET_POOL_REUSED_AN_EXISTING_SOCKET, "idle_ms",
+        static_cast<int>(idle_time.InMilliseconds()));
   }
 
   if (reuse_type != ClientSocketHandle::UNUSED) {
@@ -1087,9 +1083,9 @@ void TransportClientSocketPool::HandOutSocket(
                                 idle_socket_count_ + 1, 1, 256, 50);
   }
 
-  net_log.AddEvent(
+  net_log.AddEventReferencingSource(
       NetLogEventType::SOCKET_POOL_BOUND_TO_SOCKET,
-      handle->socket()->NetLog().source().ToEventParametersCallback());
+      handle->socket()->NetLog().source());
 
   handed_out_socket_count_++;
   group->IncrementActiveSocketCount();
@@ -1295,7 +1291,7 @@ void TransportClientSocketPool::InvokeUserCallbackLater(
     CompletionOnceCallback callback,
     int rv,
     const SocketTag& socket_tag) {
-  CHECK(!base::ContainsKey(pending_callback_map_, handle));
+  CHECK(!base::Contains(pending_callback_map_, handle));
   pending_callback_map_[handle] = CallbackResultPair(std::move(callback), rv);
   if (rv == OK) {
     handle->socket()->ApplySocketTag(socket_tag);
@@ -1512,9 +1508,9 @@ void TransportClientSocketPool::Group::OnBackupJobTimerFired(
           group_id, request->socket_params(), request->proxy_annotation_tag(),
           request->priority(), request->socket_tag(), this);
   owned_backup_job->net_log().AddEvent(
-      NetLogEventType::SOCKET_POOL_CONNECT_JOB_CREATED,
-      base::BindRepeating(&NetLogCreateConnectJobCallback,
-                          true /* backup_job */, &group_id_));
+      NetLogEventType::SOCKET_POOL_CONNECT_JOB_CREATED, [&] {
+        return NetLogCreateConnectJobParams(true /* backup_job */, &group_id_);
+      });
   ConnectJob* backup_job = owned_backup_job.get();
   AddJob(std::move(owned_backup_job), false);
   client_socket_pool_->connecting_socket_count_++;
diff --git a/chromium/net/socket/transport_client_socket_pool.h b/chromium/net/socket/transport_client_socket_pool.h
index 2f61148245d..02ac61e95b5 100644
--- a/chromium/net/socket/transport_client_socket_pool.h
+++ b/chromium/net/socket/transport_client_socket_pool.h
@@ -795,7 +795,7 @@ class NET_EXPORT_PRIVATE TransportClientSocketPool
 
   SSLConfigService* const ssl_config_service_;
 
-  base::WeakPtrFactory<TransportClientSocketPool> weak_factory_;
+  base::WeakPtrFactory<TransportClientSocketPool> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(TransportClientSocketPool);
 };
diff --git a/chromium/net/socket/transport_client_socket_pool_test_util.cc b/chromium/net/socket/transport_client_socket_pool_test_util.cc
index bf8b36601a4..ba52c32aa6c 100644
--- a/chromium/net/socket/transport_client_socket_pool_test_util.cc
+++ b/chromium/net/socket/transport_client_socket_pool_test_util.cc
@@ -194,8 +194,7 @@ class MockTriggerableClientSocket : public TransportClientSocket {
       : should_connect_(should_connect),
         is_connected_(false),
         addrlist_(addrlist),
-        net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::SOCKET)),
-        weak_factory_(this) {}
+        net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::SOCKET)) {}
 
   // Call this method to get a closure which will trigger the connect callback
   // when called. The closure can be called even after the socket is deleted; it
@@ -322,7 +321,7 @@ class MockTriggerableClientSocket : public TransportClientSocket {
   CompletionOnceCallback callback_;
   ConnectionAttempts connection_attempts_;
 
-  base::WeakPtrFactory<MockTriggerableClientSocket> weak_factory_;
+  base::WeakPtrFactory<MockTriggerableClientSocket> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(MockTriggerableClientSocket);
 };
@@ -444,12 +443,12 @@ MockTransportClientSocketFactory::CreateTransportClientSocket(
 
 std::unique_ptr<SSLClientSocket>
 MockTransportClientSocketFactory::CreateSSLClientSocket(
+    SSLClientContext* context,
     std::unique_ptr<StreamSocket> stream_socket,
     const HostPortPair& host_and_port,
-    const SSLConfig& ssl_config,
-    const SSLClientSocketContext& context) {
+    const SSLConfig& ssl_config) {
   NOTIMPLEMENTED();
-  return std::unique_ptr<SSLClientSocket>();
+  return nullptr;
 }
 
 std::unique_ptr<ProxyClientSocket>
diff --git a/chromium/net/socket/transport_client_socket_pool_test_util.h b/chromium/net/socket/transport_client_socket_pool_test_util.h
index 38a9744138f..a10aea17f6a 100644
--- a/chromium/net/socket/transport_client_socket_pool_test_util.h
+++ b/chromium/net/socket/transport_client_socket_pool_test_util.h
@@ -86,12 +86,11 @@ class MockTransportClientSocketFactory : public ClientSocketFactory {
       NetLog* /* net_log */,
       const NetLogSource& /* source */) override;
 
-
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> nested_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override;
+      const SSLConfig& ssl_config) override;
 
   std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
       std::unique_ptr<StreamSocket> stream_socket,
diff --git a/chromium/net/socket/transport_client_socket_pool_unittest.cc b/chromium/net/socket/transport_client_socket_pool_unittest.cc
index d8d59caf1f5..8a1058402bb 100644
--- a/chromium/net/socket/transport_client_socket_pool_unittest.cc
+++ b/chromium/net/socket/transport_client_socket_pool_unittest.cc
@@ -94,17 +94,11 @@ class SOCKS5MockData {
 class TransportClientSocketPoolTest : public ::testing::Test,
                                       public WithScopedTaskEnvironment {
  protected:
-  // Default constructor.
-  TransportClientSocketPoolTest()
-      : TransportClientSocketPoolTest(
-            base::test::ScopedTaskEnvironment::MainThreadType::IO,
-            base::test::ScopedTaskEnvironment::NowSource::REAL_TIME) {}
-
   // Constructor that allows mocking of the time.
-  TransportClientSocketPoolTest(
-      base::test::ScopedTaskEnvironment::MainThreadType type,
-      base::test::ScopedTaskEnvironment::NowSource now_source)
-      : WithScopedTaskEnvironment(type, now_source),
+  explicit TransportClientSocketPoolTest(
+      base::test::ScopedTaskEnvironment::TimeSource time_source =
+          base::test::ScopedTaskEnvironment::TimeSource::DEFAULT)
+      : WithScopedTaskEnvironment(time_source),
         connect_backup_jobs_enabled_(
             TransportClientSocketPool::set_connect_backup_jobs_enabled(true)),
         group_id_(HostPortPair("www.google.com", 80),
@@ -2174,13 +2168,7 @@ class TransportClientSocketPoolMockNowSourceTest
  protected:
   TransportClientSocketPoolMockNowSourceTest()
       : TransportClientSocketPoolTest(
-            base::test::ScopedTaskEnvironment::MainThreadType::IO_MOCK_TIME,
-            base::test::ScopedTaskEnvironment::NowSource::
-                MAIN_THREAD_MOCK_TIME) {
-    // Forward the clock by a non-zero amount to avoid triggering DCHECKs that
-    // verify that certain timestamps are non-null.
-    FastForwardBy(base::TimeDelta::FromSeconds(1));
-  }
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME_AND_NOW) {}
 
  private:
   DISALLOW_COPY_AND_ASSIGN(TransportClientSocketPoolMockNowSourceTest);
diff --git a/chromium/net/socket/transport_client_socket_unittest.cc b/chromium/net/socket/transport_client_socket_unittest.cc
index 38cff8f2917..46e285ef568 100644
--- a/chromium/net/socket/transport_client_socket_unittest.cc
+++ b/chromium/net/socket/transport_client_socket_unittest.cc
@@ -17,7 +17,6 @@
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/tcp_client_socket.h"
@@ -236,8 +235,7 @@ TEST_P(TransportClientSocketTest, Connect) {
   // Wait for |listen_sock_| to accept a connection.
   connect_loop_.Run();
 
-  TestNetLogEntry::List net_log_entries;
-  net_log_.GetEntries(&net_log_entries);
+  auto net_log_entries = net_log_.GetEntries();
   EXPECT_TRUE(
       LogContainsBeginEvent(net_log_entries, 0, NetLogEventType::SOCKET_ALIVE));
   EXPECT_TRUE(
@@ -250,7 +248,7 @@ TEST_P(TransportClientSocketTest, Connect) {
   }
 
   EXPECT_TRUE(sock_->IsConnected());
-  net_log_.GetEntries(&net_log_entries);
+  net_log_entries = net_log_.GetEntries();
   EXPECT_TRUE(
       LogContainsEndEvent(net_log_entries, -1, NetLogEventType::TCP_CONNECT));
 
diff --git a/chromium/net/socket/transport_connect_job.cc b/chromium/net/socket/transport_connect_job.cc
index 047ac7add56..dafaecab369 100644
--- a/chromium/net/socket/transport_connect_job.cc
+++ b/chromium/net/socket/transport_connect_job.cc
@@ -101,8 +101,7 @@ TransportConnectJob::TransportConnectJob(
                  NetLogEventType::TRANSPORT_CONNECT_JOB_CONNECT),
       params_(params),
       next_state_(STATE_NONE),
-      resolve_result_(OK),
-      weak_ptr_factory_(this) {
+      resolve_result_(OK) {
   // This is only set for WebSockets.
   DCHECK(!common_connect_job_params->websocket_endpoint_lock_manager);
 }
diff --git a/chromium/net/socket/transport_connect_job.h b/chromium/net/socket/transport_connect_job.h
index 0258e52eb42..69b763d3007 100644
--- a/chromium/net/socket/transport_connect_job.h
+++ b/chromium/net/socket/transport_connect_job.h
@@ -170,7 +170,7 @@ class NET_EXPORT_PRIVATE TransportConnectJob : public ConnectJob {
   ConnectionAttempts connection_attempts_;
   ConnectionAttempts fallback_connection_attempts_;
 
-  base::WeakPtrFactory<TransportConnectJob> weak_ptr_factory_;
+  base::WeakPtrFactory<TransportConnectJob> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(TransportConnectJob);
 };
diff --git a/chromium/net/socket/transport_connect_job_unittest.cc b/chromium/net/socket/transport_connect_job_unittest.cc
index 0b14db63192..0489b276302 100644
--- a/chromium/net/socket/transport_connect_job_unittest.cc
+++ b/chromium/net/socket/transport_connect_job_unittest.cc
@@ -35,9 +35,7 @@ class TransportConnectJobTest : public WithScopedTaskEnvironment,
  public:
   TransportConnectJobTest()
       : WithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME,
-            base::test::ScopedTaskEnvironment::NowSource::
-                MAIN_THREAD_MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME_AND_NOW),
         client_socket_factory_(&net_log_),
         common_connect_job_params_(
             &client_socket_factory_,
@@ -49,16 +47,11 @@ class TransportConnectJobTest : public WithScopedTaskEnvironment,
             nullptr /* quic_stream_factory */,
             nullptr /* proxy_delegate */,
             nullptr /* http_user_agent_settings */,
-            SSLClientSocketContext(),
-            SSLClientSocketContext(),
+            nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
             &net_log_,
-            nullptr /* websocket_endpoint_lock_manager */) {
-    // Set an initial delay to ensure that calls to TimeTicks::Now() do not
-    // return a null value.
-    FastForwardBy(base::TimeDelta::FromSeconds(1));
-  }
+            nullptr /* websocket_endpoint_lock_manager */) {}
 
   ~TransportConnectJobTest() override {}
 
diff --git a/chromium/net/socket/udp_net_log_parameters.cc b/chromium/net/socket/udp_net_log_parameters.cc
index d6b6fad3af7..f0bc87d9ff2 100644
--- a/chromium/net/socket/udp_net_log_parameters.cc
+++ b/chromium/net/socket/udp_net_log_parameters.cc
@@ -6,34 +6,33 @@
 
 #include <utility>
 
-#include "base/bind.h"
 #include "base/values.h"
 #include "net/base/ip_endpoint.h"
-#include "net/log/net_log.h"
+#include "net/log/net_log_values.h"
+#include "net/log/net_log_with_source.h"
 
 namespace net {
 
 namespace {
 
-base::Value NetLogUDPDataTranferCallback(int byte_count,
-                                         const char* bytes,
-                                         const IPEndPoint* address,
-                                         NetLogCaptureMode capture_mode) {
+base::Value NetLogUDPDataTransferParams(int byte_count,
+                                        const char* bytes,
+                                        const IPEndPoint* address,
+                                        NetLogCaptureMode capture_mode) {
   base::DictionaryValue dict;
   dict.SetInteger("byte_count", byte_count);
-  if (capture_mode.include_socket_bytes())
+  if (NetLogCaptureIncludesSocketBytes(capture_mode))
     dict.SetKey("bytes", NetLogBinaryValue(bytes, byte_count));
   if (address)
     dict.SetString("address", address->ToString());
   return std::move(dict);
 }
 
-base::Value NetLogUDPConnectCallback(
-    const IPEndPoint* address,
-    NetworkChangeNotifier::NetworkHandle network,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogUDPConnectParams(
+    const IPEndPoint& address,
+    NetworkChangeNotifier::NetworkHandle network) {
   base::DictionaryValue dict;
-  dict.SetString("address", address->ToString());
+  dict.SetString("address", address.ToString());
   if (network != NetworkChangeNotifier::kInvalidNetworkHandle)
     dict.SetInteger("bound_to_network", network);
   return std::move(dict);
@@ -41,19 +40,22 @@ base::Value NetLogUDPConnectCallback(
 
 }  // namespace
 
-NetLogParametersCallback CreateNetLogUDPDataTranferCallback(
-    int byte_count,
-    const char* bytes,
-    const IPEndPoint* address) {
+void NetLogUDPDataTransfer(const NetLogWithSource& net_log,
+                           NetLogEventType type,
+                           int byte_count,
+                           const char* bytes,
+                           const IPEndPoint* address) {
   DCHECK(bytes);
-  return base::Bind(&NetLogUDPDataTranferCallback, byte_count, bytes, address);
+  net_log.AddEvent(type, [&](NetLogCaptureMode capture_mode) {
+    return NetLogUDPDataTransferParams(byte_count, bytes, address,
+                                       capture_mode);
+  });
 }
 
-NetLogParametersCallback CreateNetLogUDPConnectCallback(
-    const IPEndPoint* address,
+base::Value CreateNetLogUDPConnectParams(
+    const IPEndPoint& address,
     NetworkChangeNotifier::NetworkHandle network) {
-  DCHECK(address);
-  return base::Bind(&NetLogUDPConnectCallback, address, network);
+  return NetLogUDPConnectParams(address, network);
 }
 
 }  // namespace net
diff --git a/chromium/net/socket/udp_net_log_parameters.h b/chromium/net/socket/udp_net_log_parameters.h
index 78b080b96e4..0ba1240d69b 100644
--- a/chromium/net/socket/udp_net_log_parameters.h
+++ b/chromium/net/socket/udp_net_log_parameters.h
@@ -6,26 +6,29 @@
 #define NET_SOCKET_UDP_NET_LOG_PARAMETERS_H_
 
 #include "net/base/network_change_notifier.h"
-#include "net/log/net_log_parameters_callback.h"
+#include "net/log/net_log_event_type.h"
+
+namespace base {
+class Value;
+}
 
 namespace net {
 
+class NetLogWithSource;
 class IPEndPoint;
 
-// Creates a NetLog callback that returns parameters describing a UDP
-// receive/send event.  |bytes| are only logged when byte logging is
-// enabled.  |address| may be NULL.  |address| (if given) and |bytes|
-// must be valid for the life of the callback.
-NetLogParametersCallback CreateNetLogUDPDataTranferCallback(
-    int byte_count,
-    const char* bytes,
-    const IPEndPoint* address);
-
-// Creates a NetLog callback that returns parameters describing a UDP
-// connect event.  |address| cannot be NULL, and must remain valid for
-// the lifetime of the callback.
-NetLogParametersCallback CreateNetLogUDPConnectCallback(
-    const IPEndPoint* address,
+// Emits a NetLog event with parameters describing a UDP receive/send event.
+// |bytes| are only logged when byte logging is enabled.  |address| may be
+// nullptr.
+void NetLogUDPDataTransfer(const NetLogWithSource& net_log,
+                           NetLogEventType type,
+                           int byte_count,
+                           const char* bytes,
+                           const IPEndPoint* address);
+
+// Creates NetLog parameters describing a UDP connect event.
+base::Value CreateNetLogUDPConnectParams(
+    const IPEndPoint& address,
     NetworkChangeNotifier::NetworkHandle network);
 
 }  // namespace net
diff --git a/chromium/net/socket/udp_socket_perftest.cc b/chromium/net/socket/udp_socket_perftest.cc
index 4c3408284b4..05018fffbe8 100644
--- a/chromium/net/socket/udp_socket_perftest.cc
+++ b/chromium/net/socket/udp_socket_perftest.cc
@@ -30,8 +30,7 @@ namespace {
 class UDPSocketPerfTest : public PlatformTest {
  public:
   UDPSocketPerfTest()
-      : buffer_(base::MakeRefCounted<IOBufferWithSize>(kPacketSize)),
-        weak_factory_(this) {}
+      : buffer_(base::MakeRefCounted<IOBufferWithSize>(kPacketSize)) {}
 
   void DoneWritePacketsToSocket(UDPClientSocket* socket,
                                 int num_of_packets,
@@ -52,7 +51,7 @@ class UDPSocketPerfTest : public PlatformTest {
  protected:
   static const int kPacketSize = 1024;
   scoped_refptr<IOBufferWithSize> buffer_;
-  base::WeakPtrFactory<UDPSocketPerfTest> weak_factory_;
+  base::WeakPtrFactory<UDPSocketPerfTest> weak_factory_{this};
 };
 
 const int UDPSocketPerfTest::kPacketSize;
diff --git a/chromium/net/socket/udp_socket_posix.cc b/chromium/net/socket/udp_socket_posix.cc
index 08bf79c75c1..dbc8c5aaf3b 100644
--- a/chromium/net/socket/udp_socket_posix.cc
+++ b/chromium/net/socket/udp_socket_posix.cc
@@ -200,10 +200,8 @@ UDPSocketPosix::UDPSocketPosix(DatagramSocket::BindType bind_type,
       write_buf_len_(0),
       net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::UDP_SOCKET)),
       bound_network_(NetworkChangeNotifier::kInvalidNetworkHandle),
-      experimental_recv_optimization_enabled_(false),
-      weak_factory_(this) {
-  net_log_.BeginEvent(NetLogEventType::SOCKET_ALIVE,
-                      source.ToEventParametersCallback());
+      experimental_recv_optimization_enabled_(false) {
+  net_log_.BeginEventReferencingSource(NetLogEventType::SOCKET_ALIVE, source);
 }
 
 UDPSocketPosix::~UDPSocketPosix() {
@@ -364,9 +362,9 @@ int UDPSocketPosix::GetLocalAddress(IPEndPoint* address) const {
     if (!address->FromSockAddr(storage.addr, storage.addr_len))
       return ERR_ADDRESS_INVALID;
     local_address_ = std::move(address);
-    net_log_.AddEvent(
-        NetLogEventType::UDP_LOCAL_ADDRESS,
-        CreateNetLogUDPConnectCallback(local_address_.get(), bound_network_));
+    net_log_.AddEvent(NetLogEventType::UDP_LOCAL_ADDRESS, [&] {
+      return CreateNetLogUDPConnectParams(*local_address_, bound_network_);
+    });
   }
 
   *address = *local_address_;
@@ -460,8 +458,9 @@ int UDPSocketPosix::SendToOrWrite(IOBuffer* buf,
 
 int UDPSocketPosix::Connect(const IPEndPoint& address) {
   DCHECK_NE(socket_, kInvalidSocket);
-  net_log_.BeginEvent(NetLogEventType::UDP_CONNECT,
-                      CreateNetLogUDPConnectCallback(&address, bound_network_));
+  net_log_.BeginEvent(NetLogEventType::UDP_CONNECT, [&] {
+    return CreateNetLogUDPConnectParams(address, bound_network_);
+  });
   int rv = SetMulticastOptions();
   if (rv != OK)
     return rv;
@@ -765,9 +764,8 @@ void UDPSocketPosix::LogRead(int result,
 
     IPEndPoint address;
     bool is_address_valid = address.FromSockAddr(addr, addr_len);
-    net_log_.AddEvent(NetLogEventType::UDP_BYTES_RECEIVED,
-                      CreateNetLogUDPDataTranferCallback(
-                          result, bytes, is_address_valid ? &address : NULL));
+    NetLogUDPDataTransfer(net_log_, NetLogEventType::UDP_BYTES_RECEIVED, result,
+                          bytes, is_address_valid ? &address : nullptr);
   }
 
   received_activity_monitor_.Increment(result);
@@ -795,9 +793,8 @@ void UDPSocketPosix::LogWrite(int result,
   }
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(
-        NetLogEventType::UDP_BYTES_SENT,
-        CreateNetLogUDPDataTranferCallback(result, bytes, address));
+    NetLogUDPDataTransfer(net_log_, NetLogEventType::UDP_BYTES_SENT, result,
+                          bytes, address);
   }
 
   sent_activity_monitor_.Increment(result);
diff --git a/chromium/net/socket/udp_socket_posix.h b/chromium/net/socket/udp_socket_posix.h
index c62b4a88147..ce96046e720 100644
--- a/chromium/net/socket/udp_socket_posix.h
+++ b/chromium/net/socket/udp_socket_posix.h
@@ -632,7 +632,7 @@ class NET_EXPORT UDPSocketPosix {
   THREAD_CHECKER(thread_checker_);
 
   // Used for alternate writes that are posted for concurrent execution.
-  base::WeakPtrFactory<UDPSocketPosix> weak_factory_;
+  base::WeakPtrFactory<UDPSocketPosix> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(UDPSocketPosix);
 };
diff --git a/chromium/net/socket/udp_socket_posix_unittest.cc b/chromium/net/socket/udp_socket_posix_unittest.cc
index 42a42a16287..43817cc5be5 100644
--- a/chromium/net/socket/udp_socket_posix_unittest.cc
+++ b/chromium/net/socket/udp_socket_posix_unittest.cc
@@ -8,7 +8,6 @@
 #include "net/base/completion_repeating_callback.h"
 #include "net/base/net_errors.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/datagram_socket.h"
 #include "net/test/test_with_scoped_task_environment.h"
@@ -131,10 +130,9 @@ class UDPSocketPosixTest : public TestWithScopedTaskEnvironment {
  public:
   UDPSocketPosixTest()
       : TestWithScopedTaskEnvironment(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME),
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME),
         socket_(DatagramSocket::DEFAULT_BIND, &client_log_, NetLogSource()),
-        callback_fired_(false),
-        weak_factory_(this) {
+        callback_fired_(false) {
     write_callback_ = base::BindRepeating(&UDPSocketPosixTest::OnWriteComplete,
                                           weak_factory_.GetWeakPtr());
   }
@@ -236,7 +234,7 @@ class UDPSocketPosixTest : public TestWithScopedTaskEnvironment {
   struct iovec msg_iov_[kNumMsgs];
   struct mmsghdr msgvec_[kNumMsgs];
 #endif
-  base::WeakPtrFactory<UDPSocketPosixTest> weak_factory_;
+  base::WeakPtrFactory<UDPSocketPosixTest> weak_factory_{this};
 };
 
 TEST_F(UDPSocketPosixTest, InternalSendBuffers) {
@@ -345,8 +343,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffers) {
   socket_.DidSendBuffers(std::move(send_result));
   EXPECT_EQ(0u, socket_.GetUnwrittenBuffers().size());
   VerifyBuffersDequeued();
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(4u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -369,8 +366,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersAsync) {
   socket_.SetWriteCallback(write_callback_);
   socket_.DidSendBuffers(std::move(send_result));
   EXPECT_EQ(0u, socket_.GetUnwrittenBuffers().size());
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(4u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -394,8 +390,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersError) {
   socket_.SetWriteCallback(write_callback_);
   socket_.DidSendBuffers(std::move(send_result));
   EXPECT_EQ(2u, socket_.GetUnwrittenBuffers().size());
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(2u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -413,8 +408,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersShort) {
   socket_.SetWriteCallback(write_callback_);
   socket_.DidSendBuffers(std::move(send_result));
   EXPECT_EQ(2u, socket_.GetUnwrittenBuffers().size());
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(2u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -433,8 +427,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersPending) {
   EXPECT_CALL(socket_, InternalWatchFileDescriptor()).WillOnce(Return(true));
   socket_.DidSendBuffers(std::move(send_result));
   EXPECT_EQ(2u, socket_.GetUnwrittenBuffers().size());
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(2u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -454,8 +447,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersWatchError) {
       .WillOnce(InvokeWithoutArgs(WatcherSetInvalidHandle));
   socket_.DidSendBuffers(std::move(send_result));
   EXPECT_EQ(2u, socket_.GetUnwrittenBuffers().size());
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(3u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -478,8 +470,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersStopWatch) {
   socket_.DidSendBuffers(std::move(send_result));
   buffers_ = socket_.GetUnwrittenBuffers();
   EXPECT_EQ(2u, buffers_.size());
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(2u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -497,7 +488,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersStopWatch) {
   socket_.DidSendBuffers(std::move(send_result2));
 
   EXPECT_EQ(0u, socket_.GetUnwrittenBuffers().size());
-  client_log_.GetEntries(&client_entries);
+  client_entries = client_log_.GetEntries();
   EXPECT_EQ(4u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -523,8 +514,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersErrorStopWatch) {
   socket_.DidSendBuffers(std::move(send_result));
   buffers_ = socket_.GetUnwrittenBuffers();
   EXPECT_EQ(2u, buffers_.size());
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(2u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -542,7 +532,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersErrorStopWatch) {
   socket_.DidSendBuffers(std::move(send_result2));
 
   EXPECT_EQ(2u, socket_.GetUnwrittenBuffers().size());
-  client_log_.GetEntries(&client_entries);
+  client_entries = client_log_.GetEntries();
   EXPECT_EQ(2u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -561,8 +551,7 @@ TEST_F(UDPSocketPosixTest, DidSendBuffersDelayCallbackWhileTooManyBuffers) {
   ResetWriteCallback();
   socket_.SetWriteCallback(write_callback_);
   socket_.DidSendBuffers(std::move(send_result));
-  TestNetLogEntry::List client_entries;
-  client_log_.GetEntries(&client_entries);
+  auto client_entries = client_log_.GetEntries();
   EXPECT_EQ(3u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
diff --git a/chromium/net/socket/udp_socket_unittest.cc b/chromium/net/socket/udp_socket_unittest.cc
index b89b518b4bc..47ff0d115e8 100644
--- a/chromium/net/socket/udp_socket_unittest.cc
+++ b/chromium/net/socket/udp_socket_unittest.cc
@@ -25,7 +25,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/socket_test_util.h"
 #include "net/socket/udp_client_socket.h"
@@ -219,8 +218,7 @@ void UDPSocketTest::ConnectTest(bool use_nonblocking_io) {
   client.reset();
 
   // Check the server's log.
-  TestNetLogEntry::List server_entries;
-  server_log.GetEntries(&server_entries);
+  auto server_entries = server_log.GetEntries();
   ASSERT_EQ(6u, server_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(server_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -240,8 +238,7 @@ void UDPSocketTest::ConnectTest(bool use_nonblocking_io) {
       LogContainsEndEvent(server_entries, 5, NetLogEventType::SOCKET_ALIVE));
 
   // Check the client's log.
-  TestNetLogEntry::List client_entries;
-  client_log.GetEntries(&client_entries);
+  auto client_entries = client_log.GetEntries();
   EXPECT_EQ(7u, client_entries.size());
   EXPECT_TRUE(
       LogContainsBeginEvent(client_entries, 0, NetLogEventType::SOCKET_ALIVE));
@@ -651,8 +648,6 @@ TEST_F(UDPSocketTest, JoinMulticastGroup) {
   socket.Close();
 }
 
-#if !defined(OS_FUCHSIA)
-// TODO(https://crbug.com/900709): SO_REUSEPORT doesn't work on Fuchsia.
 #if defined(OS_IOS)
 // TODO(https://crbug.com/947115): failing on device on iOS 12.2.
 #define MAYBE_SharedMulticastAddress DISABLED_SharedMulticastAddress
@@ -711,7 +706,6 @@ TEST_F(UDPSocketTest, MAYBE_SharedMulticastAddress) {
   EXPECT_EQ(kMessage, RecvFromSocket(&socket2));
 #endif  // !defined(OS_CHROMEOS)
 }
-#endif  // !defined(OS_FUCHSIA)
 #endif  // !defined(OS_ANDROID)
 
 TEST_F(UDPSocketTest, MulticastOptions) {
diff --git a/chromium/net/socket/udp_socket_win.cc b/chromium/net/socket/udp_socket_win.cc
index 8bc2497da39..f9cfcc474e9 100644
--- a/chromium/net/socket/udp_socket_win.cc
+++ b/chromium/net/socket/udp_socket_win.cc
@@ -259,8 +259,7 @@ UDPSocketWin::UDPSocketWin(DatagramSocket::BindType bind_type,
       net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::UDP_SOCKET)),
       event_pending_(this) {
   EnsureWinsockInit();
-  net_log_.BeginEvent(NetLogEventType::SOCKET_ALIVE,
-                      source.ToEventParametersCallback());
+  net_log_.BeginEventReferencingSource(NetLogEventType::SOCKET_ALIVE, source);
 }
 
 UDPSocketWin::~UDPSocketWin() {
@@ -361,10 +360,10 @@ int UDPSocketWin::GetLocalAddress(IPEndPoint* address) const {
     if (!local_address->FromSockAddr(storage.addr, storage.addr_len))
       return ERR_ADDRESS_INVALID;
     local_address_ = std::move(local_address);
-    net_log_.AddEvent(NetLogEventType::UDP_LOCAL_ADDRESS,
-                      CreateNetLogUDPConnectCallback(
-                          local_address_.get(),
-                          NetworkChangeNotifier::kInvalidNetworkHandle));
+    net_log_.AddEvent(NetLogEventType::UDP_LOCAL_ADDRESS, [&] {
+      return CreateNetLogUDPConnectParams(
+          *local_address_, NetworkChangeNotifier::kInvalidNetworkHandle);
+    });
   }
 
   *address = *local_address_;
@@ -445,10 +444,10 @@ int UDPSocketWin::SendToOrWrite(IOBuffer* buf,
 
 int UDPSocketWin::Connect(const IPEndPoint& address) {
   DCHECK_NE(socket_, INVALID_SOCKET);
-  net_log_.BeginEvent(
-      NetLogEventType::UDP_CONNECT,
-      CreateNetLogUDPConnectCallback(
-          &address, NetworkChangeNotifier::kInvalidNetworkHandle));
+  net_log_.BeginEvent(NetLogEventType::UDP_CONNECT, [&] {
+    return CreateNetLogUDPConnectParams(
+        address, NetworkChangeNotifier::kInvalidNetworkHandle);
+  });
   int rv = SetMulticastOptions();
   if (rv != OK)
     return rv;
@@ -743,9 +742,8 @@ void UDPSocketWin::LogRead(int result,
   }
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(
-        NetLogEventType::UDP_BYTES_RECEIVED,
-        CreateNetLogUDPDataTranferCallback(result, bytes, address));
+    NetLogUDPDataTransfer(net_log_, NetLogEventType::UDP_BYTES_RECEIVED, result,
+                          bytes, address);
   }
 
   NetworkActivityMonitor::GetInstance()->IncrementBytesReceived(result);
@@ -760,9 +758,8 @@ void UDPSocketWin::LogWrite(int result,
   }
 
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(
-        NetLogEventType::UDP_BYTES_SENT,
-        CreateNetLogUDPDataTranferCallback(result, bytes, address));
+    NetLogUDPDataTransfer(net_log_, NetLogEventType::UDP_BYTES_SENT, result,
+                          bytes, address);
   }
 
   NetworkActivityMonitor::GetInstance()->IncrementBytesSent(result);
diff --git a/chromium/net/socket/websocket_endpoint_lock_manager.cc b/chromium/net/socket/websocket_endpoint_lock_manager.cc
index cdf90aa8132..9124b235aa5 100644
--- a/chromium/net/socket/websocket_endpoint_lock_manager.cc
+++ b/chromium/net/socket/websocket_endpoint_lock_manager.cc
@@ -47,8 +47,7 @@ WebSocketEndpointLockManager::LockReleaser::~LockReleaser() {
 
 WebSocketEndpointLockManager::WebSocketEndpointLockManager()
     : unlock_delay_(base::TimeDelta::FromMilliseconds(kUnlockDelayInMs)),
-      pending_unlock_count_(0),
-      weak_factory_(this) {}
+      pending_unlock_count_(0) {}
 
 WebSocketEndpointLockManager::~WebSocketEndpointLockManager() {
   DCHECK_EQ(lock_info_map_.size(), pending_unlock_count_);
diff --git a/chromium/net/socket/websocket_endpoint_lock_manager.h b/chromium/net/socket/websocket_endpoint_lock_manager.h
index 2d7cdf5ea8d..4e96c736a10 100644
--- a/chromium/net/socket/websocket_endpoint_lock_manager.h
+++ b/chromium/net/socket/websocket_endpoint_lock_manager.h
@@ -130,7 +130,7 @@ class NET_EXPORT_PRIVATE WebSocketEndpointLockManager {
   // Number of sockets currently pending unlock.
   size_t pending_unlock_count_;
 
-  base::WeakPtrFactory<WebSocketEndpointLockManager> weak_factory_;
+  base::WeakPtrFactory<WebSocketEndpointLockManager> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(WebSocketEndpointLockManager);
 };
diff --git a/chromium/net/socket/websocket_transport_client_socket_pool.cc b/chromium/net/socket/websocket_transport_client_socket_pool.cc
index 820288f6c66..aa0eba304bd 100644
--- a/chromium/net/socket/websocket_transport_client_socket_pool.cc
+++ b/chromium/net/socket/websocket_transport_client_socket_pool.cc
@@ -36,8 +36,7 @@ WebSocketTransportClientSocketPool::WebSocketTransportClientSocketPool(
       common_connect_job_params_(common_connect_job_params),
       max_sockets_(max_sockets),
       handed_out_socket_count_(0),
-      flushing_(false),
-      weak_factory_(this) {
+      flushing_(false) {
   DCHECK(common_connect_job_params_->websocket_endpoint_lock_manager);
 }
 
@@ -113,10 +112,9 @@ int WebSocketTransportClientSocketPool::RequestSocket(
   // Regardless of the outcome of |connect_job|, it will always be bound to
   // |handle|, since this pool uses early-binding. So the binding is logged
   // here, without waiting for the result.
-  request_net_log.AddEvent(NetLogEventType::SOCKET_POOL_BOUND_TO_CONNECT_JOB,
-                           connect_job_delegate->connect_job_net_log()
-                               .source()
-                               .ToEventParametersCallback());
+  request_net_log.AddEventReferencingSource(
+      NetLogEventType::SOCKET_POOL_BOUND_TO_CONNECT_JOB,
+      connect_job_delegate->connect_job_net_log().source());
 
   if (result == ERR_IO_PENDING) {
     // TODO(ricea): Implement backup job timer?
@@ -373,9 +371,9 @@ void WebSocketTransportClientSocketPool::HandOutSocket(
   handle->set_group_generation(0);
   handle->set_connect_timing(connect_timing);
 
-  net_log.AddEvent(
+  net_log.AddEventReferencingSource(
       NetLogEventType::SOCKET_POOL_BOUND_TO_SOCKET,
-      handle->socket()->NetLog().source().ToEventParametersCallback());
+      handle->socket()->NetLog().source());
 
   ++handed_out_socket_count_;
 }
diff --git a/chromium/net/socket/websocket_transport_client_socket_pool.h b/chromium/net/socket/websocket_transport_client_socket_pool.h
index f1d5f0d9497..904e71975d2 100644
--- a/chromium/net/socket/websocket_transport_client_socket_pool.h
+++ b/chromium/net/socket/websocket_transport_client_socket_pool.h
@@ -211,7 +211,7 @@ class NET_EXPORT_PRIVATE WebSocketTransportClientSocketPool
   int handed_out_socket_count_;
   bool flushing_;
 
-  base::WeakPtrFactory<WebSocketTransportClientSocketPool> weak_factory_;
+  base::WeakPtrFactory<WebSocketTransportClientSocketPool> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(WebSocketTransportClientSocketPool);
 };
diff --git a/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc b/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
index 944fcac5443..c404a2d35d9 100644
--- a/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
+++ b/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
@@ -80,8 +80,7 @@ class WebSocketTransportClientSocketPoolTest
             nullptr /* quic_stream_factory */,
             nullptr /* proxy_delegate */,
             nullptr /* http_user_agent_settings */,
-            SSLClientSocketContext(),
-            SSLClientSocketContext(),
+            nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
             nullptr /* netlog */,
diff --git a/chromium/net/socket/websocket_transport_connect_job.cc b/chromium/net/socket/websocket_transport_connect_job.cc
index 1b80ee69585..5510ec197e4 100644
--- a/chromium/net/socket/websocket_transport_connect_job.cc
+++ b/chromium/net/socket/websocket_transport_connect_job.cc
@@ -41,8 +41,7 @@ WebSocketTransportConnectJob::WebSocketTransportConnectJob(
       next_state_(STATE_NONE),
       race_result_(TransportConnectJob::RACE_UNKNOWN),
       had_ipv4_(false),
-      had_ipv6_(false),
-      weak_ptr_factory_(this) {
+      had_ipv6_(false) {
   DCHECK(common_connect_job_params->websocket_endpoint_lock_manager);
 }
 
diff --git a/chromium/net/socket/websocket_transport_connect_job.h b/chromium/net/socket/websocket_transport_connect_job.h
index 6ba51a0840c..cfd0ed38890 100644
--- a/chromium/net/socket/websocket_transport_connect_job.h
+++ b/chromium/net/socket/websocket_transport_connect_job.h
@@ -106,7 +106,7 @@ class NET_EXPORT_PRIVATE WebSocketTransportConnectJob : public ConnectJob {
   bool had_ipv4_;
   bool had_ipv6_;
 
-  base::WeakPtrFactory<WebSocketTransportConnectJob> weak_ptr_factory_;
+  base::WeakPtrFactory<WebSocketTransportConnectJob> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(WebSocketTransportConnectJob);
 };
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl.cc b/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
index 32d0999841e..f428a759d5a 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
@@ -45,8 +45,7 @@ BidirectionalStreamSpdyImpl::BidirectionalStreamSpdyImpl(
       closed_stream_status_(ERR_FAILED),
       closed_stream_received_bytes_(0),
       closed_stream_sent_bytes_(0),
-      closed_has_load_timing_info_(false),
-      weak_factory_(this) {}
+      closed_has_load_timing_info_(false) {}
 
 BidirectionalStreamSpdyImpl::~BidirectionalStreamSpdyImpl() {
   // Sends a RST to the remote if the stream is destroyed before it completes.
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl.h b/chromium/net/spdy/bidirectional_stream_spdy_impl.h
index 7266e66f0d4..954a678252a 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl.h
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl.h
@@ -130,7 +130,7 @@ class NET_EXPORT_PRIVATE BidirectionalStreamSpdyImpl
   // Keep a reference here so it is alive until OnDataSent is invoked.
   scoped_refptr<IOBuffer> pending_combined_buffer_;
 
-  base::WeakPtrFactory<BidirectionalStreamSpdyImpl> weak_factory_;
+  base::WeakPtrFactory<BidirectionalStreamSpdyImpl> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(BidirectionalStreamSpdyImpl);
 };
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc b/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
index 1a314666e47..5373ba3879d 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
@@ -432,7 +432,7 @@ TEST_F(BidirectionalStreamSpdyImplTest, SendDataAfterStreamFailed) {
   delegate->SendData(buf.get(), buf->size(), false);
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_THAT(delegate->error(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate->error(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
   EXPECT_EQ(0, delegate->on_data_read_count());
   EXPECT_EQ(0, delegate->on_data_sent_count());
   EXPECT_EQ(kProtoHTTP2, delegate->GetProtocol());
diff --git a/chromium/net/spdy/buffered_spdy_framer.h b/chromium/net/spdy/buffered_spdy_framer.h
index ca497b9f9fa..1d0851ae696 100644
--- a/chromium/net/spdy/buffered_spdy_framer.h
+++ b/chromium/net/spdy/buffered_spdy_framer.h
@@ -240,7 +240,7 @@ class NET_EXPORT_PRIVATE BufferedSpdyFramer
   http2::Http2DecoderAdapter deframer_;
   BufferedSpdyFramerVisitorInterface* visitor_;
 
-  int frames_received_;
+  int frames_received_ = 0;
 
   // Collection of fields from control frames that we need to
   // buffer up from the spdy framer.
@@ -248,16 +248,16 @@ class NET_EXPORT_PRIVATE BufferedSpdyFramer
     ControlFrameFields();
 
     spdy::SpdyFrameType type;
-    spdy::SpdyStreamId stream_id;
-    spdy::SpdyStreamId associated_stream_id;
-    spdy::SpdyStreamId promised_stream_id;
-    bool has_priority;
-    spdy::SpdyPriority priority;
-    int weight;
-    spdy::SpdyStreamId parent_stream_id;
-    bool exclusive;
-    bool fin;
-    bool unidirectional;
+    spdy::SpdyStreamId stream_id = 0U;
+    spdy::SpdyStreamId associated_stream_id = 0U;
+    spdy::SpdyStreamId promised_stream_id = 0U;
+    bool has_priority = false;
+    spdy::SpdyPriority priority = 0U;
+    int weight = 0;
+    spdy::SpdyStreamId parent_stream_id = 0U;
+    bool exclusive = false;
+    bool fin = false;
+    bool unidirectional = false;
     base::TimeTicks recv_first_byte_time;
   };
   std::unique_ptr<ControlFrameFields> control_frame_fields_;
diff --git a/chromium/net/spdy/header_coalescer.cc b/chromium/net/spdy/header_coalescer.cc
index 9a3bb1888c6..a77c1b8840d 100644
--- a/chromium/net/spdy/header_coalescer.cc
+++ b/chromium/net/spdy/header_coalescer.cc
@@ -8,31 +8,32 @@
 #include <string>
 #include <utility>
 
-#include "base/bind.h"
-#include "base/callback.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/trace_event/memory_usage_estimator.h"
 #include "base/values.h"
-#include "net/base/escape.h"
 #include "net/http/http_log_util.h"
 #include "net/http/http_util.h"
-#include "net/log/net_log.h"
+#include "net/log/net_log_values.h"
 
 namespace net {
 namespace {
 
-base::Value ElideNetLogHeaderCallback(base::StringPiece header_name,
-                                      base::StringPiece header_value,
-                                      base::StringPiece error_message,
-                                      NetLogCaptureMode capture_mode) {
-  base::DictionaryValue dict;
-  dict.SetKey("header_name", NetLogStringValue(header_name));
-  dict.SetKey("header_value", NetLogStringValue(ElideHeaderValueForNetLog(
-                                  capture_mode, header_name.as_string(),
-                                  header_value.as_string())));
-  dict.SetString("error", error_message);
-  return std::move(dict);
+void NetLogInvalidHeader(const NetLogWithSource& net_log,
+                         base::StringPiece header_name,
+                         base::StringPiece header_value,
+                         const char* error_message) {
+  net_log.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_INVALID_HEADER,
+                   [&](NetLogCaptureMode capture_mode) {
+                     base::DictionaryValue dict;
+                     dict.SetKey("header_name", NetLogStringValue(header_name));
+                     dict.SetKey("header_value",
+                                 NetLogStringValue(ElideHeaderValueForNetLog(
+                                     capture_mode, header_name.as_string(),
+                                     header_value.as_string())));
+                     dict.SetString("error", error_message);
+                     return dict;
+                   });
 }
 
 bool ContainsUppercaseAscii(base::StringPiece str) {
@@ -65,19 +66,15 @@ size_t HeaderCoalescer::EstimateMemoryUsage() const {
 bool HeaderCoalescer::AddHeader(base::StringPiece key,
                                 base::StringPiece value) {
   if (key.empty()) {
-    net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_INVALID_HEADER,
-                      base::Bind(&ElideNetLogHeaderCallback, key, value,
-                                 "Header name must not be empty."));
+    NetLogInvalidHeader(net_log_, key, value, "Header name must not be empty.");
     return false;
   }
 
   base::StringPiece key_name = key;
   if (key[0] == ':') {
     if (regular_header_seen_) {
-      net_log_.AddEvent(
-          NetLogEventType::HTTP2_SESSION_RECV_INVALID_HEADER,
-          base::Bind(&ElideNetLogHeaderCallback, key, value,
-                     "Pseudo header must not follow regular headers."));
+      NetLogInvalidHeader(net_log_, key, value,
+                          "Pseudo header must not follow regular headers.");
       return false;
     }
     key_name.remove_prefix(1);
@@ -86,25 +83,21 @@ bool HeaderCoalescer::AddHeader(base::StringPiece key,
   }
 
   if (!HttpUtil::IsValidHeaderName(key_name)) {
-    net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_INVALID_HEADER,
-                      base::Bind(&ElideNetLogHeaderCallback, key, value,
-                                 "Invalid character in header name."));
+    NetLogInvalidHeader(net_log_, key, value,
+                        "Invalid character in header name.");
     return false;
   }
 
   if (ContainsUppercaseAscii(key_name)) {
-    net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_INVALID_HEADER,
-                      base::Bind(&ElideNetLogHeaderCallback, key, value,
-                                 "Upper case characters in header name."));
+    NetLogInvalidHeader(net_log_, key, value,
+                        "Upper case characters in header name.");
     return false;
   }
 
   // 32 byte overhead according to RFC 7540 Section 6.5.2.
   header_list_size_ += key.size() + value.size() + 32;
   if (header_list_size_ > max_header_list_size_) {
-    net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_INVALID_HEADER,
-                      base::Bind(&ElideNetLogHeaderCallback, key, value,
-                                 "Header list too large."));
+    NetLogInvalidHeader(net_log_, key, value, "Header list too large.");
     return false;
   }
 
@@ -124,9 +117,7 @@ bool HeaderCoalescer::AddHeader(base::StringPiece key,
       std::string error_line;
       base::StringAppendF(&error_line,
                           "Invalid character 0x%02X in header value.", c);
-      net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_INVALID_HEADER,
-                        base::Bind(&ElideNetLogHeaderCallback, key, value,
-                                   error_line.c_str()));
+      NetLogInvalidHeader(net_log_, key, value, error_line.c_str());
       return false;
     }
   }
diff --git a/chromium/net/spdy/header_coalescer_test.cc b/chromium/net/spdy/header_coalescer_test.cc
index 72693b87740..b6aa1b5acf9 100644
--- a/chromium/net/spdy/header_coalescer_test.cc
+++ b/chromium/net/spdy/header_coalescer_test.cc
@@ -8,6 +8,7 @@
 #include <vector>
 
 #include "net/log/test_net_log.h"
+#include "net/log/test_net_log_util.h"
 #include "net/spdy/spdy_test_util_common.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -26,19 +27,18 @@ class HeaderCoalescerTest : public ::testing::Test {
   void ExpectEntry(base::StringPiece expected_header_name,
                    base::StringPiece expected_header_value,
                    base::StringPiece expected_error_message) {
-    TestNetLogEntry::List entry_list;
-    net_log_.GetEntries(&entry_list);
+    auto entry_list = net_log_.GetEntries();
     ASSERT_EQ(1u, entry_list.size());
     EXPECT_EQ(entry_list[0].type,
               NetLogEventType::HTTP2_SESSION_RECV_INVALID_HEADER);
     EXPECT_EQ(entry_list[0].source.id, net_log_.bound().source().id);
     std::string value;
-    EXPECT_TRUE(entry_list[0].GetStringValue("header_name", &value));
-    EXPECT_EQ(expected_header_name, value);
-    EXPECT_TRUE(entry_list[0].GetStringValue("header_value", &value));
-    EXPECT_EQ(expected_header_value, value);
-    EXPECT_TRUE(entry_list[0].GetStringValue("error", &value));
-    EXPECT_EQ(expected_error_message, value);
+    EXPECT_EQ(expected_header_name,
+              GetStringValueFromParams(entry_list[0], "header_name"));
+    EXPECT_EQ(expected_header_value,
+              GetStringValueFromParams(entry_list[0], "header_value"));
+    EXPECT_EQ(expected_error_message,
+              GetStringValueFromParams(entry_list[0], "error"));
   }
 
  protected:
diff --git a/chromium/net/spdy/platform/impl/spdy_containers_impl.h b/chromium/net/spdy/platform/impl/spdy_containers_impl.h
index 5792eb759a1..1a5381ae690 100644
--- a/chromium/net/spdy/platform/impl/spdy_containers_impl.h
+++ b/chromium/net/spdy/platform/impl/spdy_containers_impl.h
@@ -8,6 +8,7 @@
 #include <unordered_set>
 #include <vector>
 
+#include "base/containers/small_map.h"
 #include "base/strings/string_piece.h"
 #include "net/third_party/quiche/src/common/simple_linked_hash_map.h"
 
@@ -34,6 +35,12 @@ inline size_t SpdyHashStringPairImpl(SpdyStringPiece a, SpdyStringPiece b) {
   return base::StringPieceHash()(a) ^ base::StringPieceHash()(b);
 }
 
+// A map which is faster than (for example) hash_map for a certain number of
+// unique key-value-pair elements, and upgrades itself to unordered_map when
+// runs out of space.
+template <typename Key, typename Value, size_t Size>
+using SpdySmallMapImpl = base::small_map<std::unordered_map<Key, Value>, Size>;
+
 }  // namespace spdy
 
 #endif  // NET_SPDY_PLATFORM_IMPL_SPDY_CONTAINERS_IMPL_H_
diff --git a/chromium/net/spdy/platform/impl/spdy_test_impl.h b/chromium/net/spdy/platform/impl/spdy_test_impl.h
new file mode 100644
index 00000000000..3b31aba0f92
--- /dev/null
+++ b/chromium/net/spdy/platform/impl/spdy_test_impl.h
@@ -0,0 +1,12 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SPDY_PLATFORM_IMPL_SPDY_TEST_IMPL_H_
+#define NET_SPDY_PLATFORM_IMPL_SPDY_TEST_IMPL_H_
+
+#include "testing/gmock/include/gmock/gmock.h"      // IWYU pragma: export
+#include "testing/gtest/include/gtest/gtest-spi.h"  // IWYU pragma: export
+#include "testing/gtest/include/gtest/gtest.h"      // IWYU pragma: export
+
+#endif  // NET_SPDY_PLATFORM_IMPL_SPDY_TEST_IMPL_H_
diff --git a/chromium/net/spdy/spdy_http_stream.cc b/chromium/net/spdy/spdy_http_stream.cc
index 3a8865e2896..9b91a1e6f99 100644
--- a/chromium/net/spdy/spdy_http_stream.cc
+++ b/chromium/net/spdy/spdy_http_stream.cc
@@ -121,8 +121,7 @@ SpdyHttpStream::SpdyHttpStream(const base::WeakPtr<SpdySession>& spdy_session,
       request_body_buf_size_(0),
       buffered_read_callback_pending_(false),
       more_read_data_pending_(false),
-      was_alpn_negotiated_(false),
-      weak_factory_(this) {
+      was_alpn_negotiated_(false) {
   DCHECK(spdy_session_.get());
 }
 
@@ -348,7 +347,9 @@ int SpdyHttpStream::SendRequest(const HttpRequestHeaders& request_headers,
   CreateSpdyHeadersFromHttpRequest(*request_info_, request_headers, &headers);
   stream_->net_log().AddEvent(
       NetLogEventType::HTTP_TRANSACTION_HTTP2_SEND_REQUEST_HEADERS,
-      base::Bind(&SpdyHeaderBlockNetLogCallback, &headers));
+      [&](NetLogCaptureMode capture_mode) {
+        return SpdyHeaderBlockNetLogParams(&headers, capture_mode);
+      });
   DispatchRequestHeadersCallback(headers);
   result = stream_->SendRequestHeaders(
       std::move(headers),
@@ -399,7 +400,7 @@ void SpdyHttpStream::OnHeadersReceived(
                              response_headers, *response_info_)) {
     // Cancel will call OnClose, which might call callbacks and might destroy
     // |this|.
-    stream_->Cancel(ERR_SPDY_PUSHED_RESPONSE_DOES_NOT_MATCH);
+    stream_->Cancel(ERR_HTTP2_PUSHED_RESPONSE_DOES_NOT_MATCH);
 
     return;
   }
diff --git a/chromium/net/spdy/spdy_http_stream.h b/chromium/net/spdy/spdy_http_stream.h
index 643c4f374ce..a647849b2b0 100644
--- a/chromium/net/spdy/spdy_http_stream.h
+++ b/chromium/net/spdy/spdy_http_stream.h
@@ -233,7 +233,7 @@ class NET_EXPORT_PRIVATE SpdyHttpStream : public SpdyStream::Delegate,
   base::debug::StackTrace stack_trace_;
 #endif
 
-  base::WeakPtrFactory<SpdyHttpStream> weak_factory_;
+  base::WeakPtrFactory<SpdyHttpStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SpdyHttpStream);
 };
diff --git a/chromium/net/spdy/spdy_http_stream_unittest.cc b/chromium/net/spdy/spdy_http_stream_unittest.cc
index 6993bbbeb88..fd8484702d7 100644
--- a/chromium/net/spdy/spdy_http_stream_unittest.cc
+++ b/chromium/net/spdy/spdy_http_stream_unittest.cc
@@ -76,7 +76,7 @@ class ReadErrorUploadDataStream : public UploadDataStream {
   enum class FailureMode { SYNC, ASYNC };
 
   explicit ReadErrorUploadDataStream(FailureMode mode)
-      : UploadDataStream(true, 0), async_(mode), weak_factory_(this) {}
+      : UploadDataStream(true, 0), async_(mode) {}
 
  private:
   void CompleteRead() { UploadDataStream::OnReadCompleted(ERR_FAILED); }
@@ -98,7 +98,7 @@ class ReadErrorUploadDataStream : public UploadDataStream {
 
   const FailureMode async_;
 
-  base::WeakPtrFactory<ReadErrorUploadDataStream> weak_factory_;
+  base::WeakPtrFactory<ReadErrorUploadDataStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ReadErrorUploadDataStream);
 };
diff --git a/chromium/net/spdy/spdy_log_util.cc b/chromium/net/spdy/spdy_log_util.cc
index bb44301df67..fe85d2f016c 100644
--- a/chromium/net/spdy/spdy_log_util.cc
+++ b/chromium/net/spdy/spdy_log_util.cc
@@ -10,12 +10,13 @@
 #include "base/strings/string_number_conversions.h"
 #include "base/values.h"
 #include "net/http/http_log_util.h"
+#include "net/log/net_log_values.h"
 
 namespace net {
 
 base::Value ElideGoAwayDebugDataForNetLog(NetLogCaptureMode capture_mode,
                                           base::StringPiece debug_data) {
-  if (capture_mode.include_cookies_and_credentials())
+  if (NetLogCaptureIncludesSensitive(capture_mode))
     return NetLogStringValue(debug_data);
 
   return NetLogStringValue(base::StrCat(
@@ -37,8 +38,8 @@ base::ListValue ElideSpdyHeaderBlockForNetLog(
   return headers_list;
 }
 
-base::Value SpdyHeaderBlockNetLogCallback(const spdy::SpdyHeaderBlock* headers,
-                                          NetLogCaptureMode capture_mode) {
+base::Value SpdyHeaderBlockNetLogParams(const spdy::SpdyHeaderBlock* headers,
+                                        NetLogCaptureMode capture_mode) {
   base::DictionaryValue dict;
   dict.SetKey("headers", ElideSpdyHeaderBlockForNetLog(*headers, capture_mode));
   return std::move(dict);
diff --git a/chromium/net/spdy/spdy_log_util.h b/chromium/net/spdy/spdy_log_util.h
index df08152b292..4638caa9848 100644
--- a/chromium/net/spdy/spdy_log_util.h
+++ b/chromium/net/spdy/spdy_log_util.h
@@ -34,7 +34,7 @@ NET_EXPORT_PRIVATE base::ListValue ElideSpdyHeaderBlockForNetLog(
     NetLogCaptureMode capture_mode);
 
 // Converts a spdy::SpdyHeaderBlock into NetLog event parameters.
-NET_EXPORT_PRIVATE base::Value SpdyHeaderBlockNetLogCallback(
+NET_EXPORT_PRIVATE base::Value SpdyHeaderBlockNetLogParams(
     const spdy::SpdyHeaderBlock* headers,
     NetLogCaptureMode capture_mode);
 
diff --git a/chromium/net/spdy/spdy_log_util_unittest.cc b/chromium/net/spdy/spdy_log_util_unittest.cc
index 53f788a6f31..9d4594620f9 100644
--- a/chromium/net/spdy/spdy_log_util_unittest.cc
+++ b/chromium/net/spdy/spdy_log_util_unittest.cc
@@ -21,15 +21,13 @@ std::string ElideGoAwayDebugDataForNetLogAsString(
 TEST(SpdyLogUtilTest, ElideGoAwayDebugDataForNetLog) {
   // Only elide for appropriate log level.
   EXPECT_EQ("[6 bytes were stripped]",
-            ElideGoAwayDebugDataForNetLogAsString(NetLogCaptureMode::Default(),
+            ElideGoAwayDebugDataForNetLogAsString(NetLogCaptureMode::kDefault,
                                                   "foobar"));
-  EXPECT_EQ("foobar",
+  EXPECT_EQ("foobar", ElideGoAwayDebugDataForNetLogAsString(
+                          NetLogCaptureMode::kIncludeSensitive, "foobar"));
+  EXPECT_EQ("%ESCAPED:\xE2\x80\x8B %FE%FF",
             ElideGoAwayDebugDataForNetLogAsString(
-                NetLogCaptureMode::IncludeCookiesAndCredentials(), "foobar"));
-  EXPECT_EQ(
-      "%ESCAPED:\xE2\x80\x8B %FE%FF",
-      ElideGoAwayDebugDataForNetLogAsString(
-          NetLogCaptureMode::IncludeCookiesAndCredentials(), "\xfe\xff\x00"));
+                NetLogCaptureMode::kIncludeSensitive, "\xfe\xff\x00"));
 }
 
 TEST(SpdyLogUtilTest, ElideSpdyHeaderBlockForNetLog) {
@@ -38,7 +36,7 @@ TEST(SpdyLogUtilTest, ElideSpdyHeaderBlockForNetLog) {
   headers["cookie"] = "name=value";
 
   base::ListValue list =
-      ElideSpdyHeaderBlockForNetLog(headers, NetLogCaptureMode::Default());
+      ElideSpdyHeaderBlockForNetLog(headers, NetLogCaptureMode::kDefault);
 
   ASSERT_FALSE(list.is_none());
   ASSERT_EQ(2u, list.GetList().size());
@@ -49,8 +47,8 @@ TEST(SpdyLogUtilTest, ElideSpdyHeaderBlockForNetLog) {
   ASSERT_TRUE(list.GetList()[1].is_string());
   EXPECT_EQ("cookie: [10 bytes were stripped]", list.GetList()[1].GetString());
 
-  list = ElideSpdyHeaderBlockForNetLog(
-      headers, NetLogCaptureMode::IncludeCookiesAndCredentials());
+  list = ElideSpdyHeaderBlockForNetLog(headers,
+                                       NetLogCaptureMode::kIncludeSensitive);
 
   ASSERT_FALSE(list.is_none());
   ASSERT_EQ(2u, list.GetList().size());
@@ -62,13 +60,13 @@ TEST(SpdyLogUtilTest, ElideSpdyHeaderBlockForNetLog) {
   EXPECT_EQ("cookie: name=value", list.GetList()[1].GetString());
 }
 
-TEST(SpdyLogUtilTest, SpdyHeaderBlockNetLogCallback) {
+TEST(SpdyLogUtilTest, SpdyHeaderBlockNetLogParams) {
   spdy::SpdyHeaderBlock headers;
   headers["foo"] = "bar";
   headers["cookie"] = "name=value";
 
   std::unique_ptr<base::Value> dict = base::Value::ToUniquePtrValue(
-      SpdyHeaderBlockNetLogCallback(&headers, NetLogCaptureMode::Default()));
+      SpdyHeaderBlockNetLogParams(&headers, NetLogCaptureMode::kDefault));
 
   ASSERT_TRUE(dict);
   ASSERT_TRUE(dict->is_dict());
@@ -86,8 +84,8 @@ TEST(SpdyLogUtilTest, SpdyHeaderBlockNetLogCallback) {
   EXPECT_EQ("cookie: [10 bytes were stripped]",
             header_list->GetList()[1].GetString());
 
-  dict = base::Value::ToUniquePtrValue(SpdyHeaderBlockNetLogCallback(
-      &headers, NetLogCaptureMode::IncludeCookiesAndCredentials()));
+  dict = base::Value::ToUniquePtrValue(SpdyHeaderBlockNetLogParams(
+      &headers, NetLogCaptureMode::kIncludeSensitive));
 
   ASSERT_TRUE(dict);
   ASSERT_TRUE(dict->is_dict());
@@ -113,7 +111,7 @@ TEST(SpdyLogUtilTest, ElideSpdyHeaderBlockForNetLogWithNonUTF8Characters) {
   headers["\xde\xad"] = "\xbe\xef";
 
   base::ListValue list =
-      ElideSpdyHeaderBlockForNetLog(headers, NetLogCaptureMode::Default());
+      ElideSpdyHeaderBlockForNetLog(headers, NetLogCaptureMode::kDefault);
 
   ASSERT_EQ(3u, list.GetSize());
   std::string field;
diff --git a/chromium/net/spdy/spdy_network_transaction_unittest.cc b/chromium/net/spdy/spdy_network_transaction_unittest.cc
index 444861f9189..95678b2d9a9 100644
--- a/chromium/net/spdy/spdy_network_transaction_unittest.cc
+++ b/chromium/net/spdy/spdy_network_transaction_unittest.cc
@@ -41,7 +41,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/next_proto.h"
 #include "net/socket/socket_tag.h"
@@ -2117,7 +2116,7 @@ TEST_F(SpdyNetworkTransactionTest, ResponseWithoutHeaders) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 }
 
 // Test that the transaction doesn't crash when we get two replies on the same
@@ -2161,7 +2160,7 @@ TEST_F(SpdyNetworkTransactionTest, ResponseWithTwoSynReplies) {
   EXPECT_TRUE(response->was_fetched_via_spdy);
   std::string response_data;
   rv = ReadTransaction(trans, &response_data);
-  EXPECT_THAT(rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   helper.VerifyDataConsumed();
 }
@@ -2191,7 +2190,7 @@ TEST_F(SpdyNetworkTransactionTest, ResetReplyWithTransferEncoding) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   helper.session()->spdy_session_pool()->CloseAllSessions();
   helper.VerifyDataConsumed();
@@ -4540,7 +4539,7 @@ TEST_F(SpdyNetworkTransactionTest, InvalidResponseHeaders) {
                                        nullptr);
     helper.RunToCompletion(&data);
     TransactionHelperResult out = helper.output();
-    EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+    EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
   }
 }
 
@@ -4568,7 +4567,7 @@ TEST_F(SpdyNetworkTransactionTest, CorruptFrameSessionError) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_COMPRESSION_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_COMPRESSION_ERROR));
 }
 
 TEST_F(SpdyNetworkTransactionTest, GoAwayOnDecompressionFailure) {
@@ -4589,7 +4588,7 @@ TEST_F(SpdyNetworkTransactionTest, GoAwayOnDecompressionFailure) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_COMPRESSION_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_COMPRESSION_ERROR));
 }
 
 TEST_F(SpdyNetworkTransactionTest, GoAwayOnFrameSizeError) {
@@ -4610,7 +4609,7 @@ TEST_F(SpdyNetworkTransactionTest, GoAwayOnFrameSizeError) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_FRAME_SIZE_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_FRAME_SIZE_ERROR));
 }
 
 // Test that we shutdown correctly on write errors.
@@ -4702,8 +4701,7 @@ TEST_F(SpdyNetworkTransactionTest, NetLog) {
   // This test is intentionally non-specific about the exact ordering of the
   // log; instead we just check to make sure that certain events exist, and that
   // they are in the right order.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
 
   EXPECT_LT(0u, entries.size());
   int pos = 0;
@@ -4731,8 +4729,8 @@ TEST_F(SpdyNetworkTransactionTest, NetLog) {
                                    NetLogEventType::HTTP2_SESSION_SEND_HEADERS,
                                    NetLogEventPhase::NONE);
 
-  ASSERT_TRUE(entries[pos].params);
-  auto* header_list = entries[pos].params->FindKey("headers");
+  ASSERT_TRUE(entries[pos].HasParams());
+  auto* header_list = entries[pos].params.FindKey("headers");
   ASSERT_TRUE(header_list);
   ASSERT_TRUE(header_list->is_list());
   ASSERT_EQ(5u, header_list->GetList().size());
@@ -6106,11 +6104,11 @@ TEST_F(SpdyNetworkTransactionTest, ResponseHeadersTwice) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 }
 
 // Tests that receiving HEADERS, DATA, HEADERS, and DATA in that sequence will
-// trigger a ERR_SPDY_PROTOCOL_ERROR because trailing HEADERS must not be
+// trigger a ERR_HTTP2_PROTOCOL_ERROR because trailing HEADERS must not be
 // followed by any DATA frames.
 TEST_F(SpdyNetworkTransactionTest, SyncReplyDataAfterTrailers) {
   spdy::SpdySerializedFrame req(
@@ -6143,7 +6141,7 @@ TEST_F(SpdyNetworkTransactionTest, SyncReplyDataAfterTrailers) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 }
 
 struct PushUrlTestParams {
@@ -7040,7 +7038,7 @@ TEST_F(SpdyNetworkTransactionTest, WindowUpdateOverflow) {
 
   base::RunLoop().RunUntilIdle();
   ASSERT_TRUE(callback.have_result());
-  EXPECT_THAT(callback.WaitForResult(), IsError(ERR_SPDY_FLOW_CONTROL_ERROR));
+  EXPECT_THAT(callback.WaitForResult(), IsError(ERR_HTTP2_FLOW_CONTROL_ERROR));
   helper.VerifyDataConsumed();
 }
 
@@ -7074,7 +7072,7 @@ TEST_F(SpdyNetworkTransactionTest, InitialWindowSizeOverflow) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_FLOW_CONTROL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_FLOW_CONTROL_ERROR));
 }
 
 // Test that after hitting a send window size of 0, the write process
@@ -7585,7 +7583,7 @@ TEST_F(SpdyNetworkTransactionTest, GoAwayOnOddPushStreamId) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   histogram_tester.ExpectBucketCount(
       "Net.SpdyPushedStreamFate",
@@ -7624,7 +7622,7 @@ TEST_F(SpdyNetworkTransactionTest,
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   histogram_tester.ExpectBucketCount(
       "Net.SpdyPushedStreamFate",
@@ -7723,7 +7721,7 @@ TEST_F(SpdyNetworkTransactionTest, CRLFInHeaderValue) {
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
 
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 }
 
 // Regression test for https://crbug.com/603182.
@@ -7742,7 +7740,7 @@ TEST_F(SpdyNetworkTransactionTest, RstStreamNoError) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_, nullptr);
   helper.RunToCompletion(&data);
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_PROTOCOL_ERROR));
 }
 
 // Regression test for https://crbug.com/603182.
@@ -7801,7 +7799,7 @@ TEST_F(SpdyNetworkTransactionTest, 100Continue) {
 // has not been sent and received."  (RFC7540 Section 8.1)
 // Regression test for https://crbug.com/606990.  Server responds before POST
 // data are sent and closes connection: this must result in
-// ERR_CONNECTION_CLOSED (as opposed to ERR_SPDY_PROTOCOL_ERROR).
+// ERR_CONNECTION_CLOSED (as opposed to ERR_HTTP2_PROTOCOL_ERROR).
 TEST_F(SpdyNetworkTransactionTest, ResponseBeforePostDataSent) {
   spdy::SpdySerializedFrame req(
       spdy_util_.ConstructChunkedSpdyPost(nullptr, 0));
@@ -7910,7 +7908,7 @@ class SpdyNetworkTransactionTLSUsageCheckTest
                                        nullptr);
     helper.RunToCompletionWithSSLData(&data, std::move(ssl_provider));
     TransactionHelperResult out = helper.output();
-    EXPECT_THAT(out.rv, IsError(ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY));
+    EXPECT_THAT(out.rv, IsError(ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY));
   }
 };
 
@@ -7956,7 +7954,7 @@ TEST_F(SpdyNetworkTransactionTest, InsecureUrlCreatesSecureSpdySession) {
 
   helper.RunToCompletionWithSSLData(&data, std::move(ssl_provider));
   TransactionHelperResult out = helper.output();
-  EXPECT_THAT(out.rv, IsError(ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY));
+  EXPECT_THAT(out.rv, IsError(ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY));
 }
 
 TEST_F(SpdyNetworkTransactionTest, RequestHeadersCallback) {
diff --git a/chromium/net/spdy/spdy_proxy_client_socket.cc b/chromium/net/spdy/spdy_proxy_client_socket.cc
index 33303052173..4356d9605ad 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket.cc
+++ b/chromium/net/spdy/spdy_proxy_client_socket.cc
@@ -20,6 +20,7 @@
 #include "net/base/io_buffer.h"
 #include "net/http/http_auth_cache.h"
 #include "net/http/http_auth_handler_factory.h"
+#include "net/http/http_log_util.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/log/net_log_event_type.h"
@@ -46,16 +47,14 @@ SpdyProxyClientSocket::SpdyProxyClientSocket(
       was_ever_used_(false),
       net_log_(NetLogWithSource::Make(spdy_stream->net_log().net_log(),
                                       NetLogSourceType::PROXY_CLIENT_SOCKET)),
-      source_dependency_(source_net_log.source()),
-      weak_factory_(this),
-      write_callback_weak_factory_(this) {
+      source_dependency_(source_net_log.source()) {
   request_.method = "CONNECT";
   request_.url = GURL("https://" + endpoint.ToString());
-  net_log_.BeginEvent(NetLogEventType::SOCKET_ALIVE,
-                      source_net_log.source().ToEventParametersCallback());
-  net_log_.AddEvent(
+  net_log_.BeginEventReferencingSource(NetLogEventType::SOCKET_ALIVE,
+                                       source_net_log.source());
+  net_log_.AddEventReferencingSource(
       NetLogEventType::HTTP2_PROXY_CLIENT_SESSION,
-      spdy_stream->net_log().source().ToEventParametersCallback());
+      spdy_stream->net_log().source());
 
   spdy_stream_->SetDelegate(this);
   was_ever_used_ = spdy_stream_->WasEverUsed();
@@ -368,10 +367,9 @@ int SpdyProxyClientSocket::DoSendRequest() {
   BuildTunnelRequest(endpoint_, authorization_headers, user_agent_,
                      &request_line, &request_.extra_headers);
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
-      base::Bind(&HttpRequestHeaders::NetLogCallback,
-                 base::Unretained(&request_.extra_headers), &request_line));
+  NetLogRequestHeaders(net_log_,
+                       NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
+                       request_line, &request_.extra_headers);
 
   spdy::SpdyHeaderBlock headers;
   CreateSpdyHeadersFromHttpRequest(request_, request_.extra_headers, &headers);
@@ -400,9 +398,9 @@ int SpdyProxyClientSocket::DoReadReplyComplete(int result) {
   if (response_.headers->GetHttpVersion() < HttpVersion(1, 0))
     return ERR_TUNNEL_CONNECTION_FAILED;
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
-      base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers));
+  NetLogResponseHeaders(
+      net_log_, NetLogEventType::HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
+      response_.headers.get());
 
   switch (response_.headers->response_code()) {
     case 200:  // OK
diff --git a/chromium/net/spdy/spdy_proxy_client_socket.h b/chromium/net/spdy/spdy_proxy_client_socket.h
index 02a2ecf972b..eb47162cf2e 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket.h
+++ b/chromium/net/spdy/spdy_proxy_client_socket.h
@@ -173,11 +173,12 @@ class NET_EXPORT_PRIVATE SpdyProxyClientSocket : public ProxyClientSocket,
   const NetLogSource source_dependency_;
 
   // The default weak pointer factory.
-  base::WeakPtrFactory<SpdyProxyClientSocket> weak_factory_;
+  base::WeakPtrFactory<SpdyProxyClientSocket> weak_factory_{this};
 
   // Only used for posting write callbacks. Weak pointers created by this
   // factory are invalidated in Disconnect().
-  base::WeakPtrFactory<SpdyProxyClientSocket> write_callback_weak_factory_;
+  base::WeakPtrFactory<SpdyProxyClientSocket> write_callback_weak_factory_{
+      this};
 
   DISALLOW_COPY_AND_ASSIGN(SpdyProxyClientSocket);
 };
diff --git a/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc b/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
index 3570796a0dd..6e1652f15a3 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
+++ b/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
@@ -23,7 +23,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/connect_job_test_util.h"
@@ -98,7 +97,7 @@ base::WeakPtr<SpdySession> CreateSpdyProxySession(
   SSLConfig ssl_config;
   auto ssl_params = base::MakeRefCounted<SSLSocketParams>(
       transport_params, nullptr, nullptr, key.host_port_pair(), ssl_config,
-      key.privacy_mode());
+      key.privacy_mode(), key.network_isolation_key());
   TestConnectJobDelegate connect_job_delegate;
   SSLConnectJob connect_job(MEDIUM, SocketTag(), common_connect_job_params,
                             ssl_params, &connect_job_delegate,
@@ -179,12 +178,12 @@ class SpdyProxyClientSocketTest : public PlatformTest,
   // Whether to use net::Socket::ReadIfReady() instead of net::Socket::Read().
   bool use_read_if_ready() const { return GetParam(); }
 
+  BoundTestNetLog net_log_;
   SpdyTestUtil spdy_util_;
   std::unique_ptr<SpdyProxyClientSocket> sock_;
   TestCompletionCallback read_callback_;
   TestCompletionCallback write_callback_;
   std::unique_ptr<SequencedSocketData> data_;
-  BoundTestNetLog net_log_;
 
  private:
   scoped_refptr<IOBuffer> read_buf_;
@@ -1417,8 +1416,7 @@ TEST_P(SpdyProxyClientSocketTest, NetLog) {
   NetLogSource sock_source = sock_->NetLog().source();
   sock_.reset();
 
-  TestNetLogEntry::List entry_list;
-  net_log_.GetEntriesForSource(sock_source, &entry_list);
+  auto entry_list = net_log_.GetEntriesForSource(sock_source);
 
   ASSERT_EQ(entry_list.size(), 10u);
   EXPECT_TRUE(
diff --git a/chromium/net/spdy/spdy_session.cc b/chromium/net/spdy/spdy_session.cc
index 6e71a07e045..ba7797357e7 100644
--- a/chromium/net/spdy/spdy_session.cc
+++ b/chromium/net/spdy/spdy_session.cc
@@ -54,7 +54,7 @@
 #include "net/spdy/spdy_stream.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_frame_builder.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 #include "url/url_constants.h"
@@ -223,15 +223,15 @@ bool IsPushEnabled(const spdy::SettingsMap& initial_settings) {
   return it->second == 1;
 }
 
-base::Value NetLogSpdyHeadersSentCallback(const spdy::SpdyHeaderBlock* headers,
-                                          bool fin,
-                                          spdy::SpdyStreamId stream_id,
-                                          bool has_priority,
-                                          int weight,
-                                          spdy::SpdyStreamId parent_stream_id,
-                                          bool exclusive,
-                                          NetLogSource source_dependency,
-                                          NetLogCaptureMode capture_mode) {
+base::Value NetLogSpdyHeadersSentParams(const spdy::SpdyHeaderBlock* headers,
+                                        bool fin,
+                                        spdy::SpdyStreamId stream_id,
+                                        bool has_priority,
+                                        int weight,
+                                        spdy::SpdyStreamId parent_stream_id,
+                                        bool exclusive,
+                                        NetLogSource source_dependency,
+                                        NetLogCaptureMode capture_mode) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetKey("headers", ElideSpdyHeaderBlockForNetLog(*headers, capture_mode));
   dict.SetBoolKey("fin", fin);
@@ -248,7 +248,7 @@ base::Value NetLogSpdyHeadersSentCallback(const spdy::SpdyHeaderBlock* headers,
   return dict;
 }
 
-base::Value NetLogSpdyHeadersReceivedCallback(
+base::Value NetLogSpdyHeadersReceivedParams(
     const spdy::SpdyHeaderBlock* headers,
     bool fin,
     spdy::SpdyStreamId stream_id,
@@ -260,27 +260,22 @@ base::Value NetLogSpdyHeadersReceivedCallback(
   return dict;
 }
 
-base::Value NetLogSpdySessionCloseCallback(
-    int net_error,
-    const std::string* description,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdySessionCloseParams(int net_error,
+                                         const std::string& description) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("net_error", net_error);
-  dict.SetStringKey("description", *description);
+  dict.SetStringKey("description", description);
   return dict;
 }
 
-base::Value NetLogSpdySessionCallback(const HostPortProxyPair* host_pair,
-                                      NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdySessionParams(const HostPortProxyPair& host_pair) {
   base::Value dict(base::Value::Type::DICTIONARY);
-  dict.SetStringKey("host", host_pair->first.ToString());
-  dict.SetStringKey("proxy", host_pair->second.ToPacString());
+  dict.SetStringKey("host", host_pair.first.ToString());
+  dict.SetStringKey("proxy", host_pair.second.ToPacString());
   return dict;
 }
 
-base::Value NetLogSpdyInitializedCallback(
-    NetLogSource source,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdyInitializedParams(NetLogSource source) {
   base::Value dict(base::Value::Type::DICTIONARY);
   if (source.IsValid()) {
     source.AddToEventParameters(&dict);
@@ -289,9 +284,7 @@ base::Value NetLogSpdyInitializedCallback(
   return dict;
 }
 
-base::Value NetLogSpdySendSettingsCallback(
-    const spdy::SettingsMap* settings,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdySendSettingsParams(const spdy::SettingsMap* settings) {
   base::Value dict(base::Value::Type::DICTIONARY);
   base::ListValue settings_list;
   for (auto it = settings->begin(); it != settings->end(); ++it) {
@@ -305,10 +298,8 @@ base::Value NetLogSpdySendSettingsCallback(
   return dict;
 }
 
-base::Value NetLogSpdyRecvSettingCallback(
-    spdy::SpdySettingsId id,
-    uint32_t value,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdyRecvSettingParams(spdy::SpdySettingsId id,
+                                        uint32_t value) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetStringKey(
       "id",
@@ -317,30 +308,25 @@ base::Value NetLogSpdyRecvSettingCallback(
   return dict;
 }
 
-base::Value NetLogSpdyWindowUpdateFrameCallback(
-    spdy::SpdyStreamId stream_id,
-    uint32_t delta,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdyWindowUpdateFrameParams(spdy::SpdyStreamId stream_id,
+                                              uint32_t delta) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", static_cast<int>(stream_id));
   dict.SetIntKey("delta", delta);
   return dict;
 }
 
-base::Value NetLogSpdySessionWindowUpdateCallback(
-    int32_t delta,
-    int32_t window_size,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdySessionWindowUpdateParams(int32_t delta,
+                                                int32_t window_size) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("delta", delta);
   dict.SetIntKey("window_size", window_size);
   return dict;
 }
 
-base::Value NetLogSpdyDataCallback(spdy::SpdyStreamId stream_id,
-                                   int size,
-                                   bool fin,
-                                   NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdyDataParams(spdy::SpdyStreamId stream_id,
+                                 int size,
+                                 bool fin) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", static_cast<int>(stream_id));
   dict.SetIntKey("size", size);
@@ -348,10 +334,8 @@ base::Value NetLogSpdyDataCallback(spdy::SpdyStreamId stream_id,
   return dict;
 }
 
-base::Value NetLogSpdyRecvRstStreamCallback(
-    spdy::SpdyStreamId stream_id,
-    spdy::SpdyErrorCode error_code,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdyRecvRstStreamParams(spdy::SpdyStreamId stream_id,
+                                          spdy::SpdyErrorCode error_code) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", static_cast<int>(stream_id));
   dict.SetStringKey(
@@ -360,24 +344,21 @@ base::Value NetLogSpdyRecvRstStreamCallback(
   return dict;
 }
 
-base::Value NetLogSpdySendRstStreamCallback(
-    spdy::SpdyStreamId stream_id,
-    spdy::SpdyErrorCode error_code,
-    const std::string* description,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdySendRstStreamParams(spdy::SpdyStreamId stream_id,
+                                          spdy::SpdyErrorCode error_code,
+                                          const std::string& description) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", static_cast<int>(stream_id));
   dict.SetStringKey(
       "error_code",
       base::StringPrintf("%u (%s)", error_code, ErrorCodeToString(error_code)));
-  dict.SetStringKey("description", *description);
+  dict.SetStringKey("description", description);
   return dict;
 }
 
-base::Value NetLogSpdyPingCallback(spdy::SpdyPingId unique_id,
-                                   bool is_ack,
-                                   const char* type,
-                                   NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdyPingParams(spdy::SpdyPingId unique_id,
+                                 bool is_ack,
+                                 const char* type) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("unique_id", static_cast<int>(unique_id));
   dict.SetStringKey("type", type);
@@ -385,12 +366,12 @@ base::Value NetLogSpdyPingCallback(spdy::SpdyPingId unique_id,
   return dict;
 }
 
-base::Value NetLogSpdyRecvGoAwayCallback(spdy::SpdyStreamId last_stream_id,
-                                         int active_streams,
-                                         int unclaimed_streams,
-                                         spdy::SpdyErrorCode error_code,
-                                         base::StringPiece debug_data,
-                                         NetLogCaptureMode capture_mode) {
+base::Value NetLogSpdyRecvGoAwayParams(spdy::SpdyStreamId last_stream_id,
+                                       int active_streams,
+                                       int unclaimed_streams,
+                                       spdy::SpdyErrorCode error_code,
+                                       base::StringPiece debug_data,
+                                       NetLogCaptureMode capture_mode) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("last_accepted_stream_id", static_cast<int>(last_stream_id));
   dict.SetIntKey("active_streams", active_streams);
@@ -403,7 +384,7 @@ base::Value NetLogSpdyRecvGoAwayCallback(spdy::SpdyStreamId last_stream_id,
   return dict;
 }
 
-base::Value NetLogSpdyPushPromiseReceivedCallback(
+base::Value NetLogSpdyPushPromiseReceivedParams(
     const spdy::SpdyHeaderBlock* headers,
     spdy::SpdyStreamId stream_id,
     spdy::SpdyStreamId promised_stream_id,
@@ -415,22 +396,19 @@ base::Value NetLogSpdyPushPromiseReceivedCallback(
   return dict;
 }
 
-base::Value NetLogSpdyAdoptedPushStreamCallback(
-    spdy::SpdyStreamId stream_id,
-    const GURL* url,
-    NetLogCaptureMode capture_mode) {
+base::Value NetLogSpdyAdoptedPushStreamParams(spdy::SpdyStreamId stream_id,
+                                              const GURL& url) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", stream_id);
-  dict.SetStringKey("url", url->spec());
+  dict.SetStringKey("url", url.spec());
   return dict;
 }
 
-base::Value NetLogSpdySessionStalledCallback(size_t num_active_streams,
-                                             size_t num_created_streams,
-                                             size_t num_pushed_streams,
-                                             size_t max_concurrent_streams,
-                                             const std::string& url,
-                                             NetLogCaptureMode capture_mode) {
+base::Value NetLogSpdySessionStalledParams(size_t num_active_streams,
+                                           size_t num_created_streams,
+                                           size_t num_pushed_streams,
+                                           size_t max_concurrent_streams,
+                                           const std::string& url) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("num_active_streams", num_active_streams);
   dict.SetIntKey("num_created_streams", num_created_streams);
@@ -440,11 +418,10 @@ base::Value NetLogSpdySessionStalledCallback(size_t num_active_streams,
   return dict;
 }
 
-base::Value NetLogSpdyPriorityCallback(spdy::SpdyStreamId stream_id,
-                                       spdy::SpdyStreamId parent_stream_id,
-                                       int weight,
-                                       bool exclusive,
-                                       NetLogCaptureMode capture_mode) {
+base::Value NetLogSpdyPriorityParams(spdy::SpdyStreamId stream_id,
+                                     spdy::SpdyStreamId parent_stream_id,
+                                     int weight,
+                                     bool exclusive) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", stream_id);
   dict.SetIntKey("parent_stream_id", parent_stream_id);
@@ -553,42 +530,42 @@ Error MapFramerErrorToNetError(
     case http2::Http2DecoderAdapter::SPDY_NO_ERROR:
       return OK;
     case http2::Http2DecoderAdapter::SPDY_INVALID_CONTROL_FRAME:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_CONTROL_PAYLOAD_TOO_LARGE:
-      return ERR_SPDY_FRAME_SIZE_ERROR;
+      return ERR_HTTP2_FRAME_SIZE_ERROR;
     case http2::Http2DecoderAdapter::SPDY_ZLIB_INIT_FAILURE:
-      return ERR_SPDY_COMPRESSION_ERROR;
+      return ERR_HTTP2_COMPRESSION_ERROR;
     case http2::Http2DecoderAdapter::SPDY_UNSUPPORTED_VERSION:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_DECOMPRESS_FAILURE:
-      return ERR_SPDY_COMPRESSION_ERROR;
+      return ERR_HTTP2_COMPRESSION_ERROR;
     case http2::Http2DecoderAdapter::SPDY_COMPRESS_FAILURE:
-      return ERR_SPDY_COMPRESSION_ERROR;
+      return ERR_HTTP2_COMPRESSION_ERROR;
     case http2::Http2DecoderAdapter::SPDY_GOAWAY_FRAME_CORRUPT:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_RST_STREAM_FRAME_CORRUPT:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_INVALID_PADDING:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_INVALID_DATA_FRAME_FLAGS:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_INVALID_CONTROL_FRAME_FLAGS:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_UNEXPECTED_FRAME:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_INTERNAL_FRAMER_ERROR:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_INVALID_CONTROL_FRAME_SIZE:
-      return ERR_SPDY_FRAME_SIZE_ERROR;
+      return ERR_HTTP2_FRAME_SIZE_ERROR;
     case http2::Http2DecoderAdapter::SPDY_INVALID_STREAM_ID:
-      return ERR_SPDY_PROTOCOL_ERROR;
+      return ERR_HTTP2_PROTOCOL_ERROR;
     case http2::Http2DecoderAdapter::SPDY_OVERSIZED_PAYLOAD:
-      return ERR_SPDY_FRAME_SIZE_ERROR;
+      return ERR_HTTP2_FRAME_SIZE_ERROR;
     case http2::Http2DecoderAdapter::LAST_ERROR:
       NOTREACHED();
   }
   NOTREACHED();
-  return ERR_SPDY_PROTOCOL_ERROR;
+  return ERR_HTTP2_PROTOCOL_ERROR;
 }
 
 SpdyProtocolErrorDetails MapRstStreamStatusToProtocolError(
@@ -631,22 +608,22 @@ spdy::SpdyErrorCode MapNetErrorToGoAwayStatus(Error err) {
   switch (err) {
     case OK:
       return spdy::ERROR_CODE_NO_ERROR;
-    case ERR_SPDY_PROTOCOL_ERROR:
+    case ERR_HTTP2_PROTOCOL_ERROR:
       return spdy::ERROR_CODE_PROTOCOL_ERROR;
-    case ERR_SPDY_FLOW_CONTROL_ERROR:
+    case ERR_HTTP2_FLOW_CONTROL_ERROR:
       return spdy::ERROR_CODE_FLOW_CONTROL_ERROR;
-    case ERR_SPDY_FRAME_SIZE_ERROR:
+    case ERR_HTTP2_FRAME_SIZE_ERROR:
       return spdy::ERROR_CODE_FRAME_SIZE_ERROR;
-    case ERR_SPDY_COMPRESSION_ERROR:
+    case ERR_HTTP2_COMPRESSION_ERROR:
       return spdy::ERROR_CODE_COMPRESSION_ERROR;
-    case ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY:
+    case ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY:
       return spdy::ERROR_CODE_INADEQUATE_SECURITY;
     default:
       return spdy::ERROR_CODE_PROTOCOL_ERROR;
   }
 }
 
-SpdyStreamRequest::SpdyStreamRequest() : weak_ptr_factory_(this) {
+SpdyStreamRequest::SpdyStreamRequest() {
   Reset();
 }
 
@@ -953,18 +930,15 @@ SpdySession::SpdySession(
           base::TimeDelta::FromSeconds(kDefaultConnectionAtRiskOfLossSeconds)),
       hung_interval_(base::TimeDelta::FromSeconds(kHungIntervalSeconds)),
       time_func_(time_func),
-      network_quality_estimator_(network_quality_estimator),
-      weak_factory_(this) {
-  net_log_.BeginEvent(
-      NetLogEventType::HTTP2_SESSION,
-      base::Bind(&NetLogSpdySessionCallback, &host_port_proxy_pair()));
+      network_quality_estimator_(network_quality_estimator) {
+  net_log_.BeginEvent(NetLogEventType::HTTP2_SESSION, [&] {
+    return NetLogSpdySessionParams(host_port_proxy_pair());
+  });
 
+  DCHECK(base::Contains(initial_settings_, spdy::SETTINGS_HEADER_TABLE_SIZE));
   DCHECK(
-      base::ContainsKey(initial_settings_, spdy::SETTINGS_HEADER_TABLE_SIZE));
-  DCHECK(base::ContainsKey(initial_settings_,
-                           spdy::SETTINGS_MAX_CONCURRENT_STREAMS));
-  DCHECK(
-      base::ContainsKey(initial_settings_, spdy::SETTINGS_INITIAL_WINDOW_SIZE));
+      base::Contains(initial_settings_, spdy::SETTINGS_MAX_CONCURRENT_STREAMS));
+  DCHECK(base::Contains(initial_settings_, spdy::SETTINGS_INITIAL_WINDOW_SIZE));
 
   if (greased_http2_frame_) {
     // See https://tools.ietf.org/html/draft-bishop-httpbis-grease-00
@@ -1010,12 +984,12 @@ int SpdySession::GetPushedStream(const GURL& url,
   if (active_it == active_streams_.end()) {
     // A previously claimed pushed stream might not be available, for example,
     // if the server has reset it in the meanwhile.
-    return ERR_SPDY_PUSHED_STREAM_NOT_AVAILABLE;
+    return ERR_HTTP2_PUSHED_STREAM_NOT_AVAILABLE;
   }
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP2_STREAM_ADOPTED_PUSH_STREAM,
-      base::Bind(&NetLogSpdyAdoptedPushStreamCallback, pushed_stream_id, &url));
+  net_log_.AddEvent(NetLogEventType::HTTP2_STREAM_ADOPTED_PUSH_STREAM, [&] {
+    return NetLogSpdyAdoptedPushStreamParams(pushed_stream_id, url);
+  });
 
   *stream = active_it->second;
 
@@ -1138,12 +1112,13 @@ std::unique_ptr<spdy::SpdySerializedFrame> SpdySession::CreateHeaders(
       stream_id, spdy_priority, &parent_stream_id, &weight, &exclusive);
 
   if (net_log().IsCapturing()) {
-    net_log().AddEvent(
-        NetLogEventType::HTTP2_SESSION_SEND_HEADERS,
-        base::Bind(&NetLogSpdyHeadersSentCallback, &block,
-                   (flags & spdy::CONTROL_FLAG_FIN) != 0, stream_id,
-                   has_priority, weight, parent_stream_id, exclusive,
-                   source_dependency));
+    net_log().AddEvent(NetLogEventType::HTTP2_SESSION_SEND_HEADERS,
+                       [&](NetLogCaptureMode capture_mode) {
+                         return NetLogSpdyHeadersSentParams(
+                             &block, (flags & spdy::CONTROL_FLAG_FIN) != 0,
+                             stream_id, has_priority, weight, parent_stream_id,
+                             exclusive, source_dependency, capture_mode);
+                       });
   }
 
   spdy::SpdyHeadersIR headers(stream_id, std::move(block));
@@ -1212,9 +1187,9 @@ std::unique_ptr<SpdyBuffer> SpdySession::CreateDataBuffer(
     // Even though we're currently stalled only by the stream, we
     // might end up being stalled by the session also.
     QueueSendStalledStream(*stream);
-    net_log().AddEvent(
+    net_log().AddEventWithIntParams(
         NetLogEventType::HTTP2_SESSION_STREAM_STALLED_BY_STREAM_SEND_WINDOW,
-        NetLog::IntCallback("stream_id", stream_id));
+        "stream_id", stream_id);
     return std::unique_ptr<SpdyBuffer>();
   }
 
@@ -1224,9 +1199,9 @@ std::unique_ptr<SpdyBuffer> SpdySession::CreateDataBuffer(
   if (send_stalled_by_session) {
     stream->set_send_stalled_by_flow_control(true);
     QueueSendStalledStream(*stream);
-    net_log().AddEvent(
+    net_log().AddEventWithIntParams(
         NetLogEventType::HTTP2_SESSION_STREAM_STALLED_BY_SESSION_SEND_WINDOW,
-        NetLog::IntCallback("stream_id", stream_id));
+        "stream_id", stream_id);
     return std::unique_ptr<SpdyBuffer>();
   }
 
@@ -1240,10 +1215,10 @@ std::unique_ptr<SpdyBuffer> SpdySession::CreateDataBuffer(
     flags = static_cast<spdy::SpdyDataFlags>(flags & ~spdy::DATA_FLAG_FIN);
 
   if (net_log().IsCapturing()) {
-    net_log().AddEvent(
-        NetLogEventType::HTTP2_SESSION_SEND_DATA,
-        base::Bind(&NetLogSpdyDataCallback, stream_id, effective_len,
-                   (flags & spdy::DATA_FLAG_FIN) != 0));
+    net_log().AddEvent(NetLogEventType::HTTP2_SESSION_SEND_DATA, [&] {
+      return NetLogSpdyDataParams(stream_id, effective_len,
+                                  (flags & spdy::DATA_FLAG_FIN) != 0);
+    });
   }
 
   // Send PrefacePing for DATA_FRAMEs with nonzero payload size.
@@ -1335,7 +1310,7 @@ void SpdySession::ResetStream(spdy::SpdyStreamId stream_id,
 }
 
 bool SpdySession::IsStreamActive(spdy::SpdyStreamId stream_id) const {
-  return base::ContainsKey(active_streams_, stream_id);
+  return base::Contains(active_streams_, stream_id);
 }
 
 LoadState SpdySession::GetLoadState() const {
@@ -1676,9 +1651,9 @@ void SpdySession::InitializeInternal(SpdySessionPool* pool) {
   buffered_spdy_framer_->set_debug_visitor(this);
   buffered_spdy_framer_->UpdateHeaderDecoderTableSize(max_header_table_size_);
 
-  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_INITIALIZED,
-                    base::BindRepeating(&NetLogSpdyInitializedCallback,
-                                        socket_->NetLog().source()));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_INITIALIZED, [&] {
+    return NetLogSpdyInitializedParams(socket_->NetLog().source());
+  });
 
   DCHECK_EQ(availability_state_, STATE_AVAILABLE);
   if (enable_sending_initial_data_)
@@ -1716,11 +1691,11 @@ int SpdySession::TryCreateStream(
   }
 
   if (net_log().IsCapturing()) {
-    net_log().AddEvent(
-        NetLogEventType::HTTP2_SESSION_STALLED_MAX_STREAMS,
-        base::Bind(&NetLogSpdySessionStalledCallback, active_streams_.size(),
-                   created_streams_.size(), num_pushed_streams_,
-                   max_concurrent_streams_, request->url().spec()));
+    net_log().AddEvent(NetLogEventType::HTTP2_SESSION_STALLED_MAX_STREAMS, [&] {
+      return NetLogSpdySessionStalledParams(
+          active_streams_.size(), created_streams_.size(), num_pushed_streams_,
+          max_concurrent_streams_, request->url().spec());
+    });
   }
   RequestPriority priority = request->priority();
   CHECK_GE(priority, MINIMUM_PRIORITY);
@@ -1864,7 +1839,7 @@ void SpdySession::TryCreatePushStream(spdy::SpdyStreamId stream_id,
     LOG(WARNING) << description;
     RecordSpdyPushedStreamFateHistogram(
         SpdyPushedStreamFate::kPromisedStreamIdParityError);
-    CloseSessionOnError(ERR_SPDY_PROTOCOL_ERROR, description);
+    CloseSessionOnError(ERR_HTTP2_PROTOCOL_ERROR, description);
     return;
   }
 
@@ -1875,7 +1850,7 @@ void SpdySession::TryCreatePushStream(spdy::SpdyStreamId stream_id,
     LOG(WARNING) << description;
     RecordSpdyPushedStreamFateHistogram(
         SpdyPushedStreamFate::kAssociatedStreamIdParityError);
-    CloseSessionOnError(ERR_SPDY_PROTOCOL_ERROR, description);
+    CloseSessionOnError(ERR_HTTP2_PROTOCOL_ERROR, description);
     return;
   }
 
@@ -1886,7 +1861,7 @@ void SpdySession::TryCreatePushStream(spdy::SpdyStreamId stream_id,
     LOG(WARNING) << description;
     RecordSpdyPushedStreamFateHistogram(
         SpdyPushedStreamFate::kStreamIdOutOfOrder);
-    CloseSessionOnError(ERR_SPDY_PROTOCOL_ERROR, description);
+    CloseSessionOnError(ERR_HTTP2_PROTOCOL_ERROR, description);
     return;
   }
 
@@ -1907,7 +1882,7 @@ void SpdySession::TryCreatePushStream(spdy::SpdyStreamId stream_id,
   streams_pushed_count_++;
 
   // Verify that the response had a URL for us.
-  GURL gurl(quic::SpdyUtils::GetPromisedUrlFromHeaders(headers));
+  GURL gurl(quic::SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers));
   if (!gurl.is_valid()) {
     RecordSpdyPushedStreamFateHistogram(SpdyPushedStreamFate::kInvalidUrl);
     EnqueueResetStreamFrame(stream_id, request_priority,
@@ -2112,14 +2087,14 @@ void SpdySession::ResetStreamIterator(ActiveStreamMap::iterator it,
   if (error == ERR_FAILED) {
     error_code = spdy::ERROR_CODE_INTERNAL_ERROR;
   } else if (error == ERR_ABORTED ||
-             error == ERR_SPDY_PUSHED_RESPONSE_DOES_NOT_MATCH) {
+             error == ERR_HTTP2_PUSHED_RESPONSE_DOES_NOT_MATCH) {
     error_code = spdy::ERROR_CODE_CANCEL;
-  } else if (error == ERR_SPDY_FLOW_CONTROL_ERROR) {
+  } else if (error == ERR_HTTP2_FLOW_CONTROL_ERROR) {
     error_code = spdy::ERROR_CODE_FLOW_CONTROL_ERROR;
   } else if (error == ERR_TIMED_OUT ||
-             error == ERR_SPDY_CLIENT_REFUSED_STREAM) {
+             error == ERR_HTTP2_CLIENT_REFUSED_STREAM) {
     error_code = spdy::ERROR_CODE_REFUSED_STREAM;
-  } else if (error == ERR_SPDY_STREAM_CLOSED) {
+  } else if (error == ERR_HTTP2_STREAM_CLOSED) {
     error_code = spdy::ERROR_CODE_STREAM_CLOSED;
   }
   spdy::SpdyStreamId stream_id = it->first;
@@ -2137,9 +2112,9 @@ void SpdySession::EnqueueResetStreamFrame(spdy::SpdyStreamId stream_id,
                                           const std::string& description) {
   DCHECK_NE(stream_id, 0u);
 
-  net_log().AddEvent(NetLogEventType::HTTP2_SESSION_SEND_RST_STREAM,
-                     base::Bind(&NetLogSpdySendRstStreamCallback, stream_id,
-                                error_code, &description));
+  net_log().AddEvent(NetLogEventType::HTTP2_SESSION_SEND_RST_STREAM, [&] {
+    return NetLogSpdySendRstStreamParams(stream_id, error_code, description);
+  });
 
   DCHECK(buffered_spdy_framer_.get());
   std::unique_ptr<spdy::SpdySerializedFrame> rst_frame(
@@ -2154,9 +2129,10 @@ void SpdySession::EnqueuePriorityFrame(spdy::SpdyStreamId stream_id,
                                        spdy::SpdyStreamId dependency_id,
                                        int weight,
                                        bool exclusive) {
-  net_log().AddEvent(NetLogEventType::HTTP2_STREAM_SEND_PRIORITY,
-                     base::Bind(&NetLogSpdyPriorityCallback, stream_id,
-                                dependency_id, weight, exclusive));
+  net_log().AddEvent(NetLogEventType::HTTP2_STREAM_SEND_PRIORITY, [&] {
+    return NetLogSpdyPriorityParams(stream_id, dependency_id, weight,
+                                    exclusive);
+  });
 
   DCHECK(buffered_spdy_framer_.get());
   std::unique_ptr<spdy::SpdySerializedFrame> frame(
@@ -2495,8 +2471,9 @@ void SpdySession::SendInitialData() {
       settings_map.insert(setting);
     }
   }
-  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_SEND_SETTINGS,
-                    base::Bind(&NetLogSpdySendSettingsCallback, &settings_map));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_SEND_SETTINGS, [&] {
+    return NetLogSpdySendSettingsParams(&settings_map);
+  });
   std::unique_ptr<spdy::SpdySerializedFrame> settings_frame(
       buffered_spdy_framer_->CreateSettings(settings_map));
 
@@ -2513,15 +2490,17 @@ void SpdySession::SendInitialData() {
     const int32_t delta_window_size =
         session_max_recv_window_size_ - session_recv_window_size_;
     session_recv_window_size_ += delta_window_size;
-    net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_RECV_WINDOW,
-                      base::Bind(&NetLogSpdySessionWindowUpdateCallback,
-                                 delta_window_size, session_recv_window_size_));
+    net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_RECV_WINDOW, [&] {
+      return NetLogSpdySessionWindowUpdateParams(delta_window_size,
+                                                 session_recv_window_size_);
+    });
 
     session_unacked_recv_window_bytes_ += delta_window_size;
-    net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_SEND_WINDOW_UPDATE,
-                      base::Bind(&NetLogSpdyWindowUpdateFrameCallback,
-                                 spdy::kSessionFlowControlStreamId,
-                                 session_unacked_recv_window_bytes_));
+    net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_SEND_WINDOW_UPDATE, [&] {
+      return NetLogSpdyWindowUpdateFrameParams(
+          spdy::kSessionFlowControlStreamId,
+          session_unacked_recv_window_bytes_);
+    });
     window_update_frame = buffered_spdy_framer_->CreateWindowUpdate(
         spdy::kSessionFlowControlStreamId, session_unacked_recv_window_bytes_);
     session_unacked_recv_window_bytes_ = 0;
@@ -2566,9 +2545,9 @@ void SpdySession::HandleSetting(uint32_t id, uint32_t value) {
       break;
     case spdy::SETTINGS_INITIAL_WINDOW_SIZE: {
       if (value > static_cast<uint32_t>(std::numeric_limits<int32_t>::max())) {
-        net_log().AddEvent(
+        net_log().AddEventWithIntParams(
             NetLogEventType::HTTP2_SESSION_INITIAL_WINDOW_SIZE_OUT_OF_RANGE,
-            NetLog::IntCallback("initial_window_size", value));
+            "initial_window_size", value);
         return;
       }
 
@@ -2578,15 +2557,15 @@ void SpdySession::HandleSetting(uint32_t id, uint32_t value) {
           static_cast<int32_t>(value) - stream_initial_send_window_size_;
       stream_initial_send_window_size_ = static_cast<int32_t>(value);
       UpdateStreamsSendWindowSize(delta_window_size);
-      net_log().AddEvent(
+      net_log().AddEventWithIntParams(
           NetLogEventType::HTTP2_SESSION_UPDATE_STREAMS_SEND_WINDOW_SIZE,
-          NetLog::IntCallback("delta_window_size", delta_window_size));
+          "delta_window_size", delta_window_size);
       break;
     }
     case spdy::SETTINGS_ENABLE_CONNECT_PROTOCOL:
       if ((value != 0 && value != 1) || (support_websocket_ && value == 0)) {
         DoDrainSession(
-            ERR_SPDY_PROTOCOL_ERROR,
+            ERR_HTTP2_PROTOCOL_ERROR,
             "Invalid value for spdy::SETTINGS_ENABLE_CONNECT_PROTOCOL.");
         return;
       }
@@ -2601,7 +2580,7 @@ void SpdySession::UpdateStreamsSendWindowSize(int32_t delta_window_size) {
   for (const auto& value : active_streams_) {
     if (!value.second->AdjustSendWindowSize(delta_window_size)) {
       DoDrainSession(
-          ERR_SPDY_FLOW_CONTROL_ERROR,
+          ERR_HTTP2_FLOW_CONTROL_ERROR,
           base::StringPrintf(
               "New spdy::SETTINGS_INITIAL_WINDOW_SIZE value overflows "
               "flow control window of stream %d.",
@@ -2613,7 +2592,7 @@ void SpdySession::UpdateStreamsSendWindowSize(int32_t delta_window_size) {
   for (auto* const stream : created_streams_) {
     if (!stream->AdjustSendWindowSize(delta_window_size)) {
       DoDrainSession(
-          ERR_SPDY_FLOW_CONTROL_ERROR,
+          ERR_HTTP2_FLOW_CONTROL_ERROR,
           base::StringPrintf(
               "New spdy::SETTINGS_INITIAL_WINDOW_SIZE value overflows "
               "flow control window of stream %d.",
@@ -2645,9 +2624,9 @@ void SpdySession::SendWindowUpdateFrame(spdy::SpdyStreamId stream_id,
     CHECK_EQ(stream_id, spdy::kSessionFlowControlStreamId);
   }
 
-  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_SEND_WINDOW_UPDATE,
-                    base::Bind(&NetLogSpdyWindowUpdateFrameCallback, stream_id,
-                               delta_window_size));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_SEND_WINDOW_UPDATE, [&] {
+    return NetLogSpdyWindowUpdateFrameParams(stream_id, delta_window_size);
+  });
 
   DCHECK(buffered_spdy_framer_.get());
   std::unique_ptr<spdy::SpdySerializedFrame> window_update_frame(
@@ -2664,9 +2643,9 @@ void SpdySession::WritePingFrame(spdy::SpdyPingId unique_id, bool is_ack) {
                       std::move(ping_frame));
 
   if (net_log().IsCapturing()) {
-    net_log().AddEvent(
-        NetLogEventType::HTTP2_SESSION_PING,
-        base::Bind(&NetLogSpdyPingCallback, unique_id, is_ack, "sent"));
+    net_log().AddEvent(NetLogEventType::HTTP2_SESSION_PING, [&] {
+      return NetLogSpdyPingParams(unique_id, is_ack, "sent");
+    });
   }
   if (!is_ack) {
     DCHECK(!ping_in_flight_);
@@ -2704,7 +2683,7 @@ void SpdySession::CheckPingStatus(base::TimeTicks last_check_time) {
   if (now > last_read_time_ + hung_interval_ ||
       last_read_time_ < last_check_time) {
     check_ping_status_pending_ = false;
-    DoDrainSession(ERR_SPDY_PING_FAILED, "Failed ping.");
+    DoDrainSession(ERR_HTTP2_PING_FAILED, "Failed ping.");
     return;
   }
 
@@ -2902,9 +2881,9 @@ void SpdySession::DoDrainSession(Error err, const std::string& description) {
   availability_state_ = STATE_DRAINING;
   error_on_close_ = err;
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP2_SESSION_CLOSE,
-      base::Bind(&NetLogSpdySessionCloseCallback, err, &description));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_CLOSE, [&] {
+    return NetLogSpdySessionCloseParams(err, description);
+  });
 
   base::UmaHistogramSparse("Net.SpdySession.ClosedOnError", -err);
 
@@ -3001,15 +2980,15 @@ void SpdySession::OnStreamError(spdy::SpdyStreamId stream_id,
     return;
   }
 
-  ResetStreamIterator(it, ERR_SPDY_PROTOCOL_ERROR, description);
+  ResetStreamIterator(it, ERR_HTTP2_PROTOCOL_ERROR, description);
 }
 
 void SpdySession::OnPing(spdy::SpdyPingId unique_id, bool is_ack) {
   CHECK(in_io_loop_);
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP2_SESSION_PING,
-      base::Bind(&NetLogSpdyPingCallback, unique_id, is_ack, "received"));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_PING, [&] {
+    return NetLogSpdyPingParams(unique_id, is_ack, "received");
+  });
 
   // Send response to a PING from server.
   if (!is_ack) {
@@ -3019,7 +2998,7 @@ void SpdySession::OnPing(spdy::SpdyPingId unique_id, bool is_ack) {
 
   if (!ping_in_flight_) {
     RecordProtocolErrorHistogram(PROTOCOL_ERROR_UNEXPECTED_PING);
-    DoDrainSession(ERR_SPDY_PROTOCOL_ERROR, "Unexpected PING ACK.");
+    DoDrainSession(ERR_HTTP2_PROTOCOL_ERROR, "Unexpected PING ACK.");
     return;
   }
 
@@ -3038,9 +3017,9 @@ void SpdySession::OnRstStream(spdy::SpdyStreamId stream_id,
                               spdy::SpdyErrorCode error_code) {
   CHECK(in_io_loop_);
 
-  net_log().AddEvent(
-      NetLogEventType::HTTP2_SESSION_RECV_RST_STREAM,
-      base::Bind(&NetLogSpdyRecvRstStreamCallback, stream_id, error_code));
+  net_log().AddEvent(NetLogEventType::HTTP2_SESSION_RECV_RST_STREAM, [&] {
+    return NetLogSpdyRecvRstStreamParams(stream_id, error_code);
+  });
 
   auto it = active_streams_.find(stream_id);
   if (it == active_streams_.end()) {
@@ -3054,11 +3033,11 @@ void SpdySession::OnRstStream(spdy::SpdyStreamId stream_id,
 
   if (it->second->ShouldRetryRSTPushStream()) {
     CloseActiveStreamIterator(it,
-                              ERR_SPDY_CLAIMED_PUSHED_STREAM_RESET_BY_SERVER);
+                              ERR_HTTP2_CLAIMED_PUSHED_STREAM_RESET_BY_SERVER);
   } else if (error_code == spdy::ERROR_CODE_NO_ERROR) {
-    CloseActiveStreamIterator(it, ERR_SPDY_RST_STREAM_NO_ERROR_RECEIVED);
+    CloseActiveStreamIterator(it, ERR_HTTP2_RST_STREAM_NO_ERROR_RECEIVED);
   } else if (error_code == spdy::ERROR_CODE_REFUSED_STREAM) {
-    CloseActiveStreamIterator(it, ERR_SPDY_SERVER_REFUSED_STREAM);
+    CloseActiveStreamIterator(it, ERR_HTTP2_SERVER_REFUSED_STREAM);
   } else if (error_code == spdy::ERROR_CODE_HTTP_1_1_REQUIRED) {
     // TODO(bnc): Record histogram with number of open streams capped at 50.
     if (net_log().IsCapturing()) {
@@ -3071,12 +3050,12 @@ void SpdySession::OnRstStream(spdy::SpdyStreamId stream_id,
     RecordProtocolErrorHistogram(
         PROTOCOL_ERROR_RST_STREAM_FOR_NON_ACTIVE_STREAM);
     if (net_log().IsCapturing()) {
-      it->second->LogStreamError(ERR_SPDY_PROTOCOL_ERROR,
+      it->second->LogStreamError(ERR_HTTP2_PROTOCOL_ERROR,
                                  "Server reset stream.");
     }
     // TODO(mbelshe): Map from Spdy-protocol errors to something sensical.
     //                For now, it doesn't matter much - it is a protocol error.
-    CloseActiveStreamIterator(it, ERR_SPDY_PROTOCOL_ERROR);
+    CloseActiveStreamIterator(it, ERR_HTTP2_PROTOCOL_ERROR);
   }
 }
 
@@ -3089,16 +3068,18 @@ void SpdySession::OnGoAway(spdy::SpdyStreamId last_accepted_stream_id,
 
   net_log_.AddEvent(
       NetLogEventType::HTTP2_SESSION_RECV_GOAWAY,
-      base::Bind(&NetLogSpdyRecvGoAwayCallback, last_accepted_stream_id,
-                 active_streams_.size(),
-                 pool_->push_promise_index()->CountStreamsForSession(this),
-                 error_code, debug_data));
+      [&](NetLogCaptureMode capture_mode) {
+        return NetLogSpdyRecvGoAwayParams(
+            last_accepted_stream_id, active_streams_.size(),
+            pool_->push_promise_index()->CountStreamsForSession(this),
+            error_code, debug_data, capture_mode);
+      });
   MakeUnavailable();
   if (error_code == spdy::ERROR_CODE_HTTP_1_1_REQUIRED) {
     // TODO(bnc): Record histogram with number of open streams capped at 50.
     DoDrainSession(ERR_HTTP_1_1_REQUIRED, "HTTP_1_1_REQUIRED for stream.");
   } else if (error_code == spdy::ERROR_CODE_NO_ERROR) {
-    StartGoingAway(last_accepted_stream_id, ERR_SPDY_SERVER_REFUSED_STREAM);
+    StartGoingAway(last_accepted_stream_id, ERR_HTTP2_SERVER_REFUSED_STREAM);
   } else {
     StartGoingAway(last_accepted_stream_id, ERR_ABORTED);
   }
@@ -3133,9 +3114,9 @@ void SpdySession::OnStreamFrameData(spdy::SpdyStreamId stream_id,
   CHECK(in_io_loop_);
   DCHECK_LT(len, 1u << 24);
   if (net_log().IsCapturing()) {
-    net_log().AddEvent(
-        NetLogEventType::HTTP2_SESSION_RECV_DATA,
-        base::Bind(&NetLogSpdyDataCallback, stream_id, len, false));
+    net_log().AddEvent(NetLogEventType::HTTP2_SESSION_RECV_DATA, [&] {
+      return NetLogSpdyDataParams(stream_id, len, false);
+    });
   }
 
   // Build the buffer as early as possible so that we go through the
@@ -3172,8 +3153,9 @@ void SpdySession::OnStreamFrameData(spdy::SpdyStreamId stream_id,
 void SpdySession::OnStreamEnd(spdy::SpdyStreamId stream_id) {
   CHECK(in_io_loop_);
   if (net_log().IsCapturing()) {
-    net_log().AddEvent(NetLogEventType::HTTP2_SESSION_RECV_DATA,
-                       base::Bind(&NetLogSpdyDataCallback, stream_id, 0, true));
+    net_log().AddEvent(NetLogEventType::HTTP2_SESSION_RECV_DATA, [&] {
+      return NetLogSpdyDataParams(stream_id, 0, true);
+    });
   }
 
   auto it = active_streams_.find(stream_id);
@@ -3233,23 +3215,23 @@ void SpdySession::OnSetting(spdy::SpdySettingsId id, uint32_t value) {
 
   // Log the setting.
   net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_SETTING,
-                    base::Bind(&NetLogSpdyRecvSettingCallback, id, value));
+                    [&] { return NetLogSpdyRecvSettingParams(id, value); });
 }
 
 void SpdySession::OnWindowUpdate(spdy::SpdyStreamId stream_id,
                                  int delta_window_size) {
   CHECK(in_io_loop_);
 
-  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_WINDOW_UPDATE,
-                    base::Bind(&NetLogSpdyWindowUpdateFrameCallback, stream_id,
-                               delta_window_size));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_WINDOW_UPDATE, [&] {
+    return NetLogSpdyWindowUpdateFrameParams(stream_id, delta_window_size);
+  });
 
   if (stream_id == spdy::kSessionFlowControlStreamId) {
     // WINDOW_UPDATE for the session.
     if (delta_window_size < 1) {
       RecordProtocolErrorHistogram(PROTOCOL_ERROR_INVALID_WINDOW_UPDATE_SIZE);
       DoDrainSession(
-          ERR_SPDY_PROTOCOL_ERROR,
+          ERR_HTTP2_PROTOCOL_ERROR,
           "Received WINDOW_UPDATE with an invalid delta_window_size " +
               base::NumberToString(delta_window_size));
       return;
@@ -3271,7 +3253,7 @@ void SpdySession::OnWindowUpdate(spdy::SpdyStreamId stream_id,
 
     if (delta_window_size < 1) {
       ResetStreamIterator(
-          it, ERR_SPDY_FLOW_CONTROL_ERROR,
+          it, ERR_HTTP2_FLOW_CONTROL_ERROR,
           "Received WINDOW_UPDATE with an invalid delta_window_size.");
       return;
     }
@@ -3288,8 +3270,11 @@ void SpdySession::OnPushPromise(spdy::SpdyStreamId stream_id,
 
   if (net_log_.IsCapturing()) {
     net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_RECV_PUSH_PROMISE,
-                      base::Bind(&NetLogSpdyPushPromiseReceivedCallback,
-                                 &headers, stream_id, promised_stream_id));
+                      [&](NetLogCaptureMode capture_mode) {
+                        return NetLogSpdyPushPromiseReceivedParams(
+                            &headers, stream_id, promised_stream_id,
+                            capture_mode);
+                      });
   }
 
   TryCreatePushStream(promised_stream_id, stream_id, std::move(headers));
@@ -3307,8 +3292,10 @@ void SpdySession::OnHeaders(spdy::SpdyStreamId stream_id,
 
   if (net_log().IsCapturing()) {
     net_log().AddEvent(NetLogEventType::HTTP2_SESSION_RECV_HEADERS,
-                       base::Bind(&NetLogSpdyHeadersReceivedCallback, &headers,
-                                  fin, stream_id));
+                       [&](NetLogCaptureMode capture_mode) {
+                         return NetLogSpdyHeadersReceivedParams(
+                             &headers, fin, stream_id, capture_mode);
+                       });
   }
 
   auto it = active_streams_.find(stream_id);
@@ -3333,7 +3320,7 @@ void SpdySession::OnHeaders(spdy::SpdyStreamId stream_id,
         num_active_pushed_streams_ >= max_concurrent_pushed_streams_) {
       RecordSpdyPushedStreamFateHistogram(
           SpdyPushedStreamFate::kTooManyPushedStreams);
-      ResetStream(stream_id, ERR_SPDY_CLIENT_REFUSED_STREAM,
+      ResetStream(stream_id, ERR_HTTP2_CLIENT_REFUSED_STREAM,
                   "Stream concurrency limit reached.");
       return;
     }
@@ -3488,7 +3475,7 @@ void SpdySession::IncreaseSendWindowSize(int delta_window_size) {
   if (delta_window_size > max_delta_window_size) {
     RecordProtocolErrorHistogram(PROTOCOL_ERROR_INVALID_WINDOW_UPDATE_SIZE);
     DoDrainSession(
-        ERR_SPDY_PROTOCOL_ERROR,
+        ERR_HTTP2_PROTOCOL_ERROR,
         "Received WINDOW_UPDATE [delta: " +
             base::NumberToString(delta_window_size) +
             "] for session overflows session_send_window_size_ [current: " +
@@ -3498,9 +3485,10 @@ void SpdySession::IncreaseSendWindowSize(int delta_window_size) {
 
   session_send_window_size_ += delta_window_size;
 
-  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_SEND_WINDOW,
-                    base::Bind(&NetLogSpdySessionWindowUpdateCallback,
-                               delta_window_size, session_send_window_size_));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_SEND_WINDOW, [&] {
+    return NetLogSpdySessionWindowUpdateParams(delta_window_size,
+                                               session_send_window_size_);
+  });
 
   DCHECK(!IsSendStalled());
   ResumeSendStalledStreams();
@@ -3518,9 +3506,10 @@ void SpdySession::DecreaseSendWindowSize(int32_t delta_window_size) {
 
   session_send_window_size_ -= delta_window_size;
 
-  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_SEND_WINDOW,
-                    base::Bind(&NetLogSpdySessionWindowUpdateCallback,
-                               -delta_window_size, session_send_window_size_));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_SEND_WINDOW, [&] {
+    return NetLogSpdySessionWindowUpdateParams(-delta_window_size,
+                                               session_send_window_size_);
+  });
 }
 
 void SpdySession::OnReadBufferConsumed(
@@ -3544,9 +3533,10 @@ void SpdySession::IncreaseRecvWindowSize(int32_t delta_window_size) {
             std::numeric_limits<int32_t>::max() - session_recv_window_size_);
 
   session_recv_window_size_ += delta_window_size;
-  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_RECV_WINDOW,
-                    base::Bind(&NetLogSpdySessionWindowUpdateCallback,
-                               delta_window_size, session_recv_window_size_));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_RECV_WINDOW, [&] {
+    return NetLogSpdySessionWindowUpdateParams(delta_window_size,
+                                               session_recv_window_size_);
+  });
 
   session_unacked_recv_window_bytes_ += delta_window_size;
   if (session_unacked_recv_window_bytes_ > session_max_recv_window_size_ / 2) {
@@ -3568,7 +3558,7 @@ void SpdySession::DecreaseRecvWindowSize(int32_t delta_window_size) {
       session_recv_window_size_ - session_unacked_recv_window_bytes_) {
     RecordProtocolErrorHistogram(PROTOCOL_ERROR_RECEIVE_WINDOW_VIOLATION);
     DoDrainSession(
-        ERR_SPDY_FLOW_CONTROL_ERROR,
+        ERR_HTTP2_FLOW_CONTROL_ERROR,
         "delta_window_size is " + base::NumberToString(delta_window_size) +
             " in DecreaseRecvWindowSize, which is larger than the receive " +
             "window size of " +
@@ -3577,9 +3567,10 @@ void SpdySession::DecreaseRecvWindowSize(int32_t delta_window_size) {
   }
 
   session_recv_window_size_ -= delta_window_size;
-  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_RECV_WINDOW,
-                    base::Bind(&NetLogSpdySessionWindowUpdateCallback,
-                               -delta_window_size, session_recv_window_size_));
+  net_log_.AddEvent(NetLogEventType::HTTP2_SESSION_UPDATE_RECV_WINDOW, [&] {
+    return NetLogSpdySessionWindowUpdateParams(-delta_window_size,
+                                               session_recv_window_size_);
+  });
 }
 
 void SpdySession::QueueSendStalledStream(const SpdyStream& stream) {
diff --git a/chromium/net/spdy/spdy_session.h b/chromium/net/spdy/spdy_session.h
index 4a1a74042f2..7de36a4be8e 100644
--- a/chromium/net/spdy/spdy_session.h
+++ b/chromium/net/spdy/spdy_session.h
@@ -285,7 +285,7 @@ class NET_EXPORT_PRIVATE SpdyStreamRequest {
   MutableNetworkTrafficAnnotationTag traffic_annotation_;
   State next_state_;
 
-  base::WeakPtrFactory<SpdyStreamRequest> weak_ptr_factory_;
+  base::WeakPtrFactory<SpdyStreamRequest> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SpdyStreamRequest);
 };
@@ -346,7 +346,7 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
   // |pushed_stream_id| must not be kNoPushedStreamFound.
   //
   // Returns ERR_CONNECTION_CLOSED if the connection is being closed.
-  // Returns ERR_SPDY_PUSHED_STREAM_NOT_AVAILABLE if the pushed stream is not
+  // Returns ERR_HTTP2_PUSHED_STREAM_NOT_AVAILABLE if the pushed stream is not
   //   available any longer, for example, if the server has reset it.
   // Returns OK if the stream is still available, and returns the stream in
   //   |*spdy_stream|.  If the stream is still open, updates its priority to
@@ -1212,7 +1212,7 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
   // SpdySession is refcounted because we don't need to keep the SpdySession
   // alive if the last reference is within a RunnableMethod.  Just revoke the
   // method.
-  base::WeakPtrFactory<SpdySession> weak_factory_;
+  base::WeakPtrFactory<SpdySession> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/spdy/spdy_session_fuzzer.cc b/chromium/net/spdy/spdy_session_fuzzer.cc
index 417cd9a6a08..4e139e60e5b 100644
--- a/chromium/net/spdy/spdy_session_fuzzer.cc
+++ b/chromium/net/spdy/spdy_session_fuzzer.cc
@@ -5,7 +5,6 @@
 #include "base/logging.h"
 #include "base/run_loop.h"
 #include "base/stl_util.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/base/request_priority.h"
@@ -19,6 +18,7 @@
 #include "net/spdy/spdy_test_util_common.h"
 #include "net/ssl/ssl_config.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace {
 
@@ -59,22 +59,22 @@ namespace {
 class FuzzedSocketFactoryWithMockSSLData : public FuzzedSocketFactory {
  public:
   explicit FuzzedSocketFactoryWithMockSSLData(
-      base::FuzzedDataProvider* data_provider);
+      FuzzedDataProvider* data_provider);
 
   void AddSSLSocketDataProvider(SSLSocketDataProvider* socket);
 
   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
+      SSLClientContext* context,
       std::unique_ptr<StreamSocket> nested_socket,
       const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config,
-      const SSLClientSocketContext& context) override;
+      const SSLConfig& ssl_config) override;
 
  private:
   SocketDataProviderArray<SSLSocketDataProvider> mock_ssl_data_;
 };
 
 FuzzedSocketFactoryWithMockSSLData::FuzzedSocketFactoryWithMockSSLData(
-    base::FuzzedDataProvider* data_provider)
+    FuzzedDataProvider* data_provider)
     : FuzzedSocketFactory(data_provider) {}
 
 void FuzzedSocketFactoryWithMockSSLData::AddSSLSocketDataProvider(
@@ -84,10 +84,10 @@ void FuzzedSocketFactoryWithMockSSLData::AddSSLSocketDataProvider(
 
 std::unique_ptr<SSLClientSocket>
 FuzzedSocketFactoryWithMockSSLData::CreateSSLClientSocket(
+    SSLClientContext* context,
     std::unique_ptr<StreamSocket> nested_socket,
     const HostPortPair& host_and_port,
-    const SSLConfig& ssl_config,
-    const SSLClientSocketContext& context) {
+    const SSLConfig& ssl_config) {
   return std::make_unique<MockSSLClientSocket>(std::move(nested_socket),
                                                host_and_port, ssl_config,
                                                mock_ssl_data_.GetNext());
@@ -102,7 +102,7 @@ FuzzedSocketFactoryWithMockSSLData::CreateSSLClientSocket(
 // |data| is used to create a FuzzedServerSocket.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   net::BoundTestNetLog bound_test_net_log;
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
   net::FuzzedSocketFactoryWithMockSSLData socket_factory(&data_provider);
   socket_factory.set_fuzz_connect_result(false);
 
diff --git a/chromium/net/spdy/spdy_session_pool.cc b/chromium/net/spdy/spdy_session_pool.cc
index 0d527b67670..e47037015b8 100644
--- a/chromium/net/spdy/spdy_session_pool.cc
+++ b/chromium/net/spdy/spdy_session_pool.cc
@@ -103,8 +103,7 @@ SpdySessionPool::SpdySessionPool(
       greased_http2_frame_(greased_http2_frame),
       time_func_(time_func),
       push_delegate_(nullptr),
-      network_quality_estimator_(network_quality_estimator),
-      weak_ptr_factory_(this) {
+      network_quality_estimator_(network_quality_estimator) {
   NetworkChangeNotifier::AddIPAddressObserver(this);
   if (ssl_config_service_)
     ssl_config_service_->AddObserver(this);
@@ -185,18 +184,18 @@ base::WeakPtr<SpdySession> SpdySessionPool::FindAvailableSession(
   if (key == it->second->spdy_session_key()) {
     UMA_HISTOGRAM_ENUMERATION("Net.SpdySessionGet", FOUND_EXISTING,
                               SPDY_SESSION_GET_MAX);
-    net_log.AddEvent(
+    net_log.AddEventReferencingSource(
         NetLogEventType::HTTP2_SESSION_POOL_FOUND_EXISTING_SESSION,
-        it->second->net_log().source().ToEventParametersCallback());
+        it->second->net_log().source());
     return it->second;
   }
 
   if (enable_ip_based_pooling) {
     UMA_HISTOGRAM_ENUMERATION("Net.SpdySessionGet", FOUND_EXISTING_FROM_IP_POOL,
                               SPDY_SESSION_GET_MAX);
-    net_log.AddEvent(
+    net_log.AddEventReferencingSource(
         NetLogEventType::HTTP2_SESSION_POOL_FOUND_EXISTING_SESSION_FROM_IP_POOL,
-        it->second->net_log().source().ToEventParametersCallback());
+        it->second->net_log().source());
     return it->second;
   }
 
@@ -496,7 +495,7 @@ void SpdySessionPool::RemoveRequestForSpdySession(SpdySessionRequest* request) {
                        weak_ptr_factory_.GetWeakPtr(), request->key()));
   }
 
-  DCHECK(base::ContainsKey(iter->second.request_set, request));
+  DCHECK(base::Contains(iter->second.request_set, request));
   RemoveRequestInternal(iter, iter->second.request_set.find(request));
 }
 
@@ -563,7 +562,7 @@ bool SpdySessionPool::IsSessionAvailable(
 void SpdySessionPool::MapKeyToAvailableSession(
     const SpdySessionKey& key,
     const base::WeakPtr<SpdySession>& session) {
-  DCHECK(base::ContainsKey(sessions_, session.get()));
+  DCHECK(base::Contains(sessions_, session.get()));
   std::pair<AvailableSessionMap::iterator, bool> result =
       available_sessions_.insert(std::make_pair(key, session));
   CHECK(result.second);
@@ -666,9 +665,9 @@ base::WeakPtr<SpdySession> SpdySessionPool::InsertSession(
       FROM_HERE, base::BindOnce(&SpdySessionPool::UpdatePendingRequests,
                                 weak_ptr_factory_.GetWeakPtr(), key));
 
-  source_net_log.AddEvent(
+  source_net_log.AddEventReferencingSource(
       NetLogEventType::HTTP2_SESSION_POOL_IMPORTED_SESSION_FROM_SOCKET,
-      available_session->net_log().source().ToEventParametersCallback());
+      available_session->net_log().source());
 
   // Look up the IP address for this session so that we can match
   // future sessions (potentially to different domains) which can
diff --git a/chromium/net/spdy/spdy_session_pool.h b/chromium/net/spdy/spdy_session_pool.h
index 143d5645aed..3dbfba25f29 100644
--- a/chromium/net/spdy/spdy_session_pool.h
+++ b/chromium/net/spdy/spdy_session_pool.h
@@ -447,7 +447,7 @@ class NET_EXPORT SpdySessionPool
 
   NetworkQualityEstimator* network_quality_estimator_;
 
-  base::WeakPtrFactory<SpdySessionPool> weak_ptr_factory_;
+  base::WeakPtrFactory<SpdySessionPool> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SpdySessionPool);
 };
diff --git a/chromium/net/spdy/spdy_session_pool_unittest.cc b/chromium/net/spdy/spdy_session_pool_unittest.cc
index a2808fb0b6a..3013b536712 100644
--- a/chromium/net/spdy/spdy_session_pool_unittest.cc
+++ b/chromium/net/spdy/spdy_session_pool_unittest.cc
@@ -21,7 +21,6 @@
 #include "net/http/http_network_session.h"
 #include "net/log/net_log_with_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/socket_tag.h"
 #include "net/socket/transport_client_socket_pool.h"
@@ -710,8 +709,7 @@ TEST_F(SpdySessionPoolTest, IPPoolingNetLog) {
 
   // FindAvailableSession() should have logged a netlog event indicating IP
   // pooling.
-  TestNetLogEntry::List entry_list;
-  net_log.GetEntries(&entry_list);
+  auto entry_list = net_log.GetEntries();
   EXPECT_EQ(
       NetLogEventType::HTTP2_SESSION_POOL_FOUND_EXISTING_SESSION_FROM_IP_POOL,
       entry_list[0].type);
@@ -892,7 +890,7 @@ TEST_F(SpdySessionPoolTest, IPAddressChanged) {
   base::WeakPtr<SpdySession> sessionC =
       CreateSpdySession(http_session_.get(), keyC, NetLogWithSource());
 
-  sessionC->CloseSessionOnError(ERR_SPDY_PROTOCOL_ERROR, "Error!");
+  sessionC->CloseSessionOnError(ERR_HTTP2_PROTOCOL_ERROR, "Error!");
   EXPECT_TRUE(sessionC->IsDraining());
 
   spdy_session_pool_->OnIPAddressChanged();
diff --git a/chromium/net/spdy/spdy_session_unittest.cc b/chromium/net/spdy/spdy_session_unittest.cc
index baabba7ad3d..a8ffdfcd426 100644
--- a/chromium/net/spdy/spdy_session_unittest.cc
+++ b/chromium/net/spdy/spdy_session_unittest.cc
@@ -32,7 +32,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/nqe/network_quality_estimator_test_util.h"
 #include "net/socket/client_socket_pool.h"
@@ -152,13 +151,10 @@ class SpdySessionTest : public PlatformTest, public WithScopedTaskEnvironment {
   }
 
  protected:
-  SpdySessionTest()
-      : SpdySessionTest(base::test::ScopedTaskEnvironment::MainThreadType::IO) {
-  }
-
   explicit SpdySessionTest(
-      base::test::ScopedTaskEnvironment::MainThreadType type)
-      : WithScopedTaskEnvironment(type),
+      base::test::ScopedTaskEnvironment::TimeSource time_source =
+          base::test::ScopedTaskEnvironment::TimeSource::DEFAULT)
+      : WithScopedTaskEnvironment(time_source),
         old_max_group_sockets_(ClientSocketPoolManager::max_sockets_per_group(
             HttpNetworkSession::NORMAL_SOCKET_POOL)),
         old_max_pool_sockets_(ClientSocketPoolManager::max_sockets_per_pool(
@@ -365,6 +361,8 @@ class SpdySessionTest : public PlatformTest, public WithScopedTaskEnvironment {
                url, session_.get()) != kNoPushedStreamFound;
   }
 
+  BoundTestNetLog log_;
+
   // Original socket limits.  Some tests set these.  Safest to always restore
   // them once each test has been run.
   int old_max_group_sockets_;
@@ -380,14 +378,13 @@ class SpdySessionTest : public PlatformTest, public WithScopedTaskEnvironment {
   const url::SchemeHostPort test_server_;
   SpdySessionKey key_;
   SSLSocketDataProvider ssl_;
-  BoundTestNetLog log_;
 };
 
 class SpdySessionTestWithMockTime : public SpdySessionTest {
  protected:
   SpdySessionTestWithMockTime()
       : SpdySessionTest(
-            base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME) {}
+            base::test::ScopedTaskEnvironment::TimeSource::MOCK_TIME) {}
 };
 
 // Try to create a SPDY session that will fail during
@@ -2148,8 +2145,7 @@ TEST_F(SpdySessionTest, Initialize) {
   // Flush the read completion task.
   base::RunLoop().RunUntilIdle();
 
-  TestNetLogEntry::List entries;
-  log_.GetEntries(&entries);
+  auto entries = log_.GetEntries();
   EXPECT_LT(0u, entries.size());
 
   // Check that we logged HTTP2_SESSION_INITIALIZED correctly.
@@ -2158,10 +2154,9 @@ TEST_F(SpdySessionTest, Initialize) {
       NetLogEventPhase::NONE);
   EXPECT_LT(0, pos);
 
-  TestNetLogEntry entry = entries[pos];
   NetLogSource socket_source;
   EXPECT_TRUE(
-      NetLogSource::FromEventParameters(entry.params.get(), &socket_source));
+      NetLogSource::FromEventParameters(&entries[pos].params, &socket_source));
   EXPECT_TRUE(socket_source.IsValid());
   EXPECT_NE(log_.bound().source().id, socket_source.id);
 }
@@ -2189,38 +2184,24 @@ TEST_F(SpdySessionTest, NetLogOnSessionGoaway) {
   EXPECT_FALSE(session_);
 
   // Check that the NetLog was filled reasonably.
-  TestNetLogEntry::List entries;
-  log_.GetEntries(&entries);
+  auto entries = log_.GetEntries();
   EXPECT_LT(0u, entries.size());
 
   int pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP2_SESSION_RECV_GOAWAY,
       NetLogEventPhase::NONE);
-  TestNetLogEntry entry = entries[pos];
-  int last_accepted_stream_id;
-  ASSERT_TRUE(entry.GetIntegerValue("last_accepted_stream_id",
-                                    &last_accepted_stream_id));
-  EXPECT_EQ(42, last_accepted_stream_id);
-  int active_streams;
-  ASSERT_TRUE(entry.GetIntegerValue("active_streams", &active_streams));
-  EXPECT_EQ(0, active_streams);
-  int unclaimed_streams;
-  ASSERT_TRUE(entry.GetIntegerValue("unclaimed_streams", &unclaimed_streams));
-  EXPECT_EQ(0, unclaimed_streams);
-  std::string error_code;
-  ASSERT_TRUE(entry.GetStringValue("error_code", &error_code));
-  EXPECT_EQ("11 (ENHANCE_YOUR_CALM)", error_code);
-  std::string debug_data;
-  ASSERT_TRUE(entry.GetStringValue("debug_data", &debug_data));
-  EXPECT_EQ("foo", debug_data);
+  ASSERT_EQ(42,
+            GetIntegerValueFromParams(entries[pos], "last_accepted_stream_id"));
+  ASSERT_EQ(0, GetIntegerValueFromParams(entries[pos], "active_streams"));
+  ASSERT_EQ(0, GetIntegerValueFromParams(entries[pos], "unclaimed_streams"));
+  ASSERT_EQ("11 (ENHANCE_YOUR_CALM)",
+            GetStringValueFromParams(entries[pos], "error_code"));
+  ASSERT_EQ("foo", GetStringValueFromParams(entries[pos], "debug_data"));
 
   // Check that we logged SPDY_SESSION_CLOSE correctly.
   pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP2_SESSION_CLOSE, NetLogEventPhase::NONE);
-  entry = entries[pos];
-  int net_error_code = 0;
-  ASSERT_TRUE(entry.GetNetErrorCode(&net_error_code));
-  EXPECT_THAT(net_error_code, IsOk());
+  EXPECT_THAT(GetNetErrorCodeFromParams(entries[pos]), IsOk());
 }
 
 TEST_F(SpdySessionTest, NetLogOnSessionEOF) {
@@ -2244,8 +2225,7 @@ TEST_F(SpdySessionTest, NetLogOnSessionEOF) {
   EXPECT_FALSE(session_);
 
   // Check that the NetLog was filled reasonably.
-  TestNetLogEntry::List entries;
-  log_.GetEntries(&entries);
+  auto entries = log_.GetEntries();
   EXPECT_LT(0u, entries.size());
 
   // Check that we logged SPDY_SESSION_CLOSE correctly.
@@ -2253,10 +2233,8 @@ TEST_F(SpdySessionTest, NetLogOnSessionEOF) {
       entries, 0, NetLogEventType::HTTP2_SESSION_CLOSE, NetLogEventPhase::NONE);
 
   if (pos < static_cast<int>(entries.size())) {
-    TestNetLogEntry entry = entries[pos];
-    int error_code = 0;
-    ASSERT_TRUE(entry.GetNetErrorCode(&error_code));
-    EXPECT_THAT(error_code, IsError(ERR_CONNECTION_CLOSED));
+    ASSERT_THAT(GetNetErrorCodeFromParams(entries[pos]),
+                IsError(ERR_CONNECTION_CLOSED));
   } else {
     ADD_FAILURE();
   }
@@ -2718,7 +2696,7 @@ class SessionClosingDelegate : public test::StreamDelegateDoNothing {
   ~SessionClosingDelegate() override = default;
 
   void OnClose(int status) override {
-    session_to_close_->CloseSessionOnError(ERR_SPDY_PROTOCOL_ERROR, "Error");
+    session_to_close_->CloseSessionOnError(ERR_HTTP2_PROTOCOL_ERROR, "Error");
   }
 
  private:
@@ -5187,7 +5165,7 @@ TEST_F(SpdySessionTest, GoAwayOnSessionFlowControlError) {
   data.Resume();
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_FLOW_CONTROL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_FLOW_CONTROL_ERROR));
   EXPECT_FALSE(session_);
 }
 
@@ -5814,7 +5792,7 @@ TEST_F(SpdySessionTest, GetPushedStream) {
   SpdyStream* pushed_stream;
   int rv = session_->GetPushedStream(pushed_url, 2 /* pushed_stream_id */, IDLE,
                                      &pushed_stream);
-  EXPECT_THAT(rv, IsError(ERR_SPDY_PUSHED_STREAM_NOT_AVAILABLE));
+  EXPECT_THAT(rv, IsError(ERR_HTTP2_PUSHED_STREAM_NOT_AVAILABLE));
 
   // Read PUSH_PROMISE.
   data.Resume();
@@ -5845,7 +5823,7 @@ TEST_F(SpdySessionTest, GetPushedStream) {
   // stream with ID |pushed_stream_id|.
   rv = session_->GetPushedStream(pushed_url, 4 /* pushed_stream_id */, IDLE,
                                  &pushed_stream);
-  EXPECT_THAT(rv, IsError(ERR_SPDY_PUSHED_STREAM_NOT_AVAILABLE));
+  EXPECT_THAT(rv, IsError(ERR_HTTP2_PUSHED_STREAM_NOT_AVAILABLE));
 
   // GetPushedStream() should return OK and return the pushed stream in
   // |pushed_stream| outparam if |pushed_stream_id| matches.
@@ -6597,19 +6575,19 @@ TEST(MapFramerErrorToProtocolError, MapsValues) {
 }
 
 TEST(MapFramerErrorToNetError, MapsValue) {
-  CHECK_EQ(ERR_SPDY_PROTOCOL_ERROR,
+  CHECK_EQ(ERR_HTTP2_PROTOCOL_ERROR,
            MapFramerErrorToNetError(
                http2::Http2DecoderAdapter::SPDY_INVALID_CONTROL_FRAME));
-  CHECK_EQ(ERR_SPDY_COMPRESSION_ERROR,
+  CHECK_EQ(ERR_HTTP2_COMPRESSION_ERROR,
            MapFramerErrorToNetError(
                http2::Http2DecoderAdapter::SPDY_COMPRESS_FAILURE));
-  CHECK_EQ(ERR_SPDY_COMPRESSION_ERROR,
+  CHECK_EQ(ERR_HTTP2_COMPRESSION_ERROR,
            MapFramerErrorToNetError(
                http2::Http2DecoderAdapter::SPDY_DECOMPRESS_FAILURE));
-  CHECK_EQ(ERR_SPDY_FRAME_SIZE_ERROR,
+  CHECK_EQ(ERR_HTTP2_FRAME_SIZE_ERROR,
            MapFramerErrorToNetError(
                http2::Http2DecoderAdapter::SPDY_CONTROL_PAYLOAD_TOO_LARGE));
-  CHECK_EQ(ERR_SPDY_FRAME_SIZE_ERROR,
+  CHECK_EQ(ERR_HTTP2_FRAME_SIZE_ERROR,
            MapFramerErrorToNetError(
                http2::Http2DecoderAdapter::SPDY_OVERSIZED_PAYLOAD));
 }
@@ -6633,15 +6611,15 @@ TEST(MapRstStreamStatusToProtocolError, MapsValues) {
 
 TEST(MapNetErrorToGoAwayStatus, MapsValue) {
   CHECK_EQ(spdy::ERROR_CODE_INADEQUATE_SECURITY,
-           MapNetErrorToGoAwayStatus(ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY));
+           MapNetErrorToGoAwayStatus(ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY));
   CHECK_EQ(spdy::ERROR_CODE_FLOW_CONTROL_ERROR,
-           MapNetErrorToGoAwayStatus(ERR_SPDY_FLOW_CONTROL_ERROR));
+           MapNetErrorToGoAwayStatus(ERR_HTTP2_FLOW_CONTROL_ERROR));
   CHECK_EQ(spdy::ERROR_CODE_PROTOCOL_ERROR,
-           MapNetErrorToGoAwayStatus(ERR_SPDY_PROTOCOL_ERROR));
+           MapNetErrorToGoAwayStatus(ERR_HTTP2_PROTOCOL_ERROR));
   CHECK_EQ(spdy::ERROR_CODE_COMPRESSION_ERROR,
-           MapNetErrorToGoAwayStatus(ERR_SPDY_COMPRESSION_ERROR));
+           MapNetErrorToGoAwayStatus(ERR_HTTP2_COMPRESSION_ERROR));
   CHECK_EQ(spdy::ERROR_CODE_FRAME_SIZE_ERROR,
-           MapNetErrorToGoAwayStatus(ERR_SPDY_FRAME_SIZE_ERROR));
+           MapNetErrorToGoAwayStatus(ERR_HTTP2_FRAME_SIZE_ERROR));
   CHECK_EQ(spdy::ERROR_CODE_PROTOCOL_ERROR,
            MapNetErrorToGoAwayStatus(ERR_UNEXPECTED));
 }
diff --git a/chromium/net/spdy/spdy_stream.cc b/chromium/net/spdy/spdy_stream.cc
index 785de06409e..8df8a74d6fb 100644
--- a/chromium/net/spdy/spdy_stream.cc
+++ b/chromium/net/spdy/spdy_stream.cc
@@ -32,11 +32,9 @@ namespace net {
 
 namespace {
 
-base::Value NetLogSpdyStreamErrorCallback(
-    spdy::SpdyStreamId stream_id,
-    int net_error,
-    const std::string* description,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdyStreamErrorParams(spdy::SpdyStreamId stream_id,
+                                        int net_error,
+                                        const std::string* description) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", static_cast<int>(stream_id));
   dict.SetStringKey("net_error", ErrorToShortString(net_error));
@@ -44,11 +42,9 @@ base::Value NetLogSpdyStreamErrorCallback(
   return dict;
 }
 
-base::Value NetLogSpdyStreamWindowUpdateCallback(
-    spdy::SpdyStreamId stream_id,
-    int32_t delta,
-    int32_t window_size,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogSpdyStreamWindowUpdateParams(spdy::SpdyStreamId stream_id,
+                                               int32_t delta,
+                                               int32_t window_size) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", stream_id);
   dict.SetIntKey("delta", delta);
@@ -111,8 +107,7 @@ SpdyStream::SpdyStream(SpdyStreamType type,
       raw_sent_bytes_(0),
       recv_bytes_(0),
       write_handler_guard_(false),
-      traffic_annotation_(traffic_annotation),
-      weak_ptr_factory_(this) {
+      traffic_annotation_(traffic_annotation) {
   CHECK(type_ == SPDY_BIDIRECTIONAL_STREAM ||
         type_ == SPDY_REQUEST_RESPONSE_STREAM ||
         type_ == SPDY_PUSH_STREAM);
@@ -238,10 +233,10 @@ bool SpdyStream::AdjustSendWindowSize(int32_t delta_window_size) {
 
   send_window_size_ += delta_window_size;
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP2_STREAM_UPDATE_SEND_WINDOW,
-      base::Bind(&NetLogSpdyStreamWindowUpdateCallback, stream_id_,
-                 delta_window_size, send_window_size_));
+  net_log_.AddEvent(NetLogEventType::HTTP2_STREAM_UPDATE_SEND_WINDOW, [&] {
+    return NetLogSpdyStreamWindowUpdateParams(stream_id_, delta_window_size,
+                                              send_window_size_);
+  });
 
   PossiblyResumeIfSendStalled();
   return true;
@@ -272,7 +267,7 @@ void SpdyStream::IncreaseSendWindowSize(int32_t delta_window_size) {
         "Received WINDOW_UPDATE [delta: %d] for stream %d overflows "
         "send_window_size_ [current: %d]",
         delta_window_size, stream_id_, send_window_size_);
-    session_->ResetStream(stream_id_, ERR_SPDY_FLOW_CONTROL_ERROR, desc);
+    session_->ResetStream(stream_id_, ERR_HTTP2_FLOW_CONTROL_ERROR, desc);
   }
 }
 
@@ -291,10 +286,10 @@ void SpdyStream::DecreaseSendWindowSize(int32_t delta_window_size) {
 
   send_window_size_ -= delta_window_size;
 
-  net_log_.AddEvent(
-      NetLogEventType::HTTP2_STREAM_UPDATE_SEND_WINDOW,
-      base::Bind(&NetLogSpdyStreamWindowUpdateCallback, stream_id_,
-                 -delta_window_size, send_window_size_));
+  net_log_.AddEvent(NetLogEventType::HTTP2_STREAM_UPDATE_SEND_WINDOW, [&] {
+    return NetLogSpdyStreamWindowUpdateParams(stream_id_, -delta_window_size,
+                                              send_window_size_);
+  });
 }
 
 void SpdyStream::OnReadBufferConsumed(
@@ -320,10 +315,10 @@ void SpdyStream::IncreaseRecvWindowSize(int32_t delta_window_size) {
             std::numeric_limits<int32_t>::max() - recv_window_size_);
 
   recv_window_size_ += delta_window_size;
-  net_log_.AddEvent(
-      NetLogEventType::HTTP2_STREAM_UPDATE_RECV_WINDOW,
-      base::Bind(&NetLogSpdyStreamWindowUpdateCallback, stream_id_,
-                 delta_window_size, recv_window_size_));
+  net_log_.AddEvent(NetLogEventType::HTTP2_STREAM_UPDATE_RECV_WINDOW, [&] {
+    return NetLogSpdyStreamWindowUpdateParams(stream_id_, delta_window_size,
+                                              recv_window_size_);
+  });
 
   unacked_recv_window_bytes_ += delta_window_size;
   if (unacked_recv_window_bytes_ > max_recv_window_size_ / 2) {
@@ -342,7 +337,7 @@ void SpdyStream::DecreaseRecvWindowSize(int32_t delta_window_size) {
   // the peer, that means that the receive window is not being respected.
   if (delta_window_size > recv_window_size_ - unacked_recv_window_bytes_) {
     session_->ResetStream(
-        stream_id_, ERR_SPDY_FLOW_CONTROL_ERROR,
+        stream_id_, ERR_HTTP2_FLOW_CONTROL_ERROR,
         "delta_window_size is " + base::NumberToString(delta_window_size) +
             " in DecreaseRecvWindowSize, which is larger than the receive " +
             "window size of " + base::NumberToString(recv_window_size_));
@@ -350,10 +345,10 @@ void SpdyStream::DecreaseRecvWindowSize(int32_t delta_window_size) {
   }
 
   recv_window_size_ -= delta_window_size;
-  net_log_.AddEvent(
-      NetLogEventType::HTTP2_STREAM_UPDATE_RECV_WINDOW,
-      base::Bind(&NetLogSpdyStreamWindowUpdateCallback, stream_id_,
-                 -delta_window_size, recv_window_size_));
+  net_log_.AddEvent(NetLogEventType::HTTP2_STREAM_UPDATE_RECV_WINDOW, [&] {
+    return NetLogSpdyStreamWindowUpdateParams(stream_id_, -delta_window_size,
+                                              recv_window_size_);
+  });
 }
 
 int SpdyStream::GetPeerAddress(IPEndPoint* address) const {
@@ -389,16 +384,16 @@ void SpdyStream::OnHeadersReceived(
           response_headers.find(spdy::kHttp2StatusHeader);
       if (it == response_headers.end()) {
         const std::string error("Response headers do not include :status.");
-        LogStreamError(ERR_SPDY_PROTOCOL_ERROR, error);
-        session_->ResetStream(stream_id_, ERR_SPDY_PROTOCOL_ERROR, error);
+        LogStreamError(ERR_HTTP2_PROTOCOL_ERROR, error);
+        session_->ResetStream(stream_id_, ERR_HTTP2_PROTOCOL_ERROR, error);
         return;
       }
 
       int status;
       if (!StringToInt(it->second, &status)) {
         const std::string error("Cannot parse :status.");
-        LogStreamError(ERR_SPDY_PROTOCOL_ERROR, error);
-        session_->ResetStream(stream_id_, ERR_SPDY_PROTOCOL_ERROR, error);
+        LogStreamError(ERR_HTTP2_PROTOCOL_ERROR, error);
+        session_->ResetStream(stream_id_, ERR_HTTP2_PROTOCOL_ERROR, error);
         return;
       }
 
@@ -428,8 +423,8 @@ void SpdyStream::OnHeadersReceived(
           // the response headers only after request headers are sent.
           if (io_state_ == STATE_IDLE) {
             const std::string error("Response received before request sent.");
-            LogStreamError(ERR_SPDY_PROTOCOL_ERROR, error);
-            session_->ResetStream(stream_id_, ERR_SPDY_PROTOCOL_ERROR, error);
+            LogStreamError(ERR_HTTP2_PROTOCOL_ERROR, error);
+            session_->ResetStream(stream_id_, ERR_HTTP2_PROTOCOL_ERROR, error);
             return;
           }
           break;
@@ -458,8 +453,8 @@ void SpdyStream::OnHeadersReceived(
       // Second header block is trailers.
       if (type_ == SPDY_PUSH_STREAM) {
         const std::string error("Trailers not supported for push stream.");
-        LogStreamError(ERR_SPDY_PROTOCOL_ERROR, error);
-        session_->ResetStream(stream_id_, ERR_SPDY_PROTOCOL_ERROR, error);
+        LogStreamError(ERR_HTTP2_PROTOCOL_ERROR, error);
+        session_->ResetStream(stream_id_, ERR_HTTP2_PROTOCOL_ERROR, error);
         return;
       }
 
@@ -470,8 +465,8 @@ void SpdyStream::OnHeadersReceived(
     case TRAILERS_RECEIVED:
       // No further header blocks are allowed after trailers.
       const std::string error("Header block received after trailers.");
-      LogStreamError(ERR_SPDY_PROTOCOL_ERROR, error);
-      session_->ResetStream(stream_id_, ERR_SPDY_PROTOCOL_ERROR, error);
+      LogStreamError(ERR_HTTP2_PROTOCOL_ERROR, error);
+      session_->ResetStream(stream_id_, ERR_HTTP2_PROTOCOL_ERROR, error);
       break;
   }
 }
@@ -499,22 +494,22 @@ void SpdyStream::OnDataReceived(std::unique_ptr<SpdyBuffer> buffer) {
 
   if (response_state_ == READY_FOR_HEADERS) {
     const std::string error("DATA received before headers.");
-    LogStreamError(ERR_SPDY_PROTOCOL_ERROR, error);
-    session_->ResetStream(stream_id_, ERR_SPDY_PROTOCOL_ERROR, error);
+    LogStreamError(ERR_HTTP2_PROTOCOL_ERROR, error);
+    session_->ResetStream(stream_id_, ERR_HTTP2_PROTOCOL_ERROR, error);
     return;
   }
 
   if (response_state_ == TRAILERS_RECEIVED && buffer) {
     const std::string error("DATA received after trailers.");
-    LogStreamError(ERR_SPDY_PROTOCOL_ERROR, error);
-    session_->ResetStream(stream_id_, ERR_SPDY_PROTOCOL_ERROR, error);
+    LogStreamError(ERR_HTTP2_PROTOCOL_ERROR, error);
+    session_->ResetStream(stream_id_, ERR_HTTP2_PROTOCOL_ERROR, error);
     return;
   }
 
   if (io_state_ == STATE_HALF_CLOSED_REMOTE) {
     const std::string error("DATA received on half-closed (remove) stream.");
-    LogStreamError(ERR_SPDY_STREAM_CLOSED, error);
-    session_->ResetStream(stream_id_, ERR_SPDY_STREAM_CLOSED, error);
+    LogStreamError(ERR_HTTP2_STREAM_CLOSED, error);
+    session_->ResetStream(stream_id_, ERR_HTTP2_STREAM_CLOSED, error);
     return;
   }
 
@@ -665,18 +660,18 @@ int SpdyStream::OnDataSent(size_t frame_size) {
 }
 
 void SpdyStream::LogStreamError(int error, const std::string& description) {
-  net_log_.AddEvent(NetLogEventType::HTTP2_STREAM_ERROR,
-                    base::Bind(&NetLogSpdyStreamErrorCallback, stream_id_,
-                               error, &description));
+  net_log_.AddEvent(NetLogEventType::HTTP2_STREAM_ERROR, [&] {
+    return NetLogSpdyStreamErrorParams(stream_id_, error, &description);
+  });
 }
 
 void SpdyStream::OnClose(int status) {
   // In most cases, the stream should already be CLOSED. The exception is when a
   // SpdySession is shutting down while the stream is in an intermediate state.
   io_state_ = STATE_CLOSED;
-  if (status == ERR_SPDY_RST_STREAM_NO_ERROR_RECEIVED) {
+  if (status == ERR_HTTP2_RST_STREAM_NO_ERROR_RECEIVED) {
     if (response_state_ == READY_FOR_HEADERS) {
-      status = ERR_SPDY_PROTOCOL_ERROR;
+      status = ERR_HTTP2_PROTOCOL_ERROR;
     } else {
       status = OK;
     }
@@ -766,8 +761,9 @@ SpdyStream::ShouldRequeueStream SpdyStream::PossiblyResumeIfSendStalled() {
   if (session_->IsSendStalled() || send_window_size_ <= 0) {
     return Requeue;
   }
-  net_log_.AddEvent(NetLogEventType::HTTP2_STREAM_FLOW_CONTROL_UNSTALLED,
-                    NetLog::IntCallback("stream_id", stream_id_));
+  net_log_.AddEventWithIntParams(
+      NetLogEventType::HTTP2_STREAM_FLOW_CONTROL_UNSTALLED, "stream_id",
+      stream_id_);
   send_stalled_by_flow_control_ = false;
   QueueNextDataFrame();
   return DoNotRequeue;
@@ -881,7 +877,7 @@ void SpdyStream::SaveResponseHeaders(
     int status) {
   DCHECK(response_headers_.empty());
   if (response_headers.find("transfer-encoding") != response_headers.end()) {
-    session_->ResetStream(stream_id_, ERR_SPDY_PROTOCOL_ERROR,
+    session_->ResetStream(stream_id_, ERR_HTTP2_PROTOCOL_ERROR,
                           "Received transfer-encoding header");
     return;
   }
@@ -897,7 +893,7 @@ void SpdyStream::SaveResponseHeaders(
       (status / 100 != 2 && status / 100 != 3 && status != 416)) {
     SpdySession::RecordSpdyPushedStreamFateHistogram(
         SpdyPushedStreamFate::kUnsupportedStatusCode);
-    session_->ResetStream(stream_id_, ERR_SPDY_CLIENT_REFUSED_STREAM,
+    session_->ResetStream(stream_id_, ERR_HTTP2_CLIENT_REFUSED_STREAM,
                           "Unsupported status code for pushed stream.");
     return;
   }
diff --git a/chromium/net/spdy/spdy_stream.h b/chromium/net/spdy/spdy_stream.h
index a7a8e7b4c53..efdc0d9b022 100644
--- a/chromium/net/spdy/spdy_stream.h
+++ b/chromium/net/spdy/spdy_stream.h
@@ -530,7 +530,7 @@ class NET_EXPORT_PRIVATE SpdyStream {
 
   const NetworkTrafficAnnotationTag traffic_annotation_;
 
-  base::WeakPtrFactory<SpdyStream> weak_ptr_factory_;
+  base::WeakPtrFactory<SpdyStream> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SpdyStream);
 };
diff --git a/chromium/net/spdy/spdy_stream_unittest.cc b/chromium/net/spdy/spdy_stream_unittest.cc
index e0dc4d759fa..78ba72a1f32 100644
--- a/chromium/net/spdy/spdy_stream_unittest.cc
+++ b/chromium/net/spdy/spdy_stream_unittest.cc
@@ -23,7 +23,6 @@
 #include "net/http/http_request_info.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/socket/socket_tag.h"
 #include "net/socket/socket_test_util.h"
@@ -449,17 +448,15 @@ TEST_F(SpdyStreamTest, StreamError) {
   EXPECT_TRUE(data.AllWriteDataConsumed());
 
   // Check that the NetLog was filled reasonably.
-  TestNetLogEntry::List entries;
-  log.GetEntries(&entries);
+  auto entries = log.GetEntries();
   EXPECT_LT(0u, entries.size());
 
   // Check that we logged SPDY_STREAM_ERROR correctly.
   int pos = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::HTTP2_STREAM_ERROR, NetLogEventPhase::NONE);
 
-  int stream_id2;
-  ASSERT_TRUE(entries[pos].GetIntegerValue("stream_id", &stream_id2));
-  EXPECT_EQ(static_cast<int>(stream_id), stream_id2);
+  EXPECT_EQ(static_cast<int>(stream_id),
+            GetIntegerValueFromParams(entries[pos], "stream_id"));
 }
 
 // Make sure that large blocks of data are properly split up into frame-sized
@@ -605,7 +602,7 @@ TEST_F(SpdyStreamTest, UpperCaseHeaders) {
       stream->SendRequestHeaders(std::move(headers), NO_MORE_DATA_TO_SEND),
       IsError(ERR_IO_PENDING));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   // Finish async network reads and writes.
   base::RunLoop().RunUntilIdle();
@@ -720,7 +717,7 @@ TEST_F(SpdyStreamTest, HeadersMustHaveStatus) {
   EXPECT_EQ(ERR_IO_PENDING, stream->SendRequestHeaders(std::move(headers),
                                                        NO_MORE_DATA_TO_SEND));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   // Finish async network reads and writes.
   base::RunLoop().RunUntilIdle();
@@ -839,7 +836,7 @@ TEST_F(SpdyStreamTest, HeadersMustPreceedData) {
   EXPECT_EQ(ERR_IO_PENDING, stream->SendRequestHeaders(std::move(headers),
                                                        NO_MORE_DATA_TO_SEND));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 }
 
 TEST_F(SpdyStreamTest, HeadersMustPreceedDataOnPushedStream) {
@@ -962,7 +959,7 @@ TEST_F(SpdyStreamTest, TrailersMustNotFollowTrailers) {
   EXPECT_EQ(ERR_IO_PENDING, stream->SendRequestHeaders(std::move(headers),
                                                        NO_MORE_DATA_TO_SEND));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   // Finish async network reads and writes.
   base::RunLoop().RunUntilIdle();
@@ -1021,7 +1018,7 @@ TEST_F(SpdyStreamTest, DataMustNotFollowTrailers) {
   EXPECT_EQ(ERR_IO_PENDING, stream->SendRequestHeaders(std::move(headers),
                                                        NO_MORE_DATA_TO_SEND));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   // Finish async network reads and writes.
   base::RunLoop().RunUntilIdle();
@@ -1125,7 +1122,7 @@ TEST_F(SpdyStreamTest, StatusMustBeNumber) {
   EXPECT_EQ(ERR_IO_PENDING, stream->SendRequestHeaders(std::move(headers),
                                                        NO_MORE_DATA_TO_SEND));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   // Finish async network reads and writes.
   base::RunLoop().RunUntilIdle();
@@ -1178,7 +1175,7 @@ TEST_F(SpdyStreamTest, StatusCannotHaveExtraText) {
   EXPECT_EQ(ERR_IO_PENDING, stream->SendRequestHeaders(std::move(headers),
                                                        NO_MORE_DATA_TO_SEND));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   // Finish async network reads and writes.
   base::RunLoop().RunUntilIdle();
@@ -1229,7 +1226,7 @@ TEST_F(SpdyStreamTest, StatusMustBePresent) {
   EXPECT_EQ(ERR_IO_PENDING, stream->SendRequestHeaders(std::move(headers),
                                                        NO_MORE_DATA_TO_SEND));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_PROTOCOL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
 
   // Finish async network reads and writes.
   base::RunLoop().RunUntilIdle();
@@ -1291,7 +1288,7 @@ TEST_F(SpdyStreamTest, IncreaseSendWindowSizeOverflow) {
   data.Resume();
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_FLOW_CONTROL_ERROR));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_FLOW_CONTROL_ERROR));
 }
 
 // Functions used with
@@ -1590,7 +1587,7 @@ TEST_F(SpdyStreamTest, DataOnHalfClosedRemoveStream) {
   EXPECT_THAT(stream->SendRequestHeaders(std::move(headers), MORE_DATA_TO_SEND),
               IsError(ERR_IO_PENDING));
 
-  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_SPDY_STREAM_CLOSED));
+  EXPECT_THAT(delegate.WaitForClose(), IsError(ERR_HTTP2_STREAM_CLOSED));
 
   base::RunLoop().RunUntilIdle();
 
diff --git a/chromium/net/ssl/client_cert_store_mac_unittest.cc b/chromium/net/ssl/client_cert_store_mac_unittest.cc
index 8427b7c9fad..4dd4d6fe754 100644
--- a/chromium/net/ssl/client_cert_store_mac_unittest.cc
+++ b/chromium/net/ssl/client_cert_store_mac_unittest.cc
@@ -63,7 +63,7 @@ TEST_F(ClientCertStoreMacTest, FilterOutThePreferredCert) {
   EXPECT_FALSE(cert_1->IsIssuedByEncoded(authority_2));
 
   std::vector<scoped_refptr<X509Certificate> > certs;
-  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
+  auto request = base::MakeRefCounted<SSLCertRequestInfo>();
   request->cert_authorities = authority_2;
 
   ClientCertIdentityList selected_certs;
@@ -85,7 +85,7 @@ TEST_F(ClientCertStoreMacTest, PreferredCertGoesFirst) {
 
   std::vector<scoped_refptr<X509Certificate> > certs;
   certs.push_back(cert_2);
-  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
+  auto request = base::MakeRefCounted<SSLCertRequestInfo>();
 
   ClientCertIdentityList selected_certs;
   bool rv = SelectClientCertsGivenPreferred(
diff --git a/chromium/net/ssl/client_cert_store_nss_unittest.cc b/chromium/net/ssl/client_cert_store_nss_unittest.cc
index c6c7f29857e..cf3a2942ae4 100644
--- a/chromium/net/ssl/client_cert_store_nss_unittest.cc
+++ b/chromium/net/ssl/client_cert_store_nss_unittest.cc
@@ -100,7 +100,7 @@ TEST(ClientCertStoreNSSTest, BuildsCertificateChain) {
 
   {
     // Request certificates matching B CA, |client_1|'s issuer.
-    scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo);
+    auto request = base::MakeRefCounted<SSLCertRequestInfo>();
     request->cert_authorities.push_back(std::string(
         reinterpret_cast<const char*>(kAuthority1DN), sizeof(kAuthority1DN)));
 
@@ -133,7 +133,7 @@ TEST(ClientCertStoreNSSTest, BuildsCertificateChain) {
 
   {
     // Request certificates matching C Root CA, |client_1_ca|'s issuer.
-    scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo);
+    auto request = base::MakeRefCounted<SSLCertRequestInfo>();
     request->cert_authorities.push_back(
         std::string(reinterpret_cast<const char*>(kAuthorityRootDN),
                     sizeof(kAuthorityRootDN)));
@@ -212,7 +212,7 @@ TEST(ClientCertStoreNSSTest, SubjectPrintableStringContainingUTF8) {
       0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
       0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
       0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64};
-  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo);
+  auto request = base::MakeRefCounted<SSLCertRequestInfo>();
   request->cert_authorities.push_back(std::string(
       reinterpret_cast<const char*>(kAuthorityDN), sizeof(kAuthorityDN)));
 
diff --git a/chromium/net/ssl/client_cert_store_unittest-inl.h b/chromium/net/ssl/client_cert_store_unittest-inl.h
index 6cc1118e5c0..71318b519a9 100644
--- a/chromium/net/ssl/client_cert_store_unittest-inl.h
+++ b/chromium/net/ssl/client_cert_store_unittest-inl.h
@@ -67,7 +67,7 @@ TYPED_TEST_SUITE_P(ClientCertStoreTest);
 
 TYPED_TEST_P(ClientCertStoreTest, EmptyQuery) {
   CertificateList certs;
-  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
+  auto request = base::MakeRefCounted<SSLCertRequestInfo>();
 
   ClientCertIdentityList selected_identities;
   bool rv = this->delegate_.SelectClientCerts(certs, *request.get(),
@@ -85,7 +85,7 @@ TYPED_TEST_P(ClientCertStoreTest, AllIssuersAllowed) {
 
   std::vector<scoped_refptr<X509Certificate> > certs;
   certs.push_back(cert);
-  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
+  auto request = base::MakeRefCounted<SSLCertRequestInfo>();
 
   ClientCertIdentityList selected_identities;
   bool rv = this->delegate_.SelectClientCerts(certs, *request.get(),
@@ -120,7 +120,7 @@ TYPED_TEST_P(ClientCertStoreTest, CertAuthorityFiltering) {
   std::vector<scoped_refptr<X509Certificate> > certs;
   certs.push_back(cert_1);
   certs.push_back(cert_2);
-  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
+  auto request = base::MakeRefCounted<SSLCertRequestInfo>();
   request->cert_authorities = authority_1;
 
   ClientCertIdentityList selected_identities;
@@ -158,7 +158,7 @@ TYPED_TEST_P(ClientCertStoreTest, PrintableStringContainingUTF8) {
                                                      options);
   ASSERT_TRUE(cert);
 
-  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
+  auto request = base::MakeRefCounted<SSLCertRequestInfo>();
 
   ClientCertIdentityList selected_identities;
   bool rv = this->delegate_.SelectClientCerts({cert}, *request.get(),
diff --git a/chromium/net/ssl/openssl_ssl_util.cc b/chromium/net/ssl/openssl_ssl_util.cc
index fea33f4f03d..f5185218e4e 100644
--- a/chromium/net/ssl/openssl_ssl_util.cc
+++ b/chromium/net/ssl/openssl_ssl_util.cc
@@ -5,10 +5,9 @@
 #include "net/ssl/openssl_ssl_util.h"
 
 #include <errno.h>
+
 #include <utility>
 
-#include "base/bind.h"
-#include "base/callback.h"
 #include "base/lazy_instance.h"
 #include "base/location.h"
 #include "base/logging.h"
@@ -17,6 +16,7 @@
 #include "crypto/openssl_util.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_util.h"
+#include "net/log/net_log_with_source.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "third_party/boringssl/src/include/openssl/err.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
@@ -128,10 +128,9 @@ int MapOpenSSLErrorSSL(uint32_t error_code) {
   }
 }
 
-base::Value NetLogOpenSSLErrorCallback(int net_error,
-                                       int ssl_error,
-                                       const OpenSSLErrorInfo& error_info,
-                                       NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogOpenSSLErrorParams(int net_error,
+                                     int ssl_error,
+                                     const OpenSSLErrorInfo& error_info) {
   base::DictionaryValue dict;
   dict.SetInteger("net_error", net_error);
   dict.SetInteger("ssl_error", ssl_error);
@@ -210,12 +209,14 @@ int MapOpenSSLErrorWithDetails(int err,
   }
 }
 
-NetLogParametersCallback CreateNetLogOpenSSLErrorCallback(
-    int net_error,
-    int ssl_error,
-    const OpenSSLErrorInfo& error_info) {
-  return base::Bind(&NetLogOpenSSLErrorCallback,
-                    net_error, ssl_error, error_info);
+void NetLogOpenSSLError(const NetLogWithSource& net_log,
+                        NetLogEventType type,
+                        int net_error,
+                        int ssl_error,
+                        const OpenSSLErrorInfo& error_info) {
+  net_log.AddEvent(type, [&] {
+    return NetLogOpenSSLErrorParams(net_error, ssl_error, error_info);
+  });
 }
 
 int GetNetSSLVersion(SSL* ssl) {
diff --git a/chromium/net/ssl/openssl_ssl_util.h b/chromium/net/ssl/openssl_ssl_util.h
index e205d56d977..18c70403045 100644
--- a/chromium/net/ssl/openssl_ssl_util.h
+++ b/chromium/net/ssl/openssl_ssl_util.h
@@ -9,7 +9,7 @@
 
 #include "net/base/net_export.h"
 #include "net/cert/x509_certificate.h"
-#include "net/log/net_log_parameters_callback.h"
+#include "net/log/net_log_event_type.h"
 #include "third_party/boringssl/src/include/openssl/base.h"
 
 namespace crypto {
@@ -22,6 +22,8 @@ class Location;
 
 namespace net {
 
+class NetLogWithSource;
+
 // Puts a net error, |err|, on the error stack in OpenSSL. The file and line are
 // extracted from |posted_from|. The function code of the error is left as 0.
 void OpenSSLPutNetError(const base::Location& posted_from, int err);
@@ -68,11 +70,12 @@ int MapOpenSSLErrorWithDetails(int err,
                                const crypto::OpenSSLErrStackTracer& tracer,
                                OpenSSLErrorInfo* out_error_info);
 
-// Creates NetLog callback for an OpenSSL error.
-NetLogParametersCallback CreateNetLogOpenSSLErrorCallback(
-    int net_error,
-    int ssl_error,
-    const OpenSSLErrorInfo& error_info);
+// Logs an OpenSSL error to the NetLog.
+void NetLogOpenSSLError(const NetLogWithSource& net_log,
+                        NetLogEventType type,
+                        int net_error,
+                        int ssl_error,
+                        const OpenSSLErrorInfo& error_info);
 
 // Returns the net SSL version number (see ssl_connection_status_flags.h) for
 // this SSL connection.
diff --git a/chromium/net/ssl/ssl_client_session_cache.cc b/chromium/net/ssl/ssl_client_session_cache.cc
index 8729b84daec..da21c11510b 100644
--- a/chromium/net/ssl/ssl_client_session_cache.cc
+++ b/chromium/net/ssl/ssl_client_session_cache.cc
@@ -79,14 +79,6 @@ bssl::UniquePtr<SSL_SESSION> SSLClientSessionCache::Lookup(
   return session;
 }
 
-void SSLClientSessionCache::ResetLookupCount(const std::string& cache_key) {
-  // It's possible that the cached session for this key was deleted after the
-  // Lookup. If that's the case, don't do anything.
-  auto iter = cache_.Get(cache_key);
-  if (iter == cache_.end())
-    return;
-}
-
 void SSLClientSessionCache::Insert(const std::string& cache_key,
                                    bssl::UniquePtr<SSL_SESSION> session) {
   if (IsTLS13(session.get())) {
@@ -115,7 +107,11 @@ bool SSLClientSessionCache::IsExpired(SSL_SESSION* session, time_t now) {
   if (now < 0)
     return true;
   uint64_t now_u64 = static_cast<uint64_t>(now);
-  return now_u64 < SSL_SESSION_get_time(session) ||
+
+  // now_u64 may be slightly behind because of differences in how
+  // time is calculated at this layer versus BoringSSL.
+  // Add a second of wiggle room to account for this.
+  return now_u64 < SSL_SESSION_get_time(session) - 1 ||
          now_u64 >=
              SSL_SESSION_get_time(session) + SSL_SESSION_get_timeout(session);
 }
diff --git a/chromium/net/ssl/ssl_client_session_cache.h b/chromium/net/ssl/ssl_client_session_cache.h
index 2a372933eca..858dd61c7fd 100644
--- a/chromium/net/ssl/ssl_client_session_cache.h
+++ b/chromium/net/ssl/ssl_client_session_cache.h
@@ -53,10 +53,6 @@ class NET_EXPORT SSLClientSessionCache : public CertDatabase::Observer {
   // of the MRU list. Returns nullptr if there is none.
   bssl::UniquePtr<SSL_SESSION> Lookup(const std::string& cache_key);
 
-  // Resets the count returned by Lookup to 0 for the session associated with
-  // |cache_key|.
-  void ResetLookupCount(const std::string& cache_key);
-
   // Inserts |session| into the cache at |cache_key|. If there is an existing
   // one, it is released. Every |expiration_check_count| calls, the cache is
   // checked for stale entries.
diff --git a/chromium/net/ssl/ssl_client_session_cache_unittest.cc b/chromium/net/ssl/ssl_client_session_cache_unittest.cc
index 2fcb2563864..610c2f3ec92 100644
--- a/chromium/net/ssl/ssl_client_session_cache_unittest.cc
+++ b/chromium/net/ssl/ssl_client_session_cache_unittest.cc
@@ -350,7 +350,7 @@ TEST_F(SSLClientSessionCacheTest, LookupExpirationCheck) {
   EXPECT_EQ(1u, cache.size());
 
   // Sessions also are treated as expired if the clock rewinds.
-  clock->Advance(base::TimeDelta::FromSeconds(-1));
+  clock->Advance(base::TimeDelta::FromSeconds(-2));
   EXPECT_EQ(nullptr, cache.Lookup("key").get());
   EXPECT_EQ(0u, cache.size());
 }
diff --git a/chromium/net/ssl/ssl_config.cc b/chromium/net/ssl/ssl_config.cc
index bdcc43d32e2..4b1ce4c24ed 100644
--- a/chromium/net/ssl/ssl_config.cc
+++ b/chromium/net/ssl/ssl_config.cc
@@ -30,7 +30,8 @@ SSLConfig::SSLConfig()
       ignore_certificate_errors(false),
       disable_cert_verification_network_fetches(false),
       send_client_cert(false),
-      renego_allowed_default(false) {}
+      renego_allowed_default(false),
+      privacy_mode(PRIVACY_MODE_DISABLED) {}
 
 SSLConfig::SSLConfig(const SSLConfig& other) = default;
 
diff --git a/chromium/net/ssl/ssl_config.h b/chromium/net/ssl/ssl_config.h
index 7a23fc45936..44ea9fb18ad 100644
--- a/chromium/net/ssl/ssl_config.h
+++ b/chromium/net/ssl/ssl_config.h
@@ -9,6 +9,8 @@
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
+#include "net/base/privacy_mode.h"
 #include "net/cert/x509_certificate.h"
 #include "net/socket/next_proto.h"
 #include "net/ssl/ssl_private_key.h"
@@ -122,7 +124,7 @@ struct NET_EXPORT SSLConfig {
   bool send_client_cert;
 
   // The list of application level protocols supported with ALPN (Application
-  // Layer Protocol Negotation), in decreasing order of preference.  Protocols
+  // Layer Protocol Negotiation), in decreasing order of preference.  Protocols
   // will be advertised in this order during TLS handshake.
   NextProtoVector alpn_protos;
 
@@ -135,6 +137,20 @@ struct NET_EXPORT SSLConfig {
 
   scoped_refptr<X509Certificate> client_cert;
   scoped_refptr<SSLPrivateKey> client_private_key;
+
+  // If the PartitionSSLSessionsByNetworkIsolationKey feature is enabled, the
+  // session cache is partitioned by this value.
+  NetworkIsolationKey network_isolation_key;
+
+  // An additional boolean to partition the session cache by.
+  //
+  // TODO(https://crbug.com/775438, https://crbug.com/951205): This should
+  // additionally disable client certificates, once client certificate handling
+  // is moved into SSLClientContext. With client certificates are disabled, the
+  // current session cache partitioning behavior will be needed to correctly
+  // implement it. For now, it acts as an incomplete version of
+  // PartitionSSLSessionsByNetworkIsolationKey.
+  PrivacyMode privacy_mode;
 };
 
 }  // namespace net
diff --git a/chromium/net/ssl/ssl_handshake_details.h b/chromium/net/ssl/ssl_handshake_details.h
new file mode 100644
index 00000000000..a9a024f40a8
--- /dev/null
+++ b/chromium/net/ssl/ssl_handshake_details.h
@@ -0,0 +1,29 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SSL_SSL_HANDSHAKE_DETAILS_H_
+#define NET_SSL_SSL_HANDSHAKE_DETAILS_H_
+
+namespace net {
+
+// This enum is persisted into histograms. Values may not be renumbered.
+enum class SSLHandshakeDetails {
+  // TLS 1.2 (or earlier) full handshake (2-RTT)
+  kTLS12Full = 0,
+  // TLS 1.2 (or earlier) resumption (1-RTT)
+  kTLS12Resume = 1,
+  // TLS 1.2 full handshake with False Start (1-RTT)
+  kTLS12FalseStart = 2,
+  // TLS 1.3 full handshake (1-RTT, usually)
+  kTLS13Full = 3,
+  // TLS 1.3 resumption handshake (1-RTT, usually)
+  kTLS13Resume = 4,
+  // TLS 1.3 0-RTT handshake (0-RTT)
+  kTLS13Early = 5,
+  kMaxValue = kTLS13Early,
+};
+
+}  // namespace net
+
+#endif  // NET_SSL_SSL_HANDSHAKE_DETAILS_H_
diff --git a/chromium/net/ssl/ssl_platform_key_android_unittest.cc b/chromium/net/ssl/ssl_platform_key_android_unittest.cc
index bdad44ddb70..a09ebc23c54 100644
--- a/chromium/net/ssl/ssl_platform_key_android_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_android_unittest.cc
@@ -13,10 +13,10 @@
 #include "base/files/file_util.h"
 #include "net/android/keystore.h"
 #include "net/cert/x509_certificate.h"
+#include "net/net_test_jni_headers/AndroidKeyStoreTestUtil_jni.h"
 #include "net/ssl/ssl_private_key.h"
 #include "net/ssl/ssl_private_key_test_util.h"
 #include "net/test/cert_test_util.h"
-#include "net/test/jni/AndroidKeyStoreTestUtil_jni.h"
 #include "net/test/test_data_directory.h"
 #include "net/test/test_with_scoped_task_environment.h"
 #include "testing/gtest/include/gtest/gtest.h"
diff --git a/chromium/net/ssl/ssl_platform_key_util.h b/chromium/net/ssl/ssl_platform_key_util.h
index eaf9ccc3501..02729fecba7 100644
--- a/chromium/net/ssl/ssl_platform_key_util.h
+++ b/chromium/net/ssl/ssl_platform_key_util.h
@@ -25,7 +25,8 @@ class X509Certificate;
 // background thread to avoid problems with buggy smartcards. Its underlying
 // Thread is non-joinable and as such provides
 // TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN semantics.
-scoped_refptr<base::SingleThreadTaskRunner> GetSSLPlatformKeyTaskRunner();
+NET_EXPORT_PRIVATE scoped_refptr<base::SingleThreadTaskRunner>
+GetSSLPlatformKeyTaskRunner();
 
 // Returns the public key of |certificate| as an |EVP_PKEY| or nullptr on error.
 bssl::UniquePtr<EVP_PKEY> GetClientCertPublicKey(
diff --git a/chromium/net/ssl/ssl_server_config.h b/chromium/net/ssl/ssl_server_config.h
index 5ae81d460d9..01bd03908c1 100644
--- a/chromium/net/ssl/ssl_server_config.h
+++ b/chromium/net/ssl/ssl_server_config.h
@@ -10,6 +10,7 @@
 #include <vector>
 
 #include "net/base/net_export.h"
+#include "net/socket/next_proto.h"
 #include "net/ssl/ssl_config.h"
 
 namespace net {
@@ -81,6 +82,11 @@ struct NET_EXPORT SSLServerConfig {
   // This field is meaningful only if client certificates are requested.
   // If a verifier is not provided then all certificates are accepted.
   ClientCertVerifier* client_cert_verifier;
+
+  // The list of application level protocols supported with ALPN (Application
+  // Layer Protocol Negotiation), in decreasing order of preference.  Protocols
+  // will be advertised in this order during TLS handshake.
+  NextProtoVector alpn_protos;
 };
 
 }  // namespace net
diff --git a/chromium/net/ssl/test_ssl_private_key.h b/chromium/net/ssl/test_ssl_private_key.h
index 2fa6c1a2a55..2201594885c 100644
--- a/chromium/net/ssl/test_ssl_private_key.h
+++ b/chromium/net/ssl/test_ssl_private_key.h
@@ -6,7 +6,6 @@
 #define NET_SSL_TEST_SSL_PRIVATE_KEY_H_
 
 #include "base/memory/ref_counted.h"
-#include "net/base/net_export.h"
 #include "third_party/boringssl/src/include/openssl/base.h"
 
 namespace crypto {
@@ -19,11 +18,11 @@ class SSLPrivateKey;
 
 // Returns a new SSLPrivateKey which uses |key| for signing operations or
 // nullptr on error.
-NET_EXPORT scoped_refptr<SSLPrivateKey> WrapOpenSSLPrivateKey(
+scoped_refptr<SSLPrivateKey> WrapOpenSSLPrivateKey(
     bssl::UniquePtr<EVP_PKEY> key);
-NET_EXPORT scoped_refptr<SSLPrivateKey> WrapRSAPrivateKey(
+scoped_refptr<SSLPrivateKey> WrapRSAPrivateKey(
     crypto::RSAPrivateKey* rsa_private_key);
-NET_EXPORT scoped_refptr<SSLPrivateKey> CreateFailSigningSSLPrivateKey();
+scoped_refptr<SSLPrivateKey> CreateFailSigningSSLPrivateKey();
 
 }  // namespace net
 
diff --git a/chromium/net/ssl/threaded_ssl_private_key.cc b/chromium/net/ssl/threaded_ssl_private_key.cc
index 67597609f77..df24528c8ed 100644
--- a/chromium/net/ssl/threaded_ssl_private_key.cc
+++ b/chromium/net/ssl/threaded_ssl_private_key.cc
@@ -53,8 +53,7 @@ ThreadedSSLPrivateKey::ThreadedSSLPrivateKey(
     std::unique_ptr<ThreadedSSLPrivateKey::Delegate> delegate,
     scoped_refptr<base::SingleThreadTaskRunner> task_runner)
     : core_(new Core(std::move(delegate))),
-      task_runner_(std::move(task_runner)),
-      weak_factory_(this) {}
+      task_runner_(std::move(task_runner)) {}
 
 std::string ThreadedSSLPrivateKey::GetProviderName() {
   return core_->delegate()->GetProviderName();
diff --git a/chromium/net/ssl/threaded_ssl_private_key.h b/chromium/net/ssl/threaded_ssl_private_key.h
index 87dd94a8456..a769331c980 100644
--- a/chromium/net/ssl/threaded_ssl_private_key.h
+++ b/chromium/net/ssl/threaded_ssl_private_key.h
@@ -15,6 +15,7 @@
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/weak_ptr.h"
+#include "net/base/net_export.h"
 #include "net/ssl/ssl_private_key.h"
 
 namespace base {
@@ -25,7 +26,7 @@ namespace net {
 
 // An SSLPrivateKey implementation which offloads key operations to a background
 // task runner.
-class ThreadedSSLPrivateKey : public SSLPrivateKey {
+class NET_EXPORT ThreadedSSLPrivateKey : public SSLPrivateKey {
  public:
   // Interface for consumers to implement to perform the actual signing
   // operation.
@@ -81,7 +82,7 @@ class ThreadedSSLPrivateKey : public SSLPrivateKey {
 
   scoped_refptr<Core> core_;
   scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
-  base::WeakPtrFactory<ThreadedSSLPrivateKey> weak_factory_;
+  base::WeakPtrFactory<ThreadedSSLPrivateKey> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ThreadedSSLPrivateKey);
 };
diff --git a/chromium/net/test/android/javatests/AndroidManifest.xml b/chromium/net/test/android/javatests/AndroidManifest.xml
index 4f0a46e7395..22916853e94 100644
--- a/chromium/net/test/android/javatests/AndroidManifest.xml
+++ b/chromium/net/test/android/javatests/AndroidManifest.xml
@@ -8,7 +8,6 @@
     xmlns:tools="http://schemas.android.com/tools"
     package="org.chromium.net.test.support">
 
-    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="23" />
     <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
     <uses-permission android:name="android.permission.INTERNET"/>
 
diff --git a/chromium/net/test/embedded_test_server/android/embedded_test_server_android.cc b/chromium/net/test/embedded_test_server/android/embedded_test_server_android.cc
index 6f6431e1a3a..99571e16ba0 100644
--- a/chromium/net/test/embedded_test_server/android/embedded_test_server_android.cc
+++ b/chromium/net/test/embedded_test_server/android/embedded_test_server_android.cc
@@ -11,7 +11,7 @@
 #include "base/files/file_path.h"
 #include "base/test/test_support_android.h"
 #include "base/trace_event/trace_event.h"
-#include "net/test/jni/EmbeddedTestServerImpl_jni.h"
+#include "net/net_test_jni_headers/EmbeddedTestServerImpl_jni.h"
 
 using base::android::JavaParamRef;
 using base::android::JavaRef;
@@ -156,6 +156,10 @@ static void JNI_EmbeddedTestServerImpl_Init(
   base::FilePath test_data_dir(
       base::android::ConvertJavaStringToUTF8(env, jtest_data_dir));
   base::InitAndroidTestPaths(test_data_dir);
+
+  // Bare new does not leak here because the instance deletes itself when it
+  // receives a Destroy() call its Java counterpart. The Java counterpart owns
+  // the instance created here.
   new EmbeddedTestServerAndroid(env, jobj, jhttps);
 }
 
diff --git a/chromium/net/test/embedded_test_server/controllable_http_response.cc b/chromium/net/test/embedded_test_server/controllable_http_response.cc
index bb509015cf5..e7470f2bf71 100644
--- a/chromium/net/test/embedded_test_server/controllable_http_response.cc
+++ b/chromium/net/test/embedded_test_server/controllable_http_response.cc
@@ -45,8 +45,7 @@ class ControllableHttpResponse::Interceptor : public HttpResponse {
 ControllableHttpResponse::ControllableHttpResponse(
     EmbeddedTestServer* embedded_test_server,
     const std::string& relative_url,
-    bool relative_url_is_prefix)
-    : weak_ptr_factory_(this) {
+    bool relative_url_is_prefix) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   embedded_test_server->RegisterRequestHandler(base::BindRepeating(
       RequestHandler, weak_ptr_factory_.GetWeakPtr(),
diff --git a/chromium/net/test/embedded_test_server/controllable_http_response.h b/chromium/net/test/embedded_test_server/controllable_http_response.h
index efb23fda7e2..22406a70056 100644
--- a/chromium/net/test/embedded_test_server/controllable_http_response.h
+++ b/chromium/net/test/embedded_test_server/controllable_http_response.h
@@ -88,7 +88,7 @@ class ControllableHttpResponse {
 
   SEQUENCE_CHECKER(sequence_checker_);
 
-  base::WeakPtrFactory<ControllableHttpResponse> weak_ptr_factory_;
+  base::WeakPtrFactory<ControllableHttpResponse> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ControllableHttpResponse);
 };
diff --git a/chromium/net/test/embedded_test_server/default_handlers.cc b/chromium/net/test/embedded_test_server/default_handlers.cc
index 58151d3cda0..fc81c976020 100644
--- a/chromium/net/test/embedded_test_server/default_handlers.cc
+++ b/chromium/net/test/embedded_test_server/default_handlers.cc
@@ -52,23 +52,23 @@ std::unique_ptr<HttpResponse> HandleDefaultConnect(const HttpRequest& request) {
   if (request.method != METHOD_CONNECT)
     return nullptr;
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_code(HTTP_BAD_REQUEST);
   http_response->set_content(
       "Your client has issued a malformed or illegal request.");
   http_response->set_content_type("text/html");
-  return std::move(http_response);
+  return http_response;
 }
 
 // /cachetime
 // Returns a cacheable response.
 std::unique_ptr<HttpResponse> HandleCacheTime(const HttpRequest& request) {
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content(
       "<html><head><title>Cache: max-age=60</title></head></html>");
   http_response->set_content_type("text/html");
   http_response->AddCustomHeader("Cache-Control", "max-age=60");
-  return std::move(http_response);
+  return http_response;
 }
 
 // /echoheader?HEADERS | /echoheadercache?HEADERS
@@ -80,7 +80,7 @@ std::unique_ptr<HttpResponse> HandleEchoHeader(const std::string& url,
   if (!ShouldHandle(request, url))
     return nullptr;
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
 
   GURL request_url = request.GetURL();
   std::string vary;
@@ -103,14 +103,14 @@ std::unique_ptr<HttpResponse> HandleEchoHeader(const std::string& url,
   http_response->set_content(content);
   http_response->set_content_type("text/plain");
   http_response->AddCustomHeader("Cache-Control", cache_control);
-  return std::move(http_response);
+  return http_response;
 }
 
 // /echo?status=STATUS
 // Responds with the request body as the response body and
 // a status code of STATUS.
 std::unique_ptr<HttpResponse> HandleEcho(const HttpRequest& request) {
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
 
   GURL request_url = request.GetURL();
   if (request_url.has_query()) {
@@ -125,17 +125,17 @@ std::unique_ptr<HttpResponse> HandleEcho(const HttpRequest& request) {
     http_response->set_content("Echo");
   else
     http_response->set_content(request.content);
-  return std::move(http_response);
+  return http_response;
 }
 
 // /echotitle
 // Responds with the request body as the title.
 std::unique_ptr<HttpResponse> HandleEchoTitle(const HttpRequest& request) {
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content_type("text/html");
   http_response->set_content("<html><head><title>" + request.content +
                              "</title></head></html>");
-  return std::move(http_response);
+  return http_response;
 }
 
 // /echoall?QUERY
@@ -144,7 +144,7 @@ std::unique_ptr<HttpResponse> HandleEchoTitle(const HttpRequest& request) {
 // Alternative form:
 // /echoall/nocache?QUERY prevents caching of the response.
 std::unique_ptr<HttpResponse> HandleEchoAll(const HttpRequest& request) {
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
 
   std::string body =
       "<html><head><title>EmbeddedTestServer - EchoAll</title><style>"
@@ -163,7 +163,7 @@ std::unique_ptr<HttpResponse> HandleEchoAll(const HttpRequest& request) {
 
   body +=
       "</pre>"
-      "<h1>Request Headers:</h1><pre>" +
+      "<h1>Request Headers:</h1><pre id='request-headers'>" +
       request.all_headers + "</pre>" +
       "<h1>Response nonce:</h1><pre id='response-nonce'>" +
       base::UnguessableToken::Create().ToString() + "</pre></body></html>";
@@ -177,7 +177,7 @@ std::unique_ptr<HttpResponse> HandleEchoAll(const HttpRequest& request) {
                                    "no-cache, no-store, must-revalidate");
   }
 
-  return std::move(http_response);
+  return http_response;
 }
 
 // /echo-raw
@@ -189,7 +189,7 @@ std::unique_ptr<HttpResponse> HandleEchoRaw(const HttpRequest& request) {
 // /set-cookie?COOKIES
 // Sets response cookies to be COOKIES.
 std::unique_ptr<HttpResponse> HandleSetCookie(const HttpRequest& request) {
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content_type("text/html");
   std::string content;
   GURL request_url = request.GetURL();
@@ -203,7 +203,23 @@ std::unique_ptr<HttpResponse> HandleSetCookie(const HttpRequest& request) {
   }
 
   http_response->set_content(content);
-  return std::move(http_response);
+  return http_response;
+}
+
+// /set-invalid-cookie
+// Sets invalid response cookies "\x01" (chosen via fuzzer to not be a parsable
+// cookie).
+std::unique_ptr<HttpResponse> HandleSetInvalidCookie(
+    const HttpRequest& request) {
+  auto http_response = std::make_unique<BasicHttpResponse>();
+  http_response->set_content_type("text/html");
+  std::string content;
+  GURL request_url = request.GetURL();
+
+  http_response->AddCustomHeader("Set-Cookie", "\x01");
+
+  http_response->set_content("TEST");
+  return http_response;
 }
 
 // /set-many-cookies?N
@@ -216,7 +232,7 @@ std::unique_ptr<HttpResponse> HandleSetManyCookies(const HttpRequest& request) {
   if (request_url.has_query())
     num = std::atoi(request_url.query().c_str());
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content_type("text/html");
   for (size_t i = 0; i < num; ++i) {
     http_response->AddCustomHeader("Set-Cookie", "a=");
@@ -224,7 +240,7 @@ std::unique_ptr<HttpResponse> HandleSetManyCookies(const HttpRequest& request) {
 
   http_response->set_content(
       base::StringPrintf("%" PRIuS " cookies were sent", num));
-  return std::move(http_response);
+  return http_response;
 }
 
 // /expect-and-set-cookie?expect=EXPECTED&set=SET&data=DATA
@@ -253,7 +269,7 @@ std::unique_ptr<HttpResponse> HandleExpectAndSetCookie(
     }
   }
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content_type("text/html");
   if (got_all_expected) {
     for (const auto& cookie : query_list.at("set")) {
@@ -270,7 +286,7 @@ std::unique_ptr<HttpResponse> HandleExpectAndSetCookie(
   }
 
   http_response->set_content(content);
-  return std::move(http_response);
+  return http_response;
 }
 
 // /set-header?HEADERS
@@ -280,7 +296,7 @@ std::unique_ptr<HttpResponse> HandleSetHeader(const HttpRequest& request) {
 
   GURL request_url = request.GetURL();
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content_type("text/html");
   if (request_url.has_query()) {
     RequestQuery headers = ParseQuery(request_url);
@@ -296,22 +312,21 @@ std::unique_ptr<HttpResponse> HandleSetHeader(const HttpRequest& request) {
   }
 
   http_response->set_content(content);
-  return std::move(http_response);
+  return http_response;
 }
 
 // /nocontent
 // Returns a NO_CONTENT response.
 std::unique_ptr<HttpResponse> HandleNoContent(const HttpRequest& request) {
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_code(HTTP_NO_CONTENT);
-  return std::move(http_response);
+  return http_response;
 }
 
 // /close-socket
 // Immediately closes the connection.
 std::unique_ptr<HttpResponse> HandleCloseSocket(const HttpRequest& request) {
-  std::unique_ptr<RawHttpResponse> http_response(new RawHttpResponse("", ""));
-  return std::move(http_response);
+  return std::make_unique<RawHttpResponse>("", "");
 }
 
 // /auth-basic?password=PASS&realm=REALM
@@ -358,7 +373,7 @@ std::unique_ptr<HttpResponse> HandleAuthBasic(const HttpRequest& request) {
     }
   }
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   if (!authed) {
     http_response->set_code(HTTP_UNAUTHORIZED);
     http_response->set_content_type("text/html");
@@ -366,13 +381,16 @@ std::unique_ptr<HttpResponse> HandleAuthBasic(const HttpRequest& request) {
                                    "Basic realm=\"" + realm + "\"");
     if (query.find("set-cookie-if-challenged") != query.end())
       http_response->AddCustomHeader("Set-Cookie", "got_challenged=true");
+    if (query.find("set-secure-cookie-if-challenged") != query.end())
+      http_response->AddCustomHeader("Set-Cookie",
+                                     "got_challenged=true;Secure");
     http_response->set_content(base::StringPrintf(
         "<html><head><title>Denied: %s</title></head>"
         "<body>auth=%s<p>b64str=%s<p>username: %s<p>userpass: %s<p>"
         "password: %s<p>You sent:<br>%s<p></body></html>",
         error.c_str(), auth.c_str(), b64str.c_str(), username.c_str(),
         userpass.c_str(), password.c_str(), request.all_headers.c_str()));
-    return std::move(http_response);
+    return http_response;
   }
 
   if (query.find("set-cookie-if-not-challenged") != query.end())
@@ -381,7 +399,7 @@ std::unique_ptr<HttpResponse> HandleAuthBasic(const HttpRequest& request) {
   if (request.headers.find("If-None-Match") != request.headers.end() &&
       request.headers.at("If-None-Match") == kEtag) {
     http_response->set_code(HTTP_NOT_MODIFIED);
-    return std::move(http_response);
+    return http_response;
   }
 
   base::FilePath file_path =
@@ -405,7 +423,7 @@ std::unique_ptr<HttpResponse> HandleAuthBasic(const HttpRequest& request) {
 
   http_response->AddCustomHeader("Cache-Control", "max-age=60000");
   http_response->AddCustomHeader("Etag", kEtag);
-  return std::move(http_response);
+  return http_response;
 }
 
 // /auth-digest
@@ -478,7 +496,7 @@ std::unique_ptr<HttpResponse> HandleAuthDigest(const HttpRequest& request) {
     }
   }
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   if (!authed) {
     http_response->set_code(HTTP_UNAUTHORIZED);
     http_response->set_content_type("text/html");
@@ -494,7 +512,7 @@ std::unique_ptr<HttpResponse> HandleAuthDigest(const HttpRequest& request) {
         "You sent:<br>%s<p>We are replying:<br>%s<p></body></html>",
         error.c_str(), auth.c_str(), request.all_headers.c_str(),
         auth_header.c_str()));
-    return std::move(http_response);
+    return http_response;
   }
 
   http_response->set_content_type("text/html");
@@ -503,7 +521,7 @@ std::unique_ptr<HttpResponse> HandleAuthDigest(const HttpRequest& request) {
                          "<body>auth=%s<p></body></html>",
                          username.c_str(), password.c_str(), auth.c_str()));
 
-  return std::move(http_response);
+  return http_response;
 }
 
 // /server-redirect?URL (Also /server-redirect-xxx?URL)
@@ -514,14 +532,14 @@ std::unique_ptr<HttpResponse> HandleServerRedirect(HttpStatusCode redirect_code,
   std::string dest = UnescapeBinaryURLComponent(request_url.query_piece());
   RequestQuery query = ParseQuery(request_url);
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_code(redirect_code);
   http_response->AddCustomHeader("Location", dest);
   http_response->set_content_type("text/html");
   http_response->set_content(base::StringPrintf(
       "<html><head></head><body>Redirecting to %s</body></html>",
       dest.c_str()));
-  return std::move(http_response);
+  return http_response;
 }
 // /server-redirect-with-cookie?URL
 // Returns a server redirect to URL, and sets the cookie server-redirect=true.
@@ -532,7 +550,7 @@ std::unique_ptr<HttpResponse> HandleServerRedirectWithCookie(
   std::string dest = UnescapeBinaryURLComponent(request_url.query_piece());
   RequestQuery query = ParseQuery(request_url);
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_code(redirect_code);
   http_response->AddCustomHeader("Location", dest);
   http_response->AddCustomHeader("Set-Cookie", "server-redirect=true");
@@ -540,7 +558,28 @@ std::unique_ptr<HttpResponse> HandleServerRedirectWithCookie(
   http_response->set_content(base::StringPrintf(
       "<html><head></head><body>Redirecting to %s</body></html>",
       dest.c_str()));
-  return std::move(http_response);
+  return http_response;
+}
+
+// /server-redirect-with-secure-cookie?URL
+// Returns a server redirect to URL, and sets the cookie
+// server-redirect=true;Secure.
+std::unique_ptr<HttpResponse> HandleServerRedirectWithSecureCookie(
+    HttpStatusCode redirect_code,
+    const HttpRequest& request) {
+  GURL request_url = request.GetURL();
+  std::string dest = UnescapeBinaryURLComponent(request_url.query_piece());
+  RequestQuery query = ParseQuery(request_url);
+
+  auto http_response = std::make_unique<BasicHttpResponse>();
+  http_response->set_code(redirect_code);
+  http_response->AddCustomHeader("Location", dest);
+  http_response->AddCustomHeader("Set-Cookie", "server-redirect=true;Secure");
+  http_response->set_content_type("text/html");
+  http_response->set_content(base::StringPrintf(
+      "<html><head></head><body>Redirecting to %s</body></html>",
+      dest.c_str()));
+  return http_response;
 }
 
 // /cross-site?URL
@@ -562,14 +601,14 @@ std::unique_ptr<HttpResponse> HandleCrossSiteRedirect(
         dest_all.substr(delimiter + 1).c_str());
   }
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_code(HTTP_MOVED_PERMANENTLY);
   http_response->AddCustomHeader("Location", dest);
   http_response->set_content_type("text/html");
   http_response->set_content(base::StringPrintf(
       "<html><head></head><body>Redirecting to %s</body></html>",
       dest.c_str()));
-  return std::move(http_response);
+  return http_response;
 }
 
 // /client-redirect?URL
@@ -578,24 +617,24 @@ std::unique_ptr<HttpResponse> HandleClientRedirect(const HttpRequest& request) {
   GURL request_url = request.GetURL();
   std::string dest = UnescapeBinaryURLComponent(request_url.query_piece());
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content_type("text/html");
   http_response->set_content(base::StringPrintf(
       "<html><head><meta http-equiv=\"refresh\" content=\"0;url=%s\"></head>"
       "<body>Redirecting to %s</body></html>",
       dest.c_str(), dest.c_str()));
-  return std::move(http_response);
+  return http_response;
 }
 
 // /defaultresponse
 // Returns a valid 200 response.
 std::unique_ptr<HttpResponse> HandleDefaultResponse(
     const HttpRequest& request) {
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content_type("text/html");
   http_response->set_content("Default response given for path: " +
                              request.relative_url);
-  return std::move(http_response);
+  return http_response;
 }
 
 // /slow?N
@@ -607,11 +646,11 @@ std::unique_ptr<HttpResponse> HandleSlowServer(const HttpRequest& request) {
   if (request_url.has_query())
     delay = std::atof(request_url.query().c_str());
 
-  std::unique_ptr<BasicHttpResponse> http_response(
-      new DelayedHttpResponse(base::TimeDelta::FromSecondsD(delay)));
+  auto http_response = std::make_unique<DelayedHttpResponse>(
+      base::TimeDelta::FromSecondsD(delay));
   http_response->set_content_type("text/plain");
   http_response->set_content(base::StringPrintf("waited %.1f seconds", delay));
-  return std::move(http_response);
+  return http_response;
 }
 
 // Never returns a response.
@@ -707,11 +746,11 @@ std::unique_ptr<HttpResponse> HandleGzipBody(const HttpRequest& request) {
   // CompressGzip should DCHECK itself if this fails, anyways.
   DCHECK_GE(compressed_body.size(), compressed_size);
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_content(
       std::string(compressed_body.data(), compressed_size));
   http_response->AddCustomHeader("Content-Encoding", "gzip");
-  return std::move(http_response);
+  return http_response;
 }
 
 // /self.pac
@@ -725,7 +764,7 @@ std::unique_ptr<HttpResponse> HandleSelfPac(const HttpRequest& request) {
       "return 'PROXY %s';\n"
       "}",
       net::HostPortPair::FromURL(request.base_url).ToString().c_str()));
-  return std::move(http_response);
+  return http_response;
 }
 
 }  // anonymous namespace
@@ -754,6 +793,8 @@ void RegisterDefaultHandlers(EmbeddedTestServer* server) {
   server->RegisterDefaultHandler(
       PREFIXED_HANDLER("/set-cookie", &HandleSetCookie));
   server->RegisterDefaultHandler(
+      PREFIXED_HANDLER("/set-invalid-cookie", &HandleSetInvalidCookie));
+  server->RegisterDefaultHandler(
       PREFIXED_HANDLER("/set-many-cookies", &HandleSetManyCookies));
   server->RegisterDefaultHandler(
       PREFIXED_HANDLER("/expect-and-set-cookie", &HandleExpectAndSetCookie));
@@ -784,6 +825,9 @@ void RegisterDefaultHandlers(EmbeddedTestServer* server) {
   server->RegisterDefaultHandler(SERVER_REDIRECT_HANDLER(
       "/server-redirect-with-cookie", &HandleServerRedirectWithCookie,
       HTTP_MOVED_PERMANENTLY));
+  server->RegisterDefaultHandler(SERVER_REDIRECT_HANDLER(
+      "/server-redirect-with-secure-cookie",
+      &HandleServerRedirectWithSecureCookie, HTTP_MOVED_PERMANENTLY));
 
   server->RegisterDefaultHandler(
       base::BindRepeating(&HandleCrossSiteRedirect, server));
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server.cc b/chromium/net/test/embedded_test_server/embedded_test_server.cc
index b836e21d87c..6ebe322c577 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server.cc
+++ b/chromium/net/test/embedded_test_server/embedded_test_server.cc
@@ -11,13 +11,13 @@
 #include "base/files/file_util.h"
 #include "base/location.h"
 #include "base/logging.h"
-#include "base/message_loop/message_loop.h"
 #include "base/message_loop/message_loop_current.h"
 #include "base/path_service.h"
 #include "base/process/process_metrics.h"
 #include "base/run_loop.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "crypto/rsa_private_key.h"
@@ -50,8 +50,7 @@ EmbeddedTestServer::EmbeddedTestServer(Type type)
     : is_using_ssl_(type == TYPE_HTTPS),
       connection_listener_(nullptr),
       port_(0),
-      cert_(CERT_OK),
-      weak_factory_(this) {
+      cert_(CERT_OK) {
   DCHECK(thread_checker_.CalledOnValidThread());
 
   if (!is_using_ssl_)
@@ -110,7 +109,7 @@ bool EmbeddedTestServer::InitializeAndListen(int port) {
       return false;
     }
 
-    listen_socket_.reset(new TCPServerSocket(nullptr, NetLogSource()));
+    listen_socket_ = std::make_unique<TCPServerSocket>(nullptr, NetLogSource());
 
     int result =
         listen_socket_->ListenWithAddressAndPort("127.0.0.1", port, 10);
@@ -175,8 +174,8 @@ void EmbeddedTestServer::StartAcceptingConnections() {
   DCHECK(!io_thread_.get())
       << "Server must not be started while server is running";
   base::Thread::Options thread_options;
-  thread_options.message_loop_type = base::MessageLoop::TYPE_IO;
-  io_thread_.reset(new base::Thread("EmbeddedTestServer IO Thread"));
+  thread_options.message_loop_type = base::MessagePump::Type::IO;
+  io_thread_ = std::make_unique<base::Thread>("EmbeddedTestServer IO Thread");
   CHECK(io_thread_->StartWithOptions(thread_options));
   CHECK(io_thread_->WaitUntilThreadStarted());
 
@@ -237,8 +236,7 @@ void EmbeddedTestServer::HandleRequest(HttpConnection* connection,
   if (!response) {
     LOG(WARNING) << "Request not handled. Returning 404: "
                  << request->relative_url;
-    std::unique_ptr<BasicHttpResponse> not_found_response(
-        new BasicHttpResponse);
+    auto not_found_response = std::make_unique<BasicHttpResponse>();
     not_found_response->set_code(HTTP_NOT_FOUND);
     response = std::move(not_found_response);
   }
@@ -503,14 +501,14 @@ bool EmbeddedTestServer::PostTaskToIOThreadAndWait(
   // base::ThreadTaskRunnerHandle::Get() to return a task runner for posting
   // the reply task. However, in order to make EmbeddedTestServer universally
   // usable, it needs to cope with the situation where it's running on a thread
-  // on which a message loop is not (yet) available or as has been destroyed
+  // on which a task executor is not (yet) available or as has been destroyed
   // already.
   //
-  // To handle this situation, create temporary message loop to support the
-  // PostTaskAndReply operation if the current thread has no message loop.
-  std::unique_ptr<base::MessageLoop> temporary_loop;
+  // To handle this situation, create temporary task executor to support the
+  // PostTaskAndReply operation if the current thread has no task executor.
+  std::unique_ptr<base::SingleThreadTaskExecutor> temporary_loop;
   if (!base::MessageLoopCurrent::Get())
-    temporary_loop.reset(new base::MessageLoop());
+    temporary_loop = std::make_unique<base::SingleThreadTaskExecutor>();
 
   base::RunLoop run_loop;
   if (!io_thread_->task_runner()->PostTaskAndReply(FROM_HERE, closure,
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server.h b/chromium/net/test/embedded_test_server/embedded_test_server.h
index e758c06c609..cb41613711f 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server.h
+++ b/chromium/net/test/embedded_test_server/embedded_test_server.h
@@ -50,7 +50,7 @@ struct HttpRequest;
 // The common use case for unit tests is below:
 //
 // void SetUp() {
-//   test_server_.reset(new EmbeddedTestServer());
+//   test_server_ = std::make_unique<EmbeddedTestServer>();
 //   test_server_->RegisterRequestHandler(
 //       base::Bind(&FooTest::HandleRequest, base::Unretained(this)));
 //   ASSERT_TRUE(test_server_.Start());
@@ -61,7 +61,7 @@ struct HttpRequest;
 //   if (absolute_url.path() != "/test")
 //     return std::unique_ptr<HttpResponse>();
 //
-//   std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse());
+//   auto http_response = std::make_unique<BasicHttpResponse>();
 //   http_response->set_code(net::HTTP_OK);
 //   http_response->set_content("hello");
 //   http_response->set_content_type("text/plain");
@@ -319,7 +319,7 @@ class EmbeddedTestServer {
   ServerCertificate cert_;
   std::unique_ptr<SSLServerContext> context_;
 
-  base::WeakPtrFactory<EmbeddedTestServer> weak_factory_;
+  base::WeakPtrFactory<EmbeddedTestServer> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(EmbeddedTestServer);
 };
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc b/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
index 85155ca1615..52bae82d017 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
+++ b/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
@@ -84,7 +84,7 @@ class TestConnectionListener
   void AcceptedSocket(const net::StreamSocket& connection) override {
     base::AutoLock lock(lock_);
     ++socket_accepted_count_;
-    task_runner_->PostTask(FROM_HERE, accept_loop_.QuitClosure());
+    accept_loop_.Quit();
   }
 
   // Get called from the EmbeddedTestServer thread to be notified that
@@ -133,10 +133,10 @@ class EmbeddedTestServerTest
     thread_options.message_loop_type = base::MessageLoop::TYPE_IO;
     ASSERT_TRUE(io_thread_.StartWithOptions(thread_options));
 
-    request_context_getter_ =
-        new TestURLRequestContextGetter(io_thread_.task_runner());
+    request_context_getter_ = base::MakeRefCounted<TestURLRequestContextGetter>(
+        io_thread_.task_runner());
 
-    server_.reset(new EmbeddedTestServer(GetParam()));
+    server_ = std::make_unique<EmbeddedTestServer>(GetParam());
     server_->SetConnectionListener(&connection_listener_);
   }
 
@@ -173,11 +173,11 @@ class EmbeddedTestServerTest
     request_absolute_url_ = request.GetURL();
 
     if (request_absolute_url_.path() == path) {
-      std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+      auto http_response = std::make_unique<BasicHttpResponse>();
       http_response->set_code(code);
       http_response->set_content(content);
       http_response->set_content_type(content_type);
-      return std::move(http_response);
+      return http_response;
     }
 
     return nullptr;
@@ -412,7 +412,7 @@ class CancelRequestDelegate : public TestDelegate {
 
 class InfiniteResponse : public BasicHttpResponse {
  public:
-  InfiniteResponse() : weak_ptr_factory_(this) {}
+  InfiniteResponse() {}
 
   void SendResponse(const SendBytesCallback& send,
                     const SendCompleteCallback& done) override {
@@ -430,7 +430,7 @@ class InfiniteResponse : public BasicHttpResponse {
                                   weak_ptr_factory_.GetWeakPtr(), send)));
   }
 
-  base::WeakPtrFactory<InfiniteResponse> weak_ptr_factory_;
+  base::WeakPtrFactory<InfiniteResponse> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(InfiniteResponse);
 };
@@ -533,7 +533,7 @@ class EmbeddedTestServerThreadingTestDelegate
 
     std::unique_ptr<base::MessageLoop> loop;
     if (message_loop_present_on_initialize_)
-      loop.reset(new base::MessageLoopForIO);
+      loop = std::make_unique<base::MessageLoopForIO>();
 
     // Create the test server instance.
     EmbeddedTestServer server(type_);
@@ -543,13 +543,14 @@ class EmbeddedTestServerThreadingTestDelegate
 
     // Make a request and wait for the reply.
     if (!loop)
-      loop.reset(new base::MessageLoopForIO);
+      loop = std::make_unique<base::MessageLoopForIO>();
 
     std::unique_ptr<URLFetcher> fetcher =
         URLFetcher::Create(server.GetURL("/test?q=foo"), URLFetcher::GET, this,
                            TRAFFIC_ANNOTATION_FOR_TESTS);
-    fetcher->SetRequestContext(
-        new TestURLRequestContextGetter(loop->task_runner()));
+    auto test_context_getter =
+        base::MakeRefCounted<TestURLRequestContextGetter>(loop->task_runner());
+    fetcher->SetRequestContext(test_context_getter.get());
     base::RunLoop run_loop;
     quit_run_loop_ = run_loop.QuitClosure();
     fetcher->Start();
diff --git a/chromium/net/test/embedded_test_server/http_connection.cc b/chromium/net/test/embedded_test_server/http_connection.cc
index 8d30091f451..9318607519b 100644
--- a/chromium/net/test/embedded_test_server/http_connection.cc
+++ b/chromium/net/test/embedded_test_server/http_connection.cc
@@ -18,8 +18,7 @@ HttpConnection::HttpConnection(std::unique_ptr<StreamSocket> socket,
                                const HandleRequestCallback& callback)
     : socket_(std::move(socket)),
       callback_(callback),
-      read_buf_(base::MakeRefCounted<IOBufferWithSize>(4096)),
-      weak_factory_(this) {}
+      read_buf_(base::MakeRefCounted<IOBufferWithSize>(4096)) {}
 
 HttpConnection::~HttpConnection() {
   weak_factory_.InvalidateWeakPtrs();
diff --git a/chromium/net/test/embedded_test_server/http_connection.h b/chromium/net/test/embedded_test_server/http_connection.h
index bbf03984695..041cea53028 100644
--- a/chromium/net/test/embedded_test_server/http_connection.h
+++ b/chromium/net/test/embedded_test_server/http_connection.h
@@ -66,7 +66,7 @@ class HttpConnection {
   HttpRequestParser request_parser_;
   scoped_refptr<IOBufferWithSize> read_buf_;
 
-  base::WeakPtrFactory<HttpConnection> weak_factory_;
+  base::WeakPtrFactory<HttpConnection> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(HttpConnection);
 };
diff --git a/chromium/net/test/embedded_test_server/http_request.cc b/chromium/net/test/embedded_test_server/http_request.cc
index a714157d8ae..7938d874197 100644
--- a/chromium/net/test/embedded_test_server/http_request.cc
+++ b/chromium/net/test/embedded_test_server/http_request.cc
@@ -45,11 +45,10 @@ GURL HttpRequest::GetURL() const {
 }
 
 HttpRequestParser::HttpRequestParser()
-    : http_request_(new HttpRequest()),
+    : http_request_(std::make_unique<HttpRequest>()),
       buffer_position_(0),
       state_(STATE_HEADERS),
-      declared_content_length_(0) {
-}
+      declared_content_length_(0) {}
 
 HttpRequestParser::~HttpRequestParser() = default;
 
@@ -162,7 +161,7 @@ HttpRequestParser::ParseResult HttpRequestParser::ParseHeaders() {
   } else if (http_request_->headers.count("Transfer-Encoding") > 0) {
     if (http_request_->headers["Transfer-Encoding"] == "chunked") {
       http_request_->has_content = true;
-      chunked_decoder_.reset(new HttpChunkedDecoder());
+      chunked_decoder_ = std::make_unique<HttpChunkedDecoder>();
       state_ = STATE_CONTENT;
       return WAITING;
     }
@@ -222,7 +221,7 @@ std::unique_ptr<HttpRequest> HttpRequestParser::GetRequest() {
 
   // Prepare for parsing a new request.
   state_ = STATE_HEADERS;
-  http_request_.reset(new HttpRequest());
+  http_request_ = std::make_unique<HttpRequest>();
   buffer_.clear();
   buffer_position_ = 0;
   declared_content_length_ = 0;
diff --git a/chromium/net/test/embedded_test_server/request_handler_util.cc b/chromium/net/test/embedded_test_server/request_handler_util.cc
index 314071af0b3..6a28316e83b 100644
--- a/chromium/net/test/embedded_test_server/request_handler_util.cc
+++ b/chromium/net/test/embedded_test_server/request_handler_util.cc
@@ -161,25 +161,25 @@ std::unique_ptr<HttpResponse> HandleFileRequest(
 
   RequestQuery query = ParseQuery(request_url);
 
-  std::unique_ptr<BasicHttpResponse> failed_response(new BasicHttpResponse);
+  auto failed_response = std::make_unique<BasicHttpResponse>();
   failed_response->set_code(HTTP_NOT_FOUND);
 
   if (query.find("expected_body") != query.end()) {
     if (request.content.find(query["expected_body"].front()) ==
         std::string::npos) {
-      return std::move(failed_response);
+      return failed_response;
     }
   }
 
   if (query.find("expected_headers") != query.end()) {
     for (const auto& header : query["expected_headers"]) {
       if (header.find(":") == std::string::npos)
-        return std::move(failed_response);
+        return failed_response;
       std::string key = header.substr(0, header.find(":"));
       std::string value = header.substr(header.find(":") + 1);
       if (request.headers.find(key) == request.headers.end() ||
           request.headers.at(key) != value) {
-        return std::move(failed_response);
+        return failed_response;
       }
     }
   }
@@ -199,7 +199,7 @@ std::unique_ptr<HttpResponse> HandleFileRequest(
     file_contents = "";
 
   if (!UpdateReplacedText(query, &file_contents))
-    return std::move(failed_response);
+    return failed_response;
 
   base::FilePath::StringPieceType mock_headers_extension;
 #if defined(OS_WIN)
@@ -222,7 +222,7 @@ std::unique_ptr<HttpResponse> HandleFileRequest(
     return std::make_unique<RawHttpResponse>(headers_contents, file_contents);
   }
 
-  std::unique_ptr<BasicHttpResponse> http_response(new BasicHttpResponse);
+  auto http_response = std::make_unique<BasicHttpResponse>();
   http_response->set_code(HTTP_OK);
 
   if (request.headers.find("Range") != request.headers.end()) {
@@ -248,7 +248,7 @@ std::unique_ptr<HttpResponse> HandleFileRequest(
   http_response->AddCustomHeader("Accept-Ranges", "bytes");
   http_response->AddCustomHeader("ETag", "'" + file_path.MaybeAsASCII() + "'");
   http_response->set_content(file_contents);
-  return std::move(http_response);
+  return http_response;
 }
 
 }  // namespace test_server
diff --git a/chromium/net/test/embedded_test_server/simple_connection_listener.cc b/chromium/net/test/embedded_test_server/simple_connection_listener.cc
index cb36d760e73..d428d7958fe 100644
--- a/chromium/net/test/embedded_test_server/simple_connection_listener.cc
+++ b/chromium/net/test/embedded_test_server/simple_connection_listener.cc
@@ -5,8 +5,6 @@
 #include "net/test/embedded_test_server/simple_connection_listener.h"
 
 #include "base/location.h"
-#include "base/sequenced_task_runner.h"
-#include "base/threading/thread_task_runner_handle.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
@@ -16,8 +14,7 @@ SimpleConnectionListener::SimpleConnectionListener(
     int expected_connections,
     AllowAdditionalConnections allow_additional_connections)
     : expected_connections_(expected_connections),
-      allow_additional_connections_(allow_additional_connections),
-      run_loop_task_runner_(base::ThreadTaskRunnerHandle::Get()) {}
+      allow_additional_connections_(allow_additional_connections) {}
 
 SimpleConnectionListener::~SimpleConnectionListener() = default;
 
@@ -26,14 +23,13 @@ void SimpleConnectionListener::AcceptedSocket(const StreamSocket& socket) {
   if (allow_additional_connections_ != ALLOW_ADDITIONAL_CONNECTIONS)
     EXPECT_LE(seen_connections_, expected_connections_);
   if (seen_connections_ == expected_connections_)
-    run_loop_task_runner_->PostTask(FROM_HERE, run_loop_.QuitClosure());
+    run_loop_.Quit();
 }
 
 void SimpleConnectionListener::ReadFromSocket(const StreamSocket& socket,
                                               int rv) {}
 
 void SimpleConnectionListener::WaitForConnections() {
-  EXPECT_TRUE(run_loop_task_runner_->RunsTasksInCurrentSequence());
   run_loop_.Run();
 }
 
diff --git a/chromium/net/test/embedded_test_server/simple_connection_listener.h b/chromium/net/test/embedded_test_server/simple_connection_listener.h
index 3370cf30238..440a3a111e3 100644
--- a/chromium/net/test/embedded_test_server/simple_connection_listener.h
+++ b/chromium/net/test/embedded_test_server/simple_connection_listener.h
@@ -6,14 +6,9 @@
 #define NET_TEST_EMBEDDED_TEST_SERVER_SIMPLE_CONNECTION_LISTENER_H_
 
 #include "base/macros.h"
-#include "base/memory/ref_counted.h"
 #include "base/run_loop.h"
 #include "net/test/embedded_test_server/embedded_test_server_connection_listener.h"
 
-namespace base {
-class SequencedTaskRunner;
-}
-
 namespace net {
 
 class StreamSocket;
@@ -54,8 +49,6 @@ class SimpleConnectionListener : public EmbeddedTestServerConnectionListener {
   const int expected_connections_;
   const AllowAdditionalConnections allow_additional_connections_;
 
-  const scoped_refptr<base::SequencedTaskRunner> run_loop_task_runner_;
-
   base::RunLoop run_loop_;
 
   DISALLOW_COPY_AND_ASSIGN(SimpleConnectionListener);
diff --git a/chromium/net/test/net_test_suite.cc b/chromium/net/test/net_test_suite.cc
index 6ef5f7c814b..088a54760fd 100644
--- a/chromium/net/test/net_test_suite.cc
+++ b/chromium/net/test/net_test_suite.cc
@@ -35,7 +35,7 @@ void NetTestSuite::Shutdown() {
 }
 
 void NetTestSuite::InitializeTestThread() {
-  network_change_notifier_.reset(net::NetworkChangeNotifier::CreateMock());
+  network_change_notifier_ = net::NetworkChangeNotifier::CreateMock();
 
   InitializeTestThreadNoNetworkChangeNotifier();
 }
diff --git a/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc b/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
index 3ca8305587c..91aacd5038c 100644
--- a/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
+++ b/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
@@ -22,6 +22,7 @@
 #include "net/base/port_util.h"
 #include "net/base/upload_bytes_element_reader.h"
 #include "net/http/http_response_headers.h"
+#include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_test_util.h"
 #include "url/gurl.h"
@@ -85,7 +86,8 @@ void RemoteTestServerSpawnerRequest::Core::SendRequest(
   // Prepare the URLRequest for sending the command.
   DCHECK(!request_.get());
   context_.reset(new TestURLRequestContext);
-  request_ = context_->CreateRequest(url, DEFAULT_PRIORITY, this);
+  request_ = context_->CreateRequest(url, DEFAULT_PRIORITY, this,
+                                     TRAFFIC_ANNOTATION_FOR_TESTS);
 
   if (post_data.empty()) {
     request_->set_method("GET");
diff --git a/chromium/net/test/tcp_socket_proxy.cc b/chromium/net/test/tcp_socket_proxy.cc
index b7d79064d5a..22584a93aad 100644
--- a/chromium/net/test/tcp_socket_proxy.cc
+++ b/chromium/net/test/tcp_socket_proxy.cc
@@ -134,13 +134,13 @@ class ConnectionProxy {
 
   THREAD_CHECKER(thread_checker_);
 
-  base::WeakPtrFactory<ConnectionProxy> weak_factory_;
+  base::WeakPtrFactory<ConnectionProxy> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(ConnectionProxy);
 };
 
 ConnectionProxy::ConnectionProxy(std::unique_ptr<StreamSocket> local_socket)
-    : local_socket_(std::move(local_socket)), weak_factory_(this) {}
+    : local_socket_(std::move(local_socket)) {}
 
 ConnectionProxy::~ConnectionProxy() {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
diff --git a/chromium/net/test/test_with_scoped_task_environment.h b/chromium/net/test/test_with_scoped_task_environment.h
index 09676470fce..33427036072 100644
--- a/chromium/net/test/test_with_scoped_task_environment.h
+++ b/chromium/net/test/test_with_scoped_task_environment.h
@@ -23,16 +23,14 @@ namespace net {
 // PlatformTest at the same time).
 class WithScopedTaskEnvironment {
  protected:
-  WithScopedTaskEnvironment()
+  // Always uses MainThreadType::IO, |time_source| may optionally be provided
+  // to mock time.
+  explicit WithScopedTaskEnvironment(
+      base::test::ScopedTaskEnvironment::TimeSource time_source =
+          base::test::ScopedTaskEnvironment::TimeSource::DEFAULT)
       : scoped_task_environment_(
-            base::test::ScopedTaskEnvironment::MainThreadType::IO) {}
-  WithScopedTaskEnvironment(
-      base::test::ScopedTaskEnvironment::MainThreadType type)
-      : scoped_task_environment_(type) {}
-  WithScopedTaskEnvironment(
-      base::test::ScopedTaskEnvironment::MainThreadType type,
-      base::test::ScopedTaskEnvironment::NowSource now_source)
-      : scoped_task_environment_(type, now_source) {}
+            base::test::ScopedTaskEnvironment::MainThreadType::IO,
+            time_source) {}
 
   bool MainThreadIsIdle() const WARN_UNUSED_RESULT {
     return scoped_task_environment_.MainThreadIsIdle();
@@ -71,10 +69,7 @@ class WithScopedTaskEnvironment {
 class TestWithScopedTaskEnvironment : public ::testing::Test,
                                       public WithScopedTaskEnvironment {
  protected:
-  TestWithScopedTaskEnvironment() = default;
-  TestWithScopedTaskEnvironment(
-      base::test::ScopedTaskEnvironment::MainThreadType type)
-      : WithScopedTaskEnvironment(type) {}
+  using WithScopedTaskEnvironment::WithScopedTaskEnvironment;
 
   DISALLOW_COPY_AND_ASSIGN(TestWithScopedTaskEnvironment);
 };
diff --git a/chromium/net/test/url_request/ssl_certificate_error_job.cc b/chromium/net/test/url_request/ssl_certificate_error_job.cc
index f7bcf66f60e..5044c7495c6 100644
--- a/chromium/net/test/url_request/ssl_certificate_error_job.cc
+++ b/chromium/net/test/url_request/ssl_certificate_error_job.cc
@@ -42,8 +42,7 @@ class MockJobInterceptor : public URLRequestInterceptor {
 SSLCertificateErrorJob::SSLCertificateErrorJob(
     URLRequest* request,
     NetworkDelegate* network_delegate)
-    : URLRequestJob(request, network_delegate), weak_factory_(this) {
-}
+    : URLRequestJob(request, network_delegate) {}
 
 void SSLCertificateErrorJob::Start() {
   base::ThreadTaskRunnerHandle::Get()->PostTask(
diff --git a/chromium/net/test/url_request/ssl_certificate_error_job.h b/chromium/net/test/url_request/ssl_certificate_error_job.h
index b3b372e8b00..7a2c86f73c9 100644
--- a/chromium/net/test/url_request/ssl_certificate_error_job.h
+++ b/chromium/net/test/url_request/ssl_certificate_error_job.h
@@ -34,7 +34,7 @@ class SSLCertificateErrorJob : public URLRequestJob {
 
   void NotifyError();
 
-  base::WeakPtrFactory<SSLCertificateErrorJob> weak_factory_;
+  base::WeakPtrFactory<SSLCertificateErrorJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(SSLCertificateErrorJob);
 };
diff --git a/chromium/net/test/url_request/url_request_failed_job.cc b/chromium/net/test/url_request/url_request_failed_job.cc
index a893f72a943..30008616927 100644
--- a/chromium/net/test/url_request/url_request_failed_job.cc
+++ b/chromium/net/test/url_request/url_request_failed_job.cc
@@ -84,8 +84,7 @@ URLRequestFailedJob::URLRequestFailedJob(URLRequest* request,
     : URLRequestJob(request, network_delegate),
       phase_(phase),
       net_error_(net_error),
-      total_received_bytes_(0),
-      weak_factory_(this) {
+      total_received_bytes_(0) {
   CHECK_GE(phase, URLRequestFailedJob::FailurePhase::START);
   CHECK_LE(phase, URLRequestFailedJob::FailurePhase::READ_ASYNC);
   CHECK_LT(net_error, OK);
diff --git a/chromium/net/test/url_request/url_request_failed_job.h b/chromium/net/test/url_request/url_request_failed_job.h
index 1e2695c2983..8ce4763f6cb 100644
--- a/chromium/net/test/url_request/url_request_failed_job.h
+++ b/chromium/net/test/url_request/url_request_failed_job.h
@@ -81,7 +81,7 @@ class URLRequestFailedJob : public URLRequestJob {
   const int net_error_;
   int64_t total_received_bytes_;
 
-  base::WeakPtrFactory<URLRequestFailedJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestFailedJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestFailedJob);
 };
diff --git a/chromium/net/test/url_request/url_request_hanging_read_job.cc b/chromium/net/test/url_request/url_request_hanging_read_job.cc
index 2cae64e308c..df9bf4485a4 100644
--- a/chromium/net/test/url_request/url_request_hanging_read_job.cc
+++ b/chromium/net/test/url_request/url_request_hanging_read_job.cc
@@ -47,8 +47,8 @@ URLRequestHangingReadJob::URLRequestHangingReadJob(
     URLRequest* request,
     NetworkDelegate* network_delegate)
     : URLRequestJob(request, network_delegate),
-      content_length_(10),  // non-zero content-length
-      weak_factory_(this) {}
+      content_length_(10)  // non-zero content-length
+{}
 
 void URLRequestHangingReadJob::Start() {
   // Start reading asynchronously so that all error reporting and data
diff --git a/chromium/net/test/url_request/url_request_hanging_read_job.h b/chromium/net/test/url_request/url_request_hanging_read_job.h
index 83ac941e8e4..bd4a4a78542 100644
--- a/chromium/net/test/url_request/url_request_hanging_read_job.h
+++ b/chromium/net/test/url_request/url_request_hanging_read_job.h
@@ -36,7 +36,7 @@ class URLRequestHangingReadJob : public URLRequestJob {
   void StartAsync();
 
   const int content_length_;
-  base::WeakPtrFactory<URLRequestHangingReadJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestHangingReadJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestHangingReadJob);
 };
diff --git a/chromium/net/test/url_request/url_request_mock_data_job.cc b/chromium/net/test/url_request/url_request_mock_data_job.cc
index b1d17fd4587..59e69f969a1 100644
--- a/chromium/net/test/url_request/url_request_mock_data_job.cc
+++ b/chromium/net/test/url_request/url_request_mock_data_job.cc
@@ -101,8 +101,7 @@ URLRequestMockDataJob::URLRequestMockDataJob(URLRequest* request,
                                              bool request_client_certificate)
     : URLRequestJob(request, network_delegate),
       data_offset_(0),
-      request_client_certificate_(request_client_certificate),
-      weak_factory_(this) {
+      request_client_certificate_(request_client_certificate) {
   DCHECK_GT(data_repeat_count, 0);
   for (int i = 0; i < data_repeat_count; ++i) {
     data_.append(data);
@@ -168,7 +167,7 @@ void URLRequestMockDataJob::StartAsync() {
 
   set_expected_content_size(data_.length());
   if (request_client_certificate_) {
-    scoped_refptr<SSLCertRequestInfo> request_all(new SSLCertRequestInfo());
+    auto request_all = base::MakeRefCounted<SSLCertRequestInfo>();
     NotifyCertificateRequested(request_all.get());
     return;
   }
diff --git a/chromium/net/test/url_request/url_request_mock_data_job.h b/chromium/net/test/url_request/url_request_mock_data_job.h
index cd70f2ae6ba..1e183699872 100644
--- a/chromium/net/test/url_request/url_request_mock_data_job.h
+++ b/chromium/net/test/url_request/url_request_mock_data_job.h
@@ -73,7 +73,7 @@ class URLRequestMockDataJob : public URLRequestJob {
   std::string data_;
   size_t data_offset_;
   bool request_client_certificate_;
-  base::WeakPtrFactory<URLRequestMockDataJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestMockDataJob> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/test/url_request/url_request_mock_http_job.cc b/chromium/net/test/url_request/url_request_mock_http_job.cc
index 803480e2005..40495441551 100644
--- a/chromium/net/test/url_request/url_request_mock_http_job.cc
+++ b/chromium/net/test/url_request/url_request_mock_http_job.cc
@@ -130,8 +130,7 @@ URLRequestMockHTTPJob::URLRequestMockHTTPJob(URLRequest* request,
     : URLRequestFileJob(request,
                         network_delegate,
                         file_path,
-                        base::CreateTaskRunnerWithTraits({base::MayBlock()})),
-      weak_ptr_factory_(this) {}
+                        base::CreateTaskRunnerWithTraits({base::MayBlock()})) {}
 
 URLRequestMockHTTPJob::~URLRequestMockHTTPJob() = default;
 
diff --git a/chromium/net/test/url_request/url_request_mock_http_job.h b/chromium/net/test/url_request/url_request_mock_http_job.h
index e0c4ce8ba7f..9c35bf95610 100644
--- a/chromium/net/test/url_request/url_request_mock_http_job.h
+++ b/chromium/net/test/url_request/url_request_mock_http_job.h
@@ -77,7 +77,7 @@ class URLRequestMockHTTPJob : public URLRequestFileJob {
   std::string raw_headers_;
   int64_t total_received_bytes_ = 0;
 
-  base::WeakPtrFactory<URLRequestMockHTTPJob> weak_ptr_factory_;
+  base::WeakPtrFactory<URLRequestMockHTTPJob> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestMockHTTPJob);
 };
diff --git a/chromium/net/test/url_request/url_request_slow_download_job.cc b/chromium/net/test/url_request/url_request_slow_download_job.cc
index 3b5437364fe..2195db86e6f 100644
--- a/chromium/net/test/url_request/url_request_slow_download_job.cc
+++ b/chromium/net/test/url_request/url_request_slow_download_job.cc
@@ -115,9 +115,7 @@ URLRequestSlowDownloadJob::URLRequestSlowDownloadJob(
       bytes_already_sent_(0),
       should_error_download_(false),
       should_finish_download_(false),
-      buffer_size_(0),
-      weak_factory_(this) {
-}
+      buffer_size_(0) {}
 
 void URLRequestSlowDownloadJob::StartAsync() {
   if (base::LowerCaseEqualsASCII(kFinishDownloadUrl,
diff --git a/chromium/net/test/url_request/url_request_slow_download_job.h b/chromium/net/test/url_request/url_request_slow_download_job.h
index d90acb2f4d5..c7302c9074c 100644
--- a/chromium/net/test/url_request/url_request_slow_download_job.h
+++ b/chromium/net/test/url_request/url_request_slow_download_job.h
@@ -94,7 +94,7 @@ class URLRequestSlowDownloadJob : public URLRequestJob {
   scoped_refptr<IOBuffer> buffer_;
   int buffer_size_;
 
-  base::WeakPtrFactory<URLRequestSlowDownloadJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestSlowDownloadJob> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/third_party/quiche/src/CONTRIBUTING.md b/chromium/net/third_party/quiche/src/CONTRIBUTING.md
index 3a93363a0f9..07824e04d4f 100644
--- a/chromium/net/third_party/quiche/src/CONTRIBUTING.md
+++ b/chromium/net/third_party/quiche/src/CONTRIBUTING.md
@@ -17,10 +17,13 @@ again.
 
 ## Code reviews
 
-All submissions, including submissions by project members, require review. We
-use Gerrit pull requests for this purpose.
+The QUICHE repository is currently not set up to accept pull requests directly.
+If you would like to make a contribution, please follow these steps:
 
-TODO: write up the contributing guidelines.
+1. Sign the Contributor License Agreement (see above).
+2. Create a Gerrit pull request at <https://quiche-review.googlesource.com>.
+3. Email a link to your pull request to <quiche-contribution@google.com>.
+4. An engineer will review your pull request and merge it internally.
 
 ## Community Guidelines
 
diff --git a/chromium/net/third_party/quiche/src/common/simple_linked_hash_map.h b/chromium/net/third_party/quiche/src/common/simple_linked_hash_map.h
index c99585e2092..b7488eb6b89 100644
--- a/chromium/net/third_party/quiche/src/common/simple_linked_hash_map.h
+++ b/chromium/net/third_party/quiche/src/common/simple_linked_hash_map.h
@@ -212,7 +212,8 @@ class SimpleLinkedHashMap {
     return std::make_pair(last, true);
   }
 
-  size_type size() const { return list_.size(); }
+  // Derive size_ from map_, as list::size might be O(N).
+  size_type size() const { return map_.size(); }
 
   template <typename... Args>
   std::pair<iterator, bool> emplace(Args&&... args) {
diff --git a/chromium/net/third_party/quiche/src/http2/decoder/frame_decoder_state.cc b/chromium/net/third_party/quiche/src/http2/decoder/frame_decoder_state.cc
index 5487997e978..479decb78aa 100644
--- a/chromium/net/third_party/quiche/src/http2/decoder/frame_decoder_state.cc
+++ b/chromium/net/third_party/quiche/src/http2/decoder/frame_decoder_state.cc
@@ -56,7 +56,6 @@ bool FrameDecoderState::SkipPadding(DecodeBuffer* db) {
                  << ", header: " << frame_header();
   DCHECK_EQ(remaining_payload_, 0u);
   DCHECK(IsPaddable()) << "header: " << frame_header();
-  DCHECK_GE(remaining_padding_, 0u);
   DCHECK(remaining_padding_ == 0 || frame_header().IsPadded())
       << "remaining_padding_=" << remaining_padding_
       << ", header: " << frame_header();
diff --git a/chromium/net/third_party/quiche/src/http2/hpack/tools/hpack_block_builder.cc b/chromium/net/third_party/quiche/src/http2/hpack/tools/hpack_block_builder.cc
index 5a79f78b20c..5b2ab756548 100644
--- a/chromium/net/third_party/quiche/src/http2/hpack/tools/hpack_block_builder.cc
+++ b/chromium/net/third_party/quiche/src/http2/hpack/tools/hpack_block_builder.cc
@@ -17,21 +17,7 @@ void HpackBlockBuilder::AppendHighBitsAndVarint(uint8_t high_bits,
   EXPECT_LE(3, prefix_length);
   EXPECT_LE(prefix_length, 8);
 
-  HpackVarintEncoder varint_encoder;
-
-  unsigned char c =
-      varint_encoder.StartEncoding(high_bits, prefix_length, varint);
-  buffer_.push_back(c);
-
-  if (!varint_encoder.IsEncodingInProgress()) {
-    return;
-  }
-
-  // After the prefix, at most 63 bits can remain to be encoded.
-  // Each octet holds 7 bits, so at most 9 octets are necessary.
-  // TODO(bnc): Move this into a constant in HpackVarintEncoder.
-  varint_encoder.ResumeEncoding(/* max_encoded_bytes = */ 10, &buffer_);
-  DCHECK(!varint_encoder.IsEncodingInProgress());
+  HpackVarintEncoder::Encode(high_bits, prefix_length, varint, &buffer_);
 }
 
 void HpackBlockBuilder::AppendEntryTypeAndVarint(HpackEntryType entry_type,
diff --git a/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.cc b/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.cc
index 2e7ad3e2597..63cf2897839 100644
--- a/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.cc
+++ b/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.cc
@@ -4,18 +4,17 @@
 
 #include "net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.h"
 
+#include <limits>
+
 #include "net/third_party/quiche/src/http2/platform/api/http2_logging.h"
 
 namespace http2 {
 
-HpackVarintEncoder::HpackVarintEncoder()
-    : varint_(0), encoding_in_progress_(false) {}
-
-unsigned char HpackVarintEncoder::StartEncoding(uint8_t high_bits,
-                                                uint8_t prefix_length,
-                                                uint64_t varint) {
-  DCHECK(!encoding_in_progress_);
-  DCHECK_EQ(0u, varint_);
+// static
+void HpackVarintEncoder::Encode(uint8_t high_bits,
+                                uint8_t prefix_length,
+                                uint64_t varint,
+                                Http2String* output) {
   DCHECK_LE(1u, prefix_length);
   DCHECK_LE(prefix_length, 8u);
 
@@ -27,39 +26,24 @@ unsigned char HpackVarintEncoder::StartEncoding(uint8_t high_bits,
 
   if (varint < prefix_mask) {
     // The integer fits into the prefix in its entirety.
-    return high_bits | static_cast<unsigned char>(varint);
+    unsigned char first_byte = high_bits | static_cast<unsigned char>(varint);
+    output->push_back(first_byte);
+    return;
   }
 
-  // We need extension bytes.
-  varint_ = varint - prefix_mask;
-  encoding_in_progress_ = true;
-  return high_bits | prefix_mask;
-}
+  // Extension bytes are needed.
+  unsigned char first_byte = high_bits | prefix_mask;
+  output->push_back(first_byte);
 
-size_t HpackVarintEncoder::ResumeEncoding(size_t max_encoded_bytes,
-                                          Http2String* output) {
-  DCHECK(encoding_in_progress_);
-  DCHECK_NE(0u, max_encoded_bytes);
-
-  size_t encoded_bytes = 0;
-  while (encoded_bytes < max_encoded_bytes) {
-    ++encoded_bytes;
-    if (varint_ < 128) {
-      // Encode final seven bits, with continuation bit set to zero.
-      output->push_back(varint_);
-      varint_ = 0;
-      encoding_in_progress_ = false;
-      break;
-    }
+  varint -= prefix_mask;
+  while (varint >= 128) {
     // Encode the next seven bits, with continuation bit set to one.
-    output->push_back(0b10000000 | (varint_ % 128));
-    varint_ >>= 7;
+    output->push_back(0b10000000 | (varint % 128));
+    varint >>= 7;
   }
-  return encoded_bytes;
-}
 
-bool HpackVarintEncoder::IsEncodingInProgress() const {
-  return encoding_in_progress_;
+  // Encode final seven bits, with continuation bit set to zero.
+  output->push_back(varint);
 }
 
 }  // namespace http2
diff --git a/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.h b/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.h
index 68f7474817f..745222e9566 100644
--- a/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.h
+++ b/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.h
@@ -5,6 +5,7 @@
 #ifndef QUICHE_HTTP2_HPACK_VARINT_HPACK_VARINT_ENCODER_H_
 #define QUICHE_HTTP2_HPACK_VARINT_HPACK_VARINT_ENCODER_H_
 
+#include <cstddef>
 #include <cstdint>
 
 #include "net/third_party/quiche/src/http2/platform/api/http2_export.h"
@@ -12,38 +13,17 @@
 
 namespace http2 {
 
-// HPACK integer encoder class implementing variable length integer
-// representation defined in RFC7541, Section 5.1:
+// HPACK integer encoder class with single static method implementing variable
+// length integer representation defined in RFC7541, Section 5.1:
 // https://httpwg.org/specs/rfc7541.html#integer.representation
 class HTTP2_EXPORT_PRIVATE HpackVarintEncoder {
  public:
-  HpackVarintEncoder();
-
-  // Start encoding an integer.  Return the first encoded byte (composed of
-  // optional high bits and 1 to 8 bit long prefix).  It is possible that this
-  // completes the encoding.  Must not be called when previously started
-  // encoding is still in progress.
-  unsigned char StartEncoding(uint8_t high_bits,
-                              uint8_t prefix_length,
-                              uint64_t varint);
-
-  // Continue encoding the integer |varint| passed in to StartEncoding().
-  // Append the next at most |max_encoded_bytes| encoded octets to |output|.
-  // Returns the number of encoded octets.  Must not be called unless a
-  // previously started encoding is still in progress.
-  size_t ResumeEncoding(size_t max_encoded_bytes, Http2String* output);
-
-  // Returns true if encoding an integer has started and is not completed yet.
-  bool IsEncodingInProgress() const;
-
- private:
-  // The original integer shifted to the right by the number of bits already
-  // encoded.  The lower bits shifted away have already been encoded, and
-  // |varint_| has the higher bits that remain to be encoded.
-  uint64_t varint_;
-
-  // True when encoding an integer has started and is not completed yet.
-  bool encoding_in_progress_;
+  // Encode |varint|, appending encoded data to |*output|.
+  // Appends between 1 and 11 bytes in total.
+  static void Encode(uint8_t high_bits,
+                     uint8_t prefix_length,
+                     uint64_t varint,
+                     Http2String* output);
 };
 
 }  // namespace http2
diff --git a/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder_test.cc b/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder_test.cc
index a6043a0dd2c..94f9a9e5935 100644
--- a/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder_test.cc
@@ -13,12 +13,6 @@ namespace http2 {
 namespace test {
 namespace {
 
-// Freshly constructed encoder is not in the process of encoding.
-TEST(HpackVarintEncoderTest, Done) {
-  HpackVarintEncoder varint_encoder;
-  EXPECT_FALSE(varint_encoder.IsEncodingInProgress());
-}
-
 struct {
   uint8_t high_bits;
   uint8_t prefix_length;
@@ -36,14 +30,14 @@ struct {
 
 // Encode integers that fit in the prefix.
 TEST(HpackVarintEncoderTest, Short) {
-  HpackVarintEncoder varint_encoder;
-
   for (size_t i = 0; i < HTTP2_ARRAYSIZE(kShortTestData); ++i) {
+    Http2String output;
+    HpackVarintEncoder::Encode(kShortTestData[i].high_bits,
+                               kShortTestData[i].prefix_length,
+                               kShortTestData[i].value, &output);
+    ASSERT_EQ(1u, output.size());
     EXPECT_EQ(kShortTestData[i].expected_encoding,
-              varint_encoder.StartEncoding(kShortTestData[i].high_bits,
-                                           kShortTestData[i].prefix_length,
-                                           kShortTestData[i].value));
-    EXPECT_FALSE(varint_encoder.IsEncodingInProgress());
+              static_cast<uint8_t>(output[0]));
   }
 }
 
@@ -107,38 +101,19 @@ struct {
 
 // Encode integers that do not fit in the prefix.
 TEST(HpackVarintEncoderTest, Long) {
-  HpackVarintEncoder varint_encoder;
-
   // Test encoding byte by byte, also test encoding in
   // a single ResumeEncoding() call.
-  for (bool byte_by_byte : {true, false}) {
     for (size_t i = 0; i < HTTP2_ARRAYSIZE(kLongTestData); ++i) {
       Http2String expected_encoding =
           Http2HexDecode(kLongTestData[i].expected_encoding);
-      ASSERT_FALSE(expected_encoding.empty());
-
-      EXPECT_EQ(static_cast<unsigned char>(expected_encoding[0]),
-                varint_encoder.StartEncoding(kLongTestData[i].high_bits,
-                                             kLongTestData[i].prefix_length,
-                                             kLongTestData[i].value));
-      EXPECT_TRUE(varint_encoder.IsEncodingInProgress());
 
       Http2String output;
-      if (byte_by_byte) {
-        while (varint_encoder.IsEncodingInProgress()) {
-          EXPECT_EQ(1u, varint_encoder.ResumeEncoding(1, &output));
-        }
-      } else {
-        // TODO(bnc): Factor out maximum number of extension bytes into a
-        // constant in HpackVarintEncoder.
-        EXPECT_EQ(expected_encoding.size() - 1,
-                  varint_encoder.ResumeEncoding(10, &output));
-        EXPECT_FALSE(varint_encoder.IsEncodingInProgress());
-      }
-      EXPECT_EQ(expected_encoding.size() - 1, output.size());
-      EXPECT_EQ(expected_encoding.substr(1), output);
+      HpackVarintEncoder::Encode(kLongTestData[i].high_bits,
+                                 kLongTestData[i].prefix_length,
+                                 kLongTestData[i].value, &output);
+
+      EXPECT_EQ(expected_encoding, output);
     }
-  }
 }
 
 struct {
@@ -155,24 +130,33 @@ struct {
 // Make sure that the encoder outputs the last byte even when it is zero.  This
 // happens exactly when encoding  the value 2^prefix_length - 1.
 TEST(HpackVarintEncoderTest, LastByteIsZero) {
-  HpackVarintEncoder varint_encoder;
-
   for (size_t i = 0; i < HTTP2_ARRAYSIZE(kLastByteIsZeroTestData); ++i) {
-    EXPECT_EQ(
-        kLastByteIsZeroTestData[i].expected_encoding_first_byte,
-        varint_encoder.StartEncoding(kLastByteIsZeroTestData[i].high_bits,
-                                     kLastByteIsZeroTestData[i].prefix_length,
-                                     kLastByteIsZeroTestData[i].value));
-    EXPECT_TRUE(varint_encoder.IsEncodingInProgress());
-
     Http2String output;
-    EXPECT_EQ(1u, varint_encoder.ResumeEncoding(1, &output));
-    ASSERT_EQ(1u, output.size());
-    EXPECT_EQ(0b00000000, output[0]);
-    EXPECT_FALSE(varint_encoder.IsEncodingInProgress());
+    HpackVarintEncoder::Encode(kLastByteIsZeroTestData[i].high_bits,
+                               kLastByteIsZeroTestData[i].prefix_length,
+                               kLastByteIsZeroTestData[i].value, &output);
+    ASSERT_EQ(2u, output.size());
+    EXPECT_EQ(kLastByteIsZeroTestData[i].expected_encoding_first_byte,
+              static_cast<uint8_t>(output[0]));
+    EXPECT_EQ(0b00000000, output[1]);
   }
 }
 
+// Test that encoder appends correctly to non-empty string.
+TEST(HpackVarintEncoderTest, Append) {
+  Http2String output("foo");
+  EXPECT_EQ(Http2HexDecode("666f6f"), output);
+
+  HpackVarintEncoder::Encode(0b10011000, 3, 103, &output);
+  EXPECT_EQ(Http2HexDecode("666f6f9f60"), output);
+
+  HpackVarintEncoder::Encode(0b10100000, 5, 8, &output);
+  EXPECT_EQ(Http2HexDecode("666f6f9f60a8"), output);
+
+  HpackVarintEncoder::Encode(0b10011000, 3, 202147110, &output);
+  EXPECT_EQ(Http2HexDecode("666f6f9f60a89f9f8ab260"), output);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace http2
diff --git a/chromium/net/third_party/quiche/src/quic/core/chlo_extractor.cc b/chromium/net/third_party/quiche/src/quic/core/chlo_extractor.cc
index ec3a899b8bd..0e8e6f57402 100644
--- a/chromium/net/third_party/quiche/src/quic/core/chlo_extractor.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/chlo_extractor.cc
@@ -30,19 +30,18 @@ class ChloFramerVisitor : public QuicFramerVisitorInterface,
   ~ChloFramerVisitor() override = default;
 
   // QuicFramerVisitorInterface implementation
-  void OnError(QuicFramer* framer) override {}
-  bool OnProtocolVersionMismatch(ParsedQuicVersion version,
-                                 PacketHeaderFormat form) override;
+  void OnError(QuicFramer* /*framer*/) override {}
+  bool OnProtocolVersionMismatch(ParsedQuicVersion version) override;
   void OnPacket() override {}
-  void OnPublicResetPacket(const QuicPublicResetPacket& packet) override {}
+  void OnPublicResetPacket(const QuicPublicResetPacket& /*packet*/) override {}
   void OnVersionNegotiationPacket(
-      const QuicVersionNegotiationPacket& packet) override {}
-  void OnRetryPacket(QuicConnectionId original_connection_id,
-                     QuicConnectionId new_connection_id,
-                     QuicStringPiece retry_token) override {}
+      const QuicVersionNegotiationPacket& /*packet*/) override {}
+  void OnRetryPacket(QuicConnectionId /*original_connection_id*/,
+                     QuicConnectionId /*new_connection_id*/,
+                     QuicStringPiece /*retry_token*/) override {}
   bool OnUnauthenticatedPublicHeader(const QuicPacketHeader& header) override;
   bool OnUnauthenticatedHeader(const QuicPacketHeader& header) override;
-  void OnDecryptedPacket(EncryptionLevel level) override {}
+  void OnDecryptedPacket(EncryptionLevel /*level*/) override {}
   bool OnPacketHeader(const QuicPacketHeader& header) override;
   void OnCoalescedPacket(const QuicEncryptedPacket& packet) override;
   bool OnStreamFrame(const QuicStreamFrame& frame) override;
@@ -74,7 +73,7 @@ class ChloFramerVisitor : public QuicFramerVisitorInterface,
   void OnPacketComplete() override {}
   bool IsValidStatelessResetToken(QuicUint128 token) const override;
   void OnAuthenticatedIetfStatelessResetPacket(
-      const QuicIetfStatelessResetPacket& packet) override {}
+      const QuicIetfStatelessResetPacket& /*packet*/) override {}
 
   // CryptoFramerVisitorInterface implementation.
   void OnError(CryptoFramer* framer) override;
@@ -106,8 +105,7 @@ ChloFramerVisitor::ChloFramerVisitor(
       chlo_contains_tags_(false),
       connection_id_(EmptyQuicConnectionId()) {}
 
-bool ChloFramerVisitor::OnProtocolVersionMismatch(ParsedQuicVersion version,
-                                                  PacketHeaderFormat /*form*/) {
+bool ChloFramerVisitor::OnProtocolVersionMismatch(ParsedQuicVersion version) {
   if (!framer_->IsSupportedVersion(version)) {
     return false;
   }
@@ -138,13 +136,14 @@ bool ChloFramerVisitor::OnUnauthenticatedPublicHeader(
   return true;
 }
 bool ChloFramerVisitor::OnUnauthenticatedHeader(
-    const QuicPacketHeader& header) {
+    const QuicPacketHeader& /*header*/) {
   return true;
 }
-bool ChloFramerVisitor::OnPacketHeader(const QuicPacketHeader& header) {
+bool ChloFramerVisitor::OnPacketHeader(const QuicPacketHeader& /*header*/) {
   return true;
 }
-void ChloFramerVisitor::OnCoalescedPacket(const QuicEncryptedPacket& packet) {}
+void ChloFramerVisitor::OnCoalescedPacket(
+    const QuicEncryptedPacket& /*packet*/) {}
 bool ChloFramerVisitor::OnStreamFrame(const QuicStreamFrame& frame) {
   if (QuicVersionUsesCryptoFrames(framer_->transport_version())) {
     // CHLO will be sent in CRYPTO frames in v47 and above.
@@ -215,86 +214,90 @@ bool ChloFramerVisitor::OnAckFrameEnd(QuicPacketNumber /*start*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnStopWaitingFrame(const QuicStopWaitingFrame& frame) {
+bool ChloFramerVisitor::OnStopWaitingFrame(
+    const QuicStopWaitingFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnPingFrame(const QuicPingFrame& frame) {
+bool ChloFramerVisitor::OnPingFrame(const QuicPingFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnRstStreamFrame(const QuicRstStreamFrame& frame) {
+bool ChloFramerVisitor::OnRstStreamFrame(const QuicRstStreamFrame& /*frame*/) {
   return true;
 }
 
 bool ChloFramerVisitor::OnConnectionCloseFrame(
-    const QuicConnectionCloseFrame& frame) {
+    const QuicConnectionCloseFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
+bool ChloFramerVisitor::OnStopSendingFrame(
+    const QuicStopSendingFrame& /*frame*/) {
   return true;
 }
 
 bool ChloFramerVisitor::OnPathChallengeFrame(
-    const QuicPathChallengeFrame& frame) {
+    const QuicPathChallengeFrame& /*frame*/) {
   return true;
 }
 
 bool ChloFramerVisitor::OnPathResponseFrame(
-    const QuicPathResponseFrame& frame) {
+    const QuicPathResponseFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnGoAwayFrame(const QuicGoAwayFrame& frame) {
+bool ChloFramerVisitor::OnGoAwayFrame(const QuicGoAwayFrame& /*frame*/) {
   return true;
 }
 
 bool ChloFramerVisitor::OnWindowUpdateFrame(
-    const QuicWindowUpdateFrame& frame) {
+    const QuicWindowUpdateFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnBlockedFrame(const QuicBlockedFrame& frame) {
+bool ChloFramerVisitor::OnBlockedFrame(const QuicBlockedFrame& /*frame*/) {
   return true;
 }
 
 bool ChloFramerVisitor::OnNewConnectionIdFrame(
-    const QuicNewConnectionIdFrame& frame) {
+    const QuicNewConnectionIdFrame& /*frame*/) {
   return true;
 }
 
 bool ChloFramerVisitor::OnRetireConnectionIdFrame(
-    const QuicRetireConnectionIdFrame& frame) {
+    const QuicRetireConnectionIdFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnNewTokenFrame(const QuicNewTokenFrame& frame) {
+bool ChloFramerVisitor::OnNewTokenFrame(const QuicNewTokenFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnPaddingFrame(const QuicPaddingFrame& frame) {
+bool ChloFramerVisitor::OnPaddingFrame(const QuicPaddingFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::OnMessageFrame(const QuicMessageFrame& frame) {
+bool ChloFramerVisitor::OnMessageFrame(const QuicMessageFrame& /*frame*/) {
   return true;
 }
 
-bool ChloFramerVisitor::IsValidStatelessResetToken(QuicUint128 token) const {
+bool ChloFramerVisitor::IsValidStatelessResetToken(
+    QuicUint128 /*token*/) const {
   return false;
 }
 
-bool ChloFramerVisitor::OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) {
+bool ChloFramerVisitor::OnMaxStreamsFrame(
+    const QuicMaxStreamsFrame& /*frame*/) {
   return true;
 }
 
 bool ChloFramerVisitor::OnStreamsBlockedFrame(
-    const QuicStreamsBlockedFrame& frame) {
+    const QuicStreamsBlockedFrame& /*frame*/) {
   return true;
 }
 
-void ChloFramerVisitor::OnError(CryptoFramer* framer) {}
+void ChloFramerVisitor::OnError(CryptoFramer* /*framer*/) {}
 
 void ChloFramerVisitor::OnHandshakeMessage(
     const CryptoHandshakeMessage& message) {
@@ -312,6 +315,8 @@ bool ChloExtractor::Extract(const QuicEncryptedPacket& packet,
                             const QuicTagVector& create_session_tag_indicators,
                             Delegate* delegate,
                             uint8_t connection_id_length) {
+  QUIC_DVLOG(1) << "Extracting CHLO using versions "
+                << ParsedQuicVersionVectorToString(versions);
   QuicFramer framer(versions, QuicTime::Zero(), Perspective::IS_SERVER,
                     connection_id_length);
   ChloFramerVisitor visitor(&framer, create_session_tag_indicators, delegate);
diff --git a/chromium/net/third_party/quiche/src/quic/core/chlo_extractor_test.cc b/chromium/net/third_party/quiche/src/quic/core/chlo_extractor_test.cc
index 258e141fe34..cc9a1d20ffc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/chlo_extractor_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/chlo_extractor_test.cc
@@ -76,7 +76,8 @@ class ChloExtractorTest : public QuicTest {
                                             version.transport_version,
                                             TestConnectionId(), &crypters);
       framer.SetEncrypter(ENCRYPTION_INITIAL, std::move(crypters.encrypter));
-      framer.SetDecrypter(ENCRYPTION_INITIAL, std::move(crypters.decrypter));
+      framer.InstallDecrypter(ENCRYPTION_INITIAL,
+                              std::move(crypters.decrypter));
     }
     if (!QuicVersionUsesCryptoFrames(version.transport_version) ||
         munge_stream_id) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc
index 88343b41b4e..11a625c768c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc
@@ -20,7 +20,8 @@ BandwidthSampler::BandwidthSampler()
       last_acked_packet_sent_time_(QuicTime::Zero()),
       last_acked_packet_ack_time_(QuicTime::Zero()),
       is_app_limited_(false),
-      connection_state_map_() {}
+      connection_state_map_(),
+      max_tracked_packets_(GetQuicFlag(FLAGS_quic_max_tracked_packet_count)) {}
 
 BandwidthSampler::~BandwidthSampler() {}
 
@@ -55,7 +56,7 @@ void BandwidthSampler::OnPacketSent(
 
   if (!connection_state_map_.IsEmpty() &&
       packet_number >
-          connection_state_map_.last_packet() + kMaxTrackedPackets) {
+          connection_state_map_.last_packet() + max_tracked_packets_) {
     QUIC_BUG << "BandwidthSampler in-flight packet map has exceeded maximum "
                 "number "
                 "of tracked packets.";
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h
index 4de05b08251..9a58cf6e8de 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h
@@ -324,6 +324,9 @@ class QUIC_EXPORT_PRIVATE BandwidthSampler : public BandwidthSamplerInterface {
   // sent, indexed by the packet number.
   PacketNumberIndexedQueue<ConnectionStateOnSentPacket> connection_state_map_;
 
+  // Maximum number of tracked packets.
+  const QuicPacketCount max_tracked_packets_;
+
   // Handles the actual bandwidth calculations, whereas the outer method handles
   // retrieving and removing |sent_packet|.
   BandwidthSample OnPacketAcknowledgedInner(
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.cc
new file mode 100644
index 00000000000..a4247a41c12
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.cc
@@ -0,0 +1,64 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h"
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h"
+
+namespace quic {
+
+void Bbr2DrainMode::Enter(const Bbr2CongestionEvent& /*congestion_event*/) {}
+
+Bbr2Mode Bbr2DrainMode::OnCongestionEvent(
+    QuicByteCount /*prior_in_flight*/,
+    QuicTime /*event_time*/,
+    const AckedPacketVector& /*acked_packets*/,
+    const LostPacketVector& /*lost_packets*/,
+    const Bbr2CongestionEvent& congestion_event) {
+  model_->set_pacing_gain(Params().drain_pacing_gain);
+
+  // Only STARTUP can transition to DRAIN, both of them use the same cwnd gain.
+  DCHECK_EQ(model_->cwnd_gain(), Params().drain_cwnd_gain);
+  model_->set_cwnd_gain(Params().drain_cwnd_gain);
+
+  QuicByteCount drain_target = DrainTarget();
+  if (congestion_event.bytes_in_flight <= drain_target) {
+    QUIC_DVLOG(3) << sender_ << " Exiting DRAIN. bytes_in_flight:"
+                  << congestion_event.bytes_in_flight
+                  << ", bdp:" << model_->BDP(model_->MaxBandwidth())
+                  << ", drain_target:" << drain_target << "  @ "
+                  << congestion_event.event_time;
+    return Bbr2Mode::PROBE_BW;
+  }
+
+  QUIC_DVLOG(3) << sender_ << " Staying in DRAIN. bytes_in_flight:"
+                << congestion_event.bytes_in_flight
+                << ", bdp:" << model_->BDP(model_->MaxBandwidth())
+                << ", drain_target:" << drain_target << "  @ "
+                << congestion_event.event_time;
+  return Bbr2Mode::DRAIN;
+}
+
+QuicByteCount Bbr2DrainMode::DrainTarget() const {
+  QuicByteCount bdp = model_->BDP(model_->MaxBandwidth());
+  return std::max<QuicByteCount>(bdp, sender_->GetMinimumCongestionWindow());
+}
+
+Bbr2DrainMode::DebugState Bbr2DrainMode::ExportDebugState() const {
+  DebugState s;
+  s.drain_target = DrainTarget();
+  return s;
+}
+
+std::ostream& operator<<(std::ostream& os,
+                         const Bbr2DrainMode::DebugState& state) {
+  os << "[DRAIN] drain_target: " << state.drain_target << "\n";
+  return os;
+}
+
+const Bbr2Params& Bbr2DrainMode::Params() const {
+  return sender_->Params();
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h
new file mode 100644
index 00000000000..546962bfc1f
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h
@@ -0,0 +1,53 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_DRAIN_H_
+#define QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_DRAIN_H_
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
+namespace quic {
+
+class Bbr2Sender;
+class QUIC_EXPORT_PRIVATE Bbr2DrainMode final : public Bbr2ModeBase {
+ public:
+  using Bbr2ModeBase::Bbr2ModeBase;
+
+  void Enter(const Bbr2CongestionEvent& congestion_event) override;
+
+  Bbr2Mode OnCongestionEvent(
+      QuicByteCount prior_in_flight,
+      QuicTime event_time,
+      const AckedPacketVector& acked_packets,
+      const LostPacketVector& lost_packets,
+      const Bbr2CongestionEvent& congestion_event) override;
+
+  Limits<QuicByteCount> GetCwndLimits() const override {
+    return NoGreaterThan(model_->inflight_lo());
+  }
+
+  bool IsProbingForBandwidth() const override { return false; }
+
+  struct DebugState {
+    QuicByteCount drain_target;
+  };
+
+  DebugState ExportDebugState() const;
+
+ private:
+  const Bbr2Params& Params() const;
+
+  QuicByteCount DrainTarget() const;
+};
+
+QUIC_EXPORT_PRIVATE std::ostream& operator<<(
+    std::ostream& os,
+    const Bbr2DrainMode::DebugState& state);
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_DRAIN_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.cc
new file mode 100644
index 00000000000..f5e3d188e6a
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.cc
@@ -0,0 +1,329 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+
+namespace quic {
+
+namespace {
+// Sensitivity in response to losses. 0 means no loss response.
+// 0.3 is also used by TCP bbr and cubic.
+const float kBeta = 0.3;
+
+const QuicTime::Delta kMinRttExpiry = QuicTime::Delta::FromSeconds(10);
+}  // namespace
+
+RoundTripCounter::RoundTripCounter() : round_trip_count_(0) {}
+
+void RoundTripCounter::OnPacketSent(QuicPacketNumber packet_number) {
+  DCHECK(!last_sent_packet_.IsInitialized() ||
+         last_sent_packet_ < packet_number);
+  last_sent_packet_ = packet_number;
+}
+
+bool RoundTripCounter::OnPacketsAcked(QuicPacketNumber last_acked_packet) {
+  if (!end_of_round_trip_.IsInitialized() ||
+      last_acked_packet > end_of_round_trip_) {
+    round_trip_count_++;
+    end_of_round_trip_ = last_sent_packet_;
+    return true;
+  }
+  return false;
+}
+
+void RoundTripCounter::RestartRound() {
+  end_of_round_trip_ = last_sent_packet_;
+}
+
+MinRttFilter::MinRttFilter(QuicTime::Delta initial_min_rtt,
+                           QuicTime initial_min_rtt_timestamp)
+    : min_rtt_(initial_min_rtt),
+      min_rtt_timestamp_(initial_min_rtt_timestamp) {}
+
+void MinRttFilter::Update(QuicTime::Delta sample_rtt, QuicTime now) {
+  if (sample_rtt < min_rtt_ || min_rtt_timestamp_ == QuicTime::Zero()) {
+    min_rtt_ = sample_rtt;
+    min_rtt_timestamp_ = now;
+  }
+}
+
+void MinRttFilter::ForceUpdate(QuicTime::Delta sample_rtt, QuicTime now) {
+  min_rtt_ = sample_rtt;
+  min_rtt_timestamp_ = now;
+}
+
+const SendTimeState& SendStateOfLargestPacket(
+    const Bbr2CongestionEvent& congestion_event) {
+  const auto& last_acked_sample = congestion_event.last_acked_sample;
+  const auto& last_lost_sample = congestion_event.last_lost_sample;
+
+  if (!last_lost_sample.packet_number.IsInitialized()) {
+    return last_acked_sample.bandwidth_sample.state_at_send;
+  }
+
+  if (!last_acked_sample.packet_number.IsInitialized()) {
+    return last_lost_sample.send_time_state;
+  }
+
+  DCHECK_NE(last_acked_sample.packet_number, last_lost_sample.packet_number);
+
+  if (last_acked_sample.packet_number < last_lost_sample.packet_number) {
+    return last_lost_sample.send_time_state;
+  }
+  return last_acked_sample.bandwidth_sample.state_at_send;
+}
+
+QuicByteCount Bbr2MaxAckHeightTracker::Update(
+    const QuicBandwidth& bandwidth_estimate,
+    QuicRoundTripCount round_trip_count,
+    QuicTime ack_time,
+    QuicByteCount bytes_acked) {
+  // TODO(wub): Find out whether TCP adds bytes_acked before or after the check.
+  aggregation_epoch_bytes_ += bytes_acked;
+
+  // Compute how many bytes are expected to be delivered, assuming max bandwidth
+  // is correct.
+  QuicByteCount expected_bytes_acked =
+      bandwidth_estimate * (ack_time - aggregation_epoch_start_time_);
+  // Reset the current aggregation epoch as soon as the ack arrival rate is less
+  // than or equal to the max bandwidth.
+  if (aggregation_epoch_bytes_ <= expected_bytes_acked) {
+    // Reset to start measuring a new aggregation epoch.
+    aggregation_epoch_bytes_ = bytes_acked;
+    aggregation_epoch_start_time_ = ack_time;
+    return 0;
+  }
+
+  // Compute how many extra bytes were delivered vs max bandwidth.
+  QuicByteCount extra_bytes_acked =
+      aggregation_epoch_bytes_ - expected_bytes_acked;
+  max_ack_height_filter_.Update(extra_bytes_acked, round_trip_count);
+  return extra_bytes_acked;
+}
+
+Bbr2NetworkModel::Bbr2NetworkModel(const Bbr2Params* params,
+                                   QuicTime::Delta initial_rtt,
+                                   QuicTime initial_rtt_timestamp,
+                                   float cwnd_gain,
+                                   float pacing_gain)
+    : params_(params),
+      min_rtt_filter_(initial_rtt, initial_rtt_timestamp),
+      max_ack_height_tracker_(params->initial_max_ack_height_filter_window),
+      cwnd_gain_(cwnd_gain),
+      pacing_gain_(pacing_gain) {}
+
+void Bbr2NetworkModel::OnPacketSent(QuicTime sent_time,
+                                    QuicByteCount bytes_in_flight,
+                                    QuicPacketNumber packet_number,
+                                    QuicByteCount bytes,
+                                    HasRetransmittableData is_retransmittable) {
+  round_trip_counter_.OnPacketSent(packet_number);
+
+  bandwidth_sampler_.OnPacketSent(sent_time, packet_number, bytes,
+                                  bytes_in_flight, is_retransmittable);
+}
+
+void Bbr2NetworkModel::OnCongestionEventStart(
+    QuicTime event_time,
+    const AckedPacketVector& acked_packets,
+    const LostPacketVector& lost_packets,
+    Bbr2CongestionEvent* congestion_event) {
+  const QuicByteCount prior_bytes_acked = total_bytes_acked();
+  const QuicByteCount prior_bytes_lost = total_bytes_lost();
+
+  congestion_event->event_time = event_time;
+  congestion_event->end_of_round_trip =
+      acked_packets.empty() ? false
+                            : round_trip_counter_.OnPacketsAcked(
+                                  acked_packets.rbegin()->packet_number);
+
+  for (const auto& packet : acked_packets) {
+    const BandwidthSample bandwidth_sample =
+        bandwidth_sampler_.OnPacketAcknowledged(event_time,
+                                                packet.packet_number);
+    if (!bandwidth_sample.state_at_send.is_valid) {
+      // From the sampler's perspective, the packet has never been sent, or
+      // the packet has been acked or marked as lost previously.
+      continue;
+    }
+
+    congestion_event->last_sample_is_app_limited =
+        bandwidth_sample.state_at_send.is_app_limited;
+    if (!bandwidth_sample.rtt.IsZero()) {
+      congestion_event->sample_min_rtt =
+          std::min(congestion_event->sample_min_rtt, bandwidth_sample.rtt);
+    }
+    if (!bandwidth_sample.state_at_send.is_app_limited ||
+        bandwidth_sample.bandwidth > MaxBandwidth()) {
+      congestion_event->sample_max_bandwidth = std::max(
+          congestion_event->sample_max_bandwidth, bandwidth_sample.bandwidth);
+    }
+
+    if (bandwidth_sample.bandwidth > bandwidth_latest_) {
+      bandwidth_latest_ = bandwidth_sample.bandwidth;
+    }
+
+    // |inflight_sample| is the total bytes acked while |packet| is inflight.
+    QuicByteCount inflight_sample =
+        total_bytes_acked() - bandwidth_sample.state_at_send.total_bytes_acked;
+    if (inflight_sample > inflight_latest_) {
+      inflight_latest_ = inflight_sample;
+    }
+
+    congestion_event->last_acked_sample = {packet.packet_number,
+                                           bandwidth_sample, inflight_sample};
+  }
+
+  min_rtt_filter_.Update(congestion_event->sample_min_rtt, event_time);
+  if (!congestion_event->sample_max_bandwidth.IsZero()) {
+    max_bandwidth_filter_.Update(congestion_event->sample_max_bandwidth);
+  }
+
+  for (const LostPacket& packet : lost_packets) {
+    const SendTimeState send_time_state =
+        bandwidth_sampler_.OnPacketLost(packet.packet_number);
+    if (send_time_state.is_valid) {
+      congestion_event->last_lost_sample = {packet.packet_number,
+                                            send_time_state};
+    }
+  }
+
+  congestion_event->bytes_in_flight = bytes_in_flight();
+
+  congestion_event->bytes_acked = total_bytes_acked() - prior_bytes_acked;
+  congestion_event->bytes_lost = total_bytes_lost() - prior_bytes_lost;
+  bytes_lost_in_round_ += congestion_event->bytes_lost;
+
+  max_ack_height_tracker_.Update(BandwidthEstimate(), RoundTripCount(),
+                                 event_time, congestion_event->bytes_acked);
+
+  if (!congestion_event->end_of_round_trip) {
+    return;
+  }
+
+  // Per round-trip updates.
+  AdaptLowerBounds(*congestion_event);
+}
+
+void Bbr2NetworkModel::AdaptLowerBounds(
+    const Bbr2CongestionEvent& congestion_event) {
+  if (!congestion_event.end_of_round_trip ||
+      congestion_event.is_probing_for_bandwidth) {
+    return;
+  }
+
+  if (bytes_lost_in_round_ > 0) {
+    if (bandwidth_lo_.IsInfinite()) {
+      bandwidth_lo_ = MaxBandwidth();
+    }
+    if (inflight_lo_ == inflight_lo_default()) {
+      inflight_lo_ = congestion_event.prior_cwnd;
+    }
+
+    bandwidth_lo_ = std::max(bandwidth_latest_, bandwidth_lo_ * (1.0 - kBeta));
+    QUIC_DVLOG(3) << "bandwidth_lo_ updated to " << bandwidth_lo_
+                  << ", bandwidth_latest_ is " << bandwidth_latest_;
+
+    inflight_lo_ =
+        std::max<QuicByteCount>(inflight_latest_, inflight_lo_ * (1.0 - kBeta));
+  }
+}
+
+void Bbr2NetworkModel::OnCongestionEventFinish(
+    QuicPacketNumber least_unacked_packet,
+    const Bbr2CongestionEvent& congestion_event) {
+  if (congestion_event.end_of_round_trip) {
+    const auto& last_acked_sample = congestion_event.last_acked_sample;
+    if (last_acked_sample.bandwidth_sample.state_at_send.is_valid) {
+      bandwidth_latest_ = last_acked_sample.bandwidth_sample.bandwidth;
+      inflight_latest_ = last_acked_sample.inflight_sample;
+    }
+
+    bytes_lost_in_round_ = 0;
+  }
+
+  bandwidth_sampler_.RemoveObsoletePackets(least_unacked_packet);
+}
+
+void Bbr2NetworkModel::UpdateNetworkParameters(QuicBandwidth bandwidth,
+                                               QuicTime::Delta rtt) {
+  if (!bandwidth.IsInfinite() && bandwidth > MaxBandwidth()) {
+    max_bandwidth_filter_.Update(bandwidth);
+  }
+
+  if (!rtt.IsZero()) {
+    min_rtt_filter_.Update(rtt, MinRttTimestamp());
+  }
+}
+
+bool Bbr2NetworkModel::MaybeExpireMinRtt(
+    const Bbr2CongestionEvent& congestion_event) {
+  if (congestion_event.event_time < (MinRttTimestamp() + kMinRttExpiry)) {
+    return false;
+  }
+  if (congestion_event.sample_min_rtt.IsInfinite()) {
+    return false;
+  }
+  QUIC_DVLOG(3) << "Replacing expired min rtt of " << min_rtt_filter_.Get()
+                << " by " << congestion_event.sample_min_rtt << "  @ "
+                << congestion_event.event_time;
+  min_rtt_filter_.ForceUpdate(congestion_event.sample_min_rtt,
+                              congestion_event.event_time);
+  return true;
+}
+
+bool Bbr2NetworkModel::IsCongestionWindowLimited(
+    const Bbr2CongestionEvent& congestion_event) const {
+  QuicByteCount prior_bytes_in_flight = congestion_event.bytes_in_flight +
+                                        congestion_event.bytes_acked +
+                                        congestion_event.bytes_lost;
+  return prior_bytes_in_flight >= congestion_event.prior_cwnd;
+}
+
+bool Bbr2NetworkModel::IsInflightTooHigh(
+    const Bbr2CongestionEvent& congestion_event) const {
+  const SendTimeState& send_state = SendStateOfLargestPacket(congestion_event);
+  if (!send_state.is_valid) {
+    // Not enough information.
+    return false;
+  }
+
+  const QuicByteCount inflight_at_send = BytesInFlight(send_state);
+  // TODO(wub): Consider total_bytes_lost() - send_state.total_bytes_lost, which
+  // is the total bytes lost when the largest numbered packet was inflight.
+  // bytes_lost_in_round_, OTOH, is the total bytes lost in the "current" round.
+  const QuicByteCount bytes_lost_in_round = bytes_lost_in_round_;
+
+  QUIC_DVLOG(3) << "IsInflightTooHigh: bytes_lost_in_round:"
+                << bytes_lost_in_round << ", lost_in_round_threshold:"
+                << inflight_at_send * Params().loss_threshold;
+
+  if (inflight_at_send > 0 && bytes_lost_in_round > 0) {
+    QuicByteCount lost_in_round_threshold =
+        inflight_at_send * Params().loss_threshold;
+    if (bytes_lost_in_round > lost_in_round_threshold) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+void Bbr2NetworkModel::RestartRound() {
+  bytes_lost_in_round_ = 0;
+  round_trip_counter_.RestartRound();
+}
+
+QuicByteCount Bbr2NetworkModel::inflight_hi_with_headroom() const {
+  QuicByteCount headroom = inflight_hi_ * Params().inflight_hi_headroom;
+
+  return inflight_hi_ > headroom ? inflight_hi_ - headroom : 0;
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h
new file mode 100644
index 00000000000..1b695e35314
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h
@@ -0,0 +1,516 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_MISC_H_
+#define QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_MISC_H_
+
+#include <algorithm>
+#include <limits>
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/windowed_filter.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
+#include "net/third_party/quiche/src/quic/core/quic_packet_number.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/quic/platform/impl/quic_export_impl.h"
+
+namespace quic {
+
+typedef uint64_t QuicRoundTripCount;
+
+template <typename T>
+class QUIC_EXPORT_PRIVATE Limits {
+ public:
+  Limits(T min, T max) : min_(min), max_(max) {}
+
+  // If [min, max] is an empty range, i.e. min > max, this function returns max,
+  // because typically a value larger than max means "risky".
+  T ApplyLimits(T raw_value) const {
+    return std::min(max_, std::max(min_, raw_value));
+  }
+
+  T Min() const { return min_; }
+  T Max() const { return max_; }
+
+ private:
+  T min_;
+  T max_;
+};
+
+template <typename T>
+QUIC_EXPORT_PRIVATE inline Limits<T> MinMax(T min, T max) {
+  return Limits<T>(min, max);
+}
+
+template <typename T>
+QUIC_EXPORT_PRIVATE inline Limits<T> NoLessThan(T min) {
+  return Limits<T>(min, std::numeric_limits<T>::max());
+}
+
+template <typename T>
+QUIC_EXPORT_PRIVATE inline Limits<T> NoGreaterThan(T max) {
+  return Limits<T>(std::numeric_limits<T>::min(), max);
+}
+
+template <typename T>
+QUIC_EXPORT_PRIVATE inline Limits<T> Unlimited() {
+  return Limits<T>(std::numeric_limits<T>::min(),
+                   std::numeric_limits<T>::max());
+}
+
+template <typename T>
+QUIC_EXPORT_PRIVATE inline std::ostream& operator<<(std::ostream& os,
+                                                    const Limits<T>& limits) {
+  return os << "[" << limits.Min() << ", " << limits.Max() << "]";
+}
+
+// Bbr2Params contains all parameters of a Bbr2Sender.
+struct QUIC_EXPORT_PRIVATE Bbr2Params {
+  Bbr2Params(QuicByteCount cwnd_min, QuicByteCount cwnd_max)
+      : cwnd_limits(cwnd_min, cwnd_max) {}
+
+  /*
+   * STARTUP parameters.
+   */
+
+  // The gain for both CWND and PacingRate at startup.
+  // TODO(wub): Maybe change to the newly derived value of 2.773 (4 * ln(2)).
+  float startup_gain = 2.885;
+
+  // Full bandwidth is declared if the total bandwidth growth is less than
+  // |startup_full_bw_threshold| times in the last |startup_full_bw_rounds|
+  // round trips.
+  float startup_full_bw_threshold = 1.25;
+
+  QuicRoundTripCount startup_full_bw_rounds = 3;
+
+  // The minimum number of loss marking events to exit STARTUP.
+  int64_t startup_full_loss_count = 8;
+
+  /*
+   * DRAIN parameters.
+   */
+  float drain_cwnd_gain = 2.885;
+  float drain_pacing_gain = 1.0 / 2.885;
+
+  /*
+   * PROBE_BW parameters.
+   */
+  // Max amount of randomness to inject in round counting for Reno-coexistence.
+  QuicRoundTripCount probe_bw_max_probe_rand_rounds = 2;
+
+  // Max number of rounds before probing for Reno-coexistence.
+  uint32_t probe_bw_probe_max_rounds = 63;
+
+  // Multiplier to get Reno-style probe epoch duration as: k * BDP round trips.
+  // If zero, disables Reno-style BDP-scaled coexistence mechanism.
+  float probe_bw_probe_reno_gain = 1.0;
+
+  // Minimum duration for BBR-native probes.
+  QuicTime::Delta probe_bw_probe_base_duration =
+      QuicTime::Delta::FromSeconds(2);
+
+  // The upper bound of the random amound of BBR-native probes.
+  QuicTime::Delta probe_bw_probe_max_rand_duration =
+      QuicTime::Delta::FromSeconds(1);
+
+  // Multiplier to get target inflight (as multiple of BDP) for PROBE_UP phase.
+  float probe_bw_probe_inflight_gain = 1.25;
+
+  // Pacing gains.
+  float probe_bw_probe_up_pacing_gain = 1.25;
+  float probe_bw_probe_down_pacing_gain = 0.75;
+  float probe_bw_default_pacing_gain = 1.0;
+
+  float probe_bw_cwnd_gain = 2.0;
+
+  /*
+   * PROBE_RTT parameters.
+   */
+  float probe_rtt_inflight_target_bdp_fraction = 0.5;
+  QuicTime::Delta probe_rtt_duration = QuicTime::Delta::FromMilliseconds(200);
+
+  /*
+   * Parameters used by multiple modes.
+   */
+
+  // The initial value of the max ack height filter's window length.
+  QuicRoundTripCount initial_max_ack_height_filter_window = 10;
+
+  // Fraction of unutilized headroom to try to leave in path upon high loss.
+  float inflight_hi_headroom = 0.15;
+
+  // Estimate startup/bw probing has gone too far if loss rate exceeds this.
+  float loss_threshold = 0.02;
+
+  Limits<QuicByteCount> cwnd_limits;
+};
+
+class QUIC_EXPORT_PRIVATE RoundTripCounter {
+ public:
+  RoundTripCounter();
+
+  QuicRoundTripCount Count() const { return round_trip_count_; }
+
+  QuicPacketNumber last_sent_packet() const { return last_sent_packet_; }
+
+  // Must be called in ascending packet number order.
+  void OnPacketSent(QuicPacketNumber packet_number);
+
+  // Return whether a round trip has just completed.
+  bool OnPacketsAcked(QuicPacketNumber last_acked_packet);
+
+  void RestartRound();
+
+ private:
+  QuicRoundTripCount round_trip_count_;
+  QuicPacketNumber last_sent_packet_;
+  // The last sent packet number of the current round trip.
+  QuicPacketNumber end_of_round_trip_;
+};
+
+class QUIC_EXPORT_PRIVATE MinRttFilter {
+ public:
+  MinRttFilter(QuicTime::Delta initial_min_rtt,
+               QuicTime initial_min_rtt_timestamp);
+
+  void Update(QuicTime::Delta sample_rtt, QuicTime now);
+
+  void ForceUpdate(QuicTime::Delta sample_rtt, QuicTime now);
+
+  QuicTime::Delta Get() const { return min_rtt_; }
+
+  QuicTime GetTimestamp() const { return min_rtt_timestamp_; }
+
+ private:
+  QuicTime::Delta min_rtt_;
+  // Time when the current value of |min_rtt_| was assigned.
+  QuicTime min_rtt_timestamp_;
+};
+
+class QUIC_EXPORT_PRIVATE Bbr2MaxBandwidthFilter {
+ public:
+  void Update(QuicBandwidth sample) {
+    max_bandwidth_[1] = std::max(sample, max_bandwidth_[1]);
+  }
+
+  void Advance() {
+    if (max_bandwidth_[1].IsZero()) {
+      return;
+    }
+
+    max_bandwidth_[0] = max_bandwidth_[1];
+    max_bandwidth_[1] = QuicBandwidth::Zero();
+  }
+
+  QuicBandwidth Get() const {
+    return std::max(max_bandwidth_[0], max_bandwidth_[1]);
+  }
+
+ private:
+  QuicBandwidth max_bandwidth_[2] = {QuicBandwidth::Zero(),
+                                     QuicBandwidth::Zero()};
+};
+
+// Information that are meaningful only when Bbr2Sender::OnCongestionEvent is
+// running.
+struct QUIC_EXPORT_PRIVATE Bbr2CongestionEvent {
+  QuicTime event_time = QuicTime::Zero();
+
+  // The congestion window prior to the processing of the ack/loss events.
+  QuicByteCount prior_cwnd;
+
+  // Total bytes inflight after the processing of the ack/loss events.
+  QuicByteCount bytes_in_flight = 0;
+
+  // Total bytes acked from acks in this event.
+  QuicByteCount bytes_acked = 0;
+
+  // Total bytes lost from losses in this event.
+  QuicByteCount bytes_lost = 0;
+
+  // Whether acked_packets indicates the end of a round trip.
+  bool end_of_round_trip = false;
+
+  // Whether the last bandwidth sample from acked_packets is app limited.
+  // false if acked_packets is empty.
+  bool last_sample_is_app_limited = false;
+
+  // When the event happened, whether the sender is probing for bandwidth.
+  bool is_probing_for_bandwidth = false;
+
+  // Minimum rtt of all bandwidth samples from acked_packets.
+  // QuicTime::Delta::Infinite() if acked_packets is empty.
+  QuicTime::Delta sample_min_rtt = QuicTime::Delta::Infinite();
+
+  // Maximum bandwidth of all bandwidth samples from acked_packets.
+  QuicBandwidth sample_max_bandwidth = QuicBandwidth::Zero();
+
+  // Send time state of the largest-numbered packet in this event.
+  // SendTimeState send_time_state;
+  struct {
+    QuicPacketNumber packet_number;
+    BandwidthSample bandwidth_sample;
+    // Total bytes acked while |packet| is inflight.
+    QuicByteCount inflight_sample;
+  } last_acked_sample;
+
+  struct {
+    QuicPacketNumber packet_number;
+    SendTimeState send_time_state;
+  } last_lost_sample;
+};
+
+QUIC_EXPORT_PRIVATE const SendTimeState& SendStateOfLargestPacket(
+    const Bbr2CongestionEvent& congestion_event);
+
+class QUIC_EXPORT_PRIVATE Bbr2MaxAckHeightTracker {
+ public:
+  explicit Bbr2MaxAckHeightTracker(QuicRoundTripCount initial_filter_window)
+      : max_ack_height_filter_(initial_filter_window, 0, 0) {}
+
+  QuicByteCount Get() const { return max_ack_height_filter_.GetBest(); }
+
+  QuicByteCount Update(const QuicBandwidth& bandwidth_estimate,
+                       QuicRoundTripCount round_trip_count,
+                       QuicTime ack_time,
+                       QuicByteCount bytes_acked);
+
+ private:
+  // Tracks the maximum number of bytes acked faster than the sending rate.
+  typedef WindowedFilter<QuicByteCount,
+                         MaxFilter<QuicByteCount>,
+                         QuicRoundTripCount,
+                         QuicRoundTripCount>
+      MaxAckHeightFilter;
+  MaxAckHeightFilter max_ack_height_filter_;
+
+  // The time this aggregation started and the number of bytes acked during it.
+  QuicTime aggregation_epoch_start_time_ = QuicTime::Zero();
+  QuicByteCount aggregation_epoch_bytes_ = 0;
+};
+
+// Bbr2NetworkModel takes low level congestion signals(packets sent/acked/lost)
+// as input and produces BBRv2 model parameters like inflight_(hi|lo),
+// bandwidth_(hi|lo), bandwidth and rtt estimates, etc.
+class QUIC_EXPORT_PRIVATE Bbr2NetworkModel {
+ public:
+  Bbr2NetworkModel(const Bbr2Params* params,
+                   QuicTime::Delta initial_rtt,
+                   QuicTime initial_rtt_timestamp,
+                   float cwnd_gain,
+                   float pacing_gain);
+
+  void OnPacketSent(QuicTime sent_time,
+                    QuicByteCount bytes_in_flight,
+                    QuicPacketNumber packet_number,
+                    QuicByteCount bytes,
+                    HasRetransmittableData is_retransmittable);
+
+  void OnCongestionEventStart(QuicTime event_time,
+                              const AckedPacketVector& acked_packets,
+                              const LostPacketVector& lost_packets,
+                              Bbr2CongestionEvent* congestion_event);
+
+  void OnCongestionEventFinish(QuicPacketNumber least_unacked_packet,
+                               const Bbr2CongestionEvent& congestion_event);
+
+  // Update the model without a congestion event.
+  // Max bandwidth is updated if |bandwidth| is larger than existing max
+  // bandwidth. Min rtt is updated if |rtt| is non-zero and smaller than
+  // existing min rtt.
+  void UpdateNetworkParameters(QuicBandwidth bandwidth, QuicTime::Delta rtt);
+
+  // Update inflight/bandwidth short-term lower bounds.
+  void AdaptLowerBounds(const Bbr2CongestionEvent& congestion_event);
+
+  // Restart the current round trip as if it is starting now.
+  void RestartRound();
+
+  void AdvanceMaxBandwidthFilter() { max_bandwidth_filter_.Advance(); }
+
+  void OnApplicationLimited() { bandwidth_sampler_.OnAppLimited(); }
+
+  QuicByteCount BDP(QuicBandwidth bandwidth) const {
+    return bandwidth * MinRtt();
+  }
+
+  QuicByteCount BDP(QuicBandwidth bandwidth, float gain) const {
+    return bandwidth * MinRtt() * gain;
+  }
+
+  QuicTime::Delta MinRtt() const { return min_rtt_filter_.Get(); }
+
+  QuicTime MinRttTimestamp() const { return min_rtt_filter_.GetTimestamp(); }
+
+  QuicBandwidth MaxBandwidth() const { return max_bandwidth_filter_.Get(); }
+
+  QuicByteCount MaxAckHeight() const { return max_ack_height_tracker_.Get(); }
+
+  bool MaybeExpireMinRtt(const Bbr2CongestionEvent& congestion_event);
+
+  QuicBandwidth BandwidthEstimate() const {
+    return std::min(MaxBandwidth(), bandwidth_lo_);
+  }
+
+  QuicRoundTripCount RoundTripCount() const {
+    return round_trip_counter_.Count();
+  }
+
+  bool IsCongestionWindowLimited(
+      const Bbr2CongestionEvent& congestion_event) const;
+
+  bool IsInflightTooHigh(const Bbr2CongestionEvent& congestion_event) const;
+
+  QuicPacketNumber last_sent_packet() const {
+    return round_trip_counter_.last_sent_packet();
+  }
+
+  QuicByteCount total_bytes_acked() const {
+    return bandwidth_sampler_.total_bytes_acked();
+  }
+
+  QuicByteCount total_bytes_lost() const {
+    return bandwidth_sampler_.total_bytes_lost();
+  }
+
+  QuicByteCount total_bytes_sent() const {
+    return bandwidth_sampler_.total_bytes_sent();
+  }
+
+  QuicByteCount bytes_in_flight() const {
+    return total_bytes_sent() - total_bytes_acked() - total_bytes_lost();
+  }
+
+  QuicPacketNumber end_of_app_limited_phase() const {
+    return bandwidth_sampler_.end_of_app_limited_phase();
+  }
+
+  QuicBandwidth bandwidth_latest() const { return bandwidth_latest_; }
+  QuicBandwidth bandwidth_lo() const { return bandwidth_lo_; }
+  void clear_bandwidth_lo() { bandwidth_lo_ = QuicBandwidth::Infinite(); }
+
+  QuicByteCount inflight_latest() const { return inflight_latest_; }
+  QuicByteCount inflight_lo() const { return inflight_lo_; }
+  static QuicByteCount inflight_lo_default() {
+    return std::numeric_limits<QuicByteCount>::max();
+  }
+  void clear_inflight_lo() { inflight_lo_ = inflight_lo_default(); }
+
+  QuicByteCount inflight_hi_with_headroom() const;
+  QuicByteCount inflight_hi() const { return inflight_hi_; }
+  static QuicByteCount inflight_hi_default() {
+    return std::numeric_limits<QuicByteCount>::max();
+  }
+  void set_inflight_hi(QuicByteCount inflight_hi) {
+    inflight_hi_ = inflight_hi;
+  }
+
+  float cwnd_gain() const { return cwnd_gain_; }
+  void set_cwnd_gain(float cwnd_gain) { cwnd_gain_ = cwnd_gain; }
+
+  float pacing_gain() const { return pacing_gain_; }
+  void set_pacing_gain(float pacing_gain) { pacing_gain_ = pacing_gain; }
+
+ private:
+  const Bbr2Params& Params() const { return *params_; }
+  const Bbr2Params* const params_;
+  RoundTripCounter round_trip_counter_;
+
+  // Bandwidth sampler provides BBR with the bandwidth measurements at
+  // individual points.
+  BandwidthSampler bandwidth_sampler_;
+  // The filter that tracks the maximum bandwidth over multiple recent round
+  // trips.
+  Bbr2MaxBandwidthFilter max_bandwidth_filter_;
+  MinRttFilter min_rtt_filter_;
+
+  Bbr2MaxAckHeightTracker max_ack_height_tracker_;
+
+  // Bytes lost in the current round. Updated once per congestion event.
+  QuicByteCount bytes_lost_in_round_ = 0;
+
+  // Max bandwidth in the current round. Updated once per congestion event.
+  QuicBandwidth bandwidth_latest_ = QuicBandwidth::Zero();
+  // Max bandwidth of recent rounds. Updated once per round.
+  QuicBandwidth bandwidth_lo_ = QuicBandwidth::Infinite();
+
+  // Max inflight in the current round. Updated once per congestion event.
+  QuicByteCount inflight_latest_ = 0;
+  // Max inflight of recent rounds. Updated once per round.
+  QuicByteCount inflight_lo_ = inflight_lo_default();
+  QuicByteCount inflight_hi_ = inflight_hi_default();
+
+  float cwnd_gain_;
+  float pacing_gain_;
+};
+
+enum class Bbr2Mode : uint8_t {
+  // Startup phase of the connection.
+  STARTUP,
+  // After achieving the highest possible bandwidth during the startup, lower
+  // the pacing rate in order to drain the queue.
+  DRAIN,
+  // Cruising mode.
+  PROBE_BW,
+  // Temporarily slow down sending in order to empty the buffer and measure
+  // the real minimum RTT.
+  PROBE_RTT,
+};
+
+QUIC_EXPORT_PRIVATE inline std::ostream& operator<<(std::ostream& os,
+                                                    const Bbr2Mode& mode) {
+  switch (mode) {
+    case Bbr2Mode::STARTUP:
+      return os << "STARTUP";
+    case Bbr2Mode::DRAIN:
+      return os << "DRAIN";
+    case Bbr2Mode::PROBE_BW:
+      return os << "PROBE_BW";
+    case Bbr2Mode::PROBE_RTT:
+      return os << "PROBE_RTT";
+  }
+  return os << "<Invalid Mode>";
+}
+
+// The base class for all BBRv2 modes. A Bbr2Sender is in one mode at a time,
+// this interface is used to implement mode-specific behaviors.
+class Bbr2Sender;
+class QUIC_EXPORT_PRIVATE Bbr2ModeBase {
+ public:
+  Bbr2ModeBase(const Bbr2Sender* sender, Bbr2NetworkModel* model)
+      : sender_(sender), model_(model) {}
+
+  virtual ~Bbr2ModeBase() = default;
+
+  virtual void Enter(const Bbr2CongestionEvent& congestion_event) = 0;
+
+  virtual Bbr2Mode OnCongestionEvent(
+      QuicByteCount prior_in_flight,
+      QuicTime event_time,
+      const AckedPacketVector& acked_packets,
+      const LostPacketVector& lost_packets,
+      const Bbr2CongestionEvent& congestion_event) = 0;
+
+  virtual Limits<QuicByteCount> GetCwndLimits() const = 0;
+
+  virtual bool IsProbingForBandwidth() const = 0;
+
+ protected:
+  const Bbr2Sender* const sender_;
+  Bbr2NetworkModel* model_;
+};
+
+QUIC_EXPORT_PRIVATE inline QuicByteCount BytesInFlight(
+    const SendTimeState& send_state) {
+  DCHECK(send_state.is_valid);
+  return send_state.total_bytes_sent - send_state.total_bytes_acked -
+         send_state.total_bytes_lost;
+}
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_MISC_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.cc
new file mode 100644
index 00000000000..ed65cf909b1
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.cc
@@ -0,0 +1,516 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h"
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+
+namespace quic {
+
+void Bbr2ProbeBwMode::Enter(const Bbr2CongestionEvent& congestion_event) {
+  if (cycle_.phase == CyclePhase::PROBE_NOT_STARTED) {
+    // First time entering PROBE_BW. Start a new probing cycle.
+    EnterProbeDown(/*probed_too_high=*/false, /*stopped_risky_probe=*/false,
+                   congestion_event);
+  } else {
+    // Transitioning from PROBE_RTT to PROBE_BW. Re-enter the last phase before
+    // PROBE_RTT.
+    DCHECK(cycle_.phase == CyclePhase::PROBE_CRUISE ||
+           cycle_.phase == CyclePhase::PROBE_REFILL);
+    cycle_.cycle_start_time = congestion_event.event_time;
+    if (cycle_.phase == CyclePhase::PROBE_CRUISE) {
+      EnterProbeCruise(congestion_event);
+    } else if (cycle_.phase == CyclePhase::PROBE_REFILL) {
+      EnterProbeRefill(cycle_.probe_up_rounds, congestion_event);
+    }
+  }
+}
+
+Bbr2Mode Bbr2ProbeBwMode::OnCongestionEvent(
+    QuicByteCount prior_in_flight,
+    QuicTime event_time,
+    const AckedPacketVector& /*acked_packets*/,
+    const LostPacketVector& /*lost_packets*/,
+    const Bbr2CongestionEvent& congestion_event) {
+  DCHECK_NE(cycle_.phase, CyclePhase::PROBE_NOT_STARTED);
+
+  if (congestion_event.end_of_round_trip) {
+    if (cycle_.cycle_start_time != event_time) {
+      ++cycle_.rounds_since_probe;
+    }
+    if (cycle_.phase_start_time != event_time) {
+      ++cycle_.rounds_in_phase;
+    }
+  }
+
+  if (cycle_.phase == CyclePhase::PROBE_UP) {
+    UpdateProbeUp(prior_in_flight, congestion_event);
+  } else if (cycle_.phase == CyclePhase::PROBE_DOWN) {
+    UpdateProbeDown(prior_in_flight, congestion_event);
+    // Maybe transition to PROBE_RTT at the end of this cycle.
+    if (cycle_.phase != CyclePhase::PROBE_DOWN &&
+        model_->MaybeExpireMinRtt(congestion_event)) {
+      return Bbr2Mode::PROBE_RTT;
+    }
+  } else if (cycle_.phase == CyclePhase::PROBE_CRUISE) {
+    UpdateProbeCruise(congestion_event);
+  } else if (cycle_.phase == CyclePhase::PROBE_REFILL) {
+    UpdateProbeRefill(congestion_event);
+  }
+
+  model_->set_pacing_gain(PacingGainForPhase(cycle_.phase));
+  model_->set_cwnd_gain(Params().probe_bw_cwnd_gain);
+
+  return Bbr2Mode::PROBE_BW;
+}
+
+Limits<QuicByteCount> Bbr2ProbeBwMode::GetCwndLimits() const {
+  if (cycle_.phase == CyclePhase::PROBE_CRUISE) {
+    return NoGreaterThan(
+        std::min(model_->inflight_lo(), model_->inflight_hi_with_headroom()));
+  }
+
+  return NoGreaterThan(std::min(model_->inflight_lo(), model_->inflight_hi()));
+}
+
+bool Bbr2ProbeBwMode::IsProbingForBandwidth() const {
+  return cycle_.phase == CyclePhase::PROBE_REFILL ||
+         cycle_.phase == CyclePhase::PROBE_UP;
+}
+
+void Bbr2ProbeBwMode::UpdateProbeDown(
+    QuicByteCount prior_in_flight,
+    const Bbr2CongestionEvent& congestion_event) {
+  DCHECK_EQ(cycle_.phase, CyclePhase::PROBE_DOWN);
+
+  if (cycle_.rounds_in_phase == 1 && congestion_event.end_of_round_trip) {
+    cycle_.is_sample_from_probing = false;
+
+    if (!congestion_event.last_sample_is_app_limited) {
+      QUIC_DVLOG(2)
+          << sender_
+          << " Advancing max bw filter after one round in PROBE_DOWN.";
+      model_->AdvanceMaxBandwidthFilter();
+      cycle_.has_advanced_max_bw = true;
+    }
+
+    if (last_cycle_stopped_risky_probe_ && !last_cycle_probed_too_high_) {
+      EnterProbeRefill(/*probe_up_rounds=*/0, congestion_event);
+      return;
+    }
+  }
+
+  MaybeAdaptUpperBounds(congestion_event);
+
+  if (IsTimeToProbeBandwidth(congestion_event)) {
+    EnterProbeRefill(/*probe_up_rounds=*/0, congestion_event);
+    return;
+  }
+
+  if (HasStayedLongEnoughInProbeDown(congestion_event)) {
+    QUIC_DVLOG(3) << sender_ << " Proportional time based PROBE_DOWN exit";
+    EnterProbeCruise(congestion_event);
+    return;
+  }
+
+  const QuicByteCount inflight_with_headroom =
+      model_->inflight_hi_with_headroom();
+  QUIC_DVLOG(3)
+      << sender_
+      << " Checking if have enough inflight headroom. prior_in_flight:"
+      << prior_in_flight
+      << ", inflight_with_headroom:" << inflight_with_headroom;
+  if (prior_in_flight > inflight_with_headroom) {
+    // Stay in PROBE_DOWN.
+    return;
+  }
+
+  // Transition to PROBE_CRUISE iff we've drained to target.
+  QuicByteCount bdp = model_->BDP(model_->MaxBandwidth());
+  QUIC_DVLOG(3) << sender_ << " Checking if drained to target. prior_in_flight:"
+                << prior_in_flight << ", bdp:" << bdp;
+  if (prior_in_flight < bdp) {
+    EnterProbeCruise(congestion_event);
+  }
+}
+
+Bbr2ProbeBwMode::AdaptUpperBoundsResult Bbr2ProbeBwMode::MaybeAdaptUpperBounds(
+    const Bbr2CongestionEvent& congestion_event) {
+  const SendTimeState& send_state = SendStateOfLargestPacket(congestion_event);
+  if (!send_state.is_valid) {
+    QUIC_DVLOG(3) << sender_ << " " << cycle_.phase
+                  << ": NOT_ADAPTED_INVALID_SAMPLE";
+    return NOT_ADAPTED_INVALID_SAMPLE;
+  }
+
+  if (model_->IsInflightTooHigh(congestion_event)) {
+    if (cycle_.is_sample_from_probing) {
+      cycle_.is_sample_from_probing = false;
+
+      if (!send_state.is_app_limited) {
+        QuicByteCount inflight_at_send = BytesInFlight(send_state);
+        model_->set_inflight_hi(inflight_at_send);
+      }
+
+      QUIC_DVLOG(3) << sender_ << " " << cycle_.phase
+                    << ": ADAPTED_PROBED_TOO_HIGH";
+      return ADAPTED_PROBED_TOO_HIGH;
+    }
+    return ADAPTED_OK;
+  }
+
+  if (model_->inflight_hi() == model_->inflight_hi_default()) {
+    QUIC_DVLOG(3) << sender_ << " " << cycle_.phase
+                  << ": NOT_ADAPTED_INFLIGHT_HIGH_NOT_SET";
+    return NOT_ADAPTED_INFLIGHT_HIGH_NOT_SET;
+  }
+
+  const QuicByteCount inflight_at_send = BytesInFlight(send_state);
+
+  // Raise the upper bound for inflight.
+  if (inflight_at_send > model_->inflight_hi()) {
+    QUIC_DVLOG(3)
+        << sender_ << " " << cycle_.phase
+        << ": Adapting inflight_hi from inflight_at_send. inflight_at_send:"
+        << inflight_at_send << ", old inflight_hi:" << model_->inflight_hi();
+    model_->set_inflight_hi(inflight_at_send);
+  }
+
+  return ADAPTED_OK;
+}
+
+bool Bbr2ProbeBwMode::IsTimeToProbeBandwidth(
+    const Bbr2CongestionEvent& congestion_event) const {
+  return HasCycleLasted(cycle_.probe_wait_time, congestion_event) ||
+         IsTimeToProbeForRenoCoexistence(1.0, congestion_event);
+}
+
+// QUIC only. Used to prevent a Bbr2 flow from staying in PROBE_DOWN for too
+// long, as seen in some multi-sender simulator tests.
+bool Bbr2ProbeBwMode::HasStayedLongEnoughInProbeDown(
+    const Bbr2CongestionEvent& congestion_event) const {
+  // The amount of time to stay in PROBE_DOWN, as a fraction of probe wait time.
+  const double kProbeWaitFraction = 0.2;
+  return HasCycleLasted(cycle_.probe_wait_time * kProbeWaitFraction,
+                        congestion_event) ||
+         IsTimeToProbeForRenoCoexistence(kProbeWaitFraction, congestion_event);
+}
+
+bool Bbr2ProbeBwMode::HasCycleLasted(
+    QuicTime::Delta duration,
+    const Bbr2CongestionEvent& congestion_event) const {
+  bool result =
+      (congestion_event.event_time - cycle_.cycle_start_time) > duration;
+  QUIC_DVLOG(3) << sender_ << " " << cycle_.phase
+                << ": HasCycleLasted=" << result << ". elapsed:"
+                << (congestion_event.event_time - cycle_.cycle_start_time)
+                << ", duration:" << duration;
+  return result;
+}
+
+bool Bbr2ProbeBwMode::HasPhaseLasted(
+    QuicTime::Delta duration,
+    const Bbr2CongestionEvent& congestion_event) const {
+  bool result =
+      (congestion_event.event_time - cycle_.phase_start_time) > duration;
+  QUIC_DVLOG(3) << sender_ << " " << cycle_.phase
+                << ": HasPhaseLasted=" << result << ". elapsed:"
+                << (congestion_event.event_time - cycle_.phase_start_time)
+                << ", duration:" << duration;
+  return result;
+}
+
+bool Bbr2ProbeBwMode::IsTimeToProbeForRenoCoexistence(
+    double probe_wait_fraction,
+    const Bbr2CongestionEvent& /*congestion_event*/) const {
+  uint64_t rounds = Params().probe_bw_probe_max_rounds;
+  if (Params().probe_bw_probe_reno_gain > 0.0) {
+    QuicByteCount bdp = model_->BDP(model_->BandwidthEstimate());
+    QuicByteCount inflight_bytes =
+        std::min(bdp, sender_->GetCongestionWindow());
+    uint64_t reno_rounds =
+        Params().probe_bw_probe_reno_gain * inflight_bytes / kDefaultTCPMSS;
+    rounds = std::min(rounds, reno_rounds);
+  }
+  bool result = cycle_.rounds_since_probe >= (rounds * probe_wait_fraction);
+  QUIC_DVLOG(3) << sender_ << " " << cycle_.phase
+                << ": IsTimeToProbeForRenoCoexistence=" << result
+                << ". rounds_since_probe:" << cycle_.rounds_since_probe
+                << ", rounds:" << rounds
+                << ", probe_wait_fraction:" << probe_wait_fraction;
+  return result;
+}
+
+void Bbr2ProbeBwMode::RaiseInflightHighSlope() {
+  DCHECK_EQ(cycle_.phase, CyclePhase::PROBE_UP);
+  uint64_t growth_this_round = 1 << cycle_.probe_up_rounds;
+  // The number 30 below means |growth_this_round| is capped at 1G and the lower
+  // bound of |probe_up_bytes| is (practically) 1 mss, at this speed inflight_hi
+  // grows by approximately 1 packet per packet acked.
+  cycle_.probe_up_rounds = std::min<uint64_t>(cycle_.probe_up_rounds + 1, 30);
+  uint64_t probe_up_bytes = sender_->GetCongestionWindow() / growth_this_round;
+  cycle_.probe_up_bytes =
+      std::max<QuicByteCount>(probe_up_bytes, kDefaultTCPMSS);
+  QUIC_DVLOG(3) << sender_ << " Rasing inflight_hi slope. probe_up_rounds:"
+                << cycle_.probe_up_rounds
+                << ", probe_up_bytes:" << cycle_.probe_up_bytes;
+}
+
+void Bbr2ProbeBwMode::ProbeInflightHighUpward(
+    const Bbr2CongestionEvent& congestion_event) {
+  DCHECK_EQ(cycle_.phase, CyclePhase::PROBE_UP);
+  if (!model_->IsCongestionWindowLimited(congestion_event)) {
+    QUIC_DVLOG(3) << sender_
+                  << " Rasing inflight_hi early return: Not cwnd limited.";
+    // Not fully utilizing cwnd, so can't safely grow.
+    return;
+  }
+
+  // Increase inflight_hi by the number of probe_up_bytes within probe_up_acked.
+  cycle_.probe_up_acked += congestion_event.bytes_acked;
+  if (cycle_.probe_up_acked >= cycle_.probe_up_bytes) {
+    uint64_t delta = cycle_.probe_up_acked / cycle_.probe_up_bytes;
+    cycle_.probe_up_acked -= delta * cycle_.probe_up_bytes;
+    QUIC_DVLOG(3) << sender_ << " Rasing inflight_hi from "
+                  << model_->inflight_hi() << " to "
+                  << model_->inflight_hi() + delta * kDefaultTCPMSS
+                  << ". probe_up_bytes:" << cycle_.probe_up_bytes
+                  << ", delta:" << delta
+                  << ", (new)probe_up_acked:" << cycle_.probe_up_acked;
+    model_->set_inflight_hi(model_->inflight_hi() + delta * kDefaultTCPMSS);
+  }
+
+  if (congestion_event.end_of_round_trip) {
+    RaiseInflightHighSlope();
+  }
+}
+
+void Bbr2ProbeBwMode::UpdateProbeCruise(
+    const Bbr2CongestionEvent& congestion_event) {
+  DCHECK_EQ(cycle_.phase, CyclePhase::PROBE_CRUISE);
+  MaybeAdaptUpperBounds(congestion_event);
+  DCHECK(!cycle_.is_sample_from_probing);
+
+  if (IsTimeToProbeBandwidth(congestion_event)) {
+    EnterProbeRefill(/*probe_up_rounds=*/0, congestion_event);
+    return;
+  }
+}
+
+void Bbr2ProbeBwMode::UpdateProbeRefill(
+    const Bbr2CongestionEvent& congestion_event) {
+  DCHECK_EQ(cycle_.phase, CyclePhase::PROBE_REFILL);
+  MaybeAdaptUpperBounds(congestion_event);
+  DCHECK(!cycle_.is_sample_from_probing);
+
+  if (cycle_.rounds_in_phase > 0 && congestion_event.end_of_round_trip) {
+    EnterProbeUp(congestion_event);
+    return;
+  }
+}
+
+void Bbr2ProbeBwMode::UpdateProbeUp(
+    QuicByteCount prior_in_flight,
+    const Bbr2CongestionEvent& congestion_event) {
+  DCHECK_EQ(cycle_.phase, CyclePhase::PROBE_UP);
+  if (MaybeAdaptUpperBounds(congestion_event) == ADAPTED_PROBED_TOO_HIGH) {
+    EnterProbeDown(/*probed_too_high=*/true, /*stopped_risky_probe=*/false,
+                   congestion_event);
+    return;
+  }
+
+  // TODO(wub): Consider exit PROBE_UP after a certain number(e.g. 64) of RTTs.
+
+  ProbeInflightHighUpward(congestion_event);
+
+  bool is_risky = false;
+  bool is_queuing = false;
+  if (last_cycle_probed_too_high_ && prior_in_flight >= model_->inflight_hi()) {
+    is_risky = true;
+    QUIC_DVLOG(3) << sender_
+                  << " Probe is too risky. last_cycle_probed_too_high_:"
+                  << last_cycle_probed_too_high_
+                  << ", prior_in_flight:" << prior_in_flight
+                  << ", inflight_hi:" << model_->inflight_hi();
+    // TCP uses min_rtt instead of a full round:
+    //   HasPhaseLasted(model_->MinRtt(), congestion_event)
+  } else if (cycle_.rounds_in_phase > 0) {
+    QuicByteCount bdp = model_->BDP(model_->MaxBandwidth());
+    QuicByteCount queuing_threshold =
+        (Params().probe_bw_probe_inflight_gain * bdp) + 2 * kDefaultTCPMSS;
+    is_queuing = prior_in_flight >= queuing_threshold;
+    QUIC_DVLOG(3) << sender_
+                  << " Checking if building up a queue. prior_in_flight:"
+                  << prior_in_flight << ", threshold:" << queuing_threshold
+                  << ", is_queuing:" << is_queuing
+                  << ", max_bw:" << model_->MaxBandwidth()
+                  << ", min_rtt:" << model_->MinRtt();
+  }
+
+  if (is_risky || is_queuing) {
+    EnterProbeDown(/*probed_too_high=*/false, /*stopped_risky_probe=*/is_risky,
+                   congestion_event);
+  }
+}
+
+void Bbr2ProbeBwMode::EnterProbeDown(
+    bool probed_too_high,
+    bool stopped_risky_probe,
+    const Bbr2CongestionEvent& congestion_event) {
+  QUIC_DVLOG(2) << sender_ << " Phase change: " << cycle_.phase << " ==> "
+                << CyclePhase::PROBE_DOWN << " after "
+                << congestion_event.event_time - cycle_.phase_start_time
+                << ", or " << cycle_.rounds_in_phase
+                << " rounds. probed_too_high:" << probed_too_high
+                << ", stopped_risky_probe:" << stopped_risky_probe << "  @ "
+                << congestion_event.event_time;
+  last_cycle_probed_too_high_ = probed_too_high;
+  last_cycle_stopped_risky_probe_ = stopped_risky_probe;
+
+  cycle_.cycle_start_time = congestion_event.event_time;
+  cycle_.phase = CyclePhase::PROBE_DOWN;
+  cycle_.rounds_in_phase = 0;
+  cycle_.phase_start_time = congestion_event.event_time;
+
+  // Pick probe wait time.
+  cycle_.rounds_since_probe =
+      sender_->RandomUint64(Params().probe_bw_max_probe_rand_rounds);
+  cycle_.probe_wait_time =
+      Params().probe_bw_probe_base_duration +
+      QuicTime::Delta::FromMicroseconds(sender_->RandomUint64(
+          Params().probe_bw_probe_max_rand_duration.ToMicroseconds()));
+
+  cycle_.probe_up_bytes = std::numeric_limits<QuicByteCount>::max();
+  cycle_.has_advanced_max_bw = false;
+  model_->RestartRound();
+}
+
+void Bbr2ProbeBwMode::EnterProbeCruise(
+    const Bbr2CongestionEvent& congestion_event) {
+  if (cycle_.phase == CyclePhase::PROBE_DOWN) {
+    ExitProbeDown(congestion_event);
+  }
+  QUIC_DVLOG(2) << sender_ << " Phase change: " << cycle_.phase << " ==> "
+                << CyclePhase::PROBE_CRUISE << " after "
+                << congestion_event.event_time - cycle_.phase_start_time
+                << ", or " << cycle_.rounds_in_phase << " rounds.  @ "
+                << congestion_event.event_time;
+  cycle_.phase = CyclePhase::PROBE_CRUISE;
+  cycle_.rounds_in_phase = 0;
+  cycle_.phase_start_time = congestion_event.event_time;
+  cycle_.is_sample_from_probing = false;
+}
+
+void Bbr2ProbeBwMode::EnterProbeRefill(
+    uint64_t probe_up_rounds,
+    const Bbr2CongestionEvent& congestion_event) {
+  if (cycle_.phase == CyclePhase::PROBE_DOWN) {
+    ExitProbeDown(congestion_event);
+  }
+  QUIC_DVLOG(2) << sender_ << " Phase change: " << cycle_.phase << " ==> "
+                << CyclePhase::PROBE_REFILL << " after "
+                << congestion_event.event_time - cycle_.phase_start_time
+                << ", or " << cycle_.rounds_in_phase
+                << " rounds. probe_up_rounds:" << probe_up_rounds << "  @ "
+                << congestion_event.event_time;
+  cycle_.phase = CyclePhase::PROBE_REFILL;
+  cycle_.rounds_in_phase = 0;
+  cycle_.phase_start_time = congestion_event.event_time;
+  cycle_.is_sample_from_probing = false;
+  last_cycle_stopped_risky_probe_ = false;
+
+  model_->clear_bandwidth_lo();
+  model_->clear_inflight_lo();
+  cycle_.probe_up_rounds = probe_up_rounds;
+  cycle_.probe_up_acked = 0;
+  model_->RestartRound();
+}
+
+void Bbr2ProbeBwMode::EnterProbeUp(
+    const Bbr2CongestionEvent& congestion_event) {
+  DCHECK_EQ(cycle_.phase, CyclePhase::PROBE_REFILL);
+  QUIC_DVLOG(2) << sender_ << " Phase change: " << cycle_.phase << " ==> "
+                << CyclePhase::PROBE_UP << " after "
+                << congestion_event.event_time - cycle_.phase_start_time
+                << ", or " << cycle_.rounds_in_phase << " rounds.  @ "
+                << congestion_event.event_time;
+  cycle_.phase = CyclePhase::PROBE_UP;
+  cycle_.rounds_in_phase = 0;
+  cycle_.phase_start_time = congestion_event.event_time;
+  cycle_.is_sample_from_probing = true;
+  RaiseInflightHighSlope();
+
+  model_->RestartRound();
+}
+
+void Bbr2ProbeBwMode::ExitProbeDown(
+    const Bbr2CongestionEvent& /*congestion_event*/) {
+  DCHECK_EQ(cycle_.phase, CyclePhase::PROBE_DOWN);
+  if (!cycle_.has_advanced_max_bw) {
+    QUIC_DVLOG(2) << sender_ << " Advancing max bw filter at end of cycle.";
+    model_->AdvanceMaxBandwidthFilter();
+    cycle_.has_advanced_max_bw = true;
+  }
+}
+
+// static
+const char* Bbr2ProbeBwMode::CyclePhaseToString(CyclePhase phase) {
+  switch (phase) {
+    case CyclePhase::PROBE_NOT_STARTED:
+      return "PROBE_NOT_STARTED";
+    case CyclePhase::PROBE_UP:
+      return "PROBE_UP";
+    case CyclePhase::PROBE_DOWN:
+      return "PROBE_DOWN";
+    case CyclePhase::PROBE_CRUISE:
+      return "PROBE_CRUISE";
+    case CyclePhase::PROBE_REFILL:
+      return "PROBE_REFILL";
+    default:
+      break;
+  }
+  return "<Invalid CyclePhase>";
+}
+
+std::ostream& operator<<(std::ostream& os,
+                         const Bbr2ProbeBwMode::CyclePhase phase) {
+  return os << Bbr2ProbeBwMode::CyclePhaseToString(phase);
+}
+
+Bbr2ProbeBwMode::DebugState Bbr2ProbeBwMode::ExportDebugState() const {
+  DebugState s;
+  s.phase = cycle_.phase;
+  s.cycle_start_time = cycle_.cycle_start_time;
+  s.phase_start_time = cycle_.phase_start_time;
+  return s;
+}
+
+std::ostream& operator<<(std::ostream& os,
+                         const Bbr2ProbeBwMode::DebugState& state) {
+  os << "[PROBE_BW] phase: " << state.phase << "\n";
+  os << "[PROBE_BW] cycle_start_time: " << state.cycle_start_time << "\n";
+  os << "[PROBE_BW] phase_start_time: " << state.phase_start_time << "\n";
+  return os;
+}
+
+const Bbr2Params& Bbr2ProbeBwMode::Params() const {
+  return sender_->Params();
+}
+
+float Bbr2ProbeBwMode::PacingGainForPhase(
+    Bbr2ProbeBwMode::CyclePhase phase) const {
+  if (phase == Bbr2ProbeBwMode::CyclePhase::PROBE_UP) {
+    return Params().probe_bw_probe_up_pacing_gain;
+  }
+  if (phase == Bbr2ProbeBwMode::CyclePhase::PROBE_DOWN) {
+    return Params().probe_bw_probe_down_pacing_gain;
+  }
+  return Params().probe_bw_default_pacing_gain;
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h
new file mode 100644
index 00000000000..407056b5f49
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h
@@ -0,0 +1,135 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_PROBE_BW_H_
+#define QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_PROBE_BW_H_
+
+#include <cstdint>
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
+namespace quic {
+
+class Bbr2Sender;
+class QUIC_EXPORT_PRIVATE Bbr2ProbeBwMode final : public Bbr2ModeBase {
+ public:
+  using Bbr2ModeBase::Bbr2ModeBase;
+
+  void Enter(const Bbr2CongestionEvent& congestion_event) override;
+
+  Bbr2Mode OnCongestionEvent(
+      QuicByteCount prior_in_flight,
+      QuicTime event_time,
+      const AckedPacketVector& acked_packets,
+      const LostPacketVector& lost_packets,
+      const Bbr2CongestionEvent& congestion_event) override;
+
+  Limits<QuicByteCount> GetCwndLimits() const override;
+
+  bool IsProbingForBandwidth() const override;
+
+  enum class CyclePhase : uint8_t {
+    PROBE_NOT_STARTED,
+    PROBE_UP,
+    PROBE_DOWN,
+    PROBE_CRUISE,
+    PROBE_REFILL,
+  };
+
+  static const char* CyclePhaseToString(CyclePhase phase);
+
+  struct DebugState {
+    CyclePhase phase;
+    QuicTime cycle_start_time = QuicTime::Zero();
+    QuicTime phase_start_time = QuicTime::Zero();
+  };
+
+  DebugState ExportDebugState() const;
+
+ private:
+  const Bbr2Params& Params() const;
+  float PacingGainForPhase(CyclePhase phase) const;
+
+  void UpdateProbeUp(QuicByteCount prior_in_flight,
+                     const Bbr2CongestionEvent& congestion_event);
+  void UpdateProbeDown(QuicByteCount prior_in_flight,
+                       const Bbr2CongestionEvent& congestion_event);
+  void UpdateProbeCruise(const Bbr2CongestionEvent& congestion_event);
+  void UpdateProbeRefill(const Bbr2CongestionEvent& congestion_event);
+
+  enum AdaptUpperBoundsResult : uint8_t {
+    ADAPTED_OK,
+    ADAPTED_PROBED_TOO_HIGH,
+    NOT_ADAPTED_INFLIGHT_HIGH_NOT_SET,
+    NOT_ADAPTED_INVALID_SAMPLE,
+  };
+
+  // Return whether adapted inflight_hi. If inflight is too high, this function
+  // will not adapt inflight_hi and will return false.
+  AdaptUpperBoundsResult MaybeAdaptUpperBounds(
+      const Bbr2CongestionEvent& congestion_event);
+
+  void EnterProbeDown(bool probed_too_high,
+                      bool stopped_risky_probe,
+                      const Bbr2CongestionEvent& congestion_event);
+  void EnterProbeCruise(const Bbr2CongestionEvent& congestion_event);
+  void EnterProbeRefill(uint64_t probe_up_rounds,
+                        const Bbr2CongestionEvent& congestion_event);
+  void EnterProbeUp(const Bbr2CongestionEvent& congestion_event);
+
+  // Call right before the exit of PROBE_DOWN.
+  void ExitProbeDown(const Bbr2CongestionEvent& congestion_event);
+
+  float PercentTimeElapsedToProbeBandwidth(
+      const Bbr2CongestionEvent& congestion_event) const;
+
+  bool IsTimeToProbeBandwidth(
+      const Bbr2CongestionEvent& congestion_event) const;
+  bool HasStayedLongEnoughInProbeDown(
+      const Bbr2CongestionEvent& congestion_event) const;
+  bool HasCycleLasted(QuicTime::Delta duration,
+                      const Bbr2CongestionEvent& congestion_event) const;
+  bool HasPhaseLasted(QuicTime::Delta duration,
+                      const Bbr2CongestionEvent& congestion_event) const;
+  bool IsTimeToProbeForRenoCoexistence(
+      double probe_wait_fraction,
+      const Bbr2CongestionEvent& congestion_event) const;
+
+  void RaiseInflightHighSlope();
+  void ProbeInflightHighUpward(const Bbr2CongestionEvent& congestion_event);
+
+  struct Cycle {
+    QuicTime cycle_start_time = QuicTime::Zero();
+    CyclePhase phase = CyclePhase::PROBE_NOT_STARTED;
+    uint64_t rounds_in_phase = 0;
+    QuicTime phase_start_time = QuicTime::Zero();
+    QuicRoundTripCount rounds_since_probe = 0;
+    QuicTime::Delta probe_wait_time = QuicTime::Delta::Zero();
+    uint64_t probe_up_rounds = 0;
+    QuicByteCount probe_up_bytes = std::numeric_limits<QuicByteCount>::max();
+    QuicByteCount probe_up_acked = 0;
+    // Whether max bandwidth filter window has advanced in this cycle. It is
+    // advanced once per cycle.
+    bool has_advanced_max_bw = false;
+    bool is_sample_from_probing = false;
+  } cycle_;
+
+  bool last_cycle_probed_too_high_;
+  bool last_cycle_stopped_risky_probe_;
+};
+
+QUIC_EXPORT_PRIVATE std::ostream& operator<<(
+    std::ostream& os,
+    const Bbr2ProbeBwMode::DebugState& state);
+
+QUIC_EXPORT_PRIVATE std::ostream& operator<<(
+    std::ostream& os,
+    const Bbr2ProbeBwMode::CyclePhase phase);
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_PROBE_BW_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.cc
new file mode 100644
index 00000000000..fe4506b5bc0
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.cc
@@ -0,0 +1,66 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h"
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+
+namespace quic {
+
+void Bbr2ProbeRttMode::Enter(const Bbr2CongestionEvent& /*congestion_event*/) {
+  model_->set_pacing_gain(1.0);
+  model_->set_cwnd_gain(1.0);
+  exit_time_ = QuicTime::Zero();
+}
+
+Bbr2Mode Bbr2ProbeRttMode::OnCongestionEvent(
+    QuicByteCount /*prior_in_flight*/,
+    QuicTime /*event_time*/,
+    const AckedPacketVector& /*acked_packets*/,
+    const LostPacketVector& /*lost_packets*/,
+    const Bbr2CongestionEvent& congestion_event) {
+  if (exit_time_ == QuicTime::Zero()) {
+    if (congestion_event.bytes_in_flight <= InflightTarget() ||
+        congestion_event.bytes_in_flight <=
+            sender_->GetMinimumCongestionWindow()) {
+      exit_time_ = congestion_event.event_time + Params().probe_rtt_duration;
+    }
+    return Bbr2Mode::PROBE_RTT;
+  }
+
+  return congestion_event.event_time > exit_time_ ? Bbr2Mode::PROBE_BW
+                                                  : Bbr2Mode::PROBE_RTT;
+}
+
+QuicByteCount Bbr2ProbeRttMode::InflightTarget() const {
+  return model_->BDP(model_->MaxBandwidth(),
+                     Params().probe_rtt_inflight_target_bdp_fraction);
+}
+
+Limits<QuicByteCount> Bbr2ProbeRttMode::GetCwndLimits() const {
+  QuicByteCount inflight_upper_bound =
+      std::min(model_->inflight_lo(), model_->inflight_hi_with_headroom());
+  return NoGreaterThan(std::min(inflight_upper_bound, InflightTarget()));
+}
+
+Bbr2ProbeRttMode::DebugState Bbr2ProbeRttMode::ExportDebugState() const {
+  DebugState s;
+  s.inflight_target = InflightTarget();
+  s.exit_time = exit_time_;
+  return s;
+}
+
+std::ostream& operator<<(std::ostream& os,
+                         const Bbr2ProbeRttMode::DebugState& state) {
+  os << "[PROBE_RTT] inflight_target: " << state.inflight_target << "\n";
+  os << "[PROBE_RTT] exit_time: " << state.exit_time << "\n";
+  return os;
+}
+
+const Bbr2Params& Bbr2ProbeRttMode::Params() const {
+  return sender_->Params();
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h
new file mode 100644
index 00000000000..811c6467fa0
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h
@@ -0,0 +1,54 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_PROBE_RTT_H_
+#define QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_PROBE_RTT_H_
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
+namespace quic {
+
+class Bbr2Sender;
+class QUIC_EXPORT_PRIVATE Bbr2ProbeRttMode final : public Bbr2ModeBase {
+ public:
+  using Bbr2ModeBase::Bbr2ModeBase;
+
+  void Enter(const Bbr2CongestionEvent& congestion_event) override;
+
+  Bbr2Mode OnCongestionEvent(
+      QuicByteCount prior_in_flight,
+      QuicTime event_time,
+      const AckedPacketVector& acked_packets,
+      const LostPacketVector& lost_packets,
+      const Bbr2CongestionEvent& congestion_event) override;
+
+  Limits<QuicByteCount> GetCwndLimits() const override;
+
+  bool IsProbingForBandwidth() const override { return false; }
+
+  struct DebugState {
+    QuicByteCount inflight_target;
+    QuicTime exit_time = QuicTime::Zero();
+  };
+
+  DebugState ExportDebugState() const;
+
+ private:
+  const Bbr2Params& Params() const;
+
+  QuicByteCount InflightTarget() const;
+
+  QuicTime exit_time_ = QuicTime::Zero();
+};
+
+QUIC_EXPORT_PRIVATE std::ostream& operator<<(
+    std::ostream& os,
+    const Bbr2ProbeRttMode::DebugState& state);
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_PROBE_RTT_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.cc
new file mode 100644
index 00000000000..66aa123d78a
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.cc
@@ -0,0 +1,410 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h"
+
+#include <cstddef>
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+
+namespace quic {
+
+namespace {
+// Constants based on TCP defaults.
+// The minimum CWND to ensure delayed acks don't reduce bandwidth measurements.
+// Does not inflate the pacing rate.
+const QuicByteCount kDefaultMinimumCongestionWindow = 4 * kMaxSegmentSize;
+
+const float kInitialPacingGain = 2.885f;
+
+const int kMaxModeChangesPerCongestionEvent = 4;
+}  // namespace
+
+// Call |member_function_call| based on the current Bbr2Mode we are in. e.g.
+//
+//   auto result = BBR2_MODE_DISPATCH(Foo());
+//
+// is equivalent to:
+//
+//   Bbr2ModeBase& Bbr2Sender::GetCurrentMode() {
+//     if (mode_ == Bbr2Mode::STARTUP) { return startup_; }
+//     if (mode_ == Bbr2Mode::DRAIN) { return drain_; }
+//     ...
+//   }
+//   auto result = GetCurrentMode().Foo();
+//
+// Except that BBR2_MODE_DISPATCH guarantees the call to Foo() is non-virtual.
+//
+#define BBR2_MODE_DISPATCH(member_function_call)     \
+  (mode_ == Bbr2Mode::STARTUP                        \
+       ? (startup_.member_function_call)             \
+       : (mode_ == Bbr2Mode::PROBE_BW                \
+              ? (probe_bw_.member_function_call)     \
+              : (mode_ == Bbr2Mode::DRAIN            \
+                     ? (drain_.member_function_call) \
+                     : (probe_rtt_or_die().member_function_call))))
+
+Bbr2Sender::Bbr2Sender(QuicTime now,
+                       const RttStats* rtt_stats,
+                       const QuicUnackedPacketMap* unacked_packets,
+                       QuicPacketCount initial_cwnd_in_packets,
+                       QuicPacketCount max_cwnd_in_packets,
+                       QuicRandom* random,
+                       QuicConnectionStats* /*stats*/)
+    : mode_(Bbr2Mode::STARTUP),
+      rtt_stats_(rtt_stats),
+      unacked_packets_(unacked_packets),
+      random_(random),
+      params_(kDefaultMinimumCongestionWindow,
+              max_cwnd_in_packets * kDefaultTCPMSS),
+      model_(&params_,
+             rtt_stats->SmoothedOrInitialRtt(),
+             rtt_stats->last_update_time(),
+             /*cwnd_gain=*/1.0,
+             /*pacing_gain=*/kInitialPacingGain),
+      cwnd_(
+          cwnd_limits().ApplyLimits(initial_cwnd_in_packets * kDefaultTCPMSS)),
+      pacing_rate_(kInitialPacingGain * QuicBandwidth::FromBytesAndTimeDelta(
+                                            cwnd_,
+                                            rtt_stats->SmoothedOrInitialRtt())),
+      startup_(this, &model_),
+      drain_(this, &model_),
+      probe_bw_(this, &model_),
+      probe_rtt_(this, &model_),
+      flexible_app_limited_(false),
+      last_sample_is_app_limited_(false) {
+  QUIC_DVLOG(2) << this << " Initializing Bbr2Sender. mode:" << mode_
+                << ", PacingRate:" << pacing_rate_ << ", Cwnd:" << cwnd_
+                << ", CwndLimits:" << cwnd_limits() << "  @ " << now;
+  DCHECK_EQ(mode_, Bbr2Mode::STARTUP);
+}
+
+void Bbr2Sender::SetFromConfig(const QuicConfig& config,
+                               Perspective perspective) {
+  if (config.HasClientRequestedIndependentOption(kBBR9, perspective)) {
+    flexible_app_limited_ = true;
+  }
+}
+
+Limits<QuicByteCount> Bbr2Sender::GetCwndLimitsByMode() const {
+  switch (mode_) {
+    case Bbr2Mode::STARTUP:
+      return startup_.GetCwndLimits();
+    case Bbr2Mode::PROBE_BW:
+      return probe_bw_.GetCwndLimits();
+    case Bbr2Mode::DRAIN:
+      return drain_.GetCwndLimits();
+    case Bbr2Mode::PROBE_RTT:
+      return probe_rtt_.GetCwndLimits();
+    default:
+      QUIC_NOTREACHED();
+      return Unlimited<QuicByteCount>();
+  }
+}
+
+const Limits<QuicByteCount>& Bbr2Sender::cwnd_limits() const {
+  return params_.cwnd_limits;
+}
+
+void Bbr2Sender::AdjustNetworkParameters(QuicBandwidth bandwidth,
+                                         QuicTime::Delta rtt,
+                                         bool allow_cwnd_to_decrease) {
+  model_.UpdateNetworkParameters(bandwidth, rtt);
+
+  if (mode_ == Bbr2Mode::STARTUP) {
+    const QuicByteCount prior_cwnd = cwnd_;
+
+    // Normally UpdateCongestionWindow updates |cwnd_| towards the target by a
+    // small step per congestion event, by changing |cwnd_| to the bdp at here
+    // we are reducing the number of updates needed to arrive at the target.
+    cwnd_ = model_.BDP(model_.BandwidthEstimate());
+    UpdateCongestionWindow(0);
+    if (!allow_cwnd_to_decrease) {
+      cwnd_ = std::max(cwnd_, prior_cwnd);
+    }
+  }
+}
+
+void Bbr2Sender::SetInitialCongestionWindowInPackets(
+    QuicPacketCount congestion_window) {
+  if (mode_ == Bbr2Mode::STARTUP) {
+    // The cwnd limits is unchanged and still applies to the new cwnd.
+    cwnd_ = cwnd_limits().ApplyLimits(congestion_window * kDefaultTCPMSS);
+  }
+}
+
+void Bbr2Sender::OnCongestionEvent(bool /*rtt_updated*/,
+                                   QuicByteCount prior_in_flight,
+                                   QuicTime event_time,
+                                   const AckedPacketVector& acked_packets,
+                                   const LostPacketVector& lost_packets) {
+  QUIC_DVLOG(3) << this
+                << " OnCongestionEvent. prior_in_flight:" << prior_in_flight
+                << " prior_cwnd:" << cwnd_ << "  @ " << event_time;
+  Bbr2CongestionEvent congestion_event;
+  congestion_event.prior_cwnd = cwnd_;
+  congestion_event.is_probing_for_bandwidth =
+      BBR2_MODE_DISPATCH(IsProbingForBandwidth());
+
+  model_.OnCongestionEventStart(event_time, acked_packets, lost_packets,
+                                &congestion_event);
+
+  // Number of mode changes allowed for this congestion event.
+  int mode_changes_allowed = kMaxModeChangesPerCongestionEvent;
+  while (true) {
+    Bbr2Mode next_mode = BBR2_MODE_DISPATCH(
+        OnCongestionEvent(prior_in_flight, event_time, acked_packets,
+                          lost_packets, congestion_event));
+
+    if (next_mode == mode_) {
+      break;
+    }
+
+    QUIC_DVLOG(2) << this << " Mode change:  " << mode_ << " ==> " << next_mode
+                  << "  @ " << event_time;
+    mode_ = next_mode;
+    BBR2_MODE_DISPATCH(Enter(congestion_event));
+    --mode_changes_allowed;
+    if (mode_changes_allowed < 0) {
+      QUIC_BUG << "Exceeded max number of mode changes per congestion event.";
+      break;
+    }
+  }
+
+  UpdatePacingRate(congestion_event.bytes_acked);
+  QUIC_BUG_IF(pacing_rate_.IsZero()) << "Pacing rate must not be zero!";
+
+  UpdateCongestionWindow(congestion_event.bytes_acked);
+  QUIC_BUG_IF(cwnd_ == 0u) << "Congestion window must not be zero!";
+
+  model_.OnCongestionEventFinish(unacked_packets_->GetLeastUnacked(),
+                                 congestion_event);
+  last_sample_is_app_limited_ = congestion_event.last_sample_is_app_limited;
+
+  QUIC_DVLOG(3)
+      << this << " END CongestionEvent(acked:" << acked_packets
+      << ", lost:" << lost_packets.size() << ") "
+      << ", Mode:" << mode_ << ", RttCount:" << model_.RoundTripCount()
+      << ", BytesInFlight:" << model_.bytes_in_flight()
+      << ", PacingRate:" << PacingRate(0) << ", CWND:" << GetCongestionWindow()
+      << ", PacingGain:" << model_.pacing_gain()
+      << ", CwndGain:" << model_.cwnd_gain()
+      << ", BandwidthEstimate(kbps):" << BandwidthEstimate().ToKBitsPerSecond()
+      << ", MinRTT(us):" << model_.MinRtt().ToMicroseconds()
+      << ", BDP:" << model_.BDP(BandwidthEstimate())
+      << ", BandwidthLatest(kbps):"
+      << model_.bandwidth_latest().ToKBitsPerSecond()
+      << ", BandwidthLow(kbps):" << model_.bandwidth_lo().ToKBitsPerSecond()
+      << ", BandwidthHigh(kbps):" << model_.MaxBandwidth().ToKBitsPerSecond()
+      << ", InflightLatest:" << model_.inflight_latest()
+      << ", InflightLow:" << model_.inflight_lo()
+      << ", InflightHigh:" << model_.inflight_hi()
+      << ", TotalAcked:" << model_.total_bytes_acked()
+      << ", TotalLost:" << model_.total_bytes_lost()
+      << ", TotalSent:" << model_.total_bytes_sent() << "  @ " << event_time;
+}
+
+void Bbr2Sender::UpdatePacingRate(QuicByteCount bytes_acked) {
+  if (BandwidthEstimate().IsZero()) {
+    return;
+  }
+
+  if (model_.total_bytes_acked() == bytes_acked) {
+    // After the first ACK, cwnd_ is still the initial congestion window.
+    pacing_rate_ = QuicBandwidth::FromBytesAndTimeDelta(cwnd_, model_.MinRtt());
+    return;
+  }
+
+  QuicBandwidth target_rate = model_.pacing_gain() * model_.BandwidthEstimate();
+  if (startup_.FullBandwidthReached()) {
+    pacing_rate_ = target_rate;
+    return;
+  }
+
+  if (target_rate > pacing_rate_) {
+    pacing_rate_ = target_rate;
+  }
+}
+
+void Bbr2Sender::UpdateCongestionWindow(QuicByteCount bytes_acked) {
+  QuicByteCount target_cwnd = GetTargetCongestionWindow(model_.cwnd_gain());
+
+  const QuicByteCount prior_cwnd = cwnd_;
+  if (startup_.FullBandwidthReached()) {
+    target_cwnd += model_.MaxAckHeight();
+    cwnd_ = std::min(prior_cwnd + bytes_acked, target_cwnd);
+  } else if (prior_cwnd < target_cwnd || prior_cwnd < 2 * cwnd_limits().Min()) {
+    cwnd_ = prior_cwnd + bytes_acked;
+  }
+  const QuicByteCount desired_cwnd = cwnd_;
+
+  cwnd_ = GetCwndLimitsByMode().ApplyLimits(cwnd_);
+  const QuicByteCount model_limited_cwnd = cwnd_;
+
+  cwnd_ = cwnd_limits().ApplyLimits(cwnd_);
+
+  QUIC_DVLOG(3) << this << " Updating CWND. target_cwnd:" << target_cwnd
+                << ", max_ack_height:" << model_.MaxAckHeight()
+                << ", full_bw:" << startup_.FullBandwidthReached()
+                << ", bytes_acked:" << bytes_acked
+                << ", inflight_lo:" << model_.inflight_lo()
+                << ", inflight_hi:" << model_.inflight_hi() << ". (prior_cwnd) "
+                << prior_cwnd << " => (desired_cwnd) " << desired_cwnd
+                << " => (model_limited_cwnd) " << model_limited_cwnd
+                << " => (final_cwnd) " << cwnd_;
+}
+
+QuicByteCount Bbr2Sender::GetTargetCongestionWindow(float gain) const {
+  return std::max(model_.BDP(model_.BandwidthEstimate(), gain),
+                  cwnd_limits().Min());
+}
+
+void Bbr2Sender::OnPacketSent(QuicTime sent_time,
+                              QuicByteCount bytes_in_flight,
+                              QuicPacketNumber packet_number,
+                              QuicByteCount bytes,
+                              HasRetransmittableData is_retransmittable) {
+  QUIC_DVLOG(3) << this << " OnPacketSent: pkn:" << packet_number
+                << ", bytes:" << bytes << ", cwnd:" << cwnd_
+                << ", inflight:" << model_.bytes_in_flight() + bytes
+                << ", total_sent:" << model_.total_bytes_sent() + bytes
+                << ", total_acked:" << model_.total_bytes_acked()
+                << ", total_lost:" << model_.total_bytes_lost() << "  @ "
+                << sent_time;
+  model_.OnPacketSent(sent_time, bytes_in_flight, packet_number, bytes,
+                      is_retransmittable);
+}
+
+bool Bbr2Sender::CanSend(QuicByteCount bytes_in_flight) {
+  const bool result = bytes_in_flight < GetCongestionWindow();
+  return result;
+}
+
+QuicByteCount Bbr2Sender::GetCongestionWindow() const {
+  // TODO(wub): Implement Recovery?
+  return cwnd_;
+}
+
+QuicBandwidth Bbr2Sender::PacingRate(QuicByteCount /*bytes_in_flight*/) const {
+  return pacing_rate_;
+}
+
+void Bbr2Sender::OnApplicationLimited(QuicByteCount bytes_in_flight) {
+  if (bytes_in_flight >= GetCongestionWindow()) {
+    return;
+  }
+  if (flexible_app_limited_ && IsPipeSufficientlyFull()) {
+    return;
+  }
+
+  model_.OnApplicationLimited();
+  QUIC_DVLOG(2) << this << " Becoming application limited. Last sent packet: "
+                << model_.last_sent_packet()
+                << ", CWND: " << GetCongestionWindow();
+}
+
+bool Bbr2Sender::ShouldSendProbingPacket() const {
+  // TODO(wub): Implement ShouldSendProbingPacket properly.
+  if (!BBR2_MODE_DISPATCH(IsProbingForBandwidth())) {
+    return false;
+  }
+
+  // TODO(b/77975811): If the pipe is highly under-utilized, consider not
+  // sending a probing transmission, because the extra bandwidth is not needed.
+  // If flexible_app_limited is enabled, check if the pipe is sufficiently full.
+  if (flexible_app_limited_) {
+    const bool is_pipe_sufficiently_full = IsPipeSufficientlyFull();
+    QUIC_DVLOG(3) << this << " CWND: " << GetCongestionWindow()
+                  << ", inflight: " << model_.bytes_in_flight()
+                  << ", pacing_rate: " << PacingRate(0)
+                  << ", flexible_app_limited_: true, ShouldSendProbingPacket: "
+                  << !is_pipe_sufficiently_full;
+    return !is_pipe_sufficiently_full;
+  } else {
+    return true;
+  }
+}
+
+bool Bbr2Sender::IsPipeSufficientlyFull() const {
+  // See if we need more bytes in flight to see more bandwidth.
+  if (mode_ == Bbr2Mode::STARTUP) {
+    // STARTUP exits if it doesn't observe a 25% bandwidth increase, so the CWND
+    // must be more than 25% above the target.
+    return model_.bytes_in_flight() >= GetTargetCongestionWindow(1.5);
+  }
+  if (model_.pacing_gain() > 1) {
+    // Super-unity PROBE_BW doesn't exit until 1.25 * BDP is achieved.
+    return model_.bytes_in_flight() >=
+           GetTargetCongestionWindow(model_.pacing_gain());
+  }
+  // If bytes_in_flight are above the target congestion window, it should be
+  // possible to observe the same or more bandwidth if it's available.
+  return model_.bytes_in_flight() >= GetTargetCongestionWindow(1.1);
+}
+
+std::string Bbr2Sender::GetDebugState() const {
+  std::ostringstream stream;
+  stream << ExportDebugState();
+  return stream.str();
+}
+
+Bbr2Sender::DebugState Bbr2Sender::ExportDebugState() const {
+  DebugState s;
+  s.mode = mode_;
+  s.round_trip_count = model_.RoundTripCount();
+  s.bandwidth_hi = model_.MaxBandwidth();
+  s.bandwidth_lo = model_.bandwidth_lo();
+  s.bandwidth_est = BandwidthEstimate();
+  s.min_rtt = model_.MinRtt();
+  s.min_rtt_timestamp = model_.MinRttTimestamp();
+  s.congestion_window = cwnd_;
+  s.pacing_rate = pacing_rate_;
+  s.last_sample_is_app_limited = last_sample_is_app_limited_;
+  s.end_of_app_limited_phase = model_.end_of_app_limited_phase();
+
+  s.startup = startup_.ExportDebugState();
+  s.drain = drain_.ExportDebugState();
+  s.probe_bw = probe_bw_.ExportDebugState();
+  s.probe_rtt = probe_rtt_.ExportDebugState();
+
+  return s;
+}
+
+std::ostream& operator<<(std::ostream& os, const Bbr2Sender::DebugState& s) {
+  os << "mode: " << s.mode << "\n";
+  os << "round_trip_count: " << s.round_trip_count << "\n";
+  os << "bandwidth_hi ~ lo ~ est: " << s.bandwidth_hi << " ~ " << s.bandwidth_lo
+     << " ~ " << s.bandwidth_est << "\n";
+  os << "min_rtt: " << s.min_rtt << "\n";
+  os << "min_rtt_timestamp: " << s.min_rtt_timestamp << "\n";
+  os << "congestion_window: " << s.congestion_window << "\n";
+  os << "pacing_rate: " << s.pacing_rate << "\n";
+  os << "last_sample_is_app_limited: " << s.last_sample_is_app_limited << "\n";
+
+  if (s.mode == Bbr2Mode::STARTUP) {
+    os << s.startup;
+  }
+
+  if (s.mode == Bbr2Mode::DRAIN) {
+    os << s.drain;
+  }
+
+  if (s.mode == Bbr2Mode::PROBE_BW) {
+    os << s.probe_bw;
+  }
+
+  if (s.mode == Bbr2Mode::PROBE_RTT) {
+    os << s.probe_rtt;
+  }
+
+  return os;
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h
new file mode 100644
index 00000000000..64f63477558
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h
@@ -0,0 +1,192 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_SENDER_H_
+#define QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_SENDER_H_
+
+#include <cstdint>
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/windowed_filter.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
+namespace quic {
+
+class QUIC_EXPORT_PRIVATE Bbr2Sender final : public SendAlgorithmInterface {
+ public:
+  Bbr2Sender(QuicTime now,
+             const RttStats* rtt_stats,
+             const QuicUnackedPacketMap* unacked_packets,
+             QuicPacketCount initial_cwnd_in_packets,
+             QuicPacketCount max_cwnd_in_packets,
+             QuicRandom* random,
+             QuicConnectionStats* /*stats*/);
+
+  ~Bbr2Sender() override = default;
+
+  // Start implementation of SendAlgorithmInterface.
+  bool InSlowStart() const override { return mode_ == Bbr2Mode::STARTUP; }
+
+  bool InRecovery() const override {
+    // TODO(wub): Implement Recovery.
+    return false;
+  }
+
+  bool ShouldSendProbingPacket() const override;
+
+  void SetFromConfig(const QuicConfig& config,
+                     Perspective perspective) override;
+
+  void AdjustNetworkParameters(QuicBandwidth bandwidth,
+                               QuicTime::Delta rtt,
+                               bool allow_cwnd_to_decrease) override;
+
+  void SetInitialCongestionWindowInPackets(
+      QuicPacketCount congestion_window) override;
+
+  void OnCongestionEvent(bool rtt_updated,
+                         QuicByteCount prior_in_flight,
+                         QuicTime event_time,
+                         const AckedPacketVector& acked_packets,
+                         const LostPacketVector& lost_packets) override;
+
+  void OnPacketSent(QuicTime sent_time,
+                    QuicByteCount bytes_in_flight,
+                    QuicPacketNumber packet_number,
+                    QuicByteCount bytes,
+                    HasRetransmittableData is_retransmittable) override;
+
+  void OnRetransmissionTimeout(bool /*packets_retransmitted*/) override {}
+
+  void OnConnectionMigration() override {}
+
+  bool CanSend(QuicByteCount bytes_in_flight) override;
+
+  QuicBandwidth PacingRate(QuicByteCount bytes_in_flight) const override;
+
+  QuicBandwidth BandwidthEstimate() const override {
+    return model_.BandwidthEstimate();
+  }
+
+  QuicByteCount GetCongestionWindow() const override;
+
+  QuicByteCount GetSlowStartThreshold() const override { return 0; }
+
+  CongestionControlType GetCongestionControlType() const override {
+    return kBBRv2;
+  }
+
+  std::string GetDebugState() const override;
+
+  void OnApplicationLimited(QuicByteCount bytes_in_flight) override;
+  // End implementation of SendAlgorithmInterface.
+
+  const Bbr2Params& Params() const { return params_; }
+
+  QuicByteCount GetMinimumCongestionWindow() const {
+    return cwnd_limits().Min();
+  }
+
+  struct DebugState {
+    Bbr2Mode mode;
+
+    // Shared states.
+    QuicRoundTripCount round_trip_count;
+    QuicBandwidth bandwidth_hi = QuicBandwidth::Zero();
+    QuicBandwidth bandwidth_lo = QuicBandwidth::Zero();
+    QuicBandwidth bandwidth_est = QuicBandwidth::Zero();
+    QuicTime::Delta min_rtt = QuicTime::Delta::Zero();
+    QuicTime min_rtt_timestamp = QuicTime::Zero();
+    QuicByteCount congestion_window;
+    QuicBandwidth pacing_rate = QuicBandwidth::Zero();
+    bool last_sample_is_app_limited;
+    QuicPacketNumber end_of_app_limited_phase;
+
+    // Mode-specific debug states.
+    Bbr2StartupMode::DebugState startup;
+    Bbr2DrainMode::DebugState drain;
+    Bbr2ProbeBwMode::DebugState probe_bw;
+    Bbr2ProbeRttMode::DebugState probe_rtt;
+  };
+
+  DebugState ExportDebugState() const;
+
+ private:
+  void UpdatePacingRate(QuicByteCount bytes_acked);
+  void UpdateCongestionWindow(QuicByteCount bytes_acked);
+  QuicByteCount GetTargetCongestionWindow(float gain) const;
+
+  // Helper function for BBR2_MODE_DISPATCH.
+  Bbr2ProbeRttMode& probe_rtt_or_die() {
+    DCHECK_EQ(mode_, Bbr2Mode::PROBE_RTT);
+    return probe_rtt_;
+  }
+
+  const Bbr2ProbeRttMode& probe_rtt_or_die() const {
+    DCHECK_EQ(mode_, Bbr2Mode::PROBE_RTT);
+    return probe_rtt_;
+  }
+
+  uint64_t RandomUint64(uint64_t max) const {
+    return random_->RandUint64() % max;
+  }
+
+  // Returns true if there are enough bytes in flight to ensure more bandwidth
+  // will be observed if present.
+  bool IsPipeSufficientlyFull() const;
+
+  // Cwnd limits imposed by the current Bbr2 mode.
+  Limits<QuicByteCount> GetCwndLimitsByMode() const;
+
+  // Cwnd limits imposed by caller.
+  const Limits<QuicByteCount>& cwnd_limits() const;
+
+  Bbr2Mode mode_;
+
+  const RttStats* const rtt_stats_;
+  const QuicUnackedPacketMap* const unacked_packets_;
+  QuicRandom* random_;
+
+  const Bbr2Params params_;
+
+  Bbr2NetworkModel model_;
+
+  // Current cwnd and pacing rate.
+  QuicByteCount cwnd_;
+  QuicBandwidth pacing_rate_;
+
+  Bbr2StartupMode startup_;
+  Bbr2DrainMode drain_;
+  Bbr2ProbeBwMode probe_bw_;
+  Bbr2ProbeRttMode probe_rtt_;
+
+  // Indicates app-limited calls should be ignored as long as there's
+  // enough data inflight to see more bandwidth when necessary.
+  bool flexible_app_limited_;
+
+  // Debug only.
+  bool last_sample_is_app_limited_;
+
+  friend class Bbr2StartupMode;
+  friend class Bbr2DrainMode;
+  friend class Bbr2ProbeBwMode;
+  friend class Bbr2ProbeRttMode;
+};
+
+QUIC_EXPORT_PRIVATE std::ostream& operator<<(
+    std::ostream& os,
+    const Bbr2Sender::DebugState& state);
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_SENDER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_simulator_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_simulator_test.cc
new file mode 100644
index 00000000000..736327fc0d4
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_simulator_test.cc
@@ -0,0 +1,1014 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <sstream>
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/link.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/simulator.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/switch.h"
+
+namespace quic {
+
+using CyclePhase = Bbr2ProbeBwMode::CyclePhase;
+
+namespace test {
+
+// Use the initial CWND of 10, as 32 is too much for the test network.
+const uint32_t kDefaultInitialCwndPackets = 10;
+const uint32_t kDefaultInitialCwndBytes =
+    kDefaultInitialCwndPackets * kDefaultTCPMSS;
+
+struct LinkParams {
+ public:
+  LinkParams(int64_t kilo_bits_per_sec, int64_t delay_us)
+      : bandwidth(QuicBandwidth::FromKBitsPerSecond(kilo_bits_per_sec)),
+        delay(QuicTime::Delta::FromMicroseconds(delay_us)) {}
+  QuicBandwidth bandwidth;
+  QuicTime::Delta delay;
+};
+
+// All Bbr2DefaultTopologyTests uses the default network topology:
+//
+//            Sender
+//               |
+//               |  <-- local_link
+//               |
+//        Network switch
+//               *  <-- the bottleneck queue in the direction
+//               |          of the receiver
+//               |
+//               |  <-- test_link
+//               |
+//               |
+//           Receiver
+class DefaultTopologyParams {
+ public:
+  LinkParams local_link = {10000, 2000};
+  LinkParams test_link = {4000, 30000};
+
+  const simulator::SwitchPortNumber switch_port_count = 2;
+  // Network switch queue capacity, in number of BDPs.
+  float switch_queue_capacity_in_bdp = 2;
+
+  QuicBandwidth BottleneckBandwidth() const {
+    return std::min(local_link.bandwidth, test_link.bandwidth);
+  }
+
+  // Round trip time of a single full size packet.
+  QuicTime::Delta RTT() const {
+    return 2 * (local_link.delay + test_link.delay +
+                local_link.bandwidth.TransferTime(kMaxOutgoingPacketSize) +
+                test_link.bandwidth.TransferTime(kMaxOutgoingPacketSize));
+  }
+
+  QuicByteCount BDP() const { return BottleneckBandwidth() * RTT(); }
+
+  QuicByteCount SwitchQueueCapacity() const {
+    return switch_queue_capacity_in_bdp * BDP();
+  }
+
+  std::string ToString() const {
+    std::ostringstream os;
+    os << "{ BottleneckBandwidth: " << BottleneckBandwidth()
+       << " RTT: " << RTT() << " BDP: " << BDP()
+       << " BottleneckQueueSize: " << SwitchQueueCapacity() << "}";
+    return os.str();
+  }
+};
+
+class Bbr2SimulatorTest : public QuicTest {
+ protected:
+  Bbr2SimulatorTest() {
+    // Disable Ack Decimation by default, because it can significantly increase
+    // srtt. Individual test can enable it via QuicConnectionPeer::SetAckMode().
+    SetQuicReloadableFlag(quic_enable_ack_decimation, false);
+  }
+};
+
+class Bbr2DefaultTopologyTest : public Bbr2SimulatorTest {
+ protected:
+  Bbr2DefaultTopologyTest()
+      : sender_endpoint_(&simulator_,
+                         "Sender",
+                         "Receiver",
+                         Perspective::IS_CLIENT,
+                         TestConnectionId(42)),
+        receiver_endpoint_(&simulator_,
+                           "Receiver",
+                           "Sender",
+                           Perspective::IS_SERVER,
+                           TestConnectionId(42)) {
+    sender_ = SetupBbr2Sender(&sender_endpoint_);
+
+    uint64_t seed = QuicRandom::GetInstance()->RandUint64();
+    random_.set_seed(seed);
+    QUIC_LOG(INFO) << "Bbr2DefaultTopologyTest set up.  Seed: " << seed;
+
+    simulator_.set_random_generator(&random_);
+  }
+
+  ~Bbr2DefaultTopologyTest() {
+    const auto* test_info =
+        ::testing::UnitTest::GetInstance()->current_test_info();
+    QUIC_LOG(INFO) << "Bbr2DefaultTopologyTest." << test_info->name()
+                   << " completed at simulated time: "
+                   << SimulatedNow().ToDebuggingValue() / 1e6 << " sec.";
+  }
+
+  Bbr2Sender* SetupBbr2Sender(simulator::QuicEndpoint* endpoint) {
+    // Ownership of the sender will be overtaken by the endpoint.
+    Bbr2Sender* sender = new Bbr2Sender(
+        endpoint->connection()->clock()->Now(),
+        endpoint->connection()->sent_packet_manager().GetRttStats(),
+        QuicSentPacketManagerPeer::GetUnackedPacketMap(
+            QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
+        kDefaultInitialCwndPackets, kDefaultMaxCongestionWindowPackets,
+        &random_, QuicConnectionPeer::GetStats(endpoint->connection()));
+    QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
+    endpoint->RecordTrace();
+    return sender;
+  }
+
+  void CreateNetwork(const DefaultTopologyParams& params) {
+    QUIC_LOG(INFO) << "CreateNetwork with parameters: " << params.ToString();
+    switch_ = QuicMakeUnique<simulator::Switch>(&simulator_, "Switch",
+                                                params.switch_port_count,
+                                                params.SwitchQueueCapacity());
+
+    // WARNING: The order to add links to network_links_ matters, because some
+    // tests adjusts the link bandwidth on the fly.
+
+    // Local link connects sender and port 1.
+    network_links_.push_back(QuicMakeUnique<simulator::SymmetricLink>(
+        &sender_endpoint_, switch_->port(1), params.local_link.bandwidth,
+        params.local_link.delay));
+
+    // Test link connects receiver and port 2.
+    network_links_.push_back(QuicMakeUnique<simulator::SymmetricLink>(
+        &receiver_endpoint_, switch_->port(2), params.test_link.bandwidth,
+        params.test_link.delay));
+  }
+
+  simulator::SymmetricLink* TestLink() { return network_links_[1].get(); }
+
+  void DoSimpleTransfer(QuicByteCount transfer_size, QuicTime::Delta timeout) {
+    sender_endpoint_.AddBytesToTransfer(transfer_size);
+    // TODO(wub): consider rewriting this to run until the receiver actually
+    // receives the intended amount of bytes.
+    bool simulator_result = simulator_.RunUntilOrTimeout(
+        [this]() { return sender_endpoint_.bytes_to_transfer() == 0; },
+        timeout);
+    EXPECT_TRUE(simulator_result)
+        << "Simple transfer failed.  Bytes remaining: "
+        << sender_endpoint_.bytes_to_transfer();
+    QUIC_LOG(INFO) << "Simple transfer state: " << sender_->ExportDebugState();
+  }
+
+  // Drive the simulator by sending enough data to enter PROBE_BW.
+  void DriveOutOfStartup(const DefaultTopologyParams& params) {
+    ASSERT_FALSE(sender_->ExportDebugState().startup.full_bandwidth_reached);
+    DoSimpleTransfer(1024 * 1024, QuicTime::Delta::FromSeconds(15));
+    EXPECT_EQ(Bbr2Mode::PROBE_BW, sender_->ExportDebugState().mode);
+    EXPECT_APPROX_EQ(params.BottleneckBandwidth(),
+                     sender_->ExportDebugState().bandwidth_hi, 0.02f);
+  }
+
+  // Send |bytes|-sized bursts of data |number_of_bursts| times, waiting for
+  // |wait_time| between each burst.
+  void SendBursts(const DefaultTopologyParams& params,
+                  size_t number_of_bursts,
+                  QuicByteCount bytes,
+                  QuicTime::Delta wait_time) {
+    ASSERT_EQ(0u, sender_endpoint_.bytes_to_transfer());
+    for (size_t i = 0; i < number_of_bursts; i++) {
+      sender_endpoint_.AddBytesToTransfer(bytes);
+
+      // Transfer data and wait for three seconds between each transfer.
+      simulator_.RunFor(wait_time);
+
+      // Ensure the connection did not time out.
+      ASSERT_TRUE(sender_endpoint_.connection()->connected());
+      ASSERT_TRUE(receiver_endpoint_.connection()->connected());
+    }
+
+    simulator_.RunFor(wait_time + params.RTT());
+    ASSERT_EQ(0u, sender_endpoint_.bytes_to_transfer());
+  }
+
+  template <class TerminationPredicate>
+  bool SendUntilOrTimeout(TerminationPredicate termination_predicate,
+                          QuicTime::Delta timeout) {
+    EXPECT_EQ(0u, sender_endpoint_.bytes_to_transfer());
+    const QuicTime deadline = SimulatedNow() + timeout;
+    do {
+      sender_endpoint_.AddBytesToTransfer(4 * kDefaultTCPMSS);
+      if (simulator_.RunUntilOrTimeout(
+              [this]() { return sender_endpoint_.bytes_to_transfer() == 0; },
+              deadline - SimulatedNow()) &&
+          termination_predicate()) {
+        return true;
+      }
+    } while (SimulatedNow() < deadline);
+    return false;
+  }
+
+  void EnableAggregation(QuicByteCount aggregation_bytes,
+                         QuicTime::Delta aggregation_timeout) {
+    switch_->port_queue(1)->EnableAggregation(aggregation_bytes,
+                                              aggregation_timeout);
+  }
+
+  bool Bbr2ModeIsOneOf(const std::vector<Bbr2Mode>& expected_modes) const {
+    const Bbr2Mode mode = sender_->ExportDebugState().mode;
+    for (Bbr2Mode expected_mode : expected_modes) {
+      if (mode == expected_mode) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  QuicTime SimulatedNow() const { return simulator_.GetClock()->Now(); }
+
+  const RttStats* rtt_stats() {
+    return sender_endpoint_.connection()->sent_packet_manager().GetRttStats();
+  }
+
+  QuicConnection* sender_connection() { return sender_endpoint_.connection(); }
+
+  const QuicConnectionStats& sender_connection_stats() {
+    return sender_connection()->GetStats();
+  }
+
+  float sender_loss_rate_in_packets() {
+    return static_cast<float>(sender_connection_stats().packets_lost) /
+           sender_connection_stats().packets_sent;
+  }
+
+  simulator::Simulator simulator_;
+  simulator::QuicEndpoint sender_endpoint_;
+  simulator::QuicEndpoint receiver_endpoint_;
+  Bbr2Sender* sender_;
+  SimpleRandom random_;
+
+  std::unique_ptr<simulator::Switch> switch_;
+  std::vector<std::unique_ptr<simulator::SymmetricLink>> network_links_;
+};
+
+TEST_F(Bbr2DefaultTopologyTest, NormalStartup) {
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+
+  // Run until the full bandwidth is reached and check how many rounds it was.
+  sender_endpoint_.AddBytesToTransfer(12 * 1024 * 1024);
+  QuicRoundTripCount max_bw_round = 0;
+  QuicBandwidth max_bw(QuicBandwidth::Zero());
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this, &max_bw, &max_bw_round]() {
+        if (max_bw < sender_->ExportDebugState().bandwidth_hi) {
+          max_bw = sender_->ExportDebugState().bandwidth_hi;
+          max_bw_round = sender_->ExportDebugState().round_trip_count;
+        }
+        return sender_->ExportDebugState().startup.full_bandwidth_reached;
+      },
+      QuicTime::Delta::FromSeconds(5));
+  ASSERT_TRUE(simulator_result);
+  EXPECT_EQ(Bbr2Mode::DRAIN, sender_->ExportDebugState().mode);
+  EXPECT_EQ(3u, sender_->ExportDebugState().round_trip_count - max_bw_round);
+  EXPECT_EQ(
+      3u,
+      sender_->ExportDebugState().startup.round_trips_without_bandwidth_growth);
+  EXPECT_EQ(0u, sender_connection_stats().packets_lost);
+  EXPECT_FALSE(sender_->ExportDebugState().last_sample_is_app_limited);
+}
+
+// Test a simple long data transfer in the default setup.
+TEST_F(Bbr2DefaultTopologyTest, SimpleTransfer) {
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+
+  // At startup make sure we are at the default.
+  EXPECT_EQ(kDefaultInitialCwndBytes, sender_->GetCongestionWindow());
+  // At startup make sure we can send.
+  EXPECT_TRUE(sender_->CanSend(0));
+  // And that window is un-affected.
+  EXPECT_EQ(kDefaultInitialCwndBytes, sender_->GetCongestionWindow());
+
+  // Verify that Sender is in slow start.
+  EXPECT_TRUE(sender_->InSlowStart());
+
+  // Verify that pacing rate is based on the initial RTT.
+  QuicBandwidth expected_pacing_rate = QuicBandwidth::FromBytesAndTimeDelta(
+      2.885 * kDefaultInitialCwndBytes, rtt_stats()->initial_rtt());
+  EXPECT_APPROX_EQ(expected_pacing_rate.ToBitsPerSecond(),
+                   sender_->PacingRate(0).ToBitsPerSecond(), 0.01f);
+
+  ASSERT_GE(params.BDP(), kDefaultInitialCwndBytes + kDefaultTCPMSS);
+
+  DoSimpleTransfer(12 * 1024 * 1024, QuicTime::Delta::FromSeconds(30));
+  EXPECT_TRUE(Bbr2ModeIsOneOf({Bbr2Mode::PROBE_BW, Bbr2Mode::PROBE_RTT}));
+  EXPECT_EQ(0u, sender_connection_stats().packets_lost);
+  EXPECT_FALSE(sender_->ExportDebugState().last_sample_is_app_limited);
+
+  // The margin here is quite high, since there exists a possibility that the
+  // connection just exited high gain cycle.
+  EXPECT_APPROX_EQ(params.RTT(), rtt_stats()->smoothed_rtt(), 0.2f);
+}
+
+TEST_F(Bbr2DefaultTopologyTest, SimpleTransferSmallBuffer) {
+  DefaultTopologyParams params;
+  params.switch_queue_capacity_in_bdp = 0.5;
+  CreateNetwork(params);
+
+  DoSimpleTransfer(12 * 1024 * 1024, QuicTime::Delta::FromSeconds(30));
+  EXPECT_TRUE(Bbr2ModeIsOneOf({Bbr2Mode::PROBE_BW, Bbr2Mode::PROBE_RTT}));
+  EXPECT_APPROX_EQ(params.BottleneckBandwidth(),
+                   sender_->ExportDebugState().bandwidth_hi, 0.01f);
+  EXPECT_GE(sender_connection_stats().packets_lost, 0u);
+  EXPECT_FALSE(sender_->ExportDebugState().last_sample_is_app_limited);
+}
+
+TEST_F(Bbr2DefaultTopologyTest, SimpleTransfer2RTTAggregationBytes) {
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+  // 2 RTTs of aggregation, with a max of 10kb.
+  EnableAggregation(10 * 1024, 2 * params.RTT());
+
+  // Transfer 12MB.
+  DoSimpleTransfer(12 * 1024 * 1024, QuicTime::Delta::FromSeconds(35));
+  EXPECT_TRUE(Bbr2ModeIsOneOf({Bbr2Mode::PROBE_BW, Bbr2Mode::PROBE_RTT}));
+
+  EXPECT_LE(params.BottleneckBandwidth() * 0.99f,
+            sender_->ExportDebugState().bandwidth_hi);
+  // TODO(b/36022633): Bandwidth sampler overestimates with aggregation.
+  EXPECT_GE(params.BottleneckBandwidth() * 1.5f,
+            sender_->ExportDebugState().bandwidth_hi);
+  EXPECT_LE(sender_loss_rate_in_packets(), 0.05);
+  // The margin here is high, because the aggregation greatly increases
+  // smoothed rtt.
+  EXPECT_GE(params.RTT() * 4, rtt_stats()->smoothed_rtt());
+  EXPECT_APPROX_EQ(params.RTT(), rtt_stats()->min_rtt(), 0.2f);
+}
+
+TEST_F(Bbr2DefaultTopologyTest, SimpleTransferAckDecimation) {
+  // Enable Ack Decimation on the receiver.
+  QuicConnectionPeer::SetAckMode(receiver_endpoint_.connection(),
+                                 AckMode::ACK_DECIMATION);
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+
+  // Transfer 12MB.
+  DoSimpleTransfer(12 * 1024 * 1024, QuicTime::Delta::FromSeconds(35));
+  EXPECT_TRUE(Bbr2ModeIsOneOf({Bbr2Mode::PROBE_BW, Bbr2Mode::PROBE_RTT}));
+
+  EXPECT_LE(params.BottleneckBandwidth() * 0.99f,
+            sender_->ExportDebugState().bandwidth_hi);
+  // TODO(b/36022633): Bandwidth sampler overestimates with aggregation.
+  EXPECT_GE(params.BottleneckBandwidth() * 1.1f,
+            sender_->ExportDebugState().bandwidth_hi);
+  EXPECT_LE(sender_loss_rate_in_packets(), 0.001);
+  EXPECT_FALSE(sender_->ExportDebugState().last_sample_is_app_limited);
+  // The margin here is high, because the aggregation greatly increases
+  // smoothed rtt.
+  EXPECT_GE(params.RTT() * 2, rtt_stats()->smoothed_rtt());
+  EXPECT_APPROX_EQ(params.RTT(), rtt_stats()->min_rtt(), 0.1f);
+}
+
+// Test Bbr2's reaction to a 100x bandwidth decrease during a transfer.
+TEST_F(Bbr2DefaultTopologyTest, BandwidthDecrease) {
+  DefaultTopologyParams params;
+  params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
+  params.test_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(10000);
+  CreateNetwork(params);
+
+  sender_endpoint_.AddBytesToTransfer(20 * 1024 * 1024);
+
+  // We can transfer ~12MB in the first 10 seconds. The rest ~8MB needs about
+  // 640 seconds.
+  simulator_.RunFor(QuicTime::Delta::FromSeconds(10));
+  EXPECT_TRUE(Bbr2ModeIsOneOf({Bbr2Mode::PROBE_BW, Bbr2Mode::PROBE_RTT}));
+  QUIC_LOG(INFO) << "Bandwidth decreasing at time " << SimulatedNow();
+
+  EXPECT_APPROX_EQ(params.test_link.bandwidth,
+                   sender_->ExportDebugState().bandwidth_est, 0.1f);
+  EXPECT_EQ(0u, sender_connection_stats().packets_lost);
+
+  // Now decrease the bottleneck bandwidth from 10Mbps to 100Kbps.
+  params.test_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(100);
+  TestLink()->set_bandwidth(params.test_link.bandwidth);
+
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() { return sender_endpoint_.bytes_to_transfer() == 0; },
+      QuicTime::Delta::FromSeconds(800));
+  EXPECT_TRUE(simulator_result);
+}
+
+// Test Bbr2's reaction to a 100x bandwidth increase during a transfer.
+TEST_F(Bbr2DefaultTopologyTest, BandwidthIncrease) {
+  DefaultTopologyParams params;
+  params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
+  params.test_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(100);
+  CreateNetwork(params);
+
+  sender_endpoint_.AddBytesToTransfer(20 * 1024 * 1024);
+
+  simulator_.RunFor(QuicTime::Delta::FromSeconds(10));
+  EXPECT_TRUE(Bbr2ModeIsOneOf({Bbr2Mode::PROBE_BW, Bbr2Mode::PROBE_RTT}));
+  QUIC_LOG(INFO) << "Bandwidth increasing at time " << SimulatedNow();
+
+  EXPECT_APPROX_EQ(params.test_link.bandwidth,
+                   sender_->ExportDebugState().bandwidth_est, 0.1f);
+  EXPECT_LE(sender_loss_rate_in_packets(), 0.20);
+
+  // Now increase the bottleneck bandwidth from 100Kbps to 10Mbps.
+  params.test_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(10000);
+  TestLink()->set_bandwidth(params.test_link.bandwidth);
+
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() { return sender_endpoint_.bytes_to_transfer() == 0; },
+      QuicTime::Delta::FromSeconds(50));
+  EXPECT_TRUE(simulator_result);
+}
+
+// Test the number of losses incurred by the startup phase in a situation when
+// the buffer is less than BDP.
+TEST_F(Bbr2DefaultTopologyTest, PacketLossOnSmallBufferStartup) {
+  DefaultTopologyParams params;
+  params.switch_queue_capacity_in_bdp = 0.5;
+  CreateNetwork(params);
+
+  DriveOutOfStartup(params);
+  EXPECT_LE(sender_loss_rate_in_packets(), 0.20);
+}
+
+// Verify the behavior of the algorithm in the case when the connection sends
+// small bursts of data after sending continuously for a while.
+TEST_F(Bbr2DefaultTopologyTest, ApplicationLimitedBursts) {
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+
+  DriveOutOfStartup(params);
+  EXPECT_FALSE(sender_->ExportDebugState().last_sample_is_app_limited);
+
+  SendBursts(params, 20, 512, QuicTime::Delta::FromSeconds(3));
+  EXPECT_TRUE(sender_->ExportDebugState().last_sample_is_app_limited);
+  EXPECT_APPROX_EQ(params.BottleneckBandwidth(),
+                   sender_->ExportDebugState().bandwidth_hi, 0.01f);
+}
+
+// Verify the behavior of the algorithm in the case when the connection sends
+// small bursts of data and then starts sending continuously.
+TEST_F(Bbr2DefaultTopologyTest, ApplicationLimitedBurstsWithoutPrior) {
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+
+  SendBursts(params, 40, 512, QuicTime::Delta::FromSeconds(3));
+  EXPECT_TRUE(sender_->ExportDebugState().last_sample_is_app_limited);
+
+  DriveOutOfStartup(params);
+  EXPECT_APPROX_EQ(params.BottleneckBandwidth(),
+                   sender_->ExportDebugState().bandwidth_hi, 0.01f);
+  EXPECT_FALSE(sender_->ExportDebugState().last_sample_is_app_limited);
+}
+
+// Verify that the DRAIN phase works correctly.
+TEST_F(Bbr2DefaultTopologyTest, Drain) {
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+
+  const QuicTime::Delta timeout = QuicTime::Delta::FromSeconds(10);
+  // Get the queue at the bottleneck, which is the outgoing queue at the port to
+  // which the receiver is connected.
+  const simulator::Queue* queue = switch_->port_queue(2);
+  bool simulator_result;
+
+  // We have no intention of ever finishing this transfer.
+  sender_endpoint_.AddBytesToTransfer(100 * 1024 * 1024);
+
+  // Run the startup, and verify that it fills up the queue.
+  ASSERT_EQ(Bbr2Mode::STARTUP, sender_->ExportDebugState().mode);
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return sender_->ExportDebugState().mode != Bbr2Mode::STARTUP;
+      },
+      timeout);
+  ASSERT_TRUE(simulator_result);
+  ASSERT_EQ(Bbr2Mode::DRAIN, sender_->ExportDebugState().mode);
+  EXPECT_APPROX_EQ(sender_->BandwidthEstimate() * (1 / 2.885f),
+                   sender_->PacingRate(0), 0.01f);
+  // BBR uses CWND gain of 2.88 during STARTUP, hence it will fill the buffer
+  // with approximately 1.88 BDPs.  Here, we use 1.5 to give some margin for
+  // error.
+  EXPECT_GE(queue->bytes_queued(), 1.5 * params.BDP());
+
+  // Observe increased RTT due to bufferbloat.
+  const QuicTime::Delta queueing_delay =
+      params.test_link.bandwidth.TransferTime(queue->bytes_queued());
+  EXPECT_APPROX_EQ(params.RTT() + queueing_delay, rtt_stats()->latest_rtt(),
+                   0.1f);
+
+  // Transition to the drain phase and verify that it makes the queue
+  // have at most a BDP worth of packets.
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() { return sender_->ExportDebugState().mode != Bbr2Mode::DRAIN; },
+      timeout);
+  ASSERT_TRUE(simulator_result);
+  ASSERT_EQ(Bbr2Mode::PROBE_BW, sender_->ExportDebugState().mode);
+  EXPECT_LE(queue->bytes_queued(), params.BDP());
+
+  // Wait for a few round trips and ensure we're in appropriate phase of gain
+  // cycling before taking an RTT measurement.
+  const QuicRoundTripCount start_round_trip =
+      sender_->ExportDebugState().round_trip_count;
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this, start_round_trip]() {
+        const auto& debug_state = sender_->ExportDebugState();
+        QuicRoundTripCount rounds_passed =
+            debug_state.round_trip_count - start_round_trip;
+        return rounds_passed >= 4 && debug_state.mode == Bbr2Mode::PROBE_BW &&
+               debug_state.probe_bw.phase == CyclePhase::PROBE_REFILL;
+      },
+      timeout);
+  ASSERT_TRUE(simulator_result);
+
+  // Observe the bufferbloat go away.
+  EXPECT_APPROX_EQ(params.RTT(), rtt_stats()->smoothed_rtt(), 0.1f);
+}
+
+// Ensure that a connection that is app-limited and is at sufficiently low
+// bandwidth will not exit high gain phase, and similarly ensure that the
+// connection will exit low gain early if the number of bytes in flight is low.
+TEST_F(Bbr2DefaultTopologyTest, InFlightAwareGainCycling) {
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+  DriveOutOfStartup(params);
+
+  const QuicTime::Delta timeout = QuicTime::Delta::FromSeconds(5);
+  bool simulator_result;
+
+  // Start a few cycles prior to the high gain one.
+  simulator_result = SendUntilOrTimeout(
+      [this]() {
+        return sender_->ExportDebugState().probe_bw.phase ==
+               CyclePhase::PROBE_REFILL;
+      },
+      timeout);
+  ASSERT_TRUE(simulator_result);
+
+  // Send at 10% of available rate.  Run for 3 seconds, checking in the middle
+  // and at the end.  The pacing gain should be high throughout.
+  QuicBandwidth target_bandwidth = 0.1f * params.BottleneckBandwidth();
+  QuicTime::Delta burst_interval = QuicTime::Delta::FromMilliseconds(300);
+  for (int i = 0; i < 2; i++) {
+    SendBursts(params, 5, target_bandwidth * burst_interval, burst_interval);
+    EXPECT_EQ(Bbr2Mode::PROBE_BW, sender_->ExportDebugState().mode);
+    EXPECT_EQ(CyclePhase::PROBE_UP, sender_->ExportDebugState().probe_bw.phase);
+    EXPECT_APPROX_EQ(params.BottleneckBandwidth(),
+                     sender_->ExportDebugState().bandwidth_hi, 0.01f);
+  }
+
+  // Now that in-flight is almost zero and the pacing gain is still above 1,
+  // send approximately 1.25 BDPs worth of data.  This should cause the
+  // PROBE_BW mode to enter low gain cycle(PROBE_DOWN), and exit it earlier than
+  // one min_rtt due to running out of data to send.
+  sender_endpoint_.AddBytesToTransfer(1.3 * params.BDP());
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return sender_->ExportDebugState().probe_bw.phase ==
+               CyclePhase::PROBE_DOWN;
+      },
+      timeout);
+  ASSERT_TRUE(simulator_result);
+  simulator_.RunFor(0.75 * sender_->ExportDebugState().min_rtt);
+  EXPECT_EQ(Bbr2Mode::PROBE_BW, sender_->ExportDebugState().mode);
+  EXPECT_EQ(CyclePhase::PROBE_CRUISE,
+            sender_->ExportDebugState().probe_bw.phase);
+}
+
+// Test exiting STARTUP earlier upon loss due to loss.
+TEST_F(Bbr2DefaultTopologyTest, ExitStartupDueToLoss) {
+  DefaultTopologyParams params;
+  params.switch_queue_capacity_in_bdp = 0.5;
+  CreateNetwork(params);
+
+  // Run until the full bandwidth is reached and check how many rounds it was.
+  sender_endpoint_.AddBytesToTransfer(12 * 1024 * 1024);
+  QuicRoundTripCount max_bw_round = 0;
+  QuicBandwidth max_bw(QuicBandwidth::Zero());
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this, &max_bw, &max_bw_round]() {
+        if (max_bw < sender_->ExportDebugState().bandwidth_hi) {
+          max_bw = sender_->ExportDebugState().bandwidth_hi;
+          max_bw_round = sender_->ExportDebugState().round_trip_count;
+        }
+        return sender_->ExportDebugState().startup.full_bandwidth_reached;
+      },
+      QuicTime::Delta::FromSeconds(5));
+  ASSERT_TRUE(simulator_result);
+  EXPECT_EQ(Bbr2Mode::DRAIN, sender_->ExportDebugState().mode);
+  EXPECT_GE(2u, sender_->ExportDebugState().round_trip_count - max_bw_round);
+  EXPECT_EQ(
+      1u,
+      sender_->ExportDebugState().startup.round_trips_without_bandwidth_growth);
+  EXPECT_NE(0u, sender_connection_stats().packets_lost);
+  EXPECT_FALSE(sender_->ExportDebugState().last_sample_is_app_limited);
+}
+
+// All Bbr2MultiSenderTests uses the following network topology:
+//
+//   Sender 0  (A Bbr2Sender)
+//       |
+//       | <-- local_links[0]
+//       |
+//       |  Sender N (1 <= N < kNumLocalLinks) (May or may not be a Bbr2Sender)
+//       |      |
+//       |      | <-- local_links[N]
+//       |      |
+//    Network switch
+//           *  <-- the bottleneck queue in the direction
+//           |          of the receiver
+//           |
+//           |  <-- test_link
+//           |
+//           |
+//       Receiver
+class MultiSenderTopologyParams {
+ public:
+  static const size_t kNumLocalLinks = 8;
+  std::array<LinkParams, kNumLocalLinks> local_links = {
+      LinkParams(10000, 1987), LinkParams(10000, 1993), LinkParams(10000, 1997),
+      LinkParams(10000, 1999), LinkParams(10000, 2003), LinkParams(10000, 2011),
+      LinkParams(10000, 2017), LinkParams(10000, 2027),
+  };
+
+  LinkParams test_link = LinkParams(4000, 30000);
+
+  const simulator::SwitchPortNumber switch_port_count = kNumLocalLinks + 1;
+
+  // Network switch queue capacity, in number of BDPs.
+  float switch_queue_capacity_in_bdp = 2;
+
+  QuicBandwidth BottleneckBandwidth() const {
+    // Make sure all local links have a higher bandwidth than the test link.
+    for (size_t i = 0; i < local_links.size(); ++i) {
+      CHECK_GT(local_links[i].bandwidth, test_link.bandwidth);
+    }
+    return test_link.bandwidth;
+  }
+
+  // Sender n's round trip time of a single full size packet.
+  QuicTime::Delta Rtt(size_t n) const {
+    return 2 * (local_links[n].delay + test_link.delay +
+                local_links[n].bandwidth.TransferTime(kMaxOutgoingPacketSize) +
+                test_link.bandwidth.TransferTime(kMaxOutgoingPacketSize));
+  }
+
+  QuicByteCount Bdp(size_t n) const { return BottleneckBandwidth() * Rtt(n); }
+
+  QuicByteCount SwitchQueueCapacity() const {
+    return switch_queue_capacity_in_bdp * Bdp(1);
+  }
+
+  std::string ToString() const {
+    std::ostringstream os;
+    os << "{ BottleneckBandwidth: " << BottleneckBandwidth();
+    for (size_t i = 0; i < local_links.size(); ++i) {
+      os << " RTT_" << i << ": " << Rtt(i) << " BDP_" << i << ": " << Bdp(i);
+    }
+    os << " BottleneckQueueSize: " << SwitchQueueCapacity() << "}";
+    return os.str();
+  }
+};
+
+class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
+ protected:
+  Bbr2MultiSenderTest() {
+    uint64_t first_connection_id = 42;
+    std::vector<simulator::QuicEndpoint*> receiver_endpoint_pointers;
+    for (size_t i = 0; i < MultiSenderTopologyParams::kNumLocalLinks; ++i) {
+      std::string sender_name = QuicStrCat("Sender", i + 1);
+      std::string receiver_name = QuicStrCat("Receiver", i + 1);
+      sender_endpoints_.push_back(QuicMakeUnique<simulator::QuicEndpoint>(
+          &simulator_, sender_name, receiver_name, Perspective::IS_CLIENT,
+          TestConnectionId(first_connection_id + i)));
+      receiver_endpoints_.push_back(QuicMakeUnique<simulator::QuicEndpoint>(
+          &simulator_, receiver_name, sender_name, Perspective::IS_SERVER,
+          TestConnectionId(first_connection_id + i)));
+      receiver_endpoint_pointers.push_back(receiver_endpoints_.back().get());
+    }
+    receiver_multiplexer_ = QuicMakeUnique<simulator::QuicEndpointMultiplexer>(
+        "Receiver multiplexer", receiver_endpoint_pointers);
+    sender_1_ = SetupBbr2Sender(sender_endpoints_[0].get());
+
+    uint64_t seed = QuicRandom::GetInstance()->RandUint64();
+    random_.set_seed(seed);
+    QUIC_LOG(INFO) << "Bbr2MultiSenderTest set up.  Seed: " << seed;
+
+    simulator_.set_random_generator(&random_);
+  }
+
+  ~Bbr2MultiSenderTest() {
+    const auto* test_info =
+        ::testing::UnitTest::GetInstance()->current_test_info();
+    QUIC_LOG(INFO) << "Bbr2MultiSenderTest." << test_info->name()
+                   << " completed at simulated time: "
+                   << SimulatedNow().ToDebuggingValue() / 1e6 << " sec.";
+  }
+
+  Bbr2Sender* SetupBbr2Sender(simulator::QuicEndpoint* endpoint) {
+    // Ownership of the sender will be overtaken by the endpoint.
+    Bbr2Sender* sender = new Bbr2Sender(
+        endpoint->connection()->clock()->Now(),
+        endpoint->connection()->sent_packet_manager().GetRttStats(),
+        QuicSentPacketManagerPeer::GetUnackedPacketMap(
+            QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
+        kDefaultInitialCwndPackets, kDefaultMaxCongestionWindowPackets,
+        &random_, QuicConnectionPeer::GetStats(endpoint->connection()));
+    QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
+    endpoint->RecordTrace();
+    return sender;
+  }
+
+  BbrSender* SetupBbrSender(simulator::QuicEndpoint* endpoint) {
+    // Ownership of the sender will be overtaken by the endpoint.
+    BbrSender* sender = new BbrSender(
+        endpoint->connection()->clock()->Now(),
+        endpoint->connection()->sent_packet_manager().GetRttStats(),
+        QuicSentPacketManagerPeer::GetUnackedPacketMap(
+            QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
+        kDefaultInitialCwndPackets, kDefaultMaxCongestionWindowPackets,
+        &random_, QuicConnectionPeer::GetStats(endpoint->connection()));
+    QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
+    endpoint->RecordTrace();
+    return sender;
+  }
+
+  // reno => Reno. !reno => Cubic.
+  TcpCubicSenderBytes* SetupTcpSender(simulator::QuicEndpoint* endpoint,
+                                      bool reno) {
+    // Ownership of the sender will be overtaken by the endpoint.
+    TcpCubicSenderBytes* sender = new TcpCubicSenderBytes(
+        endpoint->connection()->clock(),
+        endpoint->connection()->sent_packet_manager().GetRttStats(), reno,
+        kDefaultInitialCwndPackets, kDefaultMaxCongestionWindowPackets,
+        QuicConnectionPeer::GetStats(endpoint->connection()));
+    QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
+    endpoint->RecordTrace();
+    return sender;
+  }
+
+  void CreateNetwork(const MultiSenderTopologyParams& params) {
+    QUIC_LOG(INFO) << "CreateNetwork with parameters: " << params.ToString();
+    switch_ = QuicMakeUnique<simulator::Switch>(&simulator_, "Switch",
+                                                params.switch_port_count,
+                                                params.SwitchQueueCapacity());
+
+    network_links_.push_back(QuicMakeUnique<simulator::SymmetricLink>(
+        receiver_multiplexer_.get(), switch_->port(1),
+        params.test_link.bandwidth, params.test_link.delay));
+    for (size_t i = 0; i < MultiSenderTopologyParams::kNumLocalLinks; ++i) {
+      simulator::SwitchPortNumber port_number = i + 2;
+      network_links_.push_back(QuicMakeUnique<simulator::SymmetricLink>(
+          sender_endpoints_[i].get(), switch_->port(port_number),
+          params.local_links[i].bandwidth, params.local_links[i].delay));
+    }
+  }
+
+  QuicTime SimulatedNow() const { return simulator_.GetClock()->Now(); }
+
+  simulator::Simulator simulator_;
+  std::vector<std::unique_ptr<simulator::QuicEndpoint>> sender_endpoints_;
+  std::vector<std::unique_ptr<simulator::QuicEndpoint>> receiver_endpoints_;
+  std::unique_ptr<simulator::QuicEndpointMultiplexer> receiver_multiplexer_;
+  Bbr2Sender* sender_1_;
+  SimpleRandom random_;
+
+  std::unique_ptr<simulator::Switch> switch_;
+  std::vector<std::unique_ptr<simulator::SymmetricLink>> network_links_;
+};
+
+TEST_F(Bbr2MultiSenderTest, Bbr2VsBbr2) {
+  SetupBbr2Sender(sender_endpoints_[1].get());
+
+  MultiSenderTopologyParams params;
+  CreateNetwork(params);
+
+  const QuicByteCount transfer_size = 10 * 1024 * 1024;
+  const QuicTime::Delta transfer_time =
+      params.BottleneckBandwidth().TransferTime(transfer_size);
+  QUIC_LOG(INFO) << "Single flow transfer time: " << transfer_time;
+
+  // Transfer 10% of data in first transfer.
+  sender_endpoints_[0]->AddBytesToTransfer(transfer_size);
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() >= 0.1 * transfer_size;
+      },
+      transfer_time);
+  ASSERT_TRUE(simulator_result);
+
+  // Start the second transfer and wait until both finish.
+  sender_endpoints_[1]->AddBytesToTransfer(transfer_size);
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() == transfer_size &&
+               receiver_endpoints_[1]->bytes_received() == transfer_size;
+      },
+      3 * transfer_time);
+  ASSERT_TRUE(simulator_result);
+}
+
+TEST_F(Bbr2MultiSenderTest, MultipleBbr2s) {
+  const int kTotalNumSenders = 6;
+  for (int i = 1; i < kTotalNumSenders; ++i) {
+    SetupBbr2Sender(sender_endpoints_[i].get());
+  }
+
+  MultiSenderTopologyParams params;
+  CreateNetwork(params);
+
+  const QuicByteCount transfer_size = 10 * 1024 * 1024;
+  const QuicTime::Delta transfer_time =
+      params.BottleneckBandwidth().TransferTime(transfer_size);
+  QUIC_LOG(INFO) << "Single flow transfer time: " << transfer_time
+                 << ". Now: " << SimulatedNow();
+
+  // Start all transfers.
+  for (int i = 0; i < kTotalNumSenders; ++i) {
+    if (i != 0) {
+      const QuicTime sender_start_time =
+          SimulatedNow() + QuicTime::Delta::FromSeconds(2);
+      bool simulator_result = simulator_.RunUntilOrTimeout(
+          [&]() { return SimulatedNow() >= sender_start_time; }, transfer_time);
+      ASSERT_TRUE(simulator_result);
+    }
+
+    sender_endpoints_[i]->AddBytesToTransfer(transfer_size);
+  }
+
+  // Wait for all transfers to finish.
+  QuicTime::Delta expected_total_transfer_time_upper_bound =
+      QuicTime::Delta::FromMicroseconds(kTotalNumSenders *
+                                        transfer_time.ToMicroseconds() * 1.1);
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        for (int i = 0; i < kTotalNumSenders; ++i) {
+          if (receiver_endpoints_[i]->bytes_received() < transfer_size) {
+            return false;
+          }
+        }
+        return true;
+      },
+      expected_total_transfer_time_upper_bound);
+  ASSERT_TRUE(simulator_result)
+      << "Expected upper bound: " << expected_total_transfer_time_upper_bound;
+}
+
+/* The first 11 packets are sent at the same time, but the duration between the
+ * acks of the 1st and the 11th packet is 49 milliseconds, causing very low bw
+ * samples. This happens for both large and small buffers.
+ */
+/*
+TEST_F(Bbr2MultiSenderTest, Bbr2VsBbr2LargeRttTinyBuffer) {
+  SetupBbr2Sender(sender_endpoints_[1].get());
+
+  MultiSenderTopologyParams params;
+  params.switch_queue_capacity_in_bdp = 0.05;
+  params.test_link.delay = QuicTime::Delta::FromSeconds(1);
+  CreateNetwork(params);
+
+  const QuicByteCount transfer_size = 10 * 1024 * 1024;
+  const QuicTime::Delta transfer_time =
+      params.BottleneckBandwidth().TransferTime(transfer_size);
+  QUIC_LOG(INFO) << "Single flow transfer time: " << transfer_time;
+
+  // Transfer 10% of data in first transfer.
+  sender_endpoints_[0]->AddBytesToTransfer(transfer_size);
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() >= 0.1 * transfer_size;
+      },
+      transfer_time);
+  ASSERT_TRUE(simulator_result);
+
+  // Start the second transfer and wait until both finish.
+  sender_endpoints_[1]->AddBytesToTransfer(transfer_size);
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() == transfer_size &&
+               receiver_endpoints_[1]->bytes_received() == transfer_size;
+      },
+      3 * transfer_time);
+  ASSERT_TRUE(simulator_result);
+}
+*/
+
+TEST_F(Bbr2MultiSenderTest, Bbr2VsBbr1) {
+  SetupBbrSender(sender_endpoints_[1].get());
+
+  MultiSenderTopologyParams params;
+  CreateNetwork(params);
+
+  const QuicByteCount transfer_size = 10 * 1024 * 1024;
+  const QuicTime::Delta transfer_time =
+      params.BottleneckBandwidth().TransferTime(transfer_size);
+  QUIC_LOG(INFO) << "Single flow transfer time: " << transfer_time;
+
+  // Transfer 10% of data in first transfer.
+  sender_endpoints_[0]->AddBytesToTransfer(transfer_size);
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() >= 0.1 * transfer_size;
+      },
+      transfer_time);
+  ASSERT_TRUE(simulator_result);
+
+  // Start the second transfer and wait until both finish.
+  sender_endpoints_[1]->AddBytesToTransfer(transfer_size);
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() == transfer_size &&
+               receiver_endpoints_[1]->bytes_received() == transfer_size;
+      },
+      3 * transfer_time);
+  ASSERT_TRUE(simulator_result);
+}
+
+TEST_F(Bbr2MultiSenderTest, Bbr2VsReno) {
+  SetupTcpSender(sender_endpoints_[1].get(), /*reno=*/true);
+
+  MultiSenderTopologyParams params;
+  CreateNetwork(params);
+
+  const QuicByteCount transfer_size = 50 * 1024 * 1024;
+  const QuicTime::Delta transfer_time =
+      params.BottleneckBandwidth().TransferTime(transfer_size);
+  QUIC_LOG(INFO) << "Single flow transfer time: " << transfer_time;
+
+  // Transfer 10% of data in first transfer.
+  sender_endpoints_[0]->AddBytesToTransfer(transfer_size);
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() >= 0.1 * transfer_size;
+      },
+      transfer_time);
+  ASSERT_TRUE(simulator_result);
+
+  // Start the second transfer and wait until both finish.
+  sender_endpoints_[1]->AddBytesToTransfer(transfer_size);
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() == transfer_size &&
+               receiver_endpoints_[1]->bytes_received() == transfer_size;
+      },
+      3 * transfer_time);
+  ASSERT_TRUE(simulator_result);
+}
+
+TEST_F(Bbr2MultiSenderTest, Bbr2VsCubic) {
+  SetupTcpSender(sender_endpoints_[1].get(), /*reno=*/false);
+
+  MultiSenderTopologyParams params;
+  CreateNetwork(params);
+
+  const QuicByteCount transfer_size = 50 * 1024 * 1024;
+  const QuicTime::Delta transfer_time =
+      params.BottleneckBandwidth().TransferTime(transfer_size);
+  QUIC_LOG(INFO) << "Single flow transfer time: " << transfer_time;
+
+  // Transfer 10% of data in first transfer.
+  sender_endpoints_[0]->AddBytesToTransfer(transfer_size);
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() >= 0.1 * transfer_size;
+      },
+      transfer_time);
+  ASSERT_TRUE(simulator_result);
+
+  // Start the second transfer and wait until both finish.
+  sender_endpoints_[1]->AddBytesToTransfer(transfer_size);
+  simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() {
+        return receiver_endpoints_[0]->bytes_received() == transfer_size &&
+               receiver_endpoints_[1]->bytes_received() == transfer_size;
+      },
+      3 * transfer_time);
+  ASSERT_TRUE(simulator_result);
+}
+
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.cc
new file mode 100644
index 00000000000..5ff10503025
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.cc
@@ -0,0 +1,138 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h"
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+
+namespace quic {
+
+Bbr2StartupMode::Bbr2StartupMode(const Bbr2Sender* sender,
+                                 Bbr2NetworkModel* model)
+    : Bbr2ModeBase(sender, model),
+      full_bandwidth_reached_(false),
+      full_bandwidth_baseline_(QuicBandwidth::Zero()),
+      rounds_without_bandwidth_growth_(0),
+      loss_events_in_round_(0) {}
+
+void Bbr2StartupMode::Enter(const Bbr2CongestionEvent& /*congestion_event*/) {
+  QUIC_BUG << "Bbr2StartupMode::Enter should not be called";
+}
+
+Bbr2Mode Bbr2StartupMode::OnCongestionEvent(
+    QuicByteCount /*prior_in_flight*/,
+    QuicTime /*event_time*/,
+    const AckedPacketVector& /*acked_packets*/,
+    const LostPacketVector& lost_packets,
+    const Bbr2CongestionEvent& congestion_event) {
+  CheckFullBandwidthReached(congestion_event);
+
+  CheckExcessiveLosses(lost_packets, congestion_event);
+
+  model_->set_pacing_gain(Params().startup_gain);
+  model_->set_cwnd_gain(Params().startup_gain);
+
+  // TODO(wub): Maybe implement STARTUP => PROBE_RTT.
+  return full_bandwidth_reached_ ? Bbr2Mode::DRAIN : Bbr2Mode::STARTUP;
+}
+
+void Bbr2StartupMode::CheckFullBandwidthReached(
+    const Bbr2CongestionEvent& congestion_event) {
+  DCHECK(!full_bandwidth_reached_);
+  if (full_bandwidth_reached_ || !congestion_event.end_of_round_trip ||
+      congestion_event.last_sample_is_app_limited) {
+    return;
+  }
+
+  QuicBandwidth threshold =
+      full_bandwidth_baseline_ * Params().startup_full_bw_threshold;
+
+  if (model_->MaxBandwidth() >= threshold) {
+    QUIC_DVLOG(3)
+        << sender_
+        << " CheckFullBandwidthReached at end of round. max_bandwidth:"
+        << model_->MaxBandwidth() << ", threshold:" << threshold
+        << " (Still growing)  @ " << congestion_event.event_time;
+    full_bandwidth_baseline_ = model_->MaxBandwidth();
+    rounds_without_bandwidth_growth_ = 0;
+    return;
+  }
+
+  ++rounds_without_bandwidth_growth_;
+  full_bandwidth_reached_ =
+      rounds_without_bandwidth_growth_ >= Params().startup_full_bw_rounds;
+  QUIC_DVLOG(3) << sender_
+                << " CheckFullBandwidthReached at end of round. max_bandwidth:"
+                << model_->MaxBandwidth() << ", threshold:" << threshold
+                << " rounds_without_growth:" << rounds_without_bandwidth_growth_
+                << " full_bw_reached:" << full_bandwidth_reached_ << "  @ "
+                << congestion_event.event_time;
+}
+
+void Bbr2StartupMode::CheckExcessiveLosses(
+    const LostPacketVector& lost_packets,
+    const Bbr2CongestionEvent& congestion_event) {
+  if (full_bandwidth_reached_) {
+    return;
+  }
+
+  if (!lost_packets.empty()) {
+    ++loss_events_in_round_;
+  }
+
+  // TODO(wub): In TCP, loss based exit only happens at end of a loss round, in
+  // QUIC we use the end of the normal round here. It is possible to exit after
+  // any congestion event, using information of the "rolling round".
+  if (!congestion_event.end_of_round_trip) {
+    return;
+  }
+
+  QUIC_DVLOG(3)
+      << sender_
+      << " CheckExcessiveLosses at end of round. loss_events_in_round_:"
+      << loss_events_in_round_
+      << ", threshold:" << Params().startup_full_loss_count << "  @ "
+      << congestion_event.event_time;
+
+  // At the end of a round trip. Check if loss is too high in this round.
+  if (loss_events_in_round_ >= Params().startup_full_loss_count &&
+      model_->IsInflightTooHigh(congestion_event)) {
+    const QuicByteCount bdp = model_->BDP(model_->MaxBandwidth());
+    QUIC_DVLOG(3) << sender_
+                  << " Exiting STARTUP due to loss. inflight_hi:" << bdp;
+    model_->set_inflight_hi(bdp);
+
+    full_bandwidth_reached_ = true;
+  }
+
+  loss_events_in_round_ = 0;
+}
+
+Bbr2StartupMode::DebugState Bbr2StartupMode::ExportDebugState() const {
+  DebugState s;
+  s.full_bandwidth_reached = full_bandwidth_reached_;
+  s.full_bandwidth_baseline = full_bandwidth_baseline_;
+  s.round_trips_without_bandwidth_growth = rounds_without_bandwidth_growth_;
+  return s;
+}
+
+std::ostream& operator<<(std::ostream& os,
+                         const Bbr2StartupMode::DebugState& state) {
+  os << "[STARTUP] full_bandwidth_reached: " << state.full_bandwidth_reached
+     << "\n";
+  os << "[STARTUP] full_bandwidth_baseline: " << state.full_bandwidth_baseline
+     << "\n";
+  os << "[STARTUP] round_trips_without_bandwidth_growth: "
+     << state.round_trips_without_bandwidth_growth << "\n";
+  return os;
+}
+
+const Bbr2Params& Bbr2StartupMode::Params() const {
+  return sender_->Params();
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h
new file mode 100644
index 00000000000..df3f9a747c7
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h
@@ -0,0 +1,68 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_STARTUP_H_
+#define QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_STARTUP_H_
+
+#include "net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
+namespace quic {
+
+class Bbr2Sender;
+class QUIC_EXPORT_PRIVATE Bbr2StartupMode final : public Bbr2ModeBase {
+ public:
+  Bbr2StartupMode(const Bbr2Sender* sender, Bbr2NetworkModel* model);
+
+  void Enter(const Bbr2CongestionEvent& congestion_event) override;
+
+  Bbr2Mode OnCongestionEvent(
+      QuicByteCount prior_in_flight,
+      QuicTime event_time,
+      const AckedPacketVector& acked_packets,
+      const LostPacketVector& lost_packets,
+      const Bbr2CongestionEvent& congestion_event) override;
+
+  Limits<QuicByteCount> GetCwndLimits() const override {
+    return NoGreaterThan(model_->inflight_lo());
+  }
+
+  bool IsProbingForBandwidth() const override { return true; }
+
+  bool FullBandwidthReached() const { return full_bandwidth_reached_; }
+
+  struct DebugState {
+    bool full_bandwidth_reached;
+    QuicBandwidth full_bandwidth_baseline = QuicBandwidth::Zero();
+    QuicRoundTripCount round_trips_without_bandwidth_growth;
+  };
+
+  DebugState ExportDebugState() const;
+
+ private:
+  const Bbr2Params& Params() const;
+
+  void CheckFullBandwidthReached(const Bbr2CongestionEvent& congestion_event);
+
+  void CheckExcessiveLosses(const LostPacketVector& lost_packets,
+                            const Bbr2CongestionEvent& congestion_event);
+
+  bool full_bandwidth_reached_;
+  QuicBandwidth full_bandwidth_baseline_;
+  QuicRoundTripCount rounds_without_bandwidth_growth_;
+
+  // Number of loss events in the current round trip.
+  int64_t loss_events_in_round_;
+};
+
+QUIC_EXPORT_PRIVATE std::ostream& operator<<(
+    std::ostream& os,
+    const Bbr2StartupMode::DebugState& state);
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CONGESTION_CONTROL_BBR2_STARTUP_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc
index 5844987b3cb..65a637c1611 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc
@@ -109,7 +109,7 @@ BbrSender::BbrSender(QuicTime now,
       pacing_gain_(1),
       congestion_window_gain_(1),
       congestion_window_gain_constant_(
-          static_cast<float>(FLAGS_quic_bbr_cwnd_gain)),
+          static_cast<float>(GetQuicFlag(FLAGS_quic_bbr_cwnd_gain))),
       num_startup_rtts_(kRoundTripsWithoutGrowthBeforeExitingStartup),
       exit_startup_on_loss_(false),
       cycle_current_offset_(0),
@@ -125,7 +125,6 @@ BbrSender::BbrSender(QuicTime now,
       flexible_app_limited_(false),
       recovery_state_(NOT_IN_RECOVERY),
       recovery_window_(max_congestion_window_),
-      is_app_limited_recovery_(false),
       slower_startup_(false),
       rate_based_startup_(false),
       startup_rate_reduction_multiplier_(0),
@@ -137,9 +136,7 @@ BbrSender::BbrSender(QuicTime now,
       probe_rtt_skipped_if_similar_rtt_(false),
       probe_rtt_disabled_if_app_limited_(false),
       app_limited_since_last_probe_rtt_(false),
-      min_rtt_since_last_probe_rtt_(QuicTime::Delta::Infinite()),
-      always_get_bw_sample_when_acked_(
-          GetQuicReloadableFlag(quic_always_get_bw_sample_when_acked)) {
+      min_rtt_since_last_probe_rtt_(QuicTime::Delta::Infinite()) {
   if (stats_) {
     stats_->slowstart_count = 0;
     stats_->slowstart_start_time = QuicTime::Zero();
@@ -189,7 +186,7 @@ bool BbrSender::CanSend(QuicByteCount bytes_in_flight) {
   return bytes_in_flight < GetCongestionWindow();
 }
 
-QuicBandwidth BbrSender::PacingRate(QuicByteCount bytes_in_flight) const {
+QuicBandwidth BbrSender::PacingRate(QuicByteCount /*bytes_in_flight*/) const {
   if (pacing_rate_.IsZero()) {
     return high_gain_ * QuicBandwidth::FromBytesAndTimeDelta(
                             initial_congestion_window_, GetMinRtt());
@@ -312,21 +309,15 @@ void BbrSender::SetFromConfig(const QuicConfig& config,
     QUIC_RELOADABLE_FLAG_COUNT(quic_bbr_flexible_app_limited);
     flexible_app_limited_ = true;
   }
-  if (GetQuicReloadableFlag(quic_bbr_slower_startup3) &&
-      config.HasClientRequestedIndependentOption(kBBQ1, perspective)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr_slower_startup3, 1, 4);
+  if (config.HasClientRequestedIndependentOption(kBBQ1, perspective)) {
     set_high_gain(kDerivedHighGain);
     set_high_cwnd_gain(kDerivedHighGain);
     set_drain_gain(1.f / kDerivedHighGain);
   }
-  if (GetQuicReloadableFlag(quic_bbr_slower_startup3) &&
-      config.HasClientRequestedIndependentOption(kBBQ2, perspective)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr_slower_startup3, 2, 4);
+  if (config.HasClientRequestedIndependentOption(kBBQ2, perspective)) {
     set_high_cwnd_gain(kDerivedHighCWNDGain);
   }
-  if (GetQuicReloadableFlag(quic_bbr_slower_startup3) &&
-      config.HasClientRequestedIndependentOption(kBBQ3, perspective)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr_slower_startup3, 3, 4);
+  if (config.HasClientRequestedIndependentOption(kBBQ3, perspective)) {
     enable_ack_aggregation_during_startup_ = true;
   }
   if (GetQuicReloadableFlag(quic_bbr_slower_startup4) &&
@@ -360,6 +351,14 @@ void BbrSender::AdjustNetworkParameters(QuicBandwidth bandwidth,
         std::max(kMinInitialCongestionWindow * kDefaultTCPMSS,
                  std::min(kMaxInitialCongestionWindow * kDefaultTCPMSS,
                           bandwidth * rtt_stats_->SmoothedOrInitialRtt()));
+    if (!rtt_stats_->smoothed_rtt().IsZero()) {
+      QUIC_CODE_COUNT(quic_smoothed_rtt_available);
+    } else if (rtt_stats_->initial_rtt() !=
+               QuicTime::Delta::FromMilliseconds(kInitialRttMs)) {
+      QUIC_CODE_COUNT(quic_client_initial_rtt_available);
+    } else {
+      QUIC_CODE_COUNT(quic_default_initial_rtt);
+    }
     if (new_cwnd > congestion_window_) {
       QUIC_RELOADABLE_FLAG_COUNT_N(quic_fix_bbr_cwnd_in_bandwidth_resumption, 1,
                                    3);
@@ -371,10 +370,13 @@ void BbrSender::AdjustNetworkParameters(QuicBandwidth bandwidth,
       // Only decrease cwnd if allow_cwnd_to_decrease is true.
       return;
     }
-    // Decreases cwnd gain and pacing gain. Please note, if pacing_rate_ has
-    // been calculated, it cannot decrease in STARTUP phase.
-    set_high_gain(kDerivedHighCWNDGain);
-    set_high_cwnd_gain(kDerivedHighCWNDGain);
+    if (GetQuicReloadableFlag(quic_conservative_cwnd_and_pacing_gains)) {
+      // Decreases cwnd gain and pacing gain. Please note, if pacing_rate_ has
+      // been calculated, it cannot decrease in STARTUP phase.
+      QUIC_RELOADABLE_FLAG_COUNT(quic_conservative_cwnd_and_pacing_gains);
+      set_high_gain(kDerivedHighCWNDGain);
+      set_high_cwnd_gain(kDerivedHighCWNDGain);
+    }
     congestion_window_ = new_cwnd;
   }
 }
@@ -526,14 +528,9 @@ bool BbrSender::UpdateBandwidthAndMinRtt(
     const AckedPacketVector& acked_packets) {
   QuicTime::Delta sample_min_rtt = QuicTime::Delta::Infinite();
   for (const auto& packet : acked_packets) {
-    if (!always_get_bw_sample_when_acked_ && packet.bytes_acked == 0) {
-      // Skip acked packets with 0 in flight bytes when updating bandwidth.
-      continue;
-    }
     BandwidthSample bandwidth_sample =
         sampler_.OnPacketAcknowledged(now, packet.packet_number);
-    if (always_get_bw_sample_when_acked_ &&
-        !bandwidth_sample.state_at_send.is_valid) {
+    if (!bandwidth_sample.state_at_send.is_valid) {
       // From the sampler's perspective, the packet has never been sent, or the
       // packet has been acked or marked as lost previously.
       continue;
@@ -752,11 +749,6 @@ void BbrSender::UpdateRecoveryState(QuicPacketNumber last_acked_packet,
         // Since the conservation phase is meant to be lasting for a whole
         // round, extend the current round as if it were started right now.
         current_round_trip_end_ = last_sent_packet_;
-        if (GetQuicReloadableFlag(quic_bbr_app_limited_recovery) &&
-            last_sample_is_app_limited_) {
-          QUIC_RELOADABLE_FLAG_COUNT(quic_bbr_app_limited_recovery);
-          is_app_limited_recovery_ = true;
-        }
       }
       break;
 
@@ -770,14 +762,10 @@ void BbrSender::UpdateRecoveryState(QuicPacketNumber last_acked_packet,
       // Exit recovery if appropriate.
       if (!has_losses && last_acked_packet > end_recovery_at_) {
         recovery_state_ = NOT_IN_RECOVERY;
-        is_app_limited_recovery_ = false;
       }
 
       break;
   }
-  if (recovery_state_ != NOT_IN_RECOVERY && is_app_limited_recovery_) {
-    sampler_.OnAppLimited();
-  }
 }
 
 // TODO(ianswett): Move this logic into BandwidthSampler.
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h
index a49a5efd579..a4d9925b535 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h
@@ -110,7 +110,6 @@ class QUIC_EXPORT_PRIVATE BbrSender : public SendAlgorithmInterface {
   void AdjustNetworkParameters(QuicBandwidth bandwidth,
                                QuicTime::Delta rtt,
                                bool allow_cwnd_to_decrease) override;
-  void SetNumEmulatedConnections(int num_connections) override {}
   void SetInitialCongestionWindowInPackets(
       QuicPacketCount congestion_window) override;
   void OnCongestionEvent(bool rtt_updated,
@@ -123,7 +122,7 @@ class QUIC_EXPORT_PRIVATE BbrSender : public SendAlgorithmInterface {
                     QuicPacketNumber packet_number,
                     QuicByteCount bytes,
                     HasRetransmittableData is_retransmittable) override;
-  void OnRetransmissionTimeout(bool packets_retransmitted) override {}
+  void OnRetransmissionTimeout(bool /*packets_retransmitted*/) override {}
   void OnConnectionMigration() override {}
   bool CanSend(QuicByteCount bytes_in_flight) override;
   QuicBandwidth PacingRate(QuicByteCount bytes_in_flight) const override;
@@ -402,9 +401,6 @@ class QUIC_EXPORT_PRIVATE BbrSender : public SendAlgorithmInterface {
   bool probe_rtt_disabled_if_app_limited_;
   bool app_limited_since_last_probe_rtt_;
   QuicTime::Delta min_rtt_since_last_probe_rtt_;
-
-  // Latched value of --quic_always_get_bw_sample_when_acked.
-  const bool always_get_bw_sample_when_acked_;
 };
 
 QUIC_EXPORT_PRIVATE std::ostream& operator<<(std::ostream& os,
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc
index be4f291406b..d175bdff853 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc
@@ -374,7 +374,7 @@ TEST_F(BbrSenderTest, SimpleTransfer2RTTAggregationBytes) {
 // Test a simple long data transfer with 2 rtts of aggregation.
 TEST_F(BbrSenderTest, SimpleTransferAckDecimation) {
   // Decrease the CWND gain so extra CWND is required with stretch acks.
-  FLAGS_quic_bbr_cwnd_gain = 1.0;
+  SetQuicFlag(FLAGS_quic_bbr_cwnd_gain, 1.0);
   sender_ = new BbrSender(
       bbr_sender_.connection()->clock()->Now(), rtt_stats_,
       QuicSentPacketManagerPeer::GetUnackedPacketMap(
@@ -417,7 +417,8 @@ TEST_F(BbrSenderTest, SimpleTransfer2RTTAggregationBytes20RTTWindow) {
 
   // Transfer 12MB.
   DoSimpleTransfer(12 * 1024 * 1024, QuicTime::Delta::FromSeconds(35));
-  EXPECT_EQ(BbrSender::PROBE_BW, sender_->ExportDebugState().mode);
+  EXPECT_TRUE(sender_->ExportDebugState().mode == BbrSender::PROBE_BW ||
+              sender_->ExportDebugState().mode == BbrSender::PROBE_RTT);
   // It's possible to read a bandwidth as much as 50% too high with aggregation.
   EXPECT_LE(kTestLinkBandwidth * 0.99f,
             sender_->ExportDebugState().max_bandwidth);
@@ -430,7 +431,7 @@ TEST_F(BbrSenderTest, SimpleTransfer2RTTAggregationBytes20RTTWindow) {
   // The margin here is high, because the aggregation greatly increases
   // smoothed rtt.
   EXPECT_GE(kTestRtt * 4, rtt_stats_->smoothed_rtt());
-  EXPECT_APPROX_EQ(kTestRtt, rtt_stats_->min_rtt(), 0.12f);
+  EXPECT_APPROX_EQ(kTestRtt, rtt_stats_->min_rtt(), 0.25f);
 }
 
 // Test a simple long data transfer with 2 rtts of aggregation.
@@ -444,7 +445,8 @@ TEST_F(BbrSenderTest, SimpleTransfer2RTTAggregationBytes40RTTWindow) {
 
   // Transfer 12MB.
   DoSimpleTransfer(12 * 1024 * 1024, QuicTime::Delta::FromSeconds(35));
-  EXPECT_EQ(BbrSender::PROBE_BW, sender_->ExportDebugState().mode);
+  EXPECT_TRUE(sender_->ExportDebugState().mode == BbrSender::PROBE_BW ||
+              sender_->ExportDebugState().mode == BbrSender::PROBE_RTT);
   // It's possible to read a bandwidth as much as 50% too high with aggregation.
   EXPECT_LE(kTestLinkBandwidth * 0.99f,
             sender_->ExportDebugState().max_bandwidth);
@@ -457,7 +459,7 @@ TEST_F(BbrSenderTest, SimpleTransfer2RTTAggregationBytes40RTTWindow) {
   // The margin here is high, because the aggregation greatly increases
   // smoothed rtt.
   EXPECT_GE(kTestRtt * 4, rtt_stats_->smoothed_rtt());
-  EXPECT_APPROX_EQ(kTestRtt, rtt_stats_->min_rtt(), 0.12f);
+  EXPECT_APPROX_EQ(kTestRtt, rtt_stats_->min_rtt(), 0.25f);
 }
 
 // Test the number of losses incurred by the startup phase in a situation when
@@ -475,7 +477,6 @@ TEST_F(BbrSenderTest, PacketLossOnSmallBufferStartup) {
 // Test the number of losses incurred by the startup phase in a situation when
 // the buffer is less than BDP, with a STARTUP CWND gain of 2.
 TEST_F(BbrSenderTest, PacketLossOnSmallBufferStartupDerivedCWNDGain) {
-  SetQuicReloadableFlag(quic_bbr_slower_startup3, true);
   CreateSmallBufferSetup();
 
   SetConnectionOption(kBBQ2);
@@ -620,7 +621,6 @@ TEST_F(BbrSenderTest, Drain) {
 // TODO(wub): Re-enable this test once default drain_gain changed to 0.75.
 // Verify that the DRAIN phase works correctly.
 TEST_F(BbrSenderTest, DISABLED_ShallowDrain) {
-  SetQuicReloadableFlag(quic_bbr_slower_startup3, true);
   // Disable Ack Decimation on the receiver, because it can increase srtt.
   QuicConnectionPeer::SetAckMode(receiver_.connection(), AckMode::TCP_ACKING);
 
@@ -708,47 +708,6 @@ TEST_F(BbrSenderTest, ProbeRtt) {
   EXPECT_GE(sender_->ExportDebugState().min_rtt_timestamp, probe_rtt_start);
 }
 
-// Verify that the first sample after PROBE_RTT is not used as the bandwidth,
-// because the round counter doesn't advance during PROBE_RTT.
-TEST_F(BbrSenderTest, AppLimitedRecoveryNoBandwidthDecrease) {
-  SetQuicReloadableFlag(quic_bbr_app_limited_recovery, true);
-  CreateDefaultSetup();
-  DriveOutOfStartup();
-
-  // We have no intention of ever finishing this transfer.
-  bbr_sender_.AddBytesToTransfer(100 * 1024 * 1024);
-
-  // Wait until the connection enters PROBE_RTT.
-  const QuicTime::Delta timeout = QuicTime::Delta::FromSeconds(12);
-  bool simulator_result = simulator_.RunUntilOrTimeout(
-      [this]() {
-        return sender_->ExportDebugState().mode == BbrSender::PROBE_RTT;
-      },
-      timeout);
-  ASSERT_TRUE(simulator_result);
-  ASSERT_EQ(BbrSender::PROBE_RTT, sender_->ExportDebugState().mode);
-
-  const QuicBandwidth beginning_bw = sender_->BandwidthEstimate();
-
-  // Run for most of PROBE_RTT.
-  const QuicTime probe_rtt_start = clock_->Now();
-  const QuicTime::Delta time_to_exit_probe_rtt =
-      kTestRtt + QuicTime::Delta::FromMilliseconds(200);
-  simulator_.RunFor(0.60 * time_to_exit_probe_rtt);
-  EXPECT_EQ(BbrSender::PROBE_RTT, sender_->ExportDebugState().mode);
-  // Lose a packet before exiting PROBE_RTT, which puts us in packet
-  // conservation and then continue there for a while and ensure the bandwidth
-  // estimate doesn't decrease.
-  for (int i = 0; i < 20; ++i) {
-    receiver_.DropNextIncomingPacket();
-    simulator_.RunFor(0.9 * kTestRtt);
-    // Ensure the bandwidth didn't decrease and the samples are app limited.
-    EXPECT_LE(beginning_bw, sender_->BandwidthEstimate());
-    EXPECT_TRUE(sender_->ExportDebugState().last_sample_is_app_limited);
-  }
-  EXPECT_GE(sender_->ExportDebugState().min_rtt_timestamp, probe_rtt_start);
-}
-
 // Verify that the connection enters and exits PROBE_RTT correctly.
 TEST_F(BbrSenderTest, ProbeRttBDPBasedCWNDTarget) {
   CreateDefaultSetup();
@@ -1171,7 +1130,6 @@ TEST_F(BbrSenderTest, SimpleTransferDoubleStartupRateReduction) {
 }
 
 TEST_F(BbrSenderTest, DerivedPacingGainStartup) {
-  SetQuicReloadableFlag(quic_bbr_slower_startup3, true);
   CreateDefaultSetup();
 
   SetConnectionOption(kBBQ1);
@@ -1199,7 +1157,6 @@ TEST_F(BbrSenderTest, DerivedPacingGainStartup) {
 }
 
 TEST_F(BbrSenderTest, DerivedCWNDGainStartup) {
-  SetQuicReloadableFlag(quic_bbr_slower_startup3, true);
   CreateSmallBufferSetup();
 
   SetConnectionOption(kBBQ2);
@@ -1232,7 +1189,6 @@ TEST_F(BbrSenderTest, DerivedCWNDGainStartup) {
 }
 
 TEST_F(BbrSenderTest, AckAggregationInStartup) {
-  SetQuicReloadableFlag(quic_bbr_slower_startup3, true);
   // Disable Ack Decimation on the receiver to avoid loss and make results
   // consistent.
   QuicConnectionPeer::SetAckMode(receiver_.connection(), AckMode::TCP_ACKING);
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.cc
index 8cd5e712b3c..d42896cee57 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.cc
@@ -66,8 +66,16 @@ void GeneralLossAlgorithm::DetectLosses(
   loss_detection_timeout_ = QuicTime::Zero();
   if (!packets_acked.empty() &&
       packets_acked.front().packet_number == least_in_flight_) {
-    if (least_in_flight_ + packets_acked.size() - 1 == largest_newly_acked) {
-      // Optimization for the case when no packet is missing.
+    if (GetQuicReloadableFlag(quic_fix_packets_acked)) {
+      QUIC_RELOADABLE_FLAG_COUNT(quic_fix_packets_acked);
+    }
+    if ((!GetQuicReloadableFlag(quic_fix_packets_acked) ||
+         packets_acked.back().packet_number == largest_newly_acked) &&
+        least_in_flight_ + packets_acked.size() - 1 == largest_newly_acked) {
+      // Optimization for the case when no packet is missing. Please note,
+      // packets_acked can include packets of different packet number space, so
+      // do not use this optimization if largest_newly_acked is not the largest
+      // packet in packets_acked.
       least_in_flight_ = largest_newly_acked + 1;
       largest_previously_acked_ = largest_newly_acked;
       return;
@@ -99,14 +107,12 @@ void GeneralLossAlgorithm::DetectLosses(
   }
   // Clear least_in_flight_.
   least_in_flight_.Clear();
-  DCHECK(!unacked_packets.use_uber_loss_algorithm() ||
-         packet_number_space_ ==
-             unacked_packets.GetPacketNumberSpace(largest_newly_acked));
+  DCHECK_EQ(packet_number_space_,
+            unacked_packets.GetPacketNumberSpace(largest_newly_acked));
   for (; it != unacked_packets.end() && packet_number <= largest_newly_acked;
        ++it, ++packet_number) {
-    if (unacked_packets.use_uber_loss_algorithm() &&
-        unacked_packets.GetPacketNumberSpace(it->encryption_level) !=
-            packet_number_space_) {
+    if (unacked_packets.GetPacketNumberSpace(it->encryption_level) !=
+        packet_number_space_) {
       // Skip packets of different packet number space.
       continue;
     }
@@ -138,16 +144,11 @@ void GeneralLossAlgorithm::DetectLosses(
     // there are retransmittable packets in flight.
     // This also implements a timer-protected variant of FACK.
     QuicPacketNumber largest_sent_retransmittable_packet;
-    if (unacked_packets.use_uber_loss_algorithm()) {
-      // Use largest_sent_retransmittable_packet of corresponding packet number
-      // space for timer based loss detection.
-      largest_sent_retransmittable_packet =
-          unacked_packets.GetLargestSentRetransmittableOfPacketNumberSpace(
-              packet_number_space_);
-    } else {
-      largest_sent_retransmittable_packet =
-          unacked_packets.largest_sent_retransmittable_packet();
-    }
+    // Use largest_sent_retransmittable_packet of corresponding packet number
+    // space for timer based loss detection.
+    largest_sent_retransmittable_packet =
+        unacked_packets.GetLargestSentRetransmittableOfPacketNumberSpace(
+            packet_number_space_);
     if (largest_sent_retransmittable_packet <= largest_newly_acked ||
         loss_type_ == kTime || loss_type_ == kAdaptiveTime) {
       QuicTime when_lost = it->sent_time + loss_delay;
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h
index 319203a9bdc..1dd5b2a0522 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h
@@ -75,7 +75,6 @@ class QUIC_EXPORT_PRIVATE GeneralLossAlgorithm : public LossDetectionInterface {
   // The least in flight packet. Loss detection should start from this. Please
   // note, least_in_flight_ could be largest packet ever sent + 1.
   QuicPacketNumber least_in_flight_;
-  // This is only used when quic_use_uber_loss_algorithm is true.
   PacketNumberSpace packet_number_space_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc
index a2496793893..f2ebbb2a68b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc
@@ -27,9 +27,7 @@ class GeneralLossAlgorithmTest : public QuicTest {
     rtt_stats_.UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
                          QuicTime::Delta::Zero(), clock_.Now());
     EXPECT_LT(0, rtt_stats_.smoothed_rtt().ToMicroseconds());
-    if (unacked_packets_.use_uber_loss_algorithm()) {
-      loss_algorithm_.SetPacketNumberSpace(HANDSHAKE_DATA);
-    }
+    loss_algorithm_.SetPacketNumberSpace(HANDSHAKE_DATA);
   }
 
   ~GeneralLossAlgorithmTest() override {}
@@ -57,15 +55,8 @@ class GeneralLossAlgorithmTest : public QuicTest {
   void VerifyLosses(uint64_t largest_newly_acked,
                     const AckedPacketVector& packets_acked,
                     const std::vector<uint64_t>& losses_expected) {
-    if (unacked_packets_.use_uber_loss_algorithm()) {
-      unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
-          APPLICATION_DATA, QuicPacketNumber(largest_newly_acked));
-    } else if (!unacked_packets_.largest_acked().IsInitialized() ||
-               QuicPacketNumber(largest_newly_acked) >
-                   unacked_packets_.largest_acked()) {
-      unacked_packets_.IncreaseLargestAcked(
-          QuicPacketNumber(largest_newly_acked));
-    }
+    unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
+        APPLICATION_DATA, QuicPacketNumber(largest_newly_acked));
     LostPacketVector lost_packets;
     loss_algorithm_.DetectLosses(unacked_packets_, clock_.Now(), rtt_stats_,
                                  QuicPacketNumber(largest_newly_acked),
@@ -215,12 +206,8 @@ TEST_F(GeneralLossAlgorithmTest, DontEarlyRetransmitNeuteredPacket) {
   clock_.AdvanceTime(rtt_stats_.smoothed_rtt());
 
   // Early retransmit when the final packet gets acked and the first is nacked.
-  if (unacked_packets_.use_uber_loss_algorithm()) {
-    unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
-        APPLICATION_DATA, QuicPacketNumber(2));
-  } else {
-    unacked_packets_.IncreaseLargestAcked(QuicPacketNumber(2));
-  }
+  unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
+      APPLICATION_DATA, QuicPacketNumber(2));
   unacked_packets_.RemoveFromInFlight(QuicPacketNumber(2));
   packets_acked.push_back(AckedPacket(
       QuicPacketNumber(2), kMaxOutgoingPacketSize, QuicTime::Zero()));
@@ -238,12 +225,8 @@ TEST_F(GeneralLossAlgorithmTest, EarlyRetransmitWithLargerUnackablePackets) {
   clock_.AdvanceTime(rtt_stats_.smoothed_rtt());
 
   // Early retransmit when the final packet gets acked and the first is nacked.
-  if (unacked_packets_.use_uber_loss_algorithm()) {
-    unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
-        APPLICATION_DATA, QuicPacketNumber(2));
-  } else {
-    unacked_packets_.IncreaseLargestAcked(QuicPacketNumber(2));
-  }
+  unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
+      APPLICATION_DATA, QuicPacketNumber(2));
   unacked_packets_.RemoveFromInFlight(QuicPacketNumber(2));
   packets_acked.push_back(AckedPacket(
       QuicPacketNumber(2), kMaxOutgoingPacketSize, QuicTime::Zero()));
@@ -270,12 +253,8 @@ TEST_F(GeneralLossAlgorithmTest, AlwaysLosePacketSent1RTTEarlier) {
   AckedPacketVector packets_acked;
   // Wait another RTT and ack 2.
   clock_.AdvanceTime(rtt_stats_.smoothed_rtt());
-  if (unacked_packets_.use_uber_loss_algorithm()) {
-    unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
-        APPLICATION_DATA, QuicPacketNumber(2));
-  } else {
-    unacked_packets_.IncreaseLargestAcked(QuicPacketNumber(2));
-  }
+  unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
+      APPLICATION_DATA, QuicPacketNumber(2));
   unacked_packets_.RemoveFromInFlight(QuicPacketNumber(2));
   packets_acked.push_back(AckedPacket(
       QuicPacketNumber(2), kMaxOutgoingPacketSize, QuicTime::Zero()));
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.cc
index 0968935492d..c58e3689f1e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.cc
@@ -26,10 +26,18 @@ PacingSender::PacingSender()
       initial_burst_size_(kInitialUnpacedBurst),
       lumpy_tokens_(0),
       alarm_granularity_(QuicTime::Delta::FromMilliseconds(1)),
-      pacing_limited_(false) {
+      pacing_limited_(false),
+      lumpy_pacing_size_((GetQuicReloadableFlag(
+                              quic_change_default_lumpy_pacing_size_to_two) &&
+                          GetQuicFlag(FLAGS_quic_lumpy_pacing_size) == 1)
+                             ? 2
+                             : GetQuicFlag(FLAGS_quic_lumpy_pacing_size)) {
   if (GetQuicReloadableFlag(quic_donot_reset_ideal_next_packet_send_time)) {
     QUIC_RELOADABLE_FLAG_COUNT(quic_donot_reset_ideal_next_packet_send_time);
   }
+  if (GetQuicReloadableFlag(quic_change_default_lumpy_pacing_size_to_two)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_change_default_lumpy_pacing_size_to_two);
+  }
 }
 
 PacingSender::~PacingSender() {}
@@ -90,16 +98,13 @@ void PacingSender::OnPacketSent(
     // Reset lumpy_tokens_ if either application or cwnd throttles sending or
     // token runs out.
     lumpy_tokens_ = std::max(
-        1u, std::min(static_cast<uint32_t>(
-                         GetQuicFlag(FLAGS_quic_lumpy_pacing_size)),
+        1u, std::min(static_cast<uint32_t>(lumpy_pacing_size_),
                      static_cast<uint32_t>(
                          (sender_->GetCongestionWindow() *
                           GetQuicFlag(FLAGS_quic_lumpy_pacing_cwnd_fraction)) /
                          kDefaultTCPMSS)));
-    if (GetQuicReloadableFlag(quic_no_lumpy_pacing_at_low_bw) &&
-        sender_->BandwidthEstimate() <
-            QuicBandwidth::FromKBitsPerSecond(1200)) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_no_lumpy_pacing_at_low_bw);
+    if (sender_->BandwidthEstimate() <
+        QuicBandwidth::FromKBitsPerSecond(1200)) {
       // Below 1.2Mbps, send 1 packet at once, because one full-sized packet
       // is about 10ms of queueing.
       lumpy_tokens_ = 1u;
@@ -141,6 +146,9 @@ QuicTime::Delta PacingSender::TimeUntilSend(
 
   if (burst_tokens_ > 0 || bytes_in_flight == 0 || lumpy_tokens_ > 0) {
     // Don't pace if we have burst tokens available or leaving quiescence.
+    QUIC_DVLOG(1) << "Sending packet now. burst_tokens:" << burst_tokens_
+                  << ", bytes_in_flight:" << bytes_in_flight
+                  << ", lumpy_tokens:" << lumpy_tokens_;
     return QuicTime::Delta::Zero();
   }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.h
index 781a9211951..f53f17af6af 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.h
@@ -103,6 +103,9 @@ class QUIC_EXPORT_PRIVATE PacingSender {
   // Indicates whether pacing throttles the sending. If true, make up for lost
   // time.
   bool pacing_limited_;
+
+  // Latched value of --quic_lumpy_pacing_size.
+  const int32_t lumpy_pacing_size_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender_test.cc
index 4e4c401229d..066a3b5d8ed 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/pacing_sender_test.cc
@@ -280,8 +280,9 @@ TEST_F(PacingSenderTest, InitialBurstNoRttMeasurement) {
 }
 
 TEST_F(PacingSenderTest, FastSending) {
-  // Ensure the pacing sender paces, even when the inter-packet spacing is less
-  // than the pacing granularity.
+  SetQuicReloadableFlag(quic_change_default_lumpy_pacing_size_to_two, true);
+  // Ensure the pacing sender paces, even when the inter-packet spacing(0.5ms)
+  // is less than the pacing granularity(1ms).
   InitPacingRate(10, QuicBandwidth::FromBytesAndTimeDelta(
                          2 * kMaxOutgoingPacketSize,
                          QuicTime::Delta::FromMilliseconds(1)));
@@ -293,12 +294,11 @@ TEST_F(PacingSenderTest, FastSending) {
     CheckPacketIsSentImmediately();
   }
 
-  // The first packet was a "make up", then we sent two packets "into the
-  // future", since it's 2 packets/ms, so the delay should be 1.5ms.
-  CheckPacketIsSentImmediately();
-  CheckPacketIsSentImmediately();
-  CheckPacketIsSentImmediately();
-  CheckPacketIsDelayed(QuicTime::Delta::FromMicroseconds(1500));
+  CheckPacketIsSentImmediately();  // Make up
+  CheckPacketIsSentImmediately();  // Lumpy token
+  CheckPacketIsSentImmediately();  // "In the future" but within granularity.
+  CheckPacketIsSentImmediately();  // Lumpy token
+  CheckPacketIsDelayed(QuicTime::Delta::FromMicroseconds(2000));
 
   clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
   CheckPacketIsSentImmediately();
@@ -312,10 +312,11 @@ TEST_F(PacingSenderTest, FastSending) {
 
   // The first packet was a "make up", then we sent two packets "into the
   // future", so the delay should be 1.5ms.
-  CheckPacketIsSentImmediately();
-  CheckPacketIsSentImmediately();
-  CheckPacketIsSentImmediately();
-  CheckPacketIsDelayed(QuicTime::Delta::FromMicroseconds(1500));
+  CheckPacketIsSentImmediately();  // Make up
+  CheckPacketIsSentImmediately();  // Lumpy token
+  CheckPacketIsSentImmediately();  // "In the future" but within granularity.
+  CheckPacketIsSentImmediately();  // Lumpy token
+  CheckPacketIsDelayed(QuicTime::Delta::FromMicroseconds(2000));
 }
 
 TEST_F(PacingSenderTest, NoBurstEnteringRecovery) {
@@ -444,7 +445,6 @@ TEST_F(PacingSenderTest, NoLumpyPacingForLowBandwidthFlows) {
   // Set lumpy size to be 3, and cwnd faction to 0.5
   SetQuicFlag(FLAGS_quic_lumpy_pacing_size, 3);
   SetQuicFlag(FLAGS_quic_lumpy_pacing_cwnd_fraction, 0.5f);
-  SetQuicReloadableFlag(quic_no_lumpy_pacing_at_low_bw, true);
 
   // Configure pacing rate of 1 packet per 100 ms.
   QuicTime::Delta inter_packet_delay = QuicTime::Delta::FromMilliseconds(100);
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.cc
index e1a63722cb8..f4cbf381cf3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.cc
@@ -14,8 +14,6 @@ namespace quic {
 
 namespace {
 
-// Default initial rtt used before any samples are received.
-const int kInitialRttMs = 100;
 const float kAlpha = 0.125f;
 const float kOneMinusAlpha = (1 - kAlpha);
 const float kBeta = 0.25f;
@@ -31,6 +29,7 @@ RttStats::RttStats()
       mean_deviation_(QuicTime::Delta::Zero()),
       initial_rtt_(QuicTime::Delta::FromMilliseconds(kInitialRttMs)),
       max_ack_delay_(QuicTime::Delta::Zero()),
+      last_update_time_(QuicTime::Zero()),
       ignore_max_ack_delay_(false) {}
 
 void RttStats::ExpireSmoothedMetrics() {
@@ -52,6 +51,8 @@ void RttStats::UpdateRtt(QuicTime::Delta send_delta,
     return;
   }
 
+  last_update_time_ = now;
+
   // Update min_rtt_ first. min_rtt_ does not use an rtt_sample corrected for
   // ack_delay but the raw observed send_delta, since poor clock granularity at
   // the client may cause a high ack_delay to result in underestimation of the
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h
index 65791b1ae3e..7b58276aa86 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h
@@ -75,6 +75,8 @@ class QUIC_EXPORT_PRIVATE RttStats {
 
   QuicTime::Delta max_ack_delay() const { return max_ack_delay_; }
 
+  QuicTime last_update_time() const { return last_update_time_; }
+
   bool ignore_max_ack_delay() const { return ignore_max_ack_delay_; }
 
   void set_ignore_max_ack_delay(bool ignore_max_ack_delay) {
@@ -100,6 +102,7 @@ class QUIC_EXPORT_PRIVATE RttStats {
   // The maximum ack delay observed over the connection after excluding ack
   // delays that were too large to be included in an RTT measurement.
   QuicTime::Delta max_ack_delay_;
+  QuicTime last_update_time_;
   // Whether to ignore the peer's max ack delay.
   bool ignore_max_ack_delay_;
 };
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.cc
index 0b3c6c85339..b641eb4bb3d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.cc
@@ -7,6 +7,7 @@
 #include "net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h"
 #include "net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_bbr2_sender.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_fallthrough.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
@@ -33,6 +34,10 @@ SendAlgorithmInterface* SendAlgorithmInterface::Create(
       return new BbrSender(clock->ApproximateNow(), rtt_stats, unacked_packets,
                            initial_congestion_window, max_congestion_window,
                            random, stats);
+    case kBBRv2:
+      return new QuicBbr2Sender(clock->ApproximateNow(), rtt_stats,
+                                unacked_packets, initial_congestion_window,
+                                max_congestion_window, random, stats);
     case kPCC:
       if (GetQuicReloadableFlag(quic_enable_pcc3)) {
         return CreatePccSender(clock, rtt_stats, unacked_packets, random, stats,
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h
index 9db67b5abd1..69f7455219c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h
@@ -45,10 +45,6 @@ class QUIC_EXPORT_PRIVATE SendAlgorithmInterface {
   virtual void SetFromConfig(const QuicConfig& config,
                              Perspective perspective) = 0;
 
-  // Sets the number of connections to emulate when doing congestion control,
-  // particularly for congestion avoidance.  Can be set any time.
-  virtual void SetNumEmulatedConnections(int num_connections) = 0;
-
   // Sets the initial congestion window in number of packets.  May be ignored
   // if called after the initial congestion window is no longer relevant.
   virtual void SetInitialCongestionWindowInPackets(QuicPacketCount packets) = 0;
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
index 7cbf332ffcd..28f284e4ce0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
@@ -261,7 +261,8 @@ std::string TcpCubicSenderBytes::GetDebugState() const {
   return "";
 }
 
-void TcpCubicSenderBytes::OnApplicationLimited(QuicByteCount bytes_in_flight) {}
+void TcpCubicSenderBytes::OnApplicationLimited(
+    QuicByteCount /*bytes_in_flight*/) {}
 
 void TcpCubicSenderBytes::SetCongestionWindowFromBandwidthAndRtt(
     QuicBandwidth bandwidth,
@@ -360,7 +361,7 @@ QuicByteCount TcpCubicSenderBytes::GetSlowStartThreshold() const {
 // Called when we receive an ack. Normal TCP tracks how many packets one ack
 // represents, but quic has a separate ack for each packet.
 void TcpCubicSenderBytes::MaybeIncreaseCwnd(
-    QuicPacketNumber acked_packet_number,
+    QuicPacketNumber /*acked_packet_number*/,
     QuicByteCount acked_bytes,
     QuicByteCount prior_in_flight,
     QuicTime event_time) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h
index dd8be128be3..50f7981b81e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h
@@ -49,7 +49,7 @@ class QUIC_EXPORT_PRIVATE TcpCubicSenderBytes : public SendAlgorithmInterface {
   void AdjustNetworkParameters(QuicBandwidth bandwidth,
                                QuicTime::Delta rtt,
                                bool allow_cwnd_to_decrease) override;
-  void SetNumEmulatedConnections(int num_connections) override;
+  void SetNumEmulatedConnections(int num_connections);
   void SetInitialCongestionWindowInPackets(
       QuicPacketCount congestion_window) override;
   void OnConnectionMigration() override;
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
index 32451a51020..2d2789681d0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
@@ -64,7 +64,7 @@ class TcpCubicSenderBytesTest : public QuicTest {
     return SendAvailableSendWindow(kDefaultTCPMSS);
   }
 
-  int SendAvailableSendWindow(QuicPacketLength packet_length) {
+  int SendAvailableSendWindow(QuicPacketLength /*packet_length*/) {
     // Send as long as TimeUntilSend returns Zero.
     int packets_sent = 0;
     bool can_send = sender_->CanSend(bytes_in_flight_);
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.cc
index 8db151b2eff..e0dff988eec 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.cc
@@ -37,7 +37,6 @@ void UberLossAlgorithm::DetectLosses(
     QuicPacketNumber /*largest_newly_acked*/,
     const AckedPacketVector& packets_acked,
     LostPacketVector* packets_lost) {
-  DCHECK(unacked_packets.use_uber_loss_algorithm());
   for (int8_t i = INITIAL_DATA; i < NUM_PACKET_NUMBER_SPACES; ++i) {
     const QuicPacketNumber largest_acked =
         unacked_packets.GetLargestAckedOfPacketNumberSpace(
@@ -76,7 +75,6 @@ void UberLossAlgorithm::SpuriousRetransmitDetected(
     QuicTime time,
     const RttStats& rtt_stats,
     QuicPacketNumber spurious_retransmission) {
-  DCHECK(unacked_packets.use_uber_loss_algorithm());
   general_loss_algorithms_[unacked_packets.GetPacketNumberSpace(
                                spurious_retransmission)]
       .SpuriousRetransmitDetected(unacked_packets, time, rtt_stats,
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm_test.cc
index 1fe346534e3..0c79ac55352 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm_test.cc
@@ -21,7 +21,6 @@ const uint32_t kDefaultLength = 1000;
 class UberLossAlgorithmTest : public QuicTest {
  protected:
   UberLossAlgorithmTest() {
-    SetQuicReloadableFlag(quic_use_uber_loss_algorithm, true);
     unacked_packets_ =
         QuicMakeUnique<QuicUnackedPacketMap>(Perspective::IS_CLIENT);
     rtt_stats_.UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
@@ -159,6 +158,40 @@ TEST_F(UberLossAlgorithmTest, ScenarioC) {
   VerifyLosses(5, packets_acked_, std::vector<uint64_t>{2, 3});
 }
 
+// Regression test for b/133771183.
+TEST_F(UberLossAlgorithmTest, PacketInLimbo) {
+  // This test mimics a scenario: server sends 1-SHLO, 2-1RTT, 3-1RTT,
+  // 4-retransmit SHLO. Client receives and ACKs packets 1, 3 and 4.
+  QuicUnackedPacketMapPeer::SetPerspective(unacked_packets_.get(),
+                                           Perspective::IS_SERVER);
+
+  SendPacket(1, ENCRYPTION_ZERO_RTT);
+  SendPacket(2, ENCRYPTION_FORWARD_SECURE);
+  SendPacket(3, ENCRYPTION_FORWARD_SECURE);
+  SendPacket(4, ENCRYPTION_ZERO_RTT);
+
+  SendPacket(5, ENCRYPTION_FORWARD_SECURE);
+  AckPackets({1, 3, 4});
+  unacked_packets_->MaybeUpdateLargestAckedOfPacketNumberSpace(
+      APPLICATION_DATA, QuicPacketNumber(3));
+  unacked_packets_->MaybeUpdateLargestAckedOfPacketNumberSpace(
+      HANDSHAKE_DATA, QuicPacketNumber(4));
+  // No packet loss detected.
+  VerifyLosses(4, packets_acked_, std::vector<uint64_t>{});
+
+  SendPacket(6, ENCRYPTION_FORWARD_SECURE);
+  AckPackets({5, 6});
+  unacked_packets_->MaybeUpdateLargestAckedOfPacketNumberSpace(
+      APPLICATION_DATA, QuicPacketNumber(6));
+  if (GetQuicReloadableFlag(quic_fix_packets_acked)) {
+    // Verify packet 2 is detected lost.
+    VerifyLosses(6, packets_acked_, std::vector<uint64_t>{2});
+  } else {
+    // No losses, packet 2 is in limbo.
+    VerifyLosses(6, packets_acked_, std::vector<uint64_t>{});
+  }
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_decrypter_test.cc
index fefd09fc109..dd8a680ec32 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_decrypter_test.cc
@@ -86,7 +86,7 @@ const TestVector test_group_0[] = {
         "a2be08210d8c470a8df6e8fbd79ec5cf",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_1[] = {
     {
@@ -97,7 +97,7 @@ const TestVector test_group_1[] = {
     {"2370e320d4344208e0ff5683f243b213", "04dbb82f044d30831c441228", "",
      "d43a8e5089eea0d026c03a85178b27da", "2a049c049d25aa95969b451d93c31c6e",
      ""},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_2[] = {
     {"e98b72a9881a84ca6b76e0f43e68647a", "8b23299fde174053f3d652ba",
@@ -112,7 +112,7 @@ const TestVector test_group_2[] = {
         "a145319896329c96df291f64efbe0e3a",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_3[] = {
     {"af57f42c60c0fc5a09adb81ab86ca1c3", "a2dc01871f37025dc0fc9a79",
@@ -137,7 +137,7 @@ const TestVector test_group_3[] = {
         "8ca4e38aa3dfa6b1d0297021ccf3ea5f",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_4[] = {
     {"da2bb7d581493d692380c77105590201", "44aa3e7856ca279d2eb020c6",
@@ -168,7 +168,7 @@ const TestVector test_group_4[] = {
         "8b347853f11d75e81e8a95010be81f17",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_5[] = {
     {"387218b246c1a8257748b56980e50c94", "dd7e014198672be39f95b69d",
@@ -185,7 +185,7 @@ const TestVector test_group_5[] = {
         "a85b66c3cb5eab91d5bdc8bc0e", "", "dc054efc01f3afd21d9c2484819f569a",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector* const test_group_array[] = {
     test_group_0, test_group_1, test_group_2,
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_encrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_encrypter_test.cc
index 578c3be33cb..5ccc44da3c6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_encrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_encrypter_test.cc
@@ -78,7 +78,7 @@ const TestVector test_group_0[] = {
      "250327c674aaf477aef2675748cf6971"},
     {"ca47248ac0b6f8372a97ac43508308ed", "ffd2b598feabc9019262d2be", "", "", "",
      "60d20404af527d248d893ae495707d1a"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_1[] = {
     {"77be63708971c4e240d1cb79e8d77feb", "e0e00f19fed7ba0136a797f3", "",
@@ -87,7 +87,7 @@ const TestVector test_group_1[] = {
     {"7680c5d3ca6154758e510f4d25b98820", "f8f105f9c3df4965780321f8", "",
      "c94c410194c765e3dcc7964379758ed3", "",
      "94dca8edfcf90bb74b153c8d48a17930"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_2[] = {
     {"7fddb57453c241d03efbed3ac44e371c", "ee283a3fc75575e33efd4887",
@@ -96,7 +96,7 @@ const TestVector test_group_2[] = {
     {"ab72c77b97cb5fe9a382d9fe81ffdbed", "54cc7dc2c37ec006bcc6d1da",
      "007c5e5b3e59df24a7c355584fc1518d", "", "0e1bde206a07a9c2c1b65300f8c64997",
      "2b4401346697138c7a4891ee59867d0c"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_3[] = {
     {"fe47fcce5fc32665d2ae399e4eec72ba", "5adb9609dbaeb58cbd6e7275",
@@ -113,7 +113,7 @@ const TestVector test_group_3[] = {
      "a7443d31c26bdf2a1c945e29ee4bd344a99cfaf3aa71f8b3f191f83c2adfc7a0716299"
      "5506fde6309ffc19e716eddf1a828c5a",
      "890147971946b627c40016da1ecf3e77"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_4[] = {
     {"2c1f21cf0f6fb3661943155c3e3d8492", "23cb5ff362e22426984d1907",
@@ -134,7 +134,7 @@ const TestVector test_group_4[] = {
      "aaadbd5c92e9151ce3db7210b8714126b73e43436d242677afa50384f2149b831f1d57"
      "3c7891c2a91fbc48db29967ec9542b23",
      "21b51ca862cb637cdd03b99a0f93b134"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_5[] = {
     {"fe9bb47deb3a61e423c2231841cfd1fb", "4d328eb776f500a2f7fb47aa",
@@ -143,7 +143,7 @@ const TestVector test_group_5[] = {
     {"6703df3701a7f54911ca72e24dca046a", "12823ab601c350ea4bc2488c",
      "793cd125b0b84a043e3ac67717", "", "b2051c80014f42f08735a7b0cd",
      "38e6bcd29962e5f2c13626b85a877101"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector* const test_group_array[] = {
     test_group_0, test_group_1, test_group_2,
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter_test.cc
index 13c6827f006..54793f8c6e2 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter_test.cc
@@ -86,7 +86,7 @@ const TestVector test_group_0[] = {
         "a2be08210d8c470a8df6e8fbd79ec5cf",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_1[] = {
     {
@@ -97,7 +97,7 @@ const TestVector test_group_1[] = {
     {"2370e320d4344208e0ff5683f243b213", "04dbb82f044d30831c441228", "",
      "d43a8e5089eea0d026c03a85178b27da", "2a049c049d25aa95969b451d93c31c6e",
      ""},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_2[] = {
     {"e98b72a9881a84ca6b76e0f43e68647a", "8b23299fde174053f3d652ba",
@@ -112,7 +112,7 @@ const TestVector test_group_2[] = {
         "a145319896329c96df291f64efbe0e3a",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_3[] = {
     {"af57f42c60c0fc5a09adb81ab86ca1c3", "a2dc01871f37025dc0fc9a79",
@@ -137,7 +137,7 @@ const TestVector test_group_3[] = {
         "8ca4e38aa3dfa6b1d0297021ccf3ea5f",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_4[] = {
     {"da2bb7d581493d692380c77105590201", "44aa3e7856ca279d2eb020c6",
@@ -168,7 +168,7 @@ const TestVector test_group_4[] = {
         "8b347853f11d75e81e8a95010be81f17",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_5[] = {
     {"387218b246c1a8257748b56980e50c94", "dd7e014198672be39f95b69d",
@@ -185,7 +185,7 @@ const TestVector test_group_5[] = {
         "a85b66c3cb5eab91d5bdc8bc0e", "", "dc054efc01f3afd21d9c2484819f569a",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector* const test_group_array[] = {
     test_group_0, test_group_1, test_group_2,
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_encrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_encrypter_test.cc
index 3efe5291136..c557e118170 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_encrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_encrypter_test.cc
@@ -78,7 +78,7 @@ const TestVector test_group_0[] = {
      "250327c674aaf477aef2675748cf6971"},
     {"ca47248ac0b6f8372a97ac43508308ed", "ffd2b598feabc9019262d2be", "", "", "",
      "60d20404af527d248d893ae495707d1a"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_1[] = {
     {"77be63708971c4e240d1cb79e8d77feb", "e0e00f19fed7ba0136a797f3", "",
@@ -87,7 +87,7 @@ const TestVector test_group_1[] = {
     {"7680c5d3ca6154758e510f4d25b98820", "f8f105f9c3df4965780321f8", "",
      "c94c410194c765e3dcc7964379758ed3", "",
      "94dca8edfcf90bb74b153c8d48a17930"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_2[] = {
     {"7fddb57453c241d03efbed3ac44e371c", "ee283a3fc75575e33efd4887",
@@ -96,7 +96,7 @@ const TestVector test_group_2[] = {
     {"ab72c77b97cb5fe9a382d9fe81ffdbed", "54cc7dc2c37ec006bcc6d1da",
      "007c5e5b3e59df24a7c355584fc1518d", "", "0e1bde206a07a9c2c1b65300f8c64997",
      "2b4401346697138c7a4891ee59867d0c"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_3[] = {
     {"fe47fcce5fc32665d2ae399e4eec72ba", "5adb9609dbaeb58cbd6e7275",
@@ -113,7 +113,7 @@ const TestVector test_group_3[] = {
      "a7443d31c26bdf2a1c945e29ee4bd344a99cfaf3aa71f8b3f191f83c2adfc7a0716299"
      "5506fde6309ffc19e716eddf1a828c5a",
      "890147971946b627c40016da1ecf3e77"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_4[] = {
     {"2c1f21cf0f6fb3661943155c3e3d8492", "23cb5ff362e22426984d1907",
@@ -134,7 +134,7 @@ const TestVector test_group_4[] = {
      "aaadbd5c92e9151ce3db7210b8714126b73e43436d242677afa50384f2149b831f1d57"
      "3c7891c2a91fbc48db29967ec9542b23",
      "21b51ca862cb637cdd03b99a0f93b134"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_5[] = {
     {"fe9bb47deb3a61e423c2231841cfd1fb", "4d328eb776f500a2f7fb47aa",
@@ -143,7 +143,7 @@ const TestVector test_group_5[] = {
     {"6703df3701a7f54911ca72e24dca046a", "12823ab601c350ea4bc2488c",
      "793cd125b0b84a043e3ac67717", "", "b2051c80014f42f08735a7b0cd",
      "38e6bcd29962e5f2c13626b85a877101"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector* const test_group_array[] = {
     test_group_0, test_group_1, test_group_2,
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_decrypter_test.cc
index 4e7e05b5e81..73a3b3deec4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_decrypter_test.cc
@@ -88,7 +88,7 @@ const TestVector test_group_0[] = {
         "51e43385bf533e168427e1ad", "", "", "38fe845c66e66bdd884c2aecafd280e6",
         nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_1[] = {
     {"6dfdafd6703c285c01f14fd10a6012862b2af950d4733abb403b2e745b26945d",
@@ -99,7 +99,7 @@ const TestVector test_group_1[] = {
         "0723fb84a08f4ea09841f32a", "", "140be561b6171eab942c486a94d33d43",
         "aa0e1c9b57975bfc91aa137231977d2c", nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_2[] = {
     {"4c8ebfe1444ec1b2d503c6986659af2c94fafe945f72c1e8486a5acfedb8a0f8",
@@ -113,7 +113,7 @@ const TestVector test_group_2[] = {
         "835090aed9552dbdd45277e2", "9f6607d68e22ccf21928db0986be126e", "",
         "f32617f67c574fd9f44ef76ff880ab9f", nullptr  // FAIL
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_3[] = {
     {
@@ -141,7 +141,7 @@ const TestVector test_group_3[] = {
      "9cb3d04637048bc0bddef803ffbb56cf",
      "1d21639640e11638a2769e3fab78778f84be3f4a8ce28dfd99cb2e75171e05ea8e94e30aa"
      "78b54bb402b39d613616a8ed951dc"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_4[] = {
     {
@@ -175,7 +175,7 @@ const TestVector test_group_4[] = {
      "e0299e079bff46fd12e36d1c60e41434",
      "e5a3ce804a8516cdd12122c091256b789076576040dbf3c55e8be3c016025896b8a72532b"
      "fd51196cc82efca47aa0fd8e2e0dc"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_5[] = {
     {
@@ -189,7 +189,7 @@ const TestVector test_group_5[] = {
     {"dc1f64681014be221b00793bbcf5a5bc675b968eb7a3a3d5aa5978ef4fa45ecc",
      "056ae9a1a69e38af603924fe", "33013a48d9ea0df2911d583271", "",
      "5b8f9cc22303e979cd1524187e9f70fe", "2a7e05612191c8bce2f529dca9"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector* const test_group_array[] = {
     test_group_0, test_group_1, test_group_2,
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_encrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_encrypter_test.cc
index 86bf0c430cb..03f6b752399 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_encrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_encrypter_test.cc
@@ -81,7 +81,7 @@ const TestVector test_group_0[] = {
     {"5fe0861cdc2690ce69b3658c7f26f8458eec1c9243c5ba0845305d897e96ca0f",
      "770ac1a5a3d476d5d96944a1", "", "", "",
      "196d691e1047093ca4b3d2ef4baba216"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_1[] = {
     {"78dc4e0aaf52d935c3c01eea57428f00ca1fd475f5da86a49c8dd73d68c8e223",
@@ -90,7 +90,7 @@ const TestVector test_group_1[] = {
     {"4457ff33683cca6ca493878bdc00373893a9763412eef8cddb54f91318e0da88",
      "699d1f29d7b8c55300bb1fd2", "", "6749daeea367d0e9809e2dc2f309e6e3", "",
      "d60c74d2517fde4a74e0cd4709ed43a9"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_2[] = {
     {"31bdadd96698c204aa9ce1448ea94ae1fb4a9a0b3c9d773b51bb1822666b8f22",
@@ -99,7 +99,7 @@ const TestVector test_group_2[] = {
     {"460fc864972261c2560e1eb88761ff1c992b982497bd2ac36c04071cbb8e5d99",
      "8a4a16b9e210eb68bcb6f58d", "99e4e926ffe927f691893fb79a96b067", "",
      "133fc15751621b5f325c7ff71ce08324", "ec4e87e0cf74a13618d0b68636ba9fa7"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_3[] = {
     {"24501ad384e473963d476edcfe08205237acfd49b5b8f33857f8114e863fec7f",
@@ -118,7 +118,7 @@ const TestVector test_group_3[] = {
      "871cd53d95a8b806bd4821e6c4456204d27fd704ba3d07ce25872dc604ea5c5ea13322186"
      "b7489db4fa060c1fd4159692612c8",
      "07b48e4a32fac47e115d7ac7445d8330"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_4[] = {
     {"148579a3cbca86d5520d66c0ec71ca5f7e41ba78e56dc6eebd566fed547fe691",
@@ -141,7 +141,7 @@ const TestVector test_group_4[] = {
      "32ca3588e3e56eb4c8301b009d8b84b8a900b2b88ca3c21944205e9dd7311757b51394ae9"
      "0d8bb3807b471677614f4198af909",
      "3e403d035c71d88f1be1a256c89ba6ad"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector test_group_5[] = {
     {"82c4f12eeec3b2d3d157b0f992d292b237478d2cecc1d5f161389b97f999057a",
@@ -150,7 +150,7 @@ const TestVector test_group_5[] = {
     {"db4340af2f835a6c6d7ea0ca9d83ca81ba02c29b7410f221cb6071114e393240",
      "40e438357dd80a85cac3349e", "8ddb3397bd42853193cb0f80c9", "",
      "b694118c85c41abf69e229cb0f", "c07f1b8aafbd152f697eb67f2a85fe45"},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 const TestVector* const test_group_array[] = {
     test_group_0, test_group_1, test_group_2,
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_decrypter_test.cc
index 39c0e8ab7a0..a9c4999683b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_decrypter_test.cc
@@ -103,7 +103,7 @@ const TestVector test_vectors[] = {
      "1ae10b594f09e26a7e902ecb",  // "d0600691" truncated
 
      nullptr},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 }  // namespace
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_encrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_encrypter_test.cc
index e04d864202e..4584d9673b2 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_encrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_encrypter_test.cc
@@ -60,7 +60,7 @@ const TestVector test_vectors[] = {
         "6116"
         "1ae10b594f09e26a7e902ecb",  // "d0600691" truncated
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 }  // namespace
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_decrypter_test.cc
index 02ecc730c64..ce4dea9f385 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_decrypter_test.cc
@@ -103,7 +103,7 @@ const TestVector test_vectors[] = {
      "1ae10b594f09e26a7e902ecbd0600691",
 
      nullptr},
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 }  // namespace
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_encrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_encrypter_test.cc
index 32fde507a77..ef4a8e869fe 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_encrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_encrypter_test.cc
@@ -30,36 +30,37 @@ struct TestVector {
   const char* ct;
 };
 
-const TestVector test_vectors[] = {{
-                                       "808182838485868788898a8b8c8d8e8f"
-                                       "909192939495969798999a9b9c9d9e9f",
-
-                                       "4c616469657320616e642047656e746c"
-                                       "656d656e206f662074686520636c6173"
-                                       "73206f66202739393a20496620492063"
-                                       "6f756c64206f6666657220796f75206f"
-                                       "6e6c79206f6e652074697020666f7220"
-                                       "746865206675747572652c2073756e73"
-                                       "637265656e20776f756c642062652069"
-                                       "742e",
-
-                                       "4041424344454647",
-
-                                       "07000000",
-
-                                       "50515253c0c1c2c3c4c5c6c7",
-
-                                       "d31a8d34648e60db7b86afbc53ef7ec2"
-                                       "a4aded51296e08fea9e2b5a736ee62d6"
-                                       "3dbea45e8ca9671282fafb69da92728b"
-                                       "1a71de0a9e060b2905d6a5b67ecd3b36"
-                                       "92ddbd7f2d778b8c9803aee328091b58"
-                                       "fab324e4fad675945585808b4831d7bc"
-                                       "3ff4def08e4b7a9de576d26586cec64b"
-                                       "6116"
-                                       "1ae10b594f09e26a7e902ecbd0600691",
-                                   },
-                                   {nullptr}};
+const TestVector test_vectors[] = {
+    {
+        "808182838485868788898a8b8c8d8e8f"
+        "909192939495969798999a9b9c9d9e9f",
+
+        "4c616469657320616e642047656e746c"
+        "656d656e206f662074686520636c6173"
+        "73206f66202739393a20496620492063"
+        "6f756c64206f6666657220796f75206f"
+        "6e6c79206f6e652074697020666f7220"
+        "746865206675747572652c2073756e73"
+        "637265656e20776f756c642062652069"
+        "742e",
+
+        "4041424344454647",
+
+        "07000000",
+
+        "50515253c0c1c2c3c4c5c6c7",
+
+        "d31a8d34648e60db7b86afbc53ef7ec2"
+        "a4aded51296e08fea9e2b5a736ee62d6"
+        "3dbea45e8ca9671282fafb69da92728b"
+        "1a71de0a9e060b2905d6a5b67ecd3b36"
+        "92ddbd7f2d778b8c9803aee328091b58"
+        "fab324e4fad675945585808b4831d7bc"
+        "3ff4def08e4b7a9de576d26586cec64b"
+        "6116"
+        "1ae10b594f09e26a7e902ecbd0600691",
+    },
+    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
 
 }  // namespace
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/channel_id_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/channel_id_test.cc
index d3673826d27..c69e3289be4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/channel_id_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/channel_id_test.cc
@@ -197,7 +197,7 @@ const TestVector test_vector[] = {
         "62b5cdd591e5b507e560167ba8f6f7cda74673eb315680cb89ccbc4eec477dce",
         true  // P (0 )
     },
-    {nullptr}};
+    {nullptr, nullptr, nullptr, nullptr, nullptr, false}};
 
 // Returns true if |ch| is a lowercase hexadecimal digit.
 bool IsHexDigit(char ch) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_framer.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_framer.cc
index ddfd4660e38..931ac992c29 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_framer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_framer.cc
@@ -29,7 +29,7 @@ class OneShotVisitor : public CryptoFramerVisitorInterface {
  public:
   OneShotVisitor() : error_(false) {}
 
-  void OnError(CryptoFramer* framer) override { error_ = true; }
+  void OnError(CryptoFramer* /*framer*/) override { error_ = true; }
 
   void OnHandshakeMessage(const CryptoHandshakeMessage& message) override {
     out_ = QuicMakeUnique<CryptoHandshakeMessage>(message);
@@ -80,7 +80,8 @@ const std::string& CryptoFramer::error_detail() const {
   return error_detail_;
 }
 
-bool CryptoFramer::ProcessInput(QuicStringPiece input, EncryptionLevel level) {
+bool CryptoFramer::ProcessInput(QuicStringPiece input,
+                                EncryptionLevel /*level*/) {
   return ProcessInput(input);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h
index 4608889df45..424727fc674 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h
@@ -177,10 +177,6 @@ class QUIC_EXPORT_PRIVATE QuicCryptoConfig {
   // Authenticated encryption with associated data (AEAD) algorithms.
   QuicTagVector aead;
 
-  // Supported Token Binding key parameters that can be negotiated in the client
-  // hello.
-  QuicTagVector tb_key_params;
-
   const CommonCertSets* common_cert_sets;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.cc
index 457d0fb054e..bf1df2b5396 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.cc
@@ -286,7 +286,6 @@ std::string CryptoHandshakeMessage::DebugStringInternal(size_t indent) const {
           done = true;
         }
         break;
-      case kTBKP:
       case kKEXS:
       case kAEAD:
       case kCOPT:
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h
index e63224a38ed..f2033e1228b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h
@@ -27,7 +27,7 @@ namespace quic {
 typedef std::string ServerConfigID;
 
 // The following tags have been deprecated and should not be reused:
-// "BBQ4", "RCID", "SREJ"
+// "1CON", "BBQ4", "NCON", "RCID", "SREJ", "TBKP", "TB10"
 
 // clang-format off
 const QuicTag kCHLO = TAG('C', 'H', 'L', 'O');   // Client hello
@@ -125,7 +125,7 @@ const QuicTag kIW03 = TAG('I', 'W', '0', '3');   // Force ICWND to 3
 const QuicTag kIW10 = TAG('I', 'W', '1', '0');   // Force ICWND to 10
 const QuicTag kIW20 = TAG('I', 'W', '2', '0');   // Force ICWND to 20
 const QuicTag kIW50 = TAG('I', 'W', '5', '0');   // Force ICWND to 50
-const QuicTag k1CON = TAG('1', 'C', 'O', 'N');   // Emulate a single connection
+const QuicTag kB2ON = TAG('B', '2', 'O', 'N');   // Enable BBRv2
 const QuicTag kNTLP = TAG('N', 'T', 'L', 'P');   // No tail loss probe
 const QuicTag k1TLP = TAG('1', 'T', 'L', 'P');   // 1 tail loss probe
 const QuicTag k1RTO = TAG('1', 'R', 'T', 'O');   // Send 1 packet upon RTO
@@ -237,10 +237,6 @@ const QuicTag kCFCW = TAG('C', 'F', 'C', 'W');   // Initial session/connection
                                                  // flow control receive window.
 const QuicTag kUAID = TAG('U', 'A', 'I', 'D');   // Client's User Agent ID.
 const QuicTag kXLCT = TAG('X', 'L', 'C', 'T');   // Expected leaf certificate.
-const QuicTag kTBKP = TAG('T', 'B', 'K', 'P');   // Token Binding key params.
-
-// Token Binding tags
-const QuicTag kTB10 = TAG('T', 'B', '1', '0');   // TB draft 10 with P256.
 
 // Rejection tags
 const QuicTag kRREJ = TAG('R', 'R', 'E', 'J');   // Reasons for server sending
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_server_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_server_test.cc
index 306a28b8ebf..5cc4d363c95 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_server_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_server_test.cc
@@ -17,10 +17,9 @@
 #include "net/third_party/quiche/src/quic/core/crypto/proof_source.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_socket_address_coder.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
@@ -45,9 +44,9 @@ class DummyProofVerifierCallback : public ProofVerifierCallback {
   DummyProofVerifierCallback() {}
   ~DummyProofVerifierCallback() override {}
 
-  void Run(bool ok,
-           const std::string& error_details,
-           std::unique_ptr<ProofVerifyDetails>* details) override {
+  void Run(bool /*ok*/,
+           const std::string& /*error_details*/,
+           std::unique_ptr<ProofVerifyDetails>* /*details*/) override {
     DCHECK(false);
   }
 };
@@ -93,8 +92,7 @@ class CryptoServerTest : public QuicTestWithParam<TestParams> {
         config_(QuicCryptoServerConfig::TESTING,
                 rand_,
                 crypto_test_utils::ProofSourceForTesting(),
-                KeyExchangeSource::Default(),
-                TlsServerHandshaker::CreateSslCtx()),
+                KeyExchangeSource::Default()),
         peer_(&config_),
         compressed_certs_cache_(
             QuicCompressedCertsCache::kQuicCompressedCertsCacheSize),
@@ -254,12 +252,12 @@ class CryptoServerTest : public QuicTestWithParam<TestParams> {
       *called_ = false;
     }
 
-    void Run(
-        QuicErrorCode error,
-        const std::string& error_details,
-        std::unique_ptr<CryptoHandshakeMessage> message,
-        std::unique_ptr<DiversificationNonce> diversification_nonce,
-        std::unique_ptr<ProofSource::Details> proof_source_details) override {
+    void Run(QuicErrorCode error,
+             const std::string& error_details,
+             std::unique_ptr<CryptoHandshakeMessage> message,
+             std::unique_ptr<DiversificationNonce> /*diversification_nonce*/,
+             std::unique_ptr<ProofSource::Details> /*proof_source_details*/)
+        override {
       if (should_succeed_) {
         ASSERT_EQ(error, QUIC_NO_ERROR)
             << "Message failed with error " << error_details << ": "
@@ -290,15 +288,12 @@ class CryptoServerTest : public QuicTestWithParam<TestParams> {
       bool should_succeed,
       const char* error_substr) {
     QuicSocketAddress server_address(QuicIpAddress::Any4(), 5);
-    QuicConnectionId server_designated_connection_id =
-        TestConnectionId(rand_for_id_generation_.RandUint64());
     bool called;
     config_.ProcessClientHello(
         result, /*reject_only=*/false,
         /*connection_id=*/TestConnectionId(1), server_address, client_address_,
-        supported_versions_.front(), supported_versions_,
-        /*use_stateless_rejects=*/false, server_designated_connection_id,
-        &clock_, rand_, &compressed_certs_cache_, params_, signed_config_,
+        supported_versions_.front(), supported_versions_, &clock_, rand_,
+        &compressed_certs_cache_, params_, signed_config_,
         /*total_framing_overhead=*/50, chlo_packet_size_,
         QuicMakeUnique<ProcessCallback>(result, should_succeed, error_substr,
                                         &called, &out_));
@@ -975,12 +970,10 @@ TEST_F(CryptoServerConfigGenerationTest, Determinism) {
 
   QuicCryptoServerConfig a(QuicCryptoServerConfig::TESTING, &rand_a,
                            crypto_test_utils::ProofSourceForTesting(),
-                           KeyExchangeSource::Default(),
-                           TlsServerHandshaker::CreateSslCtx());
+                           KeyExchangeSource::Default());
   QuicCryptoServerConfig b(QuicCryptoServerConfig::TESTING, &rand_b,
                            crypto_test_utils::ProofSourceForTesting(),
-                           KeyExchangeSource::Default(),
-                           TlsServerHandshaker::CreateSslCtx());
+                           KeyExchangeSource::Default());
   std::unique_ptr<CryptoHandshakeMessage> scfg_a(
       a.AddDefaultConfig(&rand_a, &clock, options));
   std::unique_ptr<CryptoHandshakeMessage> scfg_b(
@@ -999,13 +992,11 @@ TEST_F(CryptoServerConfigGenerationTest, SCIDVaries) {
 
   QuicCryptoServerConfig a(QuicCryptoServerConfig::TESTING, &rand_a,
                            crypto_test_utils::ProofSourceForTesting(),
-                           KeyExchangeSource::Default(),
-                           TlsServerHandshaker::CreateSslCtx());
+                           KeyExchangeSource::Default());
   rand_b.ChangeValue();
   QuicCryptoServerConfig b(QuicCryptoServerConfig::TESTING, &rand_b,
                            crypto_test_utils::ProofSourceForTesting(),
-                           KeyExchangeSource::Default(),
-                           TlsServerHandshaker::CreateSslCtx());
+                           KeyExchangeSource::Default());
   std::unique_ptr<CryptoHandshakeMessage> scfg_a(
       a.AddDefaultConfig(&rand_a, &clock, options));
   std::unique_ptr<CryptoHandshakeMessage> scfg_b(
@@ -1025,8 +1016,7 @@ TEST_F(CryptoServerConfigGenerationTest, SCIDIsHashOfServerConfig) {
 
   QuicCryptoServerConfig a(QuicCryptoServerConfig::TESTING, &rand_a,
                            crypto_test_utils::ProofSourceForTesting(),
-                           KeyExchangeSource::Default(),
-                           TlsServerHandshaker::CreateSslCtx());
+                           KeyExchangeSource::Default());
   std::unique_ptr<CryptoHandshakeMessage> scfg(
       a.AddDefaultConfig(&rand_a, &clock, options));
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.cc
index be12ad42034..085a65a52bb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.cc
@@ -88,9 +88,9 @@ void CryptoUtils::SetKeyAndIV(const EVP_MD* prf,
 
 namespace {
 
-const uint8_t kInitialSalt[] = {0xef, 0x4f, 0xb0, 0xab, 0xb4, 0x74, 0x70,
-                                0xc4, 0x1b, 0xef, 0xcf, 0x80, 0x31, 0x33,
-                                0x4f, 0xae, 0x48, 0x5e, 0x09, 0xa0};
+const uint8_t kInitialSalt[] = {0x7f, 0xbc, 0xdb, 0x0e, 0x7c, 0x66, 0xbb,
+                                0xe9, 0x19, 0x3a, 0x96, 0xcd, 0x21, 0x51,
+                                0x9e, 0xbd, 0x7a, 0x02, 0x64, 0x4a};
 
 const char kPreSharedKeyLabel[] = "QUIC PSK";
 
@@ -476,7 +476,7 @@ const char* CryptoUtils::HandshakeFailureReasonToString(
 // static
 std::string CryptoUtils::HashHandshakeMessage(
     const CryptoHandshakeMessage& message,
-    Perspective perspective) {
+    Perspective /*perspective*/) {
   std::string output;
   const QuicData& serialized = message.GetSerialized();
   uint8_t digest[SHA256_DIGEST_LENGTH];
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/null_decrypter.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/null_decrypter.cc
index 4934f6286a3..e89fecc9c05 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/null_decrypter.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/null_decrypter.cc
@@ -32,12 +32,13 @@ bool NullDecrypter::SetHeaderProtectionKey(QuicStringPiece key) {
   return key.empty();
 }
 
-bool NullDecrypter::SetPreliminaryKey(QuicStringPiece key) {
+bool NullDecrypter::SetPreliminaryKey(QuicStringPiece /*key*/) {
   QUIC_BUG << "Should not be called";
   return false;
 }
 
-bool NullDecrypter::SetDiversificationNonce(const DiversificationNonce& nonce) {
+bool NullDecrypter::SetDiversificationNonce(
+    const DiversificationNonce& /*nonce*/) {
   QUIC_BUG << "Should not be called";
   return true;
 }
@@ -71,7 +72,7 @@ bool NullDecrypter::DecryptPacket(uint64_t /*packet_number*/,
 }
 
 std::string NullDecrypter::GenerateHeaderProtectionMask(
-    QuicDataReader* sample_reader) {
+    QuicDataReader* /*sample_reader*/) {
   return std::string(5, 0);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter.cc
index 69db96d313a..4ad9b2ad382 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter.cc
@@ -58,7 +58,7 @@ bool NullEncrypter::EncryptPacket(uint64_t /*packet_number*/,
 }
 
 std::string NullEncrypter::GenerateHeaderProtectionMask(
-    QuicStringPiece sample) {
+    QuicStringPiece /*sample*/) {
   return std::string(5, 0);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc
index 4fca4bb00a3..2b458ffa5fa 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc
@@ -21,6 +21,7 @@
 #include "net/third_party/quiche/src/quic/core/crypto/proof_verifier.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
+#include "net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
@@ -59,9 +60,9 @@ void RecordDiskCacheServerConfigState(
 }  // namespace
 
 QuicCryptoClientConfig::QuicCryptoClientConfig(
-    std::unique_ptr<ProofVerifier> proof_verifier,
-    bssl::UniquePtr<SSL_CTX> ssl_ctx)
-    : proof_verifier_(std::move(proof_verifier)), ssl_ctx_(std::move(ssl_ctx)) {
+    std::unique_ptr<ProofVerifier> proof_verifier)
+    : proof_verifier_(std::move(proof_verifier)),
+      ssl_ctx_(TlsClientConnection::CreateSslCtx()) {
   DCHECK(proof_verifier_.get());
   SetDefaults();
 }
@@ -575,24 +576,6 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
   out->SetVector(kAEAD, QuicTagVector{out_params->aead});
   out->SetVector(kKEXS, QuicTagVector{out_params->key_exchange});
 
-  if (!tb_key_params.empty() && !server_id.privacy_mode_enabled()) {
-    QuicTagVector their_tbkps;
-    switch (scfg->GetTaglist(kTBKP, &their_tbkps)) {
-      case QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND:
-        break;
-      case QUIC_NO_ERROR:
-        if (FindMutualQuicTag(tb_key_params, their_tbkps,
-                              &out_params->token_binding_key_param, nullptr)) {
-          out->SetVector(kTBKP,
-                         QuicTagVector{out_params->token_binding_key_param});
-        }
-        break;
-      default:
-        *error_details = "Invalid TBKP";
-        return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
-    }
-  }
-
   QuicStringPiece public_value;
   if (scfg->GetNthValue24(kPUBS, key_exchange_index, &public_value) !=
       QUIC_NO_ERROR) {
@@ -682,7 +665,7 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
 QuicErrorCode QuicCryptoClientConfig::CacheNewServerConfig(
     const CryptoHandshakeMessage& message,
     QuicWallTime now,
-    QuicTransportVersion version,
+    QuicTransportVersion /*version*/,
     QuicStringPiece chlo_hash,
     const std::vector<std::string>& cached_certs,
     CachedState* cached,
@@ -783,8 +766,8 @@ QuicErrorCode QuicCryptoClientConfig::ProcessRejection(
 
 QuicErrorCode QuicCryptoClientConfig::ProcessServerHello(
     const CryptoHandshakeMessage& server_hello,
-    QuicConnectionId connection_id,
-    ParsedQuicVersion version,
+    QuicConnectionId /*connection_id*/,
+    ParsedQuicVersion /*version*/,
     const ParsedQuicVersionVector& negotiated_versions,
     CachedState* cached,
     QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> out_params,
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h
index 2918a23bb13..2de7cd0d989 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h
@@ -203,8 +203,8 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
     virtual bool Matches(const QuicServerId& server_id) const = 0;
   };
 
-  QuicCryptoClientConfig(std::unique_ptr<ProofVerifier> proof_verifier,
-                         bssl::UniquePtr<SSL_CTX> ssl_ctx);
+  explicit QuicCryptoClientConfig(
+      std::unique_ptr<ProofVerifier> proof_verifier);
   QuicCryptoClientConfig(const QuicCryptoClientConfig&) = delete;
   QuicCryptoClientConfig& operator=(const QuicCryptoClientConfig&) = delete;
   ~QuicCryptoClientConfig();
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config_test.cc
index 563c7f1cc80..d337fdc2ce9 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config_test.cc
@@ -10,7 +10,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_server_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
@@ -47,7 +46,9 @@ class OneServerIdFilter : public QuicCryptoClientConfig::ServerIdFilter {
 
 class AllServerIdsFilter : public QuicCryptoClientConfig::ServerIdFilter {
  public:
-  bool Matches(const QuicServerId& server_id) const override { return true; }
+  bool Matches(const QuicServerId& /*server_id*/) const override {
+    return true;
+  }
 };
 
 }  // namespace
@@ -178,8 +179,7 @@ TEST_F(QuicCryptoClientConfigTest, CachedState_InitializeFrom) {
 
 TEST_F(QuicCryptoClientConfigTest, InchoateChlo) {
   QuicCryptoClientConfig::CachedState state;
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   config.set_user_agent_id("quic-tester");
   config.set_alpn("hq");
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> params(
@@ -208,8 +208,7 @@ TEST_F(QuicCryptoClientConfigTest, InchoateChlo) {
 
 TEST_F(QuicCryptoClientConfigTest, InchoateChloIsNotPadded) {
   QuicCryptoClientConfig::CachedState state;
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   config.set_pad_inchoate_hello(false);
   config.set_user_agent_id("quic-tester");
   config.set_alpn("hq");
@@ -227,8 +226,7 @@ TEST_F(QuicCryptoClientConfigTest, InchoateChloIsNotPadded) {
 // Make sure AES-GCM is the preferred encryption algorithm if it has hardware
 // acceleration.
 TEST_F(QuicCryptoClientConfigTest, PreferAesGcm) {
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   if (EVP_has_aes_hardware() == 1) {
     EXPECT_EQ(kAESG, config.aead[0]);
   } else {
@@ -238,8 +236,7 @@ TEST_F(QuicCryptoClientConfigTest, PreferAesGcm) {
 
 TEST_F(QuicCryptoClientConfigTest, InchoateChloSecure) {
   QuicCryptoClientConfig::CachedState state;
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> params(
       new QuicCryptoNegotiatedParameters);
   CryptoHandshakeMessage msg;
@@ -268,8 +265,7 @@ TEST_F(QuicCryptoClientConfigTest, InchoateChloSecureWithSCIDNoEXPY) {
   state.SetServerConfig(scfg.GetSerialized().AsStringPiece(), now, expiry,
                         &details);
 
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> params(
       new QuicCryptoNegotiatedParameters);
   CryptoHandshakeMessage msg;
@@ -295,8 +291,7 @@ TEST_F(QuicCryptoClientConfigTest, InchoateChloSecureWithSCID) {
                         QuicWallTime::FromUNIXSeconds(1),
                         QuicWallTime::FromUNIXSeconds(0), &details);
 
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> params(
       new QuicCryptoNegotiatedParameters);
   CryptoHandshakeMessage msg;
@@ -312,8 +307,7 @@ TEST_F(QuicCryptoClientConfigTest, InchoateChloSecureWithSCID) {
 
 TEST_F(QuicCryptoClientConfigTest, FillClientHello) {
   QuicCryptoClientConfig::CachedState state;
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> params(
       new QuicCryptoNegotiatedParameters);
   QuicConnectionId kConnectionId = TestConnectionId(1234);
@@ -333,8 +327,7 @@ TEST_F(QuicCryptoClientConfigTest, FillClientHello) {
 
 TEST_F(QuicCryptoClientConfigTest, FillClientHelloNoPadding) {
   QuicCryptoClientConfig::CachedState state;
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   config.set_pad_full_hello(false);
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> params(
       new QuicCryptoNegotiatedParameters);
@@ -374,8 +367,7 @@ TEST_F(QuicCryptoClientConfigTest, ProcessServerDowngradeAttack) {
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> out_params(
       new QuicCryptoNegotiatedParameters);
   std::string error;
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   EXPECT_EQ(QUIC_VERSION_NEGOTIATION_MISMATCH,
             config.ProcessServerHello(
                 msg, EmptyQuicConnectionId(), supported_versions.front(),
@@ -384,8 +376,7 @@ TEST_F(QuicCryptoClientConfigTest, ProcessServerDowngradeAttack) {
 }
 
 TEST_F(QuicCryptoClientConfigTest, InitializeFrom) {
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   QuicServerId canonical_server_id("www.google.com", 443, false);
   QuicCryptoClientConfig::CachedState* state =
       config.LookupOrCreate(canonical_server_id);
@@ -405,8 +396,7 @@ TEST_F(QuicCryptoClientConfigTest, InitializeFrom) {
 }
 
 TEST_F(QuicCryptoClientConfigTest, Canonical) {
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   config.AddCanonicalSuffix(".google.com");
   QuicServerId canonical_id1("www.google.com", 443, false);
   QuicServerId canonical_id2("mail.google.com", 443, false);
@@ -430,8 +420,7 @@ TEST_F(QuicCryptoClientConfigTest, Canonical) {
 }
 
 TEST_F(QuicCryptoClientConfigTest, CanonicalNotUsedIfNotValid) {
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   config.AddCanonicalSuffix(".google.com");
   QuicServerId canonical_id1("www.google.com", 443, false);
   QuicServerId canonical_id2("mail.google.com", 443, false);
@@ -446,8 +435,7 @@ TEST_F(QuicCryptoClientConfigTest, CanonicalNotUsedIfNotValid) {
 }
 
 TEST_F(QuicCryptoClientConfigTest, ClearCachedStates) {
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
 
   // Create two states on different origins.
   struct TestCase {
@@ -542,8 +530,7 @@ TEST_F(QuicCryptoClientConfigTest, ProcessReject) {
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> out_params(
       new QuicCryptoNegotiatedParameters);
   std::string error;
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   EXPECT_EQ(QUIC_NO_ERROR,
             config.ProcessRejection(rej, QuicWallTime::FromUNIXSeconds(0),
                                     AllSupportedTransportVersions().front(), "",
@@ -564,8 +551,7 @@ TEST_F(QuicCryptoClientConfigTest, ProcessRejectWithLongTTL) {
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> out_params(
       new QuicCryptoNegotiatedParameters);
   std::string error;
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   EXPECT_EQ(QUIC_NO_ERROR,
             config.ProcessRejection(rej, QuicWallTime::FromUNIXSeconds(0),
                                     AllSupportedTransportVersions().front(), "",
@@ -588,8 +574,7 @@ TEST_F(QuicCryptoClientConfigTest, ServerNonceinSHLO) {
   supported_versions.push_back(version);
   msg.SetVersionVector(kVER, supported_versions);
 
-  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting(),
-                                TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig config(crypto_test_utils::ProofVerifierForTesting());
   QuicCryptoClientConfig::CachedState cached;
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> out_params(
       new QuicCryptoNegotiatedParameters);
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc
index 54d4bf48fec..50ea2f88264 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc
@@ -27,8 +27,9 @@
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config.pb.h"
-#include "net/third_party/quiche/src/quic/core/proto/source_address_token.pb.h"
+#include "net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h"
+#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h"
+#include "net/third_party/quiche/src/quic/core/proto/source_address_token_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_socket_address_coder.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
@@ -75,7 +76,7 @@ class DefaultKeyExchangeSource : public KeyExchangeSource {
   ~DefaultKeyExchangeSource() override = default;
 
   std::unique_ptr<AsynchronousKeyExchange> Create(
-      std::string server_config_id,
+      std::string /*server_config_id*/,
       bool /* is_fallback */,
       QuicTag type,
       QuicStringPiece private_key) override {
@@ -231,8 +232,7 @@ QuicCryptoServerConfig::QuicCryptoServerConfig(
     QuicStringPiece source_address_token_secret,
     QuicRandom* server_nonce_entropy,
     std::unique_ptr<ProofSource> proof_source,
-    std::unique_ptr<KeyExchangeSource> key_exchange_source,
-    bssl::UniquePtr<SSL_CTX> ssl_ctx)
+    std::unique_ptr<KeyExchangeSource> key_exchange_source)
     : replay_protection_(true),
       chlo_multiplier_(kMultiplier),
       configs_lock_(),
@@ -240,7 +240,7 @@ QuicCryptoServerConfig::QuicCryptoServerConfig(
       next_config_promotion_time_(QuicWallTime::Zero()),
       proof_source_(std::move(proof_source)),
       key_exchange_source_(std::move(key_exchange_source)),
-      ssl_ctx_(std::move(ssl_ctx)),
+      ssl_ctx_(TlsServerConnection::CreateSslCtx()),
       source_address_token_future_secs_(3600),
       source_address_token_lifetime_secs_(86400),
       enable_serving_sct_(false),
@@ -656,8 +656,6 @@ void QuicCryptoServerConfig::ProcessClientHello(
     const QuicSocketAddress& client_address,
     ParsedQuicVersion version,
     const ParsedQuicVersionVector& supported_versions,
-    bool use_stateless_rejects,
-    QuicConnectionId server_designated_connection_id,
     const QuicClock* clock,
     QuicRandom* rand,
     QuicCompressedCertsCache* compressed_certs_cache,
@@ -669,10 +667,9 @@ void QuicCryptoServerConfig::ProcessClientHello(
   DCHECK(done_cb);
   auto context = QuicMakeUnique<ProcessClientHelloContext>(
       validate_chlo_result, reject_only, connection_id, server_address,
-      client_address, version, supported_versions, use_stateless_rejects,
-      server_designated_connection_id, clock, rand, compressed_certs_cache,
-      params, signed_config, total_framing_overhead, chlo_packet_size,
-      std::move(done_cb));
+      client_address, version, supported_versions, clock, rand,
+      compressed_certs_cache, params, signed_config, total_framing_overhead,
+      chlo_packet_size, std::move(done_cb));
 
   // Verify that various parts of the CHLO are valid
   std::string error_details;
@@ -787,25 +784,6 @@ void QuicCryptoServerConfig::ProcessClientHelloAfterGetProof(
     return;
   }
 
-  if (!configs.requested->tb_key_params.empty()) {
-    QuicTagVector their_tbkps;
-    switch (context->client_hello().GetTaglist(kTBKP, &their_tbkps)) {
-      case QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND:
-        break;
-      case QUIC_NO_ERROR:
-        if (FindMutualQuicTag(configs.requested->tb_key_params, their_tbkps,
-                              &context->params()->token_binding_key_param,
-                              nullptr)) {
-          break;
-        }
-        QUIC_FALLTHROUGH_INTENDED;
-      default:
-        context->Fail(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER,
-                      "Invalid Token Binding key parameter");
-        return;
-    }
-  }
-
   QuicStringPiece public_value;
   if (!context->client_hello().GetStringPiece(kPUBS, &public_value)) {
     context->Fail(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER,
@@ -1209,7 +1187,7 @@ void QuicCryptoServerConfig::SelectNewPrimaryConfig(
 
 void QuicCryptoServerConfig::EvaluateClientHello(
     const QuicSocketAddress& server_address,
-    QuicTransportVersion version,
+    QuicTransportVersion /*version*/,
     const Configs& configs,
     QuicReferenceCountedPointer<ValidateClientHelloResultCallback::Result>
         client_hello_state,
@@ -1394,7 +1372,7 @@ void QuicCryptoServerConfig::FinishBuildServerConfigUpdateMessage(
     const QuicReferenceCountedPointer<ProofSource::Chain>& chain,
     const std::string& signature,
     const std::string& leaf_cert_sct,
-    std::unique_ptr<ProofSource::Details> details,
+    std::unique_ptr<ProofSource::Details> /*details*/,
     CryptoHandshakeMessage message,
     std::unique_ptr<BuildServerConfigUpdateMessageResultCallback> cb) const {
   if (!ok) {
@@ -1607,14 +1585,6 @@ QuicCryptoServerConfig::ParseConfigProtobuf(
     return nullptr;
   }
 
-  QuicErrorCode err;
-  if ((err = msg->GetTaglist(kTBKP, &config->tb_key_params)) !=
-          QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND &&
-      err != QUIC_NO_ERROR) {
-    QUIC_LOG(WARNING) << "Server config message is missing or has invalid TBKP";
-    return nullptr;
-  }
-
   QuicStringPiece orbit;
   if (!msg->GetStringPiece(kORBT, &orbit)) {
     QUIC_LOG(WARNING) << "Server config message is missing ORBT";
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h
index 039da84bf6c..d8d9cab7a51 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h
@@ -21,8 +21,8 @@
 #include "net/third_party/quiche/src/quic/core/crypto/proof_source.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_compressed_certs_cache.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_proof.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
-#include "net/third_party/quiche/src/quic/core/proto/source_address_token.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
+#include "net/third_party/quiche/src/quic/core/proto/source_address_token_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_time.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_mutex.h"
@@ -212,12 +212,11 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerConfig {
   //     server. Not owned.
   // |proof_source|: provides certificate chains and signatures.
   // |key_exchange_source|: provides key-exchange functionality.
-  // |ssl_ctx|: The SSL_CTX used for doing TLS handshakes.
-  QuicCryptoServerConfig(QuicStringPiece source_address_token_secret,
-                         QuicRandom* server_nonce_entropy,
-                         std::unique_ptr<ProofSource> proof_source,
-                         std::unique_ptr<KeyExchangeSource> key_exchange_source,
-                         bssl::UniquePtr<SSL_CTX> ssl_ctx);
+  QuicCryptoServerConfig(
+      QuicStringPiece source_address_token_secret,
+      QuicRandom* server_nonce_entropy,
+      std::unique_ptr<ProofSource> proof_source,
+      std::unique_ptr<KeyExchangeSource> key_exchange_source);
   QuicCryptoServerConfig(const QuicCryptoServerConfig&) = delete;
   QuicCryptoServerConfig& operator=(const QuicCryptoServerConfig&) = delete;
   ~QuicCryptoServerConfig();
@@ -338,10 +337,6 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerConfig {
       const QuicSocketAddress& client_address,
       ParsedQuicVersion version,
       const ParsedQuicVersionVector& supported_versions,
-      // TODO(wub): Deprecate use_stateless_rejects and
-      // server_designated_connection_id.
-      bool use_stateless_rejects,
-      QuicConnectionId server_designated_connection_id,
       const QuicClock* clock,
       QuicRandom* rand,
       QuicCompressedCertsCache* compressed_certs_cache,
@@ -568,8 +563,6 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerConfig {
         const QuicSocketAddress& client_address,
         ParsedQuicVersion version,
         const ParsedQuicVersionVector& supported_versions,
-        bool use_stateless_rejects,
-        QuicConnectionId server_designated_connection_id,
         const QuicClock* clock,
         QuicRandom* rand,
         QuicCompressedCertsCache* compressed_certs_cache,
@@ -585,8 +578,6 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerConfig {
           client_address_(client_address),
           version_(version),
           supported_versions_(supported_versions),
-          use_stateless_rejects_(use_stateless_rejects),
-          server_designated_connection_id_(server_designated_connection_id),
           clock_(clock),
           rand_(rand),
           compressed_certs_cache_(compressed_certs_cache),
@@ -619,10 +610,6 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerConfig {
     ParsedQuicVersionVector supported_versions() const {
       return supported_versions_;
     }
-    bool use_stateless_rejects() const { return use_stateless_rejects_; }
-    QuicConnectionId server_designated_connection_id() const {
-      return server_designated_connection_id_;
-    }
     const QuicClock* clock() const { return clock_; }
     QuicRandom* rand() const { return rand_; }  // NOLINT
     QuicCompressedCertsCache* compressed_certs_cache() const {
@@ -657,8 +644,6 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerConfig {
     const QuicSocketAddress client_address_;
     const ParsedQuicVersion version_;
     const ParsedQuicVersionVector supported_versions_;
-    const bool use_stateless_rejects_;
-    const QuicConnectionId server_designated_connection_id_;
     const QuicClock* const clock_;
     QuicRandom* const rand_;
     QuicCompressedCertsCache* const compressed_certs_cache_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config_test.cc
index b3f8f77b51d..bc9b2efe200 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config_test.cc
@@ -14,9 +14,8 @@
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_secret_boxer.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_time.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
@@ -43,8 +42,7 @@ TEST_F(QuicCryptoServerConfigTest, ServerConfig) {
   QuicRandom* rand = QuicRandom::GetInstance();
   QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand,
                                 crypto_test_utils::ProofSourceForTesting(),
-                                KeyExchangeSource::Default(),
-                                TlsServerHandshaker::CreateSslCtx());
+                                KeyExchangeSource::Default());
   MockClock clock;
 
   std::unique_ptr<CryptoHandshakeMessage> message(server.AddDefaultConfig(
@@ -65,8 +63,7 @@ TEST_F(QuicCryptoServerConfigTest, CompressCerts) {
   QuicRandom* rand = QuicRandom::GetInstance();
   QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand,
                                 crypto_test_utils::ProofSourceForTesting(),
-                                KeyExchangeSource::Default(),
-                                TlsServerHandshaker::CreateSslCtx());
+                                KeyExchangeSource::Default());
   QuicCryptoServerConfigPeer peer(&server);
 
   std::vector<std::string> certs = {"testcert"};
@@ -86,8 +83,7 @@ TEST_F(QuicCryptoServerConfigTest, CompressSameCertsTwice) {
   QuicRandom* rand = QuicRandom::GetInstance();
   QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand,
                                 crypto_test_utils::ProofSourceForTesting(),
-                                KeyExchangeSource::Default(),
-                                TlsServerHandshaker::CreateSslCtx());
+                                KeyExchangeSource::Default());
   QuicCryptoServerConfigPeer peer(&server);
 
   // Compress the certs for the first time.
@@ -117,8 +113,7 @@ TEST_F(QuicCryptoServerConfigTest, CompressDifferentCerts) {
   QuicRandom* rand = QuicRandom::GetInstance();
   QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand,
                                 crypto_test_utils::ProofSourceForTesting(),
-                                KeyExchangeSource::Default(),
-                                TlsServerHandshaker::CreateSslCtx());
+                                KeyExchangeSource::Default());
   QuicCryptoServerConfigPeer peer(&server);
 
   std::vector<std::string> certs = {"testcert"};
@@ -162,8 +157,7 @@ class SourceAddressTokenTest : public QuicTest {
         server_(QuicCryptoServerConfig::TESTING,
                 rand_,
                 crypto_test_utils::ProofSourceForTesting(),
-                KeyExchangeSource::Default(),
-                TlsServerHandshaker::CreateSslCtx()),
+                KeyExchangeSource::Default()),
         peer_(&server_) {
     // Advance the clock to some non-zero time.
     clock_.AdvanceTime(QuicTime::Delta::FromSeconds(1000000));
@@ -305,8 +299,7 @@ class CryptoServerConfigsTest : public QuicTest {
         config_(QuicCryptoServerConfig::TESTING,
                 rand_,
                 crypto_test_utils::ProofSourceForTesting(),
-                KeyExchangeSource::Default(),
-                TlsServerHandshaker::CreateSslCtx()),
+                KeyExchangeSource::Default()),
         test_peer_(&config_) {}
 
   void SetUp() override {
@@ -472,8 +465,8 @@ TEST_F(CryptoServerConfigsTest, AdvancePrimary) {
 
 class ValidateCallback : public ValidateClientHelloResultCallback {
  public:
-  void Run(QuicReferenceCountedPointer<Result> result,
-           std::unique_ptr<ProofSource::Details> /* details */) override {}
+  void Run(QuicReferenceCountedPointer<Result> /*result*/,
+           std::unique_ptr<ProofSource::Details> /*details*/) override {}
 };
 
 TEST_F(CryptoServerConfigsTest, AdvancePrimaryViaValidate) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h
index c57b894b52c..09006eef4db 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h
@@ -5,6 +5,8 @@
 #ifndef QUICHE_QUIC_CORE_CRYPTO_QUIC_HKDF_H_
 #define QUICHE_QUIC_CORE_CRYPTO_QUIC_HKDF_H_
 
+#include <vector>
+
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.cc
new file mode 100644
index 00000000000..f28af660e90
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.cc
@@ -0,0 +1,33 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h"
+
+namespace quic {
+
+TlsClientConnection::TlsClientConnection(SSL_CTX* ssl_ctx, Delegate* delegate)
+    : TlsConnection(ssl_ctx, delegate->ConnectionDelegate()),
+      delegate_(delegate) {}
+
+// static
+bssl::UniquePtr<SSL_CTX> TlsClientConnection::CreateSslCtx() {
+  bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
+  // Configure certificate verification.
+  // TODO(nharper): This only verifies certs on initial connection, not on
+  // resumption. Chromium has this callback be a no-op and verifies the
+  // certificate after the connection is complete. We need to re-verify on
+  // resumption in case of expiration or revocation/distrust.
+  SSL_CTX_set_custom_verify(ssl_ctx.get(), SSL_VERIFY_PEER, &VerifyCallback);
+  return ssl_ctx;
+}
+
+// static
+enum ssl_verify_result_t TlsClientConnection::VerifyCallback(
+    SSL* ssl,
+    uint8_t* out_alert) {
+  return static_cast<TlsClientConnection*>(ConnectionFromSsl(ssl))
+      ->delegate_->VerifyCert(out_alert);
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h
new file mode 100644
index 00000000000..a9212ff2a72
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h
@@ -0,0 +1,51 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CRYPTO_TLS_CLIENT_CONNECTION_H_
+#define QUICHE_QUIC_CORE_CRYPTO_TLS_CLIENT_CONNECTION_H_
+
+#include "net/third_party/quiche/src/quic/core/crypto/tls_connection.h"
+
+namespace quic {
+
+// TlsClientConnection receives calls for client-specific BoringSSL callbacks
+// and calls its Delegate for the implementation of those callbacks.
+class QUIC_EXPORT_PRIVATE TlsClientConnection : public TlsConnection {
+ public:
+  // A TlsClientConnection::Delegate implements the client-specific methods that
+  // are set as callbacks for an SSL object.
+  class Delegate {
+   public:
+    virtual ~Delegate() {}
+
+   protected:
+    // Verifies the peer's certificate chain. It may use
+    // SSL_get0_peer_certificates to get the cert chain. This method returns
+    // ssl_verify_ok if the cert is valid, ssl_verify_invalid if it is invalid,
+    // or ssl_verify_retry if verification is happening asynchronously.
+    virtual enum ssl_verify_result_t VerifyCert(uint8_t* out_alert) = 0;
+
+    // Provides the delegate for callbacks that are shared between client and
+    // server.
+    virtual TlsConnection::Delegate* ConnectionDelegate() = 0;
+
+    friend class TlsClientConnection;
+  };
+
+  TlsClientConnection(SSL_CTX* ssl_ctx, Delegate* delegate);
+
+  // Creates and configures an SSL_CTX that is appropriate for clients to use.
+  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
+
+ private:
+  // Registered as the callback for SSL_CTX_set_custom_verify. The
+  // implementation is delegated to Delegate::VerifyCert.
+  static enum ssl_verify_result_t VerifyCallback(SSL* ssl, uint8_t* out_alert);
+
+  Delegate* delegate_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CRYPTO_TLS_CLIENT_CONNECTION_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.cc
new file mode 100644
index 00000000000..d28db2292e4
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.cc
@@ -0,0 +1,158 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/crypto/tls_connection.h"
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+
+namespace quic {
+
+namespace {
+
+// BoringSSL allows storing extra data off of some of its data structures,
+// including the SSL struct. To allow for multiple callers to store data, each
+// caller can use a different index for setting and getting data. These indices
+// are globals handed out by calling SSL_get_ex_new_index.
+//
+// SslIndexSingleton calls SSL_get_ex_new_index on its construction, and then
+// provides this index to be used in calls to SSL_get_ex_data/SSL_set_ex_data.
+// This is used to store in the SSL struct a pointer to the TlsConnection which
+// owns it.
+class SslIndexSingleton {
+ public:
+  static SslIndexSingleton* GetInstance() {
+    static SslIndexSingleton* instance = new SslIndexSingleton();
+    return instance;
+  }
+
+  int ssl_ex_data_index_connection() const {
+    return ssl_ex_data_index_connection_;
+  }
+
+ private:
+  SslIndexSingleton() {
+    CRYPTO_library_init();
+    ssl_ex_data_index_connection_ =
+        SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
+    CHECK_LE(0, ssl_ex_data_index_connection_);
+  }
+
+  SslIndexSingleton(const SslIndexSingleton&) = delete;
+  SslIndexSingleton& operator=(const SslIndexSingleton&) = delete;
+
+  // The index to supply to SSL_get_ex_data/SSL_set_ex_data for getting/setting
+  // the TlsConnection pointer.
+  int ssl_ex_data_index_connection_;
+};
+
+}  // namespace
+
+// static
+EncryptionLevel TlsConnection::QuicEncryptionLevel(
+    enum ssl_encryption_level_t level) {
+  switch (level) {
+    case ssl_encryption_initial:
+      return ENCRYPTION_INITIAL;
+    case ssl_encryption_early_data:
+      return ENCRYPTION_ZERO_RTT;
+    case ssl_encryption_handshake:
+      return ENCRYPTION_HANDSHAKE;
+    case ssl_encryption_application:
+      return ENCRYPTION_FORWARD_SECURE;
+    default:
+      QUIC_BUG << "Invalid ssl_encryption_level_t " << static_cast<int>(level);
+      return ENCRYPTION_INITIAL;
+  }
+}
+
+// static
+enum ssl_encryption_level_t TlsConnection::BoringEncryptionLevel(
+    EncryptionLevel level) {
+  switch (level) {
+    case ENCRYPTION_INITIAL:
+      return ssl_encryption_initial;
+    case ENCRYPTION_HANDSHAKE:
+      return ssl_encryption_handshake;
+    case ENCRYPTION_ZERO_RTT:
+      return ssl_encryption_early_data;
+    case ENCRYPTION_FORWARD_SECURE:
+      return ssl_encryption_application;
+    default:
+      QUIC_BUG << "Invalid encryption level " << static_cast<int>(level);
+      return ssl_encryption_initial;
+  }
+}
+
+TlsConnection::TlsConnection(SSL_CTX* ssl_ctx,
+                             TlsConnection::Delegate* delegate)
+    : delegate_(delegate), ssl_(SSL_new(ssl_ctx)) {
+  SSL_set_ex_data(
+      ssl(), SslIndexSingleton::GetInstance()->ssl_ex_data_index_connection(),
+      this);
+}
+// static
+bssl::UniquePtr<SSL_CTX> TlsConnection::CreateSslCtx() {
+  CRYPTO_library_init();
+  bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_with_buffers_method()));
+  SSL_CTX_set_min_proto_version(ssl_ctx.get(), TLS1_3_VERSION);
+  SSL_CTX_set_max_proto_version(ssl_ctx.get(), TLS1_3_VERSION);
+  SSL_CTX_set_quic_method(ssl_ctx.get(), &kSslQuicMethod);
+  return ssl_ctx;
+}
+
+// static
+TlsConnection* TlsConnection::ConnectionFromSsl(const SSL* ssl) {
+  return reinterpret_cast<TlsConnection*>(SSL_get_ex_data(
+      ssl, SslIndexSingleton::GetInstance()->ssl_ex_data_index_connection()));
+}
+
+const SSL_QUIC_METHOD TlsConnection::kSslQuicMethod{
+    TlsConnection::SetEncryptionSecretCallback,
+    TlsConnection::WriteMessageCallback, TlsConnection::FlushFlightCallback,
+    TlsConnection::SendAlertCallback};
+
+// static
+int TlsConnection::SetEncryptionSecretCallback(
+    SSL* ssl,
+    enum ssl_encryption_level_t level,
+    const uint8_t* read_key,
+    const uint8_t* write_key,
+    size_t key_length) {
+  // TODO(nharper): replace these vectors and memcpys with spans (which
+  // unfortunately doesn't yet exist in quic/platform/api).
+  std::vector<uint8_t> read_secret(key_length), write_secret(key_length);
+  memcpy(read_secret.data(), read_key, key_length);
+  memcpy(write_secret.data(), write_key, key_length);
+  ConnectionFromSsl(ssl)->delegate_->SetEncryptionSecret(
+      QuicEncryptionLevel(level), read_secret, write_secret);
+  return 1;
+}
+
+// static
+int TlsConnection::WriteMessageCallback(SSL* ssl,
+                                        enum ssl_encryption_level_t level,
+                                        const uint8_t* data,
+                                        size_t len) {
+  ConnectionFromSsl(ssl)->delegate_->WriteMessage(
+      QuicEncryptionLevel(level),
+      QuicStringPiece(reinterpret_cast<const char*>(data), len));
+  return 1;
+}
+
+// static
+int TlsConnection::FlushFlightCallback(SSL* ssl) {
+  ConnectionFromSsl(ssl)->delegate_->FlushFlight();
+  return 1;
+}
+
+// static
+int TlsConnection::SendAlertCallback(SSL* ssl,
+                                     enum ssl_encryption_level_t level,
+                                     uint8_t desc) {
+  ConnectionFromSsl(ssl)->delegate_->SendAlert(QuicEncryptionLevel(level),
+                                               desc);
+  return 1;
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.h b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.h
new file mode 100644
index 00000000000..c15d9202af4
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.h
@@ -0,0 +1,116 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CRYPTO_TLS_CONNECTION_H_
+#define QUICHE_QUIC_CORE_CRYPTO_TLS_CONNECTION_H_
+
+#include <vector>
+
+#include "third_party/boringssl/src/include/openssl/ssl.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+
+namespace quic {
+
+// TlsConnection wraps BoringSSL's SSL object which represents a single TLS
+// connection. Callbacks set in BoringSSL which are called with an SSL* argument
+// will get dispatched to the TlsConnection object owning that SSL. In turn, the
+// TlsConnection will delegate the implementation of that callback to its
+// Delegate.
+//
+// The owner of the TlsConnection is responsible for driving the TLS handshake
+// (and other interactions with the SSL*). This class only handles mapping
+// callbacks to the correct instance.
+class QUIC_EXPORT_PRIVATE TlsConnection {
+ public:
+  // A TlsConnection::Delegate implements the methods that are set as callbacks
+  // of TlsConnection.
+  class Delegate {
+   public:
+    virtual ~Delegate() {}
+
+   protected:
+    // SetEncryptionSecret provides the encryption secrets to use at a
+    // particular encryption level |level|. The secrets provided here are the
+    // ones from the TLS 1.3 key schedule (RFC 8446 section 7.1), in particular
+    // the handshake traffic secrets and application traffic secrets. For a
+    // given level |level|, |read_secret| is the secret used for reading data,
+    // and |write_secret| is the secret used for writing data.
+    virtual void SetEncryptionSecret(
+        EncryptionLevel level,
+        const std::vector<uint8_t>& read_secret,
+        const std::vector<uint8_t>& write_secret) = 0;
+
+    // WriteMessage is called when there is |data| from the TLS stack ready for
+    // the QUIC stack to write in a crypto frame. The data must be transmitted
+    // at encryption level |level|.
+    virtual void WriteMessage(EncryptionLevel level, QuicStringPiece data) = 0;
+
+    // FlushFlight is called to signal that the current flight of messages have
+    // all been written (via calls to WriteMessage) and can be flushed to the
+    // underlying transport.
+    virtual void FlushFlight() = 0;
+
+    // SendAlert causes this TlsConnection to close the QUIC connection with an
+    // error code corersponding to the TLS alert description |desc| sent at
+    // level |level|.
+    virtual void SendAlert(EncryptionLevel level, uint8_t desc) = 0;
+
+    friend class TlsConnection;
+  };
+
+  TlsConnection(const TlsConnection&) = delete;
+  TlsConnection& operator=(const TlsConnection&) = delete;
+
+  // Functions to convert between BoringSSL's enum ssl_encryption_level_t and
+  // QUIC's EncryptionLevel.
+  static EncryptionLevel QuicEncryptionLevel(enum ssl_encryption_level_t level);
+  static enum ssl_encryption_level_t BoringEncryptionLevel(
+      EncryptionLevel level);
+
+  SSL* ssl() { return ssl_.get(); }
+
+ protected:
+  // TlsConnection does not take ownership of any of its arguments; they must
+  // outlive the TlsConnection object.
+  TlsConnection(SSL_CTX* ssl_ctx, Delegate* delegate);
+
+  // Creates an SSL_CTX and configures it with the options that are appropriate
+  // for both client and server. The caller is responsible for ownership of the
+  // newly created struct.
+  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
+
+  // From a given SSL* |ssl|, returns a pointer to the TlsConnection that it
+  // belongs to. This helper method allows the callbacks set in BoringSSL to be
+  // dispatched to the correct TlsConnection from the SSL* passed into the
+  // callback.
+  static TlsConnection* ConnectionFromSsl(const SSL* ssl);
+
+ private:
+  // TlsConnection implements SSL_QUIC_METHOD, which provides the interface
+  // between BoringSSL's TLS stack and a QUIC implementation.
+  static const SSL_QUIC_METHOD kSslQuicMethod;
+
+  // The following static functions make up the members of kSslQuicMethod:
+  static int SetEncryptionSecretCallback(SSL* ssl,
+                                         enum ssl_encryption_level_t level,
+                                         const uint8_t* read_key,
+                                         const uint8_t* write_key,
+                                         size_t key_length);
+  static int WriteMessageCallback(SSL* ssl,
+                                  enum ssl_encryption_level_t level,
+                                  const uint8_t* data,
+                                  size_t len);
+  static int FlushFlightCallback(SSL* ssl);
+  static int SendAlertCallback(SSL* ssl,
+                               enum ssl_encryption_level_t level,
+                               uint8_t desc);
+
+  Delegate* delegate_;
+  bssl::UniquePtr<SSL> ssl_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CRYPTO_TLS_CONNECTION_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.cc
new file mode 100644
index 00000000000..927c75af318
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.cc
@@ -0,0 +1,81 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h"
+
+namespace quic {
+
+TlsServerConnection::TlsServerConnection(SSL_CTX* ssl_ctx, Delegate* delegate)
+    : TlsConnection(ssl_ctx, delegate->ConnectionDelegate()),
+      delegate_(delegate) {}
+
+// static
+bssl::UniquePtr<SSL_CTX> TlsServerConnection::CreateSslCtx() {
+  bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
+  SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(),
+                                         &SelectCertificateCallback);
+  SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), &SelectAlpnCallback, nullptr);
+  return ssl_ctx;
+}
+
+void TlsServerConnection::SetCertChain(
+    const std::vector<CRYPTO_BUFFER*>& cert_chain) {
+  SSL_set_chain_and_key(ssl(), cert_chain.data(), cert_chain.size(), nullptr,
+                        &TlsServerConnection::kPrivateKeyMethod);
+}
+
+const SSL_PRIVATE_KEY_METHOD TlsServerConnection::kPrivateKeyMethod{
+    &TlsServerConnection::PrivateKeySign,
+    nullptr,  // decrypt
+    &TlsServerConnection::PrivateKeyComplete,
+};
+
+// static
+TlsServerConnection* TlsServerConnection::ConnectionFromSsl(SSL* ssl) {
+  return static_cast<TlsServerConnection*>(
+      TlsConnection::ConnectionFromSsl(ssl));
+}
+
+// static
+int TlsServerConnection::SelectCertificateCallback(SSL* ssl,
+                                                   int* out_alert,
+                                                   void* /*arg*/) {
+  return ConnectionFromSsl(ssl)->delegate_->SelectCertificate(out_alert);
+}
+
+// static
+int TlsServerConnection::SelectAlpnCallback(SSL* ssl,
+                                            const uint8_t** out,
+                                            uint8_t* out_len,
+                                            const uint8_t* in,
+                                            unsigned in_len,
+                                            void* /*arg*/) {
+  return ConnectionFromSsl(ssl)->delegate_->SelectAlpn(out, out_len, in,
+                                                       in_len);
+}
+
+// static
+ssl_private_key_result_t TlsServerConnection::PrivateKeySign(SSL* ssl,
+                                                             uint8_t* out,
+                                                             size_t* out_len,
+                                                             size_t max_out,
+                                                             uint16_t sig_alg,
+                                                             const uint8_t* in,
+                                                             size_t in_len) {
+  return ConnectionFromSsl(ssl)->delegate_->PrivateKeySign(
+      out, out_len, max_out, sig_alg,
+      QuicStringPiece(reinterpret_cast<const char*>(in), in_len));
+}
+
+// static
+ssl_private_key_result_t TlsServerConnection::PrivateKeyComplete(
+    SSL* ssl,
+    uint8_t* out,
+    size_t* out_len,
+    size_t max_out) {
+  return ConnectionFromSsl(ssl)->delegate_->PrivateKeyComplete(out, out_len,
+                                                               max_out);
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h
new file mode 100644
index 00000000000..0e78d1bf015
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h
@@ -0,0 +1,111 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CRYPTO_TLS_SERVER_CONNECTION_H_
+#define QUICHE_QUIC_CORE_CRYPTO_TLS_SERVER_CONNECTION_H_
+
+#include "net/third_party/quiche/src/quic/core/crypto/tls_connection.h"
+
+namespace quic {
+
+// TlsServerConnection receives calls for client-specific BoringSSL callbacks
+// and calls its Delegate for the implementation of those callbacks.
+class QUIC_EXPORT_PRIVATE TlsServerConnection : public TlsConnection {
+ public:
+  // A TlsServerConnection::Delegate implement the server-specific methods that
+  // are set as callbacks for an SSL object.
+  class Delegate {
+   public:
+    virtual ~Delegate() {}
+
+   protected:
+    // Configures the certificate to use on |ssl_| based on the SNI sent by the
+    // client. Returns an SSL_TLSEXT_ERR_* value (see
+    // https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_tlsext_servername_callback).
+    //
+    // If SelectCertificate returns SSL_TLSEXT_ERR_ALERT_FATAL, then it puts in
+    // |*out_alert| the TLS alert value that the server will send.
+    virtual int SelectCertificate(int* out_alert) = 0;
+
+    // Selects which ALPN to use based on the list sent by the client.
+    virtual int SelectAlpn(const uint8_t** out,
+                           uint8_t* out_len,
+                           const uint8_t* in,
+                           unsigned in_len) = 0;
+
+    // Signs |in| using the signature algorithm specified by |sig_alg| (an
+    // SSL_SIGN_* value). If the signing operation cannot be completed
+    // synchronously, ssl_private_key_retry is returned. If there is an error
+    // signing, or if the signature is longer than |max_out|, then
+    // ssl_private_key_failure is returned. Otherwise, ssl_private_key_success
+    // is returned with the signature put in |*out| and the length in
+    // |*out_len|.
+    virtual ssl_private_key_result_t PrivateKeySign(uint8_t* out,
+                                                    size_t* out_len,
+                                                    size_t max_out,
+                                                    uint16_t sig_alg,
+                                                    QuicStringPiece in) = 0;
+
+    // When PrivateKeySign returns ssl_private_key_retry, PrivateKeyComplete
+    // will be called after the async sign operation has completed.
+    // PrivateKeyComplete puts the resulting signature in |*out| and length in
+    // |*out_len|. If the length is greater than |max_out| or if there was an
+    // error in signing, then ssl_private_key_failure is returned. Otherwise,
+    // ssl_private_key_success is returned.
+    virtual ssl_private_key_result_t PrivateKeyComplete(uint8_t* out,
+                                                        size_t* out_len,
+                                                        size_t max_out) = 0;
+
+    // Provides the delegate for callbacks that are shared between client and
+    // server.
+    virtual TlsConnection::Delegate* ConnectionDelegate() = 0;
+
+    friend class TlsServerConnection;
+  };
+
+  TlsServerConnection(SSL_CTX* ssl_ctx, Delegate* delegate);
+
+  // Creates and configures an SSL_CTX that is appropriate for servers to use.
+  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
+
+  void SetCertChain(const std::vector<CRYPTO_BUFFER*>& cert_chain);
+
+ private:
+  // Specialization of TlsConnection::ConnectionFromSsl.
+  static TlsServerConnection* ConnectionFromSsl(SSL* ssl);
+
+  // These functions are registered as callbacks in BoringSSL and delegate their
+  // implementation to the matching methods in Delegate above.
+  static int SelectCertificateCallback(SSL* ssl, int* out_alert, void* arg);
+  static int SelectAlpnCallback(SSL* ssl,
+                                const uint8_t** out,
+                                uint8_t* out_len,
+                                const uint8_t* in,
+                                unsigned in_len,
+                                void* arg);
+
+  // |kPrivateKeyMethod| is a vtable pointing to PrivateKeySign and
+  // PrivateKeyComplete used by the TLS stack to compute the signature for the
+  // CertificateVerify message (using the server's private key).
+  static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod;
+
+  // The following functions make up the contents of |kPrivateKeyMethod|.
+  static ssl_private_key_result_t PrivateKeySign(SSL* ssl,
+                                                 uint8_t* out,
+                                                 size_t* out_len,
+                                                 size_t max_out,
+                                                 uint16_t sig_alg,
+                                                 const uint8_t* in,
+                                                 size_t in_len);
+  static ssl_private_key_result_t PrivateKeyComplete(SSL* ssl,
+                                                     uint8_t* out,
+                                                     size_t* out_len,
+                                                     size_t max_out);
+
+  Delegate* delegate_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CRYPTO_TLS_SERVER_CONNECTION_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.cc
index ee0ebf094a4..247f4071c32 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.cc
@@ -40,6 +40,7 @@ enum TransportParameters::TransportParameterId : uint16_t {
   kMaxAckDelay = 0xb,
   kDisableMigration = 0xc,
   kPreferredAddress = 0xd,
+  kActiveConnectionIdLimit = 0xe,
 
   kGoogleQuicParam = 18257,  // Used for non-standard Google-specific params.
   kGoogleQuicVersion =
@@ -62,37 +63,39 @@ const size_t kStatelessResetTokenLength = 16;
 std::string TransportParameterIdToString(
     TransportParameters::TransportParameterId param_id) {
   switch (param_id) {
-    case kOriginalConnectionId:
+    case TransportParameters::kOriginalConnectionId:
       return "original_connection_id";
-    case kIdleTimeout:
+    case TransportParameters::kIdleTimeout:
       return "idle_timeout";
-    case kStatelessResetToken:
+    case TransportParameters::kStatelessResetToken:
       return "stateless_reset_token";
-    case kMaxPacketSize:
+    case TransportParameters::kMaxPacketSize:
       return "max_packet_size";
-    case kInitialMaxData:
+    case TransportParameters::kInitialMaxData:
       return "initial_max_data";
-    case kInitialMaxStreamDataBidiLocal:
+    case TransportParameters::kInitialMaxStreamDataBidiLocal:
       return "initial_max_stream_data_bidi_local";
-    case kInitialMaxStreamDataBidiRemote:
+    case TransportParameters::kInitialMaxStreamDataBidiRemote:
       return "initial_max_stream_data_bidi_remote";
-    case kInitialMaxStreamDataUni:
+    case TransportParameters::kInitialMaxStreamDataUni:
       return "initial_max_stream_data_uni";
-    case kInitialMaxStreamsBidi:
+    case TransportParameters::kInitialMaxStreamsBidi:
       return "initial_max_streams_bidi";
-    case kInitialMaxStreamsUni:
+    case TransportParameters::kInitialMaxStreamsUni:
       return "initial_max_streams_uni";
-    case kAckDelayExponent:
+    case TransportParameters::kAckDelayExponent:
       return "ack_delay_exponent";
-    case kMaxAckDelay:
+    case TransportParameters::kMaxAckDelay:
       return "max_ack_delay";
-    case kDisableMigration:
+    case TransportParameters::kDisableMigration:
       return "disable_migration";
-    case kPreferredAddress:
+    case TransportParameters::kPreferredAddress:
       return "preferred_address";
-    case kGoogleQuicParam:
+    case TransportParameters::kActiveConnectionIdLimit:
+      return "active_connection_id_limit";
+    case TransportParameters::kGoogleQuicParam:
       return "google";
-    case kGoogleQuicVersion:
+    case TransportParameters::kGoogleQuicVersion:
       return "google-version";
   }
   return "Unknown(" + QuicTextUtils::Uint64ToString(param_id) + ")";
@@ -273,6 +276,7 @@ std::string TransportParameters::ToString() const {
     rv += " " + TransportParameterIdToString(kPreferredAddress) + " " +
           preferred_address->ToString();
   }
+  rv += active_connection_id_limit.ToString(/*for_use_in_list=*/true);
   if (google_quic_params) {
     rv += " " + TransportParameterIdToString(kGoogleQuicParam);
   }
@@ -302,7 +306,8 @@ TransportParameters::TransportParameters()
                     kDefaultMaxAckDelayTransportParam,
                     0,
                     kMaxMaxAckDelayTransportParam),
-      disable_migration(false)
+      disable_migration(false),
+      active_connection_id_limit(kActiveConnectionIdLimit)
 // Important note: any new transport parameters must be added
 // to TransportParameters::AreValid, SerializeTransportParameters and
 // ParseTransportParameters.
@@ -350,7 +355,8 @@ bool TransportParameters::AreValid() const {
                   initial_max_stream_data_uni.IsValid() &&
                   initial_max_streams_bidi.IsValid() &&
                   initial_max_streams_uni.IsValid() &&
-                  ack_delay_exponent.IsValid() && max_ack_delay.IsValid();
+                  ack_delay_exponent.IsValid() && max_ack_delay.IsValid() &&
+                  active_connection_id_limit.IsValid();
   if (!ok) {
     QUIC_DLOG(ERROR) << "Invalid transport parameters " << *this;
   }
@@ -390,7 +396,7 @@ bool SerializeTransportParameters(const TransportParameters& in,
   CBB original_connection_id_param;
   if (!in.original_connection_id.IsEmpty()) {
     DCHECK_EQ(Perspective::IS_SERVER, in.perspective);
-    if (!CBB_add_u16(&params, kOriginalConnectionId) ||
+    if (!CBB_add_u16(&params, TransportParameters::kOriginalConnectionId) ||
         !CBB_add_u16_length_prefixed(&params, &original_connection_id_param) ||
         !CBB_add_bytes(
             &original_connection_id_param,
@@ -412,7 +418,7 @@ bool SerializeTransportParameters(const TransportParameters& in,
   if (!in.stateless_reset_token.empty()) {
     DCHECK_EQ(kStatelessResetTokenLength, in.stateless_reset_token.size());
     DCHECK_EQ(Perspective::IS_SERVER, in.perspective);
-    if (!CBB_add_u16(&params, kStatelessResetToken) ||
+    if (!CBB_add_u16(&params, TransportParameters::kStatelessResetToken) ||
         !CBB_add_u16_length_prefixed(&params, &stateless_reset_token_param) ||
         !CBB_add_bytes(&stateless_reset_token_param,
                        in.stateless_reset_token.data(),
@@ -431,14 +437,15 @@ bool SerializeTransportParameters(const TransportParameters& in,
       !in.initial_max_streams_bidi.WriteToCbb(&params) ||
       !in.initial_max_streams_uni.WriteToCbb(&params) ||
       !in.ack_delay_exponent.WriteToCbb(&params) ||
-      !in.max_ack_delay.WriteToCbb(&params)) {
+      !in.max_ack_delay.WriteToCbb(&params) ||
+      !in.active_connection_id_limit.WriteToCbb(&params)) {
     QUIC_BUG << "Failed to write integers for " << in;
     return false;
   }
 
   // disable_migration
   if (in.disable_migration) {
-    if (!CBB_add_u16(&params, kDisableMigration) ||
+    if (!CBB_add_u16(&params, TransportParameters::kDisableMigration) ||
         !CBB_add_u16(&params, 0u)) {  // 0 is the length of this parameter.
       QUIC_BUG << "Failed to write disable_migration for " << in;
       return false;
@@ -458,7 +465,7 @@ bool SerializeTransportParameters(const TransportParameters& in,
       QUIC_BUG << "Bad lengths " << *in.preferred_address;
       return false;
     }
-    if (!CBB_add_u16(&params, kPreferredAddress) ||
+    if (!CBB_add_u16(&params, TransportParameters::kPreferredAddress) ||
         !CBB_add_u16_length_prefixed(&params, &preferred_address_params) ||
         !CBB_add_bytes(
             &preferred_address_params,
@@ -491,7 +498,7 @@ bool SerializeTransportParameters(const TransportParameters& in,
   if (in.google_quic_params) {
     const QuicData& serialized_google_quic_params =
         in.google_quic_params->GetSerialized();
-    if (!CBB_add_u16(&params, kGoogleQuicParam) ||
+    if (!CBB_add_u16(&params, TransportParameters::kGoogleQuicParam) ||
         !CBB_add_u16_length_prefixed(&params, &google_quic_params) ||
         !CBB_add_bytes(&google_quic_params,
                        reinterpret_cast<const uint8_t*>(
@@ -505,7 +512,7 @@ bool SerializeTransportParameters(const TransportParameters& in,
 
   // Google-specific version extension.
   CBB google_version_params;
-  if (!CBB_add_u16(&params, kGoogleQuicVersion) ||
+  if (!CBB_add_u16(&params, TransportParameters::kGoogleQuicVersion) ||
       !CBB_add_u16_length_prefixed(&params, &google_version_params) ||
       !CBB_add_u32(&google_version_params, in.version)) {
     QUIC_BUG << "Failed to write Google version extension for " << in;
@@ -565,7 +572,7 @@ bool ParseTransportParameters(const uint8_t* in,
     }
     bool parse_success = true;
     switch (param_id) {
-      case kOriginalConnectionId:
+      case TransportParameters::kOriginalConnectionId:
         if (!out->original_connection_id.IsEmpty()) {
           QUIC_DLOG(ERROR) << "Received a second original connection ID";
           return false;
@@ -581,10 +588,10 @@ bool ParseTransportParameters(const uint8_t* in,
                  CBS_len(&value));
         }
         break;
-      case kIdleTimeout:
+      case TransportParameters::kIdleTimeout:
         parse_success = out->idle_timeout_milliseconds.ReadFromCbs(&value);
         break;
-      case kStatelessResetToken:
+      case TransportParameters::kStatelessResetToken:
         if (!out->stateless_reset_token.empty()) {
           QUIC_DLOG(ERROR) << "Received a second stateless reset token";
           return false;
@@ -597,36 +604,36 @@ bool ParseTransportParameters(const uint8_t* in,
         out->stateless_reset_token.assign(CBS_data(&value),
                                           CBS_data(&value) + CBS_len(&value));
         break;
-      case kMaxPacketSize:
+      case TransportParameters::kMaxPacketSize:
         parse_success = out->max_packet_size.ReadFromCbs(&value);
         break;
-      case kInitialMaxData:
+      case TransportParameters::kInitialMaxData:
         parse_success = out->initial_max_data.ReadFromCbs(&value);
         break;
-      case kInitialMaxStreamDataBidiLocal:
+      case TransportParameters::kInitialMaxStreamDataBidiLocal:
         parse_success =
             out->initial_max_stream_data_bidi_local.ReadFromCbs(&value);
         break;
-      case kInitialMaxStreamDataBidiRemote:
+      case TransportParameters::kInitialMaxStreamDataBidiRemote:
         parse_success =
             out->initial_max_stream_data_bidi_remote.ReadFromCbs(&value);
         break;
-      case kInitialMaxStreamDataUni:
+      case TransportParameters::kInitialMaxStreamDataUni:
         parse_success = out->initial_max_stream_data_uni.ReadFromCbs(&value);
         break;
-      case kInitialMaxStreamsBidi:
+      case TransportParameters::kInitialMaxStreamsBidi:
         parse_success = out->initial_max_streams_bidi.ReadFromCbs(&value);
         break;
-      case kInitialMaxStreamsUni:
+      case TransportParameters::kInitialMaxStreamsUni:
         parse_success = out->initial_max_streams_uni.ReadFromCbs(&value);
         break;
-      case kAckDelayExponent:
+      case TransportParameters::kAckDelayExponent:
         parse_success = out->ack_delay_exponent.ReadFromCbs(&value);
         break;
-      case kMaxAckDelay:
+      case TransportParameters::kMaxAckDelay:
         parse_success = out->max_ack_delay.ReadFromCbs(&value);
         break;
-      case kDisableMigration:
+      case TransportParameters::kDisableMigration:
         if (out->disable_migration) {
           QUIC_DLOG(ERROR) << "Received a second disable migration";
           return false;
@@ -638,7 +645,7 @@ bool ParseTransportParameters(const uint8_t* in,
         }
         out->disable_migration = true;
         break;
-      case kPreferredAddress: {
+      case TransportParameters::kPreferredAddress: {
         uint16_t ipv4_port, ipv6_port;
         in_addr ipv4_address;
         in6_addr ipv6_address;
@@ -692,7 +699,10 @@ bool ParseTransportParameters(const uint8_t* in,
             QuicMakeUnique<TransportParameters::PreferredAddress>(
                 preferred_address);
       } break;
-      case kGoogleQuicParam: {
+      case TransportParameters::kActiveConnectionIdLimit:
+        parse_success = out->active_connection_id_limit.ReadFromCbs(&value);
+        break;
+      case TransportParameters::kGoogleQuicParam: {
         if (out->google_quic_params) {
           QUIC_DLOG(ERROR) << "Received a second Google parameter";
           return false;
@@ -701,7 +711,7 @@ bool ParseTransportParameters(const uint8_t* in,
             reinterpret_cast<const char*>(CBS_data(&value)), CBS_len(&value));
         out->google_quic_params = CryptoFramer::ParseMessage(serialized_params);
       } break;
-      case kGoogleQuicVersion: {
+      case TransportParameters::kGoogleQuicVersion: {
         if (!CBS_get_u32(&value, &out->version)) {
           QUIC_DLOG(ERROR) << "Failed to parse Google version extension";
           return false;
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.h b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.h
index 27b5fe77e38..368a7bf6aba 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.h
@@ -161,6 +161,10 @@ struct QUIC_EXPORT_PRIVATE TransportParameters {
   // Used to effect a change in server address at the end of the handshake.
   std::unique_ptr<PreferredAddress> preferred_address;
 
+  // Maximum number of connection IDs from the peer that an endpoint is willing
+  // to store.
+  IntegerParameter active_connection_id_limit;
+
   // Transport parameters used by Google QUIC but not IETF QUIC. This is
   // serialized into a TransportParameter struct with a TransportParameterId of
   // kGoogleQuicParamId.
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters_test.cc
index 7776af14b13..3f7e339339b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters_test.cc
@@ -36,6 +36,7 @@ const uint64_t kFakeInitialMaxStreamsUni = 22;
 const uint64_t kFakeAckDelayExponent = 10;
 const uint64_t kFakeMaxAckDelay = 51;
 const bool kFakeDisableMigration = true;
+const uint64_t kFakeActiveConnectionIdLimit = 52;
 const QuicConnectionId kFakePreferredConnectionId = TestConnectionId(0xBEEF);
 const uint8_t kFakePreferredStatelessResetTokenData[16] = {
     0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
@@ -96,6 +97,8 @@ TEST_F(TransportParametersTest, RoundTripClient) {
   orig_params.ack_delay_exponent.set_value(kFakeAckDelayExponent);
   orig_params.max_ack_delay.set_value(kFakeMaxAckDelay);
   orig_params.disable_migration = kFakeDisableMigration;
+  orig_params.active_connection_id_limit.set_value(
+      kFakeActiveConnectionIdLimit);
 
   std::vector<uint8_t> serialized;
   ASSERT_TRUE(SerializeTransportParameters(orig_params, &serialized));
@@ -126,6 +129,8 @@ TEST_F(TransportParametersTest, RoundTripClient) {
   EXPECT_EQ(kFakeAckDelayExponent, new_params.ack_delay_exponent.value());
   EXPECT_EQ(kFakeMaxAckDelay, new_params.max_ack_delay.value());
   EXPECT_EQ(kFakeDisableMigration, new_params.disable_migration);
+  EXPECT_EQ(kFakeActiveConnectionIdLimit,
+            new_params.active_connection_id_limit.value());
 }
 
 TEST_F(TransportParametersTest, RoundTripServer) {
@@ -151,6 +156,8 @@ TEST_F(TransportParametersTest, RoundTripServer) {
   orig_params.max_ack_delay.set_value(kFakeMaxAckDelay);
   orig_params.disable_migration = kFakeDisableMigration;
   orig_params.preferred_address = CreateFakePreferredAddress();
+  orig_params.active_connection_id_limit.set_value(
+      kFakeActiveConnectionIdLimit);
 
   std::vector<uint8_t> serialized;
   ASSERT_TRUE(SerializeTransportParameters(orig_params, &serialized));
@@ -192,6 +199,8 @@ TEST_F(TransportParametersTest, RoundTripServer) {
             new_params.preferred_address->connection_id);
   EXPECT_EQ(kFakePreferredStatelessResetToken,
             new_params.preferred_address->stateless_reset_token);
+  EXPECT_EQ(kFakeActiveConnectionIdLimit,
+            new_params.active_connection_id_limit.value());
 }
 
 TEST_F(TransportParametersTest, IsValid) {
@@ -252,7 +261,7 @@ TEST_F(TransportParametersTest, NoClientParamsWithStatelessResetToken) {
 TEST_F(TransportParametersTest, ParseClientParams) {
   // clang-format off
   const uint8_t kClientParams[] = {
-      0x00, 0x44,              // length of the parameters array that follows
+      0x00, 0x49,              // length of the parameters array that follows
       // idle_timeout
       0x00, 0x01,  // parameter id
       0x00, 0x02,  // length
@@ -296,6 +305,10 @@ TEST_F(TransportParametersTest, ParseClientParams) {
       // disable_migration
       0x00, 0x0c,  // parameter id
       0x00, 0x00,  // length
+      // active_connection_id_limit
+      0x00, 0x0e,  // parameter id
+      0x00, 0x01,  // length
+      0x34,  // value
       // Google version extension
       0x47, 0x52,  // parameter id
       0x00, 0x04,  // length
@@ -330,6 +343,8 @@ TEST_F(TransportParametersTest, ParseClientParams) {
   EXPECT_EQ(kFakeAckDelayExponent, new_params.ack_delay_exponent.value());
   EXPECT_EQ(kFakeMaxAckDelay, new_params.max_ack_delay.value());
   EXPECT_EQ(kFakeDisableMigration, new_params.disable_migration);
+  EXPECT_EQ(kFakeActiveConnectionIdLimit,
+            new_params.active_connection_id_limit.value());
 }
 
 TEST_F(TransportParametersTest, ParseClientParamsFailsWithStatelessResetToken) {
@@ -418,7 +433,7 @@ TEST_F(TransportParametersTest, ParseClientParametersRepeated) {
 TEST_F(TransportParametersTest, ParseServerParams) {
   // clang-format off
   const uint8_t kServerParams[] = {
-      0x00, 0xa2,  // length of parameters array that follows
+      0x00, 0xa7,  // length of parameters array that follows
       // original_connection_id
       0x00, 0x00,  // parameter id
       0x00, 0x08,  // length
@@ -483,6 +498,10 @@ TEST_F(TransportParametersTest, ParseServerParams) {
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBE, 0xEF,  // connection ID
       0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,  // stateless reset token
       0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D, 0x8E, 0x8F,
+      // active_connection_id_limit
+      0x00, 0x0e,  // parameter id
+      0x00, 0x01,  // length
+      0x34,  // value
       // Google version extension
       0x47, 0x52,  // parameter id
       0x00, 0x0d,  // length
@@ -531,6 +550,8 @@ TEST_F(TransportParametersTest, ParseServerParams) {
             new_params.preferred_address->connection_id);
   EXPECT_EQ(kFakePreferredStatelessResetToken,
             new_params.preferred_address->stateless_reset_token);
+  EXPECT_EQ(kFakeActiveConnectionIdLimit,
+            new_params.active_connection_id_limit.value());
 }
 
 TEST_F(TransportParametersTest, ParseServerParametersRepeated) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_connection_close_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_connection_close_frame.cc
index 3587ebd063f..d436499ca0c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_connection_close_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_connection_close_frame.cc
@@ -15,13 +15,6 @@ QuicConnectionCloseFrame::QuicConnectionCloseFrame()
       extracted_error_code(QUIC_IETF_GQUIC_ERROR_MISSING),
       transport_close_frame_type(0) {}
 
-QuicConnectionCloseFrame::QuicConnectionCloseFrame(QuicErrorCode error_code)
-    // Default close type ensures that existing, pre-V99 code works as expected.
-    : close_type(GOOGLE_QUIC_CONNECTION_CLOSE),
-      quic_error_code(error_code),
-      extracted_error_code(QUIC_IETF_GQUIC_ERROR_MISSING),
-      transport_close_frame_type(0) {}
-
 QuicConnectionCloseFrame::QuicConnectionCloseFrame(QuicErrorCode error_code,
                                                    std::string error_details)
     // Default close type ensures that existing, pre-V99 code works as expected.
@@ -32,16 +25,25 @@ QuicConnectionCloseFrame::QuicConnectionCloseFrame(QuicErrorCode error_code,
       transport_close_frame_type(0) {}
 
 QuicConnectionCloseFrame::QuicConnectionCloseFrame(
-    QuicIetfTransportErrorCodes transport_error_code,
-    QuicErrorCode extracted_error_code,
+    QuicErrorCode quic_error_code,
     std::string error_details,
-    uint64_t transport_close_frame_type)
-    // Default close type ensures that existing, pre-V99 code works as expected.
-    : close_type(GOOGLE_QUIC_CONNECTION_CLOSE),
+    uint64_t ietf_application_error_code)
+    : close_type(IETF_QUIC_APPLICATION_CONNECTION_CLOSE),
+      application_error_code(ietf_application_error_code),
+      extracted_error_code(quic_error_code),
+      error_details(std::move(error_details)),
+      transport_close_frame_type(0) {}
+
+QuicConnectionCloseFrame::QuicConnectionCloseFrame(
+    QuicErrorCode quic_error_code,
+    std::string error_details,
+    QuicIetfTransportErrorCodes transport_error_code,
+    uint64_t transport_frame_type)
+    : close_type(IETF_QUIC_TRANSPORT_CONNECTION_CLOSE),
       transport_error_code(transport_error_code),
-      extracted_error_code(extracted_error_code),
+      extracted_error_code(quic_error_code),
       error_details(std::move(error_details)),
-      transport_close_frame_type(transport_close_frame_type) {}
+      transport_close_frame_type(transport_frame_type) {}
 
 std::ostream& operator<<(
     std::ostream& os,
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_connection_close_frame.h b/chromium/net/third_party/quiche/src/quic/core/frames/quic_connection_close_frame.h
index 7997fbcc329..aba67b9a88f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_connection_close_frame.h
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_connection_close_frame.h
@@ -26,12 +26,21 @@ QUIC_EXPORT_PRIVATE std::ostream& operator<<(
 
 struct QUIC_EXPORT_PRIVATE QuicConnectionCloseFrame {
   QuicConnectionCloseFrame();
-  QuicConnectionCloseFrame(QuicErrorCode error_code);
+
+  // TODO(fkastenholz): After migration to supporting IETF QUIC, this probably
+  // should be deprecated.
   QuicConnectionCloseFrame(QuicErrorCode error_code, std::string error_details);
-  QuicConnectionCloseFrame(QuicIetfTransportErrorCodes transport_error_code,
-                           QuicErrorCode extracted_error_code,
+
+  // Sets close_type to IETF_QUIC_APPLICATION_CONNECTION_CLOSE.
+  QuicConnectionCloseFrame(QuicErrorCode quic_error_code,
+                           std::string error_details,
+                           uint64_t ietf_application_error_code);
+
+  // Sets close_type to IETF_QUIC_TRANSPORT_CONNECTION_CLOSE.
+  QuicConnectionCloseFrame(QuicErrorCode quic_error_code,
                            std::string error_details,
-                           uint64_t frame_type);
+                           QuicIetfTransportErrorCodes transport_error_code,
+                           uint64_t transport_frame_type);
 
   friend QUIC_EXPORT_PRIVATE std::ostream& operator<<(
       std::ostream& os,
@@ -42,13 +51,15 @@ struct QUIC_EXPORT_PRIVATE QuicConnectionCloseFrame {
   QuicConnectionCloseType close_type;
 
   // This is the error field in the frame.
-  // The CONNECTION_CLOSE frame reports a 16-bit error code:
+  // The CONNECTION_CLOSE frame reports an error code:
   // - The transport error code as reported in a CONNECTION_CLOSE/Transport
-  //   frame,
-  // - An opaque 16-bit code as reported in CONNECTION_CLOSE/Application frames,
-  // - A QuicErrorCode, which is used in Google QUIC.
+  //   frame (serialized as a VarInt),
+  // - An opaque 64-bit code as reported in CONNECTION_CLOSE/Application frames
+  //  (serialized as a VarInt),,
+  // - A 16 bit QuicErrorCode, which is used in Google QUIC.
   union {
     QuicIetfTransportErrorCodes transport_error_code;
+    // TODO(fkastenholz): Change this to uint64_t to reflect -22 of the ID.
     uint16_t application_error_code;
     QuicErrorCode quic_error_code;
   };
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.cc
index 0f3e7344cc2..b23f9c0946e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.cc
@@ -341,4 +341,12 @@ std::ostream& operator<<(std::ostream& os, const QuicFrame& frame) {
   return os;
 }
 
+std::string QuicFramesToString(const QuicFrames& frames) {
+  std::ostringstream os;
+  for (const QuicFrame& frame : frames) {
+    os << frame;
+  }
+  return os.str();
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.h b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.h
index caa5fcecf36..1fa9e01af56 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.h
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.h
@@ -140,6 +140,9 @@ QUIC_EXPORT_PRIVATE void SetControlFrameId(QuicControlFrameId control_frame_id,
 QUIC_EXPORT_PRIVATE QuicFrame
 CopyRetransmittableControlFrame(const QuicFrame& frame);
 
+// Human-readable description suitable for logging.
+QUIC_EXPORT_PRIVATE std::string QuicFramesToString(const QuicFrames& frames);
+
 }  // namespace quic
 
 #endif  // QUICHE_QUIC_CORE_FRAMES_QUIC_FRAME_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frames_test.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frames_test.cc
index bf60b7b8917..3467c7849f1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frames_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frames_test.cc
@@ -78,11 +78,13 @@ TEST_F(QuicFramesTest, RstStreamFrameToString) {
   SetControlFrameId(1, &frame);
   EXPECT_EQ(1u, GetControlFrameId(frame));
   rst_stream.stream_id = 1;
+  rst_stream.byte_offset = 3;
   rst_stream.error_code = QUIC_STREAM_CANCELLED;
   std::ostringstream stream;
   stream << rst_stream;
-  EXPECT_EQ("{ control_frame_id: 1, stream_id: 1, error_code: 6 }\n",
-            stream.str());
+  EXPECT_EQ(
+      "{ control_frame_id: 1, stream_id: 1, byte_offset: 3, error_code: 6 }\n",
+      stream.str());
   EXPECT_TRUE(IsControlFrame(frame.type));
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_connection_id_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_connection_id_frame.cc
index b7f63e22000..f6c86617a67 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_connection_id_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_connection_id_frame.cc
@@ -16,17 +16,22 @@ QuicNewConnectionIdFrame::QuicNewConnectionIdFrame(
     QuicControlFrameId control_frame_id,
     QuicConnectionId connection_id,
     QuicConnectionIdSequenceNumber sequence_number,
-    const QuicUint128 stateless_reset_token)
+    const QuicUint128 stateless_reset_token,
+    uint64_t retire_prior_to)
     : control_frame_id(control_frame_id),
       connection_id(connection_id),
       sequence_number(sequence_number),
-      stateless_reset_token(stateless_reset_token) {}
+      stateless_reset_token(stateless_reset_token),
+      retire_prior_to(retire_prior_to) {
+  DCHECK(retire_prior_to <= sequence_number);
+}
 
 std::ostream& operator<<(std::ostream& os,
                          const QuicNewConnectionIdFrame& frame) {
   os << "{ control_frame_id: " << frame.control_frame_id
      << ", connection_id: " << frame.connection_id
-     << ", sequence_number: " << frame.sequence_number << " }\n";
+     << ", sequence_number: " << frame.sequence_number
+     << ", retire_prior_to: " << frame.retire_prior_to << " }\n";
   return os;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_connection_id_frame.h b/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_connection_id_frame.h
index 1948d224cb8..441ca1aaf4d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_connection_id_frame.h
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_connection_id_frame.h
@@ -18,7 +18,8 @@ struct QUIC_EXPORT_PRIVATE QuicNewConnectionIdFrame {
   QuicNewConnectionIdFrame(QuicControlFrameId control_frame_id,
                            QuicConnectionId connection_id,
                            QuicConnectionIdSequenceNumber sequence_number,
-                           const QuicUint128 stateless_reset_token);
+                           const QuicUint128 stateless_reset_token,
+                           uint64_t retire_prior_to);
 
   friend QUIC_EXPORT_PRIVATE std::ostream& operator<<(
       std::ostream& os,
@@ -30,6 +31,7 @@ struct QUIC_EXPORT_PRIVATE QuicNewConnectionIdFrame {
   QuicConnectionId connection_id;
   QuicConnectionIdSequenceNumber sequence_number;
   QuicUint128 stateless_reset_token;
+  uint64_t retire_prior_to;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_token_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_token_frame.cc
index 6e368666002..51d03e769bd 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_token_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_new_token_frame.cc
@@ -3,8 +3,10 @@
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/frames/quic_new_token_frame.h"
+
 #include "net/third_party/quiche/src/quic/core/quic_constants.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
 namespace quic {
 
@@ -16,8 +18,8 @@ QuicNewTokenFrame::QuicNewTokenFrame(QuicControlFrameId control_frame_id,
     : control_frame_id(control_frame_id), token(token) {}
 
 std::ostream& operator<<(std::ostream& os, const QuicNewTokenFrame& s) {
-  os << "{ control_frame_id: " << s.control_frame_id << ", token: " << s.token
-     << " }\n";
+  os << "{ control_frame_id: " << s.control_frame_id
+     << ", token: " << QuicTextUtils::HexEncode(s.token) << " }\n";
   return os;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_path_challenge_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_path_challenge_frame.cc
index c1ca6a85dac..feaa71c4414 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_path_challenge_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_path_challenge_frame.cc
@@ -3,8 +3,10 @@
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/frames/quic_path_challenge_frame.h"
+
 #include "net/third_party/quiche/src/quic/core/quic_constants.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
 namespace quic {
 
@@ -22,15 +24,11 @@ QuicPathChallengeFrame::~QuicPathChallengeFrame() {}
 
 std::ostream& operator<<(std::ostream& os,
                          const QuicPathChallengeFrame& frame) {
-  os << "{ control_frame_id: " << frame.control_frame_id
-     << ", data: " << static_cast<unsigned>(frame.data_buffer[0]) << " "
-     << static_cast<unsigned>(frame.data_buffer[1]) << " "
-     << static_cast<unsigned>(frame.data_buffer[2]) << " "
-     << static_cast<unsigned>(frame.data_buffer[3]) << " "
-     << static_cast<unsigned>(frame.data_buffer[4]) << " "
-     << static_cast<unsigned>(frame.data_buffer[5]) << " "
-     << static_cast<unsigned>(frame.data_buffer[6]) << " "
-     << static_cast<unsigned>(frame.data_buffer[7]) << " }\n";
+  os << "{ control_frame_id: " << frame.control_frame_id << ", data: "
+     << QuicTextUtils::HexEncode(
+            reinterpret_cast<const char*>(frame.data_buffer.data()),
+            frame.data_buffer.size())
+     << " }\n";
   return os;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_path_response_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_path_response_frame.cc
index 85e9712b583..bf36ab4ff8d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_path_response_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_path_response_frame.cc
@@ -3,8 +3,10 @@
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/frames/quic_path_response_frame.h"
+
 #include "net/third_party/quiche/src/quic/core/quic_constants.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
 namespace quic {
 
@@ -21,15 +23,11 @@ QuicPathResponseFrame::QuicPathResponseFrame(
 QuicPathResponseFrame::~QuicPathResponseFrame() {}
 
 std::ostream& operator<<(std::ostream& os, const QuicPathResponseFrame& frame) {
-  os << "{ control_frame_id: " << frame.control_frame_id
-     << ", data: " << static_cast<unsigned>(frame.data_buffer[0]) << " "
-     << static_cast<unsigned>(frame.data_buffer[1]) << " "
-     << static_cast<unsigned>(frame.data_buffer[2]) << " "
-     << static_cast<unsigned>(frame.data_buffer[3]) << " "
-     << static_cast<unsigned>(frame.data_buffer[4]) << " "
-     << static_cast<unsigned>(frame.data_buffer[5]) << " "
-     << static_cast<unsigned>(frame.data_buffer[6]) << " "
-     << static_cast<unsigned>(frame.data_buffer[7]) << " }\n";
+  os << "{ control_frame_id: " << frame.control_frame_id << ", data: "
+     << QuicTextUtils::HexEncode(
+            reinterpret_cast<const char*>(frame.data_buffer.data()),
+            frame.data_buffer.size())
+     << " }\n";
   return os;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.cc
index 7fbf365692f..63cf6eaf6a3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.cc
@@ -35,6 +35,7 @@ std::ostream& operator<<(std::ostream& os,
                          const QuicRstStreamFrame& rst_frame) {
   os << "{ control_frame_id: " << rst_frame.control_frame_id
      << ", stream_id: " << rst_frame.stream_id
+     << ", byte_offset: " << rst_frame.byte_offset
      << ", error_code: " << rst_frame.error_code << " }\n";
   return os;
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.h b/chromium/net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.h
index 0957614153e..9a9ed56abb0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.h
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.h
@@ -39,6 +39,7 @@ struct QUIC_EXPORT_PRIVATE QuicRstStreamFrame {
     QuicRstStreamErrorCode error_code;
     // In IETF QUIC the code is up to the app on top of quic, so is
     // more general than QuicRstStreamErrorCode allows.
+    // TODO(fkastenholz): Upgrade to uint64_t
     uint16_t ietf_error_code;
   };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/end_to_end_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/end_to_end_test.cc
index 0a0326ce437..578df127ddd 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/end_to_end_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/end_to_end_test.cc
@@ -12,6 +12,7 @@
 #include <vector>
 
 #include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_epoll_connection_helper.h"
@@ -142,7 +143,12 @@ std::vector<TestParams> GetTestParams(bool use_tls_handshake) {
   }
 
   std::vector<TestParams> params;
-  for (const QuicTag congestion_control_tag : {kRENO, kTBBR, kQBIC, kTPCC}) {
+  for (const QuicTag congestion_control_tag :
+       {kRENO, kTBBR, kQBIC, kTPCC, kB2ON}) {
+    if (!GetQuicReloadableFlag(quic_allow_client_enabled_bbr_v2) &&
+        congestion_control_tag == kB2ON) {
+      continue;
+    }
     for (const ParsedQuicVersionVector& client_versions : version_buckets) {
       if (FilterSupportedVersions(client_versions).empty()) {
         continue;
@@ -173,6 +179,14 @@ std::vector<TestParams> GetTestParams(bool use_tls_handshake) {
   return params;
 }
 
+void WriteHeadersOnStream(QuicSpdyStream* stream) {
+  // Since QuicSpdyStream uses QuicHeaderList::empty() to detect too large
+  // headers, it also fails when receiving empty headers.
+  SpdyHeaderBlock headers;
+  headers["foo"] = "bar";
+  stream->WriteHeaders(std::move(headers), /* fin = */ false, nullptr);
+}
+
 class ServerDelegate : public PacketDroppingTestWriter::Delegate {
  public:
   explicit ServerDelegate(QuicDispatcher* dispatcher)
@@ -212,10 +226,9 @@ class EndToEndTest : public QuicTestWithParam<TestParams> {
         stream_factory_(nullptr),
         support_server_push_(false),
         override_server_connection_id_(nullptr),
+        override_client_connection_id_(nullptr),
         expected_server_connection_id_length_(kQuicDefaultConnectionIdLength) {
     SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
-    SetQuicRestartFlag(quic_no_server_conn_ver_negotiation2, true);
-    SetQuicReloadableFlag(quic_no_client_conn_ver_negotiation, true);
     client_supported_versions_ = GetParam().client_supported_versions;
     server_supported_versions_ = GetParam().server_supported_versions;
     negotiated_version_ = GetParam().negotiated_version;
@@ -262,6 +275,10 @@ class EndToEndTest : public QuicTestWithParam<TestParams> {
     if (override_server_connection_id_ != nullptr) {
       client->UseConnectionId(*override_server_connection_id_);
     }
+    if (override_client_connection_id_ != nullptr) {
+      client->UseClientConnectionId(*override_client_connection_id_);
+    }
+    client->client()->set_max_allowed_push_id(kMaxQuicStreamId);
     client->Connect();
     return client;
   }
@@ -456,8 +473,6 @@ class EndToEndTest : public QuicTestWithParam<TestParams> {
       EXPECT_EQ(client_stats.packets_received, client_stats.packets_processed);
     }
 
-    EXPECT_EQ(0, client_->client()->num_stateless_rejects_received());
-
     server_thread_->Pause();
     QuicConnectionStats server_stats = GetServerConnection()->GetStats();
     if (!had_packet_loss) {
@@ -472,20 +487,21 @@ class EndToEndTest : public QuicTestWithParam<TestParams> {
 
   // Client supports IETF QUIC, while it is not supported by server.
   bool ClientSupportsIetfQuicNotSupportedByServer() {
-    return client_supported_versions_[0].transport_version > QUIC_VERSION_43 &&
-           FilterSupportedVersions(GetParam().server_supported_versions)[0]
-                   .transport_version <= QUIC_VERSION_43;
+    return VersionHasIetfInvariantHeader(
+               client_supported_versions_[0].transport_version) &&
+           !VersionHasIetfInvariantHeader(
+               FilterSupportedVersions(GetParam().server_supported_versions)[0]
+                   .transport_version);
   }
 
   // Returns true when client starts with an unsupported version, and client
   // closes connection when version negotiation is received.
   bool ServerSendsVersionNegotiation() {
-    return GetQuicReloadableFlag(quic_no_client_conn_ver_negotiation) &&
-           client_supported_versions_[0] != GetParam().negotiated_version;
+    return client_supported_versions_[0] != GetParam().negotiated_version;
   }
 
   bool SupportsIetfQuicWithTls(ParsedQuicVersion version) {
-    return version.transport_version > QUIC_VERSION_43 &&
+    return VersionHasIetfInvariantHeader(version.transport_version) &&
            version.handshake_protocol == PROTOCOL_TLS1_3;
   }
 
@@ -539,6 +555,7 @@ class EndToEndTest : public QuicTestWithParam<TestParams> {
   std::string pre_shared_key_client_;
   std::string pre_shared_key_server_;
   QuicConnectionId* override_server_connection_id_;
+  QuicConnectionId* override_client_connection_id_;
   uint8_t expected_server_connection_id_length_;
 };
 
@@ -588,6 +605,12 @@ TEST_P(EndToEndTest, SimpleRequestResponse) {
             client_->client()->GetNumSentClientHellos());
 }
 
+TEST_P(EndToEndTestWithTls, SimpleRequestResponse) {
+  ASSERT_TRUE(Initialize());
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+}
+
 TEST_P(EndToEndTest, SimpleRequestResponseForcedVersionNegotiation) {
   client_supported_versions_.insert(client_supported_versions_.begin(),
                                     QuicVersionReservedForNegotiation());
@@ -600,6 +623,16 @@ TEST_P(EndToEndTest, SimpleRequestResponseForcedVersionNegotiation) {
   EXPECT_EQ(3, client_->client()->GetNumSentClientHellos());
 }
 
+TEST_P(EndToEndTestWithTls, ForcedVersionNegotiation) {
+  client_supported_versions_.insert(client_supported_versions_.begin(),
+                                    QuicVersionReservedForNegotiation());
+  ASSERT_TRUE(Initialize());
+  ASSERT_TRUE(ServerSendsVersionNegotiation());
+
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+}
+
 TEST_P(EndToEndTest, SimpleRequestResponseZeroConnectionID) {
   QuicConnectionId connection_id = QuicUtils::CreateZeroConnectionId(
       GetParam().negotiated_version.transport_version);
@@ -620,7 +653,21 @@ TEST_P(EndToEndTest, SimpleRequestResponseZeroConnectionID) {
                 GetParam().negotiated_version.transport_version));
 }
 
-TEST_P(EndToEndTest, BadConnectionIdLength) {
+TEST_P(EndToEndTestWithTls, ZeroConnectionID) {
+  QuicConnectionId connection_id = QuicUtils::CreateZeroConnectionId(
+      GetParam().negotiated_version.transport_version);
+  override_server_connection_id_ = &connection_id;
+  expected_server_connection_id_length_ = connection_id.length();
+  ASSERT_TRUE(Initialize());
+
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+  EXPECT_EQ(client_->client()->client_session()->connection()->connection_id(),
+            QuicUtils::CreateZeroConnectionId(
+                GetParam().negotiated_version.transport_version));
+}
+
+TEST_P(EndToEndTestWithTls, BadConnectionIdLength) {
   if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
           GetParam().negotiated_version.transport_version)) {
     ASSERT_TRUE(Initialize());
@@ -639,12 +686,68 @@ TEST_P(EndToEndTest, BadConnectionIdLength) {
                                                 .length());
 }
 
-TEST_P(EndToEndTest, ForcedVersionNegotiationAndBadConnectionIdLength) {
-  if (!GetQuicRestartFlag(
-          quic_allow_variable_length_connection_id_for_negotiation)) {
+// Tests a very long (16-byte) initial destination connection ID to make
+// sure the dispatcher properly replaces it with an 8-byte one.
+TEST_P(EndToEndTestWithTls, LongBadConnectionIdLength) {
+  if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
+          GetParam().negotiated_version.transport_version)) {
+    ASSERT_TRUE(Initialize());
+    return;
+  }
+  const char connection_id_bytes[16] = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
+                                        0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb,
+                                        0xbc, 0xbd, 0xbe, 0xbf};
+  QuicConnectionId connection_id =
+      QuicConnectionId(connection_id_bytes, sizeof(connection_id_bytes));
+  override_server_connection_id_ = &connection_id;
+  ASSERT_TRUE(Initialize());
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+  EXPECT_EQ(kQuicDefaultConnectionIdLength, client_->client()
+                                                ->client_session()
+                                                ->connection()
+                                                ->connection_id()
+                                                .length());
+}
+
+TEST_P(EndToEndTestWithTls, ClientConnectionId) {
+  if (!GetParam().negotiated_version.SupportsClientConnectionIds()) {
+    ASSERT_TRUE(Initialize());
+    return;
+  }
+  QuicConnectionId client_connection_id =
+      TestConnectionId(UINT64_C(0xc1c2c3c4c5c6c7c8));
+  override_client_connection_id_ = &client_connection_id;
+  ASSERT_TRUE(Initialize());
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+  EXPECT_EQ(client_connection_id, client_->client()
+                                      ->client_session()
+                                      ->connection()
+                                      ->client_connection_id());
+}
+
+TEST_P(EndToEndTestWithTls, ForcedVersionNegotiationAndClientConnectionId) {
+  if (!GetParam().negotiated_version.SupportsClientConnectionIds()) {
     ASSERT_TRUE(Initialize());
     return;
   }
+  client_supported_versions_.insert(client_supported_versions_.begin(),
+                                    QuicVersionReservedForNegotiation());
+  QuicConnectionId client_connection_id =
+      TestConnectionId(UINT64_C(0xc1c2c3c4c5c6c7c8));
+  override_client_connection_id_ = &client_connection_id;
+  ASSERT_TRUE(Initialize());
+  ASSERT_TRUE(ServerSendsVersionNegotiation());
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+  EXPECT_EQ(client_connection_id, client_->client()
+                                      ->client_session()
+                                      ->connection()
+                                      ->client_connection_id());
+}
+
+TEST_P(EndToEndTestWithTls, ForcedVersionNegotiationAndBadConnectionIdLength) {
   if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
           GetParam().negotiated_version.transport_version)) {
     ASSERT_TRUE(Initialize());
@@ -666,6 +769,44 @@ TEST_P(EndToEndTest, ForcedVersionNegotiationAndBadConnectionIdLength) {
                                                 .length());
 }
 
+// Forced Version Negotiation with a client connection ID and a long
+// connection ID.
+TEST_P(EndToEndTestWithTls, ForcedVersNegoAndClientCIDAndLongCID) {
+  if (!GetParam().negotiated_version.SupportsClientConnectionIds() ||
+      !QuicUtils::VariableLengthConnectionIdAllowedForVersion(
+          GetParam().negotiated_version.transport_version)) {
+    ASSERT_TRUE(Initialize());
+    return;
+  }
+  client_supported_versions_.insert(client_supported_versions_.begin(),
+                                    QuicVersionReservedForNegotiation());
+  const char connection_id_bytes[16] = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
+                                        0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb,
+                                        0xbc, 0xbd, 0xbe, 0xbf};
+  QuicConnectionId connection_id =
+      QuicConnectionId(connection_id_bytes, sizeof(connection_id_bytes));
+  override_server_connection_id_ = &connection_id;
+  const char client_connection_id_bytes[18] = {
+      0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8,
+      0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xc0, 0xc1};
+  QuicConnectionId client_connection_id = QuicConnectionId(
+      client_connection_id_bytes, sizeof(client_connection_id_bytes));
+  override_client_connection_id_ = &client_connection_id;
+  ASSERT_TRUE(Initialize());
+  ASSERT_TRUE(ServerSendsVersionNegotiation());
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+  EXPECT_EQ(kQuicDefaultConnectionIdLength, client_->client()
+                                                ->client_session()
+                                                ->connection()
+                                                ->connection_id()
+                                                .length());
+  EXPECT_EQ(client_connection_id, client_->client()
+                                      ->client_session()
+                                      ->connection()
+                                      ->client_connection_id());
+}
+
 TEST_P(EndToEndTest, MixGoodAndBadConnectionIdLengths) {
   if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
           GetParam().negotiated_version.transport_version)) {
@@ -709,6 +850,19 @@ TEST_P(EndToEndTest, MixGoodAndBadConnectionIdLengths) {
                                                 .length());
 }
 
+TEST_P(EndToEndTestWithTls, SimpleRequestResponseWithIetfDraftSupport) {
+  if (GetParam().negotiated_version.transport_version != QUIC_VERSION_99 ||
+      GetParam().negotiated_version.handshake_protocol != PROTOCOL_TLS1_3) {
+    ASSERT_TRUE(Initialize());
+    return;
+  }
+  QuicVersionInitializeSupportForIetfDraft(1);
+  ASSERT_TRUE(Initialize());
+
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+}
+
 TEST_P(EndToEndTest, SimpleRequestResponseWithLargeReject) {
   chlo_multiplier_ = 1;
   ASSERT_TRUE(Initialize());
@@ -1418,8 +1572,9 @@ TEST_P(EndToEndTestWithTls, MaxIncomingDynamicStreamsLimitRespected) {
   server_config_.SetMaxIncomingBidirectionalStreamsToSend(
       kServerMaxIncomingDynamicStreams);
   ASSERT_TRUE(Initialize());
-  if (GetParam().negotiated_version.transport_version == QUIC_VERSION_99) {
-    // Do not run this test for version 99/IETF QUIC. Note that the test needs
+  if (VersionHasIetfQuicFrames(
+          GetParam().negotiated_version.transport_version)) {
+    // Do not run this test for /IETF QUIC. Note that the test needs
     // to be here, after calling Initialize(), because all tests end up calling
     // EndToEndTest::TearDown(), which asserts that Initialize has been called
     // and then proceeds to tear things down -- which fails if they are not
@@ -1477,7 +1632,8 @@ TEST_P(EndToEndTest, SetIndependentMaxIncomingDynamicStreamsLimits) {
   // returned by max_allowed... by 2 to remove the static streams from the
   // count.
   size_t client_max_open_outgoing_bidirectional_streams =
-      client_session->connection()->transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(
+          client_session->connection()->transport_version())
           ? QuicSessionPeer::v99_streamid_manager(client_session)
                     ->max_allowed_outgoing_bidirectional_streams() -
                 QuicSessionPeer::v99_bidirectional_stream_id_manager(
@@ -1486,9 +1642,13 @@ TEST_P(EndToEndTest, SetIndependentMaxIncomingDynamicStreamsLimits) {
           : QuicSessionPeer::GetStreamIdManager(client_session)
                 ->max_open_outgoing_streams();
   size_t client_max_open_outgoing_unidirectional_streams =
-      client_session->connection()->transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(
+          client_session->connection()->transport_version())
           ? QuicSessionPeer::v99_streamid_manager(client_session)
-                ->max_allowed_outgoing_unidirectional_streams()
+                    ->max_allowed_outgoing_unidirectional_streams() -
+                QuicSessionPeer::v99_unidirectional_stream_id_manager(
+                    client_session)
+                    ->outgoing_static_stream_count()
           : QuicSessionPeer::GetStreamIdManager(client_session)
                 ->max_open_outgoing_streams();
   EXPECT_EQ(kServerMaxIncomingDynamicStreams,
@@ -1498,15 +1658,20 @@ TEST_P(EndToEndTest, SetIndependentMaxIncomingDynamicStreamsLimits) {
   server_thread_->Pause();
   QuicSession* server_session = GetServerSession();
   size_t server_max_open_outgoing_bidirectional_streams =
-      server_session->connection()->transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(
+          server_session->connection()->transport_version())
           ? QuicSessionPeer::v99_streamid_manager(server_session)
                 ->max_allowed_outgoing_bidirectional_streams()
           : QuicSessionPeer::GetStreamIdManager(server_session)
                 ->max_open_outgoing_streams();
   size_t server_max_open_outgoing_unidirectional_streams =
-      server_session->connection()->transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(
+          server_session->connection()->transport_version())
           ? QuicSessionPeer::v99_streamid_manager(server_session)
-                ->max_allowed_outgoing_unidirectional_streams()
+                    ->max_allowed_outgoing_unidirectional_streams() -
+                QuicSessionPeer::v99_unidirectional_stream_id_manager(
+                    server_session)
+                    ->outgoing_static_stream_count()
           : QuicSessionPeer::GetStreamIdManager(server_session)
                 ->max_open_outgoing_streams();
   EXPECT_EQ(kClientMaxIncomingDynamicStreams,
@@ -1538,6 +1703,9 @@ TEST_P(EndToEndTest, NegotiateCongestionControl) {
     case kQBIC:
       expected_congestion_control_type = kCubicBytes;
       break;
+    case kB2ON:
+      expected_congestion_control_type = kBBRv2;
+      break;
     default:
       QUIC_DLOG(FATAL) << "Unexpected congestion control tag";
   }
@@ -1662,7 +1830,8 @@ TEST_P(EndToEndTest, MinInitialRTT) {
 }
 
 TEST_P(EndToEndTest, 0ByteConnectionId) {
-  if (GetParam().negotiated_version.transport_version > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(
+          GetParam().negotiated_version.transport_version)) {
     // SetBytesForConnectionIdToSend only applies to Google QUIC encoding.
     ASSERT_TRUE(Initialize());
     return;
@@ -1684,7 +1853,8 @@ TEST_P(EndToEndTest, 0ByteConnectionId) {
 }
 
 TEST_P(EndToEndTestWithTls, 8ByteConnectionId) {
-  if (GetParam().negotiated_version.transport_version > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(
+          GetParam().negotiated_version.transport_version)) {
     // SetBytesForConnectionIdToSend only applies to Google QUIC encoding.
     ASSERT_TRUE(Initialize());
     return;
@@ -1702,7 +1872,8 @@ TEST_P(EndToEndTestWithTls, 8ByteConnectionId) {
 }
 
 TEST_P(EndToEndTestWithTls, 15ByteConnectionId) {
-  if (GetParam().negotiated_version.transport_version > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(
+          GetParam().negotiated_version.transport_version)) {
     // SetBytesForConnectionIdToSend only applies to Google QUIC encoding.
     ASSERT_TRUE(Initialize());
     return;
@@ -1734,6 +1905,7 @@ TEST_P(EndToEndTestWithTls, ResetConnection) {
 // TODO(nharper): Needs to get turned back to EndToEndTestWithTls
 // when we figure out why the test doesn't work on chrome.
 TEST_P(EndToEndTest, MaxStreamsUberTest) {
+  SetQuicFlag(FLAGS_quic_headers_stream_id_in_v99, 0);
   // Connect with lower fake packet loss than we'd like to test.  Until
   // b/10126687 is fixed, losing handshake packets is pretty brutal.
   SetPacketLossPercentage(1);
@@ -1898,6 +2070,7 @@ TEST_P(EndToEndTest, DifferentFlowControlWindows) {
 
   // Open a data stream to make sure the stream level flow control is updated.
   QuicSpdyClientStream* stream = client_->GetOrCreateStream();
+  WriteHeadersOnStream(stream);
   stream->WriteOrBufferBody("hello", false);
 
   // Client should have the right values for server's receive window.
@@ -1954,6 +2127,7 @@ TEST_P(EndToEndTest, NegotiatedServerInitialFlowControlWindow) {
 
   // Open a data stream to make sure the stream level flow control is updated.
   QuicSpdyClientStream* stream = client_->GetOrCreateStream();
+  WriteHeadersOnStream(stream);
   stream->WriteOrBufferBody("hello", false);
 
   // Client should have the right values for server's receive window.
@@ -2003,9 +2177,13 @@ TEST_P(EndToEndTest, HeadersAndCryptoStreamsNoConnectionFlowControl) {
                   crypto_stream->flow_controller()),
               kStreamIFCW);
   }
-  EXPECT_EQ(kSessionIFCW,
-            QuicFlowControllerPeer::SendWindowSize(
-                client_->client()->client_session()->flow_controller()));
+  // When stream type is enabled, control streams will send settings and
+  // contribute to flow control windows, so this expectation is no longer valid.
+  if (!VersionHasStreamType(transport_version)) {
+    EXPECT_EQ(kSessionIFCW,
+              QuicFlowControllerPeer::SendWindowSize(
+                  client_->client()->client_session()->flow_controller()));
+  }
 
   // Send a request with no body, and verify that the connection level window
   // has not been affected.
@@ -2047,6 +2225,40 @@ TEST_P(EndToEndTest, FlowControlsSynced) {
   server_thread_->Pause();
   QuicSpdySession* const client_session = client_->client()->client_session();
   auto* server_session = static_cast<QuicSpdySession*>(GetServerSession());
+
+  if (VersionHasStreamType(client_->client()
+                               ->client_session()
+                               ->connection()
+                               ->transport_version())) {
+    // Settings frame will be sent through control streams, which contribute
+    // to the session's flow controller. And due to the timing issue described
+    // below, the settings frame might not be received.
+    HttpEncoder encoder;
+    SettingsFrame settings;
+    settings.values[6] = kDefaultMaxUncompressedHeaderSize;
+    std::unique_ptr<char[]> buffer;
+    auto header_length = encoder.SerializeSettingsFrame(settings, &buffer);
+    QuicByteCount win_difference1 = QuicFlowControllerPeer::ReceiveWindowSize(
+                                        server_session->flow_controller()) -
+                                    QuicFlowControllerPeer::SendWindowSize(
+                                        client_session->flow_controller());
+    QuicByteCount win_difference2 = QuicFlowControllerPeer::ReceiveWindowSize(
+                                        client_session->flow_controller()) -
+                                    QuicFlowControllerPeer::SendWindowSize(
+                                        server_session->flow_controller());
+    EXPECT_TRUE(win_difference1 == 0 ||
+                win_difference1 ==
+                    header_length +
+                        QuicDataWriter::GetVarInt62Len(kControlStream));
+    EXPECT_TRUE(win_difference2 == 0 ||
+                win_difference2 ==
+                    header_length +
+                        QuicDataWriter::GetVarInt62Len(kControlStream));
+    // The test returns early because in this version, headers stream no longer
+    // sends settings.
+    return;
+  }
+
   ExpectFlowControlsSynced(client_session->flow_controller(),
                            server_session->flow_controller());
   if (!QuicVersionUsesCryptoFrames(client_->client()
@@ -2189,17 +2401,11 @@ TEST_P(EndToEndTest, AckNotifierWithPacketLossAndBlockedSocket) {
                            ->transport_version())) {
     // Determine size of compressed headers.
     NoopDecoderStreamErrorDelegate decoder_stream_error_delegate;
-    NoopEncoderStreamSenderDelegate encoder_stream_sender_delegate;
+    NoopQpackStreamSenderDelegate encoder_stream_sender_delegate;
     QpackEncoder qpack_encoder(&decoder_stream_error_delegate,
                                &encoder_stream_sender_delegate);
-    auto progressive_encoder =
+    std::string encoded_headers =
         qpack_encoder.EncodeHeaderList(/* stream_id = */ 0, &headers);
-    std::string encoded_headers;
-    while (progressive_encoder->HasNext()) {
-      progressive_encoder->Next(
-          /* max_encoded_bytes = */ std::numeric_limits<size_t>::max(),
-          &encoded_headers);
-    }
     header_size = encoded_headers.size();
   }
 
@@ -2253,7 +2459,7 @@ TEST_P(EndToEndTestWithTls, ServerSendPublicReset) {
   QuicFramer framer(server_supported_versions_, QuicTime::Zero(),
                     Perspective::IS_SERVER, kQuicDefaultConnectionIdLength);
   std::unique_ptr<QuicEncryptedPacket> packet;
-  if (client_connection->transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(client_connection->transport_version())) {
     packet = framer.BuildIetfStatelessResetPacket(connection_id,
                                                   stateless_reset_token);
   } else {
@@ -2302,7 +2508,7 @@ TEST_P(EndToEndTestWithTls, ServerSendPublicResetWithDifferentConnectionId) {
   testing::NiceMock<MockQuicConnectionDebugVisitor> visitor;
   client_->client()->client_session()->connection()->set_debug_visitor(
       &visitor);
-  if (client_connection->transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(client_connection->transport_version())) {
     packet = framer.BuildIetfStatelessResetPacket(incorrect_connection_id,
                                                   stateless_reset_token);
     EXPECT_CALL(visitor, OnIncorrectConnectionId(incorrect_connection_id))
@@ -2320,7 +2526,7 @@ TEST_P(EndToEndTestWithTls, ServerSendPublicResetWithDifferentConnectionId) {
       client_->client()->network_helper()->GetLatestClientAddress(), nullptr);
   server_thread_->Resume();
 
-  if (client_connection->transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(client_connection->transport_version())) {
     // The request should fail. IETF stateless reset does not include connection
     // ID.
     EXPECT_EQ("", client_->SendSynchronousRequest("/foo"));
@@ -2377,7 +2583,7 @@ TEST_P(EndToEndTestWithTls,
   std::unique_ptr<QuicEncryptedPacket> packet(
       QuicFramer::BuildVersionNegotiationPacket(
           incorrect_connection_id, EmptyQuicConnectionId(),
-          client_connection->transport_version() > QUIC_VERSION_43,
+          VersionHasIetfInvariantHeader(client_connection->transport_version()),
           server_supported_versions_));
   testing::NiceMock<MockQuicConnectionDebugVisitor> visitor;
   client_connection->set_debug_visitor(&visitor);
@@ -2802,6 +3008,7 @@ class EndToEndTestServerPush : public EndToEndTest {
   const size_t kNumMaxStreams = 10;
 
   EndToEndTestServerPush() : EndToEndTest() {
+    SetQuicFlag(FLAGS_quic_headers_stream_id_in_v99, 0);
     client_config_.SetMaxIncomingBidirectionalStreamsToSend(kNumMaxStreams);
     server_config_.SetMaxIncomingBidirectionalStreamsToSend(kNumMaxStreams);
     client_config_.SetMaxIncomingUnidirectionalStreamsToSend(kNumMaxStreams);
@@ -3219,12 +3426,14 @@ class WindowUpdateObserver : public QuicConnectionDebugVisitor {
 
   size_t num_ping_frames() const { return num_ping_frames_; }
 
-  void OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame,
-                           const QuicTime& receive_time) override {
+  void OnWindowUpdateFrame(const QuicWindowUpdateFrame& /*frame*/,
+                           const QuicTime& /*receive_time*/) override {
     ++num_window_update_frames_;
   }
 
-  void OnPingFrame(const QuicPingFrame& frame) override { ++num_ping_frames_; }
+  void OnPingFrame(const QuicPingFrame& /*frame*/) override {
+    ++num_ping_frames_;
+  }
 
  private:
   size_t num_window_update_frames_;
@@ -3284,21 +3493,14 @@ TEST_P(EndToEndTest,
 
   client_.reset(CreateQuicClient(client_writer_));
   EXPECT_EQ("", client_->SendSynchronousRequest("/foo"));
-
-  if (client_->client()->client_session()->connection()->transport_version() >
-          QUIC_VERSION_43 ||
-      GetQuicReloadableFlag(quic_terminate_gquic_connection_as_ietf)) {
-    EXPECT_EQ(QUIC_HANDSHAKE_FAILED, client_->connection_error());
-  } else {
-    EXPECT_EQ(QUIC_PUBLIC_RESET, client_->connection_error());
-  }
+  EXPECT_EQ(QUIC_HANDSHAKE_FAILED, client_->connection_error());
 }
 
 // Regression test for b/116200989.
 TEST_P(EndToEndTest,
        SendStatelessResetIfServerConnectionClosedLocallyAfterHandshake) {
   // Prevent the connection from expiring in the time wait list.
-  FLAGS_quic_time_wait_list_seconds = 10000;
+  SetQuicFlag(FLAGS_quic_time_wait_list_seconds, 10000);
   connect_to_server_on_initialize_ = false;
   ASSERT_TRUE(Initialize());
 
@@ -3474,6 +3676,7 @@ TEST_P(EndToEndTest, ResetStreamOnTtlExpires) {
   // Set a TTL which expires immediately.
   stream->MaybeSetTtl(QuicTime::Delta::FromMicroseconds(1));
 
+  WriteHeadersOnStream(stream);
   // 1 MB body.
   std::string body(1024 * 1024, 'a');
   stream->WriteOrBufferBody(body, true);
@@ -3486,7 +3689,7 @@ TEST_P(EndToEndTest, SendMessages) {
   EXPECT_TRUE(client_->client()->WaitForCryptoHandshakeConfirmed());
   QuicSession* client_session = client_->client()->client_session();
   QuicConnection* client_connection = client_session->connection();
-  if (client_connection->transport_version() <= QUIC_VERSION_44) {
+  if (!VersionSupportsMessageFrames(client_connection->transport_version())) {
     return;
   }
 
@@ -3501,8 +3704,7 @@ TEST_P(EndToEndTest, SendMessages) {
       QuicConnectionPeer::GetHelper(client_connection)->GetRandomGenerator();
   QuicMemSliceStorage storage(nullptr, 0, nullptr, 0);
   {
-    QuicConnection::ScopedPacketFlusher flusher(
-        client_session->connection(), QuicConnection::SEND_ACK_IF_PENDING);
+    QuicConnection::ScopedPacketFlusher flusher(client_session->connection());
     // Verify the largest message gets successfully sent.
     EXPECT_EQ(
         MessageResult(MESSAGE_STATUS_SUCCESS, 1),
@@ -3659,7 +3861,7 @@ TEST_P(EndToEndPacketReorderingTest, Buffer0RttRequest) {
 TEST_P(EndToEndTest, SimpleStopSendingTest) {
   const uint16_t kStopSendingTestCode = 123;
   ASSERT_TRUE(Initialize());
-  if (negotiated_version_.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(negotiated_version_.transport_version)) {
     return;
   }
   QuicSession* client_session = client_->client()->client_session();
@@ -3762,9 +3964,9 @@ TEST_P(EndToEndTest, ZeroRttProtectedConnectionClose) {
   // This test ensures ZERO_RTT_PROTECTED connection close could close a client
   // which has switched to forward secure.
   connect_to_server_on_initialize_ =
-      negotiated_version_.transport_version <= QUIC_VERSION_43;
+      !VersionHasIetfInvariantHeader(negotiated_version_.transport_version);
   ASSERT_TRUE(Initialize());
-  if (negotiated_version_.transport_version <= QUIC_VERSION_43) {
+  if (!VersionHasIetfInvariantHeader(negotiated_version_.transport_version)) {
     // Only runs for IETF QUIC header.
     return;
   }
@@ -3823,9 +4025,9 @@ TEST_P(EndToEndTest, ForwardSecureConnectionClose) {
   // This test ensures ZERO_RTT_PROTECTED connection close is sent to a client
   // which has ZERO_RTT_PROTECTED encryption level.
   connect_to_server_on_initialize_ =
-      negotiated_version_.transport_version <= QUIC_VERSION_43;
+      !VersionHasIetfInvariantHeader(negotiated_version_.transport_version);
   ASSERT_TRUE(Initialize());
-  if (negotiated_version_.transport_version <= QUIC_VERSION_43) {
+  if (!VersionHasIetfInvariantHeader(negotiated_version_.transport_version)) {
     // Only runs for IETF QUIC header.
     return;
   }
@@ -3853,7 +4055,7 @@ TEST_P(EndToEndTest, ForwardSecureConnectionClose) {
 TEST_P(EndToEndTest, TooBigStreamIdClosesConnection) {
   // Has to be before version test, see EndToEndTest::TearDown()
   ASSERT_TRUE(Initialize());
-  if (negotiated_version_.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(negotiated_version_.transport_version)) {
     // Only runs for IETF QUIC.
     return;
   }
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_constants.h b/chromium/net/third_party/quiche/src/quic/core/http/http_constants.h
new file mode 100644
index 00000000000..2641790a847
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_constants.h
@@ -0,0 +1,32 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_HTTP_HTTP_CONSTANTS_H_
+#define QUICHE_QUIC_CORE_HTTP_HTTP_CONSTANTS_H_
+
+#include <cstdint>
+
+namespace quic {
+
+// Unidirectional stream types.
+
+// https://quicwg.org/base-drafts/draft-ietf-quic-http.html#unidirectional-streams
+const uint64_t kControlStream = 0x00;
+const uint64_t kServerPushStream = 0x01;
+// https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#enc-dec-stream-def
+const uint64_t kQpackEncoderStream = 0x02;
+const uint64_t kQpackDecoderStream = 0x03;
+
+// Settings identifiers.
+
+// https://quicwg.org/base-drafts/draft-ietf-quic-http.html#settings-parameters
+const uint64_t kSettingsMaxHeaderListSize = 0x06;
+const uint64_t kSettingsNumPlaceholders = 0x09;
+// https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#configuration
+const uint64_t kSettingsQpackMaxTableCapacity = 0x01;
+const uint64_t kSettingsQpackBlockedStream = 0x07;
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_HTTP_HTTP_CONSTANTS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_decoder.cc b/chromium/net/third_party/quiche/src/quic/core/http/http_decoder.cc
index c59e8b0699b..f8de0835c74 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_decoder.cc
@@ -4,35 +4,17 @@
 
 #include "net/third_party/quiche/src/quic/core/http/http_decoder.h"
 
-#include <type_traits>
+#include <cstdint>
 
+#include "net/third_party/quiche/src/quic/core/http/http_frames.h"
 #include "net/third_party/quiche/src/quic/core/quic_data_reader.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_fallthrough.h"
 
 namespace quic {
 
-namespace {
-
-// Create a mask that sets the last |num_bits| to 1 and the rest to 0.
-inline uint8_t GetMaskFromNumBits(uint8_t num_bits) {
-  return (1u << num_bits) - 1;
-}
-
-// Extract |num_bits| from |flags| offset by |offset|.
-uint8_t ExtractBits(uint8_t flags, uint8_t num_bits, uint8_t offset) {
-  return (flags >> offset) & GetMaskFromNumBits(num_bits);
-}
-
-// Length of the weight field of a priority frame.
-static const size_t kPriorityWeightLength = 1;
-// Length of a priority frame's first byte.
-static const size_t kPriorityFirstByteLength = 1;
-
-}  // namespace
-
-HttpDecoder::HttpDecoder()
-    : visitor_(nullptr),
+HttpDecoder::HttpDecoder(Visitor* visitor)
+    : visitor_(visitor),
       state_(STATE_READING_FRAME_TYPE),
       current_frame_type_(0),
       current_length_field_length_(0),
@@ -42,26 +24,36 @@ HttpDecoder::HttpDecoder()
       current_type_field_length_(0),
       remaining_type_field_length_(0),
       error_(QUIC_NO_ERROR),
-      error_detail_("") {}
+      error_detail_("") {
+  DCHECK(visitor_);
+}
 
 HttpDecoder::~HttpDecoder() {}
 
 QuicByteCount HttpDecoder::ProcessInput(const char* data, QuicByteCount len) {
+  DCHECK_EQ(QUIC_NO_ERROR, error_);
+  DCHECK_NE(STATE_ERROR, state_);
+
   QuicDataReader reader(data, len);
-  while (error_ == QUIC_NO_ERROR &&
+  bool continue_processing = true;
+  while (continue_processing &&
          (reader.BytesRemaining() != 0 || state_ == STATE_FINISH_PARSING)) {
+    // |continue_processing| must have been set to false upon error.
+    DCHECK_EQ(QUIC_NO_ERROR, error_);
+    DCHECK_NE(STATE_ERROR, state_);
+
     switch (state_) {
       case STATE_READING_FRAME_TYPE:
         ReadFrameType(&reader);
         break;
       case STATE_READING_FRAME_LENGTH:
-        ReadFrameLength(&reader);
+        continue_processing = ReadFrameLength(&reader);
         break;
       case STATE_READING_FRAME_PAYLOAD:
-        ReadFramePayload(&reader);
+        continue_processing = ReadFramePayload(&reader);
         break;
       case STATE_FINISH_PARSING:
-        FinishParsing();
+        continue_processing = FinishParsing();
         break;
       case STATE_ERROR:
         break;
@@ -70,10 +62,6 @@ QuicByteCount HttpDecoder::ProcessInput(const char* data, QuicByteCount len) {
     }
   }
 
-  if (error_ != QUIC_NO_ERROR) {
-    return 0;
-  }
-
   return len - reader.BytesRemaining();
 }
 
@@ -82,23 +70,16 @@ void HttpDecoder::ReadFrameType(QuicDataReader* reader) {
   if (current_type_field_length_ == 0) {
     // A new frame is coming.
     current_type_field_length_ = reader->PeekVarInt62Length();
-    if (current_type_field_length_ == 0) {
-      RaiseError(QUIC_INTERNAL_ERROR, "Unable to read frame type length");
-      visitor_->OnError(this);
-      return;
-    }
-    if (current_type_field_length_ <= reader->BytesRemaining()) {
-      // The reader has all type data needed, so no need to buffer.
-      if (!reader->ReadVarInt62(&current_frame_type_)) {
-        RaiseError(QUIC_INTERNAL_ERROR, "Unable to read frame type");
-        return;
-      }
-    } else {
+    DCHECK_NE(0u, current_type_field_length_);
+    if (current_type_field_length_ > reader->BytesRemaining()) {
       // Buffer a new type field.
       remaining_type_field_length_ = current_type_field_length_;
       BufferFrameType(reader);
       return;
     }
+    // The reader has all type data needed, so no need to buffer.
+    bool success = reader->ReadVarInt62(&current_frame_type_);
+    DCHECK(success);
   } else {
     // Buffer the existing type field.
     BufferFrameType(reader);
@@ -107,137 +88,150 @@ void HttpDecoder::ReadFrameType(QuicDataReader* reader) {
       return;
     }
     QuicDataReader type_reader(type_buffer_.data(), current_type_field_length_);
-    if (!type_reader.ReadVarInt62(&current_frame_type_)) {
-      RaiseError(QUIC_INTERNAL_ERROR, "Unable to read buffered frame type");
-      visitor_->OnError(this);
-      return;
-    }
+    bool success = type_reader.ReadVarInt62(&current_frame_type_);
+    DCHECK(success);
   }
 
   state_ = STATE_READING_FRAME_LENGTH;
 }
 
-void HttpDecoder::ReadFrameLength(QuicDataReader* reader) {
+bool HttpDecoder::ReadFrameLength(QuicDataReader* reader) {
   DCHECK_NE(0u, reader->BytesRemaining());
   if (current_length_field_length_ == 0) {
     // A new frame is coming.
     current_length_field_length_ = reader->PeekVarInt62Length();
-    if (current_length_field_length_ == 0) {
-      RaiseError(QUIC_INTERNAL_ERROR,
-                 "Unable to read the length of frame length");
-      visitor_->OnError(this);
-      return;
-    }
-    if (current_length_field_length_ <= reader->BytesRemaining()) {
-      // The reader has all length data needed, so no need to buffer.
-      if (!reader->ReadVarInt62(&current_frame_length_)) {
-        RaiseError(QUIC_INTERNAL_ERROR, "Unable to read frame length");
-        return;
-      }
-    } else {
+    DCHECK_NE(0u, current_length_field_length_);
+    if (current_length_field_length_ > reader->BytesRemaining()) {
       // Buffer a new length field.
       remaining_length_field_length_ = current_length_field_length_;
       BufferFrameLength(reader);
-      return;
+      return true;
     }
+    // The reader has all length data needed, so no need to buffer.
+    bool success = reader->ReadVarInt62(&current_frame_length_);
+    DCHECK(success);
   } else {
     // Buffer the existing length field.
     BufferFrameLength(reader);
     // The frame is still not buffered completely.
     if (remaining_length_field_length_ != 0) {
-      return;
+      return true;
     }
     QuicDataReader length_reader(length_buffer_.data(),
                                  current_length_field_length_);
-    if (!length_reader.ReadVarInt62(&current_frame_length_)) {
-      RaiseError(QUIC_INTERNAL_ERROR, "Unable to read buffered frame length");
-      visitor_->OnError(this);
-      return;
-    }
+    bool success = length_reader.ReadVarInt62(&current_frame_length_);
+    DCHECK(success);
   }
 
   if (current_frame_length_ > MaxFrameLength(current_frame_type_)) {
+    // TODO(bnc): Signal HTTP_EXCESSIVE_LOAD or similar to peer.
     RaiseError(QUIC_INTERNAL_ERROR, "Frame is too large");
     visitor_->OnError(this);
-    return;
+    return false;
   }
 
-  // Calling the following two visitor methods does not require parsing of any
+  // Calling the following visitor methods does not require parsing of any
   // frame payload.
-  if (current_frame_type_ == 0x0) {
-    visitor_->OnDataFrameStart(Http3FrameLengths(
-        current_length_field_length_ + current_type_field_length_,
-        current_frame_length_));
-  } else if (current_frame_type_ == 0x1) {
-    visitor_->OnHeadersFrameStart(Http3FrameLengths(
-        current_length_field_length_ + current_type_field_length_,
-        current_frame_length_));
-  } else if (current_frame_type_ == 0x4) {
-    visitor_->OnSettingsFrameStart(Http3FrameLengths(
-        current_length_field_length_ + current_type_field_length_,
-        current_frame_length_));
+  bool continue_processing = true;
+  auto frame_meta = Http3FrameLengths(
+      current_length_field_length_ + current_type_field_length_,
+      current_frame_length_);
+
+  switch (current_frame_type_) {
+    case static_cast<uint64_t>(HttpFrameType::DATA):
+      continue_processing = visitor_->OnDataFrameStart(frame_meta);
+      break;
+    case static_cast<uint64_t>(HttpFrameType::HEADERS):
+      continue_processing = visitor_->OnHeadersFrameStart(frame_meta);
+      break;
+    case static_cast<uint64_t>(HttpFrameType::PRIORITY):
+      continue_processing = visitor_->OnPriorityFrameStart(frame_meta);
+      break;
+    case static_cast<uint64_t>(HttpFrameType::CANCEL_PUSH):
+      break;
+    case static_cast<uint64_t>(HttpFrameType::SETTINGS):
+      continue_processing = visitor_->OnSettingsFrameStart(frame_meta);
+      break;
+    case static_cast<uint64_t>(HttpFrameType::PUSH_PROMISE):
+      break;
+    case static_cast<uint64_t>(HttpFrameType::GOAWAY):
+      break;
+    case static_cast<uint64_t>(HttpFrameType::MAX_PUSH_ID):
+      break;
+    case static_cast<uint64_t>(HttpFrameType::DUPLICATE_PUSH):
+      break;
+    default:
+      continue_processing =
+          visitor_->OnUnknownFrameStart(current_frame_type_, frame_meta);
+      break;
   }
 
   remaining_frame_length_ = current_frame_length_;
   state_ = (remaining_frame_length_ == 0) ? STATE_FINISH_PARSING
                                           : STATE_READING_FRAME_PAYLOAD;
+  return continue_processing;
 }
 
-void HttpDecoder::ReadFramePayload(QuicDataReader* reader) {
+bool HttpDecoder::ReadFramePayload(QuicDataReader* reader) {
   DCHECK_NE(0u, reader->BytesRemaining());
   DCHECK_NE(0u, remaining_frame_length_);
+
+  bool continue_processing = true;
+
   switch (current_frame_type_) {
-    case 0x0: {  // DATA
+    case static_cast<uint64_t>(HttpFrameType::DATA): {
       QuicByteCount bytes_to_read = std::min<QuicByteCount>(
           remaining_frame_length_, reader->BytesRemaining());
       QuicStringPiece payload;
-      if (!reader->ReadStringPiece(&payload, bytes_to_read)) {
-        RaiseError(QUIC_INTERNAL_ERROR, "Unable to read data");
-        return;
-      }
+      bool success = reader->ReadStringPiece(&payload, bytes_to_read);
+      DCHECK(success);
       DCHECK(!payload.empty());
-      visitor_->OnDataFramePayload(payload);
+      continue_processing = visitor_->OnDataFramePayload(payload);
       remaining_frame_length_ -= payload.length();
       break;
     }
-    case 0x1: {  // HEADERS
+    case static_cast<uint64_t>(HttpFrameType::HEADERS): {
       QuicByteCount bytes_to_read = std::min<QuicByteCount>(
           remaining_frame_length_, reader->BytesRemaining());
       QuicStringPiece payload;
-      if (!reader->ReadStringPiece(&payload, bytes_to_read)) {
-        RaiseError(QUIC_INTERNAL_ERROR, "Unable to read data");
-        return;
-      }
+      bool success = reader->ReadStringPiece(&payload, bytes_to_read);
+      DCHECK(success);
       DCHECK(!payload.empty());
-      visitor_->OnHeadersFramePayload(payload);
+      continue_processing = visitor_->OnHeadersFramePayload(payload);
       remaining_frame_length_ -= payload.length();
       break;
     }
-    case 0x2: {  // PRIORITY
+    case static_cast<uint64_t>(HttpFrameType::PRIORITY): {
       // TODO(rch): avoid buffering if the entire frame is present, and
       // instead parse directly out of |reader|.
       BufferFramePayload(reader);
       break;
     }
-    case 0x3: {  // CANCEL_PUSH
+    case static_cast<uint64_t>(HttpFrameType::CANCEL_PUSH): {
       BufferFramePayload(reader);
       break;
     }
-    case 0x4: {  // SETTINGS
+    case static_cast<uint64_t>(HttpFrameType::SETTINGS): {
       BufferFramePayload(reader);
       break;
     }
-    case 0x5: {  // PUSH_PROMISE
+    case static_cast<uint64_t>(HttpFrameType::PUSH_PROMISE): {
       if (current_frame_length_ == remaining_frame_length_) {
         QuicByteCount bytes_remaining = reader->BytesRemaining();
         PushId push_id;
         // TODO(rch): Handle partial delivery of this field.
         if (!reader->ReadVarInt62(&push_id)) {
           RaiseError(QUIC_INTERNAL_ERROR, "Unable to read push_id");
-          return;
+          return false;
         }
         remaining_frame_length_ -= bytes_remaining - reader->BytesRemaining();
-        visitor_->OnPushPromiseFrameStart(push_id);
+        if (!visitor_->OnPushPromiseFrameStart(
+                push_id, Http3FrameLengths(current_length_field_length_ +
+                                               current_type_field_length_,
+                                           current_frame_length_))) {
+          continue_processing = false;
+          break;
+        }
       }
       DCHECK_LT(remaining_frame_length_, current_frame_length_);
       QuicByteCount bytes_to_read = std::min<QuicByteCount>(
@@ -246,106 +240,97 @@ void HttpDecoder::ReadFramePayload(QuicDataReader* reader) {
         break;
       }
       QuicStringPiece payload;
-      if (!reader->ReadStringPiece(&payload, bytes_to_read)) {
-        RaiseError(QUIC_INTERNAL_ERROR, "Unable to read data");
-        return;
-      }
+      bool success = reader->ReadStringPiece(&payload, bytes_to_read);
+      DCHECK(success);
       DCHECK(!payload.empty());
-      visitor_->OnPushPromiseFramePayload(payload);
+      continue_processing = visitor_->OnPushPromiseFramePayload(payload);
       remaining_frame_length_ -= payload.length();
       break;
     }
-    case 0x7: {  // GOAWAY
+    case static_cast<uint64_t>(HttpFrameType::GOAWAY): {
       BufferFramePayload(reader);
       break;
     }
-
-    case 0xD: {  // MAX_PUSH_ID
+    case static_cast<uint64_t>(HttpFrameType::MAX_PUSH_ID): {
       // TODO(rch): Handle partial delivery.
       BufferFramePayload(reader);
       break;
     }
-
-    case 0xE: {  // DUPLICATE_PUSH
+    case static_cast<uint64_t>(HttpFrameType::DUPLICATE_PUSH): {
       BufferFramePayload(reader);
       break;
     }
-    // Reserved frame types.
-    // TODO(rch): Since these are actually the same behavior as the
-    // default, we probably don't need to special case them here?
-    case 0xB:
-      QUIC_FALLTHROUGH_INTENDED;
-    case 0xB + 0x1F:
-      QUIC_FALLTHROUGH_INTENDED;
-    case 0xB + 0x1F * 2:
-      QUIC_FALLTHROUGH_INTENDED;
-    case 0xB + 0x1F * 3:
-      QUIC_FALLTHROUGH_INTENDED;
-    case 0xB + 0x1F * 4:
-      QUIC_FALLTHROUGH_INTENDED;
-    case 0xB + 0x1F * 5:
-      QUIC_FALLTHROUGH_INTENDED;
-    case 0xB + 0x1F * 6:
-      QUIC_FALLTHROUGH_INTENDED;
-    case 0xB + 0x1F * 7:
-      QUIC_FALLTHROUGH_INTENDED;
-    default:
-      DiscardFramePayload(reader);
-      return;
+    default: {
+      QuicByteCount bytes_to_read = std::min<QuicByteCount>(
+          remaining_frame_length_, reader->BytesRemaining());
+      QuicStringPiece payload;
+      bool success = reader->ReadStringPiece(&payload, bytes_to_read);
+      DCHECK(success);
+      DCHECK(!payload.empty());
+      continue_processing = visitor_->OnUnknownFramePayload(payload);
+      remaining_frame_length_ -= payload.length();
+      break;
+    }
   }
 
   if (remaining_frame_length_ == 0) {
     state_ = STATE_FINISH_PARSING;
   }
+
+  return continue_processing;
 }
 
-void HttpDecoder::FinishParsing() {
+bool HttpDecoder::FinishParsing() {
   DCHECK_EQ(0u, remaining_frame_length_);
+
+  bool continue_processing = true;
+
   switch (current_frame_type_) {
-    case 0x0: {  // DATA
-      visitor_->OnDataFrameEnd();
+    case static_cast<uint64_t>(HttpFrameType::DATA): {
+      continue_processing = visitor_->OnDataFrameEnd();
       break;
     }
-    case 0x1: {  // HEADERS
-      visitor_->OnHeadersFrameEnd();
+    case static_cast<uint64_t>(HttpFrameType::HEADERS): {
+      continue_processing = visitor_->OnHeadersFrameEnd();
       break;
     }
-    case 0x2: {  // PRIORITY
+    case static_cast<uint64_t>(HttpFrameType::PRIORITY): {
       // TODO(rch): avoid buffering if the entire frame is present, and
       // instead parse directly out of |reader|.
       PriorityFrame frame;
       QuicDataReader reader(buffer_.data(), current_frame_length_);
       if (!ParsePriorityFrame(&reader, &frame)) {
-        return;
+        return false;
       }
-      visitor_->OnPriorityFrame(frame);
+      continue_processing = visitor_->OnPriorityFrame(frame);
       break;
     }
-    case 0x3: {  // CANCEL_PUSH
+    case static_cast<uint64_t>(HttpFrameType::CANCEL_PUSH): {
       // TODO(rch): Handle partial delivery.
       CancelPushFrame frame;
       QuicDataReader reader(buffer_.data(), current_frame_length_);
       if (!reader.ReadVarInt62(&frame.push_id)) {
         RaiseError(QUIC_INTERNAL_ERROR, "Unable to read push_id");
-        return;
+        return false;
       }
-      visitor_->OnCancelPushFrame(frame);
+      continue_processing = visitor_->OnCancelPushFrame(frame);
       break;
     }
-    case 0x4: {  // SETTINGS
+    case static_cast<uint64_t>(HttpFrameType::SETTINGS): {
       SettingsFrame frame;
       QuicDataReader reader(buffer_.data(), current_frame_length_);
       if (!ParseSettingsFrame(&reader, &frame)) {
-        return;
+        return false;
       }
-      visitor_->OnSettingsFrame(frame);
+      continue_processing = visitor_->OnSettingsFrame(frame);
       break;
     }
-    case 0x5: {  // PUSH_PROMISE
-      visitor_->OnPushPromiseFrameEnd();
+    case static_cast<uint64_t>(HttpFrameType::PUSH_PROMISE): {
+      continue_processing = visitor_->OnPushPromiseFrameEnd();
       break;
     }
-    case 0x7: {  // GOAWAY
+    case static_cast<uint64_t>(HttpFrameType::GOAWAY): {
+      // TODO(bnc): Handle partial delivery.
       QuicDataReader reader(buffer_.data(), current_frame_length_);
       GoAwayFrame frame;
       static_assert(!std::is_same<decltype(frame.stream_id), uint64_t>::value,
@@ -355,32 +340,36 @@ void HttpDecoder::FinishParsing() {
       uint64_t stream_id;
       if (!reader.ReadVarInt62(&stream_id)) {
         RaiseError(QUIC_INTERNAL_ERROR, "Unable to read GOAWAY stream_id");
-        return;
+        return false;
       }
       frame.stream_id = static_cast<QuicStreamId>(stream_id);
-      visitor_->OnGoAwayFrame(frame);
+      continue_processing = visitor_->OnGoAwayFrame(frame);
       break;
     }
-
-    case 0xD: {  // MAX_PUSH_ID
+    case static_cast<uint64_t>(HttpFrameType::MAX_PUSH_ID): {
+      // TODO(bnc): Handle partial delivery.
       QuicDataReader reader(buffer_.data(), current_frame_length_);
       MaxPushIdFrame frame;
       if (!reader.ReadVarInt62(&frame.push_id)) {
         RaiseError(QUIC_INTERNAL_ERROR, "Unable to read push_id");
-        return;
+        return false;
       }
-      visitor_->OnMaxPushIdFrame(frame);
+      continue_processing = visitor_->OnMaxPushIdFrame(frame);
       break;
     }
-
-    case 0xE: {  // DUPLICATE_PUSH
+    case static_cast<uint64_t>(HttpFrameType::DUPLICATE_PUSH): {
+      // TODO(bnc): Handle partial delivery.
       QuicDataReader reader(buffer_.data(), current_frame_length_);
       DuplicatePushFrame frame;
       if (!reader.ReadVarInt62(&frame.push_id)) {
         RaiseError(QUIC_INTERNAL_ERROR, "Unable to read push_id");
-        return;
+        return false;
       }
-      visitor_->OnDuplicatePushFrame(frame);
+      continue_processing = visitor_->OnDuplicatePushFrame(frame);
+      break;
+    }
+    default: {
+      continue_processing = visitor_->OnUnknownFrameEnd();
       break;
     }
   }
@@ -388,16 +377,15 @@ void HttpDecoder::FinishParsing() {
   current_length_field_length_ = 0;
   current_type_field_length_ = 0;
   state_ = STATE_READING_FRAME_TYPE;
+  return continue_processing;
 }
 
 void HttpDecoder::DiscardFramePayload(QuicDataReader* reader) {
   QuicByteCount bytes_to_read = std::min<QuicByteCount>(
       remaining_frame_length_, reader->BytesRemaining());
   QuicStringPiece payload;
-  if (!reader->ReadStringPiece(&payload, bytes_to_read)) {
-    RaiseError(QUIC_INTERNAL_ERROR, "Unable to read frame payload");
-    return;
-  }
+  bool success = reader->ReadStringPiece(&payload, bytes_to_read);
+  DCHECK(success);
   remaining_frame_length_ -= payload.length();
   if (remaining_frame_length_ == 0) {
     state_ = STATE_READING_FRAME_TYPE;
@@ -413,12 +401,10 @@ void HttpDecoder::BufferFramePayload(QuicDataReader* reader) {
   }
   QuicByteCount bytes_to_read = std::min<QuicByteCount>(
       remaining_frame_length_, reader->BytesRemaining());
-  if (!reader->ReadBytes(
-          &(buffer_[0]) + current_frame_length_ - remaining_frame_length_,
-          bytes_to_read)) {
-    RaiseError(QUIC_INTERNAL_ERROR, "Unable to read frame payload");
-    return;
-  }
+  bool success = reader->ReadBytes(
+      &(buffer_[0]) + current_frame_length_ - remaining_frame_length_,
+      bytes_to_read);
+  DCHECK(success);
   remaining_frame_length_ -= bytes_to_read;
 }
 
@@ -428,13 +414,11 @@ void HttpDecoder::BufferFrameLength(QuicDataReader* reader) {
   }
   QuicByteCount bytes_to_read = std::min<QuicByteCount>(
       remaining_length_field_length_, reader->BytesRemaining());
-  if (!reader->ReadBytes(length_buffer_.data() + current_length_field_length_ -
-                             remaining_length_field_length_,
-                         bytes_to_read)) {
-    RaiseError(QUIC_INTERNAL_ERROR, "Unable to buffer frame length bytes.");
-    visitor_->OnError(this);
-    return;
-  }
+  bool success =
+      reader->ReadBytes(length_buffer_.data() + current_length_field_length_ -
+                            remaining_length_field_length_,
+                        bytes_to_read);
+  DCHECK(success);
   remaining_length_field_length_ -= bytes_to_read;
 }
 
@@ -444,13 +428,11 @@ void HttpDecoder::BufferFrameType(QuicDataReader* reader) {
   }
   QuicByteCount bytes_to_read = std::min<QuicByteCount>(
       remaining_type_field_length_, reader->BytesRemaining());
-  if (!reader->ReadBytes(type_buffer_.data() + current_type_field_length_ -
-                             remaining_type_field_length_,
-                         bytes_to_read)) {
-    RaiseError(QUIC_INTERNAL_ERROR, "Unable to buffer frame type bytes.");
-    visitor_->OnError(this);
-    return;
-  }
+  bool success =
+      reader->ReadBytes(type_buffer_.data() + current_type_field_length_ -
+                            remaining_type_field_length_,
+                        bytes_to_read);
+  DCHECK(success);
   remaining_type_field_length_ -= bytes_to_read;
 }
 
@@ -464,25 +446,43 @@ bool HttpDecoder::ParsePriorityFrame(QuicDataReader* reader,
                                      PriorityFrame* frame) {
   uint8_t flags;
   if (!reader->ReadUInt8(&flags)) {
-    RaiseError(QUIC_INTERNAL_ERROR, "Unable to read priority frame flags");
+    // TODO(b/124216424): Use HTTP_MALFORMED_FRAME.
+    RaiseError(QUIC_INVALID_FRAME_DATA, "Unable to read PRIORITY frame flags.");
     return false;
   }
 
-  frame->prioritized_type =
-      static_cast<PriorityElementType>(ExtractBits(flags, 2, 6));
-  frame->dependency_type =
-      static_cast<PriorityElementType>(ExtractBits(flags, 2, 4));
-  frame->exclusive = flags % 2 == 1;
-  if (!reader->ReadVarInt62(&frame->prioritized_element_id)) {
-    RaiseError(QUIC_INTERNAL_ERROR, "Unable to read prioritized_element_id");
+  // Assign two most significant bits to prioritized_type.
+  frame->prioritized_type = static_cast<PriorityElementType>((flags >> 6) & 3);
+  // Assign the next two most significant bits to dependency type.
+  frame->dependency_type = static_cast<PriorityElementType>((flags >> 4) & 3);
+  frame->exclusive = flags & kPriorityExclusiveBit;
+  // TODO(bnc): Close connection with HTTP_MALFORMED_FRAME
+  // if lowest three bits are not all zero.
+
+  // TODO(b/137359636): Handle partial delivery.
+  if (frame->prioritized_type != ROOT_OF_TREE &&
+      !reader->ReadVarInt62(&frame->prioritized_element_id)) {
+    // TODO(b/124216424): Use HTTP_MALFORMED_FRAME.
+    RaiseError(QUIC_INVALID_FRAME_DATA,
+               "Unable to read prioritized_element_id.");
     return false;
   }
-  if (!reader->ReadVarInt62(&frame->element_dependency_id)) {
-    RaiseError(QUIC_INTERNAL_ERROR, "Unable to read element_dependency_id");
+  if (frame->dependency_type != ROOT_OF_TREE &&
+      !reader->ReadVarInt62(&frame->element_dependency_id)) {
+    // TODO(b/124216424): Use HTTP_MALFORMED_FRAME.
+    RaiseError(QUIC_INVALID_FRAME_DATA,
+               "Unable to read element_dependency_id.");
     return false;
   }
   if (!reader->ReadUInt8(&frame->weight)) {
-    RaiseError(QUIC_INTERNAL_ERROR, "Unable to read priority frame weight");
+    // TODO(b/124216424): Use HTTP_MALFORMED_FRAME.
+    RaiseError(QUIC_INVALID_FRAME_DATA,
+               "Unable to read priority frame weight.");
+    return false;
+  }
+  if (!reader->IsDoneReading()) {
+    // TODO(b/124216424): Use HTTP_MALFORMED_FRAME.
+    RaiseError(QUIC_INVALID_FRAME_DATA, "Superfluous data in priority frame.");
     return false;
   }
   return true;
@@ -491,6 +491,7 @@ bool HttpDecoder::ParsePriorityFrame(QuicDataReader* reader,
 bool HttpDecoder::ParseSettingsFrame(QuicDataReader* reader,
                                      SettingsFrame* frame) {
   while (!reader->IsDoneReading()) {
+    // TODO(bnc): Handle partial delivery of both fields.
     uint64_t id;
     if (!reader->ReadVarInt62(&id)) {
       RaiseError(QUIC_INTERNAL_ERROR,
@@ -507,21 +508,21 @@ bool HttpDecoder::ParseSettingsFrame(QuicDataReader* reader,
   return true;
 }
 
-QuicByteCount HttpDecoder::MaxFrameLength(uint8_t frame_type) {
+QuicByteCount HttpDecoder::MaxFrameLength(uint64_t frame_type) {
   switch (frame_type) {
-    case 0x2:  // PRIORITY
+    case static_cast<uint64_t>(HttpFrameType::PRIORITY):
       return kPriorityFirstByteLength + VARIABLE_LENGTH_INTEGER_LENGTH_8 * 2 +
              kPriorityWeightLength;
-    case 0x3:  // CANCEL_PUSH
+    case static_cast<uint64_t>(HttpFrameType::CANCEL_PUSH):
       return sizeof(PushId);
-    case 0x4:  // SETTINGS
+    case static_cast<uint64_t>(HttpFrameType::SETTINGS):
       // This limit is arbitrary.
       return 1024 * 1024;
-    case 0x7:  // GOAWAY
+    case static_cast<uint64_t>(HttpFrameType::GOAWAY):
       return sizeof(QuicStreamId);
-    case 0xD:  // MAX_PUSH_ID
+    case static_cast<uint64_t>(HttpFrameType::MAX_PUSH_ID):
       return sizeof(PushId);
-    case 0xE:  // DUPLICATE_PUSH
+    case static_cast<uint64_t>(HttpFrameType::DUPLICATE_PUSH):
       return sizeof(PushId);
     default:
       // Other frames require no data buffering, so it's safe to have no limit.
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_decoder.h b/chromium/net/third_party/quiche/src/quic/core/http/http_decoder.h
index a392962149e..99c4d100701 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_decoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_decoder.h
@@ -5,16 +5,19 @@
 #ifndef QUICHE_QUIC_CORE_HTTP_HTTP_DECODER_H_
 #define QUICHE_QUIC_CORE_HTTP_HTTP_DECODER_H_
 
-#include <cstddef>
-
 #include "net/third_party/quiche/src/quic/core/http/http_frames.h"
 #include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
-#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
 namespace quic {
 
+namespace test {
+
+class HttpDecoderPeer;
+
+}  // namespace test
+
 class QuicDataReader;
 
 // Struct that stores meta data of an HTTP/3 frame.
@@ -44,82 +47,100 @@ class QUIC_EXPORT_PRIVATE HttpDecoder {
     // Called if an error is detected.
     virtual void OnError(HttpDecoder* decoder) = 0;
 
+    // All the following methods return true to continue decoding,
+    // and false to pause it.
+
+    // Called when a PRIORITY frame has been received.
+    // |frame_length| contains PRIORITY frame length and payload length.
+    virtual bool OnPriorityFrameStart(Http3FrameLengths frame_length) = 0;
+
     // Called when a PRIORITY frame has been successfully parsed.
-    virtual void OnPriorityFrame(const PriorityFrame& frame) = 0;
+    virtual bool OnPriorityFrame(const PriorityFrame& frame) = 0;
 
     // Called when a CANCEL_PUSH frame has been successfully parsed.
-    virtual void OnCancelPushFrame(const CancelPushFrame& frame) = 0;
+    virtual bool OnCancelPushFrame(const CancelPushFrame& frame) = 0;
 
     // Called when a MAX_PUSH_ID frame has been successfully parsed.
-    virtual void OnMaxPushIdFrame(const MaxPushIdFrame& frame) = 0;
+    virtual bool OnMaxPushIdFrame(const MaxPushIdFrame& frame) = 0;
 
     // Called when a GOAWAY frame has been successfully parsed.
-    virtual void OnGoAwayFrame(const GoAwayFrame& frame) = 0;
+    virtual bool OnGoAwayFrame(const GoAwayFrame& frame) = 0;
 
     // Called when a SETTINGS frame has been received.
-    virtual void OnSettingsFrameStart(Http3FrameLengths frame_length) = 0;
+    virtual bool OnSettingsFrameStart(Http3FrameLengths frame_length) = 0;
 
     // Called when a SETTINGS frame has been successfully parsed.
-    virtual void OnSettingsFrame(const SettingsFrame& frame) = 0;
+    virtual bool OnSettingsFrame(const SettingsFrame& frame) = 0;
 
     // Called when a DUPLICATE_PUSH frame has been successfully parsed.
-    virtual void OnDuplicatePushFrame(const DuplicatePushFrame& frame) = 0;
+    virtual bool OnDuplicatePushFrame(const DuplicatePushFrame& frame) = 0;
 
     // Called when a DATA frame has been received.
     // |frame_length| contains DATA frame length and payload length.
-    virtual void OnDataFrameStart(Http3FrameLengths frame_length) = 0;
+    virtual bool OnDataFrameStart(Http3FrameLengths frame_length) = 0;
     // Called when part of the payload of a DATA frame has been read.  May be
     // called multiple times for a single frame.  |payload| is guaranteed to be
     // non-empty.
-    virtual void OnDataFramePayload(QuicStringPiece payload) = 0;
+    virtual bool OnDataFramePayload(QuicStringPiece payload) = 0;
     // Called when a DATA frame has been completely processed.
-    virtual void OnDataFrameEnd() = 0;
+    virtual bool OnDataFrameEnd() = 0;
 
     // Called when a HEADERS frame has been received.
     // |frame_length| contains HEADERS frame length and payload length.
-    virtual void OnHeadersFrameStart(Http3FrameLengths frame_length) = 0;
+    virtual bool OnHeadersFrameStart(Http3FrameLengths frame_length) = 0;
     // Called when part of the payload of a HEADERS frame has been read.  May be
     // called multiple times for a single frame.  |payload| is guaranteed to be
     // non-empty.
-    virtual void OnHeadersFramePayload(QuicStringPiece payload) = 0;
+    virtual bool OnHeadersFramePayload(QuicStringPiece payload) = 0;
     // Called when a HEADERS frame has been completely processed.
     // |frame_len| is the length of the HEADERS frame payload.
-    virtual void OnHeadersFrameEnd() = 0;
+    virtual bool OnHeadersFrameEnd() = 0;
 
     // Called when a PUSH_PROMISE frame has been received for |push_id|.
-    virtual void OnPushPromiseFrameStart(PushId push_id) = 0;
+    virtual bool OnPushPromiseFrameStart(PushId push_id,
+                                         Http3FrameLengths frame_length) = 0;
     // Called when part of the payload of a PUSH_PROMISE frame has been read.
     // May be called multiple times for a single frame.  |payload| is guaranteed
     // to be non-empty.
-    virtual void OnPushPromiseFramePayload(QuicStringPiece payload) = 0;
+    virtual bool OnPushPromiseFramePayload(QuicStringPiece payload) = 0;
     // Called when a PUSH_PROMISE frame has been completely processed.
-    virtual void OnPushPromiseFrameEnd() = 0;
-
-    // TODO(rch): Consider adding methods like:
-    // OnUnknownFrame{Start,Payload,End}()
-    // to allow callers to handle unknown frames.
+    virtual bool OnPushPromiseFrameEnd() = 0;
+
+    // Called when a frame of unknown type |frame_type| has been received.
+    // Frame type might be reserved, Visitor must make sure to ignore.
+    // |frame_length| contains frame length and payload length.
+    virtual bool OnUnknownFrameStart(uint64_t frame_type,
+                                     Http3FrameLengths frame_length) = 0;
+    // Called when part of the payload of the unknown frame has been read.  May
+    // be called multiple times for a single frame.  |payload| is guaranteed to
+    // be non-empty.
+    virtual bool OnUnknownFramePayload(QuicStringPiece payload) = 0;
+    // Called when the unknown frame has been completely processed.
+    virtual bool OnUnknownFrameEnd() = 0;
   };
 
-  HttpDecoder();
+  // |visitor| must be non-null, and must outlive HttpDecoder.
+  explicit HttpDecoder(Visitor* visitor);
 
   ~HttpDecoder();
 
-  // Set callbacks to be called from the decoder.  A visitor must be set, or
-  // else the decoder will crash.  It is acceptable for the visitor to do
-  // nothing.  If this is called multiple times, only the last visitor
-  // will be used.  |visitor| will be owned by the caller.
-  void set_visitor(Visitor* visitor) { visitor_ = visitor; }
-
-  // Processes the input and invokes the visitor for any frames.
-  // Returns the number of bytes consumed, or 0 if there was an error, in which
-  // case error() should be consulted.
+  // Processes the input and invokes the appropriate visitor methods, until a
+  // visitor method returns false or an error occurs.  Returns the number of
+  // bytes processed.  Does not process any input if called after an error.
+  // Paused processing can be resumed by calling ProcessInput() again with the
+  // unprocessed portion of data.  Must not be called after an error has
+  // occurred.
   QuicByteCount ProcessInput(const char* data, QuicByteCount len);
 
+  // Returns an error code other than QUIC_NO_ERROR if and only if
+  // Visitor::OnError() has been called.
   QuicErrorCode error() const { return error_; }
+
   const std::string& error_detail() const { return error_detail_; }
-  uint64_t current_frame_type() const { return current_frame_type_; }
 
  private:
+  friend test::HttpDecoderPeer;
+
   // Represents the current state of the parsing state machine.
   enum HttpDecoderState {
     STATE_READING_FRAME_LENGTH,
@@ -135,16 +156,17 @@ class QUIC_EXPORT_PRIVATE HttpDecoder {
   void ReadFrameType(QuicDataReader* reader);
 
   // Reads the length of a frame from |reader|. Sets error_ and error_detail_
-  // if there are any errors.
-  void ReadFrameLength(QuicDataReader* reader);
+  // if there are any errors.  Returns whether processing should continue.
+  bool ReadFrameLength(QuicDataReader* reader);
 
   // Reads the payload of the current frame from |reader| and processes it,
-  // possibly buffering the data or invoking the visitor.
-  void ReadFramePayload(QuicDataReader* reader);
+  // possibly buffering the data or invoking the visitor.  Returns whether
+  // processing should continue.
+  bool ReadFramePayload(QuicDataReader* reader);
 
   // Optionally parses buffered data; calls visitor method to signal that frame
-  // had been parsed completely.
-  void FinishParsing();
+  // had been parsed completely.  Returns whether processing should continue.
+  bool FinishParsing();
 
   // Discards any remaining frame payload from |reader|.
   void DiscardFramePayload(QuicDataReader* reader);
@@ -169,10 +191,10 @@ class QUIC_EXPORT_PRIVATE HttpDecoder {
   bool ParseSettingsFrame(QuicDataReader* reader, SettingsFrame* frame);
 
   // Returns the max frame size of a given |frame_type|.
-  QuicByteCount MaxFrameLength(uint8_t frame_type);
+  QuicByteCount MaxFrameLength(uint64_t frame_type);
 
   // Visitor to invoke when messages are parsed.
-  Visitor* visitor_;  // Unowned.
+  Visitor* const visitor_;  // Unowned.
   // Current state of the parsing.
   HttpDecoderState state_;
   // Type of the frame currently being parsed.
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_decoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/http_decoder_test.cc
index a4903b5db18..635268bb368 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_decoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_decoder_test.cc
@@ -8,45 +8,121 @@
 #include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 
-using testing::InSequence;
+using ::testing::_;
+using ::testing::Eq;
+using ::testing::InSequence;
+using ::testing::Return;
 
 namespace quic {
 
+namespace test {
+
+class HttpDecoderPeer {
+ public:
+  static uint64_t current_frame_type(HttpDecoder* decoder) {
+    return decoder->current_frame_type_;
+  }
+};
+
 class MockVisitor : public HttpDecoder::Visitor {
  public:
-  virtual ~MockVisitor() = default;
+  ~MockVisitor() override = default;
 
   // Called if an error is detected.
   MOCK_METHOD1(OnError, void(HttpDecoder* decoder));
 
-  MOCK_METHOD1(OnPriorityFrame, void(const PriorityFrame& frame));
-  MOCK_METHOD1(OnCancelPushFrame, void(const CancelPushFrame& frame));
-  MOCK_METHOD1(OnMaxPushIdFrame, void(const MaxPushIdFrame& frame));
-  MOCK_METHOD1(OnGoAwayFrame, void(const GoAwayFrame& frame));
-  MOCK_METHOD1(OnSettingsFrameStart, void(Http3FrameLengths frame_lengths));
-  MOCK_METHOD1(OnSettingsFrame, void(const SettingsFrame& frame));
-  MOCK_METHOD1(OnDuplicatePushFrame, void(const DuplicatePushFrame& frame));
-
-  MOCK_METHOD1(OnDataFrameStart, void(Http3FrameLengths frame_lengths));
-  MOCK_METHOD1(OnDataFramePayload, void(QuicStringPiece payload));
-  MOCK_METHOD0(OnDataFrameEnd, void());
-
-  MOCK_METHOD1(OnHeadersFrameStart, void(Http3FrameLengths frame_lengths));
-  MOCK_METHOD1(OnHeadersFramePayload, void(QuicStringPiece payload));
-  MOCK_METHOD0(OnHeadersFrameEnd, void());
-
-  MOCK_METHOD1(OnPushPromiseFrameStart, void(PushId push_id));
-  MOCK_METHOD1(OnPushPromiseFramePayload, void(QuicStringPiece payload));
-  MOCK_METHOD0(OnPushPromiseFrameEnd, void());
+  MOCK_METHOD1(OnPriorityFrameStart, bool(Http3FrameLengths frame_lengths));
+  MOCK_METHOD1(OnPriorityFrame, bool(const PriorityFrame& frame));
+  MOCK_METHOD1(OnCancelPushFrame, bool(const CancelPushFrame& frame));
+  MOCK_METHOD1(OnMaxPushIdFrame, bool(const MaxPushIdFrame& frame));
+  MOCK_METHOD1(OnGoAwayFrame, bool(const GoAwayFrame& frame));
+  MOCK_METHOD1(OnSettingsFrameStart, bool(Http3FrameLengths frame_lengths));
+  MOCK_METHOD1(OnSettingsFrame, bool(const SettingsFrame& frame));
+  MOCK_METHOD1(OnDuplicatePushFrame, bool(const DuplicatePushFrame& frame));
+
+  MOCK_METHOD1(OnDataFrameStart, bool(Http3FrameLengths frame_lengths));
+  MOCK_METHOD1(OnDataFramePayload, bool(QuicStringPiece payload));
+  MOCK_METHOD0(OnDataFrameEnd, bool());
+
+  MOCK_METHOD1(OnHeadersFrameStart, bool(Http3FrameLengths frame_lengths));
+  MOCK_METHOD1(OnHeadersFramePayload, bool(QuicStringPiece payload));
+  MOCK_METHOD0(OnHeadersFrameEnd, bool());
+
+  MOCK_METHOD2(OnPushPromiseFrameStart,
+               bool(PushId push_id, Http3FrameLengths frame_lengths));
+  MOCK_METHOD1(OnPushPromiseFramePayload, bool(QuicStringPiece payload));
+  MOCK_METHOD0(OnPushPromiseFrameEnd, bool());
+
+  MOCK_METHOD2(OnUnknownFrameStart, bool(uint64_t, Http3FrameLengths));
+  MOCK_METHOD1(OnUnknownFramePayload, bool(QuicStringPiece));
+  MOCK_METHOD0(OnUnknownFrameEnd, bool());
 };
 
 class HttpDecoderTest : public QuicTest {
  public:
-  HttpDecoderTest() { decoder_.set_visitor(&visitor_); }
-  HttpDecoder decoder_;
+  HttpDecoderTest() : decoder_(&visitor_) {
+    ON_CALL(visitor_, OnPriorityFrameStart(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnPriorityFrame(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnCancelPushFrame(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnMaxPushIdFrame(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnGoAwayFrame(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnSettingsFrameStart(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnSettingsFrame(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnDuplicatePushFrame(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnDataFrameStart(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnDataFramePayload(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnDataFrameEnd()).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnHeadersFrameStart(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnHeadersFramePayload(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnHeadersFrameEnd()).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnPushPromiseFrameStart(_, _))
+        .WillByDefault(Return(true));
+    ON_CALL(visitor_, OnPushPromiseFramePayload(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnPushPromiseFrameEnd()).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnUnknownFrameStart(_, _)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnUnknownFramePayload(_)).WillByDefault(Return(true));
+    ON_CALL(visitor_, OnUnknownFrameEnd()).WillByDefault(Return(true));
+  }
+  ~HttpDecoderTest() override = default;
+
+  uint64_t current_frame_type() {
+    return HttpDecoderPeer::current_frame_type(&decoder_);
+  }
+
+  // Process |input| in a single call to HttpDecoder::ProcessInput().
+  QuicByteCount ProcessInput(QuicStringPiece input) {
+    return decoder_.ProcessInput(input.data(), input.size());
+  }
+
+  // Feed |input| to |decoder_| one character at a time,
+  // verifying that each character gets processed.
+  void ProcessInputCharByChar(QuicStringPiece input) {
+    for (char c : input) {
+      EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
+    }
+  }
+
+  // Append garbage to |input|, then process it in a single call to
+  // HttpDecoder::ProcessInput().  Verify that garbage is not read.
+  QuicByteCount ProcessInputWithGarbageAppended(QuicStringPiece input) {
+    std::string input_with_garbage_appended = QuicStrCat(input, "blahblah");
+    QuicByteCount processed_bytes = ProcessInput(input_with_garbage_appended);
+
+    // Guaranteed by HttpDecoder::ProcessInput() contract.
+    DCHECK_LE(processed_bytes, input_with_garbage_appended.size());
+
+    // Caller should set up visitor to pause decoding
+    // before HttpDecoder would read garbage.
+    EXPECT_LE(processed_bytes, input.size());
+
+    return processed_bytes;
+  }
+
   testing::StrictMock<MockVisitor> visitor_;
+  HttpDecoder decoder_;
 };
 
 TEST_F(HttpDecoderTest, InitialState) {
@@ -54,148 +130,113 @@ TEST_F(HttpDecoderTest, InitialState) {
   EXPECT_EQ("", decoder_.error_detail());
 }
 
-TEST_F(HttpDecoderTest, ReservedFramesNoPayload) {
+TEST_F(HttpDecoderTest, UnknownFrame) {
   std::unique_ptr<char[]> input;
-  for (int n = 0; n < 8; ++n) {
-    const uint8_t type = 0xB + 0x1F * n;
-    QuicByteCount total_length = QuicDataWriter::GetVarInt62Len(0x00) +
-                                 QuicDataWriter::GetVarInt62Len(type);
-    input = QuicMakeUnique<char[]>(total_length);
-    QuicDataWriter writer(total_length, input.get());
-    writer.WriteVarInt62(type);
-    writer.WriteVarInt62(0x00);
-
-    EXPECT_EQ(total_length, decoder_.ProcessInput(input.get(), total_length))
-        << n;
-    EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
-    ASSERT_EQ("", decoder_.error_detail());
-    EXPECT_EQ(type, decoder_.current_frame_type());
-  }
-  // Test on a arbitrary reserved frame with 2-byte type field by hard coding
-  // variable length integer.
-  char in[] = {// type 0xB + 0x1F*3
-               0x40, 0x68,
-               // length
-               0x00};
-  EXPECT_EQ(3u, decoder_.ProcessInput(in, QUIC_ARRAYSIZE(in)));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
-  ASSERT_EQ("", decoder_.error_detail());
-  EXPECT_EQ(0xB + 0x1F * 3u, decoder_.current_frame_type());
-}
 
-TEST_F(HttpDecoderTest, ReservedFramesSmallPayload) {
-  std::unique_ptr<char[]> input;
-  const uint8_t payload_size = 50;
-  std::string data(payload_size, 'a');
-  for (int n = 0; n < 8; ++n) {
-    const uint8_t type = 0xB + 0x1F * n;
-    QuicByteCount total_length = QuicDataWriter::GetVarInt62Len(payload_size) +
-                                 QuicDataWriter::GetVarInt62Len(type) +
-                                 payload_size;
-    input = QuicMakeUnique<char[]>(total_length);
-    QuicDataWriter writer(total_length, input.get());
-    writer.WriteVarInt62(type);
-    writer.WriteVarInt62(payload_size);
-    writer.WriteStringPiece(data);
-    EXPECT_EQ(total_length, decoder_.ProcessInput(input.get(), total_length))
-        << n;
-    EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
-    ASSERT_EQ("", decoder_.error_detail());
-    EXPECT_EQ(type, decoder_.current_frame_type());
+  const QuicByteCount payload_lengths[] = {0, 14, 100};
+  const uint64_t frame_types[] = {
+      0x21, 0x40, 0x5f, 0x7e, 0x9d,  // some reserved frame types
+      0x06, 0x0f, 0x14               // some unknown, not reserved frame types
+  };
+
+  for (auto payload_length : payload_lengths) {
+    std::string data(payload_length, 'a');
+
+    for (auto frame_type : frame_types) {
+      const QuicByteCount total_length =
+          QuicDataWriter::GetVarInt62Len(frame_type) +
+          QuicDataWriter::GetVarInt62Len(payload_length) + payload_length;
+      input = QuicMakeUnique<char[]>(total_length);
+
+      QuicDataWriter writer(total_length, input.get());
+      writer.WriteVarInt62(frame_type);
+      writer.WriteVarInt62(payload_length);
+      const QuicByteCount header_length = writer.length();
+      if (payload_length > 0) {
+        writer.WriteStringPiece(data);
+      }
+
+      EXPECT_CALL(visitor_, OnUnknownFrameStart(
+                                frame_type, Http3FrameLengths(header_length,
+                                                              payload_length)));
+      if (payload_length > 0) {
+        EXPECT_CALL(visitor_, OnUnknownFramePayload(Eq(data)));
+      }
+      EXPECT_CALL(visitor_, OnUnknownFrameEnd());
+
+      EXPECT_EQ(total_length, decoder_.ProcessInput(input.get(), total_length));
+
+      EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+      ASSERT_EQ("", decoder_.error_detail());
+      EXPECT_EQ(frame_type, current_frame_type());
+    }
   }
-
-  // Test on a arbitrary reserved frame with 2-byte type field by hard coding
-  // variable length integer.
-  char in[payload_size + 3] = {// type 0xB + 0x1F*3
-                               0x40, 0x68,
-                               // length
-                               payload_size};
-  EXPECT_EQ(QUIC_ARRAYSIZE(in), decoder_.ProcessInput(in, QUIC_ARRAYSIZE(in)));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
-  ASSERT_EQ("", decoder_.error_detail());
-  EXPECT_EQ(0xB + 0x1F * 3u, decoder_.current_frame_type());
 }
 
-TEST_F(HttpDecoderTest, ReservedFramesLargePayload) {
-  std::unique_ptr<char[]> input;
-  const QuicByteCount payload_size = 256;
-  std::string data(payload_size, 'a');
-  for (int n = 0; n < 8; ++n) {
-    const uint8_t type = 0xB + 0x1F * n;
-    QuicByteCount total_length = QuicDataWriter::GetVarInt62Len(payload_size) +
-                                 QuicDataWriter::GetVarInt62Len(type) +
-                                 payload_size;
-    input = QuicMakeUnique<char[]>(total_length);
-    QuicDataWriter writer(total_length, input.get());
-    writer.WriteVarInt62(type);
-    writer.WriteVarInt62(payload_size);
-    writer.WriteStringPiece(data);
-
-    EXPECT_EQ(total_length, decoder_.ProcessInput(input.get(), total_length))
-        << n;
-    EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
-    ASSERT_EQ("", decoder_.error_detail());
-    EXPECT_EQ(type, decoder_.current_frame_type());
-  }
+TEST_F(HttpDecoderTest, CancelPush) {
+  InSequence s;
+  std::string input =
+      "\x03"   // type (CANCEL_PUSH)
+      "\x01"   // length
+      "\x01";  // Push Id
 
-  // Test on a arbitrary reserved frame with 2-byte type field by hard coding
-  // variable length integer.
-  char in[payload_size + 4] = {// type 0xB + 0x1F*3
-                               0x40, 0x68,
-                               // length
-                               0x40 + 0x01, 0x00};
-  EXPECT_EQ(QUIC_ARRAYSIZE(in), decoder_.ProcessInput(in, QUIC_ARRAYSIZE(in)));
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnCancelPushFrame(CancelPushFrame({1})))
+      .WillOnce(Return(false));
+  EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
-  ASSERT_EQ("", decoder_.error_detail());
-  EXPECT_EQ(0xB + 0x1F * 3u, decoder_.current_frame_type());
-}
-
-TEST_F(HttpDecoderTest, CancelPush) {
-  char input[] = {// type (CANCEL_PUSH)
-                  0x03,
-                  // length
-                  0x1,
-                  // Push Id
-                  0x01};
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnCancelPushFrame(CancelPushFrame({1})));
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnCancelPushFrame(CancelPushFrame({1})));
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, PushPromiseFrame) {
-  char input[] = {// type (PUSH_PROMISE)
-                  0x05,
-                  // length
-                  0x8,
-                  // Push Id
-                  0x01,
-                  // Header Block
-                  'H', 'e', 'a', 'd', 'e', 'r', 's'};
+  InSequence s;
+  std::string input =
+      "\x05"      // type (PUSH_PROMISE)
+      "\x08"      // length
+      "\x01"      // Push Id
+      "Headers";  // Header Block
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1, Http3FrameLengths(2, 8)))
+      .WillOnce(Return(false));
+  QuicStringPiece remaining_input(input);
+  QuicByteCount processed_bytes =
+      ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(3u, processed_bytes);
+  remaining_input = remaining_input.substr(processed_bytes);
+
+  EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("Headers")))
+      .WillOnce(Return(false));
+  processed_bytes = ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(remaining_input.size(), processed_bytes);
+
+  EXPECT_CALL(visitor_, OnPushPromiseFrameEnd()).WillOnce(Return(false));
+  EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
-  InSequence s;
-  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1));
+  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1, Http3FrameLengths(2, 8)));
   EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("Headers")));
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
-  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1));
+  // Process the frame incrementally.
+  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1, Http3FrameLengths(2, 8)));
   EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("H")));
   EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("e")));
   EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("a")));
@@ -204,73 +245,74 @@ TEST_F(HttpDecoderTest, PushPromiseFrame) {
   EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("r")));
   EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("s")));
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, MaxPushId) {
-  char input[] = {// type (MAX_PUSH_ID)
-                  0x0D,
-                  // length
-                  0x1,
-                  // Push Id
-                  0x01};
+  InSequence s;
+  std::string input =
+      "\x0D"   // type (MAX_PUSH_ID)
+      "\x01"   // length
+      "\x01";  // Push Id
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnMaxPushIdFrame(MaxPushIdFrame({1})))
+      .WillOnce(Return(false));
+  EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnMaxPushIdFrame(MaxPushIdFrame({1})));
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnMaxPushIdFrame(MaxPushIdFrame({1})));
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, DuplicatePush) {
-  char input[] = {// type (DUPLICATE_PUSH)
-                  0x0E,
-                  // length
-                  0x1,
-                  // Push Id
-                  0x01};
+  InSequence s;
+  std::string input =
+      "\x0E"   // type (DUPLICATE_PUSH)
+      "\x01"   // length
+      "\x01";  // Push Id
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnDuplicatePushFrame(DuplicatePushFrame({1})))
+      .WillOnce(Return(false));
+  EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
+
   // Process the full frame.
   EXPECT_CALL(visitor_, OnDuplicatePushFrame(DuplicatePushFrame({1})));
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnDuplicatePushFrame(DuplicatePushFrame({1})));
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, PriorityFrame) {
-  char input[] = {// type (PRIORITY)
-                  0x2,
-                  // length
-                  0x4,
-                  // request stream, request stream, exclusive
-                  0x01,
-                  // prioritized_element_id
-                  0x03,
-                  // element_dependency_id
-                  0x04,
-                  // weight
-                  0xFF};
+  InSequence s;
+  std::string input =
+      "\x02"   // type (PRIORITY)
+      "\x04"   // length
+      "\x08"   // request stream, request stream, exclusive
+      "\x03"   // prioritized_element_id
+      "\x04"   // element_dependency_id
+      "\xFF";  // weight
 
   PriorityFrame frame;
   frame.prioritized_type = REQUEST_STREAM;
@@ -280,88 +322,183 @@ TEST_F(HttpDecoderTest, PriorityFrame) {
   frame.element_dependency_id = 0x04;
   frame.weight = 0xFF;
 
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnPriorityFrameStart(Http3FrameLengths(2, 4)))
+      .WillOnce(Return(false));
+  QuicStringPiece remaining_input(input);
+  QuicByteCount processed_bytes =
+      ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(2u, processed_bytes);
+  remaining_input = remaining_input.substr(processed_bytes);
+
+  EXPECT_CALL(visitor_, OnPriorityFrame(frame)).WillOnce(Return(false));
+  processed_bytes = ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(remaining_input.size(), processed_bytes);
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
+
   // Process the full frame.
+  EXPECT_CALL(visitor_, OnPriorityFrameStart(Http3FrameLengths(2, 4)));
   EXPECT_CALL(visitor_, OnPriorityFrame(frame));
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  /*
-  // Process the frame incremently.
+  // Process the frame incrementally.
+  EXPECT_CALL(visitor_, OnPriorityFrameStart(Http3FrameLengths(2, 4)));
   EXPECT_CALL(visitor_, OnPriorityFrame(frame));
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
+
+  std::string input2 =
+      "\x02"   // type (PRIORITY)
+      "\x02"   // length
+      "\xf8"   // root of tree, root of tree, exclusive
+      "\xFF";  // weight
+  PriorityFrame frame2;
+  frame2.prioritized_type = ROOT_OF_TREE;
+  frame2.dependency_type = ROOT_OF_TREE;
+  frame2.exclusive = true;
+  frame2.weight = 0xFF;
+
+  EXPECT_CALL(visitor_, OnPriorityFrameStart(Http3FrameLengths(2, 2)));
+  EXPECT_CALL(visitor_, OnPriorityFrame(frame2));
+  EXPECT_EQ(input2.size(), ProcessInput(input2));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
-  */
+}
+
+// Regression test for https://crbug.com/981291 and https://crbug.com/981646.
+TEST_F(HttpDecoderTest, CorruptPriorityFrame) {
+  const char* const payload1 =
+      "\x01"   // request stream, request stream, exclusive
+      "\x03"   // prioritized_element_id
+      "\x04"   // element_dependency_id
+      "\xFF"   // weight
+      "\xFF";  // superfluous data
+  const char* const payload2 =
+      "\xf1"   // root of tree, root of tree, exclusive
+      "\xFF"   // weight
+      "\xFF";  // superfluous data
+  struct {
+    const char* const payload;
+    size_t payload_length;
+    const char* const error_message;
+  } kTestData[] = {
+      {payload1, 0, "Unable to read PRIORITY frame flags."},
+      {payload1, 1, "Unable to read prioritized_element_id."},
+      {payload1, 2, "Unable to read element_dependency_id."},
+      {payload1, 3, "Unable to read priority frame weight."},
+      {payload1, 5, "Superfluous data in priority frame."},
+      {payload2, 0, "Unable to read PRIORITY frame flags."},
+      {payload2, 1, "Unable to read priority frame weight."},
+      {payload2, 3, "Superfluous data in priority frame."},
+  };
+
+  for (const auto& test_data : kTestData) {
+    std::string input;
+    input.push_back(2u);  // type PRIORITY
+    input.push_back(test_data.payload_length);
+    size_t header_length = input.size();
+    input.append(test_data.payload, test_data.payload_length);
+
+    HttpDecoder decoder(&visitor_);
+    EXPECT_CALL(visitor_, OnPriorityFrameStart(Http3FrameLengths(
+                              header_length, test_data.payload_length)));
+
+    QuicByteCount processed_bytes =
+        decoder.ProcessInput(input.data(), input.size());
+    EXPECT_EQ(input.size(), processed_bytes);
+    EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder.error());
+    EXPECT_EQ(test_data.error_message, decoder.error_detail());
+  }
 }
 
 TEST_F(HttpDecoderTest, SettingsFrame) {
-  // clang-format off
-  char input[] = {
-      // type (SETTINGS)
-      0x04,
-      // length
-      0x07,
-      // identifier (SETTINGS_NUM_PLACEHOLDERS)
-      0x03,
-      // content
-      0x02,
-      // identifier (SETTINGS_MAX_HEADER_LIST_SIZE)
-      0x06,
-      // content
-      0x05,
-      // identifier (256 in variable length integer)
-      0x40 + 0x01,
-      0x00,
-      // content
-      0x04};
-  // clang-format on
+  InSequence s;
+  std::string input(
+      "\x04"      // type (SETTINGS)
+      "\x07"      // length
+      "\x03"      // identifier (SETTINGS_NUM_PLACEHOLDERS)
+      "\x02"      // content
+      "\x06"      // identifier (SETTINGS_MAX_HEADER_LIST_SIZE)
+      "\x05"      // content
+      "\x41\x00"  // identifier, encoded on 2 bytes (0x40), value is 256 (0x100)
+      "\x04",     // content
+      9);         // length of string
 
   SettingsFrame frame;
   frame.values[3] = 2;
   frame.values[6] = 5;
   frame.values[256] = 4;
 
+  // Visitor pauses processing.
+  QuicStringPiece remaining_input(input);
+  EXPECT_CALL(visitor_, OnSettingsFrameStart(Http3FrameLengths(2, 7)))
+      .WillOnce(Return(false));
+  QuicByteCount processed_bytes =
+      ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(2u, processed_bytes);
+  remaining_input = remaining_input.substr(processed_bytes);
+
+  EXPECT_CALL(visitor_, OnSettingsFrame(frame)).WillOnce(Return(false));
+  processed_bytes = ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(remaining_input.size(), processed_bytes);
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
+
   // Process the full frame.
   EXPECT_CALL(visitor_, OnSettingsFrameStart(Http3FrameLengths(2, 7)));
   EXPECT_CALL(visitor_, OnSettingsFrame(frame));
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnSettingsFrameStart(Http3FrameLengths(2, 7)));
   EXPECT_CALL(visitor_, OnSettingsFrame(frame));
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, DataFrame) {
-  char input[] = {// type (DATA)
-                  0x00,
-                  // length
-                  0x05,
-                  // data
-                  'D', 'a', 't', 'a', '!'};
+  InSequence s;
+  std::string input(
+      "\x00"    // type (DATA)
+      "\x05"    // length
+      "Data!",  // data
+      7);
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnDataFrameStart(Http3FrameLengths(2, 5)))
+      .WillOnce(Return(false));
+  QuicStringPiece remaining_input(input);
+  QuicByteCount processed_bytes =
+      ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(2u, processed_bytes);
+  remaining_input = remaining_input.substr(processed_bytes);
+
+  EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("Data!")))
+      .WillOnce(Return(false));
+  processed_bytes = ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(remaining_input.size(), processed_bytes);
+
+  EXPECT_CALL(visitor_, OnDataFrameEnd()).WillOnce(Return(false));
+  EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
-  InSequence s;
   EXPECT_CALL(visitor_, OnDataFrameStart(Http3FrameLengths(2, 5)));
   EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("Data!")));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnDataFrameStart(Http3FrameLengths(2, 5)));
   EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("D")));
   EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("a")));
@@ -369,14 +506,13 @@ TEST_F(HttpDecoderTest, DataFrame) {
   EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("a")));
   EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("!")));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, FrameHeaderPartialDelivery) {
+  InSequence s;
   // A large input that will occupy more than 1 byte in the length field.
   std::string input(2048, 'x');
   HttpEncoder encoder;
@@ -405,69 +541,96 @@ TEST_F(HttpDecoderTest, FrameHeaderPartialDelivery) {
 }
 
 TEST_F(HttpDecoderTest, PartialDeliveryOfLargeFrameType) {
-  // Use a reserved type that's more than 1 byte in VarInt62.
-  const uint8_t type = 0xB + 0x1F * 3;
-  std::unique_ptr<char[]> input;
-  QuicByteCount total_length = QuicDataWriter::GetVarInt62Len(0x00) +
-                               QuicDataWriter::GetVarInt62Len(type);
-  input.reset(new char[total_length]);
+  // Use a reserved type that takes four bytes as a varint.
+  const uint64_t frame_type = 0x1f * 0x222 + 0x21;
+  const QuicByteCount payload_length = 0;
+  const QuicByteCount total_length =
+      QuicDataWriter::GetVarInt62Len(frame_type) +
+      QuicDataWriter::GetVarInt62Len(payload_length);
+
+  auto input = QuicMakeUnique<char[]>(total_length);
   QuicDataWriter writer(total_length, input.get());
-  writer.WriteVarInt62(type);
-  writer.WriteVarInt62(0x00);
+  writer.WriteVarInt62(frame_type);
+  writer.WriteVarInt62(payload_length);
+
+  EXPECT_CALL(visitor_,
+              OnUnknownFrameStart(
+                  frame_type, Http3FrameLengths(total_length, payload_length)));
+  EXPECT_CALL(visitor_, OnUnknownFrameEnd());
 
   auto raw_input = input.get();
   for (uint64_t i = 0; i < total_length; ++i) {
     char c = raw_input[i];
     EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
   }
+
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
-  EXPECT_EQ(type, decoder_.current_frame_type());
+  EXPECT_EQ(frame_type, current_frame_type());
 }
 
 TEST_F(HttpDecoderTest, GoAway) {
-  char input[] = {// type (GOAWAY)
-                  0x07,
-                  // length
-                  0x1,
-                  // StreamId
-                  0x01};
+  InSequence s;
+  std::string input =
+      "\x07"   // type (GOAWAY)
+      "\x01"   // length
+      "\x01";  // StreamId
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnGoAwayFrame(GoAwayFrame({1})))
+      .WillOnce(Return(false));
+  EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnGoAwayFrame(GoAwayFrame({1})));
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnGoAwayFrame(GoAwayFrame({1})));
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, HeadersFrame) {
-  char input[] = {// type (HEADERS)
-                  0x01,
-                  // length
-                  0x07,
-                  // headers
-                  'H', 'e', 'a', 'd', 'e', 'r', 's'};
+  InSequence s;
+  std::string input =
+      "\x01"      // type (HEADERS)
+      "\x07"      // length
+      "Headers";  // headers
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnHeadersFrameStart(Http3FrameLengths(2, 7)))
+      .WillOnce(Return(false));
+  QuicStringPiece remaining_input(input);
+  QuicByteCount processed_bytes =
+      ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(2u, processed_bytes);
+  remaining_input = remaining_input.substr(processed_bytes);
+
+  EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("Headers")))
+      .WillOnce(Return(false));
+  processed_bytes = ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(remaining_input.size(), processed_bytes);
+
+  EXPECT_CALL(visitor_, OnHeadersFrameEnd()).WillOnce(Return(false));
+  EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
-  InSequence s;
   EXPECT_CALL(visitor_, OnHeadersFrameStart(Http3FrameLengths(2, 7)));
   EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("Headers")));
   EXPECT_CALL(visitor_, OnHeadersFrameEnd());
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnHeadersFrameStart(Http3FrameLengths(2, 7)));
   EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("H")));
   EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("e")));
@@ -477,90 +640,115 @@ TEST_F(HttpDecoderTest, HeadersFrame) {
   EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("r")));
   EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("s")));
   EXPECT_CALL(visitor_, OnHeadersFrameEnd());
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, EmptyDataFrame) {
-  char input[] = {0x00,   // type (DATA)
-                  0x00};  // length
+  InSequence s;
+  std::string input(
+      "\x00"   // type (DATA)
+      "\x00",  // length
+      2);
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnDataFrameStart(Http3FrameLengths(2, 0)))
+      .WillOnce(Return(false));
+  EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
+
+  EXPECT_CALL(visitor_, OnDataFrameEnd()).WillOnce(Return(false));
+  EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
-  InSequence s;
   EXPECT_CALL(visitor_, OnDataFrameStart(Http3FrameLengths(2, 0)));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnDataFrameStart(Http3FrameLengths(2, 0)));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, EmptyHeadersFrame) {
-  char input[] = {0x01,   // type (HEADERS)
-                  0x00};  // length
+  InSequence s;
+  std::string input(
+      "\x01"   // type (HEADERS)
+      "\x00",  // length
+      2);
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnHeadersFrameStart(Http3FrameLengths(2, 0)))
+      .WillOnce(Return(false));
+  EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
+
+  EXPECT_CALL(visitor_, OnHeadersFrameEnd()).WillOnce(Return(false));
+  EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
-  InSequence s;
   EXPECT_CALL(visitor_, OnHeadersFrameStart(Http3FrameLengths(2, 0)));
   EXPECT_CALL(visitor_, OnHeadersFrameEnd());
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
+  // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnHeadersFrameStart(Http3FrameLengths(2, 0)));
   EXPECT_CALL(visitor_, OnHeadersFrameEnd());
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, PushPromiseFrameNoHeaders) {
-  char input[] = {0x05,   // type (PUSH_PROMISE)
-                  0x01,   // length
-                  0x01};  // Push Id
+  InSequence s;
+  std::string input =
+      "\x05"   // type (PUSH_PROMISE)
+      "\x01"   // length
+      "\x01";  // Push Id
+
+  // Visitor pauses processing.
+  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1, Http3FrameLengths(2, 1)))
+      .WillOnce(Return(false));
+  EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
+
+  EXPECT_CALL(visitor_, OnPushPromiseFrameEnd()).WillOnce(Return(false));
+  EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
-  InSequence s;
-  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1));
+  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1, Http3FrameLengths(2, 1)));
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
-  EXPECT_EQ(QUIC_ARRAYSIZE(input),
-            decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(input.size(), ProcessInput(input));
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 
-  // Process the frame incremently.
-  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1));
+  // Process the frame incrementally.
+  EXPECT_CALL(visitor_, OnPushPromiseFrameStart(1, Http3FrameLengths(2, 1)));
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
-  for (char c : input) {
-    EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
-  }
+  ProcessInputCharByChar(input);
   EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, MalformedFrameWithOverlyLargePayload) {
-  char input[] = {0x03,   // type (CANCEL_PUSH)
-                  0x10,   // length
-                  0x15};  // malformed payload
+  std::string input =
+      "\x03"   // type (CANCEL_PUSH)
+      "\x10"   // length
+      "\x15";  // malformed payload
   // Process the full frame.
   EXPECT_CALL(visitor_, OnError(&decoder_));
-  EXPECT_EQ(0u, decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(2u, ProcessInput(input));
   EXPECT_EQ(QUIC_INTERNAL_ERROR, decoder_.error());
   EXPECT_EQ("Frame is too large", decoder_.error_detail());
 }
@@ -575,9 +763,44 @@ TEST_F(HttpDecoderTest, MalformedSettingsFrame) {
 
   writer.WriteStringPiece("Malformed payload");
   EXPECT_CALL(visitor_, OnError(&decoder_));
-  EXPECT_EQ(0u, decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(5u, decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
   EXPECT_EQ(QUIC_INTERNAL_ERROR, decoder_.error());
   EXPECT_EQ("Frame is too large", decoder_.error_detail());
 }
 
+TEST_F(HttpDecoderTest, HeadersPausedThenData) {
+  InSequence s;
+  std::string input(
+      "\x01"     // type (HEADERS)
+      "\x07"     // length
+      "Headers"  // headers
+      "\x00"     // type (DATA)
+      "\x05"     // length
+      "Data!",   // data
+      16);
+
+  // Visitor pauses processing, maybe because header decompression is blocked.
+  EXPECT_CALL(visitor_, OnHeadersFrameStart(Http3FrameLengths(2, 7)));
+  EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("Headers")));
+  EXPECT_CALL(visitor_, OnHeadersFrameEnd()).WillOnce(Return(false));
+  QuicStringPiece remaining_input(input);
+  QuicByteCount processed_bytes =
+      ProcessInputWithGarbageAppended(remaining_input);
+  EXPECT_EQ(9u, processed_bytes);
+  remaining_input = remaining_input.substr(processed_bytes);
+
+  // Process DATA frame.
+  EXPECT_CALL(visitor_, OnDataFrameStart(Http3FrameLengths(2, 5)));
+  EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("Data!")));
+  EXPECT_CALL(visitor_, OnDataFrameEnd());
+
+  processed_bytes = ProcessInput(remaining_input);
+  EXPECT_EQ(remaining_input.size(), processed_bytes);
+
+  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_EQ("", decoder_.error_detail());
+}
+
+}  // namespace test
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.cc b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.cc
index 01f9c10bea0..b97f7f79619 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.cc
@@ -2,13 +2,9 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <string>
-
 #include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
+
 #include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_fallthrough.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 
 namespace quic {
 
@@ -44,11 +40,6 @@ uint8_t SetPriorityFields(uint8_t num,
   }
 }
 
-// Length of the weight field of a priority frame.
-static const size_t kPriorityWeightLength = 1;
-// Length of a priority frame's first byte.
-static const size_t kPriorityFirstByteLength = 1;
-
 }  // namespace
 
 HttpEncoder::HttpEncoder() {}
@@ -100,8 +91,12 @@ QuicByteCount HttpEncoder::SerializePriorityFrame(
     std::unique_ptr<char[]>* output) {
   QuicByteCount payload_length =
       kPriorityFirstByteLength +
-      QuicDataWriter::GetVarInt62Len(priority.prioritized_element_id) +
-      QuicDataWriter::GetVarInt62Len(priority.element_dependency_id) +
+      (priority.prioritized_type == ROOT_OF_TREE
+           ? 0
+           : QuicDataWriter::GetVarInt62Len(priority.prioritized_element_id)) +
+      (priority.dependency_type == ROOT_OF_TREE
+           ? 0
+           : QuicDataWriter::GetVarInt62Len(priority.element_dependency_id)) +
       kPriorityWeightLength;
   QuicByteCount total_length =
       GetTotalLength(payload_length, HttpFrameType::PRIORITY);
@@ -116,16 +111,14 @@ QuicByteCount HttpEncoder::SerializePriorityFrame(
   }
 
   // Set the first byte of the payload.
-  uint8_t bits = 0;
-  bits = SetPriorityFields(bits, priority.prioritized_type, true);
-  bits = SetPriorityFields(bits, priority.dependency_type, false);
+  uint8_t firstByte = 0;
+  firstByte = SetPriorityFields(firstByte, priority.prioritized_type, true);
+  firstByte = SetPriorityFields(firstByte, priority.dependency_type, false);
   if (priority.exclusive) {
-    bits |= 1;
+    firstByte |= kPriorityExclusiveBit;
   }
 
-  if (writer.WriteUInt8(bits) &&
-      writer.WriteVarInt62(priority.prioritized_element_id) &&
-      writer.WriteVarInt62(priority.element_dependency_id) &&
+  if (writer.WriteUInt8(firstByte) && MaybeWriteIds(priority, &writer) &&
       writer.WriteUInt8(priority.weight)) {
     return total_length;
   }
@@ -287,4 +280,27 @@ QuicByteCount HttpEncoder::GetTotalLength(QuicByteCount payload_length,
          payload_length;
 }
 
+bool HttpEncoder::MaybeWriteIds(const PriorityFrame& priority,
+                                QuicDataWriter* writer) {
+  if (priority.prioritized_type != ROOT_OF_TREE) {
+    if (!writer->WriteVarInt62(priority.prioritized_element_id)) {
+      return false;
+    }
+  } else {
+    DCHECK_EQ(0u, priority.prioritized_element_id)
+        << "Prioritized element id should be 0 when prioritized type is "
+           "ROOT_OF_TREE";
+  }
+  if (priority.dependency_type != ROOT_OF_TREE) {
+    if (!writer->WriteVarInt62(priority.element_dependency_id)) {
+      return false;
+    }
+  } else {
+    DCHECK_EQ(0u, priority.element_dependency_id)
+        << "Element dependency id should be 0 when dependency type is "
+           "ROOT_OF_TREE";
+  }
+  return true;
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.h b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.h
index 6691e315700..12c5bab56c2 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.h
@@ -5,12 +5,9 @@
 #ifndef QUICHE_QUIC_CORE_HTTP_HTTP_ENCODER_H_
 #define QUICHE_QUIC_CORE_HTTP_HTTP_ENCODER_H_
 
-#include <cstddef>
-
 #include "net/third_party/quiche/src/quic/core/http/http_frames.h"
 #include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
 namespace quic {
 
@@ -79,6 +76,9 @@ class QUIC_EXPORT_PRIVATE HttpEncoder {
 
   QuicByteCount GetTotalLength(QuicByteCount payload_length,
                                HttpFrameType type);
+
+  // Write prioritized element id and element dependency id if needed.
+  bool MaybeWriteIds(const PriorityFrame& priority, QuicDataWriter* writer);
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder_test.cc
index 1ff5d8984c0..eb5e5745ac9 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder_test.cc
@@ -2,9 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <string>
-
 #include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
+
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
@@ -57,7 +56,7 @@ TEST_F(HttpEncoderTest, SerializePriorityFrame) {
                    // length
                    0x4,
                    // request stream, request stream, exclusive
-                   0x01,
+                   0x08,
                    // prioritized_element_id
                    0x03,
                    // element_dependency_id
@@ -70,6 +69,45 @@ TEST_F(HttpEncoderTest, SerializePriorityFrame) {
   EXPECT_EQ(QUIC_ARRAYSIZE(output), length);
   CompareCharArraysWithHexError("PRIORITY", buffer.get(), length, output,
                                 QUIC_ARRAYSIZE(output));
+
+  PriorityFrame priority2;
+  priority2.prioritized_type = ROOT_OF_TREE;
+  priority2.dependency_type = REQUEST_STREAM;
+  priority2.exclusive = true;
+  priority2.element_dependency_id = 0x04;
+  priority2.weight = 0xFF;
+  char output2[] = {// type (PRIORIRTY)
+                    0x2,
+                    // length
+                    0x3,
+                    // root of tree, request stream, exclusive
+                    0xc8,
+                    // element_dependency_id
+                    0x04,
+                    // weight
+                    0xff};
+  length = encoder_.SerializePriorityFrame(priority2, &buffer);
+  EXPECT_EQ(QUIC_ARRAYSIZE(output2), length);
+  CompareCharArraysWithHexError("PRIORITY", buffer.get(), length, output2,
+                                QUIC_ARRAYSIZE(output2));
+
+  PriorityFrame priority3;
+  priority3.prioritized_type = ROOT_OF_TREE;
+  priority3.dependency_type = ROOT_OF_TREE;
+  priority3.exclusive = true;
+  priority3.weight = 0xFF;
+  char output3[] = {// type (PRIORITY)
+                    0x2,
+                    // length
+                    0x2,
+                    // root of tree, root of tree, exclusive
+                    0xf8,
+                    // weight
+                    0xff};
+  length = encoder_.SerializePriorityFrame(priority3, &buffer);
+  EXPECT_EQ(QUIC_ARRAYSIZE(output3), length);
+  CompareCharArraysWithHexError("PRIORITY", buffer.get(), length, output3,
+                                QUIC_ARRAYSIZE(output3));
 }
 
 TEST_F(HttpEncoderTest, SerializeCancelPushFrame) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_frames.h b/chromium/net/third_party/quiche/src/quic/core/http/http_frames.h
index f1aa7ff81f2..ced203258ec 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_frames.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_frames.h
@@ -5,10 +5,14 @@
 #ifndef QUICHE_QUIC_CORE_HTTP_HTTP_FRAMES_H_
 #define QUICHE_QUIC_CORE_HTTP_HTTP_FRAMES_H_
 
+#include <cstdint>
 #include <map>
+#include <ostream>
 
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_utils.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_framer.h"
 
 namespace quic {
@@ -45,7 +49,15 @@ struct HeadersFrame {
 //
 //   The PRIORITY (type=0x02) frame specifies the sender-advised priority
 //   of a stream
-enum PriorityElementType {
+
+// Length of the weight field of a priority frame.
+const QuicByteCount kPriorityWeightLength = 1;
+// Length of a priority frame's first byte.
+const QuicByteCount kPriorityFirstByteLength = 1;
+// The bit that indicates Priority frame is exclusive.
+const uint8_t kPriorityExclusiveBit = 8;
+
+enum PriorityElementType : uint8_t {
   REQUEST_STREAM = 0,
   PUSH_STREAM = 1,
   PLACEHOLDER = 2,
@@ -53,12 +65,12 @@ enum PriorityElementType {
 };
 
 struct PriorityFrame {
-  PriorityElementType prioritized_type;
-  PriorityElementType dependency_type;
-  bool exclusive;
-  uint64_t prioritized_element_id;
-  uint64_t element_dependency_id;
-  uint8_t weight;
+  PriorityElementType prioritized_type = REQUEST_STREAM;
+  PriorityElementType dependency_type = REQUEST_STREAM;
+  bool exclusive = false;
+  uint64_t prioritized_element_id = 0;
+  uint64_t element_dependency_id = 0;
+  uint8_t weight = 0;
 
   bool operator==(const PriorityFrame& rhs) const {
     return prioritized_type == rhs.prioritized_type &&
@@ -68,6 +80,20 @@ struct PriorityFrame {
            element_dependency_id == rhs.element_dependency_id &&
            weight == rhs.weight;
   }
+  std::string ToString() const {
+    return QuicStrCat("Priority Frame : {prioritized_type: ", prioritized_type,
+                      ", dependency_type: ", dependency_type,
+                      ", exclusive: ", exclusive,
+                      ", prioritized_element_id: ", prioritized_element_id,
+                      ", element_dependency_id: ", element_dependency_id,
+                      ", weight: ", weight, "}");
+  }
+
+  friend QUIC_EXPORT_PRIVATE std::ostream& operator<<(std::ostream& os,
+                                                      const PriorityFrame& s) {
+    os << s.ToString();
+    return os;
+  }
 };
 
 // 4.2.4.  CANCEL_PUSH
@@ -98,6 +124,21 @@ struct SettingsFrame {
   bool operator==(const SettingsFrame& rhs) const {
     return values == rhs.values;
   }
+
+  std::string ToString() const {
+    std::string s;
+    for (auto it : values) {
+      std::string setting =
+          QuicStrCat("[id->", it.first, " | value->", it.second, "] ");
+      QuicStrAppend(&s, setting);
+    }
+    return s;
+  }
+  friend QUIC_EXPORT_PRIVATE std::ostream& operator<<(std::ostream& os,
+                                                      const SettingsFrame& s) {
+    os << s.ToString();
+    return os;
+  }
 };
 
 // 4.2.6.  PUSH_PROMISE
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info.cc
index 8b549692e4c..6af35d532da 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info.cc
@@ -7,7 +7,7 @@
 #include <string>
 #include <utility>
 
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
@@ -56,14 +56,14 @@ bool QuicClientPromisedInfo::OnPromiseHeaders(const SpdyHeaderBlock& headers) {
     Reset(QUIC_INVALID_PROMISE_METHOD);
     return false;
   }
-  if (!SpdyUtils::PromisedUrlIsValid(headers)) {
+  if (!SpdyServerPushUtils::PromisedUrlIsValid(headers)) {
     QUIC_DVLOG(1) << "Promise for stream " << id_ << " has invalid URL "
                   << url_;
     Reset(QUIC_INVALID_PROMISE_URL);
     return false;
   }
   if (!session_->IsAuthorized(
-          SpdyUtils::GetPromisedHostNameFromHeaders(headers))) {
+          SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers))) {
     Reset(QUIC_UNAUTHORIZED_PROMISE_URL);
     return false;
   }
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info_test.cc
index 104c049e87e..cd54dde4c9d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info_test.cc
@@ -8,9 +8,8 @@
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
@@ -40,15 +39,14 @@ class MockQuicSpdyClientSession : public QuicSpdyClientSession {
                               QuicServerId("example.com", 443, false),
                               &crypto_config_,
                               push_promise_index),
-        crypto_config_(crypto_test_utils::ProofVerifierForTesting(),
-                       TlsClientHandshaker::CreateSslCtx()),
+        crypto_config_(crypto_test_utils::ProofVerifierForTesting()),
         authorized_(true) {}
   MockQuicSpdyClientSession(const MockQuicSpdyClientSession&) = delete;
   MockQuicSpdyClientSession& operator=(const MockQuicSpdyClientSession&) =
       delete;
   ~MockQuicSpdyClientSession() override {}
 
-  bool IsAuthorized(const std::string& authority) override {
+  bool IsAuthorized(const std::string& /*authority*/) override {
     return authorized_;
   }
 
@@ -95,7 +93,8 @@ class QuicClientPromisedInfoTest : public QuicTest {
     push_promise_[":method"] = "GET";
     push_promise_[":scheme"] = "https";
 
-    promise_url_ = SpdyUtils::GetPromisedUrlFromHeaders(push_promise_);
+    promise_url_ =
+        SpdyServerPushUtils::GetPromisedUrlFromHeaders(push_promise_);
 
     client_request_ = push_promise_.Clone();
     promise_id_ = GetNthServerInitiatedUnidirectionalStreamId(
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index.cc
index 0f11af40ba3..877525a31e5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index.cc
@@ -7,7 +7,7 @@
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/http/quic_client_promised_info.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 
 using spdy::SpdyHeaderBlock;
 
@@ -32,7 +32,7 @@ QuicAsyncStatus QuicClientPushPromiseIndex::Try(
     const spdy::SpdyHeaderBlock& request,
     QuicClientPushPromiseIndex::Delegate* delegate,
     TryHandle** handle) {
-  std::string url(SpdyUtils::GetPromisedUrlFromHeaders(request));
+  std::string url(SpdyServerPushUtils::GetPromisedUrlFromHeaders(request));
   auto it = promised_by_url_.find(url);
   if (it != promised_by_url_.end()) {
     QuicClientPromisedInfo* promised = it->second;
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index_test.cc
index c12a3285af8..933ef6bb808 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index_test.cc
@@ -7,8 +7,7 @@
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_quic_client_promised_info.h"
@@ -35,8 +34,7 @@ class MockQuicSpdyClientSession : public QuicSpdyClientSession {
                               QuicServerId("example.com", 443, false),
                               &crypto_config_,
                               push_promise_index),
-        crypto_config_(crypto_test_utils::ProofVerifierForTesting(),
-                       TlsClientHandshaker::CreateSslCtx()) {}
+        crypto_config_(crypto_test_utils::ProofVerifierForTesting()) {}
   MockQuicSpdyClientSession(const MockQuicSpdyClientSession&) = delete;
   MockQuicSpdyClientSession& operator=(const MockQuicSpdyClientSession&) =
       delete;
@@ -65,7 +63,7 @@ class QuicClientPushPromiseIndexTest : public QuicTest {
     request_[":version"] = "HTTP/1.1";
     request_[":method"] = "GET";
     request_[":scheme"] = "https";
-    url_ = SpdyUtils::GetPromisedUrlFromHeaders(request_);
+    url_ = SpdyServerPushUtils::GetPromisedUrlFromHeaders(request_);
   }
 
   MockQuicConnectionHelper helper_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_headers_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_headers_stream_test.cc
index a41235fbc31..ebfa6cc7e3a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_headers_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_headers_stream_test.cc
@@ -144,14 +144,20 @@ class MockVisitor : public SpdyFramerVisitorInterface {
 struct TestParams {
   TestParams(const ParsedQuicVersion& version, Perspective perspective)
       : version(version), perspective(perspective) {
-    QUIC_LOG(INFO) << "TestParams: version: "
-                   << ParsedQuicVersionToString(version)
-                   << ", perspective: " << perspective;
+    QUIC_LOG(INFO) << "TestParams:  " << *this;
   }
 
   TestParams(const TestParams& other)
       : version(other.version), perspective(other.perspective) {}
 
+  friend std::ostream& operator<<(std::ostream& os, const TestParams& tp) {
+    os << "{ version: " << ParsedQuicVersionToString(tp.version)
+       << ", perspective: "
+       << (tp.perspective == Perspective::IS_CLIENT ? "client" : "server")
+       << "}";
+    return os;
+  }
+
   ParsedQuicVersion version;
   Perspective perspective;
 };
@@ -182,6 +188,7 @@ class QuicHeadersStreamTest : public QuicTestWithParam<TestParams> {
             /*offset=*/0,
             ""),
         next_promised_stream_id_(2) {
+    QuicSpdySessionPeer::SetMaxInboundHeaderListSize(&session_, 256 * 1024);
     session_.Initialize();
     headers_stream_ = QuicSpdySessionPeer::GetHeadersStream(&session_);
     headers_[":version"] = "HTTP/1.1";
@@ -390,6 +397,9 @@ TEST_P(QuicHeadersStreamTest, WriteHeaders) {
 }
 
 TEST_P(QuicHeadersStreamTest, WritePushPromises) {
+  if (GetParam().version.DoesNotHaveHeadersStream()) {
+    return;
+  }
   for (QuicStreamId stream_id = client_id_1_; stream_id < client_id_3_;
        stream_id += next_stream_id_) {
     QuicStreamId promised_stream_id = NextPromisedStreamId();
@@ -461,6 +471,9 @@ TEST_P(QuicHeadersStreamTest, ProcessRawData) {
 }
 
 TEST_P(QuicHeadersStreamTest, ProcessPushPromise) {
+  if (GetParam().version.DoesNotHaveHeadersStream()) {
+    return;
+  }
   if (perspective() == Perspective::IS_SERVER) {
     return;
   }
@@ -470,6 +483,7 @@ TEST_P(QuicHeadersStreamTest, ProcessPushPromise) {
     SpdyPushPromiseIR push_promise(stream_id, promised_stream_id,
                                    headers_.Clone());
     SpdySerializedFrame frame(framer_->SerializeFrame(push_promise));
+    bool connection_closed = false;
     if (perspective() == Perspective::IS_SERVER) {
       EXPECT_CALL(*connection_,
                   CloseConnection(QUIC_INVALID_HEADERS_STREAM_DATA,
@@ -477,6 +491,8 @@ TEST_P(QuicHeadersStreamTest, ProcessPushPromise) {
           .WillRepeatedly(InvokeWithoutArgs(
               this, &QuicHeadersStreamTest::TearDownLocalConnectionState));
     } else {
+      ON_CALL(*connection_, CloseConnection(_, _, _))
+          .WillByDefault(testing::Assign(&connection_closed, true));
       EXPECT_CALL(session_, OnPromiseHeaderList(stream_id, promised_stream_id,
                                                 frame.size(), _))
           .WillOnce(
@@ -487,12 +503,18 @@ TEST_P(QuicHeadersStreamTest, ProcessPushPromise) {
     headers_stream_->OnStreamFrame(stream_frame_);
     if (perspective() == Perspective::IS_CLIENT) {
       stream_frame_.offset += frame.size();
+      // CheckHeaders crashes if the connection is closed so this ensures we
+      // fail the test instead of crashing.
+      ASSERT_FALSE(connection_closed);
       CheckHeaders();
     }
   }
 }
 
 TEST_P(QuicHeadersStreamTest, ProcessPriorityFrame) {
+  if (GetParam().version.DoesNotHaveHeadersStream()) {
+    return;
+  }
   QuicStreamId parent_stream_id = 0;
   for (SpdyPriority priority = 0; priority < 7; ++priority) {
     for (QuicStreamId stream_id = client_id_1_; stream_id < client_id_3_;
@@ -548,7 +570,6 @@ TEST_P(QuicHeadersStreamTest, ProcessLargeRawData) {
     return;
   }
 
-  QuicSpdySessionPeer::SetMaxUncompressedHeaderBytes(&session_, 256 * 1024);
   // We want to create a frame that is more than the SPDY Framer's max control
   // frame size, which is 16K, but less than the HPACK decoders max decode
   // buffer size, which is 32K.
@@ -984,6 +1005,22 @@ TEST_P(QuicHeadersStreamTest, HeadersGetAckedMultipleTimes) {
   EXPECT_EQ(17u, newly_acked_length);
 }
 
+TEST_P(QuicHeadersStreamTest, CloseOnPushPromiseToServer) {
+  if (perspective() == Perspective::IS_CLIENT) {
+    return;
+  }
+  QuicStreamId promised_id = 1;
+  SpdyPushPromiseIR push_promise(client_id_1_, promised_id, headers_.Clone());
+  SpdySerializedFrame frame = framer_->SerializeFrame(push_promise);
+  stream_frame_.data_buffer = frame.data();
+  stream_frame_.data_length = frame.size();
+  EXPECT_CALL(session_, OnStreamHeaderList(_, _, _, _));
+  // TODO(lassey): Check for HTTP_WRONG_STREAM error code.
+  EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_HEADERS_STREAM_DATA,
+                                            "PUSH_PROMISE not supported.", _));
+  headers_stream_->OnStreamFrame(stream_frame_);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.cc
index b53d4e9e1a2..93fae3a0111 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.cc
@@ -1,19 +1,16 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h"
 
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
+#include "net/third_party/quiche/src/quic/core/http/http_decoder.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_session.h"
-#include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 
 namespace quic {
 
-const uint16_t kSettingsMaxHeaderListSize = 6;
-const uint16_t kSettingsNumPlaceholders = 8;
-
 // Visitor of HttpDecoder that passes data frame to QuicSpdyStream and closes
 // the connection on unexpected frames.
 class QuicReceiveControlStream::HttpDecoderVisitor
@@ -24,70 +21,120 @@ class QuicReceiveControlStream::HttpDecoderVisitor
   HttpDecoderVisitor(const HttpDecoderVisitor&) = delete;
   HttpDecoderVisitor& operator=(const HttpDecoderVisitor&) = delete;
 
-  void OnError(HttpDecoder* decoder) override {
+  void OnError(HttpDecoder* /*decoder*/) override {
     stream_->session()->connection()->CloseConnection(
         QUIC_HTTP_DECODER_ERROR, "Http decoder internal error",
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
   }
 
-  void OnPriorityFrame(const PriorityFrame& frame) override {
-    CloseConnectionOnWrongFrame("Priority");
+  bool OnPriorityFrameStart(Http3FrameLengths frame_lengths) override {
+    if (stream_->session()->perspective() == Perspective::IS_CLIENT) {
+      stream_->session()->connection()->CloseConnection(
+          QUIC_HTTP_DECODER_ERROR, "Server must not send Priority frames.",
+          ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+      return false;
+    }
+    return stream_->OnPriorityFrameStart(frame_lengths);
   }
 
-  void OnCancelPushFrame(const CancelPushFrame& frame) override {
+  bool OnPriorityFrame(const PriorityFrame& frame) override {
+    if (stream_->session()->perspective() == Perspective::IS_CLIENT) {
+      stream_->session()->connection()->CloseConnection(
+          QUIC_HTTP_DECODER_ERROR, "Server must not send Priority frames.",
+          ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+      return false;
+    }
+    return stream_->OnPriorityFrame(frame);
+  }
+
+  bool OnCancelPushFrame(const CancelPushFrame& /*frame*/) override {
     CloseConnectionOnWrongFrame("Cancel Push");
+    return false;
   }
 
-  void OnMaxPushIdFrame(const MaxPushIdFrame& frame) override {
+  bool OnMaxPushIdFrame(const MaxPushIdFrame& /*frame*/) override {
     CloseConnectionOnWrongFrame("Max Push Id");
+    return false;
   }
 
-  void OnGoAwayFrame(const GoAwayFrame& frame) override {
+  bool OnGoAwayFrame(const GoAwayFrame& /*frame*/) override {
     CloseConnectionOnWrongFrame("Goaway");
+    return false;
   }
 
-  void OnSettingsFrameStart(Http3FrameLengths frame_lengths) override {
-    stream_->OnSettingsFrameStart(frame_lengths);
+  bool OnSettingsFrameStart(Http3FrameLengths frame_lengths) override {
+    return stream_->OnSettingsFrameStart(frame_lengths);
   }
 
-  void OnSettingsFrame(const SettingsFrame& frame) override {
-    stream_->OnSettingsFrame(frame);
+  bool OnSettingsFrame(const SettingsFrame& frame) override {
+    return stream_->OnSettingsFrame(frame);
   }
 
-  void OnDuplicatePushFrame(const DuplicatePushFrame& frame) override {
+  bool OnDuplicatePushFrame(const DuplicatePushFrame& /*frame*/) override {
     CloseConnectionOnWrongFrame("Duplicate Push");
+    return false;
   }
 
-  void OnDataFrameStart(Http3FrameLengths frame_lengths) override {
+  bool OnDataFrameStart(Http3FrameLengths /*frame_lengths*/) override {
     CloseConnectionOnWrongFrame("Data");
+    return false;
   }
 
-  void OnDataFramePayload(QuicStringPiece payload) override {
+  bool OnDataFramePayload(QuicStringPiece /*payload*/) override {
     CloseConnectionOnWrongFrame("Data");
+    return false;
   }
 
-  void OnDataFrameEnd() override { CloseConnectionOnWrongFrame("Data"); }
+  bool OnDataFrameEnd() override {
+    CloseConnectionOnWrongFrame("Data");
+    return false;
+  }
 
-  void OnHeadersFrameStart(Http3FrameLengths frame_length) override {
+  bool OnHeadersFrameStart(Http3FrameLengths /*frame_length*/) override {
     CloseConnectionOnWrongFrame("Headers");
+    return false;
   }
 
-  void OnHeadersFramePayload(QuicStringPiece payload) override {
+  bool OnHeadersFramePayload(QuicStringPiece /*payload*/) override {
     CloseConnectionOnWrongFrame("Headers");
+    return false;
   }
 
-  void OnHeadersFrameEnd() override { CloseConnectionOnWrongFrame("Headers"); }
+  bool OnHeadersFrameEnd() override {
+    CloseConnectionOnWrongFrame("Headers");
+    return false;
+  }
 
-  void OnPushPromiseFrameStart(PushId push_id) override {
+  bool OnPushPromiseFrameStart(PushId /*push_id*/,
+                               Http3FrameLengths /*frame_length*/) override {
     CloseConnectionOnWrongFrame("Push Promise");
+    return false;
   }
 
-  void OnPushPromiseFramePayload(QuicStringPiece payload) override {
+  bool OnPushPromiseFramePayload(QuicStringPiece /*payload*/) override {
     CloseConnectionOnWrongFrame("Push Promise");
+    return false;
   }
 
-  void OnPushPromiseFrameEnd() override {
+  bool OnPushPromiseFrameEnd() override {
     CloseConnectionOnWrongFrame("Push Promise");
+    return false;
+  }
+
+  bool OnUnknownFrameStart(uint64_t /* frame_type */,
+                           Http3FrameLengths /* frame_length */) override {
+    // Ignore unknown frame types.
+    return true;
+  }
+
+  bool OnUnknownFramePayload(QuicStringPiece /* payload */) override {
+    // Ignore unknown frame types.
+    return true;
+  }
+
+  bool OnUnknownFrameEnd() override {
+    // Ignore unknown frame types.
+    return true;
   }
 
  private:
@@ -102,26 +149,18 @@ class QuicReceiveControlStream::HttpDecoderVisitor
   QuicReceiveControlStream* stream_;
 };
 
-QuicReceiveControlStream::QuicReceiveControlStream(QuicStreamId id,
-                                                   QuicSpdySession* session)
-    : QuicStream(id, session, /*is_static = */ true, READ_UNIDIRECTIONAL),
-      received_settings_length_(0),
-      http_decoder_visitor_(new HttpDecoderVisitor(this)) {
-  decoder_.set_visitor(http_decoder_visitor_.get());
-  sequencer()->set_level_triggered(true);
-}
-
-QuicReceiveControlStream::QuicReceiveControlStream(PendingStream pending)
-    : QuicStream(std::move(pending), READ_UNIDIRECTIONAL, /*is_static=*/true),
-      received_settings_length_(0),
-      http_decoder_visitor_(new HttpDecoderVisitor(this)) {
-  decoder_.set_visitor(http_decoder_visitor_.get());
+QuicReceiveControlStream::QuicReceiveControlStream(PendingStream* pending)
+    : QuicStream(pending, READ_UNIDIRECTIONAL, /*is_static=*/true),
+      settings_frame_received_(false),
+      http_decoder_visitor_(QuicMakeUnique<HttpDecoderVisitor>(this)),
+      decoder_(http_decoder_visitor_.get()) {
   sequencer()->set_level_triggered(true);
 }
 
 QuicReceiveControlStream::~QuicReceiveControlStream() {}
 
-void QuicReceiveControlStream::OnStreamReset(const QuicRstStreamFrame& frame) {
+void QuicReceiveControlStream::OnStreamReset(
+    const QuicRstStreamFrame& /*frame*/) {
   // TODO(renjietang) Change the error code to H/3 specific
   // HTTP_CLOSED_CRITICAL_STREAM.
   session()->connection()->CloseConnection(
@@ -131,32 +170,48 @@ void QuicReceiveControlStream::OnStreamReset(const QuicRstStreamFrame& frame) {
 
 void QuicReceiveControlStream::OnDataAvailable() {
   iovec iov;
-  while (!reading_stopped() && sequencer()->PrefetchNextRegion(&iov)) {
-    decoder_.ProcessInput(reinterpret_cast<const char*>(iov.iov_base),
-                          iov.iov_len);
+  while (!reading_stopped() && decoder_.error() == QUIC_NO_ERROR &&
+         sequencer()->GetReadableRegion(&iov)) {
+    DCHECK(!sequencer()->IsClosed());
+
+    QuicByteCount processed_bytes = decoder_.ProcessInput(
+        reinterpret_cast<const char*>(iov.iov_base), iov.iov_len);
+    sequencer()->MarkConsumed(processed_bytes);
+
+    if (!session()->connection()->connected()) {
+      return;
+    }
+
+    // The only reason QuicReceiveControlStream pauses HttpDecoder is an error,
+    // in which case the connection would have already been closed.
+    DCHECK_EQ(iov.iov_len, processed_bytes);
   }
 }
 
-void QuicReceiveControlStream::OnSettingsFrameStart(
-    Http3FrameLengths frame_lengths) {
-  if (received_settings_length_ != 0) {
+bool QuicReceiveControlStream::OnSettingsFrameStart(
+    Http3FrameLengths /* frame_lengths */) {
+  if (settings_frame_received_) {
     // TODO(renjietang): Change error code to HTTP_UNEXPECTED_FRAME.
     session()->connection()->CloseConnection(
         QUIC_INVALID_STREAM_ID, "Settings frames are received twice.",
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return;
+    return false;
   }
-  received_settings_length_ +=
-      frame_lengths.header_length + frame_lengths.payload_length;
+
+  settings_frame_received_ = true;
+
+  return true;
 }
 
-void QuicReceiveControlStream::OnSettingsFrame(const SettingsFrame& settings) {
+bool QuicReceiveControlStream::OnSettingsFrame(const SettingsFrame& settings) {
+  QUIC_DVLOG(1) << "Control Stream " << id()
+                << " received settings frame: " << settings;
   QuicSpdySession* spdy_session = static_cast<QuicSpdySession*>(session());
   for (auto& it : settings.values) {
-    uint16_t setting_id = it.first;
+    uint64_t setting_id = it.first;
     switch (setting_id) {
       case kSettingsMaxHeaderListSize:
-        spdy_session->set_max_inbound_header_list_size(it.second);
+        spdy_session->set_max_outbound_header_list_size(it.second);
         break;
       case kSettingsNumPlaceholders:
         // TODO: Support placeholder setting
@@ -165,7 +220,26 @@ void QuicReceiveControlStream::OnSettingsFrame(const SettingsFrame& settings) {
         break;
     }
   }
-  sequencer()->MarkConsumed(received_settings_length_);
+  return true;
+}
+
+bool QuicReceiveControlStream::OnPriorityFrameStart(
+    Http3FrameLengths /* frame_lengths */) {
+  DCHECK_EQ(Perspective::IS_SERVER, session()->perspective());
+  return true;
+}
+
+bool QuicReceiveControlStream::OnPriorityFrame(const PriorityFrame& priority) {
+  DCHECK_EQ(Perspective::IS_SERVER, session()->perspective());
+  QuicStream* stream =
+      session()->GetOrCreateStream(priority.prioritized_element_id);
+  // It's possible that the client sends a Priority frame for a request stream
+  // that the server is not permitted to open. In that case, simply drop the
+  // frame.
+  if (stream) {
+    stream->SetPriority(priority.weight);
+  }
+  return true;
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h
index 61e4299e118..f83b980b8b4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,12 +17,7 @@ class QuicSpdySession;
 // The receive control stream is peer initiated and is read only.
 class QUIC_EXPORT_PRIVATE QuicReceiveControlStream : public QuicStream {
  public:
-  // |session| can't be nullptr, and the ownership is not passed. The stream can
-  // only be accessed through the session.
-  explicit QuicReceiveControlStream(QuicStreamId id, QuicSpdySession* session);
-  // Construct control stream from pending stream, the |pending| object will no
-  // longer exist after the construction.
-  explicit QuicReceiveControlStream(PendingStream pending);
+  explicit QuicReceiveControlStream(PendingStream* pending);
   QuicReceiveControlStream(const QuicReceiveControlStream&) = delete;
   QuicReceiveControlStream& operator=(const QuicReceiveControlStream&) = delete;
   ~QuicReceiveControlStream() override;
@@ -34,21 +29,24 @@ class QUIC_EXPORT_PRIVATE QuicReceiveControlStream : public QuicStream {
   // Implementation of QuicStream.
   void OnDataAvailable() override;
 
- protected:
-  // Called from HttpDecoderVisitor.
-  void OnSettingsFrameStart(Http3FrameLengths frame_lengths);
-  void OnSettingsFrame(const SettingsFrame& settings);
+  void SetUnblocked() { sequencer()->SetUnblocked(); }
 
  private:
   class HttpDecoderVisitor;
 
-  HttpDecoder decoder_;
+  // Called from HttpDecoderVisitor.
+  bool OnSettingsFrameStart(Http3FrameLengths frame_lengths);
+  bool OnSettingsFrame(const SettingsFrame& settings);
+  bool OnPriorityFrameStart(Http3FrameLengths frame_lengths);
+  // TODO(renjietang): Decode Priority in HTTP/3 style.
+  bool OnPriorityFrame(const PriorityFrame& priority);
 
-  // Track the number of settings bytes received.
-  size_t received_settings_length_;
+  // False until a SETTINGS frame is received.
+  bool settings_frame_received_;
 
-  // HttpDecoder's visitor.
+  // HttpDecoder and its visitor.
   std::unique_ptr<HttpDecoderVisitor> http_decoder_visitor_;
+  HttpDecoder decoder_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream_test.cc
index 73e8fedabd2..aaf60e9770e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream_test.cc
@@ -1,35 +1,24 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h"
 
-#include <cstdint>
-#include <ostream>
-#include <utility>
-#include <vector>
-
-#include "net/third_party/quiche/src/quic/core/http/http_decoder.h"
-#include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_stream_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
 namespace quic {
 namespace test {
 
 namespace {
-using testing::_;
-using testing::StrictMock;
+using ::testing::_;
+using ::testing::AtLeast;
+using ::testing::StrictMock;
 
 struct TestParams {
   TestParams(const ParsedQuicVersion& version, Perspective perspective)
@@ -60,6 +49,15 @@ std::vector<TestParams> GetTestParams() {
   return params;
 }
 
+class TestStream : public QuicSpdyStream {
+ public:
+  TestStream(QuicStreamId id, QuicSpdySession* session)
+      : QuicSpdyStream(id, session, BIDIRECTIONAL) {}
+  ~TestStream() override = default;
+
+  void OnBodyAvailable() override {}
+};
+
 class QuicReceiveControlStreamTest : public QuicTestWithParam<TestParams> {
  public:
   QuicReceiveControlStreamTest()
@@ -70,12 +68,17 @@ class QuicReceiveControlStreamTest : public QuicTestWithParam<TestParams> {
             SupportedVersions(GetParam().version))),
         session_(connection_) {
     session_.Initialize();
-    receive_control_stream_ = QuicMakeUnique<QuicReceiveControlStream>(
+    auto pending = QuicMakeUnique<PendingStream>(
         QuicUtils::GetFirstUnidirectionalStreamId(
             GetParam().version.transport_version,
-            perspective() == Perspective::IS_CLIENT ? Perspective::IS_SERVER
-                                                    : Perspective::IS_CLIENT),
+            QuicUtils::InvertPerspective(perspective())),
         &session_);
+    receive_control_stream_ =
+        QuicMakeUnique<QuicReceiveControlStream>(pending.get());
+    stream_ = new TestStream(GetNthClientInitiatedBidirectionalStreamId(
+                                 GetParam().version.transport_version, 0),
+                             &session_);
+    session_.ActivateStream(QuicWrapUnique(stream_));
   }
 
   Perspective perspective() const { return GetParam().perspective; }
@@ -83,16 +86,30 @@ class QuicReceiveControlStreamTest : public QuicTestWithParam<TestParams> {
   std::string EncodeSettings(const SettingsFrame& settings) {
     HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
-    auto header_length = encoder.SerializeSettingsFrame(settings, &buffer);
-    return std::string(buffer.get(), header_length);
+    QuicByteCount settings_frame_length =
+        encoder.SerializeSettingsFrame(settings, &buffer);
+    return std::string(buffer.get(), settings_frame_length);
+  }
+
+  std::string PriorityFrame(const PriorityFrame& frame) {
+    HttpEncoder encoder;
+    std::unique_ptr<char[]> priority_buffer;
+    QuicByteCount priority_frame_length =
+        encoder.SerializePriorityFrame(frame, &priority_buffer);
+    return std::string(priority_buffer.get(), priority_frame_length);
+  }
+
+  QuicStreamOffset NumBytesConsumed() {
+    return QuicStreamPeer::sequencer(receive_control_stream_.get())
+        ->NumBytesConsumed();
   }
 
   MockQuicConnectionHelper helper_;
   MockAlarmFactory alarm_factory_;
   StrictMock<MockQuicConnection>* connection_;
   StrictMock<MockQuicSpdySession> session_;
-  HttpDecoder decoder_;
   std::unique_ptr<QuicReceiveControlStream> receive_control_stream_;
+  TestStream* stream_;
 };
 
 INSTANTIATE_TEST_SUITE_P(Tests,
@@ -111,35 +128,60 @@ TEST_P(QuicReceiveControlStreamTest, ResetControlStream) {
 TEST_P(QuicReceiveControlStreamTest, ReceiveSettings) {
   SettingsFrame settings;
   settings.values[3] = 2;
-  settings.values[6] = 5;
+  settings.values[kSettingsMaxHeaderListSize] = 5;
   std::string data = EncodeSettings(settings);
   QuicStreamFrame frame(receive_control_stream_->id(), false, 0,
                         QuicStringPiece(data));
-  EXPECT_NE(5u, session_.max_inbound_header_list_size());
+  EXPECT_NE(5u, session_.max_outbound_header_list_size());
   receive_control_stream_->OnStreamFrame(frame);
-  EXPECT_EQ(5u, session_.max_inbound_header_list_size());
+  EXPECT_EQ(5u, session_.max_outbound_header_list_size());
 }
 
+// Regression test for https://crbug.com/982648.
+// QuicReceiveControlStream::OnDataAvailable() must stop processing input as
+// soon as OnSettingsFrameStart() is called by HttpDecoder for the second frame.
 TEST_P(QuicReceiveControlStreamTest, ReceiveSettingsTwice) {
   SettingsFrame settings;
-  settings.values[3] = 2;
-  settings.values[6] = 5;
-  std::string data = EncodeSettings(settings);
-  QuicStreamFrame frame(receive_control_stream_->id(), false, 0,
-                        QuicStringPiece(data));
-  QuicStreamFrame frame2(receive_control_stream_->id(), false, data.length(),
-                         QuicStringPiece(data));
-  receive_control_stream_->OnStreamFrame(frame);
+  // Reserved identifiers, must be ignored.
+  settings.values[0x21] = 100;
+  settings.values[0x40] = 200;
+
+  std::string settings_frame = EncodeSettings(settings);
+
+  EXPECT_EQ(0u, NumBytesConsumed());
+
+  // Receive first SETTINGS frame.
+  receive_control_stream_->OnStreamFrame(
+      QuicStreamFrame(receive_control_stream_->id(), /* fin = */ false,
+                      /* offset = */ 0, settings_frame));
+
+  // First SETTINGS frame is consumed.
+  EXPECT_EQ(settings_frame.size(), NumBytesConsumed());
+
+  // Second SETTINGS frame causes the connection to be closed.
   EXPECT_CALL(*connection_,
               CloseConnection(QUIC_INVALID_STREAM_ID,
-                              "Settings frames are received twice.", _));
-  receive_control_stream_->OnStreamFrame(frame2);
+                              "Settings frames are received twice.", _))
+      .WillOnce(
+          Invoke(connection_, &MockQuicConnection::ReallyCloseConnection));
+  EXPECT_CALL(*connection_, SendConnectionClosePacket(_, _));
+  EXPECT_CALL(session_, OnConnectionClosed(_, _));
+
+  // Receive second SETTINGS frame.
+  receive_control_stream_->OnStreamFrame(
+      QuicStreamFrame(receive_control_stream_->id(), /* fin = */ false,
+                      /* offset = */ settings_frame.size(), settings_frame));
+
+  // Frame header of second SETTINGS frame is consumed, but not frame payload.
+  QuicByteCount settings_frame_header_length = 2;
+  EXPECT_EQ(settings_frame.size() + settings_frame_header_length,
+            NumBytesConsumed());
 }
 
 TEST_P(QuicReceiveControlStreamTest, ReceiveSettingsFragments) {
   SettingsFrame settings;
   settings.values[3] = 2;
-  settings.values[6] = 5;
+  settings.values[kSettingsMaxHeaderListSize] = 5;
   std::string data = EncodeSettings(settings);
   std::string data1 = data.substr(0, 1);
   std::string data2 = data.substr(1, data.length() - 1);
@@ -148,10 +190,10 @@ TEST_P(QuicReceiveControlStreamTest, ReceiveSettingsFragments) {
                         QuicStringPiece(data.data(), 1));
   QuicStreamFrame frame2(receive_control_stream_->id(), false, 1,
                          QuicStringPiece(data.data() + 1, data.length() - 1));
-  EXPECT_NE(5u, session_.max_inbound_header_list_size());
+  EXPECT_NE(5u, session_.max_outbound_header_list_size());
   receive_control_stream_->OnStreamFrame(frame);
   receive_control_stream_->OnStreamFrame(frame2);
-  EXPECT_EQ(5u, session_.max_inbound_header_list_size());
+  EXPECT_EQ(5u, session_.max_outbound_header_list_size());
 }
 
 TEST_P(QuicReceiveControlStreamTest, ReceiveWrongFrame) {
@@ -168,6 +210,56 @@ TEST_P(QuicReceiveControlStreamTest, ReceiveWrongFrame) {
   receive_control_stream_->OnStreamFrame(frame);
 }
 
+TEST_P(QuicReceiveControlStreamTest, ReceivePriorityFrame) {
+  if (perspective() == Perspective::IS_CLIENT) {
+    return;
+  }
+  struct PriorityFrame frame;
+  frame.prioritized_type = REQUEST_STREAM;
+  frame.dependency_type = ROOT_OF_TREE;
+  frame.prioritized_element_id = stream_->id();
+  frame.weight = 1;
+  std::string serialized_frame = PriorityFrame(frame);
+  QuicStreamFrame data(receive_control_stream_->id(), false, 0,
+                       QuicStringPiece(serialized_frame));
+
+  EXPECT_EQ(3u, stream_->priority());
+  receive_control_stream_->OnStreamFrame(data);
+  EXPECT_EQ(1u, stream_->priority());
+}
+
+TEST_P(QuicReceiveControlStreamTest, PushPromiseOnControlStreamShouldClose) {
+  PushPromiseFrame push_promise;
+  push_promise.push_id = 0x01;
+  push_promise.headers = "Headers";
+  std::unique_ptr<char[]> buffer;
+  HttpEncoder encoder;
+  uint64_t length =
+      encoder.SerializePushPromiseFrameWithOnlyPushId(push_promise, &buffer);
+  QuicStreamFrame frame(receive_control_stream_->id(), false, 0, buffer.get(),
+                        length);
+  // TODO(lassey) Check for HTTP_WRONG_STREAM error code.
+  EXPECT_CALL(*connection_, CloseConnection(QUIC_HTTP_DECODER_ERROR, _, _))
+      .Times(AtLeast(1));
+  receive_control_stream_->OnStreamFrame(frame);
+}
+
+// Regression test for b/137554973: unknown frames should be consumed.
+TEST_P(QuicReceiveControlStreamTest, ConsumeUnknownFrame) {
+  std::string unknown_frame = QuicTextUtils::HexDecode(
+      "21"        // reserved frame type
+      "03"        // payload length
+      "666f6f");  // payload "foo"
+
+  EXPECT_EQ(0u, NumBytesConsumed());
+
+  receive_control_stream_->OnStreamFrame(
+      QuicStreamFrame(receive_control_stream_->id(), /* fin = */ false,
+                      /* offset = */ 0, unknown_frame));
+
+  EXPECT_EQ(unknown_frame.size(), NumBytesConsumed());
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.cc
index 40b6111133b..348f63d808c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.cc
@@ -1,22 +1,24 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h"
 
-#include "net/third_party/quiche/src/quic/core/http/quic_spdy_session.h"
-#include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
+#include "net/third_party/quiche/src/quic/core/quic_session.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 
 namespace quic {
 
-QuicSendControlStream::QuicSendControlStream(QuicStreamId id,
-                                             QuicSpdySession* session)
+QuicSendControlStream::QuicSendControlStream(
+    QuicStreamId id,
+    QuicSession* session,
+    uint64_t max_inbound_header_list_size)
     : QuicStream(id, session, /*is_static = */ true, WRITE_UNIDIRECTIONAL),
-      settings_sent_(false) {}
+      settings_sent_(false),
+      max_inbound_header_list_size_(max_inbound_header_list_size) {}
 
-void QuicSendControlStream::OnStreamReset(const QuicRstStreamFrame& frame) {
+void QuicSendControlStream::OnStreamReset(const QuicRstStreamFrame& /*frame*/) {
   // TODO(renjietang) Change the error code to H/3 specific
   // HTTP_CLOSED_CRITICAL_STREAM.
   session()->connection()->CloseConnection(
@@ -24,14 +26,42 @@ void QuicSendControlStream::OnStreamReset(const QuicRstStreamFrame& frame) {
       ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
 }
 
-void QuicSendControlStream::SendSettingsFrame(const SettingsFrame& settings) {
-  DCHECK(!settings_sent_);
+void QuicSendControlStream::SendSettingsFrame() {
+  if (settings_sent_) {
+    return;
+  }
+
+  QuicConnection::ScopedPacketFlusher flusher(session()->connection());
+  // Send the stream type on so the peer knows about this stream.
+  char data[sizeof(kControlStream)];
+  QuicDataWriter writer(QUIC_ARRAYSIZE(data), data);
+  writer.WriteVarInt62(kControlStream);
+  WriteOrBufferData(QuicStringPiece(writer.data(), writer.length()), false,
+                    nullptr);
+
+  SettingsFrame settings;
+  settings.values[kSettingsMaxHeaderListSize] = max_inbound_header_list_size_;
   std::unique_ptr<char[]> buffer;
   QuicByteCount frame_length =
       encoder_.SerializeSettingsFrame(settings, &buffer);
+  QUIC_DVLOG(1) << "Control stream " << id() << " is writing settings frame "
+                << settings;
   WriteOrBufferData(QuicStringPiece(buffer.get(), frame_length),
                     /*fin = */ false, nullptr);
   settings_sent_ = true;
 }
 
+void QuicSendControlStream::WritePriority(const PriorityFrame& priority) {
+  QuicConnection::ScopedPacketFlusher flusher(session()->connection());
+  if (!settings_sent_) {
+    SendSettingsFrame();
+  }
+  std::unique_ptr<char[]> buffer;
+  QuicByteCount frame_length =
+      encoder_.SerializePriorityFrame(priority, &buffer);
+  QUIC_DVLOG(1) << "Control Stream " << id() << " is writing " << priority;
+  WriteOrBufferData(QuicStringPiece(buffer.get(), frame_length), false,
+                    nullptr);
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h
index 09bdafb26a6..566bcc8f6f1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 
 namespace quic {
 
-class QuicSpdySession;
+class QuicSession;
 
 // 3.2.1 Control Stream.
 // The send control stream is self initiated and is write only.
@@ -19,7 +19,9 @@ class QUIC_EXPORT_PRIVATE QuicSendControlStream : public QuicStream {
  public:
   // |session| can't be nullptr, and the ownership is not passed. The stream can
   // only be accessed through the session.
-  explicit QuicSendControlStream(QuicStreamId id, QuicSpdySession* session);
+  explicit QuicSendControlStream(QuicStreamId id,
+                                 QuicSession* session,
+                                 uint64_t max_inbound_header_list_size);
   QuicSendControlStream(const QuicSendControlStream&) = delete;
   QuicSendControlStream& operator=(const QuicSendControlStream&) = delete;
   ~QuicSendControlStream() override = default;
@@ -28,9 +30,12 @@ class QUIC_EXPORT_PRIVATE QuicSendControlStream : public QuicStream {
   // closed before connection.
   void OnStreamReset(const QuicRstStreamFrame& frame) override;
 
-  // Send |settings| on this stream.
-  // Settings frame must be the first frame sent on this stream.
-  void SendSettingsFrame(const SettingsFrame& settings);
+  // Consult the Spdy session to construct Settings frame and sends it on this
+  // stream. Settings frame must be the first frame sent on this stream.
+  void SendSettingsFrame();
+
+  // Send |Priority| on this stream. It must be sent after settings.
+  void WritePriority(const PriorityFrame& priority);
 
   // The send control stream is write unidirectional, so this method should
   // never be called.
@@ -40,6 +45,9 @@ class QUIC_EXPORT_PRIVATE QuicSendControlStream : public QuicStream {
   HttpEncoder encoder_;
   // Track if a settings frame is already sent.
   bool settings_sent_;
+
+  // Max inbound header list size that will send as setting.
+  const uint64_t max_inbound_header_list_size_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream_test.cc
index a015c5fae30..7c0ee125366 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream_test.cc
@@ -1,25 +1,9 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h"
 
-#include <cstdint>
-#include <ostream>
-#include <utility>
-#include <vector>
-
-#include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
-#include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
@@ -27,9 +11,9 @@ namespace quic {
 namespace test {
 
 namespace {
-using testing::_;
-using testing::Invoke;
-using testing::StrictMock;
+using ::testing::_;
+using ::testing::Invoke;
+using ::testing::StrictMock;
 
 struct TestParams {
   TestParams(const ParsedQuicVersion& version, Perspective perspective)
@@ -72,7 +56,7 @@ class QuicSendControlStreamTest : public QuicTestWithParam<TestParams> {
     session_.Initialize();
     send_control_stream_ = QuicMakeUnique<QuicSendControlStream>(
         QuicSpdySessionPeer::GetNextOutgoingUnidirectionalStreamId(&session_),
-        &session_);
+        &session_, /* max_inbound_header_list_size = */ 100);
     ON_CALL(session_, WritevData(_, _, _, _, _))
         .WillByDefault(Invoke(MockQuicSession::ConsumeData));
   }
@@ -91,16 +75,40 @@ INSTANTIATE_TEST_SUITE_P(Tests,
                          QuicSendControlStreamTest,
                          ::testing::ValuesIn(GetTestParams()));
 
-TEST_P(QuicSendControlStreamTest, WriteSettingsOnStartUp) {
-  SettingsFrame settings;
-  settings.values[3] = 2;
-  settings.values[6] = 5;
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount frame_length =
-      encoder_.SerializeSettingsFrame(settings, &buffer);
+TEST_P(QuicSendControlStreamTest, WriteSettingsOnlyForOnce) {
+  if (GetParam().version.handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+  testing::InSequence s;
+
+  EXPECT_CALL(session_, WritevData(_, _, 1, _, _));
+  EXPECT_CALL(session_, WritevData(_, _, _, _, _));
+  send_control_stream_->SendSettingsFrame();
+
+  // No data should be written the sencond time SendSettingsFrame() is called.
+  send_control_stream_->SendSettingsFrame();
+}
+
+TEST_P(QuicSendControlStreamTest, WritePriorityBeforeSettings) {
+  if (GetParam().version.handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
+  testing::InSequence s;
+
+  // The first write will trigger the control stream to write stream type and a
+  // Settings frame before the Priority frame.
+  EXPECT_CALL(session_, WritevData(_, send_control_stream_->id(), _, _, _))
+      .Times(3);
+  PriorityFrame frame;
+  send_control_stream_->WritePriority(frame);
 
-  EXPECT_CALL(session_, WritevData(_, _, frame_length, _, _));
-  send_control_stream_->SendSettingsFrame(settings);
+  EXPECT_CALL(session_, WritevData(_, send_control_stream_->id(), _, _, _));
+  send_control_stream_->WritePriority(frame);
 }
 
 TEST_P(QuicSendControlStreamTest, ResetControlStream) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base.cc
index 683793dc838..29bce86f885 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base.cc
@@ -6,7 +6,7 @@
 
 #include <string>
 
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
@@ -80,10 +80,10 @@ void QuicServerSessionBase::OnConfigNegotiated() {
   }
 }
 
-void QuicServerSessionBase::OnConnectionClosed(QuicErrorCode error,
-                                               const std::string& error_details,
-                                               ConnectionCloseSource source) {
-  QuicSession::OnConnectionClosed(error, error_details, source);
+void QuicServerSessionBase::OnConnectionClosed(
+    const QuicConnectionCloseFrame& frame,
+    ConnectionCloseSource source) {
+  QuicSession::OnConnectionClosed(frame, source);
   // In the unlikely event we get a connection close while doing an asynchronous
   // crypto event, make sure we cancel the callback.
   if (crypto_stream_ != nullptr) {
@@ -224,7 +224,7 @@ bool QuicServerSessionBase::ShouldCreateOutgoingBidirectionalStream() {
   }
 
   if (!GetQuicReloadableFlag(quic_use_common_stream_check) &&
-      connection()->transport_version() != QUIC_VERSION_99) {
+      !VersionHasIetfQuicFrames(connection()->transport_version())) {
     if (GetNumOpenOutgoingStreams() >=
         stream_id_manager().max_open_outgoing_streams()) {
       QUIC_VLOG(1) << "No more streams should be created. "
@@ -248,7 +248,7 @@ bool QuicServerSessionBase::ShouldCreateOutgoingUnidirectionalStream() {
   }
 
   if (!GetQuicReloadableFlag(quic_use_common_stream_check) &&
-      connection()->transport_version() != QUIC_VERSION_99) {
+      !VersionHasIetfQuicFrames(connection()->transport_version())) {
     if (GetNumOpenOutgoingStreams() >=
         stream_id_manager().max_open_outgoing_streams()) {
       QUIC_VLOG(1) << "No more streams should be created. "
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base.h
index 8f071f3fed4..672bb0c4590 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base.h
@@ -45,8 +45,7 @@ class QUIC_EXPORT_PRIVATE QuicServerSessionBase : public QuicSpdySession {
   QuicServerSessionBase& operator=(const QuicServerSessionBase&) = delete;
 
   // Override the base class to cancel any ongoing asychronous crypto.
-  void OnConnectionClosed(QuicErrorCode error,
-                          const std::string& error_details,
+  void OnConnectionClosed(const QuicConnectionCloseFrame& frame,
                           ConnectionCloseSource source) override;
 
   // Sends a server config update to the client, containing new bandwidth
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base_test.cc
index 94ebb67a0bf..0041c85baf6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base_test.cc
@@ -10,11 +10,10 @@
 
 #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
@@ -78,9 +77,9 @@ class TestServerSession : public QuicServerSessionBase {
     return stream;
   }
 
-  QuicSpdyStream* CreateIncomingStream(PendingStream pending) override {
+  QuicSpdyStream* CreateIncomingStream(PendingStream* pending) override {
     QuicSpdyStream* stream = new QuicSimpleServerStream(
-        std::move(pending), this, BIDIRECTIONAL, quic_simple_server_backend_);
+        pending, this, BIDIRECTIONAL, quic_simple_server_backend_);
     ActivateStream(QuicWrapUnique(stream));
     return stream;
   }
@@ -125,8 +124,7 @@ class QuicServerSessionBaseTest : public QuicTestWithParam<ParsedQuicVersion> {
       : crypto_config_(QuicCryptoServerConfig::TESTING,
                        QuicRandom::GetInstance(),
                        std::move(proof_source),
-                       KeyExchangeSource::Default(),
-                       TlsServerHandshaker::CreateSslCtx()),
+                       KeyExchangeSource::Default()),
         compressed_certs_cache_(
             QuicCompressedCertsCache::kQuicCompressedCertsCacheSize) {
     config_.SetMaxIncomingBidirectionalStreamsToSend(kMaxStreamsForTest);
@@ -151,6 +149,7 @@ class QuicServerSessionBaseTest : public QuicTestWithParam<ParsedQuicVersion> {
     handshake_message_ = crypto_config_.AddDefaultConfig(
         QuicRandom::GetInstance(), &clock,
         QuicCryptoServerConfig::ConfigOptions());
+    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     session_->Initialize();
     QuicSessionPeer::GetMutableCryptoStream(session_.get())
         ->OnSuccessfulVersionNegotiation(supported_versions.front());
@@ -179,7 +178,7 @@ class QuicServerSessionBaseTest : public QuicTestWithParam<ParsedQuicVersion> {
   // expects needed to ensure that the STOP_SENDING worked as expected.
   void InjectStopSendingFrame(QuicStreamId stream_id,
                               QuicRstStreamErrorCode rst_stream_code) {
-    if (transport_version() != QUIC_VERSION_99) {
+    if (!VersionHasIetfQuicFrames(transport_version())) {
       // Only needed for version 99/IETF QUIC. Noop otherwise.
       return;
     }
@@ -240,7 +239,7 @@ TEST_P(QuicServerSessionBaseTest, CloseStreamDueToReset) {
                           GetNthClientInitiatedBidirectionalId(0),
                           QUIC_ERROR_PROCESSING_STREAM, 0);
   EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // For non-version 99, the RESET_STREAM will do the full close.
     // Set up expects accordingly.
     EXPECT_CALL(*connection_, SendControlFrame(_));
@@ -271,7 +270,7 @@ TEST_P(QuicServerSessionBaseTest, NeverOpenStreamDueToReset) {
                           GetNthClientInitiatedBidirectionalId(0),
                           QUIC_ERROR_PROCESSING_STREAM, 0);
   EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // For non-version 99, the RESET_STREAM will do the full close.
     // Set up expects accordingly.
     EXPECT_CALL(*connection_, SendControlFrame(_));
@@ -313,7 +312,7 @@ TEST_P(QuicServerSessionBaseTest, AcceptClosedStream) {
                          GetNthClientInitiatedBidirectionalId(0),
                          QUIC_ERROR_PROCESSING_STREAM, 0);
   EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // For non-version 99, the RESET_STREAM will do the full close.
     // Set up expects accordingly.
     EXPECT_CALL(*connection_, SendControlFrame(_));
@@ -349,7 +348,7 @@ TEST_P(QuicServerSessionBaseTest, MaxOpenStreams) {
   // client FIN/RST is lost.
 
   session_->OnConfigNegotiated();
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // The slightly increased stream limit is set during config negotiation.  It
     // is either an increase of 10 over negotiated limit, or a fixed percentage
     // scaling, whichever is larger. Test both before continuing.
@@ -362,24 +361,24 @@ TEST_P(QuicServerSessionBaseTest, MaxOpenStreams) {
   QuicStreamId stream_id = GetNthClientInitiatedBidirectionalId(0);
   // Open the max configured number of streams, should be no problem.
   for (size_t i = 0; i < kMaxStreamsForTest; ++i) {
-    EXPECT_TRUE(QuicServerSessionBasePeer::GetOrCreateDynamicStream(
-        session_.get(), stream_id));
+    EXPECT_TRUE(QuicServerSessionBasePeer::GetOrCreateStream(session_.get(),
+                                                             stream_id));
     stream_id += QuicUtils::StreamIdDelta(connection_->transport_version());
   }
 
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // Open more streams: server should accept slightly more than the limit.
     // Excess streams are for non-version-99 only.
     for (size_t i = 0; i < kMaxStreamsMinimumIncrement; ++i) {
-      EXPECT_TRUE(QuicServerSessionBasePeer::GetOrCreateDynamicStream(
-          session_.get(), stream_id));
+      EXPECT_TRUE(QuicServerSessionBasePeer::GetOrCreateStream(session_.get(),
+                                                               stream_id));
       stream_id += QuicUtils::StreamIdDelta(connection_->transport_version());
     }
   }
   // Now violate the server's internal stream limit.
   stream_id += QuicUtils::StreamIdDelta(connection_->transport_version());
 
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // For non-version 99, QUIC responds to an attempt to exceed the stream
     // limit by resetting the stream.
     EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
@@ -391,8 +390,8 @@ TEST_P(QuicServerSessionBaseTest, MaxOpenStreams) {
     EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(1);
   }
   // Even if the connection remains open, the stream creation should fail.
-  EXPECT_FALSE(QuicServerSessionBasePeer::GetOrCreateDynamicStream(
-      session_.get(), stream_id));
+  EXPECT_FALSE(
+      QuicServerSessionBasePeer::GetOrCreateStream(session_.get(), stream_id));
 }
 
 TEST_P(QuicServerSessionBaseTest, MaxAvailableBidirectionalStreams) {
@@ -405,7 +404,7 @@ TEST_P(QuicServerSessionBaseTest, MaxAvailableBidirectionalStreams) {
       session_->MaxAvailableBidirectionalStreams();
 
   EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
-  EXPECT_TRUE(QuicServerSessionBasePeer::GetOrCreateDynamicStream(
+  EXPECT_TRUE(QuicServerSessionBasePeer::GetOrCreateStream(
       session_.get(), GetNthClientInitiatedBidirectionalId(0)));
 
   // Establish available streams up to the server's limit.
@@ -413,11 +412,11 @@ TEST_P(QuicServerSessionBaseTest, MaxAvailableBidirectionalStreams) {
       QuicUtils::StreamIdDelta(connection_->transport_version());
   const int kLimitingStreamId =
       GetNthClientInitiatedBidirectionalId(kAvailableStreamLimit + 1);
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // This exceeds the stream limit. In versions other than 99
     // this is allowed. Version 99 hews to the IETF spec and does
     // not allow it.
-    EXPECT_TRUE(QuicServerSessionBasePeer::GetOrCreateDynamicStream(
+    EXPECT_TRUE(QuicServerSessionBasePeer::GetOrCreateStream(
         session_.get(), kLimitingStreamId));
     // A further available stream will result in connection close.
     EXPECT_CALL(*connection_,
@@ -429,16 +428,16 @@ TEST_P(QuicServerSessionBaseTest, MaxAvailableBidirectionalStreams) {
 
   // This forces stream kLimitingStreamId + 2 to become available, which
   // violates the quota.
-  EXPECT_FALSE(QuicServerSessionBasePeer::GetOrCreateDynamicStream(
+  EXPECT_FALSE(QuicServerSessionBasePeer::GetOrCreateStream(
       session_.get(), kLimitingStreamId + 2 * next_id));
 }
 
 TEST_P(QuicServerSessionBaseTest, GetEvenIncomingError) {
   // Incoming streams on the server session must be odd.
   EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_STREAM_ID, _, _));
-  EXPECT_EQ(nullptr,
-            QuicServerSessionBasePeer::GetOrCreateDynamicStream(
-                session_.get(), GetNthServerInitiatedUnidirectionalId(0)));
+  EXPECT_EQ(nullptr, QuicServerSessionBasePeer::GetOrCreateStream(
+                         session_.get(),
+                         session_->next_outgoing_unidirectional_stream_id()));
 }
 
 TEST_P(QuicServerSessionBaseTest, GetStreamDisconnected) {
@@ -449,7 +448,7 @@ TEST_P(QuicServerSessionBaseTest, GetStreamDisconnected) {
 
   // Don't create new streams if the connection is disconnected.
   QuicConnectionPeer::TearDownLocalConnectionState(connection_);
-  EXPECT_QUIC_BUG(QuicServerSessionBasePeer::GetOrCreateDynamicStream(
+  EXPECT_QUIC_BUG(QuicServerSessionBasePeer::GetOrCreateStream(
                       session_.get(), GetNthClientInitiatedBidirectionalId(0)),
                   "ShouldCreateIncomingStream called when disconnected");
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.cc
index 458b8a05e81..50ed00d8015 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.cc
@@ -53,7 +53,7 @@ bool QuicSpdyClientSession::ShouldCreateOutgoingBidirectionalStream() {
     return false;
   }
   if (!GetQuicReloadableFlag(quic_use_common_stream_check) &&
-      connection()->transport_version() != QUIC_VERSION_99) {
+      !VersionHasIetfQuicFrames(connection()->transport_version())) {
     if (GetNumOpenOutgoingStreams() >=
         stream_id_manager().max_open_outgoing_streams()) {
       QUIC_DLOG(INFO) << "Failed to create a new outgoing stream. "
@@ -138,7 +138,7 @@ bool QuicSpdyClientSession::ShouldCreateIncomingStream(QuicStreamId id) {
   }
   if (QuicUtils::IsClientInitiatedStreamId(connection()->transport_version(),
                                            id) ||
-      (connection()->transport_version() == QUIC_VERSION_99 &&
+      (VersionHasIetfQuicFrames(connection()->transport_version()) &&
        QuicUtils::IsBidirectionalStreamId(id))) {
     QUIC_LOG(WARNING) << "Received invalid push stream id " << id;
     connection()->CloseConnection(
@@ -151,9 +151,9 @@ bool QuicSpdyClientSession::ShouldCreateIncomingStream(QuicStreamId id) {
 }
 
 QuicSpdyStream* QuicSpdyClientSession::CreateIncomingStream(
-    PendingStream pending) {
+    PendingStream* pending) {
   QuicSpdyStream* stream =
-      new QuicSpdyClientStream(std::move(pending), this, READ_UNIDIRECTIONAL);
+      new QuicSpdyClientStream(pending, this, READ_UNIDIRECTIONAL);
   ActivateStream(QuicWrapUnique(stream));
   return stream;
 }
@@ -176,7 +176,7 @@ QuicSpdyClientSession::CreateQuicCryptoStream() {
       this);
 }
 
-bool QuicSpdyClientSession::IsAuthorized(const std::string& authority) {
+bool QuicSpdyClientSession::IsAuthorized(const std::string& /*authority*/) {
   return true;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h
index 747033a2fe8..3611c69bcf0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h
@@ -66,7 +66,7 @@ class QuicSpdyClientSession : public QuicSpdyClientSessionBase {
  protected:
   // QuicSession methods:
   QuicSpdyStream* CreateIncomingStream(QuicStreamId id) override;
-  QuicSpdyStream* CreateIncomingStream(PendingStream pending) override;
+  QuicSpdyStream* CreateIncomingStream(PendingStream* pending) override;
   // If an outgoing stream can be created, return true.
   bool ShouldCreateOutgoingBidirectionalStream() override;
   bool ShouldCreateOutgoingUnidirectionalStream() override;
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.cc
index 93f68808d42..f27411aec34 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.cc
@@ -7,7 +7,7 @@
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/http/quic_client_promised_info.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
@@ -24,7 +24,8 @@ QuicSpdyClientSessionBase::QuicSpdyClientSessionBase(
     : QuicSpdySession(connection, nullptr, config, supported_versions),
       push_promise_index_(push_promise_index),
       largest_promised_stream_id_(
-          QuicUtils::GetInvalidStreamId(connection->transport_version())) {}
+          QuicUtils::GetInvalidStreamId(connection->transport_version())),
+      max_allowed_push_id_(0) {}
 
 QuicSpdyClientSessionBase::~QuicSpdyClientSessionBase() {
   //  all promised streams for this session
@@ -88,6 +89,14 @@ void QuicSpdyClientSessionBase::OnPromiseHeaderList(
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
     return;
   }
+
+  if (VersionHasIetfQuicFrames(connection()->transport_version()) &&
+      promised_stream_id > max_allowed_push_id()) {
+    connection()->CloseConnection(
+        QUIC_INVALID_STREAM_ID,
+        "Received push stream id higher than MAX_PUSH_ID.",
+        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+  }
   largest_promised_stream_id_ = promised_stream_id;
 
   QuicSpdyStream* stream = GetSpdyDataStream(stream_id);
@@ -119,7 +128,8 @@ bool QuicSpdyClientSessionBase::HandlePromised(QuicStreamId /* associated_id */,
     return false;
   }
 
-  const std::string url = SpdyUtils::GetPromisedUrlFromHeaders(headers);
+  const std::string url =
+      SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers);
   QuicClientPromisedInfo* old_promised = GetPromisedByUrl(url);
   if (old_promised) {
     QUIC_DVLOG(1) << "Promise for stream " << promised_id
@@ -170,8 +180,8 @@ QuicClientPromisedInfo* QuicSpdyClientSessionBase::GetPromisedById(
 
 QuicSpdyStream* QuicSpdyClientSessionBase::GetPromisedStream(
     const QuicStreamId id) {
-  DynamicStreamMap::iterator it = dynamic_streams().find(id);
-  if (it != dynamic_streams().end()) {
+  StreamMap::iterator it = stream_map().find(id);
+  if (it != stream_map().end()) {
     return static_cast<QuicSpdyStream*>(it->second.get());
   }
   return nullptr;
@@ -186,7 +196,8 @@ void QuicSpdyClientSessionBase::DeletePromised(
   headers_stream()->MaybeReleaseSequencerBuffer();
 }
 
-void QuicSpdyClientSessionBase::OnPushStreamTimedOut(QuicStreamId stream_id) {}
+void QuicSpdyClientSessionBase::OnPushStreamTimedOut(
+    QuicStreamId /*stream_id*/) {}
 
 void QuicSpdyClientSessionBase::ResetPromised(
     QuicStreamId id,
@@ -207,4 +218,9 @@ bool QuicSpdyClientSessionBase::ShouldReleaseHeadersStreamSequencerBuffer() {
   return !HasActiveRequestStreams() && promised_by_id_.empty();
 }
 
+void QuicSpdyClientSessionBase::set_max_allowed_push_id(
+    QuicStreamId max_allowed_push_id) {
+  max_allowed_push_id_ = max_allowed_push_id;
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.h
index aec5e75947f..98b85899c40 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.h
@@ -111,6 +111,10 @@ class QUIC_EXPORT_PRIVATE QuicSpdyClientSessionBase
   // Returns true if there are no active requests and no promised streams.
   bool ShouldReleaseHeadersStreamSequencerBuffer() override;
 
+  void set_max_allowed_push_id(QuicStreamId max_allowed_push_id);
+
+  QuicStreamId max_allowed_push_id() { return max_allowed_push_id_; }
+
   size_t get_max_promises() const {
     return max_open_incoming_unidirectional_streams() *
            kMaxPromisedStreamsMultiplier;
@@ -134,6 +138,7 @@ class QUIC_EXPORT_PRIVATE QuicSpdyClientSessionBase
   QuicClientPushPromiseIndex* push_promise_index_;
   QuicPromisedByIdMap promised_by_id_;
   QuicStreamId largest_promised_stream_id_;
+  QuicStreamId max_allowed_push_id_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_test.cc
index ea9e0585967..070acdfa6e3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_test.cc
@@ -11,9 +11,8 @@
 #include "net/third_party/quiche/src/quic/core/crypto/null_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h"
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
@@ -77,12 +76,12 @@ class TestQuicSpdyClientSession : public QuicSpdyClientSession {
 class QuicSpdyClientSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
  protected:
   QuicSpdyClientSessionTest()
-      : crypto_config_(crypto_test_utils::ProofVerifierForTesting(),
-                       TlsClientHandshaker::CreateSslCtx()),
+      : crypto_config_(crypto_test_utils::ProofVerifierForTesting()),
         promised_stream_id_(
             QuicUtils::GetInvalidStreamId(GetParam().transport_version)),
         associated_stream_id_(
             QuicUtils::GetInvalidStreamId(GetParam().transport_version)) {
+    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     Initialize();
     // Advance the time, because timers do not like uninitialized times.
     connection_->AdvanceTime(QuicTime::Delta::FromSeconds(1));
@@ -108,7 +107,8 @@ class QuicSpdyClientSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
     push_promise_[":version"] = "HTTP/1.1";
     push_promise_[":method"] = "GET";
     push_promise_[":scheme"] = "https";
-    promise_url_ = SpdyUtils::GetPromisedUrlFromHeaders(push_promise_);
+    promise_url_ =
+        SpdyServerPushUtils::GetPromisedUrlFromHeaders(push_promise_);
     promised_stream_id_ = GetNthServerInitiatedUnidirectionalStreamId(
         connection_->transport_version(), 0);
     associated_stream_id_ = GetNthClientInitiatedBidirectionalStreamId(
@@ -143,7 +143,7 @@ class QuicSpdyClientSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
   }
 
   void CompleteCryptoHandshake(uint32_t server_max_incoming_streams) {
-    if (connection_->transport_version() == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(connection_->transport_version())) {
       EXPECT_CALL(*connection_, SendControlFrame(_))
           .Times(testing::AnyNumber())
           .WillRepeatedly(Invoke(
@@ -153,7 +153,7 @@ class QuicSpdyClientSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
     QuicCryptoClientStream* stream = static_cast<QuicCryptoClientStream*>(
         session_->GetMutableCryptoStream());
     QuicConfig config = DefaultQuicConfig();
-    if (connection_->transport_version() == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(connection_->transport_version())) {
       config.SetMaxIncomingUnidirectionalStreamsToSend(
           server_max_incoming_streams);
       config.SetMaxIncomingBidirectionalStreamsToSend(
@@ -242,7 +242,10 @@ TEST_P(QuicSpdyClientSessionTest, MaxNumStreamsWithNoFinOrRst) {
   EXPECT_CALL(*connection_, SendControlFrame(_)).Times(AnyNumber());
   EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(AnyNumber());
 
-  const uint32_t kServerMaxIncomingStreams = 1;
+  uint32_t kServerMaxIncomingStreams = 1;
+  if (VersionLacksHeadersStream(GetParam().transport_version)) {
+    kServerMaxIncomingStreams = 0;
+  }
   CompleteCryptoHandshake(kServerMaxIncomingStreams);
 
   QuicSpdyClientStream* stream = session_->CreateOutgoingBidirectionalStream();
@@ -257,16 +260,23 @@ TEST_P(QuicSpdyClientSessionTest, MaxNumStreamsWithNoFinOrRst) {
   stream = session_->CreateOutgoingBidirectionalStream();
   EXPECT_FALSE(stream);
 
-  if (GetParam().transport_version == QUIC_VERSION_99) {
-    // Ensure that we have/have had 3 open streams, crypto, header, and the
-    // 1 test stream. Primary purpose of this is to fail when crypto
-    // no longer uses a normal stream. Some above constants will then need
-    // to be changed.
-    EXPECT_EQ(QuicSessionPeer::v99_bidirectional_stream_id_manager(&*session_)
-                      ->outgoing_static_stream_count() +
-                  1,
-              QuicSessionPeer::v99_bidirectional_stream_id_manager(&*session_)
-                  ->outgoing_stream_count());
+  if (VersionHasIetfQuicFrames(GetParam().transport_version)) {
+    if (VersionLacksHeadersStream(GetParam().transport_version)) {
+      EXPECT_EQ(1u,
+                QuicSessionPeer::v99_bidirectional_stream_id_manager(&*session_)
+                    ->outgoing_stream_count());
+
+    } else {
+      // Ensure that we have/have had 3 open streams, crypto, header, and the
+      // 1 test stream. Primary purpose of this is to fail when crypto
+      // no longer uses a normal stream. Some above constants will then need
+      // to be changed.
+      EXPECT_EQ(QuicSessionPeer::v99_bidirectional_stream_id_manager(&*session_)
+                        ->outgoing_static_stream_count() +
+                    1,
+                QuicSessionPeer::v99_bidirectional_stream_id_manager(&*session_)
+                    ->outgoing_stream_count());
+    }
   }
 }
 
@@ -280,7 +290,10 @@ TEST_P(QuicSpdyClientSessionTest, MaxNumStreamsWithRst) {
   EXPECT_CALL(*connection_, SendControlFrame(_)).Times(AnyNumber());
   EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(AnyNumber());
 
-  const uint32_t kServerMaxIncomingStreams = 1;
+  uint32_t kServerMaxIncomingStreams = 1;
+  if (VersionLacksHeadersStream(GetParam().transport_version)) {
+    kServerMaxIncomingStreams = 0;
+  }
   CompleteCryptoHandshake(kServerMaxIncomingStreams);
 
   QuicSpdyClientStream* stream = session_->CreateOutgoingBidirectionalStream();
@@ -293,7 +306,7 @@ TEST_P(QuicSpdyClientSessionTest, MaxNumStreamsWithRst) {
                                            QUIC_RST_ACKNOWLEDGEMENT, 0));
   // Check that a new one can be created.
   EXPECT_EQ(0u, session_->GetNumOpenOutgoingStreams());
-  if (GetParam().transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(GetParam().transport_version)) {
     // In V99 the stream limit increases only if we get a MAX_STREAMS
     // frame; pretend we got one.
 
@@ -310,10 +323,14 @@ TEST_P(QuicSpdyClientSessionTest, MaxNumStreamsWithRst) {
   }
   stream = session_->CreateOutgoingBidirectionalStream();
   EXPECT_NE(nullptr, stream);
-  if (GetParam().transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(GetParam().transport_version)) {
     // Ensure that we have/have had three open streams: two test streams and the
     // header stream.
-    EXPECT_EQ(3u,
+    QuicStreamCount expected_stream_count = 3;
+    if (VersionLacksHeadersStream(GetParam().transport_version)) {
+      expected_stream_count = 2;
+    }
+    EXPECT_EQ(expected_stream_count,
               QuicSessionPeer::v99_bidirectional_stream_id_manager(&*session_)
                   ->outgoing_stream_count());
   }
@@ -330,13 +347,16 @@ TEST_P(QuicSpdyClientSessionTest, ResetAndTrailers) {
   // the server sends trailing headers (trailers). Receipt of the trailers by
   // the client should result in all outstanding stream state being tidied up
   // (including flow control, and number of available outgoing streams).
-  const uint32_t kServerMaxIncomingStreams = 1;
+  uint32_t kServerMaxIncomingStreams = 1;
+  if (VersionLacksHeadersStream(GetParam().transport_version)) {
+    kServerMaxIncomingStreams = 0;
+  }
   CompleteCryptoHandshake(kServerMaxIncomingStreams);
 
   QuicSpdyClientStream* stream = session_->CreateOutgoingBidirectionalStream();
   ASSERT_NE(nullptr, stream);
 
-  if (GetParam().transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(GetParam().transport_version)) {
     // For v99, trying to open a stream and failing due to lack
     // of stream ids will result in a STREAMS_BLOCKED. Make
     // sure we get one. Also clear out the frame because if it's
@@ -375,7 +395,7 @@ TEST_P(QuicSpdyClientSessionTest, ResetAndTrailers) {
   // The stream is now complete from the client's perspective, and it should
   // be able to create a new outgoing stream.
   EXPECT_EQ(0u, session_->GetNumOpenOutgoingStreams());
-  if (GetParam().transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(GetParam().transport_version)) {
     // Note that this is to be the second stream created, hence
     // the stream count is 3 (the two streams created as a part of
     // the test plus the header stream, internally created).
@@ -390,10 +410,14 @@ TEST_P(QuicSpdyClientSessionTest, ResetAndTrailers) {
   }
   stream = session_->CreateOutgoingBidirectionalStream();
   EXPECT_NE(nullptr, stream);
-  if (GetParam().transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(GetParam().transport_version)) {
     // Ensure that we have/have had three open streams: two test streams and the
     // header stream.
-    EXPECT_EQ(3u,
+    QuicStreamCount expected_stream_count = 3;
+    if (VersionLacksHeadersStream(GetParam().transport_version)) {
+      expected_stream_count = 2;
+    }
+    EXPECT_EQ(expected_stream_count,
               QuicSessionPeer::v99_bidirectional_stream_id_manager(&*session_)
                   ->outgoing_stream_count());
   }
@@ -457,7 +481,7 @@ TEST_P(QuicSpdyClientSessionTest, OnPromiseHeaderListWithStaticStream) {
 }
 
 TEST_P(QuicSpdyClientSessionTest, GoAwayReceived) {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return;
   }
   CompleteCryptoHandshake();
@@ -528,6 +552,11 @@ TEST_P(QuicSpdyClientSessionTest, InvalidPacketReceived) {
 
 // A packet with invalid framing should cause a connection to be closed.
 TEST_P(QuicSpdyClientSessionTest, InvalidFramedPacketReceived) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   QuicSocketAddress server_address(TestPeerIPAddress(), kTestPort);
   QuicSocketAddress client_address(TestPeerIPAddress(), kTestPort);
   if (GetParam().KnowsWhichDecrypterToUse()) {
@@ -554,7 +583,7 @@ TEST_P(QuicSpdyClientSessionTest, InvalidFramedPacketReceived) {
   ParsedQuicVersionVector versions = {GetParam()};
   bool version_flag = false;
   QuicConnectionIdIncluded scid_included = CONNECTION_ID_ABSENT;
-  if (GetParam().transport_version > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(GetParam().transport_version)) {
     version_flag = true;
     source_connection_id = destination_connection_id;
     scid_included = CONNECTION_ID_PRESENT;
@@ -581,6 +610,38 @@ TEST_P(QuicSpdyClientSessionTest, PushPromiseOnPromiseHeaders) {
                                 QuicHeaderList());
 }
 
+TEST_P(QuicSpdyClientSessionTest, PushPromiseStreamIdTooHigh) {
+  // Initialize crypto before the client session will create a stream.
+  CompleteCryptoHandshake();
+  QuicStreamId stream_id =
+      QuicSessionPeer::GetNextOutgoingBidirectionalStreamId(session_.get());
+  QuicSessionPeer::ActivateStream(
+      session_.get(), QuicMakeUnique<QuicSpdyClientStream>(
+                          stream_id, session_.get(), BIDIRECTIONAL));
+
+  session_->set_max_allowed_push_id(GetNthServerInitiatedUnidirectionalStreamId(
+      connection_->transport_version(), 10));
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
+    // TODO(b/136295430) Use PushId to represent Push IDs instead of
+    // QuicStreamId.
+    EXPECT_CALL(
+        *connection_,
+        CloseConnection(QUIC_INVALID_STREAM_ID,
+                        "Received push stream id higher than MAX_PUSH_ID.", _));
+  }
+  auto promise_id = GetNthServerInitiatedUnidirectionalStreamId(
+      connection_->transport_version(), 11);
+  auto headers = QuicHeaderList();
+  headers.OnHeaderBlockStart();
+  headers.OnHeader(":path", "/bar");
+  headers.OnHeader(":authority", "www.google.com");
+  headers.OnHeader(":version", "HTTP/1.1");
+  headers.OnHeader(":method", "GET");
+  headers.OnHeader(":scheme", "https");
+  headers.OnHeaderBlockEnd(0, 0);
+  session_->OnPromiseHeaderList(stream_id, promise_id, 0, headers);
+}
+
 TEST_P(QuicSpdyClientSessionTest, PushPromiseOnPromiseHeadersAlreadyClosed) {
   // Initialize crypto before the client session will create a stream.
   CompleteCryptoHandshake();
@@ -708,7 +769,7 @@ TEST_P(QuicSpdyClientSessionTest, ReceivingPromiseEnhanceYourCalm) {
 
     // Verify that the promise is in the unclaimed streams map.
     std::string promise_url(
-        SpdyUtils::GetPromisedUrlFromHeaders(push_promise_));
+        SpdyServerPushUtils::GetPromisedUrlFromHeaders(push_promise_));
     EXPECT_NE(session_->GetPromisedByUrl(promise_url), nullptr);
     EXPECT_NE(session_->GetPromisedById(id), nullptr);
   }
@@ -726,7 +787,8 @@ TEST_P(QuicSpdyClientSessionTest, ReceivingPromiseEnhanceYourCalm) {
       session_->HandlePromised(associated_stream_id_, id, push_promise_));
 
   // Verify that the promise was not created.
-  std::string promise_url(SpdyUtils::GetPromisedUrlFromHeaders(push_promise_));
+  std::string promise_url(
+      SpdyServerPushUtils::GetPromisedUrlFromHeaders(push_promise_));
   EXPECT_EQ(session_->GetPromisedById(id), nullptr);
   EXPECT_EQ(session_->GetPromisedByUrl(promise_url), nullptr);
 }
@@ -846,7 +908,7 @@ TEST_P(QuicSpdyClientSessionTest, PushPromiseInvalidHost) {
 
 TEST_P(QuicSpdyClientSessionTest,
        TryToCreateServerInitiatedBidirectionalStream) {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_STREAM_ID, _, _));
   } else {
     EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
@@ -855,6 +917,35 @@ TEST_P(QuicSpdyClientSessionTest,
       connection_->transport_version(), 0));
 }
 
+TEST_P(QuicSpdyClientSessionTest, TooManyPushPromises) {
+  // Initialize crypto before the client session will create a stream.
+  CompleteCryptoHandshake();
+  QuicStreamId stream_id =
+      QuicSessionPeer::GetNextOutgoingBidirectionalStreamId(session_.get());
+  QuicSessionPeer::ActivateStream(
+      session_.get(), QuicMakeUnique<QuicSpdyClientStream>(
+                          stream_id, session_.get(), BIDIRECTIONAL));
+
+  session_->set_max_allowed_push_id(kMaxQuicStreamId);
+
+  EXPECT_CALL(*connection_, OnStreamReset(_, QUIC_REFUSED_STREAM));
+
+  for (size_t promise_count = 0; promise_count <= session_->get_max_promises();
+       promise_count++) {
+    auto promise_id = GetNthServerInitiatedUnidirectionalStreamId(
+        connection_->transport_version(), promise_count);
+    auto headers = QuicHeaderList();
+    headers.OnHeaderBlockStart();
+    headers.OnHeader(":path", QuicStrCat("/", promise_count));
+    headers.OnHeader(":authority", "www.google.com");
+    headers.OnHeader(":version", "HTTP/1.1");
+    headers.OnHeader(":method", "GET");
+    headers.OnHeader(":scheme", "https");
+    headers.OnHeaderBlockEnd(0, 0);
+    session_->OnPromiseHeaderList(stream_id, promise_id, 0, headers);
+  }
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.cc
index d4e8a69bb17..5cbb79d234d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.cc
@@ -28,10 +28,10 @@ QuicSpdyClientStream::QuicSpdyClientStream(QuicStreamId id,
       session_(session),
       has_preliminary_headers_(false) {}
 
-QuicSpdyClientStream::QuicSpdyClientStream(PendingStream pending,
+QuicSpdyClientStream::QuicSpdyClientStream(PendingStream* pending,
                                            QuicSpdyClientSession* session,
                                            StreamType type)
-    : QuicSpdyStream(std::move(pending), session, type),
+    : QuicSpdyStream(pending, session, type),
       content_length_(-1),
       response_code_(0),
       header_bytes_read_(0),
@@ -142,8 +142,7 @@ void QuicSpdyClientStream::OnBodyAvailable() {
 size_t QuicSpdyClientStream::SendRequest(SpdyHeaderBlock headers,
                                          QuicStringPiece body,
                                          bool fin) {
-  QuicConnection::ScopedPacketFlusher flusher(
-      session_->connection(), QuicConnection::SEND_ACK_IF_QUEUED);
+  QuicConnection::ScopedPacketFlusher flusher(session_->connection());
   bool send_fin_with_headers = fin && body.empty();
   size_t bytes_sent = body.size();
   header_bytes_written_ =
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h
index ba59ca622ef..9c94b700936 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h
@@ -24,7 +24,7 @@ class QuicSpdyClientStream : public QuicSpdyStream {
   QuicSpdyClientStream(QuicStreamId id,
                        QuicSpdyClientSession* session,
                        StreamType type);
-  QuicSpdyClientStream(PendingStream pending,
+  QuicSpdyClientStream(PendingStream* pending,
                        QuicSpdyClientSession* spdy_session,
                        StreamType type);
   QuicSpdyClientStream(const QuicSpdyClientStream&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream_test.cc
index 5f5d5c13466..4354a2f9871 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream_test.cc
@@ -10,7 +10,6 @@
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h"
 #include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
@@ -41,8 +40,7 @@ class MockQuicSpdyClientSession : public QuicSpdyClientSession {
                               QuicServerId("example.com", 443, false),
                               &crypto_config_,
                               push_promise_index),
-        crypto_config_(crypto_test_utils::ProofVerifierForTesting(),
-                       TlsClientHandshaker::CreateSslCtx()) {}
+        crypto_config_(crypto_test_utils::ProofVerifierForTesting()) {}
   MockQuicSpdyClientSession(const MockQuicSpdyClientSession&) = delete;
   MockQuicSpdyClientSession& operator=(const MockQuicSpdyClientSession&) =
       delete;
@@ -68,6 +66,7 @@ class QuicSpdyClientStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
                  connection_,
                  &push_promise_index_),
         body_("hello world") {
+    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     session_.Initialize();
 
     headers_[":status"] = "200";
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.cc
index cbe479efab7..2e2e2ec4cda 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.cc
@@ -15,10 +15,10 @@ QuicSpdyServerStreamBase::QuicSpdyServerStreamBase(QuicStreamId id,
                                                    StreamType type)
     : QuicSpdyStream(id, session, type) {}
 
-QuicSpdyServerStreamBase::QuicSpdyServerStreamBase(PendingStream pending,
+QuicSpdyServerStreamBase::QuicSpdyServerStreamBase(PendingStream* pending,
                                                    QuicSpdySession* session,
                                                    StreamType type)
-    : QuicSpdyStream(std::move(pending), session, type) {}
+    : QuicSpdyStream(pending, session, type) {}
 
 void QuicSpdyServerStreamBase::CloseWriteSide() {
   if (!fin_received() && !rst_received() && sequencer()->ignore_read_data() &&
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.h
index 438d152b941..ad0d32699f0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.h
@@ -14,7 +14,7 @@ class QuicSpdyServerStreamBase : public QuicSpdyStream {
   QuicSpdyServerStreamBase(QuicStreamId id,
                            QuicSpdySession* session,
                            StreamType type);
-  QuicSpdyServerStreamBase(PendingStream pending,
+  QuicSpdyServerStreamBase(PendingStream* pending,
                            QuicSpdySession* session,
                            StreamType type);
   QuicSpdyServerStreamBase(const QuicSpdyServerStreamBase&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base_test.cc
index 4e1aa1bd3e9..15638cafc06 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base_test.cc
@@ -59,7 +59,7 @@ TEST_F(QuicSpdyServerStreamBaseTest,
 
   EXPECT_CALL(session_, SendRstStream(_, QUIC_STREAM_NO_ERROR, _)).Times(0);
 
-  if (session_.connection()->transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(session_.connection()->transport_version())) {
     EXPECT_CALL(session_, SendRstStream(_, QUIC_RST_ACKNOWLEDGEMENT, _))
         .Times(1);
   } else {
@@ -76,7 +76,7 @@ TEST_F(QuicSpdyServerStreamBaseTest,
   QuicRstStreamFrame rst_frame(kInvalidControlFrameId, stream_->id(),
                                QUIC_STREAM_CANCELLED, 1234);
   stream_->OnStreamReset(rst_frame);
-  if (session_.connection()->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(session_.connection()->transport_version())) {
     // Create and inject a STOP SENDING frame to complete the close
     // of the stream. This is only needed for version 99/IETF QUIC.
     QuicStopSendingFrame stop_sending(
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.cc
index 35b2d5ef305..e306062ba75 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.cc
@@ -9,6 +9,7 @@
 #include <string>
 #include <utility>
 
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_headers_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
@@ -106,19 +107,19 @@ class QuicSpdySession::SpdyFramerVisitor
     header_list_.Clear();
   }
 
-  void OnStreamFrameData(SpdyStreamId stream_id,
-                         const char* data,
-                         size_t len) override {
+  void OnStreamFrameData(SpdyStreamId /*stream_id*/,
+                         const char* /*data*/,
+                         size_t /*len*/) override {
     CloseConnection("SPDY DATA frame received.",
                     QUIC_INVALID_HEADERS_STREAM_DATA);
   }
 
-  void OnStreamEnd(SpdyStreamId stream_id) override {
+  void OnStreamEnd(SpdyStreamId /*stream_id*/) override {
     // The framer invokes OnStreamEnd after processing a frame that had the fin
     // bit set.
   }
 
-  void OnStreamPadding(SpdyStreamId stream_id, size_t len) override {
+  void OnStreamPadding(SpdyStreamId /*stream_id*/, size_t /*len*/) override {
     CloseConnection("SPDY frame padding received.",
                     QUIC_INVALID_HEADERS_STREAM_DATA);
   }
@@ -138,14 +139,15 @@ class QuicSpdySession::SpdyFramerVisitor
         code);
   }
 
-  void OnDataFrameHeader(SpdyStreamId stream_id,
-                         size_t length,
-                         bool fin) override {
+  void OnDataFrameHeader(SpdyStreamId /*stream_id*/,
+                         size_t /*length*/,
+                         bool /*fin*/) override {
     CloseConnection("SPDY DATA frame received.",
                     QUIC_INVALID_HEADERS_STREAM_DATA);
   }
 
-  void OnRstStream(SpdyStreamId stream_id, SpdyErrorCode error_code) override {
+  void OnRstStream(SpdyStreamId /*stream_id*/,
+                   SpdyErrorCode /*error_code*/) override {
     CloseConnection("SPDY RST_STREAM frame received.",
                     QUIC_INVALID_HEADERS_STREAM_DATA);
   }
@@ -185,13 +187,13 @@ class QuicSpdySession::SpdyFramerVisitor
 
   void OnSettingsEnd() override {}
 
-  void OnPing(SpdyPingId unique_id, bool is_ack) override {
+  void OnPing(SpdyPingId /*unique_id*/, bool /*is_ack*/) override {
     CloseConnection("SPDY PING frame received.",
                     QUIC_INVALID_HEADERS_STREAM_DATA);
   }
 
-  void OnGoAway(SpdyStreamId last_accepted_stream_id,
-                SpdyErrorCode error_code) override {
+  void OnGoAway(SpdyStreamId /*last_accepted_stream_id*/,
+                SpdyErrorCode /*error_code*/) override {
     CloseConnection("SPDY GOAWAY frame received.",
                     QUIC_INVALID_HEADERS_STREAM_DATA);
   }
@@ -202,7 +204,7 @@ class QuicSpdySession::SpdyFramerVisitor
                  SpdyStreamId /*parent_stream_id*/,
                  bool /*exclusive*/,
                  bool fin,
-                 bool end) override {
+                 bool /*end*/) override {
     if (!session_->IsConnected()) {
       return;
     }
@@ -220,14 +222,15 @@ class QuicSpdySession::SpdyFramerVisitor
     session_->OnHeaders(stream_id, has_priority, priority, fin);
   }
 
-  void OnWindowUpdate(SpdyStreamId stream_id, int delta_window_size) override {
+  void OnWindowUpdate(SpdyStreamId /*stream_id*/,
+                      int /*delta_window_size*/) override {
     CloseConnection("SPDY WINDOW_UPDATE frame received.",
                     QUIC_INVALID_HEADERS_STREAM_DATA);
   }
 
   void OnPushPromise(SpdyStreamId stream_id,
                      SpdyStreamId promised_stream_id,
-                     bool end) override {
+                     bool /*end*/) override {
     if (!session_->supports_push_promise()) {
       CloseConnection("PUSH_PROMISE not supported.",
                       QUIC_INVALID_HEADERS_STREAM_DATA);
@@ -236,15 +239,15 @@ class QuicSpdySession::SpdyFramerVisitor
     if (!session_->IsConnected()) {
       return;
     }
-    session_->OnPushPromise(stream_id, promised_stream_id, end);
+    session_->OnPushPromise(stream_id, promised_stream_id);
   }
 
-  void OnContinuation(SpdyStreamId stream_id, bool end) override {}
+  void OnContinuation(SpdyStreamId /*stream_id*/, bool /*end*/) override {}
 
   void OnPriority(SpdyStreamId stream_id,
-                  SpdyStreamId parent_id,
+                  SpdyStreamId /*parent_id*/,
                   int weight,
-                  bool exclusive) override {
+                  bool /*exclusive*/) override {
     if (session_->connection()->transport_version() <= QUIC_VERSION_39) {
       CloseConnection("SPDY PRIORITY frame received.",
                       QUIC_INVALID_HEADERS_STREAM_DATA);
@@ -259,15 +262,16 @@ class QuicSpdySession::SpdyFramerVisitor
     session_->OnPriority(stream_id, priority);
   }
 
-  bool OnUnknownFrame(SpdyStreamId stream_id, uint8_t frame_type) override {
+  bool OnUnknownFrame(SpdyStreamId /*stream_id*/,
+                      uint8_t /*frame_type*/) override {
     CloseConnection("Unknown frame type received.",
                     QUIC_INVALID_HEADERS_STREAM_DATA);
     return false;
   }
 
   // SpdyFramerDebugVisitorInterface implementation
-  void OnSendCompressedFrame(SpdyStreamId stream_id,
-                             SpdyFrameType type,
+  void OnSendCompressedFrame(SpdyStreamId /*stream_id*/,
+                             SpdyFrameType /*type*/,
                              size_t payload_len,
                              size_t frame_len) override {
     if (payload_len == 0) {
@@ -278,17 +282,16 @@ class QuicSpdySession::SpdyFramerVisitor
     QUIC_DVLOG(1) << "Net.QuicHpackCompressionPercentage: " << compression_pct;
   }
 
-  void OnReceiveCompressedFrame(SpdyStreamId stream_id,
-                                SpdyFrameType type,
+  void OnReceiveCompressedFrame(SpdyStreamId /*stream_id*/,
+                                SpdyFrameType /*type*/,
                                 size_t frame_len) override {
     if (session_->IsConnected()) {
       session_->OnCompressedFrameSize(frame_len);
     }
   }
 
-  void set_max_uncompressed_header_bytes(
-      size_t set_max_uncompressed_header_bytes) {
-    header_list_.set_max_header_list_size(set_max_uncompressed_header_bytes);
+  void set_max_header_list_size(size_t max_header_list_size) {
+    header_list_.set_max_header_list_size(max_header_list_size);
   }
 
  private:
@@ -314,6 +317,7 @@ QuicSpdySession::QuicSpdySession(
     const ParsedQuicVersionVector& supported_versions)
     : QuicSession(connection, visitor, config, supported_versions),
       max_inbound_header_list_size_(kDefaultMaxUncompressedHeaderSize),
+      max_outbound_header_list_size_(kDefaultMaxUncompressedHeaderSize),
       server_push_enabled_(true),
       stream_id_(
           QuicUtils::GetInvalidStreamId(connection->transport_version())),
@@ -339,77 +343,76 @@ QuicSpdySession::~QuicSpdySession() {
   for (auto const& kv : zombie_streams()) {
     static_cast<QuicSpdyStream*>(kv.second.get())->ClearSession();
   }
-  for (auto const& kv : dynamic_streams()) {
-    if (eliminate_static_stream_map() && kv.second->is_static()) {
-      continue;
+  for (auto const& kv : stream_map()) {
+    if (!kv.second->is_static()) {
+      static_cast<QuicSpdyStream*>(kv.second.get())->ClearSession();
     }
-    static_cast<QuicSpdyStream*>(kv.second.get())->ClearSession();
   }
 }
 
 void QuicSpdySession::Initialize() {
   QuicSession::Initialize();
 
-  if (perspective() == Perspective::IS_SERVER) {
-    set_largest_peer_created_stream_id(
-        QuicUtils::GetHeadersStreamId(connection()->transport_version()));
-  } else {
-    QuicStreamId headers_stream_id = GetNextOutgoingBidirectionalStreamId();
-    DCHECK_EQ(headers_stream_id,
-              QuicUtils::GetHeadersStreamId(connection()->transport_version()));
+  if (!connection()->version().DoesNotHaveHeadersStream()) {
+    if (perspective() == Perspective::IS_SERVER) {
+      set_largest_peer_created_stream_id(
+          QuicUtils::GetHeadersStreamId(connection()->transport_version()));
+    } else {
+      QuicStreamId headers_stream_id = GetNextOutgoingBidirectionalStreamId();
+      DCHECK_EQ(headers_stream_id, QuicUtils::GetHeadersStreamId(
+                                       connection()->transport_version()));
+    }
   }
 
   if (VersionUsesQpack(connection()->transport_version())) {
-    qpack_encoder_ = QuicMakeUnique<QpackEncoder>(this, this);
-    qpack_decoder_ = QuicMakeUnique<QpackDecoder>(this, this);
+    qpack_encoder_ =
+        QuicMakeUnique<QpackEncoder>(this, &encoder_stream_sender_delegate_);
+    qpack_decoder_ =
+        QuicMakeUnique<QpackDecoder>(this, &decoder_stream_sender_delegate_);
+    // TODO(b/112770235): Send SETTINGS_QPACK_MAX_TABLE_CAPACITY with value
+    // kDefaultQpackMaxDynamicTableCapacity.
+    qpack_decoder_->SetMaximumDynamicTableCapacity(
+        kDefaultQpackMaxDynamicTableCapacity);
   }
 
-  headers_stream_ = QuicMakeUnique<QuicHeadersStream>((this));
+  auto headers_stream = QuicMakeUnique<QuicHeadersStream>((this));
   DCHECK_EQ(QuicUtils::GetHeadersStreamId(connection()->transport_version()),
-            headers_stream_->id());
-  if (!eliminate_static_stream_map()) {
-    RegisterStaticStream(
-        QuicUtils::GetHeadersStreamId(connection()->transport_version()),
-        headers_stream_.get());
-  } else {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 7, 17);
-    unowned_headers_stream_ = headers_stream_.get();
-    RegisterStaticStreamNew(std::move(headers_stream_));
+            headers_stream->id());
+
+  headers_stream_ = headers_stream.get();
+  RegisterStaticStream(std::move(headers_stream),
+                       /*stream_already_counted = */ false);
+
+  if (VersionHasStreamType(connection()->transport_version())) {
+    auto send_control = QuicMakeUnique<QuicSendControlStream>(
+        GetNextOutgoingUnidirectionalStreamId(), this,
+        max_inbound_header_list_size_);
+    send_control_stream_ = send_control.get();
+    RegisterStaticStream(std::move(send_control),
+                         /*stream_already_counted = */ false);
   }
 
-  set_max_uncompressed_header_bytes(max_inbound_header_list_size_);
+  spdy_framer_visitor_->set_max_header_list_size(max_inbound_header_list_size_);
 
   // Limit HPACK buffering to 2x header list size limit.
-  set_max_decode_buffer_size_bytes(2 * max_inbound_header_list_size_);
+  h2_deframer_.GetHpackDecoder()->set_max_decode_buffer_size_bytes(
+      2 * max_inbound_header_list_size_);
 }
 
-void QuicSpdySession::OnDecoderStreamError(QuicStringPiece error_message) {
+void QuicSpdySession::OnDecoderStreamError(QuicStringPiece /*error_message*/) {
   DCHECK(VersionUsesQpack(connection()->transport_version()));
 
   // TODO(112770235): Signal connection error on decoder stream errors.
   QUIC_NOTREACHED();
 }
 
-void QuicSpdySession::WriteEncoderStreamData(QuicStringPiece data) {
-  DCHECK(VersionUsesQpack(connection()->transport_version()));
-
-  // TODO(112770235): Send encoder stream data on encoder stream.
-  QUIC_NOTREACHED();
-}
-
-void QuicSpdySession::OnEncoderStreamError(QuicStringPiece error_message) {
+void QuicSpdySession::OnEncoderStreamError(QuicStringPiece /*error_message*/) {
   DCHECK(VersionUsesQpack(connection()->transport_version()));
 
   // TODO(112770235): Signal connection error on encoder stream errors.
   QUIC_NOTREACHED();
 }
 
-void QuicSpdySession::WriteDecoderStreamData(QuicStringPiece data) {
-  DCHECK(VersionUsesQpack(connection()->transport_version()));
-
-  // TODO(112770235): Send decoder stream data on decoder stream.
-}
-
 void QuicSpdySession::OnStreamHeadersPriority(QuicStreamId stream_id,
                                               SpdyPriority priority) {
   QuicSpdyStream* stream = GetSpdyDataStream(stream_id);
@@ -502,12 +505,20 @@ size_t QuicSpdySession::WritePriority(QuicStreamId id,
   return frame.size();
 }
 
-size_t QuicSpdySession::WritePushPromise(QuicStreamId original_stream_id,
-                                         QuicStreamId promised_stream_id,
-                                         SpdyHeaderBlock headers) {
+void QuicSpdySession::WriteH3Priority(const PriorityFrame& priority) {
+  DCHECK(VersionHasStreamType(connection()->transport_version()));
+  DCHECK(perspective() == Perspective::IS_CLIENT)
+      << "Server must not send priority";
+
+  send_control_stream_->WritePriority(priority);
+}
+
+void QuicSpdySession::WritePushPromise(QuicStreamId original_stream_id,
+                                       QuicStreamId promised_stream_id,
+                                       SpdyHeaderBlock headers) {
   if (perspective() == Perspective::IS_CLIENT) {
     QUIC_BUG << "Client shouldn't send PUSH_PROMISE";
-    return 0;
+    return;
   }
 
   SpdyPushPromiseIR push_promise(original_stream_id, promised_stream_id,
@@ -519,10 +530,13 @@ size_t QuicSpdySession::WritePushPromise(QuicStreamId original_stream_id,
   SpdySerializedFrame frame(spdy_framer_.SerializeFrame(push_promise));
   headers_stream()->WriteOrBufferData(
       QuicStringPiece(frame.data(), frame.size()), false, nullptr);
-  return frame.size();
 }
 
 void QuicSpdySession::SendMaxHeaderListSize(size_t value) {
+  if (VersionHasStreamType(connection()->transport_version())) {
+    send_control_stream_->SendSettingsFrame();
+    return;
+  }
   SpdySettingsIR settings_frame;
   settings_frame.AddSetting(SETTINGS_MAX_HEADER_LIST_SIZE, value);
 
@@ -545,7 +559,23 @@ QpackDecoder* QuicSpdySession::qpack_decoder() {
 
 QuicSpdyStream* QuicSpdySession::GetSpdyDataStream(
     const QuicStreamId stream_id) {
-  QuicStream* stream = GetOrCreateDynamicStream(stream_id);
+  QuicStream* stream = nullptr;
+  if (GetQuicReloadableFlag(quic_inline_getorcreatedynamicstream) &&
+      GetQuicReloadableFlag(quic_handle_staticness_for_spdy_stream)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_inline_getorcreatedynamicstream);
+    stream = GetOrCreateStream(stream_id);
+  } else {
+    stream = GetOrCreateDynamicStream(stream_id);
+  }
+  if (GetQuicReloadableFlag(quic_handle_staticness_for_spdy_stream) && stream &&
+      stream->is_static()) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_handle_staticness_for_spdy_stream);
+    QUIC_BUG << "GetSpdyDataStream returns static stream";
+    connection()->CloseConnection(
+        QUIC_INVALID_STREAM_ID, "stream is static",
+        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+    return nullptr;
+  }
   DCHECK(!stream || !stream->is_static());
   return static_cast<QuicSpdyStream*>(stream);
 }
@@ -566,8 +596,10 @@ bool QuicSpdySession::ShouldKeepConnectionAlive() const {
 }
 
 bool QuicSpdySession::UsesPendingStreams() const {
-  DCHECK(VersionHasStreamType(connection()->transport_version()));
-  return true;
+  // QuicSpdySession supports PendingStreams, therefore this method should
+  // eventually just return true.  However, pending streams can only be used if
+  // unidirectional stream type is supported.
+  return VersionHasStreamType(connection()->transport_version());
 }
 
 size_t QuicSpdySession::WriteHeadersOnHeadersStreamImpl(
@@ -595,10 +627,11 @@ size_t QuicSpdySession::WriteHeadersOnHeadersStreamImpl(
   return frame.size();
 }
 
-void QuicSpdySession::OnPromiseHeaderList(QuicStreamId stream_id,
-                                          QuicStreamId promised_stream_id,
-                                          size_t frame_len,
-                                          const QuicHeaderList& header_list) {
+void QuicSpdySession::OnPromiseHeaderList(
+    QuicStreamId /*stream_id*/,
+    QuicStreamId /*promised_stream_id*/,
+    size_t /*frame_len*/,
+    const QuicHeaderList& /*header_list*/) {
   std::string error =
       "OnPromiseHeaderList should be overridden in client code.";
   QUIC_BUG << error;
@@ -637,8 +670,7 @@ void QuicSpdySession::OnHeaders(SpdyStreamId stream_id,
 }
 
 void QuicSpdySession::OnPushPromise(SpdyStreamId stream_id,
-                                    SpdyStreamId promised_stream_id,
-                                    bool end) {
+                                    SpdyStreamId promised_stream_id) {
   DCHECK_EQ(QuicUtils::GetInvalidStreamId(connection()->transport_version()),
             stream_id_);
   DCHECK_EQ(QuicUtils::GetInvalidStreamId(connection()->transport_version()),
@@ -704,12 +736,6 @@ void QuicSpdySession::UpdateEnableServerPush(bool value) {
   set_server_push_enabled(value);
 }
 
-void QuicSpdySession::set_max_uncompressed_header_bytes(
-    size_t set_max_uncompressed_header_bytes) {
-  spdy_framer_visitor_->set_max_uncompressed_header_bytes(
-      set_max_uncompressed_header_bytes);
-}
-
 void QuicSpdySession::CloseConnectionWithDetails(QuicErrorCode error,
                                                  const std::string& details) {
   connection()->CloseConnection(
@@ -717,16 +743,12 @@ void QuicSpdySession::CloseConnectionWithDetails(QuicErrorCode error,
 }
 
 bool QuicSpdySession::HasActiveRequestStreams() const {
-  if (!eliminate_static_stream_map()) {
-    return !dynamic_streams().empty();
-  }
   // In the case where session is destructed by calling
-  // dynamic_streams().clear(), we will have incorrect accounting here.
+  // stream_map().clear(), we will have incorrect accounting here.
   // TODO(renjietang): Modify destructors and make this a DCHECK.
-  QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 9, 17);
-  if (static_cast<size_t>(dynamic_streams().size()) >
+  if (static_cast<size_t>(stream_map().size()) >
       num_incoming_static_streams() + num_outgoing_static_streams()) {
-    return dynamic_streams().size() - num_incoming_static_streams() -
+    return stream_map().size() - num_incoming_static_streams() -
                num_outgoing_static_streams() >
            0;
   }
@@ -735,6 +757,7 @@ bool QuicSpdySession::HasActiveRequestStreams() const {
 
 bool QuicSpdySession::ProcessPendingStream(PendingStream* pending) {
   DCHECK(VersionHasStreamType(connection()->transport_version()));
+  DCHECK(connection()->connected());
   struct iovec iov;
   if (!pending->sequencer()->GetReadableRegion(&iov)) {
     // The first byte hasn't been received yet.
@@ -750,11 +773,16 @@ bool QuicSpdySession::ProcessPendingStream(PendingStream* pending) {
   pending->MarkConsumed(stream_type_length);
 
   switch (stream_type) {
-    case kControlStream:  // HTTP/3 control stream.
-      // TODO(renjietang): Create incoming control stream.
-      break;
+    case kControlStream: {  // HTTP/3 control stream.
+      auto receive_stream = QuicMakeUnique<QuicReceiveControlStream>(pending);
+      receive_control_stream_ = receive_stream.get();
+      RegisterStaticStream(std::move(receive_stream),
+                           /*stream_already_counted = */ true);
+      receive_control_stream_->SetUnblocked();
+      return true;
+    }
     case kServerPushStream: {  // Push Stream.
-      QuicSpdyStream* stream = CreateIncomingStream(std::move(*pending));
+      QuicSpdyStream* stream = CreateIncomingStream(pending);
       stream->SetUnblocked();
       return true;
     }
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.h
index d0978c1e0ce..aa2c27d067f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.h
@@ -11,11 +11,14 @@
 
 #include "net/third_party/quiche/src/quic/core/http/quic_header_list.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_headers_stream.h"
+#include "net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h"
+#include "net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
 #include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
@@ -28,12 +31,6 @@ namespace test {
 class QuicSpdySessionPeer;
 }  // namespace test
 
-// Unidirectional stream types define by IETF HTTP/3 draft in section 3.2.
-const uint64_t kControlStream = 0;
-const uint64_t kServerPushStream = 1;
-const uint64_t kQpackEncoderStream = 2;
-const uint64_t kQpackDecoderStream = 3;
-
 // QuicHpackDebugVisitor gathers data used for understanding HPACK HoL
 // dynamics.  Specifically, it is to help predict the compression
 // penalty of avoiding HoL by chagning how the dynamic table is used.
@@ -57,9 +54,7 @@ class QUIC_EXPORT_PRIVATE QuicHpackDebugVisitor {
 class QUIC_EXPORT_PRIVATE QuicSpdySession
     : public QuicSession,
       public QpackEncoder::DecoderStreamErrorDelegate,
-      public QpackEncoderStreamSender::Delegate,
-      public QpackDecoder::EncoderStreamErrorDelegate,
-      public QpackDecoderStreamSender::Delegate {
+      public QpackDecoder::EncoderStreamErrorDelegate {
  public:
   // Does not take ownership of |connection| or |visitor|.
   QuicSpdySession(QuicConnection* connection,
@@ -76,15 +71,9 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
   // QpackEncoder::DecoderStreamErrorDelegate implementation.
   void OnDecoderStreamError(QuicStringPiece error_message) override;
 
-  // QpackEncoderStreamSender::Delegate implemenation.
-  void WriteEncoderStreamData(QuicStringPiece data) override;
-
   // QpackDecoder::EncoderStreamErrorDelegate implementation.
   void OnEncoderStreamError(QuicStringPiece error_message) override;
 
-  // QpackDecoderStreamSender::Delegate implementation.
-  void WriteDecoderStreamData(QuicStringPiece data) override;
-
   // Called by |headers_stream_| when headers with a priority have been
   // received for a stream.  This method will only be called for server streams.
   virtual void OnStreamHeadersPriority(QuicStreamId stream_id,
@@ -133,27 +122,23 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
                        int weight,
                        bool exclusive);
 
+  // Writes a HTTP/3 PRIORITY frame to the peer.
+  void WriteH3Priority(const PriorityFrame& priority);
+
   // Write |headers| for |promised_stream_id| on |original_stream_id| in a
   // PUSH_PROMISE frame to peer.
-  // Return the size, in bytes, of the resulting PUSH_PROMISE frame.
-  virtual size_t WritePushPromise(QuicStreamId original_stream_id,
-                                  QuicStreamId promised_stream_id,
-                                  spdy::SpdyHeaderBlock headers);
+  virtual void WritePushPromise(QuicStreamId original_stream_id,
+                                QuicStreamId promised_stream_id,
+                                spdy::SpdyHeaderBlock headers);
 
   // Sends SETTINGS_MAX_HEADER_LIST_SIZE SETTINGS frame.
   void SendMaxHeaderListSize(size_t value);
 
   QpackEncoder* qpack_encoder();
   QpackDecoder* qpack_decoder();
-  QuicHeadersStream* headers_stream() {
-    return eliminate_static_stream_map() ? unowned_headers_stream_
-                                         : headers_stream_.get();
-  }
+  QuicHeadersStream* headers_stream() { return headers_stream_; }
 
-  const QuicHeadersStream* headers_stream() const {
-    return eliminate_static_stream_map() ? unowned_headers_stream_
-                                         : headers_stream_.get();
-  }
+  const QuicHeadersStream* headers_stream() const { return headers_stream_; }
 
   bool server_push_enabled() const { return server_push_enabled_; }
 
@@ -168,10 +153,20 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
   void CloseConnectionWithDetails(QuicErrorCode error,
                                   const std::string& details);
 
+  // Must be called before Initialize().
+  // TODO(bnc): Move to constructor argument.
   void set_max_inbound_header_list_size(size_t max_inbound_header_list_size) {
     max_inbound_header_list_size_ = max_inbound_header_list_size;
   }
 
+  void set_max_outbound_header_list_size(size_t max_outbound_header_list_size) {
+    max_outbound_header_list_size_ = max_outbound_header_list_size;
+  }
+
+  size_t max_outbound_header_list_size() const {
+    return max_outbound_header_list_size_;
+  }
+
   size_t max_inbound_header_list_size() const {
     return max_inbound_header_list_size_;
   }
@@ -184,7 +179,7 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
   // CreateOutgoingUnidirectionalStream() with QuicSpdyStream return type to
   // make sure that all data streams are QuicSpdyStreams.
   QuicSpdyStream* CreateIncomingStream(QuicStreamId id) override = 0;
-  QuicSpdyStream* CreateIncomingStream(PendingStream pending) override = 0;
+  QuicSpdyStream* CreateIncomingStream(PendingStream* pending) override = 0;
   virtual QuicSpdyStream* CreateOutgoingBidirectionalStream() = 0;
   virtual QuicSpdyStream* CreateOutgoingUnidirectionalStream() = 0;
 
@@ -238,16 +233,6 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
 
   bool IsConnected() { return connection()->connected(); }
 
-  // Sets how much encoded data the hpack decoder of h2_deframer_ is willing to
-  // buffer.
-  void set_max_decode_buffer_size_bytes(size_t max_decode_buffer_size_bytes) {
-    h2_deframer_.GetHpackDecoder()->set_max_decode_buffer_size_bytes(
-        max_decode_buffer_size_bytes);
-  }
-
-  void set_max_uncompressed_header_bytes(
-      size_t set_max_uncompressed_header_bytes);
-
  private:
   friend class test::QuicSpdySessionPeer;
 
@@ -263,8 +248,7 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
 
   // Called when a PUSH_PROMISE frame has been received.
   void OnPushPromise(spdy::SpdyStreamId stream_id,
-                     spdy::SpdyStreamId promised_stream_id,
-                     bool end);
+                     spdy::SpdyStreamId promised_stream_id);
 
   // Called when a PRIORITY frame has been received.
   void OnPriority(spdy::SpdyStreamId stream_id, spdy::SpdyPriority priority);
@@ -278,20 +262,23 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
   std::unique_ptr<QpackEncoder> qpack_encoder_;
   std::unique_ptr<QpackDecoder> qpack_decoder_;
 
-  // TODO(123528590): Remove this member.
-  std::unique_ptr<QuicHeadersStream> headers_stream_;
+  // Pointer to the header stream in stream_map_.
+  QuicHeadersStream* headers_stream_;
 
-  // Unowned headers stream pointer that points to the stream
-  // in dynamic_stream_map.
-  // TODO(renjietang): Merge this with headers_stream_ and clean up other
-  // static_stream_map logic when flag eliminate_static_stream_map
-  // is deprecated.
-  QuicHeadersStream* unowned_headers_stream_;
+  // HTTP/3 control streams. They are owned by QuicSession inside dynamic
+  // stream map, and can be accessed by those unowned pointers below.
+  QuicSendControlStream* send_control_stream_;
+  QuicReceiveControlStream* receive_control_stream_;
 
   // The maximum size of a header block that will be accepted from the peer,
   // defined per spec as key + value + overhead per field (uncompressed).
   size_t max_inbound_header_list_size_;
 
+  // The maximum size of a header block that can be sent to the peer. This field
+  // is informed and set by the peer via SETTINGS frame.
+  // TODO(renjietang): Honor this field when sending headers.
+  size_t max_outbound_header_list_size_;
+
   // Set during handshake. If true, resources in x-associated-content and link
   // headers will be pushed.
   bool server_push_enabled_;
@@ -308,6 +295,10 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
   spdy::SpdyFramer spdy_framer_;
   http2::Http2DecoderAdapter h2_deframer_;
   std::unique_ptr<SpdyFramerVisitor> spdy_framer_visitor_;
+
+  // TODO(renjietang): Replace these two members with actual QPACK send streams.
+  NoopQpackStreamSenderDelegate encoder_stream_sender_delegate_;
+  NoopQpackStreamSenderDelegate decoder_stream_sender_delegate_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc
index 942688a62e7..2042f88019e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc
@@ -11,6 +11,7 @@
 
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
 #include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
@@ -119,8 +120,8 @@ class TestStream : public QuicSpdyStream {
   TestStream(QuicStreamId id, QuicSpdySession* session, StreamType type)
       : QuicSpdyStream(id, session, type) {}
 
-  TestStream(PendingStream pending, QuicSpdySession* session, StreamType type)
-      : QuicSpdyStream(std::move(pending), session, type) {}
+  TestStream(PendingStream* pending, QuicSpdySession* session, StreamType type)
+      : QuicSpdyStream(pending, session, type) {}
 
   using QuicStream::CloseWriteSide;
 
@@ -176,7 +177,7 @@ class TestSession : public QuicSpdySession {
     // Enforce the limit on the number of open streams.
     if (GetNumOpenIncomingStreams() + 1 >
             max_open_incoming_bidirectional_streams() &&
-        connection()->transport_version() != QUIC_VERSION_99) {
+        !VersionHasIetfQuicFrames(connection()->transport_version())) {
       connection()->CloseConnection(
           QUIC_TOO_MANY_OPEN_STREAMS, "Too many streams!",
           ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
@@ -192,10 +193,10 @@ class TestSession : public QuicSpdySession {
     }
   }
 
-  TestStream* CreateIncomingStream(PendingStream pending) override {
-    QuicStreamId id = pending.id();
+  TestStream* CreateIncomingStream(PendingStream* pending) override {
+    QuicStreamId id = pending->id();
     TestStream* stream =
-        new TestStream(std::move(pending), this,
+        new TestStream(pending, this,
                        DetermineStreamType(
                            id, connection()->transport_version(), perspective(),
                            /*is_incoming=*/true, BIDIRECTIONAL));
@@ -212,8 +213,8 @@ class TestSession : public QuicSpdySession {
     return QuicSession::IsClosedStream(id);
   }
 
-  QuicStream* GetOrCreateDynamicStream(QuicStreamId stream_id) {
-    return QuicSpdySession::GetOrCreateDynamicStream(stream_id);
+  QuicStream* GetOrCreateStream(QuicStreamId stream_id) {
+    return QuicSpdySession::GetOrCreateStream(stream_id);
   }
 
   QuicConsumedData WritevData(QuicStream* stream,
@@ -254,11 +255,6 @@ class TestSession : public QuicSpdySession {
     return consumed;
   }
 
-  bool ClearControlFrame(const QuicFrame& frame) {
-    DeleteFrame(&const_cast<QuicFrame&>(frame));
-    return true;
-  }
-
   QuicConsumedData SendLargeFakeData(QuicStream* stream, int bytes) {
     DCHECK(writev_consumes_all_data_);
     return WritevData(stream, stream->id(), bytes, 0, FIN);
@@ -297,33 +293,6 @@ class QuicSpdySessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
         kInitialStreamFlowControlWindowForTest);
     session_.config()->SetInitialSessionFlowControlWindowToSend(
         kInitialSessionFlowControlWindowForTest);
-    headers_[":host"] = "www.google.com";
-    headers_[":path"] = "/index.hml";
-    headers_[":scheme"] = "http";
-    headers_["cookie"] =
-        "__utma=208381060.1228362404.1372200928.1372200928.1372200928.1; "
-        "__utmc=160408618; "
-        "GX=DQAAAOEAAACWJYdewdE9rIrW6qw3PtVi2-d729qaa-74KqOsM1NVQblK4VhX"
-        "hoALMsy6HOdDad2Sz0flUByv7etmo3mLMidGrBoljqO9hSVA40SLqpG_iuKKSHX"
-        "RW3Np4bq0F0SDGDNsW0DSmTS9ufMRrlpARJDS7qAI6M3bghqJp4eABKZiRqebHT"
-        "pMU-RXvTI5D5oCF1vYxYofH_l1Kviuiy3oQ1kS1enqWgbhJ2t61_SNdv-1XJIS0"
-        "O3YeHLmVCs62O6zp89QwakfAWK9d3IDQvVSJzCQsvxvNIvaZFa567MawWlXg0Rh"
-        "1zFMi5vzcns38-8_Sns; "
-        "GA=v*2%2Fmem*57968640*47239936%2Fmem*57968640*47114716%2Fno-nm-"
-        "yj*15%2Fno-cc-yj*5%2Fpc-ch*133685%2Fpc-s-cr*133947%2Fpc-s-t*1339"
-        "47%2Fno-nm-yj*4%2Fno-cc-yj*1%2Fceft-as*1%2Fceft-nqas*0%2Fad-ra-c"
-        "v_p%2Fad-nr-cv_p-f*1%2Fad-v-cv_p*859%2Fad-ns-cv_p-f*1%2Ffn-v-ad%"
-        "2Fpc-t*250%2Fpc-cm*461%2Fpc-s-cr*722%2Fpc-s-t*722%2Fau_p*4"
-        "SICAID=AJKiYcHdKgxum7KMXG0ei2t1-W4OD1uW-ecNsCqC0wDuAXiDGIcT_HA2o1"
-        "3Rs1UKCuBAF9g8rWNOFbxt8PSNSHFuIhOo2t6bJAVpCsMU5Laa6lewuTMYI8MzdQP"
-        "ARHKyW-koxuhMZHUnGBJAM1gJODe0cATO_KGoX4pbbFxxJ5IicRxOrWK_5rU3cdy6"
-        "edlR9FsEdH6iujMcHkbE5l18ehJDwTWmBKBzVD87naobhMMrF6VvnDGxQVGp9Ir_b"
-        "Rgj3RWUoPumQVCxtSOBdX0GlJOEcDTNCzQIm9BSfetog_eP_TfYubKudt5eMsXmN6"
-        "QnyXHeGeK2UINUzJ-D30AFcpqYgH9_1BvYSpi7fc7_ydBU8TaD8ZRxvtnzXqj0RfG"
-        "tuHghmv3aD-uzSYJ75XDdzKdizZ86IG6Fbn1XFhYZM-fbHhm3mVEXnyRW4ZuNOLFk"
-        "Fas6LMcVC6Q8QLlHYbXBpdNFuGbuZGUnav5C-2I_-46lL0NGg3GewxGKGHvHEfoyn"
-        "EFFlEYHsBQ98rXImL8ySDycdLEFvBPdtctPmWCfTxwmoSMLHU2SCVDhbqMWU5b0yr"
-        "JBCScs_ejbKaqBDoB7ZGxTvqlrB__2ZmnHHjCr8RgMRtKNtIeuZAo ";
     connection_->AdvanceTime(QuicTime::Delta::FromSeconds(1));
     TestCryptoStream* crypto_stream = session_.GetMutableCryptoStream();
     EXPECT_CALL(*crypto_stream, HasPendingRetransmission())
@@ -347,14 +316,14 @@ class QuicSpdySessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
   }
 
   void CloseStream(QuicStreamId id) {
-    if (!IsVersion99()) {
+    if (!VersionHasIetfQuicFrames(transport_version())) {
       EXPECT_CALL(*connection_, SendControlFrame(_))
-          .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+          .WillOnce(Invoke(&ClearControlFrame));
     } else {
       // V99 has two frames, RST_STREAM and STOP_SENDING
       EXPECT_CALL(*connection_, SendControlFrame(_))
           .Times(2)
-          .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+          .WillRepeatedly(Invoke(&ClearControlFrame));
     }
     EXPECT_CALL(*connection_, OnStreamReset(id, _));
     session_.CloseStream(id);
@@ -365,8 +334,6 @@ class QuicSpdySessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
     return connection_->transport_version();
   }
 
-  bool IsVersion99() const { return transport_version() == QUIC_VERSION_99; }
-
   QuicStreamId GetNthClientInitiatedBidirectionalId(int n) {
     return GetNthClientInitiatedBidirectionalStreamId(transport_version(), n);
   }
@@ -380,6 +347,13 @@ class QuicSpdySessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
     return QuicUtils::StreamIdDelta(connection_->transport_version());
   }
 
+  std::string EncodeSettings(const SettingsFrame& settings) {
+    HttpEncoder encoder;
+    std::unique_ptr<char[]> buffer;
+    auto header_length = encoder.SerializeSettingsFrame(settings, &buffer);
+    return std::string(buffer.get(), header_length);
+  }
+
   QuicStreamId StreamCountToId(QuicStreamCount stream_count,
                                Perspective perspective,
                                bool bidirectional) {
@@ -388,7 +362,7 @@ class QuicSpdySessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
     // needs to do the stream count where #1 is 0/1/2/3, and not
     // take into account that stream 0 is special.
     QuicStreamId id =
-        ((stream_count - 1) * QuicUtils::StreamIdDelta(QUIC_VERSION_99));
+        ((stream_count - 1) * QuicUtils::StreamIdDelta(transport_version()));
     if (!bidirectional) {
       id |= 0x2;
     }
@@ -403,7 +377,6 @@ class QuicSpdySessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
   StrictMock<MockQuicConnection>* connection_;
   TestSession session_;
   std::set<QuicStreamId> closed_streams_;
-  SpdyHeaderBlock headers_;
 };
 
 class QuicSpdySessionTestServer : public QuicSpdySessionTestBase {
@@ -454,16 +427,16 @@ TEST_P(QuicSpdySessionTestServer, IsClosedStreamDefault) {
 }
 
 TEST_P(QuicSpdySessionTestServer, AvailableStreams) {
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedBidirectionalId(2)) != nullptr);
   // Both client initiated streams with smaller stream IDs are available.
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthClientInitiatedBidirectionalId(0)));
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthClientInitiatedBidirectionalId(1)));
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedBidirectionalId(1)) != nullptr);
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedBidirectionalId(0)) != nullptr);
 }
 
@@ -483,15 +456,15 @@ TEST_P(QuicSpdySessionTestServer, IsClosedStreamLocallyCreated) {
 TEST_P(QuicSpdySessionTestServer, IsClosedStreamPeerCreated) {
   QuicStreamId stream_id1 = GetNthClientInitiatedBidirectionalId(0);
   QuicStreamId stream_id2 = GetNthClientInitiatedBidirectionalId(1);
-  session_.GetOrCreateDynamicStream(stream_id1);
-  session_.GetOrCreateDynamicStream(stream_id2);
+  session_.GetOrCreateStream(stream_id1);
+  session_.GetOrCreateStream(stream_id2);
 
   CheckClosedStreams();
   CloseStream(stream_id1);
   CheckClosedStreams();
   CloseStream(stream_id2);
   // Create a stream, and make another available.
-  QuicStream* stream3 = session_.GetOrCreateDynamicStream(stream_id2 + 4);
+  QuicStream* stream3 = session_.GetOrCreateStream(stream_id2 + 4);
   CheckClosedStreams();
   // Close one, but make sure the other is still not closed
   CloseStream(stream3->id());
@@ -499,32 +472,35 @@ TEST_P(QuicSpdySessionTestServer, IsClosedStreamPeerCreated) {
 }
 
 TEST_P(QuicSpdySessionTestServer, MaximumAvailableOpenedStreams) {
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // For IETF QUIC, we should be able to obtain the max allowed
     // stream ID, the next ID should fail. Since the actual limit
     // is not the number of open streams, we allocate the max and the max+2.
     // Get the max allowed stream ID, this should succeed.
+    QuicStreamCount headers_stream_offset =
+        VersionLacksHeadersStream(QUIC_VERSION_99) ? 1 : 0;
     QuicStreamId stream_id = StreamCountToId(
         QuicSessionPeer::v99_streamid_manager(&session_)
-            ->actual_max_allowed_incoming_bidirectional_streams(),
+                ->actual_max_allowed_incoming_bidirectional_streams() -
+            headers_stream_offset,
         Perspective::IS_CLIENT,  // Client initates stream, allocs stream id.
         /*bidirectional=*/true);
-    EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id));
+    EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id));
     stream_id = StreamCountToId(
         QuicSessionPeer::v99_streamid_manager(&session_)
             ->actual_max_allowed_incoming_unidirectional_streams(),
         Perspective::IS_CLIENT,
         /*bidirectional=*/false);
-    EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id));
+    EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id));
     EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(2);
     // Get the (max allowed stream ID)++. These should all fail.
     stream_id = StreamCountToId(
         QuicSessionPeer::v99_streamid_manager(&session_)
                 ->actual_max_allowed_incoming_bidirectional_streams() +
-            1,
+            1 - headers_stream_offset,
         Perspective::IS_CLIENT,
         /*bidirectional=*/true);
-    EXPECT_EQ(nullptr, session_.GetOrCreateDynamicStream(stream_id));
+    EXPECT_EQ(nullptr, session_.GetOrCreateStream(stream_id));
 
     stream_id = StreamCountToId(
         QuicSessionPeer::v99_streamid_manager(&session_)
@@ -532,14 +508,14 @@ TEST_P(QuicSpdySessionTestServer, MaximumAvailableOpenedStreams) {
             1,
         Perspective::IS_CLIENT,
         /*bidirectional=*/false);
-    EXPECT_EQ(nullptr, session_.GetOrCreateDynamicStream(stream_id));
+    EXPECT_EQ(nullptr, session_.GetOrCreateStream(stream_id));
   } else {
     QuicStreamId stream_id = GetNthClientInitiatedBidirectionalId(0);
-    session_.GetOrCreateDynamicStream(stream_id);
+    session_.GetOrCreateStream(stream_id);
     EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
     EXPECT_NE(
         nullptr,
-        session_.GetOrCreateDynamicStream(
+        session_.GetOrCreateStream(
             stream_id +
             IdDelta() *
                 (session_.max_open_incoming_bidirectional_streams() - 1)));
@@ -549,35 +525,35 @@ TEST_P(QuicSpdySessionTestServer, MaximumAvailableOpenedStreams) {
 TEST_P(QuicSpdySessionTestServer, TooManyAvailableStreams) {
   QuicStreamId stream_id1 = GetNthClientInitiatedBidirectionalId(0);
   QuicStreamId stream_id2;
-  EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id1));
+  EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id1));
   // A stream ID which is too large to create.
   stream_id2 = GetNthClientInitiatedBidirectionalId(
       2 * session_.MaxAvailableBidirectionalStreams() + 4);
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_STREAM_ID, _, _));
   } else {
     EXPECT_CALL(*connection_,
                 CloseConnection(QUIC_TOO_MANY_AVAILABLE_STREAMS, _, _));
   }
-  EXPECT_EQ(nullptr, session_.GetOrCreateDynamicStream(stream_id2));
+  EXPECT_EQ(nullptr, session_.GetOrCreateStream(stream_id2));
 }
 
 TEST_P(QuicSpdySessionTestServer, ManyAvailableStreams) {
   // When max_open_streams_ is 200, should be able to create 200 streams
   // out-of-order, that is, creating the one with the largest stream ID first.
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(&session_, 200);
   } else {
     QuicSessionPeer::SetMaxOpenIncomingStreams(&session_, 200);
   }
   QuicStreamId stream_id = GetNthClientInitiatedBidirectionalId(0);
   // Create one stream.
-  session_.GetOrCreateDynamicStream(stream_id);
+  session_.GetOrCreateStream(stream_id);
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
   // Stream count is 200, GetNth... starts counting at 0, so the 200'th stream
   // is 199. BUT actually we need to do 198 because the crypto stream (Stream
   // ID 0) has not been registered, but GetNth... assumes that it has.
-  EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(
+  EXPECT_NE(nullptr, session_.GetOrCreateStream(
                          GetNthClientInitiatedBidirectionalId(198)));
 }
 
@@ -601,6 +577,11 @@ TEST_P(QuicSpdySessionTestServer,
 }
 
 TEST_P(QuicSpdySessionTestServer, OnCanWrite) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
@@ -630,6 +611,11 @@ TEST_P(QuicSpdySessionTestServer, OnCanWrite) {
 }
 
 TEST_P(QuicSpdySessionTestServer, TestBatchedWrites) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
@@ -696,7 +682,7 @@ TEST_P(QuicSpdySessionTestServer, TestBatchedWrites) {
 }
 
 TEST_P(QuicSpdySessionTestServer, OnCanWriteBundlesStreams) {
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_CALL(*connection_, SendControlFrame(_))
         .WillRepeatedly(Invoke(
             this, &QuicSpdySessionTestServer::ClearMaxStreamsControlFrame));
@@ -746,6 +732,11 @@ TEST_P(QuicSpdySessionTestServer, OnCanWriteBundlesStreams) {
 }
 
 TEST_P(QuicSpdySessionTestServer, OnCanWriteCongestionControlBlocks) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   InSequence s;
 
@@ -792,6 +783,11 @@ TEST_P(QuicSpdySessionTestServer, OnCanWriteCongestionControlBlocks) {
 }
 
 TEST_P(QuicSpdySessionTestServer, OnCanWriteWriterBlocks) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Drive congestion control manually in order to ensure that
   // application-limited signaling is handled correctly.
   MockSendAlgorithm* send_algorithm = new StrictMock<MockSendAlgorithm>;
@@ -870,6 +866,11 @@ TEST_P(QuicSpdySessionTestServer, BufferedHandshake) {
 }
 
 TEST_P(QuicSpdySessionTestServer, OnCanWriteWithClosedStream) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
@@ -882,7 +883,7 @@ TEST_P(QuicSpdySessionTestServer, OnCanWriteWithClosedStream) {
 
   InSequence s;
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*stream2, OnCanWrite()).WillOnce(Invoke([this, stream2]() {
     session_.SendStreamData(stream2);
   }));
@@ -927,16 +928,10 @@ TEST_P(QuicSpdySessionTestServer,
     EXPECT_CALL(*crypto_stream, OnCanWrite());
   }
   TestHeadersStream* headers_stream;
-  if (!GetQuicReloadableFlag(quic_eliminate_static_stream_map_3) &&
-      !QuicVersionUsesCryptoFrames(connection_->transport_version())) {
-    QuicSpdySessionPeer::SetHeadersStream(&session_, nullptr);
-    headers_stream = new TestHeadersStream(&session_);
-    QuicSpdySessionPeer::SetHeadersStream(&session_, headers_stream);
-  } else {
-    QuicSpdySessionPeer::SetUnownedHeadersStream(&session_, nullptr);
-    headers_stream = new TestHeadersStream(&session_);
-    QuicSpdySessionPeer::SetUnownedHeadersStream(&session_, headers_stream);
-  }
+
+  QuicSpdySessionPeer::SetHeadersStream(&session_, nullptr);
+  headers_stream = new TestHeadersStream(&session_);
+  QuicSpdySessionPeer::SetHeadersStream(&session_, headers_stream);
   session_.MarkConnectionLevelWriteBlocked(
       QuicUtils::GetHeadersStreamId(connection_->transport_version()));
   EXPECT_CALL(*headers_stream, OnCanWrite());
@@ -950,7 +945,7 @@ TEST_P(QuicSpdySessionTestServer,
 }
 
 TEST_P(QuicSpdySessionTestServer, SendGoAway) {
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // GoAway frames are not in version 99
     return;
   }
@@ -970,24 +965,24 @@ TEST_P(QuicSpdySessionTestServer, SendGoAway) {
   EXPECT_CALL(*connection_,
               OnStreamReset(kTestStreamId, QUIC_STREAM_PEER_GOING_AWAY))
       .Times(0);
-  EXPECT_TRUE(session_.GetOrCreateDynamicStream(kTestStreamId));
+  EXPECT_TRUE(session_.GetOrCreateStream(kTestStreamId));
 }
 
 TEST_P(QuicSpdySessionTestServer, DoNotSendGoAwayTwice) {
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // TODO(b/118808809): Enable this test for version 99 when GOAWAY is
     // supported.
     return;
   }
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   session_.SendGoAway(QUIC_PEER_GOING_AWAY, "Going Away.");
   EXPECT_TRUE(session_.goaway_sent());
   session_.SendGoAway(QUIC_PEER_GOING_AWAY, "Going Away.");
 }
 
 TEST_P(QuicSpdySessionTestServer, InvalidGoAway) {
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // TODO(b/118808809): Enable this test for version 99 when GOAWAY is
     // supported.
     return;
@@ -1009,7 +1004,7 @@ TEST_P(QuicSpdySessionTestServer, ServerReplyToConnecitivityProbe) {
 
   EXPECT_CALL(*connection_,
               SendConnectivityProbingResponsePacket(new_peer_address));
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // Need to explicitly do this to emulate the reception of a PathChallenge,
     // which stores its payload for use in generating the response.
     connection_->OnPathChallengeFrame(
@@ -1038,7 +1033,7 @@ TEST_P(QuicSpdySessionTestServer, RstStreamBeforeHeadersDecompressed) {
   EXPECT_EQ(1u, session_.GetNumOpenIncomingStreams());
 
   EXPECT_CALL(*connection_, SendControlFrame(_));
-  if (!IsVersion99()) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // For version99, OnStreamReset gets called because of the STOP_SENDING,
     // below. EXPECT the call there.
     EXPECT_CALL(*connection_,
@@ -1052,7 +1047,7 @@ TEST_P(QuicSpdySessionTestServer, RstStreamBeforeHeadersDecompressed) {
   // Create and inject a STOP_SENDING frame. In GOOGLE QUIC, receiving a
   // RST_STREAM frame causes a two-way close. For IETF QUIC, RST_STREAM causes a
   // one-way close.
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // Only needed for version 99/IETF QUIC.
     QuicStopSendingFrame stop_sending(
         kInvalidControlFrameId, GetNthClientInitiatedBidirectionalId(0),
@@ -1121,6 +1116,11 @@ TEST_P(QuicSpdySessionTestServer, OnRstStreamInvalidStreamId) {
 }
 
 TEST_P(QuicSpdySessionTestServer, HandshakeUnblocksFlowControlBlockedStream) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Test that if a stream is flow control blocked, then on receipt of the SHLO
   // containing a suitable send window offset, the stream becomes unblocked.
 
@@ -1170,12 +1170,12 @@ TEST_P(QuicSpdySessionTestServer,
   EXPECT_FALSE(headers_stream->flow_controller()->IsBlocked());
   EXPECT_FALSE(session_.IsConnectionFlowControlBlocked());
   EXPECT_FALSE(session_.IsStreamFlowControlBlocked());
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_CALL(*connection_, SendControlFrame(_))
-        .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+        .WillOnce(Invoke(&ClearControlFrame));
   } else {
     EXPECT_CALL(*connection_, SendControlFrame(_))
-        .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+        .WillOnce(Invoke(&ClearControlFrame));
   }
   for (QuicStreamId i = 0;
        !crypto_stream->flow_controller()->IsBlocked() && i < 1000u; i++) {
@@ -1245,7 +1245,7 @@ TEST_P(QuicSpdySessionTestServer,
   QuicStreamId stream_id = 5;
   // Write until the header stream is flow control blocked.
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   SpdyHeaderBlock headers;
   SimpleRandom random;
   while (!headers_stream->flow_controller()->IsBlocked() && stream_id < 2000) {
@@ -1298,8 +1298,8 @@ TEST_P(QuicSpdySessionTestServer,
 
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(2)
-      .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
-  if (!IsVersion99()) {
+      .WillRepeatedly(Invoke(&ClearControlFrame));
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // For version99 the call to OnStreamReset happens as a result of receiving
     // the STOP_SENDING, so set up the EXPECT there.
     EXPECT_CALL(*connection_, OnStreamReset(stream->id(), _));
@@ -1310,7 +1310,7 @@ TEST_P(QuicSpdySessionTestServer,
   // Create and inject a STOP_SENDING frame. In GOOGLE QUIC, receiving a
   // RST_STREAM frame causes a two-way close. For IETF QUIC, RST_STREAM causes a
   // one-way close.
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // Only needed for version 99/IETF QUIC.
     QuicStopSendingFrame stop_sending(
         kInvalidControlFrameId, stream->id(),
@@ -1427,6 +1427,11 @@ TEST_P(QuicSpdySessionTestServer, ConnectionFlowControlAccountingRstAfterRst) {
 }
 
 TEST_P(QuicSpdySessionTestServer, InvalidStreamFlowControlWindowInHandshake) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Test that receipt of an invalid (< default) stream flow control window from
   // the peer results in the connection being torn down.
   const uint32_t kInvalidWindow = kMinimumFlowControlSendWindow - 1;
@@ -1439,6 +1444,11 @@ TEST_P(QuicSpdySessionTestServer, InvalidStreamFlowControlWindowInHandshake) {
 }
 
 TEST_P(QuicSpdySessionTestServer, InvalidSessionFlowControlWindowInHandshake) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Test that receipt of an invalid (< default) session flow control window
   // from the peer results in the connection being torn down.
   const uint32_t kInvalidWindow = kMinimumFlowControlSendWindow - 1;
@@ -1484,6 +1494,11 @@ TEST_P(QuicSpdySessionTestServer, FlowControlWithInvalidFinalOffset) {
 }
 
 TEST_P(QuicSpdySessionTestServer, WindowUpdateUnblocksHeadersStream) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Test that a flow control blocked headers stream gets unblocked on recipt of
   // a WINDOW_UPDATE frame.
 
@@ -1512,7 +1527,7 @@ TEST_P(QuicSpdySessionTestServer,
   // with a FIN or RST then we send an RST to refuse streams for versions other
   // than version 99. In version 99 the connection gets closed.
   const QuicStreamId kMaxStreams = 5;
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(&session_,
                                                             kMaxStreams);
   } else {
@@ -1539,14 +1554,14 @@ TEST_P(QuicSpdySessionTestServer,
     QuicStreamFrame data1(i, false, 0, QuicStringPiece("HT"));
     session_.OnStreamFrame(data1);
     // EXPECT_EQ(1u, session_.GetNumOpenStreams());
-    if (!IsVersion99()) {
+    if (!VersionHasIetfQuicFrames(transport_version())) {
       EXPECT_CALL(*connection_, SendControlFrame(_))
-          .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+          .WillOnce(Invoke(&ClearControlFrame));
     } else {
       // V99 has two frames, RST_STREAM and STOP_SENDING
       EXPECT_CALL(*connection_, SendControlFrame(_))
           .Times(2)
-          .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+          .WillRepeatedly(Invoke(&ClearControlFrame));
     }
     // Close the stream only if not version 99. If we are version 99
     // then closing the stream opens up the available stream id space,
@@ -1555,7 +1570,7 @@ TEST_P(QuicSpdySessionTestServer,
     session_.CloseStream(i);
   }
   // Try and open a stream that exceeds the limit.
-  if (!IsVersion99()) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // On versions other than 99, opening such a stream results in a
     // RST_STREAM.
     EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
@@ -1567,7 +1582,9 @@ TEST_P(QuicSpdySessionTestServer,
     EXPECT_CALL(
         *connection_,
         CloseConnection(QUIC_INVALID_STREAM_ID,
-                        "Stream id 24 would exceed stream count limit 6", _));
+                        testing::MatchesRegex(
+                            "Stream id \\d+ would exceed stream count limit 6"),
+                        _));
   }
   // Create one more data streams to exceed limit of open stream.
   QuicStreamFrame data1(kFinalStreamId, false, 0, QuicStringPiece("HT"));
@@ -1578,7 +1595,7 @@ TEST_P(QuicSpdySessionTestServer, DrainingStreamsDoNotCountAsOpened) {
   // Verify that a draining stream (which has received a FIN but not consumed
   // it) does not count against the open quota (because it is closed from the
   // protocol point of view).
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // Version 99 will result in a MAX_STREAMS frame as streams are consumed
     // (via the OnStreamFrame call) and then released (via
     // StreamDraining). Eventually this node will believe that the peer is
@@ -1590,7 +1607,7 @@ TEST_P(QuicSpdySessionTestServer, DrainingStreamsDoNotCountAsOpened) {
   }
   EXPECT_CALL(*connection_, OnStreamReset(_, QUIC_REFUSED_STREAM)).Times(0);
   const QuicStreamId kMaxStreams = 5;
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(&session_,
                                                             kMaxStreams);
   } else {
@@ -1627,23 +1644,70 @@ TEST_P(QuicSpdySessionTestClient, UsesPendingStreams) {
   EXPECT_TRUE(session_.UsesPendingStreams());
 }
 
+// Regression test for crbug.com/977581.
+TEST_P(QuicSpdySessionTestClient, BadStreamFramePendingStream) {
+  if (!VersionHasStreamType(transport_version())) {
+    return;
+  }
+
+  EXPECT_EQ(0u, session_.GetNumOpenIncomingStreams());
+  QuicStreamId stream_id1 =
+      GetNthServerInitiatedUnidirectionalStreamId(transport_version(), 0);
+  // A bad stream frame with no data and no fin.
+  QuicStreamFrame data1(stream_id1, false, 0, 0);
+  EXPECT_CALL(*connection_, CloseConnection(_, _, _))
+      .WillOnce(
+          Invoke(connection_, &MockQuicConnection::ReallyCloseConnection));
+  EXPECT_CALL(*connection_, SendConnectionClosePacket(_, _));
+  session_.OnStreamFrame(data1);
+}
+
 TEST_P(QuicSpdySessionTestClient, AvailableStreamsClient) {
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedBidirectionalId(2)) != nullptr);
   // Both server initiated streams with smaller stream IDs should be available.
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthServerInitiatedBidirectionalId(0)));
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthServerInitiatedBidirectionalId(1)));
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedBidirectionalId(0)) != nullptr);
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedBidirectionalId(1)) != nullptr);
   // And client initiated stream ID should be not available.
   EXPECT_FALSE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthClientInitiatedBidirectionalId(0)));
 }
 
+// Regression test for b/130740258 and https://crbug.com/971779.
+// If headers that are too large or empty are received (these cases are handled
+// the same way, as QuicHeaderList clears itself when headers exceed the limit),
+// then the stream is reset.  No more frames must be sent in this case.
+TEST_P(QuicSpdySessionTestClient, TooLargeHeadersMustNotCauseWriteAfterReset) {
+  // In IETF QUIC, HEADERS do not carry FIN flag, and OnStreamHeaderList() is
+  // never called after an error, including too large headers.
+  if (VersionUsesQpack(transport_version())) {
+    return;
+  }
+
+  SetQuicReloadableFlag(quic_avoid_empty_frame_after_empty_headers, true);
+
+  TestStream* stream = session_.CreateOutgoingBidirectionalStream();
+
+  // Write headers with FIN set to close write side of stream.
+  // Header block does not matter.
+  stream->WriteHeaders(SpdyHeaderBlock(), /* fin = */ true, nullptr);
+
+  // Receive headers that are too large or empty, with FIN set.
+  // This causes the stream to be reset.  No frames must be written after this.
+  QuicHeaderList headers;
+  EXPECT_CALL(*connection_, SendControlFrame(_));
+  EXPECT_CALL(*connection_,
+              OnStreamReset(stream->id(), QUIC_HEADERS_TOO_LARGE));
+  stream->OnStreamHeaderList(/* fin = */ true,
+                             headers.uncompressed_header_bytes(), headers);
+}
+
 TEST_P(QuicSpdySessionTestClient, RecordFinAfterReadSideClosed) {
   // Verify that an incoming FIN is recorded in a stream object even if the read
   // side has been closed.  This prevents an entry from being made in
@@ -1677,17 +1741,13 @@ TEST_P(QuicSpdySessionTestClient, RecordFinAfterReadSideClosed) {
 }
 
 TEST_P(QuicSpdySessionTestClient, WritePriority) {
-  TestHeadersStream* headers_stream;
-  if (!GetQuicReloadableFlag(quic_eliminate_static_stream_map_3) &&
-      !QuicVersionUsesCryptoFrames(connection_->transport_version())) {
-    QuicSpdySessionPeer::SetHeadersStream(&session_, nullptr);
-    headers_stream = new TestHeadersStream(&session_);
-    QuicSpdySessionPeer::SetHeadersStream(&session_, headers_stream);
-  } else {
-    QuicSpdySessionPeer::SetUnownedHeadersStream(&session_, nullptr);
-    headers_stream = new TestHeadersStream(&session_);
-    QuicSpdySessionPeer::SetUnownedHeadersStream(&session_, headers_stream);
+  if (VersionHasStreamType(transport_version())) {
+    return;
   }
+  TestHeadersStream* headers_stream;
+  QuicSpdySessionPeer::SetHeadersStream(&session_, nullptr);
+  headers_stream = new TestHeadersStream(&session_);
+  QuicSpdySessionPeer::SetHeadersStream(&session_, headers_stream);
 
   // Make packet writer blocked so |headers_stream| will buffer its write data.
   MockPacketWriter* writer = static_cast<MockPacketWriter*>(
@@ -1733,7 +1793,7 @@ TEST_P(QuicSpdySessionTestClient, Http3ServerPush) {
   QuicStreamFrame data1(stream_id1, false, 0, QuicStringPiece(data));
   session_.OnStreamFrame(data1);
   EXPECT_EQ(1u, session_.GetNumOpenIncomingStreams());
-  QuicStream* stream = session_.GetOrCreateDynamicStream(stream_id1);
+  QuicStream* stream = session_.GetOrCreateStream(stream_id1);
   EXPECT_EQ(1u, stream->flow_controller()->bytes_consumed());
   EXPECT_EQ(1u, session_.flow_controller()->bytes_consumed());
 
@@ -1744,7 +1804,7 @@ TEST_P(QuicSpdySessionTestClient, Http3ServerPush) {
   QuicStreamFrame data2(stream_id2, false, 0, QuicStringPiece(data));
   session_.OnStreamFrame(data2);
   EXPECT_EQ(2u, session_.GetNumOpenIncomingStreams());
-  stream = session_.GetOrCreateDynamicStream(stream_id2);
+  stream = session_.GetOrCreateStream(stream_id2);
   EXPECT_EQ(4u, stream->flow_controller()->bytes_consumed());
   EXPECT_EQ(5u, session_.flow_controller()->bytes_consumed());
 }
@@ -1787,6 +1847,11 @@ TEST_P(QuicSpdySessionTestServer, ZombieStreams) {
 }
 
 TEST_P(QuicSpdySessionTestServer, OnStreamFrameLost) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   InSequence s;
 
@@ -1861,6 +1926,11 @@ TEST_P(QuicSpdySessionTestServer, OnStreamFrameLost) {
 }
 
 TEST_P(QuicSpdySessionTestServer, DonotRetransmitDataOfClosedStreams) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   InSequence s;
 
@@ -1894,7 +1964,7 @@ TEST_P(QuicSpdySessionTestServer, DonotRetransmitDataOfClosedStreams) {
   EXPECT_CALL(*stream2, OnCanWrite());
   EXPECT_CALL(*stream2, HasPendingRetransmission()).WillOnce(Return(false));
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*stream2, OnCanWrite());
   EXPECT_CALL(*stream6, OnCanWrite());
   session_.OnCanWrite();
@@ -1910,7 +1980,7 @@ TEST_P(QuicSpdySessionTestServer, RetransmitFrames) {
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
   TestStream* stream6 = session_.CreateOutgoingBidirectionalStream();
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   session_.SendWindowUpdate(stream2->id(), 9);
 
   QuicStreamFrame frame1(stream2->id(), false, 0, 9);
@@ -1926,7 +1996,7 @@ TEST_P(QuicSpdySessionTestServer, RetransmitFrames) {
 
   EXPECT_CALL(*stream2, RetransmitStreamData(_, _, _)).WillOnce(Return(true));
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   EXPECT_CALL(*stream4, RetransmitStreamData(_, _, _)).WillOnce(Return(true));
   EXPECT_CALL(*stream6, RetransmitStreamData(_, _, _)).WillOnce(Return(true));
   EXPECT_CALL(*send_algorithm, OnApplicationLimited(_));
@@ -2009,6 +2079,53 @@ TEST_P(QuicSpdySessionTestServer,
   session_.ProcessPendingStream(&pending);
 }
 
+TEST_P(QuicSpdySessionTestServer, ReceiveControlStream) {
+  if (!VersionHasStreamType(transport_version())) {
+    return;
+  }
+  // Use a arbitrary stream id.
+  QuicStreamId stream_id =
+      GetNthClientInitiatedUnidirectionalStreamId(transport_version(), 3);
+  char type[] = {kControlStream};
+
+  QuicStreamFrame data1(stream_id, false, 0, QuicStringPiece(type, 1));
+  session_.OnStreamFrame(data1);
+  EXPECT_EQ(stream_id,
+            QuicSpdySessionPeer::GetReceiveControlStream(&session_)->id());
+
+  SettingsFrame settings;
+  settings.values[3] = 2;
+  settings.values[kSettingsMaxHeaderListSize] = 5;
+  std::string data = EncodeSettings(settings);
+  QuicStreamFrame frame(stream_id, false, 1, QuicStringPiece(data));
+
+  EXPECT_NE(5u, session_.max_outbound_header_list_size());
+  session_.OnStreamFrame(frame);
+  EXPECT_EQ(5u, session_.max_outbound_header_list_size());
+}
+
+TEST_P(QuicSpdySessionTestServer, ReceiveControlStreamOutOfOrderDelivery) {
+  if (!VersionHasStreamType(transport_version())) {
+    return;
+  }
+  // Use an arbitrary stream id.
+  QuicStreamId stream_id =
+      GetNthClientInitiatedUnidirectionalStreamId(transport_version(), 3);
+  char type[] = {kControlStream};
+  SettingsFrame settings;
+  settings.values[3] = 2;
+  settings.values[kSettingsMaxHeaderListSize] = 5;
+  std::string data = EncodeSettings(settings);
+
+  QuicStreamFrame data1(stream_id, false, 1, QuicStringPiece(data));
+  QuicStreamFrame data2(stream_id, false, 0, QuicStringPiece(type, 1));
+
+  session_.OnStreamFrame(data1);
+  EXPECT_NE(5u, session_.max_outbound_header_list_size());
+  session_.OnStreamFrame(data2);
+  EXPECT_EQ(5u, session_.max_outbound_header_list_size());
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.cc
index d424cc04bc7..97991e8b42b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.cc
@@ -8,9 +8,10 @@
 #include <string>
 #include <utility>
 
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
+#include "net/third_party/quiche/src/quic/core/http/http_decoder.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_session.h"
 #include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
@@ -22,6 +23,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
@@ -39,92 +41,121 @@ class QuicSpdyStream::HttpDecoderVisitor : public HttpDecoder::Visitor {
   HttpDecoderVisitor(const HttpDecoderVisitor&) = delete;
   HttpDecoderVisitor& operator=(const HttpDecoderVisitor&) = delete;
 
-  void OnError(HttpDecoder* decoder) override {
+  void OnError(HttpDecoder* /*decoder*/) override {
     stream_->session()->connection()->CloseConnection(
         QUIC_HTTP_DECODER_ERROR, "Http decoder internal error",
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
   }
 
-  void OnPriorityFrame(const PriorityFrame& frame) override {
+  bool OnPriorityFrameStart(Http3FrameLengths /*frame_lengths*/) override {
     CloseConnectionOnWrongFrame("Priority");
+    return false;
+  }
+
+  bool OnPriorityFrame(const PriorityFrame& /*frame*/) override {
+    CloseConnectionOnWrongFrame("Priority");
+    return false;
   }
 
-  void OnCancelPushFrame(const CancelPushFrame& frame) override {
+  bool OnCancelPushFrame(const CancelPushFrame& /*frame*/) override {
     CloseConnectionOnWrongFrame("Cancel Push");
+    return false;
   }
 
-  void OnMaxPushIdFrame(const MaxPushIdFrame& frame) override {
+  bool OnMaxPushIdFrame(const MaxPushIdFrame& /*frame*/) override {
     CloseConnectionOnWrongFrame("Max Push Id");
+    return false;
   }
 
-  void OnGoAwayFrame(const GoAwayFrame& frame) override {
+  bool OnGoAwayFrame(const GoAwayFrame& /*frame*/) override {
     CloseConnectionOnWrongFrame("Goaway");
+    return false;
   }
 
-  void OnSettingsFrameStart(Http3FrameLengths frame_lengths) override {
+  bool OnSettingsFrameStart(Http3FrameLengths /*frame_lengths*/) override {
     CloseConnectionOnWrongFrame("Settings");
+    return false;
   }
 
-  void OnSettingsFrame(const SettingsFrame& frame) override {
+  bool OnSettingsFrame(const SettingsFrame& /*frame*/) override {
     CloseConnectionOnWrongFrame("Settings");
+    return false;
   }
 
-  void OnDuplicatePushFrame(const DuplicatePushFrame& frame) override {
+  bool OnDuplicatePushFrame(const DuplicatePushFrame& /*frame*/) override {
+    // TODO(b/137554973): Consume frame.
     CloseConnectionOnWrongFrame("Duplicate Push");
+    return false;
   }
 
-  void OnDataFrameStart(Http3FrameLengths frame_lengths) override {
-    stream_->OnDataFrameStart(frame_lengths);
+  bool OnDataFrameStart(Http3FrameLengths frame_lengths) override {
+    return stream_->OnDataFrameStart(frame_lengths);
   }
 
-  void OnDataFramePayload(QuicStringPiece payload) override {
+  bool OnDataFramePayload(QuicStringPiece payload) override {
     DCHECK(!payload.empty());
-    stream_->OnDataFramePayload(payload);
+    return stream_->OnDataFramePayload(payload);
   }
 
-  void OnDataFrameEnd() override { stream_->OnDataFrameEnd(); }
+  bool OnDataFrameEnd() override { return stream_->OnDataFrameEnd(); }
 
-  void OnHeadersFrameStart(Http3FrameLengths frame_length) override {
-    if (!VersionUsesQpack(
-            stream_->session()->connection()->transport_version())) {
+  bool OnHeadersFrameStart(Http3FrameLengths frame_length) override {
+    if (!VersionUsesQpack(stream_->transport_version())) {
       CloseConnectionOnWrongFrame("Headers");
-      return;
+      return false;
     }
-    stream_->OnHeadersFrameStart(frame_length);
+    return stream_->OnHeadersFrameStart(frame_length);
   }
 
-  void OnHeadersFramePayload(QuicStringPiece payload) override {
+  bool OnHeadersFramePayload(QuicStringPiece payload) override {
     DCHECK(!payload.empty());
-    if (!VersionUsesQpack(
-            stream_->session()->connection()->transport_version())) {
+    if (!VersionUsesQpack(stream_->transport_version())) {
       CloseConnectionOnWrongFrame("Headers");
-      return;
+      return false;
     }
-    stream_->OnHeadersFramePayload(payload);
+    return stream_->OnHeadersFramePayload(payload);
   }
 
-  void OnHeadersFrameEnd() override {
-    if (!VersionUsesQpack(
-            stream_->session()->connection()->transport_version())) {
+  bool OnHeadersFrameEnd() override {
+    if (!VersionUsesQpack(stream_->transport_version())) {
       CloseConnectionOnWrongFrame("Headers");
-      return;
+      return false;
     }
-    stream_->OnHeadersFrameEnd();
+    return stream_->OnHeadersFrameEnd();
   }
 
-  void OnPushPromiseFrameStart(PushId push_id) override {
+  bool OnPushPromiseFrameStart(PushId /*push_id*/,
+                               Http3FrameLengths /*frame_length*/) override {
+    // TODO(b/137554973): Consume frame header.
     CloseConnectionOnWrongFrame("Push Promise");
+    return false;
   }
 
-  void OnPushPromiseFramePayload(QuicStringPiece payload) override {
+  bool OnPushPromiseFramePayload(QuicStringPiece payload) override {
+    // TODO(b/137554973): Consume frame payload.
     DCHECK(!payload.empty());
     CloseConnectionOnWrongFrame("Push Promise");
+    return false;
   }
 
-  void OnPushPromiseFrameEnd() override {
+  bool OnPushPromiseFrameEnd() override {
     CloseConnectionOnWrongFrame("Push Promise");
+    return false;
+  }
+
+  bool OnUnknownFrameStart(uint64_t /* frame_type */,
+                           Http3FrameLengths /* frame_length */) override {
+    // TODO(b/137554973): Consume frame header.
+    return true;
+  }
+
+  bool OnUnknownFramePayload(QuicStringPiece /* payload */) override {
+    // TODO(b/137554973): Consume frame payload.
+    return true;
   }
 
+  bool OnUnknownFrameEnd() override { return true; }
+
  private:
   void CloseConnectionOnWrongFrame(std::string frame_type) {
     stream_->session()->connection()->CloseConnection(
@@ -147,57 +178,68 @@ QuicSpdyStream::QuicSpdyStream(QuicStreamId id,
       spdy_session_(spdy_session),
       on_body_available_called_because_sequencer_is_closed_(false),
       visitor_(nullptr),
+      blocked_on_decoding_headers_(false),
       headers_decompressed_(false),
-      headers_length_(0, 0),
-      trailers_length_(0, 0),
+      headers_payload_length_(0),
+      trailers_payload_length_(0),
       trailers_decompressed_(false),
       trailers_consumed_(false),
-      http_decoder_visitor_(new HttpDecoderVisitor(this)),
-      body_buffer_(sequencer()),
+      priority_sent_(false),
+      headers_bytes_to_be_marked_consumed_(0),
+      http_decoder_visitor_(QuicMakeUnique<HttpDecoderVisitor>(this)),
+      decoder_(http_decoder_visitor_.get()),
+      sequencer_offset_(0),
+      is_decoder_processing_input_(false),
       ack_listener_(nullptr) {
-  DCHECK(!QuicUtils::IsCryptoStreamId(
-      spdy_session->connection()->transport_version(), id));
+  DCHECK_EQ(session()->connection(), spdy_session->connection());
+  DCHECK_EQ(transport_version(),
+            spdy_session->connection()->transport_version());
+  DCHECK(!QuicUtils::IsCryptoStreamId(transport_version(), id));
+  DCHECK_EQ(0u, sequencer()->NumBytesConsumed());
   // If headers are sent on the headers stream, then do not receive any
   // callbacks from the sequencer until headers are complete.
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version())) {
+  if (!VersionUsesQpack(transport_version())) {
     sequencer()->SetBlockedUntilFlush();
   }
 
-  if (VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version())) {
+  if (VersionHasDataFrameHeader(transport_version())) {
     sequencer()->set_level_triggered(true);
   }
-  decoder_.set_visitor(http_decoder_visitor_.get());
 }
 
-QuicSpdyStream::QuicSpdyStream(PendingStream pending,
+QuicSpdyStream::QuicSpdyStream(PendingStream* pending,
                                QuicSpdySession* spdy_session,
                                StreamType type)
-    : QuicStream(std::move(pending), type, /*is_static=*/false),
+    : QuicStream(pending, type, /*is_static=*/false),
       spdy_session_(spdy_session),
       on_body_available_called_because_sequencer_is_closed_(false),
       visitor_(nullptr),
+      blocked_on_decoding_headers_(false),
       headers_decompressed_(false),
-      headers_length_(0, 0),
-      trailers_length_(0, 0),
+      headers_payload_length_(0),
+      trailers_payload_length_(0),
       trailers_decompressed_(false),
       trailers_consumed_(false),
-      http_decoder_visitor_(new HttpDecoderVisitor(this)),
-      body_buffer_(sequencer()),
+      priority_sent_(false),
+      headers_bytes_to_be_marked_consumed_(0),
+      http_decoder_visitor_(QuicMakeUnique<HttpDecoderVisitor>(this)),
+      decoder_(http_decoder_visitor_.get()),
+      sequencer_offset_(sequencer()->NumBytesConsumed()),
+      is_decoder_processing_input_(false),
       ack_listener_(nullptr) {
-  DCHECK(!QuicUtils::IsCryptoStreamId(
-      spdy_session->connection()->transport_version(), id()));
+  DCHECK_EQ(session()->connection(), spdy_session->connection());
+  DCHECK_EQ(transport_version(),
+            spdy_session->connection()->transport_version());
+  DCHECK(!QuicUtils::IsCryptoStreamId(transport_version(), id()));
   // If headers are sent on the headers stream, then do not receive any
   // callbacks from the sequencer until headers are complete.
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version())) {
+  if (!VersionUsesQpack(transport_version())) {
     sequencer()->SetBlockedUntilFlush();
   }
 
-  if (VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version())) {
+  if (VersionHasDataFrameHeader(transport_version())) {
     sequencer()->set_level_triggered(true);
   }
-  decoder_.set_visitor(http_decoder_visitor_.get());
 }
 
 QuicSpdyStream::~QuicSpdyStream() {}
@@ -206,10 +248,9 @@ size_t QuicSpdyStream::WriteHeaders(
     SpdyHeaderBlock header_block,
     bool fin,
     QuicReferenceCountedPointer<QuicAckListenerInterface> ack_listener) {
-  QuicConnection::ScopedPacketFlusher flusher(
-      spdy_session_->connection(), QuicConnection::SEND_ACK_IF_PENDING);
+  QuicConnection::ScopedPacketFlusher flusher(spdy_session_->connection());
   // Send stream type for server push stream
-  if (VersionHasStreamType(session()->connection()->transport_version()) &&
+  if (VersionHasStreamType(transport_version()) &&
       type() == WRITE_UNIDIRECTIONAL && send_buffer().stream_offset() == 0) {
     char data[sizeof(kServerPushStream)];
     QuicDataWriter writer(QUIC_ARRAYSIZE(data), data);
@@ -225,8 +266,7 @@ size_t QuicSpdyStream::WriteHeaders(
   }
   size_t bytes_written =
       WriteHeadersImpl(std::move(header_block), fin, std::move(ack_listener));
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version()) &&
-      fin) {
+  if (!VersionUsesQpack(transport_version()) && fin) {
     // If HEADERS are sent on the headers stream, then |fin_sent_| needs to be
     // set and write side needs to be closed without actually sending a FIN on
     // this stream.
@@ -238,14 +278,11 @@ size_t QuicSpdyStream::WriteHeaders(
 }
 
 void QuicSpdyStream::WriteOrBufferBody(QuicStringPiece data, bool fin) {
-  if (!VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version()) ||
-      data.length() == 0) {
+  if (!VersionHasDataFrameHeader(transport_version()) || data.length() == 0) {
     WriteOrBufferData(data, fin, nullptr);
     return;
   }
-  QuicConnection::ScopedPacketFlusher flusher(
-      spdy_session_->connection(), QuicConnection::SEND_ACK_IF_PENDING);
+  QuicConnection::ScopedPacketFlusher flusher(spdy_session_->connection());
 
   // Write frame header.
   std::unique_ptr<char[]> buffer;
@@ -275,7 +312,7 @@ size_t QuicSpdyStream::WriteTrailers(
     return 0;
   }
 
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version())) {
+  if (!VersionUsesQpack(transport_version())) {
     // The header block must contain the final offset for this stream, as the
     // trailers may be processed out of order at the peer.
     const QuicStreamOffset final_offset =
@@ -294,7 +331,7 @@ size_t QuicSpdyStream::WriteTrailers(
 
   // If trailers are sent on the headers stream, then |fin_sent_| needs to be
   // set without actually sending a FIN on this stream.
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version())) {
+  if (!VersionUsesQpack(transport_version())) {
     set_fin_sent(kFin);
 
     // Also, write side of this stream needs to be closed.  However, only do
@@ -319,9 +356,7 @@ QuicConsumedData QuicSpdyStream::WritevBody(const struct iovec* iov,
 
 QuicConsumedData QuicSpdyStream::WriteBodySlices(QuicMemSliceSpan slices,
                                                  bool fin) {
-  if (!VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version()) ||
-      slices.empty()) {
+  if (!VersionHasDataFrameHeader(transport_version()) || slices.empty()) {
     return WriteMemSlices(slices, fin);
   }
 
@@ -332,8 +367,7 @@ QuicConsumedData QuicSpdyStream::WriteBodySlices(QuicMemSliceSpan slices,
     return {0, false};
   }
 
-  QuicConnection::ScopedPacketFlusher flusher(
-      spdy_session_->connection(), QuicConnection::SEND_ACK_IF_PENDING);
+  QuicConnection::ScopedPacketFlusher flusher(spdy_session_->connection());
 
   // Write frame header.
   struct iovec header_iov = {static_cast<void*>(buffer.get()), header_length};
@@ -358,17 +392,24 @@ QuicConsumedData QuicSpdyStream::WriteBodySlices(QuicMemSliceSpan slices,
 
 size_t QuicSpdyStream::Readv(const struct iovec* iov, size_t iov_len) {
   DCHECK(FinishedReadingHeaders());
-  if (!VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version())) {
+  if (!VersionHasDataFrameHeader(transport_version())) {
     return sequencer()->Readv(iov, iov_len);
   }
-  return body_buffer_.ReadBody(iov, iov_len);
+  size_t bytes_read = 0;
+  sequencer()->MarkConsumed(body_buffer_.ReadBody(iov, iov_len, &bytes_read));
+
+  if (VersionUsesQpack(transport_version())) {
+    // Maybe all DATA frame bytes have been read and some trailing HEADERS had
+    // already been processed, in which case MarkConsumed() should be called.
+    MaybeMarkHeadersBytesConsumed();
+  }
+
+  return bytes_read;
 }
 
 int QuicSpdyStream::GetReadableRegions(iovec* iov, size_t iov_len) const {
   DCHECK(FinishedReadingHeaders());
-  if (!VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version())) {
+  if (!VersionHasDataFrameHeader(transport_version())) {
     return sequencer()->GetReadableRegions(iov, iov_len);
   }
   return body_buffer_.PeekBody(iov, iov_len);
@@ -376,12 +417,17 @@ int QuicSpdyStream::GetReadableRegions(iovec* iov, size_t iov_len) const {
 
 void QuicSpdyStream::MarkConsumed(size_t num_bytes) {
   DCHECK(FinishedReadingHeaders());
-  if (!VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version())) {
+  if (!VersionHasDataFrameHeader(transport_version())) {
     sequencer()->MarkConsumed(num_bytes);
     return;
   }
-  body_buffer_.MarkBodyConsumed(num_bytes);
+  sequencer()->MarkConsumed(body_buffer_.OnBodyConsumed(num_bytes));
+
+  if (VersionUsesQpack(transport_version())) {
+    // Maybe all DATA frame bytes have been read and some trailing HEADERS had
+    // already been processed, in which case MarkConsumed() should be called.
+    MaybeMarkHeadersBytesConsumed();
+  }
 }
 
 bool QuicSpdyStream::IsDoneReading() const {
@@ -392,29 +438,18 @@ bool QuicSpdyStream::IsDoneReading() const {
 }
 
 bool QuicSpdyStream::HasBytesToRead() const {
-  if (!VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version())) {
+  if (!VersionHasDataFrameHeader(transport_version())) {
     return sequencer()->HasBytesToRead();
   }
   return body_buffer_.HasBytesToRead();
 }
 
 void QuicSpdyStream::MarkTrailersConsumed() {
-  if (VersionUsesQpack(spdy_session_->connection()->transport_version()) &&
-      !reading_stopped()) {
-    const QuicByteCount trailers_total_length =
-        trailers_length_.header_length + trailers_length_.payload_length;
-    if (trailers_total_length > 0) {
-      sequencer()->MarkConsumed(trailers_total_length);
-    }
-  }
-
   trailers_consumed_ = true;
 }
 
 uint64_t QuicSpdyStream::total_body_bytes_read() const {
-  if (VersionHasDataFrameHeader(
-          spdy_session_->connection()->transport_version())) {
+  if (VersionHasDataFrameHeader(transport_version())) {
     return body_buffer_.total_body_bytes_received();
   }
   return sequencer()->NumBytesConsumed();
@@ -423,22 +458,12 @@ uint64_t QuicSpdyStream::total_body_bytes_read() const {
 void QuicSpdyStream::ConsumeHeaderList() {
   header_list_.Clear();
 
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version())) {
-    if (FinishedReadingHeaders()) {
-      sequencer()->SetUnblocked();
-    }
+  if (!FinishedReadingHeaders()) {
     return;
   }
 
-  if (!reading_stopped()) {
-    const QuicByteCount headers_total_length =
-        headers_length_.header_length + headers_length_.payload_length;
-    if (headers_total_length > 0) {
-      sequencer()->MarkConsumed(headers_total_length);
-    }
-  }
-
-  if (!FinishedReadingHeaders()) {
+  if (!VersionUsesQpack(transport_version())) {
+    sequencer()->SetUnblocked();
     return;
   }
 
@@ -462,6 +487,7 @@ void QuicSpdyStream::OnStreamHeadersPriority(SpdyPriority priority) {
 void QuicSpdyStream::OnStreamHeaderList(bool fin,
                                         size_t frame_len,
                                         const QuicHeaderList& header_list) {
+  // TODO(b/134706391): remove |fin| argument.
   // The headers list avoid infinite buffering by clearing the headers list
   // if the current headers are too large. So if the list is empty here
   // then the headers list must have been too large, and the stream should
@@ -481,8 +507,26 @@ void QuicSpdyStream::OnStreamHeaderList(bool fin,
   }
 }
 
+void QuicSpdyStream::OnHeadersDecoded(QuicHeaderList headers) {
+  blocked_on_decoding_headers_ = false;
+  ProcessDecodedHeaders(headers);
+  // Continue decoding HTTP/3 frames.
+  OnDataAvailable();
+}
+
+void QuicSpdyStream::OnHeaderDecodingError() {
+  // TODO(b/124216424): Use HTTP_EXCESSIVE_LOAD or
+  // HTTP_QPACK_DECOMPRESSION_FAILED error code as indicated by
+  // |qpack_decoded_headers_accumulator_|.
+  std::string error_message = QuicStrCat(
+      "Error during async decoding of ",
+      headers_decompressed_ ? "trailers" : "headers", " on stream ", id(), ": ",
+      qpack_decoded_headers_accumulator_->error_message());
+  CloseConnectionWithDetails(QUIC_DECOMPRESSION_FAILURE, error_message);
+}
+
 void QuicSpdyStream::OnHeadersTooLarge() {
-  if (VersionUsesQpack(spdy_session_->connection()->transport_version())) {
+  if (VersionUsesQpack(transport_version())) {
     // TODO(124216424): Use HTTP_EXCESSIVE_LOAD error code.
     std::string error_message =
         QuicStrCat("Too large headers received on stream ", id());
@@ -497,10 +541,11 @@ void QuicSpdyStream::OnInitialHeadersComplete(
     bool fin,
     size_t /*frame_len*/,
     const QuicHeaderList& header_list) {
+  // TODO(b/134706391): remove |fin| argument.
   headers_decompressed_ = true;
   header_list_ = header_list;
 
-  if (VersionUsesQpack(spdy_session_->connection()->transport_version())) {
+  if (VersionUsesQpack(transport_version())) {
     if (fin) {
       OnStreamFrame(
           QuicStreamFrame(id(), /* fin = */ true,
@@ -511,8 +556,13 @@ void QuicSpdyStream::OnInitialHeadersComplete(
   }
 
   if (fin) {
-    OnStreamFrame(
-        QuicStreamFrame(id(), fin, /* offset = */ 0, QuicStringPiece()));
+    if (rst_sent() &&
+        GetQuicReloadableFlag(quic_avoid_empty_frame_after_empty_headers)) {
+      QUIC_RELOADABLE_FLAG_COUNT(quic_avoid_empty_frame_after_empty_headers);
+    } else {
+      OnStreamFrame(
+          QuicStreamFrame(id(), fin, /* offset = */ 0, QuicStringPiece()));
+    }
   }
   if (FinishedReadingHeaders()) {
     sequencer()->SetUnblocked();
@@ -534,11 +584,9 @@ void QuicSpdyStream::OnTrailingHeadersComplete(
     bool fin,
     size_t /*frame_len*/,
     const QuicHeaderList& header_list) {
+  // TODO(b/134706391): remove |fin| argument.
   DCHECK(!trailers_decompressed_);
-  if ((VersionUsesQpack(spdy_session_->connection()->transport_version()) &&
-       sequencer()->IsClosed()) ||
-      (!VersionUsesQpack(spdy_session_->connection()->transport_version()) &&
-       fin_received())) {
+  if (!VersionUsesQpack(transport_version()) && fin_received()) {
     QUIC_DLOG(INFO) << "Received Trailers after FIN, on stream: " << id();
     session()->connection()->CloseConnection(
         QUIC_INVALID_HEADERS_STREAM_DATA, "Trailers after fin",
@@ -546,8 +594,7 @@ void QuicSpdyStream::OnTrailingHeadersComplete(
     return;
   }
 
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version()) &&
-      !fin) {
+  if (!VersionUsesQpack(transport_version()) && !fin) {
     QUIC_DLOG(INFO) << "Trailers must have FIN set, on stream: " << id();
     session()->connection()->CloseConnection(
         QUIC_INVALID_HEADERS_STREAM_DATA, "Fin missing from trailers",
@@ -556,8 +603,7 @@ void QuicSpdyStream::OnTrailingHeadersComplete(
   }
 
   size_t final_byte_offset = 0;
-  const bool expect_final_byte_offset =
-      !VersionUsesQpack(spdy_session_->connection()->transport_version());
+  const bool expect_final_byte_offset = !VersionUsesQpack(transport_version());
   if (!SpdyUtils::CopyAndValidateTrailers(header_list, expect_final_byte_offset,
                                           &final_byte_offset,
                                           &received_trailers_)) {
@@ -568,12 +614,13 @@ void QuicSpdyStream::OnTrailingHeadersComplete(
     return;
   }
   trailers_decompressed_ = true;
-  const QuicStreamOffset offset =
-      VersionUsesQpack(spdy_session_->connection()->transport_version())
-          ? flow_controller()->highest_received_byte_offset()
-          : final_byte_offset;
-  OnStreamFrame(
-      QuicStreamFrame(id(), /* fin = */ true, offset, QuicStringPiece()));
+  if (fin) {
+    const QuicStreamOffset offset =
+        VersionUsesQpack(transport_version())
+            ? flow_controller()->highest_received_byte_offset()
+            : final_byte_offset;
+    OnStreamFrame(QuicStreamFrame(id(), fin, offset, QuicStringPiece()));
+  }
 }
 
 void QuicSpdyStream::OnPriorityFrame(SpdyPriority priority) {
@@ -594,21 +641,42 @@ void QuicSpdyStream::OnStreamReset(const QuicRstStreamFrame& frame) {
 }
 
 void QuicSpdyStream::OnDataAvailable() {
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version())) {
+  if (!VersionUsesQpack(transport_version())) {
     // Sequencer must be blocked until headers are consumed.
     DCHECK(FinishedReadingHeaders());
   }
 
-  if (!VersionHasDataFrameHeader(
-          session()->connection()->transport_version())) {
+  if (!VersionHasDataFrameHeader(transport_version())) {
     OnBodyAvailable();
     return;
   }
 
+  if (is_decoder_processing_input_) {
+    // Let the outermost nested OnDataAvailable() call do the work.
+    return;
+  }
+
+  if (blocked_on_decoding_headers_) {
+    return;
+  }
+
   iovec iov;
-  while (!reading_stopped() && sequencer()->PrefetchNextRegion(&iov)) {
-    decoder_.ProcessInput(reinterpret_cast<const char*>(iov.iov_base),
-                          iov.iov_len);
+  while (session()->connection()->connected() && !reading_stopped() &&
+         decoder_.error() == QUIC_NO_ERROR) {
+    DCHECK_GE(sequencer_offset_, sequencer()->NumBytesConsumed());
+    if (!sequencer()->PeekRegion(sequencer_offset_, &iov)) {
+      break;
+    }
+
+    DCHECK(!sequencer()->IsClosed());
+    is_decoder_processing_input_ = true;
+    QuicByteCount processed_bytes = decoder_.ProcessInput(
+        reinterpret_cast<const char*>(iov.iov_base), iov.iov_len);
+    is_decoder_processing_input_ = false;
+    sequencer_offset_ += processed_bytes;
+    if (blocked_on_decoding_headers_) {
+      return;
+    }
   }
 
   // Do not call OnBodyAvailable() until headers are consumed.
@@ -653,8 +721,9 @@ bool QuicSpdyStream::FinishedReadingHeaders() const {
   return headers_decompressed_ && header_list_.empty();
 }
 
+// static
 bool QuicSpdyStream::ParseHeaderStatusCode(const SpdyHeaderBlock& header,
-                                           int* status_code) const {
+                                           int* status_code) {
   SpdyHeaderBlock::const_iterator it = header.find(spdy::kHttp2StatusHeader);
   if (it == header.end()) {
     return false;
@@ -690,25 +759,32 @@ void QuicSpdyStream::ClearSession() {
   spdy_session_ = nullptr;
 }
 
-void QuicSpdyStream::OnDataFrameStart(Http3FrameLengths frame_lengths) {
-  DCHECK(
-      VersionHasDataFrameHeader(session()->connection()->transport_version()));
+bool QuicSpdyStream::OnDataFrameStart(Http3FrameLengths frame_lengths) {
+  DCHECK(VersionHasDataFrameHeader(transport_version()));
+  if (!headers_decompressed_ || trailers_decompressed_) {
+    // TODO(b/124216424): Change error code to HTTP_UNEXPECTED_FRAME.
+    session()->connection()->CloseConnection(
+        QUIC_INVALID_HEADERS_STREAM_DATA, "Unexpected DATA frame received.",
+        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+    return false;
+  }
 
   body_buffer_.OnDataHeader(frame_lengths);
+  return true;
 }
 
-void QuicSpdyStream::OnDataFramePayload(QuicStringPiece payload) {
-  DCHECK(
-      VersionHasDataFrameHeader(session()->connection()->transport_version()));
+bool QuicSpdyStream::OnDataFramePayload(QuicStringPiece payload) {
+  DCHECK(VersionHasDataFrameHeader(transport_version()));
 
   body_buffer_.OnDataPayload(payload);
+  return true;
 }
 
-void QuicSpdyStream::OnDataFrameEnd() {
-  DCHECK(
-      VersionHasDataFrameHeader(session()->connection()->transport_version()));
+bool QuicSpdyStream::OnDataFrameEnd() {
+  DCHECK(VersionHasDataFrameHeader(transport_version()));
   QUIC_DVLOG(1) << "Reaches the end of a data frame. Total bytes received are "
                 << body_buffer_.total_body_bytes_received();
+  return true;
 }
 
 bool QuicSpdyStream::OnStreamFrameAcked(QuicStreamOffset offset,
@@ -746,6 +822,16 @@ void QuicSpdyStream::OnStreamFrameRetransmitted(QuicStreamOffset offset,
   }
 }
 
+void QuicSpdyStream::MaybeMarkHeadersBytesConsumed() {
+  DCHECK(VersionUsesQpack(transport_version()));
+
+  if (!body_buffer_.HasBytesToRead() && !reading_stopped() &&
+      headers_bytes_to_be_marked_consumed_ > 0) {
+    sequencer()->MarkConsumed(headers_bytes_to_be_marked_consumed_);
+    headers_bytes_to_be_marked_consumed_ = 0;
+  }
+}
+
 QuicByteCount QuicSpdyStream::GetNumFrameHeadersInInterval(
     QuicStreamOffset offset,
     QuicByteCount data_length) const {
@@ -758,53 +844,86 @@ QuicByteCount QuicSpdyStream::GetNumFrameHeadersInInterval(
   return header_acked_length;
 }
 
-void QuicSpdyStream::OnHeadersFrameStart(Http3FrameLengths frame_length) {
-  DCHECK(VersionUsesQpack(spdy_session_->connection()->transport_version()));
+bool QuicSpdyStream::OnHeadersFrameStart(Http3FrameLengths frame_length) {
+  DCHECK(VersionUsesQpack(transport_version()));
   DCHECK(!qpack_decoded_headers_accumulator_);
 
+  if (trailers_decompressed_) {
+    // TODO(b/124216424): Change error code to HTTP_UNEXPECTED_FRAME.
+    session()->connection()->CloseConnection(
+        QUIC_INVALID_HEADERS_STREAM_DATA,
+        "HEADERS frame received after trailing HEADERS.",
+        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+    return false;
+  }
+
   if (headers_decompressed_) {
-    trailers_length_ = frame_length;
+    trailers_payload_length_ = frame_length.payload_length;
   } else {
-    headers_length_ = frame_length;
+    headers_payload_length_ = frame_length.payload_length;
   }
 
   qpack_decoded_headers_accumulator_ =
       QuicMakeUnique<QpackDecodedHeadersAccumulator>(
-          id(), spdy_session_->qpack_decoder(),
+          id(), spdy_session_->qpack_decoder(), this,
           spdy_session_->max_inbound_header_list_size());
+
+  // Do not call MaybeMarkHeadersBytesConsumed() yet, because
+  // HEADERS frame header bytes might not have been parsed completely.
+  headers_bytes_to_be_marked_consumed_ += frame_length.header_length;
+
+  return true;
 }
 
-void QuicSpdyStream::OnHeadersFramePayload(QuicStringPiece payload) {
-  DCHECK(VersionUsesQpack(spdy_session_->connection()->transport_version()));
+bool QuicSpdyStream::OnHeadersFramePayload(QuicStringPiece payload) {
+  DCHECK(VersionUsesQpack(transport_version()));
 
-  if (!qpack_decoded_headers_accumulator_->Decode(payload)) {
+  const bool success = qpack_decoded_headers_accumulator_->Decode(payload);
+
+  headers_bytes_to_be_marked_consumed_ += payload.size();
+  MaybeMarkHeadersBytesConsumed();
+
+  if (!success) {
     // TODO(124216424): Use HTTP_QPACK_DECOMPRESSION_FAILED error code.
     std::string error_message =
         QuicStrCat("Error decompressing header block on stream ", id(), ": ",
                    qpack_decoded_headers_accumulator_->error_message());
     CloseConnectionWithDetails(QUIC_DECOMPRESSION_FAILURE, error_message);
-    return;
+    return false;
   }
+  return true;
 }
 
-void QuicSpdyStream::OnHeadersFrameEnd() {
-  DCHECK(VersionUsesQpack(spdy_session_->connection()->transport_version()));
+bool QuicSpdyStream::OnHeadersFrameEnd() {
+  DCHECK(VersionUsesQpack(transport_version()));
+
+  auto result = qpack_decoded_headers_accumulator_->EndHeaderBlock();
 
-  if (!qpack_decoded_headers_accumulator_->EndHeaderBlock()) {
+  if (result == QpackDecodedHeadersAccumulator::Status::kError) {
     // TODO(124216424): Use HTTP_QPACK_DECOMPRESSION_FAILED error code.
     std::string error_message =
         QuicStrCat("Error decompressing header block on stream ", id(), ": ",
                    qpack_decoded_headers_accumulator_->error_message());
     CloseConnectionWithDetails(QUIC_DECOMPRESSION_FAILURE, error_message);
-    return;
+    return false;
   }
 
-  const QuicByteCount frame_length = headers_decompressed_
-                                         ? trailers_length_.payload_length
-                                         : headers_length_.payload_length;
-  OnStreamHeaderList(/* fin = */ false, frame_length,
-                     qpack_decoded_headers_accumulator_->quic_header_list());
+  if (result == QpackDecodedHeadersAccumulator::Status::kBlocked) {
+    blocked_on_decoding_headers_ = true;
+    return false;
+  }
+
+  DCHECK(result == QpackDecodedHeadersAccumulator::Status::kSuccess);
 
+  ProcessDecodedHeaders(qpack_decoded_headers_accumulator_->quic_header_list());
+  return !sequencer()->IsClosed() && !reading_stopped();
+}
+
+void QuicSpdyStream::ProcessDecodedHeaders(const QuicHeaderList& headers) {
+  const QuicByteCount frame_length = headers_decompressed_
+                                         ? trailers_payload_length_
+                                         : headers_payload_length_;
+  OnStreamHeaderList(/* fin = */ false, frame_length, headers);
   qpack_decoded_headers_accumulator_.reset();
 }
 
@@ -812,22 +931,23 @@ size_t QuicSpdyStream::WriteHeadersImpl(
     spdy::SpdyHeaderBlock header_block,
     bool fin,
     QuicReferenceCountedPointer<QuicAckListenerInterface> ack_listener) {
-  if (!VersionUsesQpack(spdy_session_->connection()->transport_version())) {
+  if (!VersionUsesQpack(transport_version())) {
     return spdy_session_->WriteHeadersOnHeadersStream(
         id(), std::move(header_block), fin, priority(),
         std::move(ack_listener));
   }
 
-  // Encode header list.
-  auto progressive_encoder = spdy_session_->qpack_encoder()->EncodeHeaderList(
-      /* stream_id = */ id(), &header_block);
-  std::string encoded_headers;
-  while (progressive_encoder->HasNext()) {
-    progressive_encoder->Next(
-        /* max_encoded_bytes = */ std::numeric_limits<size_t>::max(),
-        &encoded_headers);
+  if (session()->perspective() == Perspective::IS_CLIENT && !priority_sent_) {
+    PriorityFrame frame;
+    PopulatePriorityFrame(&frame);
+    spdy_session_->WriteH3Priority(frame);
+    priority_sent_ = true;
   }
 
+  // Encode header list.
+  std::string encoded_headers =
+      spdy_session_->qpack_encoder()->EncodeHeaderList(id(), &header_block);
+
   // Write HEADERS frame.
   std::unique_ptr<char[]> headers_frame_header;
   const size_t headers_frame_header_length =
@@ -852,5 +972,12 @@ size_t QuicSpdyStream::WriteHeadersImpl(
   return encoded_headers.size();
 }
 
+void QuicSpdyStream::PopulatePriorityFrame(PriorityFrame* frame) {
+  frame->weight = priority();
+  frame->dependency_type = ROOT_OF_TREE;
+  frame->prioritized_type = REQUEST_STREAM;
+  frame->prioritized_element_id = id();
+}
+
 #undef ENDPOINT  // undef for jumbo builds
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h
index dc0d6f5a318..bdb87529d1c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h
@@ -19,6 +19,7 @@
 #include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_header_list.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream_sequencer.h"
@@ -34,11 +35,12 @@ class QuicSpdyStreamPeer;
 class QuicStreamPeer;
 }  // namespace test
 
-class QpackDecodedHeadersAccumulator;
 class QuicSpdySession;
 
 // A QUIC stream that can send and receive HTTP2 (SPDY) headers.
-class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
+class QUIC_EXPORT_PRIVATE QuicSpdyStream
+    : public QuicStream,
+      public QpackDecodedHeadersAccumulator::Visitor {
  public:
   // Visitor receives callbacks from the stream.
   class QUIC_EXPORT_PRIVATE Visitor {
@@ -51,8 +53,8 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
     virtual void OnClose(QuicSpdyStream* stream) = 0;
 
     // Allows subclasses to override and do work.
-    virtual void OnPromiseHeadersComplete(QuicStreamId promised_id,
-                                          size_t frame_len) {}
+    virtual void OnPromiseHeadersComplete(QuicStreamId /*promised_id*/,
+                                          size_t /*frame_len*/) {}
 
    protected:
     virtual ~Visitor() {}
@@ -61,7 +63,7 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
   QuicSpdyStream(QuicStreamId id,
                  QuicSpdySession* spdy_session,
                  StreamType type);
-  QuicSpdyStream(PendingStream pending,
+  QuicSpdyStream(PendingStream* pending,
                  QuicSpdySession* spdy_session,
                  StreamType type);
   QuicSpdyStream(const QuicSpdyStream&) = delete;
@@ -147,7 +149,8 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
 
   // Marks the trailers as consumed. This applies to the case where this object
   // receives headers and trailers as QuicHeaderLists via calls to
-  // OnStreamHeaderList().
+  // OnStreamHeaderList(). Trailer data will be consumed from the sequencer only
+  // once all body data has been consumed.
   void MarkTrailersConsumed();
 
   // Clears |header_list_|.
@@ -164,10 +167,11 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
 
   // Returns true if header contains a valid 3-digit status and parse the status
   // code to |status_code|.
-  bool ParseHeaderStatusCode(const spdy::SpdyHeaderBlock& header,
-                             int* status_code) const;
+  static bool ParseHeaderStatusCode(const spdy::SpdyHeaderBlock& header,
+                                    int* status_code);
 
-  // Returns true when all data has been read from the peer, including the fin.
+  // Returns true when all data from the peer has been read and consumed,
+  // including the fin.
   bool IsDoneReading() const;
   bool HasBytesToRead() const;
 
@@ -190,8 +194,8 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
   // Returns true if headers have been fully read and consumed.
   bool FinishedReadingHeaders() const;
 
-  // Returns true if trailers have been fully read and consumed, or FIN has
-  // been received and there are no trailers.
+  // Returns true if FIN has been received and either trailers have been fully
+  // read and consumed or there are no trailers.
   bool FinishedReadingTrailers() const;
 
   // Called when owning session is getting deleted to avoid subsequent
@@ -204,15 +208,11 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
 
   using QuicStream::CloseWriteSide;
 
- protected:
-  // HTTP/3
-  void OnDataFrameStart(Http3FrameLengths frame_lengths);
-  void OnDataFramePayload(QuicStringPiece payload);
-  void OnDataFrameEnd();
-  void OnHeadersFrameStart(Http3FrameLengths frame_length);
-  void OnHeadersFramePayload(QuicStringPiece payload);
-  void OnHeadersFrameEnd();
+  // QpackDecodedHeadersAccumulator::Visitor implementation.
+  void OnHeadersDecoded(QuicHeaderList headers) override;
+  void OnHeaderDecodingError() override;
 
+ protected:
   // Called when the received headers are too large. By default this will
   // reset the stream.
   virtual void OnHeadersTooLarge();
@@ -238,12 +238,30 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
     ack_listener_ = std::move(ack_listener);
   }
 
+  // Fills in |frame| with appropriate fields.
+  virtual void PopulatePriorityFrame(PriorityFrame* frame);
+
  private:
   friend class test::QuicSpdyStreamPeer;
   friend class test::QuicStreamPeer;
   friend class QuicStreamUtils;
   class HttpDecoderVisitor;
 
+  // Called by HttpDecoderVisitor.
+  bool OnDataFrameStart(Http3FrameLengths frame_lengths);
+  bool OnDataFramePayload(QuicStringPiece payload);
+  bool OnDataFrameEnd();
+  bool OnHeadersFrameStart(Http3FrameLengths frame_length);
+  bool OnHeadersFramePayload(QuicStringPiece payload);
+  bool OnHeadersFrameEnd();
+
+  // Called internally when headers are decoded.
+  void ProcessDecodedHeaders(const QuicHeaderList& headers);
+
+  // Call QuicStreamSequencer::MarkConsumed() with
+  // |headers_bytes_to_be_marked_consumed_| if appropriate.
+  void MaybeMarkHeadersBytesConsumed();
+
   // Given the interval marked by [|offset|, |offset| + |data_length|), return
   // the number of frame header bytes contained in it.
   QuicByteCount GetNumFrameHeadersInInterval(QuicStreamOffset offset,
@@ -254,35 +272,56 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream : public QuicStream {
   bool on_body_available_called_because_sequencer_is_closed_;
 
   Visitor* visitor_;
+
+  // True if read side processing is blocked while waiting for callback from
+  // QPACK decoder.
+  bool blocked_on_decoding_headers_;
   // True if the headers have been completely decompressed.
   bool headers_decompressed_;
   // Contains a copy of the decompressed header (name, value) pairs until they
   // are consumed via Readv.
   QuicHeaderList header_list_;
-  // Length of HEADERS frame, including frame header and payload.
-  Http3FrameLengths headers_length_;
-  // Length of TRAILERS frame, including frame header and payload.
-  Http3FrameLengths trailers_length_;
+  // Length of HEADERS frame payload.
+  QuicByteCount headers_payload_length_;
+  // Length of TRAILERS frame payload.
+  QuicByteCount trailers_payload_length_;
 
   // True if the trailers have been completely decompressed.
   bool trailers_decompressed_;
   // True if the trailers have been consumed.
   bool trailers_consumed_;
+
+  // True if the stream has already sent an priority frame.
+  bool priority_sent_;
+
+  // Number of bytes consumed while decoding HEADERS frames that cannot be
+  // marked consumed in QuicStreamSequencer until later.
+  QuicByteCount headers_bytes_to_be_marked_consumed_;
   // The parsed trailers received from the peer.
   spdy::SpdyHeaderBlock received_trailers_;
 
   // Http encoder for writing streams.
   HttpEncoder encoder_;
-  // Http decoder for processing raw incoming stream frames.
-  HttpDecoder decoder_;
   // Headers accumulator for decoding HEADERS frame payload.
   std::unique_ptr<QpackDecodedHeadersAccumulator>
       qpack_decoded_headers_accumulator_;
   // Visitor of the HttpDecoder.
   std::unique_ptr<HttpDecoderVisitor> http_decoder_visitor_;
+  // HttpDecoder for processing raw incoming stream frames.
+  HttpDecoder decoder_;
   // Buffer that contains decoded data of the stream.
   QuicSpdyStreamBodyBuffer body_buffer_;
 
+  // Sequencer offset keeping track of how much data HttpDecoder has processed.
+  // Initial value is zero for fresh streams, or sequencer()->NumBytesConsumed()
+  // at time of construction if a PendingStream is converted to account for the
+  // length of the unidirectional stream type at the beginning of the stream.
+  QuicStreamOffset sequencer_offset_;
+
+  // True when inside an HttpDecoder::ProcessInput() call.
+  // Used for detecting reentrancy.
+  bool is_decoder_processing_input_;
+
   // Ack listener of this stream, and it is notified when any of written bytes
   // are acked or retransmitted.
   QuicReferenceCountedPointer<QuicAckListenerInterface> ack_listener_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.cc
index c0a77b29485..c29c766ad59 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.cc
@@ -3,19 +3,18 @@
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.h"
+
+#include <algorithm>
+
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 
 namespace quic {
 
-QuicSpdyStreamBodyBuffer::QuicSpdyStreamBodyBuffer(
-    QuicStreamSequencer* sequencer)
+QuicSpdyStreamBodyBuffer::QuicSpdyStreamBodyBuffer()
     : bytes_remaining_(0),
       total_body_bytes_readable_(0),
       total_body_bytes_received_(0),
-      total_payload_lengths_(0),
-      sequencer_(sequencer) {}
-
-QuicSpdyStreamBodyBuffer::~QuicSpdyStreamBodyBuffer() {}
+      total_payload_lengths_(0) {}
 
 void QuicSpdyStreamBodyBuffer::OnDataHeader(Http3FrameLengths frame_lengths) {
   frame_meta_.push_back(frame_lengths);
@@ -30,21 +29,21 @@ void QuicSpdyStreamBodyBuffer::OnDataPayload(QuicStringPiece payload) {
   DCHECK_LE(total_body_bytes_received_, total_payload_lengths_);
 }
 
-void QuicSpdyStreamBodyBuffer::MarkBodyConsumed(size_t num_bytes) {
+size_t QuicSpdyStreamBodyBuffer::OnBodyConsumed(size_t num_bytes) {
   // Check if the stream has enough decoded data.
   if (num_bytes > total_body_bytes_readable_) {
-    QUIC_BUG << "Invalid argument to MarkBodyConsumed."
+    QUIC_BUG << "Invalid argument to OnBodyConsumed."
              << " expect to consume: " << num_bytes
              << ", but not enough bytes available. "
              << "Total bytes readable are: " << total_body_bytes_readable_;
-    return;
+    return 0;
   }
   // Discard references in the stream before the sequencer marks them consumed.
   size_t remaining = num_bytes;
   while (remaining > 0) {
     if (bodies_.empty()) {
       QUIC_BUG << "Failed to consume because body buffer is empty.";
-      return;
+      return 0;
     }
     auto body = bodies_.front();
     bodies_.pop_front();
@@ -56,21 +55,26 @@ void QuicSpdyStreamBodyBuffer::MarkBodyConsumed(size_t num_bytes) {
       remaining = 0;
     }
   }
+
   // Consume headers.
+  size_t bytes_to_consume = 0;
   while (bytes_remaining_ < num_bytes) {
     if (frame_meta_.empty()) {
       QUIC_BUG << "Faild to consume because frame header buffer is empty.";
-      return;
+      return 0;
     }
     auto meta = frame_meta_.front();
     frame_meta_.pop_front();
     bytes_remaining_ += meta.payload_length;
-    sequencer_->MarkConsumed(meta.header_length);
+    bytes_to_consume += meta.header_length;
   }
-  sequencer_->MarkConsumed(num_bytes);
+  bytes_to_consume += num_bytes;
+
   // Update accountings.
   bytes_remaining_ -= num_bytes;
   total_body_bytes_readable_ -= num_bytes;
+
+  return bytes_to_consume;
 }
 
 int QuicSpdyStreamBodyBuffer::PeekBody(iovec* iov, size_t iov_len) const {
@@ -94,8 +98,9 @@ int QuicSpdyStreamBodyBuffer::PeekBody(iovec* iov, size_t iov_len) const {
 }
 
 size_t QuicSpdyStreamBodyBuffer::ReadBody(const struct iovec* iov,
-                                          size_t iov_len) {
-  size_t total_data_read = 0;
+                                          size_t iov_len,
+                                          size_t* total_bytes_read) {
+  *total_bytes_read = 0;
   QuicByteCount total_remaining = total_body_bytes_readable_;
   size_t index = 0;
   size_t src_offset = 0;
@@ -110,7 +115,7 @@ size_t QuicSpdyStreamBodyBuffer::ReadBody(const struct iovec* iov,
              bytes_to_copy);
       dest += bytes_to_copy;
       dest_remaining -= bytes_to_copy;
-      total_data_read += bytes_to_copy;
+      *total_bytes_read += bytes_to_copy;
       total_remaining -= bytes_to_copy;
       if (bytes_to_copy < body.length() - src_offset) {
         src_offset += bytes_to_copy;
@@ -121,8 +126,7 @@ size_t QuicSpdyStreamBodyBuffer::ReadBody(const struct iovec* iov,
     }
   }
 
-  MarkBodyConsumed(total_data_read);
-  return total_data_read;
+  return OnBodyConsumed(*total_bytes_read);
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.h
index 2485aacb446..a37f3bf0b80 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer.h
@@ -6,20 +6,22 @@
 #define QUICHE_QUIC_CORE_HTTP_QUIC_SPDY_STREAM_BODY_BUFFER_H_
 
 #include "net/third_party/quiche/src/quic/core/http/http_decoder.h"
-#include "net/third_party/quiche/src/quic/core/quic_stream_sequencer.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_iovec.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_macros.h"
 
 namespace quic {
 
+class QuicStreamSequencer;
+
 // Buffer decoded body for QuicSpdyStream. It also talks to the sequencer to
 // consume data.
 class QUIC_EXPORT_PRIVATE QuicSpdyStreamBodyBuffer {
  public:
-  // QuicSpdyStreamBodyBuffer doesn't own the sequencer and the sequencer can
-  // outlive the buffer.
-  explicit QuicSpdyStreamBodyBuffer(QuicStreamSequencer* sequencer);
-
-  ~QuicSpdyStreamBodyBuffer();
+  QuicSpdyStreamBodyBuffer();
+  ~QuicSpdyStreamBodyBuffer() = default;
 
   // Add metadata of the frame to accountings.
   // Called when QuicSpdyStream receives data frame header.
@@ -31,9 +33,10 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStreamBodyBuffer {
   // QuicStreamSequencer::MarkConsumed().
   void OnDataPayload(QuicStringPiece payload);
 
-  // Take |num_bytes| as the body size, calculate header sizes accordingly, and
-  // consume the right amount of data in the stream sequencer.
-  void MarkBodyConsumed(size_t num_bytes);
+  // Internally marks |num_bytes| of DATA frame payload consumed, and returns
+  // the number of bytes that the caller should mark consumed with the
+  // sequencer, including DATA frame header bytes, if any.
+  QUIC_MUST_USE_RESULT size_t OnBodyConsumed(size_t num_bytes);
 
   // Fill up to |iov_len| with bodies available in buffer. No data is consumed.
   // |iov|.iov_base will point to data in the buffer, and |iov|.iov_len will
@@ -43,9 +46,11 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStreamBodyBuffer {
 
   // Copies from buffer into |iov| up to |iov_len|, and consume data in
   // sequencer. |iov.iov_base| and |iov.iov_len| are preassigned and will not be
-  // changed.
-  // Returns the number of bytes read.
-  size_t ReadBody(const struct iovec* iov, size_t iov_len);
+  // changed.  |*total_bytes_read| is set to the number of bytes read.  Returns
+  // the number of bytes that should be marked consumed with the sequencer.
+  QUIC_MUST_USE_RESULT size_t ReadBody(const struct iovec* iov,
+                                       size_t iov_len,
+                                       size_t* total_bytes_read);
 
   bool HasBytesToRead() const { return !bodies_.empty(); }
 
@@ -66,8 +71,6 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStreamBodyBuffer {
   QuicByteCount total_body_bytes_received_;
   // Total length of payloads tracked by frame_meta_.
   QuicByteCount total_payload_lengths_;
-  // Stream sequencer that directly manages data in the stream.
-  QuicStreamSequencer* sequencer_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer_test.cc
index 6e8e20d23dd..d5e816119d9 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_buffer_test.cc
@@ -6,13 +6,9 @@
 
 #include <string>
 
-#include "net/third_party/quiche/src/quic/core/quic_stream_sequencer.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
-#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
 namespace quic {
 
@@ -20,51 +16,16 @@ namespace test {
 
 namespace {
 
-class MockStream : public QuicStreamSequencer::StreamInterface {
- public:
-  MOCK_METHOD0(OnFinRead, void());
-  MOCK_METHOD0(OnDataAvailable, void());
-  MOCK_METHOD2(CloseConnectionWithDetails,
-               void(QuicErrorCode error, const std::string& details));
-  MOCK_METHOD1(Reset, void(QuicRstStreamErrorCode error));
-  MOCK_METHOD0(OnCanWrite, void());
-  MOCK_METHOD1(AddBytesConsumed, void(QuicByteCount bytes));
-
-  QuicStreamId id() const override { return 1; }
-
-  const QuicSocketAddress& PeerAddressOfLatestPacket() const override {
-    return peer_address_;
-  }
-
- protected:
-  QuicSocketAddress peer_address_ =
-      QuicSocketAddress(QuicIpAddress::Any4(), 65535);
-};
-
-class MockSequencer : public QuicStreamSequencer {
- public:
-  explicit MockSequencer(MockStream* stream) : QuicStreamSequencer(stream) {}
-  virtual ~MockSequencer() = default;
-  MOCK_METHOD1(MarkConsumed, void(size_t num_bytes_consumed));
-};
-
 class QuicSpdyStreamBodyBufferTest : public QuicTest {
- public:
-  QuicSpdyStreamBodyBufferTest()
-      : sequencer_(&stream_), body_buffer_(&sequencer_) {}
-
  protected:
-  MockStream stream_;
-  MockSequencer sequencer_;
   QuicSpdyStreamBodyBuffer body_buffer_;
-  HttpEncoder encoder_;
 };
 
 TEST_F(QuicSpdyStreamBodyBufferTest, ReceiveBodies) {
   std::string body(1024, 'a');
   EXPECT_FALSE(body_buffer_.HasBytesToRead());
   body_buffer_.OnDataHeader(Http3FrameLengths(3, 1024));
-  body_buffer_.OnDataPayload(QuicStringPiece(body));
+  body_buffer_.OnDataPayload(body);
   EXPECT_EQ(1024u, body_buffer_.total_body_bytes_received());
   EXPECT_TRUE(body_buffer_.HasBytesToRead());
 }
@@ -72,7 +33,7 @@ TEST_F(QuicSpdyStreamBodyBufferTest, ReceiveBodies) {
 TEST_F(QuicSpdyStreamBodyBufferTest, PeekBody) {
   std::string body(1024, 'a');
   body_buffer_.OnDataHeader(Http3FrameLengths(3, 1024));
-  body_buffer_.OnDataPayload(QuicStringPiece(body));
+  body_buffer_.OnDataPayload(body);
   EXPECT_EQ(1024u, body_buffer_.total_body_bytes_received());
   iovec vec;
   EXPECT_EQ(1, body_buffer_.PeekBody(&vec, 1));
@@ -85,19 +46,11 @@ TEST_F(QuicSpdyStreamBodyBufferTest, PeekBody) {
 TEST_F(QuicSpdyStreamBodyBufferTest, MarkConsumedPartialSingleFrame) {
   testing::InSequence seq;
   std::string body(1024, 'a');
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
-  std::string header = std::string(buffer.get(), header_length);
+  const QuicByteCount header_length = 3;
   Http3FrameLengths lengths(header_length, 1024);
-  std::string data = header + body;
-  QuicStreamFrame frame(1, false, 0, data);
-  sequencer_.OnStreamFrame(frame);
   body_buffer_.OnDataHeader(lengths);
-  body_buffer_.OnDataPayload(QuicStringPiece(body));
-  EXPECT_CALL(stream_, AddBytesConsumed(header_length));
-  EXPECT_CALL(stream_, AddBytesConsumed(1024));
-  body_buffer_.MarkBodyConsumed(1024);
+  body_buffer_.OnDataPayload(body);
+  EXPECT_EQ(header_length + 1024, body_buffer_.OnBodyConsumed(1024));
 }
 
 // Buffer received 2 frames. Stream consumes multiple times.
@@ -105,37 +58,21 @@ TEST_F(QuicSpdyStreamBodyBufferTest, MarkConsumedMultipleFrames) {
   testing::InSequence seq;
   // 1st frame.
   std::string body1(1024, 'a');
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length1 =
-      encoder_.SerializeDataFrameHeader(body1.length(), &buffer);
-  std::string header1 = std::string(buffer.get(), header_length1);
+  const QuicByteCount header_length1 = 2;
   Http3FrameLengths lengths1(header_length1, 1024);
-  std::string data1 = header1 + body1;
-  QuicStreamFrame frame1(1, false, 0, data1);
-  sequencer_.OnStreamFrame(frame1);
   body_buffer_.OnDataHeader(lengths1);
-  body_buffer_.OnDataPayload(QuicStringPiece(body1));
+  body_buffer_.OnDataPayload(body1);
 
   // 2nd frame.
   std::string body2(2048, 'b');
-  QuicByteCount header_length2 =
-      encoder_.SerializeDataFrameHeader(body2.length(), &buffer);
-  std::string header2 = std::string(buffer.get(), header_length2);
+  const QuicByteCount header_length2 = 4;
   Http3FrameLengths lengths2(header_length2, 2048);
-  std::string data2 = header2 + body2;
-  QuicStreamFrame frame2(1, false, data1.length(), data2);
-  sequencer_.OnStreamFrame(frame2);
   body_buffer_.OnDataHeader(lengths2);
-  body_buffer_.OnDataPayload(QuicStringPiece(body2));
-
-  EXPECT_CALL(stream_, AddBytesConsumed(header_length1));
-  EXPECT_CALL(stream_, AddBytesConsumed(512));
-  body_buffer_.MarkBodyConsumed(512);
-  EXPECT_CALL(stream_, AddBytesConsumed(header_length2));
-  EXPECT_CALL(stream_, AddBytesConsumed(2048));
-  body_buffer_.MarkBodyConsumed(2048);
-  EXPECT_CALL(stream_, AddBytesConsumed(512));
-  body_buffer_.MarkBodyConsumed(512);
+  body_buffer_.OnDataPayload(body2);
+
+  EXPECT_EQ(header_length1 + 512, body_buffer_.OnBodyConsumed(512));
+  EXPECT_EQ(header_length2 + 2048, body_buffer_.OnBodyConsumed(2048));
+  EXPECT_EQ(512u, body_buffer_.OnBodyConsumed(512));
 }
 
 TEST_F(QuicSpdyStreamBodyBufferTest, MarkConsumedMoreThanBuffered) {
@@ -143,33 +80,29 @@ TEST_F(QuicSpdyStreamBodyBufferTest, MarkConsumedMoreThanBuffered) {
   Http3FrameLengths lengths(3, 1024);
   body_buffer_.OnDataHeader(lengths);
   body_buffer_.OnDataPayload(body);
+  size_t bytes_to_consume = 0;
   EXPECT_QUIC_BUG(
-      body_buffer_.MarkBodyConsumed(2048),
-      "Invalid argument to MarkBodyConsumed. expect to consume: 2048, but not "
+      bytes_to_consume = body_buffer_.OnBodyConsumed(2048),
+      "Invalid argument to OnBodyConsumed. expect to consume: 2048, but not "
       "enough bytes available. Total bytes readable are: 1024");
+  EXPECT_EQ(0u, bytes_to_consume);
 }
 
 // Buffer receives 1 frame. Stream read from the buffer.
 TEST_F(QuicSpdyStreamBodyBufferTest, ReadSingleBody) {
   testing::InSequence seq;
   std::string body(1024, 'a');
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
-  std::string header = std::string(buffer.get(), header_length);
+  const QuicByteCount header_length = 2;
   Http3FrameLengths lengths(header_length, 1024);
-  std::string data = header + body;
-  QuicStreamFrame frame(1, false, 0, data);
-  sequencer_.OnStreamFrame(frame);
   body_buffer_.OnDataHeader(lengths);
-  body_buffer_.OnDataPayload(QuicStringPiece(body));
-
-  EXPECT_CALL(stream_, AddBytesConsumed(header_length));
-  EXPECT_CALL(stream_, AddBytesConsumed(1024));
+  body_buffer_.OnDataPayload(body);
 
   char base[1024];
   iovec iov = {&base[0], 1024};
-  EXPECT_EQ(1024u, body_buffer_.ReadBody(&iov, 1));
+  size_t total_bytes_read = 0;
+  EXPECT_EQ(header_length + 1024,
+            body_buffer_.ReadBody(&iov, 1, &total_bytes_read));
+  EXPECT_EQ(1024u, total_bytes_read);
   EXPECT_EQ(1024u, iov.iov_len);
   EXPECT_EQ(body,
             QuicStringPiece(static_cast<const char*>(iov.iov_base), 1024));
@@ -180,54 +113,44 @@ TEST_F(QuicSpdyStreamBodyBufferTest, ReadMultipleBody) {
   testing::InSequence seq;
   // 1st frame.
   std::string body1(1024, 'a');
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length1 =
-      encoder_.SerializeDataFrameHeader(body1.length(), &buffer);
-  std::string header1 = std::string(buffer.get(), header_length1);
+  const QuicByteCount header_length1 = 2;
   Http3FrameLengths lengths1(header_length1, 1024);
-  std::string data1 = header1 + body1;
-  QuicStreamFrame frame1(1, false, 0, data1);
-  sequencer_.OnStreamFrame(frame1);
   body_buffer_.OnDataHeader(lengths1);
-  body_buffer_.OnDataPayload(QuicStringPiece(body1));
+  body_buffer_.OnDataPayload(body1);
 
   // 2nd frame.
   std::string body2(2048, 'b');
-  QuicByteCount header_length2 =
-      encoder_.SerializeDataFrameHeader(body2.length(), &buffer);
-  std::string header2 = std::string(buffer.get(), header_length2);
+  const QuicByteCount header_length2 = 4;
   Http3FrameLengths lengths2(header_length2, 2048);
-  std::string data2 = header2 + body2;
-  QuicStreamFrame frame2(1, false, data1.length(), data2);
-  sequencer_.OnStreamFrame(frame2);
   body_buffer_.OnDataHeader(lengths2);
-  body_buffer_.OnDataPayload(QuicStringPiece(body2));
+  body_buffer_.OnDataPayload(body2);
 
   // First read of 512 bytes.
-  EXPECT_CALL(stream_, AddBytesConsumed(header_length1));
-  EXPECT_CALL(stream_, AddBytesConsumed(512));
   char base[512];
   iovec iov = {&base[0], 512};
-  EXPECT_EQ(512u, body_buffer_.ReadBody(&iov, 1));
+  size_t total_bytes_read = 0;
+  EXPECT_EQ(header_length1 + 512,
+            body_buffer_.ReadBody(&iov, 1, &total_bytes_read));
+  EXPECT_EQ(512u, total_bytes_read);
   EXPECT_EQ(512u, iov.iov_len);
   EXPECT_EQ(body1.substr(0, 512),
             QuicStringPiece(static_cast<const char*>(iov.iov_base), 512));
 
   // Second read of 2048 bytes.
-  EXPECT_CALL(stream_, AddBytesConsumed(header_length2));
-  EXPECT_CALL(stream_, AddBytesConsumed(2048));
   char base2[2048];
   iovec iov2 = {&base2[0], 2048};
-  EXPECT_EQ(2048u, body_buffer_.ReadBody(&iov2, 1));
+  EXPECT_EQ(header_length2 + 2048,
+            body_buffer_.ReadBody(&iov2, 1, &total_bytes_read));
+  EXPECT_EQ(2048u, total_bytes_read);
   EXPECT_EQ(2048u, iov2.iov_len);
   EXPECT_EQ(body1.substr(512, 512) + body2.substr(0, 1536),
             QuicStringPiece(static_cast<const char*>(iov2.iov_base), 2048));
 
   // Third read of the rest 512 bytes.
-  EXPECT_CALL(stream_, AddBytesConsumed(512));
   char base3[512];
   iovec iov3 = {&base3[0], 512};
-  EXPECT_EQ(512u, body_buffer_.ReadBody(&iov3, 1));
+  EXPECT_EQ(512u, body_buffer_.ReadBody(&iov3, 1, &total_bytes_read));
+  EXPECT_EQ(512u, total_bytes_read);
   EXPECT_EQ(512u, iov3.iov_len);
   EXPECT_EQ(body2.substr(1536, 512),
             QuicStringPiece(static_cast<const char*>(iov3.iov_base), 512));
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc
index eb9a0b3dbb2..f9777ec420f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc
@@ -35,7 +35,11 @@ using spdy::SpdyHeaderBlock;
 using spdy::SpdyPriority;
 using testing::_;
 using testing::AtLeast;
+using testing::ElementsAre;
 using testing::Invoke;
+using testing::InvokeWithoutArgs;
+using testing::MatchesRegex;
+using testing::Pair;
 using testing::Return;
 using testing::StrictMock;
 
@@ -44,6 +48,7 @@ namespace test {
 namespace {
 
 const bool kShouldProcessData = true;
+const char kDataFramePayload[] = "some data";
 
 class TestStream : public QuicSpdyStream {
  public:
@@ -75,7 +80,7 @@ class TestStream : public QuicSpdyStream {
   size_t WriteHeadersImpl(spdy::SpdyHeaderBlock header_block,
                           bool fin,
                           QuicReferenceCountedPointer<QuicAckListenerInterface>
-                              ack_listener) override {
+                          /*ack_listener*/) override {
     saved_headers_ = std::move(header_block);
     WriteHeadersMock(fin);
     if (VersionUsesQpack(transport_version())) {
@@ -89,6 +94,11 @@ class TestStream : public QuicSpdyStream {
   const std::string& data() const { return data_; }
   const spdy::SpdyHeaderBlock& saved_headers() const { return saved_headers_; }
 
+  // Expose protected accessor.
+  const QuicStreamSequencer* sequencer() const {
+    return QuicStream::sequencer();
+  }
+
  private:
   bool should_process_data_;
   spdy::SpdyHeaderBlock saved_headers_;
@@ -117,7 +127,7 @@ class TestMockUpdateStreamSession : public MockQuicSpdySession {
 };
 
 class QuicSpdyStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
- public:
+ protected:
   QuicSpdyStreamTest() {
     headers_[":host"] = "www.google.com";
     headers_[":path"] = "/index.hml";
@@ -148,10 +158,24 @@ class QuicSpdyStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
         "JBCScs_ejbKaqBDoB7ZGxTvqlrB__2ZmnHHjCr8RgMRtKNtIeuZAo ";
   }
 
+  ~QuicSpdyStreamTest() override = default;
+
+  std::string EncodeQpackHeaders(QuicStreamId id, SpdyHeaderBlock* header) {
+    NoopQpackStreamSenderDelegate encoder_stream_sender_delegate;
+    auto qpack_encoder = QuicMakeUnique<QpackEncoder>(
+        session_.get(), &encoder_stream_sender_delegate);
+    return qpack_encoder->EncodeHeaderList(id, header);
+  }
+
   void Initialize(bool stream_should_process_data) {
+    InitializeWithPerspective(stream_should_process_data,
+                              Perspective::IS_SERVER);
+  }
+
+  void InitializeWithPerspective(bool stream_should_process_data,
+                                 Perspective perspective) {
     connection_ = new StrictMock<MockQuicConnection>(
-        &helper_, &alarm_factory_, Perspective::IS_SERVER,
-        SupportedVersions(GetParam()));
+        &helper_, &alarm_factory_, perspective, SupportedVersions(GetParam()));
     session_ = QuicMakeUnique<StrictMock<MockQuicSpdySession>>(connection_);
     session_->Initialize();
     ON_CALL(*session_, WritevData(_, _, _, _, _))
@@ -179,10 +203,27 @@ class QuicSpdyStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
   }
 
   bool HasFrameHeader() const {
-    return VersionHasDataFrameHeader(connection_->transport_version());
+    return VersionHasDataFrameHeader(GetParam().transport_version);
+  }
+
+  std::string HeadersFrame(QuicStringPiece payload) {
+    std::unique_ptr<char[]> headers_buffer;
+    QuicByteCount headers_frame_header_length =
+        encoder_.SerializeHeadersFrameHeader(payload.length(), &headers_buffer);
+    QuicStringPiece headers_frame_header(headers_buffer.get(),
+                                         headers_frame_header_length);
+    return QuicStrCat(headers_frame_header, payload);
+  }
+
+  std::string DataFrame(QuicStringPiece payload) {
+    std::unique_ptr<char[]> data_buffer;
+    QuicByteCount data_frame_header_length =
+        encoder_.SerializeDataFrameHeader(payload.length(), &data_buffer);
+    QuicStringPiece data_frame_header(data_buffer.get(),
+                                      data_frame_header_length);
+    return QuicStrCat(data_frame_header, payload);
   }
 
- protected:
   MockQuicConnectionHelper helper_;
   MockAlarmFactory alarm_factory_;
   MockQuicConnection* connection_;
@@ -218,12 +259,14 @@ TEST_P(QuicSpdyStreamTest, ProcessTooLargeHeaderList) {
   stream_->OnStreamHeadersPriority(kV3HighestPriority);
 
   const bool version_uses_qpack =
-      VersionUsesQpack(connection_->transport_version());
+      VersionUsesQpack(GetParam().transport_version);
 
   if (version_uses_qpack) {
-    EXPECT_CALL(*connection_,
-                CloseConnection(QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE,
-                                "Too large headers received on stream 4", _));
+    EXPECT_CALL(
+        *connection_,
+        CloseConnection(
+            QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE,
+            MatchesRegex("Too large headers received on stream \\d+"), _));
   } else {
     EXPECT_CALL(*session_,
                 SendRstStream(stream_->id(), QUIC_HEADERS_TOO_LARGE, 0));
@@ -253,9 +296,9 @@ TEST_P(QuicSpdyStreamTest, ProcessHeaderListWithFin) {
   EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
 }
 
+// A valid status code should be 3-digit integer. The first digit should be in
+// the range of [1, 5]. All the others are invalid.
 TEST_P(QuicSpdyStreamTest, ParseHeaderStatusCode) {
-  // A valid status code should be 3-digit integer. The first digit should be in
-  // the range of [1, 5]. All the others are invalid.
   Initialize(kShouldProcessData);
   int status_code = 0;
 
@@ -323,11 +366,12 @@ TEST_P(QuicSpdyStreamTest, MarkHeadersConsumed) {
 }
 
 TEST_P(QuicSpdyStreamTest, ProcessWrongFramesOnSpdyStream) {
-  testing::InSequence s;
-  Initialize(kShouldProcessData);
   if (!HasFrameHeader()) {
     return;
   }
+
+  testing::InSequence s;
+  Initialize(kShouldProcessData);
   connection_->AdvanceTime(QuicTime::Delta::FromSeconds(1));
   GoAwayFrame goaway;
   goaway.stream_id = 0x1;
@@ -350,12 +394,11 @@ TEST_P(QuicSpdyStreamTest, ProcessWrongFramesOnSpdyStream) {
                                                connection_close_behavior);
           })));
   EXPECT_CALL(*connection_, SendConnectionClosePacket(_, _));
-  EXPECT_CALL(*session_, OnConnectionClosed(_, _, _))
-      .WillOnce(
-          Invoke([this](QuicErrorCode error, const std::string& error_details,
-                        ConnectionCloseSource source) {
-            session_->ReallyOnConnectionClosed(error, error_details, source);
-          }));
+  EXPECT_CALL(*session_, OnConnectionClosed(_, _))
+      .WillOnce(Invoke([this](const QuicConnectionCloseFrame& frame,
+                              ConnectionCloseSource source) {
+        session_->ReallyOnConnectionClosed(frame, source);
+      }));
   EXPECT_CALL(*session_, SendRstStream(_, _, _));
   EXPECT_CALL(*session_, SendRstStream(_, _, _));
 
@@ -366,11 +409,7 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBody) {
   Initialize(kShouldProcessData);
 
   std::string body = "this is the body";
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
-  std::string header = std::string(buffer.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   EXPECT_EQ("", stream_->data());
   QuicHeaderList headers = ProcessHeaders(false, headers_);
@@ -384,13 +423,8 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBody) {
 }
 
 TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBodyFragments) {
-  Initialize(kShouldProcessData);
   std::string body = "this is the body";
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
-  std::string header = std::string(buffer.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   for (size_t fragment_size = 1; fragment_size < data.size(); ++fragment_size) {
     Initialize(kShouldProcessData);
@@ -410,13 +444,8 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBodyFragments) {
 }
 
 TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBodyFragmentsSplit) {
-  Initialize(kShouldProcessData);
   std::string body = "this is the body";
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
-  std::string header = std::string(buffer.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   for (size_t split_point = 1; split_point < data.size() - 1; ++split_point) {
     Initialize(kShouldProcessData);
@@ -443,11 +472,7 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBodyReadv) {
   Initialize(!kShouldProcessData);
 
   std::string body = "this is the body";
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   ProcessHeaders(false, headers_);
   QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), false, 0,
@@ -470,11 +495,8 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBodyReadv) {
 TEST_P(QuicSpdyStreamTest, ProcessHeadersAndLargeBodySmallReadv) {
   Initialize(kShouldProcessData);
   std::string body(12 * 1024, 'a');
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
+
   ProcessHeaders(false, headers_);
   QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), false, 0,
                         QuicStringPiece(data));
@@ -497,11 +519,7 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBodyMarkConsumed) {
   Initialize(!kShouldProcessData);
 
   std::string body = "this is the body";
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   ProcessHeaders(false, headers_);
   QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), false, 0,
@@ -522,14 +540,9 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBodyMarkConsumed) {
 TEST_P(QuicSpdyStreamTest, ProcessHeadersAndConsumeMultipleBody) {
   Initialize(!kShouldProcessData);
   std::string body1 = "this is body 1";
+  std::string data1 = HasFrameHeader() ? DataFrame(body1) : body1;
   std::string body2 = "body 2";
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body1.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data1 = HasFrameHeader() ? header + body1 : body1;
-  header_length = encoder_.SerializeDataFrameHeader(body2.length(), &buf);
-  std::string data2 = HasFrameHeader() ? header + body2 : body2;
+  std::string data2 = HasFrameHeader() ? DataFrame(body2) : body2;
 
   ProcessHeaders(false, headers_);
   QuicStreamFrame frame1(GetNthClientInitiatedBidirectionalId(0), false, 0,
@@ -549,11 +562,7 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersAndBodyIncrementalReadv) {
   Initialize(!kShouldProcessData);
 
   std::string body = "this is the body";
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   ProcessHeaders(false, headers_);
   QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), false, 0,
@@ -577,11 +586,7 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersUsingReadvWithMultipleIovecs) {
   Initialize(!kShouldProcessData);
 
   std::string body = "this is the body";
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   ProcessHeaders(false, headers_);
   QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), false, 0,
@@ -605,10 +610,16 @@ TEST_P(QuicSpdyStreamTest, ProcessHeadersUsingReadvWithMultipleIovecs) {
   }
 }
 
+// Tests that we send a BLOCKED frame to the peer when we attempt to write, but
+// are flow control blocked.
 TEST_P(QuicSpdyStreamTest, StreamFlowControlBlocked) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   testing::InSequence seq;
-  // Tests that we send a BLOCKED frame to the peer when we attempt to write,
-  // but are flow control blocked.
   Initialize(kShouldProcessData);
 
   // Set a small flow control limit.
@@ -639,12 +650,10 @@ TEST_P(QuicSpdyStreamTest, StreamFlowControlBlocked) {
   EXPECT_EQ(kOverflow + kHeaderLength, stream_->BufferedDataBytes());
 }
 
+// The flow control receive window decreases whenever we add new bytes to the
+// sequencer, whether they are consumed immediately or buffered. However we only
+// send WINDOW_UPDATE frames based on increasing number of bytes consumed.
 TEST_P(QuicSpdyStreamTest, StreamFlowControlNoWindowUpdateIfNotConsumed) {
-  // The flow control receive window decreases whenever we add new bytes to the
-  // sequencer, whether they are consumed immediately or buffered. However we
-  // only send WINDOW_UPDATE frames based on increasing number of bytes
-  // consumed.
-
   // Don't process data - it will be buffered instead.
   Initialize(!kShouldProcessData);
 
@@ -694,10 +703,10 @@ TEST_P(QuicSpdyStreamTest, StreamFlowControlNoWindowUpdateIfNotConsumed) {
       QuicFlowControllerPeer::ReceiveWindowSize(stream_->flow_controller()));
 }
 
+// Tests that on receipt of data, the stream updates its receive window offset
+// appropriately, and sends WINDOW_UPDATE frames when its receive window drops
+// too low.
 TEST_P(QuicSpdyStreamTest, StreamFlowControlWindowUpdate) {
-  // Tests that on receipt of data, the stream updates its receive window offset
-  // appropriately, and sends WINDOW_UPDATE frames when its receive window drops
-  // too low.
   Initialize(kShouldProcessData);
 
   // Set a small flow control limit.
@@ -745,10 +754,10 @@ TEST_P(QuicSpdyStreamTest, StreamFlowControlWindowUpdate) {
                          stream_->flow_controller()));
 }
 
+// Tests that on receipt of data, the connection updates its receive window
+// offset appropriately, and sends WINDOW_UPDATE frames when its receive window
+// drops too low.
 TEST_P(QuicSpdyStreamTest, ConnectionFlowControlWindowUpdate) {
-  // Tests that on receipt of data, the connection updates its receive window
-  // offset appropriately, and sends WINDOW_UPDATE frames when its receive
-  // window drops too low.
   Initialize(kShouldProcessData);
 
   // Set a small flow control limit for streams and connection.
@@ -816,10 +825,9 @@ TEST_P(QuicSpdyStreamTest, ConnectionFlowControlWindowUpdate) {
   stream_->OnStreamFrame(frame3);
 }
 
+// Tests that on if the peer sends too much data (i.e. violates the flow control
+// protocol), then we terminate the connection.
 TEST_P(QuicSpdyStreamTest, StreamFlowControlViolation) {
-  // Tests that on if the peer sends too much data (i.e. violates the flow
-  // control protocol), then we terminate the connection.
-
   // Stream should not process data, so that data gets buffered in the
   // sequencer, triggering flow control limits.
   Initialize(!kShouldProcessData);
@@ -833,11 +841,7 @@ TEST_P(QuicSpdyStreamTest, StreamFlowControlViolation) {
 
   // Receive data to overflow the window, violating flow control.
   std::string body(kWindow + 1, 'a');
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
   QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), false, 0,
                         QuicStringPiece(data));
   EXPECT_CALL(*connection_,
@@ -855,11 +859,10 @@ TEST_P(QuicSpdyStreamTest, TestHandlingQuicRstStreamNoError) {
   EXPECT_FALSE(stream_->reading_stopped());
 }
 
+// Tests that on if the peer sends too much data (i.e. violates the flow control
+// protocol), at the connection level (rather than the stream level) then we
+// terminate the connection.
 TEST_P(QuicSpdyStreamTest, ConnectionFlowControlViolation) {
-  // Tests that on if the peer sends too much data (i.e. violates the flow
-  // control protocol), at the connection level (rather than the stream level)
-  // then we terminate the connection.
-
   // Stream should not process data, so that data gets buffered in the
   // sequencer, triggering flow control limits.
   Initialize(!kShouldProcessData);
@@ -876,11 +879,7 @@ TEST_P(QuicSpdyStreamTest, ConnectionFlowControlViolation) {
 
   // Send enough data to overflow the connection level flow control window.
   std::string body(kConnectionWindow + 1, 'a');
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   EXPECT_LT(data.size(), kStreamWindow);
   QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), false, 0,
@@ -891,10 +890,9 @@ TEST_P(QuicSpdyStreamTest, ConnectionFlowControlViolation) {
   stream_->OnStreamFrame(frame);
 }
 
+// An attempt to write a FIN with no data should not be flow control blocked,
+// even if the send window is 0.
 TEST_P(QuicSpdyStreamTest, StreamFlowControlFinNotBlocked) {
-  // An attempt to write a FIN with no data should not be flow control blocked,
-  // even if the send window is 0.
-
   Initialize(kShouldProcessData);
 
   // Set a flow control limit of zero.
@@ -914,9 +912,9 @@ TEST_P(QuicSpdyStreamTest, StreamFlowControlFinNotBlocked) {
   stream_->WriteOrBufferBody(body, fin);
 }
 
+// Test that receiving trailing headers from the peer via OnStreamHeaderList()
+// works, and can be read from the stream and consumed.
 TEST_P(QuicSpdyStreamTest, ReceivingTrailersViaHeaderList) {
-  // Test that receiving trailing headers from the peer via
-  // OnStreamHeaderList() works, and can be read from the stream and consumed.
   Initialize(kShouldProcessData);
 
   // Receive initial headers.
@@ -960,27 +958,23 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersViaHeaderList) {
   EXPECT_TRUE(stream_->IsDoneReading());
 }
 
+// Test that when receiving trailing headers with an offset before response
+// body, stream is closed at the right offset.
 TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithOffset) {
-  // Test that when receiving trailing headers with an offset before response
-  // body, stream is closed at the right offset.
-  Initialize(kShouldProcessData);
-
   // kFinalOffsetHeaderKey is not used when HEADERS are sent on the
   // request/response stream.
   if (VersionUsesQpack(GetParam().transport_version)) {
     return;
   }
 
+  Initialize(kShouldProcessData);
+
   // Receive initial headers.
   QuicHeaderList headers = ProcessHeaders(false, headers_);
   stream_->ConsumeHeaderList();
 
   const std::string body = "this is the body";
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   // Receive trailing headers.
   SpdyHeaderBlock trailers_block;
@@ -1012,16 +1006,16 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithOffset) {
   EXPECT_TRUE(stream_->IsDoneReading());
 }
 
+// Test that receiving trailers without a final offset field is an error.
 TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithoutOffset) {
-  // Test that receiving trailers without a final offset field is an error.
-  Initialize(kShouldProcessData);
-
   // kFinalOffsetHeaderKey is not used when HEADERS are sent on the
   // request/response stream.
   if (VersionUsesQpack(GetParam().transport_version)) {
     return;
   }
 
+  Initialize(kShouldProcessData);
+
   // Receive initial headers.
   ProcessHeaders(false, headers_);
   stream_->ConsumeHeaderList();
@@ -1044,60 +1038,16 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithoutOffset) {
                               trailers.uncompressed_header_bytes(), trailers);
 }
 
-TEST_P(QuicSpdyStreamTest, ReceivingTrailersOnRequestStream) {
-  Initialize(kShouldProcessData);
-
-  if (!VersionUsesQpack(GetParam().transport_version)) {
-    return;
-  }
-
-  // Receive initial headers.
-  QuicHeaderList headers = ProcessHeaders(false, headers_);
-  stream_->ConsumeHeaderList();
-
-  const std::string body = "this is the body";
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
-
-  // Receive trailing headers.
-  SpdyHeaderBlock trailers_block;
-  trailers_block["key1"] = "value1";
-  trailers_block["key2"] = "value2";
-  trailers_block["key3"] = "value3";
-
-  QuicHeaderList trailers = ProcessHeaders(true, trailers_block);
-
-  // The trailers should be decompressed, and readable from the stream.
-  EXPECT_TRUE(stream_->trailers_decompressed());
-
-  EXPECT_EQ(trailers_block, stream_->received_trailers());
-
-  // Consuming the trailers erases them from the stream.
-  stream_->MarkTrailersConsumed();
-  EXPECT_TRUE(stream_->FinishedReadingTrailers());
-  EXPECT_TRUE(stream_->IsDoneReading());
-
-  // Receive and consume body.
-  QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), /*fin=*/false,
-                        0, data);
-  stream_->OnStreamFrame(frame);
-  EXPECT_EQ(body, stream_->data());
-  EXPECT_TRUE(stream_->IsDoneReading());
-}
-
+// Test that received Trailers must always have the FIN set.
 TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithoutFin) {
-  // Test that received Trailers must always have the FIN set.
-  Initialize(kShouldProcessData);
-
   // In IETF QUIC, there is no such thing as FIN flag on HTTP/3 frames like the
   // HEADERS frame.
   if (VersionUsesQpack(GetParam().transport_version)) {
     return;
   }
 
+  Initialize(kShouldProcessData);
+
   // Receive initial headers.
   auto headers = AsHeaderList(headers_);
   stream_->OnStreamHeaderList(/*fin=*/false,
@@ -1120,6 +1070,13 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersAfterHeadersWithFin) {
   // If headers are received with a FIN, no trailers should then arrive.
   Initialize(kShouldProcessData);
 
+  // If HEADERS frames are sent on the request/response stream, then the
+  // sequencer will signal an error if any stream data arrives after a FIN,
+  // so QuicSpdyStream does not need to.
+  if (VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
   // Receive initial headers with FIN set.
   ProcessHeaders(true, headers_);
   stream_->ConsumeHeaderList();
@@ -1133,10 +1090,8 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersAfterHeadersWithFin) {
   ProcessHeaders(true, trailers_block);
 }
 
+// If body data are received with a FIN, no trailers should then arrive.
 TEST_P(QuicSpdyStreamTest, ReceivingTrailersAfterBodyWithFin) {
-  // If body data are received with a FIN, no trailers should then arrive.
-  Initialize(kShouldProcessData);
-
   // If HEADERS frames are sent on the request/response stream,
   // then the sequencer will block them from reaching QuicSpdyStream
   // after the stream is closed.
@@ -1144,6 +1099,8 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersAfterBodyWithFin) {
     return;
   }
 
+  Initialize(kShouldProcessData);
+
   // Receive initial headers without FIN set.
   ProcessHeaders(false, headers_);
   stream_->ConsumeHeaderList();
@@ -1174,11 +1131,7 @@ TEST_P(QuicSpdyStreamTest, ClosingStreamWithNoTrailers) {
 
   // Receive and consume body with FIN set, and no trailers.
   std::string body(1024, 'x');
-  std::unique_ptr<char[]> buf;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buf);
-  std::string header = std::string(buf.get(), header_length);
-  std::string data = HasFrameHeader() ? header + body : body;
+  std::string data = HasFrameHeader() ? DataFrame(body) : body;
 
   QuicStreamFrame frame(GetNthClientInitiatedBidirectionalId(0), /*fin=*/true,
                         0, data);
@@ -1187,9 +1140,15 @@ TEST_P(QuicSpdyStreamTest, ClosingStreamWithNoTrailers) {
   EXPECT_TRUE(stream_->IsDoneReading());
 }
 
+// Test that writing trailers will send a FIN, as Trailers are the last thing to
+// be sent on a stream.
 TEST_P(QuicSpdyStreamTest, WritingTrailersSendsAFin) {
-  // Test that writing trailers will send a FIN, as Trailers are the last thing
-  // to be sent on a stream.
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   Initialize(kShouldProcessData);
 
   if (VersionUsesQpack(GetParam().transport_version)) {
@@ -1210,9 +1169,51 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersSendsAFin) {
   EXPECT_TRUE(stream_->fin_sent());
 }
 
+TEST_P(QuicSpdyStreamTest, ClientWritesPriority) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
+  InitializeWithPerspective(kShouldProcessData, Perspective::IS_CLIENT);
+
+  if (VersionUsesQpack(GetParam().transport_version)) {
+    // In this case, TestStream::WriteHeadersImpl() does not prevent writes.
+    // Six writes include priority for headers, headers frame header, headers
+    // frame, priority of trailers, trailing headers frame header, and trailers.
+    EXPECT_CALL(*session_, WritevData(stream_, stream_->id(), _, _, _))
+        .Times(4);
+    auto send_control_stream =
+        QuicSpdySessionPeer::GetSendControlStream(session_.get());
+    // The control stream will write 3 times, including stream type, settings
+    // frame, priority for headers.
+    EXPECT_CALL(*session_, WritevData(send_control_stream,
+                                      send_control_stream->id(), _, _, _))
+        .Times(3);
+  }
+
+  // Write the initial headers, without a FIN.
+  EXPECT_CALL(*stream_, WriteHeadersMock(false));
+  stream_->WriteHeaders(SpdyHeaderBlock(), /*fin=*/false, nullptr);
+
+  // Writing trailers implicitly sends a FIN.
+  SpdyHeaderBlock trailers;
+  trailers["trailer key"] = "trailer value";
+  EXPECT_CALL(*stream_, WriteHeadersMock(true));
+  stream_->WriteTrailers(std::move(trailers), nullptr);
+  EXPECT_TRUE(stream_->fin_sent());
+}
+
+// Test that when writing trailers, the trailers that are actually sent to the
+// peer contain the final offset field indicating last byte of data.
 TEST_P(QuicSpdyStreamTest, WritingTrailersFinalOffset) {
-  // Test that when writing trailers, the trailers that are actually sent to the
-  // peer contain the final offset field indicating last byte of data.
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   Initialize(kShouldProcessData);
 
   if (VersionUsesQpack(GetParam().transport_version)) {
@@ -1254,9 +1255,15 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersFinalOffset) {
   EXPECT_EQ(expected_trailers, stream_->saved_headers());
 }
 
+// Test that if trailers are written after all other data has been written
+// (headers and body), that this closes the stream for writing.
 TEST_P(QuicSpdyStreamTest, WritingTrailersClosesWriteSide) {
-  // Test that if trailers are written after all other data has been written
-  // (headers and body), that this closes the stream for writing.
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   Initialize(kShouldProcessData);
 
   // Expect data being written on the stream.  In addition to that, headers are
@@ -1280,6 +1287,8 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersClosesWriteSide) {
   EXPECT_TRUE(stream_->write_side_closed());
 }
 
+// Test that the stream is not closed for writing when trailers are sent while
+// there are still body bytes queued.
 TEST_P(QuicSpdyStreamTest, WritingTrailersWithQueuedBytes) {
   // This test exercises sending trailers on the headers stream while data is
   // still queued on the response/request stream.  In IETF QUIC, data and
@@ -1288,8 +1297,6 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersWithQueuedBytes) {
     return;
   }
 
-  // Test that the stream is not closed for writing when trailers are sent
-  // while there are still body bytes queued.
   testing::InSequence seq;
   Initialize(kShouldProcessData);
 
@@ -1320,6 +1327,7 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersWithQueuedBytes) {
   EXPECT_TRUE(stream_->write_side_closed());
 }
 
+// Test that it is not possible to write Trailers after a FIN has been sent.
 TEST_P(QuicSpdyStreamTest, WritingTrailersAfterFIN) {
   // EXPECT_QUIC_BUG tests are expensive so only run one instance of them.
   // In IETF QUIC, there is no such thing as FIN flag on HTTP/3 frames like the
@@ -1329,7 +1337,6 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersAfterFIN) {
     return;
   }
 
-  // Test that it is not possible to write Trailers after a FIN has been sent.
   Initialize(kShouldProcessData);
 
   // Write the initial headers, with a FIN.
@@ -1344,6 +1351,22 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersAfterFIN) {
 }
 
 TEST_P(QuicSpdyStreamTest, HeaderStreamNotiferCorrespondingSpdyStream) {
+  // There is no headers stream if QPACK is used.
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
+  const char kHeader1[] = "Header1";
+  const char kHeader2[] = "Header2";
+  const char kBody1[] = "Test1";
+  const char kBody2[] = "Test2";
+
   Initialize(kShouldProcessData);
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _)).Times(AtLeast(1));
   testing::InSequence s;
@@ -1354,47 +1377,48 @@ TEST_P(QuicSpdyStreamTest, HeaderStreamNotiferCorrespondingSpdyStream) {
   stream_->set_ack_listener(ack_listener1);
   stream2_->set_ack_listener(ack_listener2);
 
-  session_->headers_stream()->WriteOrBufferData("Header1", false,
-                                                ack_listener1);
-  stream_->WriteOrBufferBody("Test1", true);
+  session_->headers_stream()->WriteOrBufferData(kHeader1, false, ack_listener1);
+  stream_->WriteOrBufferBody(kBody1, true);
 
-  session_->headers_stream()->WriteOrBufferData("Header2", false,
-                                                ack_listener2);
-  stream2_->WriteOrBufferBody("Test2", false);
+  session_->headers_stream()->WriteOrBufferData(kHeader2, false, ack_listener2);
+  stream2_->WriteOrBufferBody(kBody2, false);
 
   QuicStreamFrame frame1(
       QuicUtils::GetHeadersStreamId(connection_->transport_version()), false, 0,
-      "Header1");
-  std::string header = "";
-  if (HasFrameHeader()) {
-    std::unique_ptr<char[]> buffer;
-    QuicByteCount header_length = encoder_.SerializeDataFrameHeader(5, &buffer);
-    header = std::string(buffer.get(), header_length);
-  }
-  QuicStreamFrame frame2(stream_->id(), true, 0, header + "Test1");
+      kHeader1);
+
+  std::string data1 = HasFrameHeader() ? DataFrame(kBody1) : kBody1;
+  QuicStreamFrame frame2(stream_->id(), true, 0, data1);
   QuicStreamFrame frame3(
       QuicUtils::GetHeadersStreamId(connection_->transport_version()), false, 7,
-      "Header2");
-  QuicStreamFrame frame4(stream2_->id(), false, 0, header + "Test2");
+      kHeader2);
+  std::string data2 = HasFrameHeader() ? DataFrame(kBody2) : kBody2;
+  QuicStreamFrame frame4(stream2_->id(), false, 0, data2);
 
   EXPECT_CALL(*ack_listener1, OnPacketRetransmitted(7));
   session_->OnStreamFrameRetransmitted(frame1);
 
   EXPECT_CALL(*ack_listener1, OnPacketAcked(7, _));
-  EXPECT_TRUE(
-      session_->OnFrameAcked(QuicFrame(frame1), QuicTime::Delta::Zero()));
+  EXPECT_TRUE(session_->OnFrameAcked(QuicFrame(frame1), QuicTime::Delta::Zero(),
+                                     QuicTime::Zero()));
   EXPECT_CALL(*ack_listener1, OnPacketAcked(5, _));
-  EXPECT_TRUE(
-      session_->OnFrameAcked(QuicFrame(frame2), QuicTime::Delta::Zero()));
+  EXPECT_TRUE(session_->OnFrameAcked(QuicFrame(frame2), QuicTime::Delta::Zero(),
+                                     QuicTime::Zero()));
   EXPECT_CALL(*ack_listener2, OnPacketAcked(7, _));
-  EXPECT_TRUE(
-      session_->OnFrameAcked(QuicFrame(frame3), QuicTime::Delta::Zero()));
+  EXPECT_TRUE(session_->OnFrameAcked(QuicFrame(frame3), QuicTime::Delta::Zero(),
+                                     QuicTime::Zero()));
   EXPECT_CALL(*ack_listener2, OnPacketAcked(5, _));
-  EXPECT_TRUE(
-      session_->OnFrameAcked(QuicFrame(frame4), QuicTime::Delta::Zero()));
+  EXPECT_TRUE(session_->OnFrameAcked(QuicFrame(frame4), QuicTime::Delta::Zero(),
+                                     QuicTime::Zero()));
 }
 
 TEST_P(QuicSpdyStreamTest, StreamBecomesZombieWithWriteThatCloses) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   Initialize(kShouldProcessData);
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _)).Times(AtLeast(1));
   QuicStreamPeer::CloseReadSide(stream_);
@@ -1413,6 +1437,12 @@ TEST_P(QuicSpdyStreamTest, OnPriorityFrame) {
 }
 
 TEST_P(QuicSpdyStreamTest, OnPriorityFrameAfterSendingData) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   testing::InSequence seq;
   Initialize(kShouldProcessData);
 
@@ -1451,6 +1481,12 @@ TEST_P(QuicSpdyStreamTest, SetPriorityBeforeUpdateStreamPriority) {
 }
 
 TEST_P(QuicSpdyStreamTest, StreamWaitsForAcks) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   Initialize(kShouldProcessData);
   QuicReferenceCountedPointer<MockAckListener> mock_ack_listener(
       new StrictMock<MockAckListener>);
@@ -1502,6 +1538,12 @@ TEST_P(QuicSpdyStreamTest, StreamWaitsForAcks) {
 }
 
 TEST_P(QuicSpdyStreamTest, StreamDataGetAckedMultipleTimes) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   Initialize(kShouldProcessData);
   QuicReferenceCountedPointer<MockAckListener> mock_ack_listener(
       new StrictMock<MockAckListener>);
@@ -1557,10 +1599,17 @@ TEST_P(QuicSpdyStreamTest, StreamDataGetAckedMultipleTimes) {
 
 // HTTP/3 only.
 TEST_P(QuicSpdyStreamTest, HeadersAckNotReportedWriteOrBufferBody) {
-  Initialize(kShouldProcessData);
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   if (!HasFrameHeader()) {
     return;
   }
+
+  Initialize(kShouldProcessData);
   QuicReferenceCountedPointer<MockAckListener> mock_ack_listener(
       new StrictMock<MockAckListener>);
   stream_->set_ack_listener(mock_ack_listener);
@@ -1581,20 +1630,21 @@ TEST_P(QuicSpdyStreamTest, HeadersAckNotReportedWriteOrBufferBody) {
 
   EXPECT_CALL(*mock_ack_listener, OnPacketAcked(body.length(), _));
   QuicStreamFrame frame(stream_->id(), false, 0, header + body);
-  EXPECT_TRUE(
-      session_->OnFrameAcked(QuicFrame(frame), QuicTime::Delta::Zero()));
+  EXPECT_TRUE(session_->OnFrameAcked(QuicFrame(frame), QuicTime::Delta::Zero(),
+                                     QuicTime::Zero()));
 
   EXPECT_CALL(*mock_ack_listener, OnPacketAcked(0, _));
-  QuicStreamFrame frame2(stream_->id(), false, (header + body).length(),
+  QuicStreamFrame frame2(stream_->id(), false, header.length() + body.length(),
                          header2);
-  EXPECT_TRUE(
-      session_->OnFrameAcked(QuicFrame(frame2), QuicTime::Delta::Zero()));
+  EXPECT_TRUE(session_->OnFrameAcked(QuicFrame(frame2), QuicTime::Delta::Zero(),
+                                     QuicTime::Zero()));
 
   EXPECT_CALL(*mock_ack_listener, OnPacketAcked(body2.length(), _));
   QuicStreamFrame frame3(stream_->id(), true,
-                         (header + body).length() + header2.length(), body2);
-  EXPECT_TRUE(
-      session_->OnFrameAcked(QuicFrame(frame3), QuicTime::Delta::Zero()));
+                         header.length() + body.length() + header2.length(),
+                         body2);
+  EXPECT_TRUE(session_->OnFrameAcked(QuicFrame(frame3), QuicTime::Delta::Zero(),
+                                     QuicTime::Zero()));
 
   EXPECT_TRUE(
       QuicSpdyStreamPeer::unacked_frame_headers_offsets(stream_).Empty());
@@ -1602,16 +1652,23 @@ TEST_P(QuicSpdyStreamTest, HeadersAckNotReportedWriteOrBufferBody) {
 
 // HTTP/3 only.
 TEST_P(QuicSpdyStreamTest, HeadersAckNotReportedWriteBodySlices) {
-  Initialize(kShouldProcessData);
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+
   if (!HasFrameHeader()) {
     return;
   }
+
+  Initialize(kShouldProcessData);
   QuicReferenceCountedPointer<MockAckListener> mock_ack_listener(
       new StrictMock<MockAckListener>);
   stream_->set_ack_listener(mock_ack_listener);
-  std::string body = "Test1";
+  std::string body1 = "Test1";
   std::string body2(100, 'x');
-  struct iovec body1_iov = {const_cast<char*>(body.data()), body.length()};
+  struct iovec body1_iov = {const_cast<char*>(body1.data()), body1.length()};
   struct iovec body2_iov = {const_cast<char*>(body2.data()), body2.length()};
   QuicMemSliceStorage storage(&body1_iov, 1,
                               helper_.GetStreamSendBufferAllocator(), 1024);
@@ -1621,20 +1678,14 @@ TEST_P(QuicSpdyStreamTest, HeadersAckNotReportedWriteBodySlices) {
   stream_->WriteBodySlices(storage.ToSpan(), false);
   stream_->WriteBodySlices(storage2.ToSpan(), true);
 
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
-  std::string header = std::string(buffer.get(), header_length);
-
-  header_length = encoder_.SerializeDataFrameHeader(body2.length(), &buffer);
-  std::string header2 = std::string(buffer.get(), header_length);
+  std::string data1 = DataFrame(body1);
+  std::string data2 = DataFrame(body2);
 
   EXPECT_CALL(*mock_ack_listener,
-              OnPacketAcked(body.length() + body2.length(), _));
-  QuicStreamFrame frame(stream_->id(), true, 0,
-                        header + body + header2 + body2);
-  EXPECT_TRUE(
-      session_->OnFrameAcked(QuicFrame(frame), QuicTime::Delta::Zero()));
+              OnPacketAcked(body1.length() + body2.length(), _));
+  QuicStreamFrame frame(stream_->id(), true, 0, data1 + data2);
+  EXPECT_TRUE(session_->OnFrameAcked(QuicFrame(frame), QuicTime::Delta::Zero(),
+                                     QuicTime::Zero()));
 
   EXPECT_TRUE(
       QuicSpdyStreamPeer::unacked_frame_headers_offsets(stream_).Empty());
@@ -1642,35 +1693,35 @@ TEST_P(QuicSpdyStreamTest, HeadersAckNotReportedWriteBodySlices) {
 
 // HTTP/3 only.
 TEST_P(QuicSpdyStreamTest, HeaderBytesNotReportedOnRetransmission) {
-  Initialize(kShouldProcessData);
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   if (!HasFrameHeader()) {
     return;
   }
+
+  Initialize(kShouldProcessData);
   QuicReferenceCountedPointer<MockAckListener> mock_ack_listener(
       new StrictMock<MockAckListener>);
   stream_->set_ack_listener(mock_ack_listener);
-  std::string body = "Test1";
+  std::string body1 = "Test1";
   std::string body2(100, 'x');
 
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _)).Times(AtLeast(1));
-  stream_->WriteOrBufferBody(body, false);
+  stream_->WriteOrBufferBody(body1, false);
   stream_->WriteOrBufferBody(body2, true);
 
-  std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
-  std::string header = std::string(buffer.get(), header_length);
-
-  header_length = encoder_.SerializeDataFrameHeader(body2.length(), &buffer);
-  std::string header2 = std::string(buffer.get(), header_length);
+  std::string data1 = DataFrame(body1);
+  std::string data2 = DataFrame(body2);
 
-  EXPECT_CALL(*mock_ack_listener, OnPacketRetransmitted(body.length()));
-  QuicStreamFrame frame(stream_->id(), false, 0, header + body);
+  EXPECT_CALL(*mock_ack_listener, OnPacketRetransmitted(body1.length()));
+  QuicStreamFrame frame(stream_->id(), false, 0, data1);
   session_->OnStreamFrameRetransmitted(frame);
 
   EXPECT_CALL(*mock_ack_listener, OnPacketRetransmitted(body2.length()));
-  QuicStreamFrame frame2(stream_->id(), true, (header + body).length(),
-                         header2 + body2);
+  QuicStreamFrame frame2(stream_->id(), true, data1.length(), data2);
   session_->OnStreamFrameRetransmitted(frame2);
 
   EXPECT_FALSE(
@@ -1684,56 +1735,589 @@ TEST_P(QuicSpdyStreamTest, HeadersFrameOnRequestStream) {
 
   Initialize(kShouldProcessData);
 
-  // QPACK encoded header block with single header field "foo: bar".
-  std::string headers_frame_payload =
-      QuicTextUtils::HexDecode("00002a94e703626172");
-  std::unique_ptr<char[]> headers_buffer;
-  QuicByteCount headers_frame_header_length =
-      encoder_.SerializeHeadersFrameHeader(headers_frame_payload.length(),
-                                           &headers_buffer);
-  QuicStringPiece headers_frame_header(headers_buffer.get(),
-                                       headers_frame_header_length);
-
-  std::string data_frame_payload = "some data";
-  std::unique_ptr<char[]> data_buffer;
-  QuicByteCount data_frame_header_length = encoder_.SerializeDataFrameHeader(
-      data_frame_payload.length(), &data_buffer);
-  QuicStringPiece data_frame_header(data_buffer.get(),
-                                    data_frame_header_length);
-
-  // QPACK encoded header block with single header field
-  // "custom-key: custom-value".
-  std::string trailers_frame_payload =
-      QuicTextUtils::HexDecode("00002f0125a849e95ba97d7f8925a849e95bb8e8b4bf");
-  std::unique_ptr<char[]> trailers_buffer;
-  QuicByteCount trailers_frame_header_length =
-      encoder_.SerializeHeadersFrameHeader(trailers_frame_payload.length(),
-                                           &trailers_buffer);
-  QuicStringPiece trailers_frame_header(trailers_buffer.get(),
-                                        trailers_frame_header_length);
-
-  std::string stream_frame_payload = QuicStrCat(
-      headers_frame_header, headers_frame_payload, data_frame_header,
-      data_frame_payload, trailers_frame_header, trailers_frame_payload);
+  // HEADERS frame with QPACK encoded single header field "foo: bar".
+  std::string headers =
+      HeadersFrame(QuicTextUtils::HexDecode("00002a94e703626172"));
+  std::string data = DataFrame(kDataFramePayload);
+  // HEADERS frame with QPACK encoded single header
+  // field "custom-key: custom-value".
+  std::string trailers = HeadersFrame(
+      QuicTextUtils::HexDecode("00002f0125a849e95ba97d7f8925a849e95bb8e8b4bf"));
+
+  std::string stream_frame_payload = QuicStrCat(headers, data, trailers);
   QuicStreamFrame frame(stream_->id(), false, 0, stream_frame_payload);
   stream_->OnStreamFrame(frame);
 
-  auto it = stream_->header_list().begin();
-  ASSERT_TRUE(it != stream_->header_list().end());
-  EXPECT_EQ("foo", it->first);
-  EXPECT_EQ("bar", it->second);
-  ++it;
-  EXPECT_TRUE(it == stream_->header_list().end());
+  EXPECT_THAT(stream_->header_list(), ElementsAre(Pair("foo", "bar")));
 
   // QuicSpdyStream only calls OnBodyAvailable()
   // after the header list has been consumed.
   EXPECT_EQ("", stream_->data());
   stream_->ConsumeHeaderList();
-  EXPECT_EQ("some data", stream_->data());
+  EXPECT_EQ(kDataFramePayload, stream_->data());
+
+  EXPECT_THAT(stream_->received_trailers(),
+              ElementsAre(Pair("custom-key", "custom-value")));
+}
+
+TEST_P(QuicSpdyStreamTest, ProcessBodyAfterTrailers) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(!kShouldProcessData);
+
+  // HEADERS frame with QPACK encoded single header field "foo: bar".
+  std::string headers =
+      HeadersFrame(QuicTextUtils::HexDecode("00002a94e703626172"));
+
+  // DATA frame.
+  std::string data = DataFrame(kDataFramePayload);
+
+  // A header block that will take more than one block of sequencer buffer.
+  // This ensures that when the trailers are consumed, some buffer buckets will
+  // be freed.
+  SpdyHeaderBlock trailers_block;
+  trailers_block["key1"] = std::string(10000, 'x');
+  std::string trailers_frame_payload =
+      EncodeQpackHeaders(stream_->id(), &trailers_block);
+  std::string trailers = HeadersFrame(trailers_frame_payload);
+
+  // Feed all three HTTP/3 frames in a single stream frame.
+  std::string stream_frame_payload = QuicStrCat(headers, data, trailers);
+  QuicStreamFrame frame(stream_->id(), false, 0, stream_frame_payload);
+  stream_->OnStreamFrame(frame);
+
+  stream_->ConsumeHeaderList();
+  stream_->MarkTrailersConsumed();
+
+  EXPECT_TRUE(stream_->trailers_decompressed());
+  EXPECT_EQ(trailers_block, stream_->received_trailers());
+
+  EXPECT_TRUE(stream_->HasBytesToRead());
+
+  // Consume data.
+  char buffer[2048];
+  struct iovec vec;
+  vec.iov_base = buffer;
+  vec.iov_len = QUIC_ARRAYSIZE(buffer);
+  size_t bytes_read = stream_->Readv(&vec, 1);
+  EXPECT_EQ(kDataFramePayload, QuicStringPiece(buffer, bytes_read));
+
+  EXPECT_FALSE(stream_->HasBytesToRead());
+}
+
+// The test stream will receive a stream frame containing malformed headers and
+// normal body. Make sure the http decoder stops processing body after the
+// connection shuts down.
+TEST_P(QuicSpdyStreamTest, MalformedHeadersStopHttpDecoder) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  testing::InSequence s;
+
+  Initialize(kShouldProcessData);
+  connection_->AdvanceTime(QuicTime::Delta::FromSeconds(1));
+
+  // Random bad headers.
+  std::string headers =
+      HeadersFrame(QuicTextUtils::HexDecode("00002a94e7036261"));
+  std::string data = DataFrame(kDataFramePayload);
+
+  std::string stream_frame_payload = QuicStrCat(headers, data);
+  QuicStreamFrame frame(stream_->id(), false, 0, stream_frame_payload);
+
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(
+          QUIC_DECOMPRESSION_FAILURE,
+          MatchesRegex("Error decompressing header block on stream \\d+: "
+                       "Incomplete header block."),
+          _))
+      .WillOnce(
+          (Invoke([this](QuicErrorCode error, const std::string& error_details,
+                         ConnectionCloseBehavior connection_close_behavior) {
+            connection_->ReallyCloseConnection(error, error_details,
+                                               connection_close_behavior);
+          })));
+  EXPECT_CALL(*connection_, SendConnectionClosePacket(_, _));
+  EXPECT_CALL(*session_, OnConnectionClosed(_, _))
+      .WillOnce(Invoke([this](const QuicConnectionCloseFrame& frame,
+                              ConnectionCloseSource source) {
+        session_->ReallyOnConnectionClosed(frame, source);
+      }));
+  EXPECT_CALL(*session_, SendRstStream(_, _, _));
+  EXPECT_CALL(*session_, SendRstStream(_, _, _));
+  stream_->OnStreamFrame(frame);
+}
+
+TEST_P(QuicSpdyStreamTest, ImmediateHeaderDecodingWithDynamicTableEntries) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  // Deliver dynamic table entry to decoder.
+  session_->qpack_decoder()->OnInsertWithoutNameReference("foo", "bar");
+
+  // HEADERS frame referencing first dynamic table entry.
+  std::string headers = HeadersFrame(QuicTextUtils::HexDecode("020080"));
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, 0, headers));
+
+  // Headers can be decoded immediately.
+  EXPECT_TRUE(stream_->headers_decompressed());
+
+  // Verify headers.
+  EXPECT_THAT(stream_->header_list(), ElementsAre(Pair("foo", "bar")));
+  stream_->ConsumeHeaderList();
+
+  // DATA frame.
+  std::string data = DataFrame(kDataFramePayload);
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, /* offset = */
+                                         headers.length(), data));
+  EXPECT_EQ(kDataFramePayload, stream_->data());
+
+  // Deliver second dynamic table entry to decoder.
+  session_->qpack_decoder()->OnInsertWithoutNameReference("trailing", "foobar");
+
+  // Trailing HEADERS frame referencing second dynamic table entry.
+  std::string trailers = HeadersFrame(QuicTextUtils::HexDecode("030080"));
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), true, /* offset = */
+                                         headers.length() + data.length(),
+                                         trailers));
+
+  // Trailers can be decoded immediately.
+  EXPECT_TRUE(stream_->trailers_decompressed());
+
+  // Verify trailers.
+  EXPECT_THAT(stream_->received_trailers(),
+              ElementsAre(Pair("trailing", "foobar")));
+  stream_->MarkTrailersConsumed();
+}
+
+TEST_P(QuicSpdyStreamTest, BlockedHeaderDecoding) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  // HEADERS frame referencing first dynamic table entry.
+  std::string headers = HeadersFrame(QuicTextUtils::HexDecode("020080"));
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, 0, headers));
+
+  // Decoding is blocked because dynamic table entry has not been received yet.
+  EXPECT_FALSE(stream_->headers_decompressed());
+
+  // Deliver dynamic table entry to decoder.
+  session_->qpack_decoder()->OnInsertWithoutNameReference("foo", "bar");
+  EXPECT_TRUE(stream_->headers_decompressed());
+
+  // Verify headers.
+  EXPECT_THAT(stream_->header_list(), ElementsAre(Pair("foo", "bar")));
+  stream_->ConsumeHeaderList();
+
+  // DATA frame.
+  std::string data = DataFrame(kDataFramePayload);
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, /* offset = */
+                                         headers.length(), data));
+  EXPECT_EQ(kDataFramePayload, stream_->data());
+
+  // Trailing HEADERS frame referencing second dynamic table entry.
+  std::string trailers = HeadersFrame(QuicTextUtils::HexDecode("030080"));
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), true, /* offset = */
+                                         headers.length() + data.length(),
+                                         trailers));
+
+  // Decoding is blocked because dynamic table entry has not been received yet.
+  EXPECT_FALSE(stream_->trailers_decompressed());
+
+  // Deliver second dynamic table entry to decoder.
+  session_->qpack_decoder()->OnInsertWithoutNameReference("trailing", "foobar");
+  EXPECT_TRUE(stream_->trailers_decompressed());
+
+  // Verify trailers.
+  EXPECT_THAT(stream_->received_trailers(),
+              ElementsAre(Pair("trailing", "foobar")));
+  stream_->MarkTrailersConsumed();
+}
+
+TEST_P(QuicSpdyStreamTest, AsyncErrorDecodingHeaders) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  // HEADERS frame only referencing entry with absolute index 0 but with
+  // Required Insert Count = 2, which is incorrect.
+  std::string headers = HeadersFrame(QuicTextUtils::HexDecode("030081"));
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, 0, headers));
+
+  // Even though entire header block is received and every referenced entry is
+  // available, decoding is blocked until insert count reaches the Required
+  // Insert Count value advertised in the header block prefix.
+  EXPECT_FALSE(stream_->headers_decompressed());
+
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(
+          QUIC_DECOMPRESSION_FAILURE,
+          MatchesRegex("Error during async decoding of headers on stream \\d+: "
+                       "Required Insert Count too large."),
+          ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET));
+
+  // Deliver two dynamic table entries to decoder
+  // to trigger decoding of header block.
+  session_->qpack_decoder()->OnInsertWithoutNameReference("foo", "bar");
+  session_->qpack_decoder()->OnInsertWithoutNameReference("foo", "bar");
+}
+
+TEST_P(QuicSpdyStreamTest, AsyncErrorDecodingTrailers) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  // HEADERS frame referencing first dynamic table entry.
+  std::string headers = HeadersFrame(QuicTextUtils::HexDecode("020080"));
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, 0, headers));
+
+  // Decoding is blocked because dynamic table entry has not been received yet.
+  EXPECT_FALSE(stream_->headers_decompressed());
+
+  // Deliver dynamic table entry to decoder.
+  session_->qpack_decoder()->OnInsertWithoutNameReference("foo", "bar");
+  EXPECT_TRUE(stream_->headers_decompressed());
+
+  // Verify headers.
+  EXPECT_THAT(stream_->header_list(), ElementsAre(Pair("foo", "bar")));
+  stream_->ConsumeHeaderList();
+
+  // DATA frame.
+  std::string data = DataFrame(kDataFramePayload);
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, /* offset = */
+                                         headers.length(), data));
+  EXPECT_EQ(kDataFramePayload, stream_->data());
+
+  // Trailing HEADERS frame only referencing entry with absolute index 0 but
+  // with Required Insert Count = 2, which is incorrect.
+  std::string trailers = HeadersFrame(QuicTextUtils::HexDecode("030081"));
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), true, /* offset = */
+                                         headers.length() + data.length(),
+                                         trailers));
+
+  // Even though entire header block is received and every referenced entry is
+  // available, decoding is blocked until insert count reaches the Required
+  // Insert Count value advertised in the header block prefix.
+  EXPECT_FALSE(stream_->trailers_decompressed());
+
+  EXPECT_CALL(*connection_,
+              CloseConnection(
+                  QUIC_DECOMPRESSION_FAILURE,
+                  MatchesRegex(
+                      "Error during async decoding of trailers on stream \\d+: "
+                      "Required Insert Count too large."),
+                  ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET));
+
+  // Deliver second dynamic table entry to decoder
+  // to trigger decoding of trailing header block.
+  session_->qpack_decoder()->OnInsertWithoutNameReference("trailing", "foobar");
+}
+
+class QuicSpdyStreamIncrementalConsumptionTest : public QuicSpdyStreamTest {
+ protected:
+  QuicSpdyStreamIncrementalConsumptionTest() : offset_(0), consumed_bytes_(0) {}
+  ~QuicSpdyStreamIncrementalConsumptionTest() override = default;
+
+  // Create QuicStreamFrame with |payload|
+  // and pass it to stream_->OnStreamFrame().
+  void OnStreamFrame(QuicStringPiece payload) {
+    QuicStreamFrame frame(stream_->id(), /* fin = */ false, offset_, payload);
+    stream_->OnStreamFrame(frame);
+    offset_ += payload.size();
+  }
+
+  // Return number of bytes marked consumed with sequencer
+  // since last NewlyConsumedBytes() call.
+  QuicStreamOffset NewlyConsumedBytes() {
+    QuicStreamOffset previously_consumed_bytes = consumed_bytes_;
+    consumed_bytes_ = stream_->sequencer()->NumBytesConsumed();
+    return consumed_bytes_ - previously_consumed_bytes;
+  }
+
+  // Read |size| bytes from the stream.
+  std::string ReadFromStream(QuicByteCount size) {
+    std::string buffer;
+    buffer.resize(size);
+
+    struct iovec vec;
+    vec.iov_base = const_cast<char*>(buffer.data());
+    vec.iov_len = size;
+
+    size_t bytes_read = stream_->Readv(&vec, 1);
+    EXPECT_EQ(bytes_read, size);
+
+    return buffer;
+  }
+
+ private:
+  QuicStreamOffset offset_;
+  QuicStreamOffset consumed_bytes_;
+};
+
+INSTANTIATE_TEST_SUITE_P(Tests,
+                         QuicSpdyStreamIncrementalConsumptionTest,
+                         ::testing::Values(ParsedQuicVersion{PROTOCOL_TLS1_3,
+                                                             QUIC_VERSION_99}));
+
+// Test that stream bytes are consumed (by calling
+// sequencer()->MarkConsumed()) incrementally, as soon as possible.
+TEST_P(QuicSpdyStreamIncrementalConsumptionTest, IncrementalConsumptionTest) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(!kShouldProcessData);
+
+  // HEADERS frame with QPACK encoded single header field "foo: bar".
+  std::string headers =
+      HeadersFrame(QuicTextUtils::HexDecode("00002a94e703626172"));
+
+  // All HEADERS frame bytes are consumed even if the frame is not received
+  // completely (as long as at least some of the payload is received, which is
+  // an implementation detail that should not be tested).
+  OnStreamFrame(QuicStringPiece(headers).substr(0, headers.size() - 1));
+  EXPECT_EQ(headers.size() - 1, NewlyConsumedBytes());
+
+  // The rest of the HEADERS frame is also consumed immediately.
+  OnStreamFrame(QuicStringPiece(headers).substr(headers.size() - 1));
+  EXPECT_EQ(1u, NewlyConsumedBytes());
+
+  // Verify headers.
+  EXPECT_THAT(stream_->header_list(), ElementsAre(Pair("foo", "bar")));
+  stream_->ConsumeHeaderList();
+
+  // DATA frame.
+  QuicStringPiece data_payload(kDataFramePayload);
+  std::string data_frame = DataFrame(data_payload);
+
+  // DATA frame is not consumed because payload has to be buffered.
+  // TODO(bnc): Consume frame header as soon as possible.
+  OnStreamFrame(data_frame);
+  EXPECT_EQ(0u, NewlyConsumedBytes());
+
+  // Consume all but last byte of data.
+  EXPECT_EQ(data_payload.substr(0, data_payload.size() - 1),
+            ReadFromStream(data_payload.size() - 1));
+  EXPECT_EQ(data_frame.size() - 1, NewlyConsumedBytes());
+
+  // Trailing HEADERS frame with QPACK encoded
+  // single header field "custom-key: custom-value".
+  std::string trailers = HeadersFrame(
+      QuicTextUtils::HexDecode("00002f0125a849e95ba97d7f8925a849e95bb8e8b4bf"));
+
+  // No bytes are consumed, because last byte of DATA payload is still buffered.
+  OnStreamFrame(QuicStringPiece(trailers).substr(0, trailers.size() - 1));
+  EXPECT_EQ(0u, NewlyConsumedBytes());
+
+  // Reading last byte of DATA payload triggers consumption of all data received
+  // so far, even though last HEADERS frame has not been received completely.
+  EXPECT_EQ(data_payload.substr(data_payload.size() - 1), ReadFromStream(1));
+  EXPECT_EQ(1 + trailers.size() - 1, NewlyConsumedBytes());
+
+  // Last byte of trailers is immediately consumed.
+  OnStreamFrame(QuicStringPiece(trailers).substr(trailers.size() - 1));
+  EXPECT_EQ(1u, NewlyConsumedBytes());
+
+  // Verify trailers.
+  EXPECT_THAT(stream_->received_trailers(),
+              ElementsAre(Pair("custom-key", "custom-value")));
+}
+
+TEST_P(QuicSpdyStreamTest, PushPromiseOnDataStreamShouldClose) {
+  Initialize(kShouldProcessData);
+  if (!HasFrameHeader()) {
+    return;
+  }
+  PushPromiseFrame push_promise;
+  push_promise.push_id = 0x01;
+  push_promise.headers = "Headers";
+  std::unique_ptr<char[]> buffer;
+  HttpEncoder encoder;
+  uint64_t length =
+      encoder.SerializePushPromiseFrameWithOnlyPushId(push_promise, &buffer);
+  QuicStreamFrame frame(stream_->id(), false, 0, buffer.get(), length);
+  // TODO(lassey): Check for HTTP_WRONG_STREAM error code.
+  EXPECT_CALL(*connection_, CloseConnection(QUIC_HTTP_DECODER_ERROR, _, _));
+  stream_->OnStreamHeadersPriority(kV3HighestPriority);
+  ProcessHeaders(false, headers_);
+  stream_->ConsumeHeaderList();
+  stream_->OnStreamFrame(frame);
+}
+
+// Close connection if a DATA frame is received before a HEADERS frame.
+TEST_P(QuicSpdyStreamTest, DataBeforeHeaders) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  // Closing the connection is mocked out in tests.  Instead, simply stop
+  // reading data at the stream level to prevent QuicSpdyStream from blowing up.
+  // TODO(b/124216424): Change error code to HTTP_UNEXPECTED_FRAME.
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(QUIC_INVALID_HEADERS_STREAM_DATA,
+                      "Unexpected DATA frame received.",
+                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET))
+      .WillOnce(InvokeWithoutArgs([this]() { stream_->StopReading(); }));
+
+  std::string data = DataFrame(kDataFramePayload);
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, 0, data));
+}
+
+// Close connection if a HEADERS frame is received after the trailing HEADERS.
+TEST_P(QuicSpdyStreamTest, TrailersAfterTrailers) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  // Receive and consume headers, with single header field "foo: bar".
+  std::string headers =
+      HeadersFrame(QuicTextUtils::HexDecode("00002a94e703626172"));
+  QuicStreamOffset offset = 0;
+  stream_->OnStreamFrame(
+      QuicStreamFrame(stream_->id(), false, offset, headers));
+  offset += headers.size();
+
+  EXPECT_THAT(stream_->header_list(), ElementsAre(Pair("foo", "bar")));
+  stream_->ConsumeHeaderList();
+
+  // Receive data.  It is consumed by TestStream.
+  std::string data = DataFrame(kDataFramePayload);
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, offset, data));
+  offset += data.size();
+
+  EXPECT_EQ(kDataFramePayload, stream_->data());
+
+  // Receive and consume trailers, with single header field
+  // "custom-key: custom-value".
+  std::string trailers1 = HeadersFrame(
+      QuicTextUtils::HexDecode("00002f0125a849e95ba97d7f8925a849e95bb8e8b4bf"));
+  stream_->OnStreamFrame(
+      QuicStreamFrame(stream_->id(), false, offset, trailers1));
+  offset += trailers1.size();
+
+  EXPECT_TRUE(stream_->trailers_decompressed());
+  EXPECT_THAT(stream_->received_trailers(),
+              ElementsAre(Pair("custom-key", "custom-value")));
+
+  // Closing the connection is mocked out in tests.  Instead, simply stop
+  // reading data at the stream level to prevent QuicSpdyStream from blowing up.
+  // TODO(b/124216424): Change error code to HTTP_UNEXPECTED_FRAME.
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(QUIC_INVALID_HEADERS_STREAM_DATA,
+                      "HEADERS frame received after trailing HEADERS.",
+                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET))
+      .WillOnce(InvokeWithoutArgs([this]() { stream_->StopReading(); }));
+
+  // Receive another HEADERS frame, with no header fields.
+  std::string trailers2 = HeadersFrame(QuicTextUtils::HexDecode("0000"));
+  stream_->OnStreamFrame(
+      QuicStreamFrame(stream_->id(), false, offset, trailers2));
+}
+
+// Regression test for https://crbug.com/978733.
+// Close connection if a DATA frame is received after the trailing HEADERS.
+TEST_P(QuicSpdyStreamTest, DataAfterTrailers) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  // Receive and consume headers, with single header field "foo: bar".
+  std::string headers =
+      HeadersFrame(QuicTextUtils::HexDecode("00002a94e703626172"));
+  QuicStreamOffset offset = 0;
+  stream_->OnStreamFrame(
+      QuicStreamFrame(stream_->id(), false, offset, headers));
+  offset += headers.size();
+
+  EXPECT_THAT(stream_->header_list(), ElementsAre(Pair("foo", "bar")));
+  stream_->ConsumeHeaderList();
+
+  // Receive data.  It is consumed by TestStream.
+  std::string data1 = DataFrame(kDataFramePayload);
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, offset, data1));
+  offset += data1.size();
+  EXPECT_EQ(kDataFramePayload, stream_->data());
+
+  // Receive trailers, with single header field "custom-key: custom-value".
+  std::string trailers = HeadersFrame(
+      QuicTextUtils::HexDecode("00002f0125a849e95ba97d7f8925a849e95bb8e8b4bf"));
+  stream_->OnStreamFrame(
+      QuicStreamFrame(stream_->id(), false, offset, trailers));
+  offset += trailers.size();
+
+  EXPECT_THAT(stream_->received_trailers(),
+              ElementsAre(Pair("custom-key", "custom-value")));
+
+  // Closing the connection is mocked out in tests.  Instead, simply stop
+  // reading data at the stream level to prevent QuicSpdyStream from blowing up.
+  // TODO(b/124216424): Change error code to HTTP_UNEXPECTED_FRAME.
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(QUIC_INVALID_HEADERS_STREAM_DATA,
+                      "Unexpected DATA frame received.",
+                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET))
+      .WillOnce(InvokeWithoutArgs([this]() { stream_->StopReading(); }));
+
+  // Receive more data.
+  std::string data2 = DataFrame("This payload should not be proccessed.");
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, offset, data2));
+}
+
+// SETTINGS frames are invalid on bidirectional streams.  If one is received,
+// the connection is closed.  No more data should be processed.
+TEST_P(QuicSpdyStreamTest, StopProcessingIfConnectionClosed) {
+  if (!VersionUsesQpack(GetParam().transport_version)) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  // SETTINGS frame with empty payload.
+  std::string settings = QuicTextUtils::HexDecode("0400");
+  // HEADERS frame with QPACK encoded single header field "foo: bar".
+  // Since it arrives after a SETTINGS frame, it should never be read.
+  std::string headers =
+      HeadersFrame(QuicTextUtils::HexDecode("00002a94e703626172"));
+
+  // Combine the two frames to make sure they are processed in a single
+  // QuicSpdyStream::OnDataAvailable() call.
+  std::string frames = QuicStrCat(settings, headers);
+
+  EXPECT_EQ(0u, stream_->sequencer()->NumBytesConsumed());
+
+  EXPECT_CALL(*connection_, CloseConnection(QUIC_HTTP_DECODER_ERROR, _, _))
+      .WillOnce(
+          Invoke(connection_, &MockQuicConnection::ReallyCloseConnection));
+  EXPECT_CALL(*connection_, SendConnectionClosePacket(_, _));
+  EXPECT_CALL(*session_, OnConnectionClosed(_, _));
+
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), /* fin = */ false,
+                                         /* offset = */ 0, frames));
 
-  const spdy::SpdyHeaderBlock& trailers = stream_->received_trailers();
-  EXPECT_THAT(trailers, testing::ElementsAre(
-                            testing::Pair("custom-key", "custom-value")));
+  EXPECT_EQ(0u, stream_->sequencer()->NumBytesConsumed());
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.cc b/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.cc
new file mode 100644
index 00000000000..02c963ce20a
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.cc
@@ -0,0 +1,214 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
+
+#include "url/gurl.h"
+
+using spdy::SpdyHeaderBlock;
+
+namespace quic {
+
+// static
+std::string SpdyServerPushUtils::GetPromisedUrlFromHeaders(
+    const SpdyHeaderBlock& headers) {
+  // RFC 7540, Section 8.1.2.3: All HTTP/2 requests MUST include exactly
+  // one valid value for the ":method", ":scheme", and ":path" pseudo-header
+  // fields, unless it is a CONNECT request.
+
+  // RFC 7540, Section  8.2.1:  The header fields in PUSH_PROMISE and any
+  // subsequent CONTINUATION frames MUST be a valid and complete set of request
+  // header fields (Section 8.1.2.3).  The server MUST include a method in the
+  // ":method" pseudo-header field that is safe and cacheable.
+  //
+  // RFC 7231, Section  4.2.1: Of the request methods defined by this
+  // specification, the GET, HEAD, OPTIONS, and TRACE methods are defined to be
+  // safe.
+  //
+  // RFC 7231, Section  4.2.1: ... this specification defines GET, HEAD, and
+  // POST as cacheable, ...
+  //
+  // So the only methods allowed in a PUSH_PROMISE are GET and HEAD.
+  SpdyHeaderBlock::const_iterator it = headers.find(":method");
+  if (it == headers.end() || (it->second != "GET" && it->second != "HEAD")) {
+    return std::string();
+  }
+
+  it = headers.find(":scheme");
+  if (it == headers.end() || it->second.empty()) {
+    return std::string();
+  }
+  QuicStringPiece scheme = it->second;
+
+  // RFC 7540, Section 8.2: The server MUST include a value in the
+  // ":authority" pseudo-header field for which the server is authoritative
+  // (see Section 10.1).
+  it = headers.find(":authority");
+  if (it == headers.end() || it->second.empty()) {
+    return std::string();
+  }
+  QuicStringPiece authority = it->second;
+
+  // RFC 7540, Section 8.1.2.3 requires that the ":path" pseudo-header MUST
+  // NOT be empty for "http" or "https" URIs;
+  //
+  // However, to ensure the scheme is consistently canonicalized, that check
+  // is deferred to implementations in QuicUrlUtils::GetPushPromiseUrl().
+  it = headers.find(":path");
+  if (it == headers.end()) {
+    return std::string();
+  }
+  QuicStringPiece path = it->second;
+
+  return GetPushPromiseUrl(scheme, authority, path);
+}
+
+// static
+std::string SpdyServerPushUtils::GetPromisedHostNameFromHeaders(
+    const SpdyHeaderBlock& headers) {
+  // TODO(fayang): Consider just checking out the value of the ":authority" key
+  // in headers.
+  return GURL(GetPromisedUrlFromHeaders(headers)).host();
+}
+
+// static
+bool SpdyServerPushUtils::PromisedUrlIsValid(const SpdyHeaderBlock& headers) {
+  std::string url(GetPromisedUrlFromHeaders(headers));
+  return !url.empty() && GURL(url).is_valid();
+}
+
+// static
+std::string SpdyServerPushUtils::GetPushPromiseUrl(QuicStringPiece scheme,
+                                                   QuicStringPiece authority,
+                                                   QuicStringPiece path) {
+  // RFC 7540, Section 8.1.2.3: The ":path" pseudo-header field includes the
+  // path and query parts of the target URI (the "path-absolute" production
+  // and optionally a '?' character followed by the "query" production (see
+  // Sections 3.3 and 3.4 of RFC3986). A request in asterisk form includes the
+  // value '*' for the ":path" pseudo-header field.
+  //
+  // This pseudo-header field MUST NOT be empty for "http" or "https" URIs;
+  // "http" or "https" URIs that do not contain a path MUST include a value of
+  // '/'. The exception to this rule is an OPTIONS request for an "http" or
+  // "https" URI that does not include a path component; these MUST include a
+  // ":path" pseudo-header with a value of '*' (see RFC7230, Section 5.3.4).
+  //
+  // In addition to the above restriction from RFC 7540, note that RFC3986
+  // defines the "path-absolute" construction as starting with "/" but not "//".
+  //
+  // RFC 7540, Section  8.2.1:  The header fields in PUSH_PROMISE and any
+  // subsequent CONTINUATION frames MUST be a valid and complete set of request
+  // header fields (Section 8.1.2.3).  The server MUST include a method in the
+  // ":method" pseudo-header field that is safe and cacheable.
+  //
+  // RFC 7231, Section  4.2.1:
+  // ... this specification defines GET, HEAD, and POST as cacheable, ...
+  //
+  // Since the OPTIONS method is not cacheable, it cannot be the method of a
+  // PUSH_PROMISE. Therefore, the exception mentioned in RFC 7540, Section
+  // 8.1.2.3 about OPTIONS requests does not apply here (i.e. ":path" cannot be
+  // "*").
+  if (path.empty() || path[0] != '/' || (path.size() >= 2 && path[1] == '/')) {
+    return std::string();
+  }
+
+  // Validate the scheme; this is to ensure a scheme of "foo://bar" is not
+  // parsed as a URL of "foo://bar://baz" when combined with a host of "baz".
+  std::string canonical_scheme;
+  url::StdStringCanonOutput canon_scheme_output(&canonical_scheme);
+  url::Component canon_component;
+  url::Component scheme_component(0, scheme.size());
+
+  if (!url::CanonicalizeScheme(scheme.data(), scheme_component,
+                               &canon_scheme_output, &canon_component) ||
+      !canon_component.is_nonempty() || canon_component.begin != 0) {
+    return std::string();
+  }
+  canonical_scheme.resize(canon_component.len + 1);
+
+  // Validate the authority; this is to ensure an authority such as
+  // "host/path" is not accepted, as when combined with a scheme like
+  // "http://", could result in a URL of "http://host/path".
+  url::Component auth_component(0, authority.size());
+  url::Component username_component;
+  url::Component password_component;
+  url::Component host_component;
+  url::Component port_component;
+
+  url::ParseAuthority(authority.data(), auth_component, &username_component,
+                      &password_component, &host_component, &port_component);
+
+  // RFC 7540, Section 8.1.2.3: The authority MUST NOT include the deprecated
+  // "userinfo" subcomponent for "http" or "https" schemed URIs.
+  //
+  // Note: Although |canonical_scheme| has not yet been checked for that, as
+  // it is performed later in processing, only "http" and "https" schemed
+  // URIs are supported for PUSH.
+  if (username_component.is_valid() || password_component.is_valid()) {
+    return std::string();
+  }
+
+  // Failed parsing or no host present. ParseAuthority() will ensure that
+  // host_component + port_component cover the entire string, if
+  // username_component and password_component are not present.
+  if (!host_component.is_nonempty()) {
+    return std::string();
+  }
+
+  // Validate the port (if present; it's optional).
+  int parsed_port_number = url::PORT_INVALID;
+  if (port_component.is_nonempty()) {
+    parsed_port_number = url::ParsePort(authority.data(), port_component);
+    if (parsed_port_number < 0 && parsed_port_number != url::PORT_UNSPECIFIED) {
+      return std::string();
+    }
+  }
+
+  // Validate the host by attempting to canonicalize it. Invalid characters
+  // will result in a canonicalization failure (e.g. '/')
+  std::string canon_host;
+  url::StdStringCanonOutput canon_host_output(&canon_host);
+  canon_component.reset();
+  if (!url::CanonicalizeHost(authority.data(), host_component,
+                             &canon_host_output, &canon_component) ||
+      !canon_component.is_nonempty() || canon_component.begin != 0) {
+    return std::string();
+  }
+
+  // At this point, "authority" has been validated to either be of the form
+  // 'host:port' or 'host', with 'host' being a valid domain or IP address,
+  // and 'port' (if present), being a valid port. Attempt to construct a
+  // URL of just the (scheme, host, port), which should be safe and will not
+  // result in ambiguous parsing.
+  //
+  // This also enforces that all PUSHed URLs are either HTTP or HTTPS-schemed
+  // URIs, consistent with the other restrictions enforced above.
+  //
+  // Note: url::CanonicalizeScheme() will have added the ':' to
+  // |canonical_scheme|.
+  GURL origin_url(canonical_scheme + "//" + std::string(authority));
+  if (!origin_url.is_valid() || !origin_url.SchemeIsHTTPOrHTTPS() ||
+      // The following checks are merely defense in depth.
+      origin_url.has_username() || origin_url.has_password() ||
+      (origin_url.has_path() && origin_url.path_piece() != "/") ||
+      origin_url.has_query() || origin_url.has_ref()) {
+    return std::string();
+  }
+
+  // Attempt to parse the path.
+  std::string spec = origin_url.GetWithEmptyPath().spec();
+  spec.pop_back();  // Remove the '/', as ":path" must contain it.
+  spec.append(std::string(path));
+
+  // Attempt to parse the full URL, with the path as well. Ensure there is no
+  // fragment to the query.
+  GURL full_url(spec);
+  if (!full_url.is_valid() || full_url.has_ref()) {
+    return std::string();
+  }
+
+  return full_url.spec();
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h b/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h
new file mode 100644
index 00000000000..3d11b65a0d1
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h
@@ -0,0 +1,43 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_HTTP_SPDY_SERVER_PUSH_UTILS_H_
+#define QUICHE_QUIC_CORE_HTTP_SPDY_SERVER_PUSH_UTILS_H_
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
+
+namespace quic {
+
+class QUIC_EXPORT_PRIVATE SpdyServerPushUtils {
+ public:
+  SpdyServerPushUtils() = delete;
+
+  // Returns a canonicalized URL composed from the :scheme, :authority, and
+  // :path headers of a PUSH_PROMISE. Returns empty string if the headers do not
+  // conform to HTTP/2 spec or if the ":method" header contains a forbidden
+  // method for PUSH_PROMISE.
+  static std::string GetPromisedUrlFromHeaders(
+      const spdy::SpdyHeaderBlock& headers);
+
+  // Returns hostname, or empty string if missing.
+  static std::string GetPromisedHostNameFromHeaders(
+      const spdy::SpdyHeaderBlock& headers);
+
+  // Returns true if result of |GetPromisedUrlFromHeaders()| is non-empty
+  // and is a well-formed URL.
+  static bool PromisedUrlIsValid(const spdy::SpdyHeaderBlock& headers);
+
+  // Returns a canonical, valid URL for a PUSH_PROMISE with the specified
+  // ":scheme", ":authority", and ":path" header fields, or an empty
+  // string if the resulting URL is not valid or supported.
+  static std::string GetPushPromiseUrl(QuicStringPiece scheme,
+                                       QuicStringPiece authority,
+                                       QuicStringPiece path);
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_HTTP_SPDY_SERVER_PUSH_UTILS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils_test.cc
new file mode 100644
index 00000000000..72d4a25ed13
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils_test.cc
@@ -0,0 +1,221 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/http/spdy_server_push_utils.h"
+
+#include <memory>
+#include <string>
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+
+using spdy::SpdyHeaderBlock;
+using testing::Pair;
+using testing::UnorderedElementsAre;
+
+namespace quic {
+namespace test {
+
+using GetPromisedUrlFromHeaders = QuicTest;
+
+TEST_F(GetPromisedUrlFromHeaders, Basic) {
+  SpdyHeaderBlock headers;
+  headers[":method"] = "GET";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+  headers[":scheme"] = "https";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+  headers[":authority"] = "www.google.com";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+  headers[":path"] = "/index.html";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers),
+            "https://www.google.com/index.html");
+  headers["key1"] = "value1";
+  headers["key2"] = "value2";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers),
+            "https://www.google.com/index.html");
+}
+
+TEST_F(GetPromisedUrlFromHeaders, Connect) {
+  SpdyHeaderBlock headers;
+  headers[":method"] = "CONNECT";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+  headers[":authority"] = "www.google.com";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+  headers[":scheme"] = "https";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+  headers[":path"] = "https";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+}
+
+TEST_F(GetPromisedUrlFromHeaders, InvalidUserinfo) {
+  SpdyHeaderBlock headers;
+  headers[":method"] = "GET";
+  headers[":authority"] = "user@www.google.com";
+  headers[":scheme"] = "https";
+  headers[":path"] = "/";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+}
+
+TEST_F(GetPromisedUrlFromHeaders, InvalidPath) {
+  SpdyHeaderBlock headers;
+  headers[":method"] = "GET";
+  headers[":authority"] = "www.google.com";
+  headers[":scheme"] = "https";
+  headers[":path"] = "";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedUrlFromHeaders(headers), "");
+}
+
+using GetPromisedHostNameFromHeaders = QuicTest;
+
+TEST_F(GetPromisedHostNameFromHeaders, NormalUsage) {
+  SpdyHeaderBlock headers;
+  headers[":method"] = "GET";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers), "");
+  headers[":scheme"] = "https";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers), "");
+  headers[":authority"] = "www.google.com";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers), "");
+  headers[":path"] = "/index.html";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers),
+            "www.google.com");
+  headers["key1"] = "value1";
+  headers["key2"] = "value2";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers),
+            "www.google.com");
+  headers[":authority"] = "www.google.com:6666";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers),
+            "www.google.com");
+  headers[":authority"] = "192.168.1.1";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers),
+            "192.168.1.1");
+  headers[":authority"] = "192.168.1.1:6666";
+  EXPECT_EQ(SpdyServerPushUtils::GetPromisedHostNameFromHeaders(headers),
+            "192.168.1.1");
+}
+
+using PushPromiseUrlTest = QuicTest;
+
+TEST_F(PushPromiseUrlTest, GetPushPromiseUrl) {
+  // Test rejection of various inputs.
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl("file", "localhost",
+                                                       "/etc/password"));
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl(
+                    "file", "", "/C:/Windows/System32/Config/"));
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl(
+                    "", "https://www.google.com", "/"));
+
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl("https://www.google.com",
+                                                       "www.google.com", "/"));
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl("https://",
+                                                       "www.google.com", "/"));
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl("https", "", "/"));
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl("https", "",
+                                                       "www.google.com/"));
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl("https",
+                                                       "www.google.com/", "/"));
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl("https",
+                                                       "www.google.com", ""));
+  EXPECT_EQ("", SpdyServerPushUtils::GetPushPromiseUrl("https", "www.google",
+                                                       ".com/"));
+
+  // Test acception/rejection of various input combinations.
+  // |input_headers| is an array of pairs. The first value of each pair is a
+  // string that will be used as one of the inputs of GetPushPromiseUrl(). The
+  // second value of each pair is a bitfield where the lowest 3 bits indicate
+  // for which headers that string is valid (in a PUSH_PROMISE). For example,
+  // the string "http" would be valid for both the ":scheme" and ":authority"
+  // headers, so the bitfield paired with it is set to SCHEME | AUTH.
+  const unsigned char SCHEME = (1u << 0);
+  const unsigned char AUTH = (1u << 1);
+  const unsigned char PATH = (1u << 2);
+  const std::pair<const char*, unsigned char> input_headers[] = {
+      {"http", SCHEME | AUTH},
+      {"https", SCHEME | AUTH},
+      {"hTtP", SCHEME | AUTH},
+      {"HTTPS", SCHEME | AUTH},
+      {"www.google.com", AUTH},
+      {"90af90e0", AUTH},
+      {"12foo%20-bar:00001233", AUTH},
+      {"GOO\u200b\u2060\ufeffgoo", AUTH},
+      {"192.168.0.5", AUTH},
+      {"[::ffff:192.168.0.1.]", AUTH},
+      {"http:", AUTH},
+      {"bife l", AUTH},
+      {"/", PATH},
+      {"/foo/bar/baz", PATH},
+      {"/%20-2DVdkj.cie/foe_.iif/", PATH},
+      {"http://", 0},
+      {":443", 0},
+      {":80/eddd", 0},
+      {"google.com:-0", 0},
+      {"google.com:65536", 0},
+      {"http://google.com", 0},
+      {"http://google.com:39", 0},
+      {"//google.com/foo", 0},
+      {".com/", 0},
+      {"http://www.google.com/", 0},
+      {"http://foo:439", 0},
+      {"[::ffff:192.168", 0},
+      {"]/", 0},
+      {"//", 0}};
+  for (size_t i = 0; i < QUIC_ARRAYSIZE(input_headers); ++i) {
+    bool should_accept = (input_headers[i].second & SCHEME);
+    for (size_t j = 0; j < QUIC_ARRAYSIZE(input_headers); ++j) {
+      bool should_accept_2 = should_accept && (input_headers[j].second & AUTH);
+      for (size_t k = 0; k < QUIC_ARRAYSIZE(input_headers); ++k) {
+        // |should_accept_3| indicates whether or not GetPushPromiseUrl() is
+        // expected to accept this input combination.
+        bool should_accept_3 =
+            should_accept_2 && (input_headers[k].second & PATH);
+
+        std::string url = SpdyServerPushUtils::GetPushPromiseUrl(
+            input_headers[i].first, input_headers[j].first,
+            input_headers[k].first);
+
+        ::testing::AssertionResult result = ::testing::AssertionSuccess();
+        if (url.empty() == should_accept_3) {
+          result = ::testing::AssertionFailure()
+                   << "GetPushPromiseUrl() accepted/rejected the inputs when "
+                      "it shouldn't have."
+                   << std::endl
+                   << "     scheme: " << input_headers[i].first << std::endl
+                   << "  authority: " << input_headers[j].first << std::endl
+                   << "       path: " << input_headers[k].first << std::endl
+                   << "Output: " << url << std::endl;
+        }
+        ASSERT_TRUE(result);
+      }
+    }
+  }
+
+  // Test canonicalization of various valid inputs.
+  EXPECT_EQ("http://www.google.com/", SpdyServerPushUtils::GetPushPromiseUrl(
+                                          "http", "www.google.com", "/"));
+  EXPECT_EQ("https://www.goo-gle.com/fOOo/baRR",
+            SpdyServerPushUtils::GetPushPromiseUrl("hTtPs", "wWw.gOo-gLE.cOm",
+                                                   "/fOOo/baRR"));
+  EXPECT_EQ("https://www.goo-gle.com:3278/pAth/To/reSOurce",
+            SpdyServerPushUtils::GetPushPromiseUrl(
+                "hTtPs", "Www.gOo-Gle.Com:000003278", "/pAth/To/reSOurce"));
+  EXPECT_EQ("https://foo%20bar/foo/bar/baz",
+            SpdyServerPushUtils::GetPushPromiseUrl("https", "foo bar",
+                                                   "/foo/bar/baz"));
+  EXPECT_EQ("http://foo.com:70/e/", SpdyServerPushUtils::GetPushPromiseUrl(
+                                        "http", "foo.com:0000070", "/e/"));
+  EXPECT_EQ("http://192.168.0.1:70/e/",
+            SpdyServerPushUtils::GetPushPromiseUrl(
+                "http", "0300.0250.00.01:0070", "/e/"));
+  EXPECT_EQ("http://192.168.0.1/e/", SpdyServerPushUtils::GetPushPromiseUrl(
+                                         "http", "0xC0a80001", "/e/"));
+  EXPECT_EQ("http://[::c0a8:1]/", SpdyServerPushUtils::GetPushPromiseUrl(
+                                      "http", "[::192.168.0.1]", "/"));
+  EXPECT_EQ("https://[::ffff:c0a8:1]/",
+            SpdyServerPushUtils::GetPushPromiseUrl(
+                "https", "[::ffff:0xC0.0Xa8.0x0.0x1]", "/"));
+}
+
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils.cc b/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils.cc
index 721ae33face..d72a18d91e0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils.cc
@@ -8,15 +8,12 @@
 #include <string>
 #include <vector>
 
-#include "url/gurl.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_map_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
-#include "net/third_party/quiche/src/spdy/core/spdy_frame_builder.h"
-#include "net/third_party/quiche/src/spdy/core/spdy_framer.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 
 using spdy::SpdyHeaderBlock;
@@ -131,74 +128,7 @@ bool SpdyUtils::CopyAndValidateTrailers(const QuicHeaderList& header_list,
 }
 
 // static
-std::string SpdyUtils::GetPromisedUrlFromHeaders(
-    const SpdyHeaderBlock& headers) {
-  // RFC 7540, Section 8.1.2.3: All HTTP/2 requests MUST include exactly
-  // one valid value for the ":method", ":scheme", and ":path" pseudo-header
-  // fields, unless it is a CONNECT request.
-
-  // RFC 7540, Section  8.2.1:  The header fields in PUSH_PROMISE and any
-  // subsequent CONTINUATION frames MUST be a valid and complete set of request
-  // header fields (Section 8.1.2.3).  The server MUST include a method in the
-  // ":method" pseudo-header field that is safe and cacheable.
-  //
-  // RFC 7231, Section  4.2.1: Of the request methods defined by this
-  // specification, the GET, HEAD, OPTIONS, and TRACE methods are defined to be
-  // safe.
-  //
-  // RFC 7231, Section  4.2.1: ... this specification defines GET, HEAD, and
-  // POST as cacheable, ...
-  //
-  // So the only methods allowed in a PUSH_PROMISE are GET and HEAD.
-  SpdyHeaderBlock::const_iterator it = headers.find(":method");
-  if (it == headers.end() || (it->second != "GET" && it->second != "HEAD")) {
-    return std::string();
-  }
-
-  it = headers.find(":scheme");
-  if (it == headers.end() || it->second.empty()) {
-    return std::string();
-  }
-  QuicStringPiece scheme = it->second;
-
-  // RFC 7540, Section 8.2: The server MUST include a value in the
-  // ":authority" pseudo-header field for which the server is authoritative
-  // (see Section 10.1).
-  it = headers.find(":authority");
-  if (it == headers.end() || it->second.empty()) {
-    return std::string();
-  }
-  QuicStringPiece authority = it->second;
-
-  // RFC 7540, Section 8.1.2.3 requires that the ":path" pseudo-header MUST
-  // NOT be empty for "http" or "https" URIs;
-  //
-  // However, to ensure the scheme is consistently canonicalized, that check
-  // is deferred to implementations in QuicUrlUtils::GetPushPromiseUrl().
-  it = headers.find(":path");
-  if (it == headers.end()) {
-    return std::string();
-  }
-  QuicStringPiece path = it->second;
-
-  return GetPushPromiseUrl(scheme, authority, path);
-}
-
-// static
-std::string SpdyUtils::GetPromisedHostNameFromHeaders(
-    const SpdyHeaderBlock& headers) {
-  // TODO(fayang): Consider just checking out the value of the ":authority" key
-  // in headers.
-  return GURL(GetPromisedUrlFromHeaders(headers)).host();
-}
-
-// static
-bool SpdyUtils::PromisedUrlIsValid(const SpdyHeaderBlock& headers) {
-  std::string url(GetPromisedUrlFromHeaders(headers));
-  return !url.empty() && GURL(url).is_valid();
-}
-
-// static
+// TODO(danzh): Move it to quic/tools/ and switch to use GURL.
 bool SpdyUtils::PopulateHeaderBlockFromUrl(const std::string url,
                                            SpdyHeaderBlock* headers) {
   (*headers)[":method"] = "GET";
@@ -219,137 +149,4 @@ bool SpdyUtils::PopulateHeaderBlockFromUrl(const std::string url,
   return true;
 }
 
-// static
-std::string SpdyUtils::GetPushPromiseUrl(QuicStringPiece scheme,
-                                         QuicStringPiece authority,
-                                         QuicStringPiece path) {
-  // RFC 7540, Section 8.1.2.3: The ":path" pseudo-header field includes the
-  // path and query parts of the target URI (the "path-absolute" production
-  // and optionally a '?' character followed by the "query" production (see
-  // Sections 3.3 and 3.4 of RFC3986). A request in asterisk form includes the
-  // value '*' for the ":path" pseudo-header field.
-  //
-  // This pseudo-header field MUST NOT be empty for "http" or "https" URIs;
-  // "http" or "https" URIs that do not contain a path MUST include a value of
-  // '/'. The exception to this rule is an OPTIONS request for an "http" or
-  // "https" URI that does not include a path component; these MUST include a
-  // ":path" pseudo-header with a value of '*' (see RFC7230, Section 5.3.4).
-  //
-  // In addition to the above restriction from RFC 7540, note that RFC3986
-  // defines the "path-absolute" construction as starting with "/" but not "//".
-  //
-  // RFC 7540, Section  8.2.1:  The header fields in PUSH_PROMISE and any
-  // subsequent CONTINUATION frames MUST be a valid and complete set of request
-  // header fields (Section 8.1.2.3).  The server MUST include a method in the
-  // ":method" pseudo-header field that is safe and cacheable.
-  //
-  // RFC 7231, Section  4.2.1:
-  // ... this specification defines GET, HEAD, and POST as cacheable, ...
-  //
-  // Since the OPTIONS method is not cacheable, it cannot be the method of a
-  // PUSH_PROMISE. Therefore, the exception mentioned in RFC 7540, Section
-  // 8.1.2.3 about OPTIONS requests does not apply here (i.e. ":path" cannot be
-  // "*").
-  if (path.empty() || path[0] != '/' || (path.size() >= 2 && path[1] == '/')) {
-    return std::string();
-  }
-
-  // Validate the scheme; this is to ensure a scheme of "foo://bar" is not
-  // parsed as a URL of "foo://bar://baz" when combined with a host of "baz".
-  std::string canonical_scheme;
-  url::StdStringCanonOutput canon_scheme_output(&canonical_scheme);
-  url::Component canon_component;
-  url::Component scheme_component(0, scheme.size());
-
-  if (!url::CanonicalizeScheme(scheme.data(), scheme_component,
-                               &canon_scheme_output, &canon_component) ||
-      !canon_component.is_nonempty() || canon_component.begin != 0) {
-    return std::string();
-  }
-  canonical_scheme.resize(canon_component.len + 1);
-
-  // Validate the authority; this is to ensure an authority such as
-  // "host/path" is not accepted, as when combined with a scheme like
-  // "http://", could result in a URL of "http://host/path".
-  url::Component auth_component(0, authority.size());
-  url::Component username_component;
-  url::Component password_component;
-  url::Component host_component;
-  url::Component port_component;
-
-  url::ParseAuthority(authority.data(), auth_component, &username_component,
-                      &password_component, &host_component, &port_component);
-
-  // RFC 7540, Section 8.1.2.3: The authority MUST NOT include the deprecated
-  // "userinfo" subcomponent for "http" or "https" schemed URIs.
-  //
-  // Note: Although |canonical_scheme| has not yet been checked for that, as
-  // it is performed later in processing, only "http" and "https" schemed
-  // URIs are supported for PUSH.
-  if (username_component.is_valid() || password_component.is_valid()) {
-    return std::string();
-  }
-
-  // Failed parsing or no host present. ParseAuthority() will ensure that
-  // host_component + port_component cover the entire string, if
-  // username_component and password_component are not present.
-  if (!host_component.is_nonempty()) {
-    return std::string();
-  }
-
-  // Validate the port (if present; it's optional).
-  int parsed_port_number = url::PORT_INVALID;
-  if (port_component.is_nonempty()) {
-    parsed_port_number = url::ParsePort(authority.data(), port_component);
-    if (parsed_port_number < 0 && parsed_port_number != url::PORT_UNSPECIFIED) {
-      return std::string();
-    }
-  }
-
-  // Validate the host by attempting to canonicalize it. Invalid characters
-  // will result in a canonicalization failure (e.g. '/')
-  std::string canon_host;
-  url::StdStringCanonOutput canon_host_output(&canon_host);
-  canon_component.reset();
-  if (!url::CanonicalizeHost(authority.data(), host_component,
-                             &canon_host_output, &canon_component) ||
-      !canon_component.is_nonempty() || canon_component.begin != 0) {
-    return std::string();
-  }
-
-  // At this point, "authority" has been validated to either be of the form
-  // 'host:port' or 'host', with 'host' being a valid domain or IP address,
-  // and 'port' (if present), being a valid port. Attempt to construct a
-  // URL of just the (scheme, host, port), which should be safe and will not
-  // result in ambiguous parsing.
-  //
-  // This also enforces that all PUSHed URLs are either HTTP or HTTPS-schemed
-  // URIs, consistent with the other restrictions enforced above.
-  //
-  // Note: url::CanonicalizeScheme() will have added the ':' to
-  // |canonical_scheme|.
-  GURL origin_url(canonical_scheme + "//" + std::string(authority));
-  if (!origin_url.is_valid() || !origin_url.SchemeIsHTTPOrHTTPS() ||
-      // The following checks are merely defense in depth.
-      origin_url.has_username() || origin_url.has_password() ||
-      (origin_url.has_path() && origin_url.path_piece() != "/") ||
-      origin_url.has_query() || origin_url.has_ref()) {
-    return std::string();
-  }
-
-  // Attempt to parse the path.
-  std::string spec = origin_url.GetWithEmptyPath().spec();
-  spec.pop_back();  // Remove the '/', as ":path" must contain it.
-  spec.append(std::string(path));
-
-  // Attempt to parse the full URL, with the path as well. Ensure there is no
-  // fragment to the query.
-  GURL full_url(spec);
-  if (!full_url.is_valid() || full_url.has_ref()) {
-    return std::string();
-  }
-
-  return full_url.spec();
-}
-
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils.h b/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils.h
index dc3fabca33b..4b962c20ce6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils.h
@@ -12,7 +12,7 @@
 #include "net/third_party/quiche/src/quic/core/http/quic_header_list.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
-#include "net/third_party/quiche/src/spdy/core/spdy_framer.h"
+#include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 
 namespace quic {
 
@@ -46,32 +46,10 @@ class QUIC_EXPORT_PRIVATE SpdyUtils {
                                       size_t* final_byte_offset,
                                       spdy::SpdyHeaderBlock* trailers);
 
-  // Returns a canonicalized URL composed from the :scheme, :authority, and
-  // :path headers of a PUSH_PROMISE. Returns empty string if the headers do not
-  // conform to HTTP/2 spec or if the ":method" header contains a forbidden
-  // method for PUSH_PROMISE.
-  static std::string GetPromisedUrlFromHeaders(
-      const spdy::SpdyHeaderBlock& headers);
-
-  // Returns hostname, or empty string if missing.
-  static std::string GetPromisedHostNameFromHeaders(
-      const spdy::SpdyHeaderBlock& headers);
-
-  // Returns true if result of |GetPromisedUrlFromHeaders()| is non-empty
-  // and is a well-formed URL.
-  static bool PromisedUrlIsValid(const spdy::SpdyHeaderBlock& headers);
-
   // Populates the fields of |headers| to make a GET request of |url|,
   // which must be fully-qualified.
   static bool PopulateHeaderBlockFromUrl(const std::string url,
                                          spdy::SpdyHeaderBlock* headers);
-
-  // Returns a canonical, valid URL for a PUSH_PROMISE with the specified
-  // ":scheme", ":authority", and ":path" header fields, or an empty
-  // string if the resulting URL is not valid or supported.
-  static std::string GetPushPromiseUrl(QuicStringPiece scheme,
-                                       QuicStringPiece authority,
-                                       QuicStringPiece path);
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils_test.cc
index d5c96fb9375..2ebf0cff680 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/spdy_utils_test.cc
@@ -334,81 +334,6 @@ TEST_F(CopyAndValidateTrailers, DuplicateCookies) {
           Pair("key", "value")));
 }
 
-using GetPromisedUrlFromHeaders = QuicTest;
-
-TEST_F(GetPromisedUrlFromHeaders, Basic) {
-  SpdyHeaderBlock headers;
-  headers[":method"] = "GET";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-  headers[":scheme"] = "https";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-  headers[":authority"] = "www.google.com";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-  headers[":path"] = "/index.html";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers),
-            "https://www.google.com/index.html");
-  headers["key1"] = "value1";
-  headers["key2"] = "value2";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers),
-            "https://www.google.com/index.html");
-}
-
-TEST_F(GetPromisedUrlFromHeaders, Connect) {
-  SpdyHeaderBlock headers;
-  headers[":method"] = "CONNECT";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-  headers[":authority"] = "www.google.com";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-  headers[":scheme"] = "https";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-  headers[":path"] = "https";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-}
-
-TEST_F(GetPromisedUrlFromHeaders, InvalidUserinfo) {
-  SpdyHeaderBlock headers;
-  headers[":method"] = "GET";
-  headers[":authority"] = "user@www.google.com";
-  headers[":scheme"] = "https";
-  headers[":path"] = "/";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-}
-
-TEST_F(GetPromisedUrlFromHeaders, InvalidPath) {
-  SpdyHeaderBlock headers;
-  headers[":method"] = "GET";
-  headers[":authority"] = "www.google.com";
-  headers[":scheme"] = "https";
-  headers[":path"] = "";
-  EXPECT_EQ(SpdyUtils::GetPromisedUrlFromHeaders(headers), "");
-}
-
-using GetPromisedHostNameFromHeaders = QuicTest;
-
-TEST_F(GetPromisedHostNameFromHeaders, NormalUsage) {
-  SpdyHeaderBlock headers;
-  headers[":method"] = "GET";
-  EXPECT_EQ(SpdyUtils::GetPromisedHostNameFromHeaders(headers), "");
-  headers[":scheme"] = "https";
-  EXPECT_EQ(SpdyUtils::GetPromisedHostNameFromHeaders(headers), "");
-  headers[":authority"] = "www.google.com";
-  EXPECT_EQ(SpdyUtils::GetPromisedHostNameFromHeaders(headers), "");
-  headers[":path"] = "/index.html";
-  EXPECT_EQ(SpdyUtils::GetPromisedHostNameFromHeaders(headers),
-            "www.google.com");
-  headers["key1"] = "value1";
-  headers["key2"] = "value2";
-  EXPECT_EQ(SpdyUtils::GetPromisedHostNameFromHeaders(headers),
-            "www.google.com");
-  headers[":authority"] = "www.google.com:6666";
-  EXPECT_EQ(SpdyUtils::GetPromisedHostNameFromHeaders(headers),
-            "www.google.com");
-  headers[":authority"] = "192.168.1.1";
-  EXPECT_EQ(SpdyUtils::GetPromisedHostNameFromHeaders(headers), "192.168.1.1");
-  headers[":authority"] = "192.168.1.1:6666";
-  EXPECT_EQ(SpdyUtils::GetPromisedHostNameFromHeaders(headers), "192.168.1.1");
-}
-
 using PopulateHeaderBlockFromUrl = QuicTest;
 
 TEST_F(PopulateHeaderBlockFromUrl, NormalUsage) {
@@ -437,121 +362,5 @@ TEST_F(PopulateHeaderBlockFromUrl, Failure) {
       SpdyUtils::PopulateHeaderBlockFromUrl("www.google.com/", &headers));
 }
 
-using PushPromiseUrlTest = QuicTest;
-
-TEST_F(PushPromiseUrlTest, GetPushPromiseUrl) {
-  // Test rejection of various inputs.
-  EXPECT_EQ("",
-            SpdyUtils::GetPushPromiseUrl("file", "localhost", "/etc/password"));
-  EXPECT_EQ("", SpdyUtils::GetPushPromiseUrl("file", "",
-                                             "/C:/Windows/System32/Config/"));
-  EXPECT_EQ("",
-            SpdyUtils::GetPushPromiseUrl("", "https://www.google.com", "/"));
-
-  EXPECT_EQ("", SpdyUtils::GetPushPromiseUrl("https://www.google.com",
-                                             "www.google.com", "/"));
-  EXPECT_EQ("",
-            SpdyUtils::GetPushPromiseUrl("https://", "www.google.com", "/"));
-  EXPECT_EQ("", SpdyUtils::GetPushPromiseUrl("https", "", "/"));
-  EXPECT_EQ("", SpdyUtils::GetPushPromiseUrl("https", "", "www.google.com/"));
-  EXPECT_EQ("", SpdyUtils::GetPushPromiseUrl("https", "www.google.com/", "/"));
-  EXPECT_EQ("", SpdyUtils::GetPushPromiseUrl("https", "www.google.com", ""));
-  EXPECT_EQ("", SpdyUtils::GetPushPromiseUrl("https", "www.google", ".com/"));
-
-  // Test acception/rejection of various input combinations.
-  // |input_headers| is an array of pairs. The first value of each pair is a
-  // string that will be used as one of the inputs of GetPushPromiseUrl(). The
-  // second value of each pair is a bitfield where the lowest 3 bits indicate
-  // for which headers that string is valid (in a PUSH_PROMISE). For example,
-  // the string "http" would be valid for both the ":scheme" and ":authority"
-  // headers, so the bitfield paired with it is set to SCHEME | AUTH.
-  const unsigned char SCHEME = (1u << 0);
-  const unsigned char AUTH = (1u << 1);
-  const unsigned char PATH = (1u << 2);
-  const std::pair<const char*, unsigned char> input_headers[] = {
-      {"http", SCHEME | AUTH},
-      {"https", SCHEME | AUTH},
-      {"hTtP", SCHEME | AUTH},
-      {"HTTPS", SCHEME | AUTH},
-      {"www.google.com", AUTH},
-      {"90af90e0", AUTH},
-      {"12foo%20-bar:00001233", AUTH},
-      {"GOO\u200b\u2060\ufeffgoo", AUTH},
-      {"192.168.0.5", AUTH},
-      {"[::ffff:192.168.0.1.]", AUTH},
-      {"http:", AUTH},
-      {"bife l", AUTH},
-      {"/", PATH},
-      {"/foo/bar/baz", PATH},
-      {"/%20-2DVdkj.cie/foe_.iif/", PATH},
-      {"http://", 0},
-      {":443", 0},
-      {":80/eddd", 0},
-      {"google.com:-0", 0},
-      {"google.com:65536", 0},
-      {"http://google.com", 0},
-      {"http://google.com:39", 0},
-      {"//google.com/foo", 0},
-      {".com/", 0},
-      {"http://www.google.com/", 0},
-      {"http://foo:439", 0},
-      {"[::ffff:192.168", 0},
-      {"]/", 0},
-      {"//", 0}};
-  for (size_t i = 0; i < QUIC_ARRAYSIZE(input_headers); ++i) {
-    bool should_accept = (input_headers[i].second & SCHEME);
-    for (size_t j = 0; j < QUIC_ARRAYSIZE(input_headers); ++j) {
-      bool should_accept_2 = should_accept && (input_headers[j].second & AUTH);
-      for (size_t k = 0; k < QUIC_ARRAYSIZE(input_headers); ++k) {
-        // |should_accept_3| indicates whether or not GetPushPromiseUrl() is
-        // expected to accept this input combination.
-        bool should_accept_3 =
-            should_accept_2 && (input_headers[k].second & PATH);
-
-        std::string url = SpdyUtils::GetPushPromiseUrl(input_headers[i].first,
-                                                       input_headers[j].first,
-                                                       input_headers[k].first);
-
-        ::testing::AssertionResult result = ::testing::AssertionSuccess();
-        if (url.empty() == should_accept_3) {
-          result = ::testing::AssertionFailure()
-                   << "GetPushPromiseUrl() accepted/rejected the inputs when "
-                      "it shouldn't have."
-                   << std::endl
-                   << "     scheme: " << input_headers[i].first << std::endl
-                   << "  authority: " << input_headers[j].first << std::endl
-                   << "       path: " << input_headers[k].first << std::endl
-                   << "Output: " << url << std::endl;
-        }
-        ASSERT_TRUE(result);
-      }
-    }
-  }
-
-  // Test canonicalization of various valid inputs.
-  EXPECT_EQ("http://www.google.com/",
-            SpdyUtils::GetPushPromiseUrl("http", "www.google.com", "/"));
-  EXPECT_EQ(
-      "https://www.goo-gle.com/fOOo/baRR",
-      SpdyUtils::GetPushPromiseUrl("hTtPs", "wWw.gOo-gLE.cOm", "/fOOo/baRR"));
-  EXPECT_EQ("https://www.goo-gle.com:3278/pAth/To/reSOurce",
-            SpdyUtils::GetPushPromiseUrl("hTtPs", "Www.gOo-Gle.Com:000003278",
-                                         "/pAth/To/reSOurce"));
-  EXPECT_EQ("https://foo%20bar/foo/bar/baz",
-            SpdyUtils::GetPushPromiseUrl("https", "foo bar", "/foo/bar/baz"));
-  EXPECT_EQ("http://foo.com:70/e/",
-            SpdyUtils::GetPushPromiseUrl("http", "foo.com:0000070", "/e/"));
-  EXPECT_EQ(
-      "http://192.168.0.1:70/e/",
-      SpdyUtils::GetPushPromiseUrl("http", "0300.0250.00.01:0070", "/e/"));
-  EXPECT_EQ("http://192.168.0.1/e/",
-            SpdyUtils::GetPushPromiseUrl("http", "0xC0a80001", "/e/"));
-  EXPECT_EQ("http://[::c0a8:1]/",
-            SpdyUtils::GetPushPromiseUrl("http", "[::192.168.0.1]", "/"));
-  EXPECT_EQ(
-      "https://[::ffff:c0a8:1]/",
-      SpdyUtils::GetPushPromiseUrl("https", "[::ffff:0xC0.0Xa8.0x0.0x1]", "/"));
-}
-
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager.cc b/chromium/net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager.cc
index 447f16d84bd..a7ec1232cf3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager.cc
@@ -26,9 +26,8 @@ LegacyQuicStreamIdManager::LegacyQuicStreamIdManager(
           session->perspective() == Perspective::IS_SERVER
               ? (QuicVersionUsesCryptoFrames(
                      session->connection()->transport_version())
-                     ? QuicUtils::GetFirstBidirectionalStreamId(
-                           session->connection()->transport_version(),
-                           Perspective::IS_CLIENT)
+                     ? QuicUtils::GetInvalidStreamId(
+                           session->connection()->transport_version())
                      : QuicUtils::GetCryptoStreamId(
                            session->connection()->transport_version()))
               : QuicUtils::GetInvalidStreamId(
@@ -83,6 +82,11 @@ bool LegacyQuicStreamIdManager::MaybeIncreaseLargestPeerStreamId(
   // only alternately-numbered streams.
   size_t additional_available_streams =
       (stream_id - largest_peer_created_stream_id_) / 2 - 1;
+  if (largest_peer_created_stream_id_ ==
+      QuicUtils::GetInvalidStreamId(
+          session_->connection()->transport_version())) {
+    additional_available_streams = (stream_id + 1) / 2 - 1;
+  }
   size_t new_num_available_streams =
       GetNumAvailableStreams() + additional_available_streams;
   if (new_num_available_streams > MaxAvailableStreams()) {
@@ -99,8 +103,15 @@ bool LegacyQuicStreamIdManager::MaybeIncreaseLargestPeerStreamId(
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
     return false;
   }
-  for (QuicStreamId id = largest_peer_created_stream_id_ + 2; id < stream_id;
-       id += 2) {
+  QuicStreamId first_available_stream = largest_peer_created_stream_id_ + 2;
+  if (largest_peer_created_stream_id_ ==
+      QuicUtils::GetInvalidStreamId(
+          session_->connection()->transport_version())) {
+    first_available_stream = QuicUtils::GetFirstBidirectionalStreamId(
+        session_->connection()->transport_version(),
+        QuicUtils::InvertPerspective(session_->perspective()));
+  }
+  for (QuicStreamId id = first_available_stream; id < stream_id; id += 2) {
     available_streams_.insert(id);
   }
   largest_peer_created_stream_id_ = stream_id;
diff --git a/chromium/net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager_test.cc
index 823cdc0d52e..ca4491a330f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager_test.cc
@@ -27,7 +27,11 @@ class LegacyQuicStreamIdManagerTest : public QuicTest {
     session_->Initialize();
   }
 
-  QuicStreamId GetNthClientInitiatedId(int n) { return 3 + 2 * n; }
+  QuicStreamId GetNthClientInitiatedId(int n) {
+    return QuicUtils::GetFirstBidirectionalStreamId(
+               connection_->transport_version(), Perspective::IS_CLIENT) +
+           2 * n;
+  }
 
   QuicStreamId GetNthServerInitiatedId(int n) { return 2 + 2 * n; }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h b/chromium/net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h
new file mode 100644
index 00000000000..6a37aa1845c
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h
@@ -0,0 +1,15 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_PROTO_CACHED_NETWORK_PARAMETERS_PROTO_H_
+#define QUICHE_QUIC_CORE_PROTO_CACHED_NETWORK_PARAMETERS_PROTO_H_
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Weverything"
+
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+
+#pragma clang diagnostic pop
+
+#endif  // QUICHE_QUIC_CORE_PROTO_CACHED_NETWORK_PARAMETERS_PROTO_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h b/chromium/net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h
new file mode 100644
index 00000000000..4383e8ecae3
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h
@@ -0,0 +1,15 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_PROTO_CRYPTO_SERVER_CONFIG_PROTO_H_
+#define QUICHE_QUIC_CORE_PROTO_CRYPTO_SERVER_CONFIG_PROTO_H_
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Weverything"
+
+#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config.pb.h"
+
+#pragma clang diagnostic pop
+
+#endif  // QUICHE_QUIC_CORE_PROTO_CRYPTO_SERVER_CONFIG_PROTO_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/proto/source_address_token_proto.h b/chromium/net/third_party/quiche/src/quic/core/proto/source_address_token_proto.h
new file mode 100644
index 00000000000..25f527488c0
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/proto/source_address_token_proto.h
@@ -0,0 +1,15 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_PROTO_SOURCE_ADDRESS_TOKEN_PROTO_H_
+#define QUICHE_QUIC_CORE_PROTO_SOURCE_ADDRESS_TOKEN_PROTO_H_
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Weverything"
+
+#include "net/third_party/quiche/src/quic/core/proto/source_address_token.pb.h"
+
+#pragma clang diagnostic pop
+
+#endif  // QUICHE_QUIC_CORE_PROTO_SOURCE_ADDRESS_TOKEN_PROTO_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.cc
index 42f572b3eac..20af0748723 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.cc
@@ -13,13 +13,15 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_file_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
 namespace quic {
 
 QpackOfflineDecoder::QpackOfflineDecoder()
     : encoder_stream_error_detected_(false),
-      decoder_(this, &decoder_stream_sender_delegate_) {}
+      qpack_decoder_(this, &decoder_stream_sender_delegate_),
+      max_blocked_streams_(0) {}
 
 bool QpackOfflineDecoder::DecodeAndVerifyOfflineData(
     QuicStringPiece input_filename,
@@ -75,30 +77,24 @@ bool QpackOfflineDecoder::ParseInputFilename(QuicStringPiece input_filename) {
   ++piece_it;
 
   // Maximum allowed number of blocked streams.
-  uint64_t max_blocked_streams = 0;
-  if (!QuicTextUtils::StringToUint64(*piece_it, &max_blocked_streams)) {
+  if (!QuicTextUtils::StringToUint64(*piece_it, &max_blocked_streams_)) {
     QUIC_LOG(ERROR) << "Error parsing part of input filename \"" << *piece_it
                     << "\" as an integer.";
     return false;
   }
 
-  if (max_blocked_streams > 0) {
-    // TODO(bnc): Implement blocked streams.
-    QUIC_LOG(ERROR) << "Blocked streams not implemented.";
-    return false;
-  }
-
   ++piece_it;
 
-  // Dynamic Table Size in bytes
-  uint64_t dynamic_table_size = 0;
-  if (!QuicTextUtils::StringToUint64(*piece_it, &dynamic_table_size)) {
+  // Maximum Dynamic Table Capacity in bytes
+  uint64_t maximum_dynamic_table_capacity = 0;
+  if (!QuicTextUtils::StringToUint64(*piece_it,
+                                     &maximum_dynamic_table_capacity)) {
     QUIC_LOG(ERROR) << "Error parsing part of input filename \"" << *piece_it
                     << "\" as an integer.";
     return false;
   }
 
-  decoder_.SetMaximumDynamicTableCapacity(dynamic_table_size);
+  qpack_decoder_.SetMaximumDynamicTableCapacity(maximum_dynamic_table_capacity);
 
   return true;
 }
@@ -112,6 +108,7 @@ bool QpackOfflineDecoder::DecodeHeaderBlocksFromFile(
   QuicStringPiece input_data(input_data_storage);
 
   while (!input_data.empty()) {
+    // Parse stream_id and length.
     if (input_data.size() < sizeof(uint64_t) + sizeof(uint32_t)) {
       QUIC_LOG(ERROR) << "Unexpected end of input file.";
       return false;
@@ -130,33 +127,84 @@ bool QpackOfflineDecoder::DecodeHeaderBlocksFromFile(
       return false;
     }
 
+    // Parse data.
     QuicStringPiece data = input_data.substr(0, length);
     input_data = input_data.substr(length);
 
+    // Process data.
     if (stream_id == 0) {
-      decoder_.DecodeEncoderStreamData(data);
+      qpack_decoder_.DecodeEncoderStreamData(data);
 
       if (encoder_stream_error_detected_) {
         QUIC_LOG(ERROR) << "Error detected on encoder stream.";
         return false;
       }
+    } else {
+      auto headers_handler = QuicMakeUnique<test::TestHeadersHandler>();
+      auto progressive_decoder = qpack_decoder_.CreateProgressiveDecoder(
+          stream_id, headers_handler.get());
 
-      continue;
+      progressive_decoder->Decode(data);
+      progressive_decoder->EndHeaderBlock();
+
+      if (headers_handler->decoding_error_detected()) {
+        QUIC_LOG(ERROR) << "Sync decoding error on stream " << stream_id << ": "
+                        << headers_handler->error_message();
+        return false;
+      }
+
+      decoders_.push_back({std::move(headers_handler),
+                           std::move(progressive_decoder), stream_id});
     }
 
-    test::TestHeadersHandler headers_handler;
+    // Move decoded header lists from TestHeadersHandlers and append them to
+    // |decoded_header_lists_| while preserving the order in |decoders_|.
+    while (!decoders_.empty() &&
+           decoders_.front().headers_handler->decoding_completed()) {
+      Decoder* decoder = &decoders_.front();
 
-    auto progressive_decoder =
-        decoder_.DecodeHeaderBlock(stream_id, &headers_handler);
-    progressive_decoder->Decode(data);
-    progressive_decoder->EndHeaderBlock();
+      if (decoder->headers_handler->decoding_error_detected()) {
+        QUIC_LOG(ERROR) << "Async decoding error on stream "
+                        << decoder->stream_id << ": "
+                        << decoder->headers_handler->error_message();
+        return false;
+      }
 
-    if (headers_handler.decoding_error_detected()) {
-      QUIC_LOG(ERROR) << "Decoding error on stream " << stream_id;
+      if (!decoder->headers_handler->decoding_completed()) {
+        QUIC_LOG(ERROR) << "Decoding incomplete after reading entire"
+                           " file, on stream "
+                        << decoder->stream_id;
+        return false;
+      }
+
+      decoded_header_lists_.push_back(
+          decoder->headers_handler->ReleaseHeaderList());
+      decoders_.pop_front();
+    }
+
+    // Enforce limit on blocked streams.
+    uint64_t blocked_streams_count = 0;
+    for (const auto& decoder : decoders_) {
+      if (!decoder.headers_handler->decoding_completed()) {
+        ++blocked_streams_count;
+      }
+    }
+
+    if (blocked_streams_count > max_blocked_streams_) {
+      QUIC_LOG(ERROR) << "Too many blocked streams: limit is "
+                      << max_blocked_streams_ << ", actual count is "
+                      << blocked_streams_count;
       return false;
     }
+  }
 
-    decoded_header_lists_.push_back(headers_handler.ReleaseHeaderList());
+  if (!decoders_.empty()) {
+    DCHECK(!decoders_.front().headers_handler->decoding_completed());
+
+    QUIC_LOG(ERROR) << "Blocked decoding uncomplete after reading entire"
+                       " file, on stream "
+                    << decoders_.front().stream_id;
+    return false;
   }
 
   return true;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h
index 922fd64835b..9984d4b4b16 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h
@@ -9,6 +9,7 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 
@@ -35,12 +36,21 @@ class QpackOfflineDecoder : public QpackDecoder::EncoderStreamErrorDelegate {
   void OnEncoderStreamError(QuicStringPiece error_message) override;
 
  private:
-  // Parse decoder parameters from |input_filename| and set up |decoder_|
+  // Data structure to hold TestHeadersHandler and QpackProgressiveDecoder until
+  // decoding of a header header block (and all preceding header blocks) is
+  // complete.
+  struct Decoder {
+    std::unique_ptr<test::TestHeadersHandler> headers_handler;
+    std::unique_ptr<QpackProgressiveDecoder> progressive_decoder;
+    uint64_t stream_id;
+  };
+
+  // Parse decoder parameters from |input_filename| and set up |qpack_decoder_|
   // accordingly.
   bool ParseInputFilename(QuicStringPiece input_filename);
 
   // Read encoded header blocks and encoder stream data from |input_filename|,
-  // pass them to |decoder_| for decoding, and add decoded header lists to
+  // pass them to |qpack_decoder_| for decoding, and add decoded header lists to
   // |decoded_header_lists_|.
   bool DecodeHeaderBlocksFromFile(QuicStringPiece input_filename);
 
@@ -61,8 +71,14 @@ class QpackOfflineDecoder : public QpackDecoder::EncoderStreamErrorDelegate {
                            spdy::SpdyHeaderBlock expected_header_list);
 
   bool encoder_stream_error_detected_;
-  test::NoopDecoderStreamSenderDelegate decoder_stream_sender_delegate_;
-  QpackDecoder decoder_;
+  NoopQpackStreamSenderDelegate decoder_stream_sender_delegate_;
+  QpackDecoder qpack_decoder_;
+  uint64_t max_blocked_streams_;
+
+  // Objects necessary for decoding, one list element for each header block.
+  std::list<Decoder> decoders_;
+
+  // Decoded header lists.
   std::list<spdy::SpdyHeaderBlock> decoded_header_lists_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.cc
index dd4487d7060..6644918b34a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.cc
@@ -30,6 +30,8 @@ void ValidateLangague(const QpackLanguage* language) {
     }
     DCHECK_EQ(1u, match_count) << static_cast<int>(byte);
   }
+#else
+  (void)language;
 #endif
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.h
index 2812e63302d..35e4d560bef 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.h
@@ -77,11 +77,6 @@ struct QUIC_EXPORT_PRIVATE QpackInstruction {
 // Every possible input must match exactly one instruction.
 using QpackLanguage = std::vector<const QpackInstruction*>;
 
-// TODO(bnc): Move this into HpackVarintEncoder.
-// The integer encoder can encode up to 2^64-1, which can take up to 10 bytes
-// (each carrying 7 bits) after the prefix.
-const uint8_t kMaxExtensionBytesForVarintEncoding = 10;
-
 // Wire format defined in
 // https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#rfc.section.5
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc
index bcfe0e4e188..9cce57365b6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc
@@ -11,10 +11,14 @@ namespace quic {
 QpackDecodedHeadersAccumulator::QpackDecodedHeadersAccumulator(
     QuicStreamId id,
     QpackDecoder* qpack_decoder,
+    Visitor* visitor,
     size_t max_header_list_size)
-    : decoder_(qpack_decoder->DecodeHeaderBlock(id, this)),
+    : decoder_(qpack_decoder->CreateProgressiveDecoder(id, this)),
+      visitor_(visitor),
       uncompressed_header_bytes_(0),
       compressed_header_bytes_(0),
+      headers_decoded_(false),
+      blocked_(false),
       error_detected_(false) {
   quic_header_list_.set_max_header_list_size(max_header_list_size);
   quic_header_list_.OnHeaderBlockStart();
@@ -28,15 +32,31 @@ void QpackDecodedHeadersAccumulator::OnHeaderDecoded(QuicStringPiece name,
   quic_header_list_.OnHeader(name, value);
 }
 
-void QpackDecodedHeadersAccumulator::OnDecodingCompleted() {}
+void QpackDecodedHeadersAccumulator::OnDecodingCompleted() {
+  DCHECK(!headers_decoded_);
+  DCHECK(!error_detected_);
+
+  headers_decoded_ = true;
+  quic_header_list_.OnHeaderBlockEnd(uncompressed_header_bytes_,
+                                     compressed_header_bytes_);
+
+  if (blocked_) {
+    visitor_->OnHeadersDecoded(quic_header_list_);
+  }
+}
 
 void QpackDecodedHeadersAccumulator::OnDecodingErrorDetected(
     QuicStringPiece error_message) {
   DCHECK(!error_detected_);
+  DCHECK(!headers_decoded_);
 
   error_detected_ = true;
   // Copy error message to ensure it remains valid for the lifetime of |this|.
   error_message_.assign(error_message.data(), error_message.size());
+
+  if (blocked_) {
+    visitor_->OnHeaderDecodingError();
+  }
 }
 
 bool QpackDecodedHeadersAccumulator::Decode(QuicStringPiece data) {
@@ -48,15 +68,24 @@ bool QpackDecodedHeadersAccumulator::Decode(QuicStringPiece data) {
   return !error_detected_;
 }
 
-bool QpackDecodedHeadersAccumulator::EndHeaderBlock() {
+QpackDecodedHeadersAccumulator::Status
+QpackDecodedHeadersAccumulator::EndHeaderBlock() {
   DCHECK(!error_detected_);
+  DCHECK(!headers_decoded_);
 
   decoder_->EndHeaderBlock();
 
-  quic_header_list_.OnHeaderBlockEnd(uncompressed_header_bytes_,
-                                     compressed_header_bytes_);
+  if (error_detected_) {
+    DCHECK(!headers_decoded_);
+    return Status::kError;
+  }
 
-  return !error_detected_;
+  if (headers_decoded_) {
+    return Status::kSuccess;
+  }
+
+  blocked_ = true;
+  return Status::kBlocked;
 }
 
 const QuicHeaderList& QpackDecodedHeadersAccumulator::quic_header_list() const {
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h
index 5db88d71b33..c64932214dc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h
@@ -24,8 +24,33 @@ class QpackDecoder;
 class QUIC_EXPORT_PRIVATE QpackDecodedHeadersAccumulator
     : public QpackProgressiveDecoder::HeadersHandlerInterface {
  public:
+  // Return value for EndHeaderBlock().
+  enum class Status {
+    // Headers have been successfully decoded.
+    kSuccess,
+    // An error has occurred.
+    kError,
+    // Decoding is blocked.
+    kBlocked
+  };
+
+  // Visitor interface used for blocked decoding.  Exactly one visitor method
+  // will be called if EndHeaderBlock() returned kBlocked.  No visitor method
+  // will be called if EndHeaderBlock() returned any other value.
+  class Visitor {
+   public:
+    virtual ~Visitor() = default;
+
+    // Called when headers are successfully decoded.
+    virtual void OnHeadersDecoded(QuicHeaderList headers) = 0;
+
+    // Called when an error has occurred.
+    virtual void OnHeaderDecodingError() = 0;
+  };
+
   QpackDecodedHeadersAccumulator(QuicStreamId id,
                                  QpackDecoder* qpack_decoder,
+                                 Visitor* visitor,
                                  size_t max_header_list_size);
   virtual ~QpackDecodedHeadersAccumulator() = default;
 
@@ -40,23 +65,35 @@ class QUIC_EXPORT_PRIVATE QpackDecodedHeadersAccumulator
   // Must not be called after EndHeaderBlock().
   bool Decode(QuicStringPiece data);
 
-  // Signal end of HEADERS frame.  Returns true on success, false on error.
+  // Signal end of HEADERS frame.
   // Must not be called if an error has been detected.
   // Must not be called more that once.
-  bool EndHeaderBlock();
+  // Returns kSuccess if headers can be readily decoded.
+  // Returns kError if an error occurred.
+  // Returns kBlocked if headers cannot be decoded at the moment, in which case
+  // exactly one Visitor method will be called as soon as sufficient data
+  // is received on the QPACK decoder stream.
+  Status EndHeaderBlock();
 
   // Returns accumulated header list.
   const QuicHeaderList& quic_header_list() const;
 
   // Returns error message.
   // Must not be called unless an error has been detected.
+  // TODO(b/124216424): Add accessor for error code, return HTTP_EXCESSIVE_LOAD
+  // or HTTP_QPACK_DECOMPRESSION_FAILED.
   QuicStringPiece error_message() const;
 
  private:
   std::unique_ptr<QpackProgressiveDecoder> decoder_;
+  Visitor* visitor_;
   QuicHeaderList quic_header_list_;
   size_t uncompressed_header_bytes_;
   size_t compressed_header_bytes_;
+  // Set to true when OnDecodingCompleted() is called.
+  bool headers_decoded_;
+  // Set to true when EndHeaderBlock() returns kBlocked.
+  bool blocked_;
   bool error_detected_;
   std::string error_message_;
 };
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator_test.cc
index c3c0b8101b0..0898327c6be 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator_test.cc
@@ -8,6 +8,7 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
@@ -15,6 +16,7 @@ using ::testing::ElementsAre;
 using ::testing::Eq;
 using ::testing::Pair;
 using ::testing::StrictMock;
+using Status = quic::QpackDecodedHeadersAccumulator::Status;
 
 namespace quic {
 namespace test {
@@ -26,43 +28,57 @@ QuicStreamId kTestStreamId = 1;
 // Limit on header list size.
 const size_t kMaxHeaderListSize = 100;
 
+// Maximum dynamic table capacity.
+const size_t kMaxDynamicTableCapacity = 100;
+
 // Header Acknowledgement decoder stream instruction with stream_id = 1.
 const char* const kHeaderAcknowledgement = "\x81";
 
 }  // anonymous namespace
 
+class NoopVisitor : public QpackDecodedHeadersAccumulator::Visitor {
+ public:
+  ~NoopVisitor() override = default;
+  void OnHeadersDecoded(QuicHeaderList /* headers */) override {}
+  void OnHeaderDecodingError() override {}
+};
+
 class QpackDecodedHeadersAccumulatorTest : public QuicTest {
  protected:
   QpackDecodedHeadersAccumulatorTest()
       : qpack_decoder_(&encoder_stream_error_delegate_,
                        &decoder_stream_sender_delegate_),
-        accumulator_(kTestStreamId, &qpack_decoder_, kMaxHeaderListSize) {}
+        accumulator_(kTestStreamId,
+                     &qpack_decoder_,
+                     &visitor_,
+                     kMaxHeaderListSize) {}
 
   NoopEncoderStreamErrorDelegate encoder_stream_error_delegate_;
-  StrictMock<MockDecoderStreamSenderDelegate> decoder_stream_sender_delegate_;
+  StrictMock<MockQpackStreamSenderDelegate> decoder_stream_sender_delegate_;
   QpackDecoder qpack_decoder_;
+  NoopVisitor visitor_;
   QpackDecodedHeadersAccumulator accumulator_;
 };
 
 // HEADERS frame payload must have a complete Header Block Prefix.
 TEST_F(QpackDecodedHeadersAccumulatorTest, EmptyPayload) {
-  EXPECT_FALSE(accumulator_.EndHeaderBlock());
+  EXPECT_EQ(Status::kError, accumulator_.EndHeaderBlock());
   EXPECT_EQ("Incomplete header data prefix.", accumulator_.error_message());
 }
 
 // HEADERS frame payload must have a complete Header Block Prefix.
 TEST_F(QpackDecodedHeadersAccumulatorTest, TruncatedHeaderBlockPrefix) {
   EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("00")));
-  EXPECT_FALSE(accumulator_.EndHeaderBlock());
+  EXPECT_EQ(Status::kError, accumulator_.EndHeaderBlock());
   EXPECT_EQ("Incomplete header data prefix.", accumulator_.error_message());
 }
 
 TEST_F(QpackDecodedHeadersAccumulatorTest, EmptyHeaderList) {
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("0000")));
-  EXPECT_TRUE(accumulator_.EndHeaderBlock());
+  EXPECT_EQ(Status::kSuccess, accumulator_.EndHeaderBlock());
 
   EXPECT_TRUE(accumulator_.quic_header_list().empty());
 }
@@ -71,7 +87,7 @@ TEST_F(QpackDecodedHeadersAccumulatorTest, EmptyHeaderList) {
 // before it can be completely decoded.
 TEST_F(QpackDecodedHeadersAccumulatorTest, TruncatedPayload) {
   EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("00002366")));
-  EXPECT_FALSE(accumulator_.EndHeaderBlock());
+  EXPECT_EQ(Status::kError, accumulator_.EndHeaderBlock());
   EXPECT_EQ("Incomplete header block.", accumulator_.error_message());
 }
 
@@ -83,11 +99,11 @@ TEST_F(QpackDecodedHeadersAccumulatorTest, InvalidPayload) {
 
 TEST_F(QpackDecodedHeadersAccumulatorTest, Success) {
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   std::string encoded_data(QuicTextUtils::HexDecode("000023666f6f03626172"));
   EXPECT_TRUE(accumulator_.Decode(encoded_data));
-  EXPECT_TRUE(accumulator_.EndHeaderBlock());
+  EXPECT_EQ(Status::kSuccess, accumulator_.EndHeaderBlock());
 
   const QuicHeaderList& header_list = accumulator_.quic_header_list();
   EXPECT_THAT(header_list, ElementsAre(Pair("foo", "bar")));
@@ -99,7 +115,7 @@ TEST_F(QpackDecodedHeadersAccumulatorTest, Success) {
 
 TEST_F(QpackDecodedHeadersAccumulatorTest, ExceedingLimit) {
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   // Total length of header list exceeds kMaxHeaderListSize.
   EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode(
@@ -109,11 +125,46 @@ TEST_F(QpackDecodedHeadersAccumulatorTest, ExceedingLimit) {
       "616161616161616161616161616161616161616161616161616161616161616161616161"
       "616161616161616161616161616161616161616161616161616161616161616161616161"
       "61616161616161616161616161616161616161616161616161616161616161616161")));
-  EXPECT_TRUE(accumulator_.EndHeaderBlock());
+  EXPECT_EQ(Status::kSuccess, accumulator_.EndHeaderBlock());
 
   // QuicHeaderList signals header list over limit by clearing it.
   EXPECT_TRUE(accumulator_.quic_header_list().empty());
 }
 
+TEST_F(QpackDecodedHeadersAccumulatorTest, BlockedDecoding) {
+  qpack_decoder_.SetMaximumDynamicTableCapacity(kMaxDynamicTableCapacity);
+
+  // Reference to dynamic table entry not yet received.
+  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("020080")));
+  EXPECT_EQ(Status::kBlocked, accumulator_.EndHeaderBlock());
+
+  // Adding dynamic table entry unblocks decoding.
+  EXPECT_CALL(decoder_stream_sender_delegate_,
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
+  qpack_decoder_.OnInsertWithoutNameReference("foo", "bar");
+
+  EXPECT_THAT(accumulator_.quic_header_list(), ElementsAre(Pair("foo", "bar")));
+}
+
+TEST_F(QpackDecodedHeadersAccumulatorTest,
+       BlockedDecodingUnblockedBeforeEndOfHeaderBlock) {
+  qpack_decoder_.SetMaximumDynamicTableCapacity(kMaxDynamicTableCapacity);
+
+  // Reference to dynamic table entry not yet received.
+  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("020080")));
+
+  // Adding dynamic table entry unblocks decoding.
+  qpack_decoder_.OnInsertWithoutNameReference("foo", "bar");
+
+  // Rest of header block: same entry again.
+  EXPECT_CALL(decoder_stream_sender_delegate_,
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
+  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("80")));
+  EXPECT_EQ(Status::kSuccess, accumulator_.EndHeaderBlock());
+
+  EXPECT_THAT(accumulator_.quic_header_list(),
+              ElementsAre(Pair("foo", "bar"), Pair("foo", "bar")));
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.cc
index 9efccb6c029..d0e5ad948a5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.cc
@@ -13,7 +13,7 @@ namespace quic {
 
 QpackDecoder::QpackDecoder(
     EncoderStreamErrorDelegate* encoder_stream_error_delegate,
-    QpackDecoderStreamSender::Delegate* decoder_stream_sender_delegate)
+    QpackStreamSenderDelegate* decoder_stream_sender_delegate)
     : encoder_stream_error_delegate_(encoder_stream_error_delegate),
       encoder_stream_receiver_(this),
       decoder_stream_sender_(decoder_stream_sender_delegate) {
@@ -131,7 +131,7 @@ bool QpackDecoder::EncoderStreamRelativeIndexToAbsoluteIndex(
   return true;
 }
 
-std::unique_ptr<QpackProgressiveDecoder> QpackDecoder::DecodeHeaderBlock(
+std::unique_ptr<QpackProgressiveDecoder> QpackDecoder::CreateProgressiveDecoder(
     QuicStreamId stream_id,
     QpackProgressiveDecoder::HeadersHandlerInterface* handler) {
   return QuicMakeUnique<QpackProgressiveDecoder>(
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h
index c3b28a3e10b..9f8a3e38de1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h
@@ -34,9 +34,8 @@ class QUIC_EXPORT_PRIVATE QpackDecoder
     virtual void OnEncoderStreamError(QuicStringPiece error_message) = 0;
   };
 
-  QpackDecoder(
-      EncoderStreamErrorDelegate* encoder_stream_error_delegate,
-      QpackDecoderStreamSender::Delegate* decoder_stream_sender_delegate);
+  QpackDecoder(EncoderStreamErrorDelegate* encoder_stream_error_delegate,
+               QpackStreamSenderDelegate* decoder_stream_sender_delegate);
   ~QpackDecoder() override;
 
   // Set maximum capacity of dynamic table.
@@ -65,7 +64,7 @@ class QUIC_EXPORT_PRIVATE QpackDecoder
   // block.  |handler| must remain valid until the returned
   // QpackProgressiveDecoder instance is destroyed or the decoder calls
   // |handler->OnHeaderBlockEnd()|.
-  std::unique_ptr<QpackProgressiveDecoder> DecodeHeaderBlock(
+  std::unique_ptr<QpackProgressiveDecoder> CreateProgressiveDecoder(
       QuicStreamId stream_id,
       QpackProgressiveDecoder::HeadersHandlerInterface* handler);
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h
index 61c2773a62e..60719399d8b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h
@@ -8,6 +8,7 @@
 #include <cstdint>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_stream_receiver.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
@@ -17,7 +18,8 @@ namespace quic {
 // This class decodes data received on the decoder stream,
 // and passes it along to its Delegate.
 class QUIC_EXPORT_PRIVATE QpackDecoderStreamReceiver
-    : public QpackInstructionDecoder::Delegate {
+    : public QpackInstructionDecoder::Delegate,
+      public QpackStreamReceiver {
  public:
   // An interface for handling instructions decoded from the decoder stream, see
   // https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#rfc.section.5.3
@@ -41,10 +43,11 @@ class QUIC_EXPORT_PRIVATE QpackDecoderStreamReceiver
   QpackDecoderStreamReceiver& operator=(const QpackDecoderStreamReceiver&) =
       delete;
 
+  // Implements QpackStreamReceiver::Decode().
   // Decode data and call appropriate Delegate method after each decoded
   // instruction.  Once an error occurs, Delegate::OnErrorDetected() is called,
   // and all further data is ignored.
-  void Decode(QuicStringPiece data);
+  void Decode(QuicStringPiece data) override;
 
   // QpackInstructionDecoder::Delegate implementation.
   bool OnInstructionDecoded(const QpackInstruction* instruction) override;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.cc
index 9474d6cdf93..63f17219928 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.cc
@@ -13,49 +13,38 @@
 
 namespace quic {
 
-QpackDecoderStreamSender::QpackDecoderStreamSender(Delegate* delegate)
+QpackDecoderStreamSender::QpackDecoderStreamSender(
+    QpackStreamSenderDelegate* delegate)
     : delegate_(delegate) {
   DCHECK(delegate_);
 }
 
 void QpackDecoderStreamSender::SendInsertCountIncrement(uint64_t increment) {
-  instruction_encoder_.set_varint(increment);
-
-  instruction_encoder_.Encode(InsertCountIncrementInstruction());
+  values_.varint = increment;
 
   std::string output;
-
-  instruction_encoder_.Next(std::numeric_limits<size_t>::max(), &output);
-  DCHECK(!instruction_encoder_.HasNext());
-
-  delegate_->WriteDecoderStreamData(output);
+  instruction_encoder_.Encode(InsertCountIncrementInstruction(), values_,
+                              &output);
+  delegate_->WriteStreamData(output);
 }
 
 void QpackDecoderStreamSender::SendHeaderAcknowledgement(
     QuicStreamId stream_id) {
-  instruction_encoder_.set_varint(stream_id);
-
-  instruction_encoder_.Encode(HeaderAcknowledgementInstruction());
+  values_.varint = stream_id;
 
   std::string output;
-
-  instruction_encoder_.Next(std::numeric_limits<size_t>::max(), &output);
-  DCHECK(!instruction_encoder_.HasNext());
-
-  delegate_->WriteDecoderStreamData(output);
+  instruction_encoder_.Encode(HeaderAcknowledgementInstruction(), values_,
+                              &output);
+  delegate_->WriteStreamData(output);
 }
 
 void QpackDecoderStreamSender::SendStreamCancellation(QuicStreamId stream_id) {
-  instruction_encoder_.set_varint(stream_id);
-
-  instruction_encoder_.Encode(StreamCancellationInstruction());
+  values_.varint = stream_id;
 
   std::string output;
-
-  instruction_encoder_.Next(std::numeric_limits<size_t>::max(), &output);
-  DCHECK(!instruction_encoder_.HasNext());
-
-  delegate_->WriteDecoderStreamData(output);
+  instruction_encoder_.Encode(StreamCancellationInstruction(), values_,
+                              &output);
+  delegate_->WriteStreamData(output);
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h
index a791173f801..5f17744f207 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h
@@ -8,6 +8,7 @@
 #include <cstdint>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
@@ -18,19 +19,7 @@ namespace quic {
 // stream.
 class QUIC_EXPORT_PRIVATE QpackDecoderStreamSender {
  public:
-  // An interface for handling encoded data.
-  class Delegate {
-   public:
-    virtual ~Delegate() = default;
-
-    // Encoded |data| is ready to be written on the decoder stream.
-    // WriteDecoderStreamData() is called exactly once for each instruction.
-    // |data| contains the entire encoded instruction and it is guaranteed to be
-    // not empty.
-    virtual void WriteDecoderStreamData(QuicStringPiece data) = 0;
-  };
-
-  explicit QpackDecoderStreamSender(Delegate* delegate);
+  explicit QpackDecoderStreamSender(QpackStreamSenderDelegate* delegate);
   QpackDecoderStreamSender() = delete;
   QpackDecoderStreamSender(const QpackDecoderStreamSender&) = delete;
   QpackDecoderStreamSender& operator=(const QpackDecoderStreamSender&) = delete;
@@ -46,8 +35,9 @@ class QUIC_EXPORT_PRIVATE QpackDecoderStreamSender {
   void SendStreamCancellation(QuicStreamId stream_id);
 
  private:
-  Delegate* const delegate_;
+  QpackStreamSenderDelegate* const delegate_;
   QpackInstructionEncoder instruction_encoder_;
+  QpackInstructionEncoder::Values values_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender_test.cc
index c7c132e0a27..49483f7f37d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender_test.cc
@@ -4,7 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h"
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
@@ -20,61 +20,51 @@ class QpackDecoderStreamSenderTest : public QuicTest {
   QpackDecoderStreamSenderTest() : stream_(&delegate_) {}
   ~QpackDecoderStreamSenderTest() override = default;
 
-  StrictMock<MockDecoderStreamSenderDelegate> delegate_;
+  StrictMock<MockQpackStreamSenderDelegate> delegate_;
   QpackDecoderStreamSender stream_;
 };
 
 TEST_F(QpackDecoderStreamSenderTest, InsertCountIncrement) {
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("00"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("00"))));
   stream_.SendInsertCountIncrement(0);
 
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("0a"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("0a"))));
   stream_.SendInsertCountIncrement(10);
 
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("3f00"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("3f00"))));
   stream_.SendInsertCountIncrement(63);
 
   EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("3f8901"))));
+              WriteStreamData(Eq(QuicTextUtils::HexDecode("3f8901"))));
   stream_.SendInsertCountIncrement(200);
 }
 
 TEST_F(QpackDecoderStreamSenderTest, HeaderAcknowledgement) {
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("80"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("80"))));
   stream_.SendHeaderAcknowledgement(0);
 
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("a5"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("a5"))));
   stream_.SendHeaderAcknowledgement(37);
 
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("ff00"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("ff00"))));
   stream_.SendHeaderAcknowledgement(127);
 
   EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("fff802"))));
+              WriteStreamData(Eq(QuicTextUtils::HexDecode("fff802"))));
   stream_.SendHeaderAcknowledgement(503);
 }
 
 TEST_F(QpackDecoderStreamSenderTest, StreamCancellation) {
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("40"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("40"))));
   stream_.SendStreamCancellation(0);
 
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("53"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("53"))));
   stream_.SendStreamCancellation(19);
 
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("7f00"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("7f00"))));
   stream_.SendStreamCancellation(63);
 
-  EXPECT_CALL(delegate_,
-              WriteDecoderStreamData(Eq(QuicTextUtils::HexDecode("7f2f"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("7f2f"))));
   stream_.SendStreamCancellation(110);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test.cc
index 8d83f0a8bc0..af3a6a250c1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test.cc
@@ -14,6 +14,7 @@
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 
 using ::testing::Eq;
+using ::testing::Mock;
 using ::testing::Sequence;
 using ::testing::StrictMock;
 using ::testing::Values;
@@ -40,26 +41,46 @@ class QpackDecoderTest : public QuicTestWithParam<FragmentMode> {
     qpack_decoder_.DecodeEncoderStreamData(data);
   }
 
-  void DecodeHeaderBlock(QuicStringPiece data) {
+  // Set up |progressive_decoder_|.
+  void StartDecoding() {
+    progressive_decoder_ =
+        qpack_decoder_.CreateProgressiveDecoder(/* stream_id = */ 1, &handler_);
+  }
+
+  // Pass header block data to QpackProgressiveDecoder::Decode()
+  // in fragments dictated by |fragment_mode_|.
+  void DecodeData(QuicStringPiece data) {
     auto fragment_size_generator =
         FragmentModeToFragmentSizeGenerator(fragment_mode_);
-    auto progressive_decoder =
-        qpack_decoder_.DecodeHeaderBlock(/* stream_id = */ 1, &handler_);
     while (!data.empty()) {
       size_t fragment_size = std::min(fragment_size_generator(), data.size());
-      progressive_decoder->Decode(data.substr(0, fragment_size));
+      progressive_decoder_->Decode(data.substr(0, fragment_size));
       data = data.substr(fragment_size);
     }
-    progressive_decoder->EndHeaderBlock();
+  }
+
+  // Signal end of header block to QpackProgressiveDecoder.
+  void EndDecoding() {
+    progressive_decoder_->EndHeaderBlock();
+    // |progressive_decoder_| is kept alive so that it can
+    // handle callbacks later in case of blocked decoding.
+  }
+
+  // Decode an entire header block.
+  void DecodeHeaderBlock(QuicStringPiece data) {
+    StartDecoding();
+    DecodeData(data);
+    EndDecoding();
   }
 
   StrictMock<MockEncoderStreamErrorDelegate> encoder_stream_error_delegate_;
-  StrictMock<MockDecoderStreamSenderDelegate> decoder_stream_sender_delegate_;
+  StrictMock<MockQpackStreamSenderDelegate> decoder_stream_sender_delegate_;
   StrictMock<MockHeadersHandler> handler_;
 
  private:
   QpackDecoder qpack_decoder_;
   const FragmentMode fragment_mode_;
+  std::unique_ptr<QpackProgressiveDecoder> progressive_decoder_;
 };
 
 INSTANTIATE_TEST_SUITE_P(,
@@ -78,7 +99,7 @@ TEST_P(QpackDecoderTest, NoPrefix) {
 TEST_P(QpackDecoderTest, EmptyHeaderBlock) {
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode("0000"));
 }
@@ -87,7 +108,7 @@ TEST_P(QpackDecoderTest, LiteralEntryEmptyName) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq(""), Eq("foo")));
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode("00002003666f6f"));
 }
@@ -96,7 +117,7 @@ TEST_P(QpackDecoderTest, LiteralEntryEmptyValue) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("")));
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode("000023666f6f00"));
 }
@@ -105,7 +126,7 @@ TEST_P(QpackDecoderTest, LiteralEntryEmptyNameAndValue) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq(""), Eq("")));
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode("00002000"));
 }
@@ -114,7 +135,7 @@ TEST_P(QpackDecoderTest, SimpleLiteralEntry) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("bar")));
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode("000023666f6f03626172"));
 }
@@ -125,7 +146,7 @@ TEST_P(QpackDecoderTest, MultipleLiteralEntries) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foobaar"), QuicStringPiece(str)));
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0000"                // prefix
@@ -184,7 +205,7 @@ TEST_P(QpackDecoderTest, HuffmanSimple) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("custom-key"), Eq("custom-value")));
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(
       QuicTextUtils::HexDecode("00002f0125a849e95ba97d7f8925a849e95bb8e8b4bf"));
@@ -195,7 +216,7 @@ TEST_P(QpackDecoderTest, AlternatingHuffmanNonHuffman) {
       .Times(4);
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0000"                        // Prefix.
@@ -269,7 +290,7 @@ TEST_P(QpackDecoderTest, StaticTable) {
 
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0000d1dfccd45f108621e9aec2a11f5c8294e75f000554524143455f1000"));
@@ -312,7 +333,7 @@ TEST_P(QpackDecoderTest, DynamicTable) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("ZZZ"))).InSequence(s);
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq(":method"), Eq("ZZ"))).InSequence(s);
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)))
+              WriteStreamData(Eq(kHeaderAcknowledgement)))
       .InSequence(s);
   EXPECT_CALL(handler_, OnDecodingCompleted()).InSequence(s);
 
@@ -333,7 +354,7 @@ TEST_P(QpackDecoderTest, DynamicTable) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("ZZZ"))).InSequence(s);
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq(":method"), Eq("ZZ"))).InSequence(s);
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)))
+              WriteStreamData(Eq(kHeaderAcknowledgement)))
       .InSequence(s);
   EXPECT_CALL(handler_, OnDecodingCompleted()).InSequence(s);
 
@@ -354,7 +375,7 @@ TEST_P(QpackDecoderTest, DynamicTable) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("ZZZ"))).InSequence(s);
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq(":method"), Eq("ZZ"))).InSequence(s);
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)))
+              WriteStreamData(Eq(kHeaderAcknowledgement)))
       .InSequence(s);
   EXPECT_CALL(handler_, OnDecodingCompleted()).InSequence(s);
 
@@ -376,7 +397,7 @@ TEST_P(QpackDecoderTest, DecreasingDynamicTableCapacityEvictsEntries) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("bar")));
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0200"   // Required Insert Count 1 and Delta Base 0.
@@ -387,8 +408,8 @@ TEST_P(QpackDecoderTest, DecreasingDynamicTableCapacityEvictsEntries) {
   // This must cause the entry to be evicted.
   DecodeEncoderStreamData(QuicTextUtils::HexDecode("3f01"));
 
-  EXPECT_CALL(handler_,
-              OnDecodingErrorDetected(Eq("Dynamic table entry not found.")));
+  EXPECT_CALL(handler_, OnDecodingErrorDetected(
+                            Eq("Dynamic table entry already evicted.")));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0200"   // Required Insert Count 1 and Delta Base 0.
@@ -446,6 +467,9 @@ TEST_P(QpackDecoderTest, EncoderStreamErrorTooLargeInteger) {
 TEST_P(QpackDecoderTest, InvalidDynamicEntryWhenBaseIsZero) {
   EXPECT_CALL(handler_, OnDecodingErrorDetected(Eq("Invalid relative index.")));
 
+  // Add literal entry with name "foo" and value "bar".
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
+
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0280"   // Required Insert Count is 1.  Base 1 - 1 - 0 = 0 is explicitly
                // permitted by the spec.
@@ -465,25 +489,45 @@ TEST_P(QpackDecoderTest, InvalidDynamicEntryByRelativeIndex) {
   // Add literal entry with name "foo" and value "bar".
   DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
 
-  EXPECT_CALL(handler_,
-              OnDecodingErrorDetected(Eq("Dynamic table entry not found.")));
+  EXPECT_CALL(handler_, OnDecodingErrorDetected(Eq("Invalid relative index.")));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
-      "0500"   // Required Insert Count 4 and Delta Base 0.
-               // Base is 4 + 0 = 4.
-      "82"));  // Indexed Header Field instruction addressing relative index 2.
-               // This is absolute index 1. Such entry does not exist.
+      "0200"   // Required Insert Count 1 and Delta Base 0.
+               // Base is 1 + 0 = 1.
+      "81"));  // Indexed Header Field instruction addressing relative index 1.
+               // This is absolute index -1, which is invalid.
 
   EXPECT_CALL(handler_, OnDecodingErrorDetected(Eq("Invalid relative index.")));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
+      "0200"     // Required Insert Count 1 and Delta Base 0.
+                 // Base is 1 + 0 = 1.
+      "4100"));  // Literal Header Field with Name Reference instruction
+                 // addressing relative index 1.  This is absolute index -1,
+                 // which is invalid.
+}
+
+TEST_P(QpackDecoderTest, EvictedDynamicTableEntry) {
+  // Update dynamic table capacity to 128.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("3f61"));
+
+  // Add literal entry with name "foo" and value "bar", size 32 + 3 + 3 = 38.
+  // This fits in the table three times.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
+  // Duplicate entry four times.  This evicts the first two instances.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("00000000"));
+
+  EXPECT_CALL(handler_, OnDecodingErrorDetected(
+                            Eq("Dynamic table entry already evicted.")));
+
+  DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0500"   // Required Insert Count 4 and Delta Base 0.
                // Base is 4 + 0 = 4.
-      "84"));  // Indexed Header Field instruction addressing relative index 4.
-               // This is absolute index -1, which is invalid.
+      "82"));  // Indexed Header Field instruction addressing relative index 2.
+               // This is absolute index 1. Such entry does not exist.
 
-  EXPECT_CALL(handler_,
-              OnDecodingErrorDetected(Eq("Dynamic table entry not found.")));
+  EXPECT_CALL(handler_, OnDecodingErrorDetected(
+                            Eq("Dynamic table entry already evicted.")));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0500"     // Required Insert Count 4 and Delta Base 0.
@@ -492,22 +536,8 @@ TEST_P(QpackDecoderTest, InvalidDynamicEntryByRelativeIndex) {
                  // addressing relative index 2.  This is absolute index 1. Such
                  // entry does not exist.
 
-  EXPECT_CALL(handler_, OnDecodingErrorDetected(Eq("Invalid relative index.")));
-
-  DecodeHeaderBlock(QuicTextUtils::HexDecode(
-      "0500"     // Required Insert Count 4 and Delta Base 0.
-                 // Base is 4 + 0 = 4.
-      "4400"));  // Literal Header Field with Name Reference instruction
-                 // addressing relative index 4.  This is absolute index -1,
-                 // which is invalid.
-}
-
-TEST_P(QpackDecoderTest, InvalidDynamicEntryByPostBaseIndex) {
-  // Add literal entry with name "foo" and value "bar".
-  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
-
-  EXPECT_CALL(handler_,
-              OnDecodingErrorDetected(Eq("Dynamic table entry not found.")));
+  EXPECT_CALL(handler_, OnDecodingErrorDetected(
+                            Eq("Dynamic table entry already evicted.")));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0380"   // Required Insert Count 2 and Delta Base 0 with sign bit set.
@@ -516,8 +546,8 @@ TEST_P(QpackDecoderTest, InvalidDynamicEntryByPostBaseIndex) {
                // entry with post-base index 0, absolute index 1.  Such entry
                // does not exist.
 
-  EXPECT_CALL(handler_,
-              OnDecodingErrorDetected(Eq("Dynamic table entry not found.")));
+  EXPECT_CALL(handler_, OnDecodingErrorDetected(
+                            Eq("Dynamic table entry already evicted.")));
 
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
       "0380"     // Required Insert Count 2 and Delta Base 0 with sign bit set.
@@ -551,6 +581,15 @@ TEST_P(QpackDecoderTest, InvalidEncodedRequiredInsertCount) {
   DecodeHeaderBlock(QuicTextUtils::HexDecode("4100"));
 }
 
+// Regression test for https://crbug.com/970218:  Decoder must stop processing
+// after a Header Block Prefix with an invalid Encoded Required Insert Count.
+TEST_P(QpackDecoderTest, DataAfterInvalidEncodedRequiredInsertCount) {
+  EXPECT_CALL(handler_, OnDecodingErrorDetected(
+                            Eq("Error decoding Required Insert Count.")));
+  // Header Block Prefix followed by some extra data.
+  DecodeHeaderBlock(QuicTextUtils::HexDecode("410000"));
+}
+
 TEST_P(QpackDecoderTest, WrappedRequiredInsertCount) {
   // Maximum dynamic table capacity is 1024.
   // MaxEntries is 1024 / 32 = 32.
@@ -571,7 +610,7 @@ TEST_P(QpackDecoderTest, WrappedRequiredInsertCount) {
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq(header_value)));
   EXPECT_CALL(handler_, OnDecodingCompleted());
   EXPECT_CALL(decoder_stream_sender_delegate_,
-              WriteDecoderStreamData(Eq(kHeaderAcknowledgement)));
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
 
   // Send header block with Required Insert Count = 201.
   DecodeHeaderBlock(QuicTextUtils::HexDecode(
@@ -581,6 +620,9 @@ TEST_P(QpackDecoderTest, WrappedRequiredInsertCount) {
 }
 
 TEST_P(QpackDecoderTest, NonZeroRequiredInsertCountButNoDynamicEntries) {
+  // Add literal entry with name "foo" and value "bar".
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
+
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq(":method"), Eq("GET")));
   EXPECT_CALL(handler_,
               OnDecodingErrorDetected(Eq("Required Insert Count too large.")));
@@ -591,6 +633,9 @@ TEST_P(QpackDecoderTest, NonZeroRequiredInsertCountButNoDynamicEntries) {
 }
 
 TEST_P(QpackDecoderTest, AddressEntryNotAllowedByRequiredInsertCount) {
+  // Add literal entry with name "foo" and value "bar".
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
+
   EXPECT_CALL(
       handler_,
       OnDecodingErrorDetected(
@@ -646,7 +691,9 @@ TEST_P(QpackDecoderTest, AddressEntryNotAllowedByRequiredInsertCount) {
 TEST_P(QpackDecoderTest, PromisedRequiredInsertCountLargerThanActual) {
   // Add literal entry with name "foo" and value "bar".
   DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
-  // Duplicate entry.
+  // Duplicate entry twice so that decoding of header blocks with Required
+  // Insert Count not exceeding 3 is not blocked.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("00"));
   DecodeEncoderStreamData(QuicTextUtils::HexDecode("00"));
 
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("bar")));
@@ -698,6 +745,86 @@ TEST_P(QpackDecoderTest, PromisedRequiredInsertCountLargerThanActual) {
                  // count of 2, even though Required Insert Count is 3.
 }
 
+TEST_P(QpackDecoderTest, BlockedDecoding) {
+  DecodeHeaderBlock(QuicTextUtils::HexDecode(
+      "0200"   // Required Insert Count 1 and Delta Base 0.
+               // Base is 1 + 0 = 1.
+      "80"));  // Indexed Header Field instruction addressing dynamic table
+               // entry with relative index 0, absolute index 0.
+
+  EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("bar")));
+  EXPECT_CALL(handler_, OnDecodingCompleted());
+  EXPECT_CALL(decoder_stream_sender_delegate_,
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
+
+  // Add literal entry with name "foo" and value "bar".
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
+}
+
+TEST_P(QpackDecoderTest, BlockedDecodingUnblockedBeforeEndOfHeaderBlock) {
+  StartDecoding();
+  DecodeData(QuicTextUtils::HexDecode(
+      "0200"   // Required Insert Count 1 and Delta Base 0.
+               // Base is 1 + 0 = 1.
+      "80"     // Indexed Header Field instruction addressing dynamic table
+               // entry with relative index 0, absolute index 0.
+      "d1"));  // Static table entry with index 17.
+
+  // Add literal entry with name "foo" and value "bar".  Decoding is now
+  // unblocked because dynamic table Insert Count reached the Required Insert
+  // Count of the header block.  |handler_| methods are called immediately for
+  // the already consumed part of the header block.
+  EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("bar")));
+  EXPECT_CALL(handler_, OnHeaderDecoded(Eq(":method"), Eq("GET")));
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
+  Mock::VerifyAndClearExpectations(&handler_);
+
+  // Rest of header block is processed by QpackProgressiveDecoder
+  // in the unblocked state.
+  EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("bar")));
+  EXPECT_CALL(handler_, OnHeaderDecoded(Eq(":scheme"), Eq("https")));
+  DecodeData(QuicTextUtils::HexDecode(
+      "80"     // Indexed Header Field instruction addressing dynamic table
+               // entry with relative index 0, absolute index 0.
+      "d7"));  // Static table entry with index 23.
+  Mock::VerifyAndClearExpectations(&handler_);
+
+  EXPECT_CALL(handler_, OnDecodingCompleted());
+  EXPECT_CALL(decoder_stream_sender_delegate_,
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
+  EndDecoding();
+}
+
+// Make sure that Required Insert Count is compared to Insert Count,
+// not size of dynamic table.
+TEST_P(QpackDecoderTest, BlockedDecodingAndEvictedEntries) {
+  // Update dynamic table capacity to 128.
+  // At most three non-empty entries fit in the dynamic table.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("3f61"));
+
+  StartDecoding();
+  DecodeHeaderBlock(QuicTextUtils::HexDecode(
+      "0700"   // Required Insert Count 6 and Delta Base 0.
+               // Base is 6 + 0 = 6.
+      "80"));  // Indexed Header Field instruction addressing dynamic table
+               // entry with relative index 0, absolute index 5.
+
+  // Add literal entry with name "foo" and value "bar".
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
+
+  // Duplicate entry four times.  This evicts the first two instances.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("00000000"));
+
+  EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("baz")));
+  EXPECT_CALL(handler_, OnDecodingCompleted());
+  EXPECT_CALL(decoder_stream_sender_delegate_,
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
+
+  // Add literal entry with name "foo" and value "bar".
+  // Insert Count is now 6, reaching Required Insert Count of the header block.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e70362617a"));
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.cc
index 9fc29deb779..173270d75b6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.cc
@@ -14,10 +14,7 @@ namespace quic {
 namespace test {
 
 void NoopEncoderStreamErrorDelegate::OnEncoderStreamError(
-    QuicStringPiece error_message) {}
-
-void NoopDecoderStreamSenderDelegate::WriteDecoderStreamData(
-    QuicStringPiece data) {}
+    QuicStringPiece /*error_message*/) {}
 
 TestHeadersHandler::TestHeadersHandler()
     : decoding_completed_(false), decoding_error_detected_(false) {}
@@ -43,6 +40,7 @@ void TestHeadersHandler::OnDecodingErrorDetected(
   ASSERT_FALSE(decoding_error_detected_);
 
   decoding_error_detected_ = true;
+  error_message_.assign(error_message.data(), error_message.size());
 }
 
 spdy::SpdyHeaderBlock TestHeadersHandler::ReleaseHeaderList() {
@@ -60,16 +58,21 @@ bool TestHeadersHandler::decoding_error_detected() const {
   return decoding_error_detected_;
 }
 
+const std::string& TestHeadersHandler::error_message() const {
+  DCHECK(decoding_error_detected_);
+  return error_message_;
+}
+
 void QpackDecode(
     QpackDecoder::EncoderStreamErrorDelegate* encoder_stream_error_delegate,
-    QpackDecoderStreamSender::Delegate* decoder_stream_sender_delegate,
+    QpackStreamSenderDelegate* decoder_stream_sender_delegate,
     QpackProgressiveDecoder::HeadersHandlerInterface* handler,
     const FragmentSizeGenerator& fragment_size_generator,
     QuicStringPiece data) {
   QpackDecoder decoder(encoder_stream_error_delegate,
                        decoder_stream_sender_delegate);
   auto progressive_decoder =
-      decoder.DecodeHeaderBlock(/* stream_id = */ 1, handler);
+      decoder.CreateProgressiveDecoder(/* stream_id = */ 1, handler);
   while (!data.empty()) {
     size_t fragment_size = std::min(fragment_size_generator(), data.size());
     progressive_decoder->Decode(data.substr(0, fragment_size));
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h
index 55761b6c388..d5f494cfd37 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h
@@ -5,6 +5,8 @@
 #ifndef QUICHE_QUIC_CORE_QPACK_QPACK_DECODER_TEST_UTILS_H_
 #define QUICHE_QUIC_CORE_QPACK_QPACK_DECODER_TEST_UTILS_H_
 
+#include <string>
+
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
@@ -33,24 +35,6 @@ class MockEncoderStreamErrorDelegate
   MOCK_METHOD1(OnEncoderStreamError, void(QuicStringPiece error_message));
 };
 
-// QpackDecoderStreamSender::Delegate implementation that does nothing.
-class NoopDecoderStreamSenderDelegate
-    : public QpackDecoderStreamSender::Delegate {
- public:
-  ~NoopDecoderStreamSenderDelegate() override = default;
-
-  void WriteDecoderStreamData(QuicStringPiece data) override;
-};
-
-// Mock QpackDecoderStreamSender::Delegate implementation.
-class MockDecoderStreamSenderDelegate
-    : public QpackDecoderStreamSender::Delegate {
- public:
-  ~MockDecoderStreamSenderDelegate() override = default;
-
-  MOCK_METHOD1(WriteDecoderStreamData, void(QuicStringPiece data));
-};
-
 // HeadersHandlerInterface implementation that collects decoded headers
 // into a SpdyHeaderBlock.
 class TestHeadersHandler
@@ -70,11 +54,13 @@ class TestHeadersHandler
 
   bool decoding_completed() const;
   bool decoding_error_detected() const;
+  const std::string& error_message() const;
 
  private:
   spdy::SpdyHeaderBlock header_list_;
   bool decoding_completed_;
   bool decoding_error_detected_;
+  std::string error_message_;
 };
 
 class MockHeadersHandler
@@ -96,14 +82,15 @@ class NoOpHeadersHandler
  public:
   ~NoOpHeadersHandler() override = default;
 
-  void OnHeaderDecoded(QuicStringPiece name, QuicStringPiece value) override {}
+  void OnHeaderDecoded(QuicStringPiece /*name*/,
+                       QuicStringPiece /*value*/) override {}
   void OnDecodingCompleted() override {}
-  void OnDecodingErrorDetected(QuicStringPiece error_message) override {}
+  void OnDecodingErrorDetected(QuicStringPiece /*error_message*/) override {}
 };
 
 void QpackDecode(
     QpackDecoder::EncoderStreamErrorDelegate* encoder_stream_error_delegate,
-    QpackDecoderStreamSender::Delegate* decoder_stream_sender_delegate,
+    QpackStreamSenderDelegate* decoder_stream_sender_delegate,
     QpackProgressiveDecoder::HeadersHandlerInterface* handler,
     const FragmentSizeGenerator& fragment_size_generator,
     QuicStringPiece data);
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.cc
index 09c42869544..3ffe9d07a5f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.cc
@@ -4,9 +4,11 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h"
 
-#include <string>
+#include <list>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h"
+#include "net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 
@@ -14,7 +16,7 @@ namespace quic {
 
 QpackEncoder::QpackEncoder(
     DecoderStreamErrorDelegate* decoder_stream_error_delegate,
-    QpackEncoderStreamSender::Delegate* encoder_stream_sender_delegate)
+    QpackStreamSenderDelegate* encoder_stream_sender_delegate)
     : decoder_stream_error_delegate_(decoder_stream_error_delegate),
       decoder_stream_receiver_(this),
       encoder_stream_sender_(encoder_stream_sender_delegate) {
@@ -24,26 +26,88 @@ QpackEncoder::QpackEncoder(
 
 QpackEncoder::~QpackEncoder() {}
 
-std::unique_ptr<spdy::HpackEncoder::ProgressiveEncoder>
-QpackEncoder::EncodeHeaderList(QuicStreamId stream_id,
-                               const spdy::SpdyHeaderBlock* header_list) {
-  return QuicMakeUnique<QpackProgressiveEncoder>(
-      stream_id, &header_table_, &encoder_stream_sender_, header_list);
+std::string QpackEncoder::EncodeHeaderList(
+    QuicStreamId /* stream_id */,
+    const spdy::SpdyHeaderBlock* header_list) {
+  // First pass.
+
+  // Encode into |instructions| which will be serialized during the second pass.
+  std::list<InstructionWithValues> instructions;
+
+  for (const auto& header : ValueSplittingHeaderList(header_list)) {
+    QuicStringPiece name = header.first;
+    QuicStringPiece value = header.second;
+
+    bool is_static;
+    uint64_t index;
+
+    auto match_type =
+        header_table_.FindHeaderField(name, value, &is_static, &index);
+
+    switch (match_type) {
+      case QpackHeaderTable::MatchType::kNameAndValue:
+        DCHECK(is_static) << "Dynamic table entries not supported yet.";
+
+        instructions.push_back({QpackIndexedHeaderFieldInstruction(), {}});
+        instructions.back().values.s_bit = is_static;
+        instructions.back().values.varint = index;
+
+        break;
+      case QpackHeaderTable::MatchType::kName:
+        DCHECK(is_static) << "Dynamic table entries not supported yet.";
+
+        instructions.push_back(
+            {QpackLiteralHeaderFieldNameReferenceInstruction(), {}});
+        instructions.back().values.s_bit = is_static;
+        instructions.back().values.varint = index;
+        instructions.back().values.value = value;
+
+        break;
+      case QpackHeaderTable::MatchType::kNoMatch:
+        instructions.push_back({QpackLiteralHeaderFieldInstruction(), {}});
+        instructions.back().values.name = name;
+        instructions.back().values.value = value;
+
+        break;
+    }
+  }
+
+  // Second pass.
+  QpackInstructionEncoder instruction_encoder;
+  std::string encoded_headers;
+
+  // Header block prefix.
+  // TODO(bnc): Implement dynamic entries and set Required Insert Count and
+  // Delta Base accordingly.
+  QpackInstructionEncoder::Values values;
+  values.varint = 0;     // Encoded required insert count.
+  values.varint2 = 0;    // Delta Base.
+  values.s_bit = false;  // Delta Base sign.
+
+  instruction_encoder.Encode(QpackPrefixInstruction(), values,
+                             &encoded_headers);
+
+  for (const auto& instruction : instructions) {
+    instruction_encoder.Encode(instruction.instruction, instruction.values,
+                               &encoded_headers);
+  }
+
+  return encoded_headers;
 }
 
 void QpackEncoder::DecodeDecoderStreamData(QuicStringPiece data) {
   decoder_stream_receiver_.Decode(data);
 }
 
-void QpackEncoder::OnInsertCountIncrement(uint64_t increment) {
+void QpackEncoder::OnInsertCountIncrement(uint64_t /*increment*/) {
   // TODO(bnc): Implement dynamic table management for encoding.
 }
 
-void QpackEncoder::OnHeaderAcknowledgement(QuicStreamId stream_id) {
+void QpackEncoder::OnHeaderAcknowledgement(QuicStreamId /*stream_id*/) {
   // TODO(bnc): Implement dynamic table management for encoding.
 }
 
-void QpackEncoder::OnStreamCancellation(QuicStreamId stream_id) {
+void QpackEncoder::OnStreamCancellation(QuicStreamId /*stream_id*/) {
   // TODO(bnc): Implement dynamic table management for encoding.
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h
index 2c450b17c9d..39600e89fcd 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h
@@ -7,6 +7,7 @@
 
 #include <cstdint>
 #include <memory>
+#include <string>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h"
@@ -14,7 +15,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
-#include "net/third_party/quiche/src/spdy/core/hpack/hpack_encoder.h"
 
 namespace spdy {
 
@@ -25,8 +25,6 @@ class SpdyHeaderBlock;
 namespace quic {
 
 // QPACK encoder class.  Exactly one instance should exist per QUIC connection.
-// This class vends a new QpackProgressiveEncoder instance for each new header
-// list to be encoded.
 class QUIC_EXPORT_PRIVATE QpackEncoder
     : public QpackDecoderStreamReceiver::Delegate {
  public:
@@ -40,17 +38,13 @@ class QUIC_EXPORT_PRIVATE QpackEncoder
     virtual void OnDecoderStreamError(QuicStringPiece error_message) = 0;
   };
 
-  QpackEncoder(
-      DecoderStreamErrorDelegate* decoder_stream_error_delegate,
-      QpackEncoderStreamSender::Delegate* encoder_stream_sender_delegate);
+  QpackEncoder(DecoderStreamErrorDelegate* decoder_stream_error_delegate,
+               QpackStreamSenderDelegate* encoder_stream_sender_delegate);
   ~QpackEncoder() override;
 
-  // This factory method is called to start encoding a header list.
-  // |*header_list| must remain valid and must not change
-  // during the lifetime of the returned ProgressiveEncoder instance.
-  std::unique_ptr<spdy::HpackEncoder::ProgressiveEncoder> EncodeHeaderList(
-      QuicStreamId stream_id,
-      const spdy::SpdyHeaderBlock* header_list);
+  // Encode a header list.
+  std::string EncodeHeaderList(QuicStreamId stream_id,
+                               const spdy::SpdyHeaderBlock* header_list);
 
   // Decode data received on the decoder stream.
   void DecodeDecoderStreamData(QuicStringPiece data);
@@ -62,6 +56,17 @@ class QUIC_EXPORT_PRIVATE QpackEncoder
   void OnErrorDetected(QuicStringPiece error_message) override;
 
  private:
+  // TODO(bnc): Consider moving this class to QpackInstructionEncoder or
+  // qpack_constants, adding factory methods, one for each instruction, and
+  // changing QpackInstructionEncoder::Encoder() to take an
+  // InstructionWithValues struct instead of separate |instruction| and |values|
+  // arguments.
+  struct InstructionWithValues {
+    // |instruction| is not owned.
+    const QpackInstruction* instruction;
+    QpackInstructionEncoder::Values values;
+  };
+
   DecoderStreamErrorDelegate* const decoder_stream_error_delegate_;
   QpackDecoderStreamReceiver decoder_stream_receiver_;
   QpackEncoderStreamSender encoder_stream_sender_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h
index 5519b4c67a2..8da3147d1ea 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h
@@ -9,6 +9,7 @@
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_stream_receiver.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
@@ -16,7 +17,8 @@ namespace quic {
 
 // This class decodes data received on the encoder stream.
 class QUIC_EXPORT_PRIVATE QpackEncoderStreamReceiver
-    : public QpackInstructionDecoder::Delegate {
+    : public QpackInstructionDecoder::Delegate,
+      public QpackStreamReceiver {
  public:
   // An interface for handling instructions decoded from the encoder stream, see
   // https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#rfc.section.5.2
@@ -46,10 +48,11 @@ class QUIC_EXPORT_PRIVATE QpackEncoderStreamReceiver
       delete;
   ~QpackEncoderStreamReceiver() override = default;
 
+  // Implements QpackStreamReceiver::Decode().
   // Decode data and call appropriate Delegate method after each decoded
   // instruction.  Once an error occurs, Delegate::OnErrorDetected() is called,
   // and all further data is ignored.
-  void Decode(QuicStringPiece data);
+  void Decode(QuicStringPiece data) override;
 
   // QpackInstructionDecoder::Delegate implementation.
   bool OnInstructionDecoded(const QpackInstruction* instruction) override;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.cc
index 3fb3b33f35e..dce183ae17b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.cc
@@ -13,7 +13,8 @@
 
 namespace quic {
 
-QpackEncoderStreamSender::QpackEncoderStreamSender(Delegate* delegate)
+QpackEncoderStreamSender::QpackEncoderStreamSender(
+    QpackStreamSenderDelegate* delegate)
     : delegate_(delegate) {
   DCHECK(delegate_);
 }
@@ -22,60 +23,43 @@ void QpackEncoderStreamSender::SendInsertWithNameReference(
     bool is_static,
     uint64_t name_index,
     QuicStringPiece value) {
-  instruction_encoder_.set_s_bit(is_static);
-  instruction_encoder_.set_varint(name_index);
-  instruction_encoder_.set_value(value);
-
-  instruction_encoder_.Encode(InsertWithNameReferenceInstruction());
+  values_.s_bit = is_static;
+  values_.varint = name_index;
+  values_.value = value;
 
   std::string output;
-
-  instruction_encoder_.Next(std::numeric_limits<size_t>::max(), &output);
-  DCHECK(!instruction_encoder_.HasNext());
-
-  delegate_->WriteEncoderStreamData(output);
+  instruction_encoder_.Encode(InsertWithNameReferenceInstruction(), values_,
+                              &output);
+  delegate_->WriteStreamData(output);
 }
 
 void QpackEncoderStreamSender::SendInsertWithoutNameReference(
     QuicStringPiece name,
     QuicStringPiece value) {
-  instruction_encoder_.set_name(name);
-  instruction_encoder_.set_value(value);
-
-  instruction_encoder_.Encode(InsertWithoutNameReferenceInstruction());
+  values_.name = name;
+  values_.value = value;
 
   std::string output;
-
-  instruction_encoder_.Next(std::numeric_limits<size_t>::max(), &output);
-  DCHECK(!instruction_encoder_.HasNext());
-
-  delegate_->WriteEncoderStreamData(output);
+  instruction_encoder_.Encode(InsertWithoutNameReferenceInstruction(), values_,
+                              &output);
+  delegate_->WriteStreamData(output);
 }
 
 void QpackEncoderStreamSender::SendDuplicate(uint64_t index) {
-  instruction_encoder_.set_varint(index);
-
-  instruction_encoder_.Encode(DuplicateInstruction());
+  values_.varint = index;
 
   std::string output;
-
-  instruction_encoder_.Next(std::numeric_limits<size_t>::max(), &output);
-  DCHECK(!instruction_encoder_.HasNext());
-
-  delegate_->WriteEncoderStreamData(output);
+  instruction_encoder_.Encode(DuplicateInstruction(), values_, &output);
+  delegate_->WriteStreamData(output);
 }
 
 void QpackEncoderStreamSender::SendSetDynamicTableCapacity(uint64_t capacity) {
-  instruction_encoder_.set_varint(capacity);
-
-  instruction_encoder_.Encode(SetDynamicTableCapacityInstruction());
+  values_.varint = capacity;
 
   std::string output;
-
-  instruction_encoder_.Next(std::numeric_limits<size_t>::max(), &output);
-  DCHECK(!instruction_encoder_.HasNext());
-
-  delegate_->WriteEncoderStreamData(output);
+  instruction_encoder_.Encode(SetDynamicTableCapacityInstruction(), values_,
+                              &output);
+  delegate_->WriteStreamData(output);
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h
index ad3456889bd..bf3a79fc0a1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h
@@ -8,6 +8,7 @@
 #include <cstdint>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
@@ -16,19 +17,7 @@ namespace quic {
 // This class serializes instructions for transmission on the encoder stream.
 class QUIC_EXPORT_PRIVATE QpackEncoderStreamSender {
  public:
-  // An interface for handling encoded data.
-  class Delegate {
-   public:
-    virtual ~Delegate() = default;
-
-    // Encoded |data| is ready to be written on the encoder stream.
-    // WriteEncoderStreamData() is called exactly once for each instruction.
-    // |data| contains the entire encoded instruction and it is guaranteed to be
-    // not empty.
-    virtual void WriteEncoderStreamData(QuicStringPiece data) = 0;
-  };
-
-  explicit QpackEncoderStreamSender(Delegate* delegate);
+  explicit QpackEncoderStreamSender(QpackStreamSenderDelegate* delegate);
   QpackEncoderStreamSender() = delete;
   QpackEncoderStreamSender(const QpackEncoderStreamSender&) = delete;
   QpackEncoderStreamSender& operator=(const QpackEncoderStreamSender&) = delete;
@@ -49,8 +38,9 @@ class QUIC_EXPORT_PRIVATE QpackEncoderStreamSender {
   void SendSetDynamicTableCapacity(uint64_t capacity);
 
  private:
-  Delegate* const delegate_;
+  QpackStreamSenderDelegate* const delegate_;
   QpackInstructionEncoder instruction_encoder_;
+  QpackInstructionEncoder::Values values_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender_test.cc
index ee8f399690d..01f1cbf4992 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender_test.cc
@@ -4,7 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h"
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
@@ -20,31 +20,30 @@ class QpackEncoderStreamSenderTest : public QuicTest {
   QpackEncoderStreamSenderTest() : stream_(&delegate_) {}
   ~QpackEncoderStreamSenderTest() override = default;
 
-  StrictMock<MockEncoderStreamSenderDelegate> delegate_;
+  StrictMock<MockQpackStreamSenderDelegate> delegate_;
   QpackEncoderStreamSender stream_;
 };
 
 TEST_F(QpackEncoderStreamSenderTest, InsertWithNameReference) {
   // Static, index fits in prefix, empty value.
-  EXPECT_CALL(delegate_,
-              WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode("c500"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("c500"))));
   stream_.SendInsertWithNameReference(true, 5, "");
 
   // Static, index fits in prefix, Huffman encoded value.
   EXPECT_CALL(delegate_,
-              WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode("c28294e7"))));
+              WriteStreamData(Eq(QuicTextUtils::HexDecode("c28294e7"))));
   stream_.SendInsertWithNameReference(true, 2, "foo");
 
   // Not static, index does not fit in prefix, not Huffman encoded value.
-  EXPECT_CALL(delegate_, WriteEncoderStreamData(
-                             Eq(QuicTextUtils::HexDecode("bf4a03626172"))));
+  EXPECT_CALL(delegate_,
+              WriteStreamData(Eq(QuicTextUtils::HexDecode("bf4a03626172"))));
   stream_.SendInsertWithNameReference(false, 137, "bar");
 
   // Value length does not fit in prefix.
   // 'Z' would be Huffman encoded to 8 bits, so no Huffman encoding is used.
   EXPECT_CALL(
       delegate_,
-      WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode(
+      WriteStreamData(Eq(QuicTextUtils::HexDecode(
           "aa7f005a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a"
           "5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a"
           "5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a"
@@ -54,25 +53,24 @@ TEST_F(QpackEncoderStreamSenderTest, InsertWithNameReference) {
 
 TEST_F(QpackEncoderStreamSenderTest, InsertWithoutNameReference) {
   // Empty name and value.
-  EXPECT_CALL(delegate_,
-              WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode("4000"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("4000"))));
   stream_.SendInsertWithoutNameReference("", "");
 
   // Huffman encoded short strings.
-  EXPECT_CALL(delegate_, WriteEncoderStreamData(
+  EXPECT_CALL(delegate_, WriteStreamData(
                              Eq(QuicTextUtils::HexDecode("4362617203626172"))));
   stream_.SendInsertWithoutNameReference("bar", "bar");
 
   // Not Huffman encoded short strings.
-  EXPECT_CALL(delegate_, WriteEncoderStreamData(
-                             Eq(QuicTextUtils::HexDecode("6294e78294e7"))));
+  EXPECT_CALL(delegate_,
+              WriteStreamData(Eq(QuicTextUtils::HexDecode("6294e78294e7"))));
   stream_.SendInsertWithoutNameReference("foo", "foo");
 
   // Not Huffman encoded long strings; length does not fit on prefix.
   // 'Z' would be Huffman encoded to 8 bits, so no Huffman encoding is used.
   EXPECT_CALL(
       delegate_,
-      WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode(
+      WriteStreamData(Eq(QuicTextUtils::HexDecode(
           "5f005a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a7f"
           "005a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a"
           "5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a"
@@ -84,25 +82,23 @@ TEST_F(QpackEncoderStreamSenderTest, InsertWithoutNameReference) {
 
 TEST_F(QpackEncoderStreamSenderTest, Duplicate) {
   // Small index fits in prefix.
-  EXPECT_CALL(delegate_,
-              WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode("11"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("11"))));
   stream_.SendDuplicate(17);
 
   // Large index requires two extension bytes.
   EXPECT_CALL(delegate_,
-              WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode("1fd503"))));
+              WriteStreamData(Eq(QuicTextUtils::HexDecode("1fd503"))));
   stream_.SendDuplicate(500);
 }
 
 TEST_F(QpackEncoderStreamSenderTest, SetDynamicTableCapacity) {
   // Small capacity fits in prefix.
-  EXPECT_CALL(delegate_,
-              WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode("31"))));
+  EXPECT_CALL(delegate_, WriteStreamData(Eq(QuicTextUtils::HexDecode("31"))));
   stream_.SendSetDynamicTableCapacity(17);
 
   // Large capacity requires two extension bytes.
   EXPECT_CALL(delegate_,
-              WriteEncoderStreamData(Eq(QuicTextUtils::HexDecode("3fd503"))));
+              WriteStreamData(Eq(QuicTextUtils::HexDecode("3fd503"))));
   stream_.SendSetDynamicTableCapacity(500);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test.cc
index 8200e14f8a3..544b6701f64 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test.cc
@@ -7,7 +7,7 @@
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
@@ -19,37 +19,29 @@ namespace quic {
 namespace test {
 namespace {
 
-class QpackEncoderTest : public QuicTestWithParam<FragmentMode> {
+class QpackEncoderTest : public QuicTest {
  protected:
-  QpackEncoderTest() : fragment_mode_(GetParam()) {}
+  QpackEncoderTest() = default;
   ~QpackEncoderTest() override = default;
 
   std::string Encode(const spdy::SpdyHeaderBlock* header_list) {
-    return QpackEncode(
-        &decoder_stream_error_delegate_, &encoder_stream_sender_delegate_,
-        FragmentModeToFragmentSizeGenerator(fragment_mode_), header_list);
+    QpackEncoder encoder(&decoder_stream_error_delegate_,
+                         &encoder_stream_sender_delegate_);
+    return encoder.EncodeHeaderList(/* stream_id = */ 1, header_list);
   }
 
   StrictMock<MockDecoderStreamErrorDelegate> decoder_stream_error_delegate_;
-  NoopEncoderStreamSenderDelegate encoder_stream_sender_delegate_;
-
- private:
-  const FragmentMode fragment_mode_;
+  NoopQpackStreamSenderDelegate encoder_stream_sender_delegate_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
-                         QpackEncoderTest,
-                         Values(FragmentMode::kSingleChunk,
-                                FragmentMode::kOctetByOctet));
-
-TEST_P(QpackEncoderTest, Empty) {
+TEST_F(QpackEncoderTest, Empty) {
   spdy::SpdyHeaderBlock header_list;
   std::string output = Encode(&header_list);
 
   EXPECT_EQ(QuicTextUtils::HexDecode("0000"), output);
 }
 
-TEST_P(QpackEncoderTest, EmptyName) {
+TEST_F(QpackEncoderTest, EmptyName) {
   spdy::SpdyHeaderBlock header_list;
   header_list[""] = "foo";
   std::string output = Encode(&header_list);
@@ -57,7 +49,7 @@ TEST_P(QpackEncoderTest, EmptyName) {
   EXPECT_EQ(QuicTextUtils::HexDecode("0000208294e7"), output);
 }
 
-TEST_P(QpackEncoderTest, EmptyValue) {
+TEST_F(QpackEncoderTest, EmptyValue) {
   spdy::SpdyHeaderBlock header_list;
   header_list["foo"] = "";
   std::string output = Encode(&header_list);
@@ -65,7 +57,7 @@ TEST_P(QpackEncoderTest, EmptyValue) {
   EXPECT_EQ(QuicTextUtils::HexDecode("00002a94e700"), output);
 }
 
-TEST_P(QpackEncoderTest, EmptyNameAndValue) {
+TEST_F(QpackEncoderTest, EmptyNameAndValue) {
   spdy::SpdyHeaderBlock header_list;
   header_list[""] = "";
   std::string output = Encode(&header_list);
@@ -73,7 +65,7 @@ TEST_P(QpackEncoderTest, EmptyNameAndValue) {
   EXPECT_EQ(QuicTextUtils::HexDecode("00002000"), output);
 }
 
-TEST_P(QpackEncoderTest, Simple) {
+TEST_F(QpackEncoderTest, Simple) {
   spdy::SpdyHeaderBlock header_list;
   header_list["foo"] = "bar";
   std::string output = Encode(&header_list);
@@ -81,7 +73,7 @@ TEST_P(QpackEncoderTest, Simple) {
   EXPECT_EQ(QuicTextUtils::HexDecode("00002a94e703626172"), output);
 }
 
-TEST_P(QpackEncoderTest, Multiple) {
+TEST_F(QpackEncoderTest, Multiple) {
   spdy::SpdyHeaderBlock header_list;
   header_list["foo"] = "bar";
   // 'Z' would be Huffman encoded to 8 bits, so no Huffman encoding is used.
@@ -103,7 +95,7 @@ TEST_P(QpackEncoderTest, Multiple) {
       output);
 }
 
-TEST_P(QpackEncoderTest, StaticTable) {
+TEST_F(QpackEncoderTest, StaticTable) {
   {
     spdy::SpdyHeaderBlock header_list;
     header_list[":method"] = "GET";
@@ -133,26 +125,7 @@ TEST_P(QpackEncoderTest, StaticTable) {
   }
 }
 
-TEST_P(QpackEncoderTest, SimpleIndexed) {
-  spdy::SpdyHeaderBlock header_list;
-  header_list[":path"] = "/";
-
-  QpackEncoder encoder(&decoder_stream_error_delegate_,
-                       &encoder_stream_sender_delegate_);
-  auto progressive_encoder =
-      encoder.EncodeHeaderList(/* stream_id = */ 1, &header_list);
-  EXPECT_TRUE(progressive_encoder->HasNext());
-
-  // This indexed header field takes exactly three bytes:
-  // two for the prefix, one for the indexed static entry.
-  std::string output;
-  progressive_encoder->Next(3, &output);
-
-  EXPECT_EQ(QuicTextUtils::HexDecode("0000c1"), output);
-  EXPECT_FALSE(progressive_encoder->HasNext());
-}
-
-TEST_P(QpackEncoderTest, DecoderStreamError) {
+TEST_F(QpackEncoderTest, DecoderStreamError) {
   EXPECT_CALL(decoder_stream_error_delegate_,
               OnDecoderStreamError(Eq("Encoded integer too large.")));
 
@@ -162,7 +135,7 @@ TEST_P(QpackEncoderTest, DecoderStreamError) {
       QuicTextUtils::HexDecode("ffffffffffffffffffffff"));
 }
 
-TEST_P(QpackEncoderTest, SplitAlongNullCharacter) {
+TEST_F(QpackEncoderTest, SplitAlongNullCharacter) {
   spdy::SpdyHeaderBlock header_list;
   header_list["foo"] = QuicStringPiece("bar\0bar\0baz", 11);
   std::string output = Encode(&header_list);
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.cc
index dd1ccb31256..d91d3d13d5e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.cc
@@ -10,28 +10,7 @@ namespace quic {
 namespace test {
 
 void NoopDecoderStreamErrorDelegate::OnDecoderStreamError(
-    QuicStringPiece error_message) {}
-
-void NoopEncoderStreamSenderDelegate::WriteEncoderStreamData(
-    QuicStringPiece data) {}
-
-std::string QpackEncode(
-    QpackEncoder::DecoderStreamErrorDelegate* decoder_stream_error_delegate,
-    QpackEncoderStreamSender::Delegate* encoder_stream_sender_delegate,
-    const FragmentSizeGenerator& fragment_size_generator,
-    const spdy::SpdyHeaderBlock* header_list) {
-  QpackEncoder encoder(decoder_stream_error_delegate,
-                       encoder_stream_sender_delegate);
-  auto progressive_encoder =
-      encoder.EncodeHeaderList(/* stream_id = */ 1, header_list);
-
-  std::string output;
-  while (progressive_encoder->HasNext()) {
-    progressive_encoder->Next(fragment_size_generator(), &output);
-  }
-
-  return output;
-}
+    QuicStringPiece /*error_message*/) {}
 
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h
index 3c9b404a1d4..b1103dae6c3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h
@@ -34,30 +34,6 @@ class MockDecoderStreamErrorDelegate
   MOCK_METHOD1(OnDecoderStreamError, void(QuicStringPiece error_message));
 };
 
-// QpackEncoderStreamSender::Delegate implementation that does nothing.
-class NoopEncoderStreamSenderDelegate
-    : public QpackEncoderStreamSender::Delegate {
- public:
-  ~NoopEncoderStreamSenderDelegate() override = default;
-
-  void WriteEncoderStreamData(QuicStringPiece data) override;
-};
-
-// Mock QpackEncoderStreamSender::Delegate implementation.
-class MockEncoderStreamSenderDelegate
-    : public QpackEncoderStreamSender::Delegate {
- public:
-  ~MockEncoderStreamSenderDelegate() override = default;
-
-  MOCK_METHOD1(WriteEncoderStreamData, void(QuicStringPiece data));
-};
-
-std::string QpackEncode(
-    QpackEncoder::DecoderStreamErrorDelegate* decoder_stream_error_delegate,
-    QpackEncoderStreamSender::Delegate* encoder_stream_sender_delegate,
-    const FragmentSizeGenerator& fragment_size_generator,
-    const spdy::SpdyHeaderBlock* header_list);
-
 }  // namespace test
 }  // namespace quic
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.cc
index 01943301c66..6fa64125a1a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.cc
@@ -9,16 +9,6 @@
 
 namespace quic {
 
-namespace {
-
-const uint64_t kEntrySizeOverhead = 32;
-
-uint64_t EntrySize(QuicStringPiece name, QuicStringPiece value) {
-  return name.size() + value.size() + kEntrySizeOverhead;
-}
-
-}  // anonymous namespace
-
 QpackHeaderTable::QpackHeaderTable()
     : static_entries_(ObtainQpackStaticTable().GetStaticEntries()),
       static_index_(ObtainQpackStaticTable().GetStaticIndex()),
@@ -102,7 +92,7 @@ QpackHeaderTable::MatchType QpackHeaderTable::FindHeaderField(
 
 const QpackEntry* QpackHeaderTable::InsertEntry(QuicStringPiece name,
                                                 QuicStringPiece value) {
-  const uint64_t entry_size = EntrySize(name, value);
+  const uint64_t entry_size = QpackEntry::Size(name, value);
   if (entry_size > dynamic_table_capacity_) {
     return nullptr;
   }
@@ -140,6 +130,14 @@ const QpackEntry* QpackHeaderTable::InsertEntry(QuicStringPiece name,
     CHECK(result.second);
   }
 
+  // Notify and deregister observers whose threshold is met, if any.
+  while (!observers_.empty() &&
+         observers_.top().required_insert_count <= inserted_entry_count()) {
+    Observer* observer = observers_.top().observer;
+    observers_.pop();
+    observer->OnInsertCountReachedThreshold();
+  }
+
   return new_entry;
 }
 
@@ -169,12 +167,23 @@ void QpackHeaderTable::SetMaximumDynamicTableCapacity(
   max_entries_ = maximum_dynamic_table_capacity / 32;
 }
 
+void QpackHeaderTable::RegisterObserver(Observer* observer,
+                                        uint64_t required_insert_count) {
+  DCHECK_GT(required_insert_count, 0u);
+  observers_.push({observer, required_insert_count});
+}
+
+bool QpackHeaderTable::ObserverWithThreshold::operator>(
+    const ObserverWithThreshold& other) const {
+  return required_insert_count > other.required_insert_count;
+}
+
 void QpackHeaderTable::EvictDownToCurrentCapacity() {
   while (dynamic_table_size_ > dynamic_table_capacity_) {
     DCHECK(!dynamic_entries_.empty());
 
     QpackEntry* const entry = &dynamic_entries_.front();
-    const uint64_t entry_size = EntrySize(entry->name(), entry->value());
+    const uint64_t entry_size = entry->Size();
 
     DCHECK_GE(dynamic_table_size_, entry_size);
     dynamic_table_size_ -= entry_size;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h
index eda7ab525a2..39d7326758b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h
@@ -6,6 +6,9 @@
 #define QUICHE_QUIC_CORE_QPACK_QPACK_HEADER_TABLE_H_
 
 #include <cstdint>
+#include <functional>
+#include <queue>
+#include <vector>
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
@@ -30,6 +33,17 @@ class QUIC_EXPORT_PRIVATE QpackHeaderTable {
   // Result of header table lookup.
   enum class MatchType { kNameAndValue, kName, kNoMatch };
 
+  // Observer interface for dynamic table insertion.
+  class Observer {
+   public:
+    virtual ~Observer() = default;
+
+    // Called when inserted_entry_count() reaches the threshold the Observer was
+    // registered with.  After this call the Observer automatically gets
+    // deregistered.
+    virtual void OnInsertCountReachedThreshold() = 0;
+  };
+
   QpackHeaderTable();
   QpackHeaderTable(const QpackHeaderTable&) = delete;
   QpackHeaderTable& operator=(const QpackHeaderTable&) = delete;
@@ -68,6 +82,11 @@ class QUIC_EXPORT_PRIVATE QpackHeaderTable {
   // This method must only be called at most once.
   void SetMaximumDynamicTableCapacity(uint64_t maximum_dynamic_table_capacity);
 
+  // Register an observer to be notified when inserted_entry_count() reaches
+  // |required_insert_count|.  After the notification, |observer| automatically
+  // gets unregistered.
+  void RegisterObserver(Observer* observer, uint64_t required_insert_count);
+
   // Used on request streams to encode and decode Required Insert Count.
   uint64_t max_entries() const { return max_entries_; }
 
@@ -137,6 +156,22 @@ class QUIC_EXPORT_PRIVATE QpackHeaderTable {
 
   // The number of entries dropped from the dynamic table.
   uint64_t dropped_entry_count_;
+
+  // Data structure to hold an Observer and its threshold.
+  struct ObserverWithThreshold {
+    Observer* observer;
+    uint64_t required_insert_count;
+    bool operator>(const ObserverWithThreshold& other) const;
+  };
+
+  // Use std::greater so that entry with smallest |required_insert_count|
+  // is on top.
+  using ObserverHeap = std::priority_queue<ObserverWithThreshold,
+                                           std::vector<ObserverWithThreshold>,
+                                           std::greater<ObserverWithThreshold>>;
+
+  // Observers waiting to be notified.
+  ObserverHeap observers_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table_test.cc
index 6f9009d8aa4..ff7ef48d4fc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table_test.cc
@@ -9,12 +9,22 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_entry.h"
 
+using ::testing::Mock;
+using ::testing::StrictMock;
+
 namespace quic {
 namespace test {
 namespace {
 
 const uint64_t kMaximumDynamicTableCapacityForTesting = 1024 * 1024;
 
+class MockObserver : public QpackHeaderTable::Observer {
+ public:
+  ~MockObserver() override = default;
+
+  MOCK_METHOD0(OnInsertCountReachedThreshold, void());
+};
+
 class QpackHeaderTableTest : public QuicTest {
  protected:
   QpackHeaderTableTest() {
@@ -78,6 +88,11 @@ class QpackHeaderTableTest : public QuicTest {
     return table_.SetDynamicTableCapacity(capacity);
   }
 
+  void RegisterObserver(QpackHeaderTable::Observer* observer,
+                        uint64_t required_insert_count) {
+    table_.RegisterObserver(observer, required_insert_count);
+  }
+
   uint64_t max_entries() const { return table_.max_entries(); }
   uint64_t inserted_entry_count() const {
     return table_.inserted_entry_count();
@@ -350,6 +365,45 @@ TEST_F(QpackHeaderTableTest, EvictOldestOfSameName) {
               /* expected_is_static = */ false, 2u);
 }
 
+TEST_F(QpackHeaderTableTest, Observer) {
+  StrictMock<MockObserver> observer1;
+  RegisterObserver(&observer1, 1);
+  EXPECT_CALL(observer1, OnInsertCountReachedThreshold);
+  InsertEntry("foo", "bar");
+  EXPECT_EQ(1u, inserted_entry_count());
+  Mock::VerifyAndClearExpectations(&observer1);
+
+  // Registration order does not matter.
+  StrictMock<MockObserver> observer2;
+  StrictMock<MockObserver> observer3;
+  RegisterObserver(&observer3, 3);
+  RegisterObserver(&observer2, 2);
+
+  EXPECT_CALL(observer2, OnInsertCountReachedThreshold);
+  InsertEntry("foo", "bar");
+  EXPECT_EQ(2u, inserted_entry_count());
+  Mock::VerifyAndClearExpectations(&observer3);
+
+  EXPECT_CALL(observer3, OnInsertCountReachedThreshold);
+  InsertEntry("foo", "bar");
+  EXPECT_EQ(3u, inserted_entry_count());
+  Mock::VerifyAndClearExpectations(&observer2);
+
+  // Multiple observers with identical |required_insert_count| should all be
+  // notified.
+  StrictMock<MockObserver> observer4;
+  StrictMock<MockObserver> observer5;
+  RegisterObserver(&observer4, 4);
+  RegisterObserver(&observer5, 4);
+
+  EXPECT_CALL(observer4, OnInsertCountReachedThreshold);
+  EXPECT_CALL(observer5, OnInsertCountReachedThreshold);
+  InsertEntry("foo", "bar");
+  EXPECT_EQ(4u, inserted_entry_count());
+  Mock::VerifyAndClearExpectations(&observer4);
+  Mock::VerifyAndClearExpectations(&observer5);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.cc
index 2076fa7c990..187894d374e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.cc
@@ -7,6 +7,7 @@
 #include <algorithm>
 #include <utility>
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 
 namespace quic {
@@ -172,6 +173,9 @@ size_t QpackInstructionDecoder::DoVarintStart(QuicStringPiece data) {
     case http2::DecodeStatus::kDecodeError:
       OnError("Encoded integer too large.");
       return bytes_consumed;
+    default:
+      QUIC_BUG << "Unknown decode status " << status;
+      return bytes_consumed;
   }
 }
 
@@ -197,6 +201,9 @@ size_t QpackInstructionDecoder::DoVarintResume(QuicStringPiece data) {
     case http2::DecodeStatus::kDecodeError:
       OnError("Encoded integer too large.");
       return bytes_consumed;
+    default:
+      QUIC_BUG << "Unknown decode status " << status;
+      return bytes_consumed;
   }
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc
index 3ae38f65697..5845a748ffc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc
@@ -4,22 +4,22 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h"
 
+#include <limits>
+
 #include "net/third_party/quiche/src/http2/hpack/huffman/hpack_huffman_encoder.h"
+#include "net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_utils.h"
 
 namespace quic {
 
 QpackInstructionEncoder::QpackInstructionEncoder()
-    : s_bit_(false),
-      varint_(0),
-      varint2_(0),
-      byte_(0),
-      state_(State::kOpcode),
-      instruction_(nullptr) {}
+    : byte_(0), state_(State::kOpcode), instruction_(nullptr) {}
 
-void QpackInstructionEncoder::Encode(const QpackInstruction* instruction) {
-  DCHECK(!HasNext());
+void QpackInstructionEncoder::Encode(const QpackInstruction* instruction,
+                                     const Values& values,
+                                     std::string* output) {
+  DCHECK(instruction);
 
   state_ = State::kOpcode;
   instruction_ = instruction;
@@ -27,20 +27,8 @@ void QpackInstructionEncoder::Encode(const QpackInstruction* instruction) {
 
   // Field list must not be empty.
   DCHECK(field_ != instruction_->fields.end());
-}
-
-bool QpackInstructionEncoder::HasNext() const {
-  return instruction_ && (field_ != instruction_->fields.end());
-}
-
-void QpackInstructionEncoder::Next(size_t max_encoded_bytes,
-                                   std::string* output) {
-  DCHECK(HasNext());
-  DCHECK_NE(0u, max_encoded_bytes);
-
-  while (max_encoded_bytes > 0 && HasNext()) {
-    size_t encoded_bytes = 0;
 
+  do {
     switch (state_) {
       case State::kOpcode:
         DoOpcode();
@@ -49,25 +37,21 @@ void QpackInstructionEncoder::Next(size_t max_encoded_bytes,
         DoStartField();
         break;
       case State::kSbit:
-        DoStaticBit();
+        DoSBit(values.s_bit);
         break;
-      case State::kVarintStart:
-        encoded_bytes = DoVarintStart(max_encoded_bytes, output);
-        break;
-      case State::kVarintResume:
-        encoded_bytes = DoVarintResume(max_encoded_bytes, output);
+      case State::kVarintEncode:
+        DoVarintEncode(values.varint, values.varint2, output);
         break;
       case State::kStartString:
-        DoStartString();
+        DoStartString(values.name, values.value);
         break;
       case State::kWriteString:
-        encoded_bytes = DoWriteString(max_encoded_bytes, output);
+        DoWriteString(output);
         break;
     }
+  } while (field_ != instruction_->fields.end());
 
-    DCHECK_LE(encoded_bytes, max_encoded_bytes);
-    max_encoded_bytes -= encoded_bytes;
-  }
+  DCHECK(state_ == State::kStartField);
 }
 
 void QpackInstructionEncoder::DoOpcode() {
@@ -85,7 +69,7 @@ void QpackInstructionEncoder::DoStartField() {
       return;
     case QpackInstructionFieldType::kVarint:
     case QpackInstructionFieldType::kVarint2:
-      state_ = State::kVarintStart;
+      state_ = State::kVarintEncode;
       return;
     case QpackInstructionFieldType::kName:
     case QpackInstructionFieldType::kValue:
@@ -94,10 +78,10 @@ void QpackInstructionEncoder::DoStartField() {
   }
 }
 
-void QpackInstructionEncoder::DoStaticBit() {
+void QpackInstructionEncoder::DoSBit(bool s_bit) {
   DCHECK(field_->type == QpackInstructionFieldType::kSbit);
 
-  if (s_bit_) {
+  if (s_bit) {
     DCHECK_EQ(0, byte_ & field_->param);
 
     byte_ |= field_->param;
@@ -107,81 +91,47 @@ void QpackInstructionEncoder::DoStaticBit() {
   state_ = State::kStartField;
 }
 
-size_t QpackInstructionEncoder::DoVarintStart(size_t max_encoded_bytes,
-                                              std::string* output) {
+void QpackInstructionEncoder::DoVarintEncode(uint64_t varint,
+                                             uint64_t varint2,
+                                             std::string* output) {
   DCHECK(field_->type == QpackInstructionFieldType::kVarint ||
          field_->type == QpackInstructionFieldType::kVarint2 ||
          field_->type == QpackInstructionFieldType::kName ||
          field_->type == QpackInstructionFieldType::kValue);
-  DCHECK(!varint_encoder_.IsEncodingInProgress());
-
   uint64_t integer_to_encode;
   switch (field_->type) {
     case QpackInstructionFieldType::kVarint:
-      integer_to_encode = varint_;
+      integer_to_encode = varint;
       break;
     case QpackInstructionFieldType::kVarint2:
-      integer_to_encode = varint2_;
+      integer_to_encode = varint2;
       break;
     default:
       integer_to_encode = string_to_write_.size();
       break;
   }
 
-  output->push_back(
-      varint_encoder_.StartEncoding(byte_, field_->param, integer_to_encode));
+  http2::HpackVarintEncoder::Encode(byte_, field_->param, integer_to_encode,
+                                    output);
   byte_ = 0;
 
-  if (varint_encoder_.IsEncodingInProgress()) {
-    state_ = State::kVarintResume;
-    return 1;
-  }
-
-  if (field_->type == QpackInstructionFieldType::kVarint ||
-      field_->type == QpackInstructionFieldType::kVarint2) {
-    ++field_;
-    state_ = State::kStartField;
-    return 1;
-  }
-
-  state_ = State::kWriteString;
-  return 1;
-}
-
-size_t QpackInstructionEncoder::DoVarintResume(size_t max_encoded_bytes,
-                                               std::string* output) {
-  DCHECK(field_->type == QpackInstructionFieldType::kVarint ||
-         field_->type == QpackInstructionFieldType::kVarint2 ||
-         field_->type == QpackInstructionFieldType::kName ||
-         field_->type == QpackInstructionFieldType::kValue);
-  DCHECK(varint_encoder_.IsEncodingInProgress());
-
-  const size_t encoded_bytes =
-      varint_encoder_.ResumeEncoding(max_encoded_bytes, output);
-  if (varint_encoder_.IsEncodingInProgress()) {
-    DCHECK_EQ(encoded_bytes, max_encoded_bytes);
-    return encoded_bytes;
-  }
-
-  DCHECK_LE(encoded_bytes, max_encoded_bytes);
-
   if (field_->type == QpackInstructionFieldType::kVarint ||
       field_->type == QpackInstructionFieldType::kVarint2) {
     ++field_;
     state_ = State::kStartField;
-    return encoded_bytes;
+    return;
   }
 
   state_ = State::kWriteString;
-  return encoded_bytes;
 }
 
-void QpackInstructionEncoder::DoStartString() {
+void QpackInstructionEncoder::DoStartString(QuicStringPiece name,
+                                            QuicStringPiece value) {
   DCHECK(field_->type == QpackInstructionFieldType::kName ||
          field_->type == QpackInstructionFieldType::kValue);
 
   string_to_write_ =
-      (field_->type == QpackInstructionFieldType::kName) ? name_ : value_;
+      (field_->type == QpackInstructionFieldType::kName) ? name : value;
   http2::HuffmanEncode(string_to_write_, &huffman_encoded_string_);
 
   if (huffman_encoded_string_.size() < string_to_write_.size()) {
@@ -191,27 +141,17 @@ void QpackInstructionEncoder::DoStartString() {
     string_to_write_ = huffman_encoded_string_;
   }
 
-  state_ = State::kVarintStart;
+  state_ = State::kVarintEncode;
 }
 
-size_t QpackInstructionEncoder::DoWriteString(size_t max_encoded_bytes,
-                                              std::string* output) {
+void QpackInstructionEncoder::DoWriteString(std::string* output) {
   DCHECK(field_->type == QpackInstructionFieldType::kName ||
          field_->type == QpackInstructionFieldType::kValue);
 
-  if (max_encoded_bytes < string_to_write_.size()) {
-    const size_t encoded_bytes = max_encoded_bytes;
-    QuicStrAppend(output, string_to_write_.substr(0, encoded_bytes));
-    string_to_write_ = string_to_write_.substr(encoded_bytes);
-    return encoded_bytes;
-  }
-
-  const size_t encoded_bytes = string_to_write_.size();
   QuicStrAppend(output, string_to_write_);
 
   ++field_;
   state_ = State::kStartField;
-  return encoded_bytes;
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h
index 917378ed8f3..1ca52e667ec 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h
@@ -5,11 +5,9 @@
 #ifndef QUICHE_QUIC_CORE_QPACK_QPACK_INSTRUCTION_ENCODER_H_
 #define QUICHE_QUIC_CORE_QPACK_QPACK_INSTRUCTION_ENCODER_H_
 
-#include <cstddef>
 #include <cstdint>
 #include <string>
 
-#include "net/third_party/quiche/src/http2/hpack/varint/hpack_varint_encoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
@@ -21,31 +19,24 @@ namespace quic {
 // fields that follow each instruction.
 class QUIC_EXPORT_PRIVATE QpackInstructionEncoder {
  public:
+  // Storage for field values to be encoded.
+  // The encoded instruction determines which values are actually used.
+  struct Values {
+    bool s_bit;
+    uint64_t varint;
+    uint64_t varint2;
+    QuicStringPiece name;
+    QuicStringPiece value;
+  };
+
   QpackInstructionEncoder();
   QpackInstructionEncoder(const QpackInstructionEncoder&) = delete;
   QpackInstructionEncoder& operator=(const QpackInstructionEncoder&) = delete;
 
-  // Setters for values to be encoded.
-  // |name| and |value| must remain valid until the instruction is encoded.
-  void set_s_bit(bool s_bit) { s_bit_ = s_bit; }
-  void set_varint(uint64_t varint) { varint_ = varint; }
-  void set_varint2(uint64_t varint2) { varint2_ = varint2; }
-  void set_name(QuicStringPiece name) { name_ = name; }
-  void set_value(QuicStringPiece value) { value_ = value; }
-
-  // Start encoding an instruction.  Must only be called after the previous
-  // instruction has been completely encoded.
-  void Encode(const QpackInstruction* instruction);
-
-  // Returns true iff more data remains to be encoded for the current
-  // instruction.  Returns false if there is no current instruction, that is, if
-  // Encode() has never been called.
-  bool HasNext() const;
-
-  // Encodes the next up to |max_encoded_bytes| octets of the current
-  // instruction, appending to |output|.  Must only be called when HasNext()
-  // returns true.  |max_encoded_bytes| must be positive.
-  void Next(size_t max_encoded_bytes, std::string* output);
+  // Append encoded instruction to |output|.
+  void Encode(const QpackInstruction* instruction,
+              const Values& values,
+              std::string* output);
 
  private:
   enum class State {
@@ -55,11 +46,9 @@ class QUIC_EXPORT_PRIVATE QpackInstructionEncoder {
     kStartField,
     // Write static bit to |byte_|.
     kSbit,
-    // Start encoding an integer (|varint_| or |varint2_| or string length) with
-    // a prefix, using |byte_| for the high bits.
-    kVarintStart,
-    // Resume encoding an integer.
-    kVarintResume,
+    // Encode an integer (|varint_| or |varint2_| or string length) with a
+    // prefix, using |byte_| for the high bits.
+    kVarintEncode,
     // Determine if Huffman encoding should be used for |name_| or |value_|, set
     // up |name_| or |value_| and |huffman_encoded_string_| accordingly, and
     // write the Huffman bit to |byte_|.
@@ -68,24 +57,15 @@ class QUIC_EXPORT_PRIVATE QpackInstructionEncoder {
     kWriteString
   };
 
-  // One method for each state.  Some encode up to |max_encoded_bytes| octets,
-  // appending to |output|.  Some only change internal state.
+  // One method for each state.  Some append encoded bytes to |output|.
+  // Some only change internal state.
   void DoOpcode();
   void DoStartField();
-  void DoStaticBit();
-  size_t DoVarintStart(size_t max_encoded_bytes, std::string* output);
-  size_t DoVarintResume(size_t max_encoded_bytes, std::string* output);
-  void DoStartString();
-  size_t DoWriteString(size_t max_encoded_bytes, std::string* output);
+  void DoSBit(bool s_bit);
+  void DoVarintEncode(uint64_t varint, uint64_t varint2, std::string* output);
+  void DoStartString(QuicStringPiece name, QuicStringPiece value);
+  void DoWriteString(std::string* output);
 
-  // Storage for field values to be encoded.
-  bool s_bit_;
-  uint64_t varint_;
-  uint64_t varint2_;
-  // The caller must keep the string that |name_| and |value_| point to
-  // valid until they are encoded.
-  QuicStringPiece name_;
-  QuicStringPiece value_;
 
   // Storage for the Huffman encoded string literal to be written if Huffman
   // encoding is used.
@@ -108,9 +88,6 @@ class QUIC_EXPORT_PRIVATE QpackInstructionEncoder {
 
   // Field currently being decoded.
   QpackInstructionFields::const_iterator field_;
-
-  // Decoder instance for decoding integers.
-  http2::HpackVarintEncoder varint_encoder_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc
index 738a1b7bc9c..0d172cd6847 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc
@@ -4,7 +4,6 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h"
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
@@ -15,134 +14,141 @@ namespace quic {
 namespace test {
 namespace {
 
-class QpackInstructionEncoderTest : public QuicTestWithParam<FragmentMode> {
+class QpackInstructionEncoderTest : public QuicTest {
  protected:
-  QpackInstructionEncoderTest() : fragment_mode_(GetParam()) {}
+  QpackInstructionEncoderTest() : verified_position_(0) {}
   ~QpackInstructionEncoderTest() override = default;
 
-  // Encode |instruction| with fragment sizes dictated by |fragment_mode_|.
-  std::string EncodeInstruction(const QpackInstruction* instruction) {
-    EXPECT_FALSE(encoder_.HasNext());
-
-    FragmentSizeGenerator fragment_size_generator =
-        FragmentModeToFragmentSizeGenerator(fragment_mode_);
-    std::string output;
-    encoder_.Encode(instruction);
-    while (encoder_.HasNext()) {
-      encoder_.Next(fragment_size_generator(), &output);
-    }
-
-    return output;
+  // Append encoded |instruction| to |output_|.
+  void EncodeInstruction(const QpackInstruction* instruction,
+                         const QpackInstructionEncoder::Values& values) {
+    encoder_.Encode(instruction, values, &output_);
   }
 
-  QpackInstructionEncoder encoder_;
+  // Compare substring appended to |output_| since last EncodedSegmentMatches()
+  // call against hex-encoded argument.
+  bool EncodedSegmentMatches(QuicStringPiece hex_encoded_expected_substring) {
+    auto recently_encoded = QuicStringPiece(output_).substr(verified_position_);
+    auto expected = QuicTextUtils::HexDecode(hex_encoded_expected_substring);
+    verified_position_ = output_.size();
+    return recently_encoded == expected;
+  }
 
  private:
-  const FragmentMode fragment_mode_;
+  QpackInstructionEncoder encoder_;
+  std::string output_;
+  std::string::size_type verified_position_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
-                         QpackInstructionEncoderTest,
-                         Values(FragmentMode::kSingleChunk,
-                                FragmentMode::kOctetByOctet));
-
-TEST_P(QpackInstructionEncoderTest, Varint) {
+TEST_F(QpackInstructionEncoderTest, Varint) {
   const QpackInstruction instruction{QpackInstructionOpcode{0x00, 0x80},
                                      {{QpackInstructionFieldType::kVarint, 7}}};
 
-  encoder_.set_varint(5);
-  EXPECT_EQ(QuicTextUtils::HexDecode("05"), EncodeInstruction(&instruction));
+  QpackInstructionEncoder::Values values;
+  values.varint = 5;
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("05"));
 
-  encoder_.set_varint(127);
-  EXPECT_EQ(QuicTextUtils::HexDecode("7f00"), EncodeInstruction(&instruction));
+  values.varint = 127;
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("7f00"));
 }
 
-TEST_P(QpackInstructionEncoderTest, SBitAndTwoVarint2) {
+TEST_F(QpackInstructionEncoderTest, SBitAndTwoVarint2) {
   const QpackInstruction instruction{
       QpackInstructionOpcode{0x80, 0xc0},
       {{QpackInstructionFieldType::kSbit, 0x20},
        {QpackInstructionFieldType::kVarint, 5},
        {QpackInstructionFieldType::kVarint2, 8}}};
 
-  encoder_.set_s_bit(true);
-  encoder_.set_varint(5);
-  encoder_.set_varint2(200);
-  EXPECT_EQ(QuicTextUtils::HexDecode("a5c8"), EncodeInstruction(&instruction));
-
-  encoder_.set_s_bit(false);
-  encoder_.set_varint(31);
-  encoder_.set_varint2(356);
-  EXPECT_EQ(QuicTextUtils::HexDecode("9f00ff65"),
-            EncodeInstruction(&instruction));
+  QpackInstructionEncoder::Values values;
+  values.s_bit = true;
+  values.varint = 5;
+  values.varint2 = 200;
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("a5c8"));
+
+  values.s_bit = false;
+  values.varint = 31;
+  values.varint2 = 356;
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("9f00ff65"));
 }
 
-TEST_P(QpackInstructionEncoderTest, SBitAndVarintAndValue) {
+TEST_F(QpackInstructionEncoderTest, SBitAndVarintAndValue) {
   const QpackInstruction instruction{QpackInstructionOpcode{0xc0, 0xc0},
                                      {{QpackInstructionFieldType::kSbit, 0x20},
                                       {QpackInstructionFieldType::kVarint, 5},
                                       {QpackInstructionFieldType::kValue, 7}}};
 
-  encoder_.set_s_bit(true);
-  encoder_.set_varint(100);
-  encoder_.set_value("foo");
-  EXPECT_EQ(QuicTextUtils::HexDecode("ff458294e7"),
-            EncodeInstruction(&instruction));
-
-  encoder_.set_s_bit(false);
-  encoder_.set_varint(3);
-  encoder_.set_value("bar");
-  EXPECT_EQ(QuicTextUtils::HexDecode("c303626172"),
-            EncodeInstruction(&instruction));
+  QpackInstructionEncoder::Values values;
+  values.s_bit = true;
+  values.varint = 100;
+  values.value = "foo";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("ff458294e7"));
+
+  values.s_bit = false;
+  values.varint = 3;
+  values.value = "bar";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("c303626172"));
 }
 
-TEST_P(QpackInstructionEncoderTest, Name) {
+TEST_F(QpackInstructionEncoderTest, Name) {
   const QpackInstruction instruction{QpackInstructionOpcode{0xe0, 0xe0},
                                      {{QpackInstructionFieldType::kName, 4}}};
 
-  encoder_.set_name("");
-  EXPECT_EQ(QuicTextUtils::HexDecode("e0"), EncodeInstruction(&instruction));
+  QpackInstructionEncoder::Values values;
+  values.name = "";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("e0"));
 
-  encoder_.set_name("foo");
-  EXPECT_EQ(QuicTextUtils::HexDecode("f294e7"),
-            EncodeInstruction(&instruction));
+  values.name = "foo";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("f294e7"));
 
-  encoder_.set_name("bar");
-  EXPECT_EQ(QuicTextUtils::HexDecode("e3626172"),
-            EncodeInstruction(&instruction));
+  values.name = "bar";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("e3626172"));
 }
 
-TEST_P(QpackInstructionEncoderTest, Value) {
+TEST_F(QpackInstructionEncoderTest, Value) {
   const QpackInstruction instruction{QpackInstructionOpcode{0xf0, 0xf0},
                                      {{QpackInstructionFieldType::kValue, 3}}};
 
-  encoder_.set_value("");
-  EXPECT_EQ(QuicTextUtils::HexDecode("f0"), EncodeInstruction(&instruction));
+  QpackInstructionEncoder::Values values;
+  values.value = "";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("f0"));
 
-  encoder_.set_value("foo");
-  EXPECT_EQ(QuicTextUtils::HexDecode("fa94e7"),
-            EncodeInstruction(&instruction));
+  values.value = "foo";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("fa94e7"));
 
-  encoder_.set_value("bar");
-  EXPECT_EQ(QuicTextUtils::HexDecode("f3626172"),
-            EncodeInstruction(&instruction));
+  values.value = "bar";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("f3626172"));
 }
 
-TEST_P(QpackInstructionEncoderTest, SBitAndNameAndValue) {
+TEST_F(QpackInstructionEncoderTest, SBitAndNameAndValue) {
   const QpackInstruction instruction{QpackInstructionOpcode{0xf0, 0xf0},
                                      {{QpackInstructionFieldType::kSbit, 0x08},
                                       {QpackInstructionFieldType::kName, 2},
                                       {QpackInstructionFieldType::kValue, 7}}};
 
-  encoder_.set_s_bit(false);
-  encoder_.set_name("");
-  encoder_.set_value("");
-  EXPECT_EQ(QuicTextUtils::HexDecode("f000"), EncodeInstruction(&instruction));
-
-  encoder_.set_s_bit(true);
-  encoder_.set_name("foo");
-  encoder_.set_value("bar");
-  EXPECT_EQ(QuicTextUtils::HexDecode("fe94e703626172"),
-            EncodeInstruction(&instruction));
+  QpackInstructionEncoder::Values values;
+  values.s_bit = false;
+  values.name = "";
+  values.value = "";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("f000"));
+
+  values.s_bit = true;
+  values.name = "foo";
+  values.value = "bar";
+  EncodeInstruction(&instruction, values);
+  EXPECT_TRUE(EncodedSegmentMatches("fe94e703626172"));
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc
index 05a5fc03d8a..e364edc1484 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc
@@ -8,7 +8,7 @@
 #include <limits>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 
@@ -30,59 +30,10 @@ QpackProgressiveDecoder::QpackProgressiveDecoder(
       base_(0),
       required_insert_count_so_far_(0),
       prefix_decoded_(false),
+      blocked_(false),
       decoding_(true),
       error_detected_(false) {}
 
-// static
-bool QpackProgressiveDecoder::DecodeRequiredInsertCount(
-    uint64_t encoded_required_insert_count,
-    uint64_t max_entries,
-    uint64_t total_number_of_inserts,
-    uint64_t* required_insert_count) {
-  if (encoded_required_insert_count == 0) {
-    *required_insert_count = 0;
-    return true;
-  }
-
-  // |max_entries| is calculated by dividing an unsigned 64-bit integer by 32,
-  // precluding all calculations in this method from overflowing.
-  DCHECK_LE(max_entries, std::numeric_limits<uint64_t>::max() / 32);
-
-  if (encoded_required_insert_count > 2 * max_entries) {
-    return false;
-  }
-
-  *required_insert_count = encoded_required_insert_count - 1;
-  DCHECK_LT(*required_insert_count, std::numeric_limits<uint64_t>::max() / 16);
-
-  uint64_t current_wrapped = total_number_of_inserts % (2 * max_entries);
-  DCHECK_LT(current_wrapped, std::numeric_limits<uint64_t>::max() / 16);
-
-  if (current_wrapped >= *required_insert_count + max_entries) {
-    // Required Insert Count wrapped around 1 extra time.
-    *required_insert_count += 2 * max_entries;
-  } else if (current_wrapped + max_entries < *required_insert_count) {
-    // Decoder wrapped around 1 extra time.
-    current_wrapped += 2 * max_entries;
-  }
-
-  if (*required_insert_count >
-      std::numeric_limits<uint64_t>::max() - total_number_of_inserts) {
-    return false;
-  }
-
-  *required_insert_count += total_number_of_inserts;
-
-  // Prevent underflow, also disallow invalid value 0 for Required Insert Count.
-  if (current_wrapped >= *required_insert_count) {
-    return false;
-  }
-
-  *required_insert_count -= current_wrapped;
-
-  return true;
-}
-
 void QpackProgressiveDecoder::Decode(QuicStringPiece data) {
   DCHECK(decoding_);
 
@@ -93,45 +44,46 @@ void QpackProgressiveDecoder::Decode(QuicStringPiece data) {
   // Decode prefix byte by byte until the first (and only) instruction is
   // decoded.
   while (!prefix_decoded_) {
+    DCHECK(!blocked_);
+
     prefix_decoder_->Decode(data.substr(0, 1));
+    if (error_detected_) {
+      return;
+    }
+
     data = data.substr(1);
     if (data.empty()) {
       return;
     }
   }
 
-  instruction_decoder_.Decode(data);
+  if (blocked_) {
+    buffer_.append(data.data(), data.size());
+  } else {
+    DCHECK(buffer_.empty());
+
+    instruction_decoder_.Decode(data);
+  }
 }
 
 void QpackProgressiveDecoder::EndHeaderBlock() {
   DCHECK(decoding_);
   decoding_ = false;
 
-  if (error_detected_) {
-    return;
+  if (!blocked_) {
+    FinishDecoding();
   }
-
-  if (!instruction_decoder_.AtInstructionBoundary()) {
-    OnError("Incomplete header block.");
-    return;
-  }
-
-  if (!prefix_decoded_) {
-    OnError("Incomplete header data prefix.");
-    return;
-  }
-
-  if (required_insert_count_ != required_insert_count_so_far_) {
-    OnError("Required Insert Count too large.");
-    return;
-  }
-
-  decoder_stream_sender_->SendHeaderAcknowledgement(stream_id_);
-  handler_->OnDecodingCompleted();
 }
 
 bool QpackProgressiveDecoder::OnInstructionDecoded(
     const QpackInstruction* instruction) {
+  if (instruction == QpackPrefixInstruction()) {
+    return DoPrefixInstruction();
+  }
+
+  DCHECK(prefix_decoded_);
+  DCHECK_LE(required_insert_count_, header_table_->inserted_entry_count());
+
   if (instruction == QpackIndexedHeaderFieldInstruction()) {
     return DoIndexedHeaderFieldInstruction();
   }
@@ -144,11 +96,8 @@ bool QpackProgressiveDecoder::OnInstructionDecoded(
   if (instruction == QpackLiteralHeaderFieldPostBaseInstruction()) {
     return DoLiteralHeaderFieldPostBaseInstruction();
   }
-  if (instruction == QpackLiteralHeaderFieldInstruction()) {
-    return DoLiteralHeaderFieldInstruction();
-  }
-  DCHECK_EQ(instruction, QpackPrefixInstruction());
-  return DoPrefixInstruction();
+  DCHECK_EQ(instruction, QpackLiteralHeaderFieldInstruction());
+  return DoLiteralHeaderFieldInstruction();
 }
 
 void QpackProgressiveDecoder::OnError(QuicStringPiece error_message) {
@@ -158,6 +107,21 @@ void QpackProgressiveDecoder::OnError(QuicStringPiece error_message) {
   handler_->OnDecodingErrorDetected(error_message);
 }
 
+void QpackProgressiveDecoder::OnInsertCountReachedThreshold() {
+  DCHECK(blocked_);
+
+  if (!buffer_.empty()) {
+    instruction_decoder_.Decode(buffer_);
+    buffer_.clear();
+  }
+
+  blocked_ = false;
+
+  if (!decoding_) {
+    FinishDecoding();
+  }
+}
+
 bool QpackProgressiveDecoder::DoIndexedHeaderFieldInstruction() {
   if (!instruction_decoder_.s_bit()) {
     uint64_t absolute_index;
@@ -179,7 +143,7 @@ bool QpackProgressiveDecoder::DoIndexedHeaderFieldInstruction() {
     auto entry =
         header_table_->LookupEntry(/* is_static = */ false, absolute_index);
     if (!entry) {
-      OnError("Dynamic table entry not found.");
+      OnError("Dynamic table entry already evicted.");
       return false;
     }
 
@@ -218,7 +182,7 @@ bool QpackProgressiveDecoder::DoIndexedHeaderFieldPostBaseInstruction() {
   auto entry =
       header_table_->LookupEntry(/* is_static = */ false, absolute_index);
   if (!entry) {
-    OnError("Dynamic table entry not found.");
+    OnError("Dynamic table entry already evicted.");
     return false;
   }
 
@@ -247,7 +211,7 @@ bool QpackProgressiveDecoder::DoLiteralHeaderFieldNameReferenceInstruction() {
     auto entry =
         header_table_->LookupEntry(/* is_static = */ false, absolute_index);
     if (!entry) {
-      OnError("Dynamic table entry not found.");
+      OnError("Dynamic table entry already evicted.");
       return false;
     }
 
@@ -286,7 +250,7 @@ bool QpackProgressiveDecoder::DoLiteralHeaderFieldPostBaseInstruction() {
   auto entry =
       header_table_->LookupEntry(/* is_static = */ false, absolute_index);
   if (!entry) {
-    OnError("Dynamic table entry not found.");
+    OnError("Dynamic table entry already evicted.");
     return false;
   }
 
@@ -304,7 +268,7 @@ bool QpackProgressiveDecoder::DoLiteralHeaderFieldInstruction() {
 bool QpackProgressiveDecoder::DoPrefixInstruction() {
   DCHECK(!prefix_decoded_);
 
-  if (!DecodeRequiredInsertCount(
+  if (!QpackDecodeRequiredInsertCount(
           prefix_decoder_->varint(), header_table_->max_entries(),
           header_table_->inserted_entry_count(), &required_insert_count_)) {
     OnError("Error decoding Required Insert Count.");
@@ -320,9 +284,42 @@ bool QpackProgressiveDecoder::DoPrefixInstruction() {
 
   prefix_decoded_ = true;
 
+  if (required_insert_count_ > header_table_->inserted_entry_count()) {
+    blocked_ = true;
+    header_table_->RegisterObserver(this, required_insert_count_);
+  }
+
   return true;
 }
 
+void QpackProgressiveDecoder::FinishDecoding() {
+  DCHECK(buffer_.empty());
+  DCHECK(!blocked_);
+  DCHECK(!decoding_);
+
+  if (error_detected_) {
+    return;
+  }
+
+  if (!instruction_decoder_.AtInstructionBoundary()) {
+    OnError("Incomplete header block.");
+    return;
+  }
+
+  if (!prefix_decoded_) {
+    OnError("Incomplete header data prefix.");
+    return;
+  }
+
+  if (required_insert_count_ != required_insert_count_so_far_) {
+    OnError("Required Insert Count too large.");
+    return;
+  }
+
+  decoder_stream_sender_->SendHeaderAcknowledgement(stream_id_);
+  handler_->OnDecodingCompleted();
+}
+
 bool QpackProgressiveDecoder::DeltaBaseToBase(bool sign,
                                               uint64_t delta_base,
                                               uint64_t* base) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h
index 52adf45b236..3abf4279fa2 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h
@@ -11,6 +11,7 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
@@ -22,7 +23,8 @@ class QpackHeaderTable;
 
 // Class to decode a single header block.
 class QUIC_EXPORT_PRIVATE QpackProgressiveDecoder
-    : public QpackInstructionDecoder::Delegate {
+    : public QpackInstructionDecoder::Delegate,
+      public QpackHeaderTable::Observer {
  public:
   // Interface for receiving decoded header block from the decoder.
   class QUIC_EXPORT_PRIVATE HeadersHandlerInterface {
@@ -39,7 +41,7 @@ class QUIC_EXPORT_PRIVATE QpackProgressiveDecoder
     // The decoder will not access the handler after this call.
     // Note that this method might not be called synchronously when the header
     // block is received on the wire, in case decoding is blocked on receiving
-    // entries on the encoder stream.  TODO(bnc): Implement blocked decoding.
+    // entries on the encoder stream.
     virtual void OnDecodingCompleted() = 0;
 
     // Called when a decoding error has occurred.  No other methods will be
@@ -56,15 +58,6 @@ class QUIC_EXPORT_PRIVATE QpackProgressiveDecoder
   QpackProgressiveDecoder& operator=(const QpackProgressiveDecoder&) = delete;
   ~QpackProgressiveDecoder() override = default;
 
-  // Calculate Required Insert Count from Encoded Required Insert Count,
-  // MaxEntries, and total number of dynamic table insertions according to
-  // https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#ric.
-  // Returns true on success, false on invalid input or overflow/underflow.
-  static bool DecodeRequiredInsertCount(uint64_t encoded_required_insert_count,
-                                        uint64_t max_entries,
-                                        uint64_t total_number_of_inserts,
-                                        uint64_t* required_insert_count);
-
   // Provide a data fragment to decode.
   void Decode(QuicStringPiece data);
 
@@ -76,6 +69,9 @@ class QUIC_EXPORT_PRIVATE QpackProgressiveDecoder
   bool OnInstructionDecoded(const QpackInstruction* instruction) override;
   void OnError(QuicStringPiece error_message) override;
 
+  // QpackHeaderTable::Observer implementation.
+  void OnInsertCountReachedThreshold() override;
+
  private:
   bool DoIndexedHeaderFieldInstruction();
   bool DoIndexedHeaderFieldPostBaseInstruction();
@@ -84,6 +80,9 @@ class QUIC_EXPORT_PRIVATE QpackProgressiveDecoder
   bool DoLiteralHeaderFieldInstruction();
   bool DoPrefixInstruction();
 
+  // Called as soon as EndHeaderBlock() is called and decoding is not blocked.
+  void FinishDecoding();
+
   // Calculates Base from |required_insert_count_|, which must be set before
   // calling this method, and sign bit and Delta Base in the Header Data Prefix,
   // which are passed in as arguments.  Returns true on success, false on
@@ -110,7 +109,7 @@ class QUIC_EXPORT_PRIVATE QpackProgressiveDecoder
   std::unique_ptr<QpackInstructionDecoder> prefix_decoder_;
   QpackInstructionDecoder instruction_decoder_;
 
-  const QpackHeaderTable* const header_table_;
+  QpackHeaderTable* const header_table_;
   QpackDecoderStreamSender* const decoder_stream_sender_;
   HeadersHandlerInterface* const handler_;
 
@@ -128,6 +127,12 @@ class QUIC_EXPORT_PRIVATE QpackProgressiveDecoder
   // False until prefix is fully read and decoded.
   bool prefix_decoded_;
 
+  // True if waiting for dynamic table entries to arrive.
+  bool blocked_;
+
+  // Buffer the entire header block after the prefix while decoding is blocked.
+  std::string buffer_;
+
   // True until EndHeaderBlock() is called.
   bool decoding_;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.cc
deleted file mode 100644
index 731ec102866..00000000000
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.cc
+++ /dev/null
@@ -1,138 +0,0 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.h"
-
-#include <string>
-
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
-
-namespace quic {
-
-QpackProgressiveEncoder::QpackProgressiveEncoder(
-    QuicStreamId stream_id,
-    QpackHeaderTable* header_table,
-    QpackEncoderStreamSender* encoder_stream_sender,
-    const spdy::SpdyHeaderBlock* header_list)
-    : stream_id_(stream_id),
-      header_table_(header_table),
-      encoder_stream_sender_(encoder_stream_sender),
-      header_list_(header_list),
-      header_list_iterator_(header_list_.begin()),
-      prefix_encoded_(false) {
-  // TODO(bnc): Use |stream_id_| for dynamic table entry management, and
-  // remove this dummy DCHECK.
-  DCHECK_LE(0u, stream_id_);
-
-  DCHECK(header_table_);
-  DCHECK(encoder_stream_sender_);
-}
-
-bool QpackProgressiveEncoder::HasNext() const {
-  return header_list_iterator_ != header_list_.end() || !prefix_encoded_;
-}
-
-void QpackProgressiveEncoder::Next(size_t max_encoded_bytes,
-                                   std::string* output) {
-  DCHECK_NE(0u, max_encoded_bytes);
-  DCHECK(HasNext());
-
-  // Since QpackInstructionEncoder::Next() does not indicate the number of bytes
-  // written, save the maximum new size of |*output|.
-  const size_t max_length = output->size() + max_encoded_bytes;
-
-  DCHECK_LT(output->size(), max_length);
-
-  if (!prefix_encoded_ && !instruction_encoder_.HasNext()) {
-    // TODO(bnc): Implement dynamic entries and set Required Insert Count and
-    // Delta Base accordingly.
-    instruction_encoder_.set_varint(0);
-    instruction_encoder_.set_varint2(0);
-    instruction_encoder_.set_s_bit(false);
-
-    instruction_encoder_.Encode(QpackPrefixInstruction());
-
-    DCHECK(instruction_encoder_.HasNext());
-  }
-
-  do {
-    // Call QpackInstructionEncoder::Encode() for |*header_list_iterator_| if it
-    // has not been called yet.
-    if (!instruction_encoder_.HasNext()) {
-      DCHECK(prefix_encoded_);
-
-      // Even after |name| and |value| go out of scope, copies of these
-      // QuicStringPieces retained by QpackInstructionEncoder are still valid as
-      // long as |header_list_| is valid.
-      QuicStringPiece name = header_list_iterator_->first;
-      QuicStringPiece value = header_list_iterator_->second;
-
-      // |is_static| and |index| are saved by QpackInstructionEncoder by value,
-      // there are no lifetime concerns.
-      bool is_static;
-      uint64_t index;
-
-      auto match_type =
-          header_table_->FindHeaderField(name, value, &is_static, &index);
-
-      switch (match_type) {
-        case QpackHeaderTable::MatchType::kNameAndValue:
-          DCHECK(is_static) << "Dynamic table entries not supported yet.";
-
-          instruction_encoder_.set_s_bit(is_static);
-          instruction_encoder_.set_varint(index);
-
-          instruction_encoder_.Encode(QpackIndexedHeaderFieldInstruction());
-
-          break;
-        case QpackHeaderTable::MatchType::kName:
-          DCHECK(is_static) << "Dynamic table entries not supported yet.";
-
-          instruction_encoder_.set_s_bit(is_static);
-          instruction_encoder_.set_varint(index);
-          instruction_encoder_.set_value(value);
-
-          instruction_encoder_.Encode(
-              QpackLiteralHeaderFieldNameReferenceInstruction());
-
-          break;
-        case QpackHeaderTable::MatchType::kNoMatch:
-          instruction_encoder_.set_name(name);
-          instruction_encoder_.set_value(value);
-
-          instruction_encoder_.Encode(QpackLiteralHeaderFieldInstruction());
-
-          break;
-      }
-    }
-
-    DCHECK(instruction_encoder_.HasNext());
-
-    instruction_encoder_.Next(max_length - output->size(), output);
-
-    if (instruction_encoder_.HasNext()) {
-      // There was not enough room to completely encode current header field.
-      DCHECK_EQ(output->size(), max_length);
-
-      return;
-    }
-
-    // It is possible that the output buffer was just large enough for encoding
-    // the current header field, hence equality is allowed here.
-    DCHECK_LE(output->size(), max_length);
-
-    if (prefix_encoded_) {
-      // Move on to the next header field.
-      ++header_list_iterator_;
-    } else {
-      // Mark prefix as encoded.
-      prefix_encoded_ = true;
-    }
-  } while (HasNext() && output->size() < max_length);
-}
-
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.h
deleted file mode 100644
index 98a3cfeacea..00000000000
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_encoder.h
+++ /dev/null
@@ -1,60 +0,0 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_PROGRESSIVE_ENCODER_H_
-#define QUICHE_QUIC_CORE_QPACK_QPACK_PROGRESSIVE_ENCODER_H_
-
-#include <cstddef>
-
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h"
-#include "net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h"
-#include "net/third_party/quiche/src/quic/core/quic_types.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
-#include "net/third_party/quiche/src/spdy/core/hpack/hpack_encoder.h"
-#include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
-
-namespace quic {
-
-class QpackHeaderTable;
-
-// An implementation of ProgressiveEncoder interface that encodes a single
-// header block.
-class QUIC_EXPORT_PRIVATE QpackProgressiveEncoder
-    : public spdy::HpackEncoder::ProgressiveEncoder {
- public:
-  QpackProgressiveEncoder() = delete;
-  // |header_table|, |encoder_stream_sender|, and |header_list| must all outlive
-  // this object.
-  QpackProgressiveEncoder(QuicStreamId stream_id,
-                          QpackHeaderTable* header_table,
-                          QpackEncoderStreamSender* encoder_stream_sender,
-                          const spdy::SpdyHeaderBlock* header_list);
-  QpackProgressiveEncoder(const QpackProgressiveEncoder&) = delete;
-  QpackProgressiveEncoder& operator=(const QpackProgressiveEncoder&) = delete;
-  ~QpackProgressiveEncoder() override = default;
-
-  // Returns true iff more remains to encode.
-  bool HasNext() const override;
-
-  // Encodes up to |max_encoded_bytes| octets, appending to |output|.
-  void Next(size_t max_encoded_bytes, std::string* output) override;
-
- private:
-  const QuicStreamId stream_id_;
-  QpackInstructionEncoder instruction_encoder_;
-  const QpackHeaderTable* const header_table_;
-  QpackEncoderStreamSender* const encoder_stream_sender_;
-  const ValueSplittingHeaderList header_list_;
-
-  // Header field currently being encoded.
-  ValueSplittingHeaderList::const_iterator header_list_iterator_;
-
-  // False until prefix is fully encoded.
-  bool prefix_encoded_;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_PROGRESSIVE_ENCODER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.cc
new file mode 100644
index 00000000000..d5f35fb901c
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.cc
@@ -0,0 +1,21 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.h"
+
+#include "net/third_party/quiche/src/quic/core/quic_session.h"
+
+namespace quic {
+QpackReceiveStream::QpackReceiveStream(PendingStream* pending)
+    : QuicStream(pending, READ_UNIDIRECTIONAL, /*is_static=*/true) {}
+
+void QpackReceiveStream::OnStreamReset(const QuicRstStreamFrame& /*frame*/) {
+  // TODO(renjietang) Change the error code to H/3 specific
+  // HTTP_CLOSED_CRITICAL_STREAM.
+  session()->connection()->CloseConnection(
+      QUIC_INVALID_STREAM_ID, "Attempt to reset Qpack receive stream",
+      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.h
new file mode 100644
index 00000000000..db18f7c6462
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.h
@@ -0,0 +1,37 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_RECEIVE_STREAM_H_
+#define QUICHE_QUIC_CORE_QPACK_QPACK_RECEIVE_STREAM_H_
+
+#include "net/third_party/quiche/src/quic/core/quic_stream.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
+namespace quic {
+
+class QuicSession;
+
+// QPACK 4.2.1 Encoder and Decoder Streams.
+// The QPACK receive stream is peer initiated and is read only.
+class QUIC_EXPORT_PRIVATE QpackReceiveStream : public QuicStream {
+ public:
+  // Construct receive stream from pending stream, the |pending| object needs
+  // to be deleted after the construction.
+  explicit QpackReceiveStream(PendingStream* pending);
+  QpackReceiveStream(const QpackReceiveStream&) = delete;
+  QpackReceiveStream& operator=(const QpackReceiveStream&) = delete;
+  ~QpackReceiveStream() override = default;
+
+  // Overriding QuicStream::OnStreamReset to make sure QPACK stream is never
+  // closed before connection.
+  void OnStreamReset(const QuicRstStreamFrame& frame) override;
+
+  // Implementation of QuicStream. Unimplemented yet.
+  // TODO(bnc): Feed data to QPACK.
+  void OnDataAvailable() override {}
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_RECEIVE_STREAM_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream_test.cc
new file mode 100644
index 00000000000..121043fc576
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream_test.cc
@@ -0,0 +1,91 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.h"
+
+#include "net/third_party/quiche/src/quic/core/quic_utils.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+
+namespace quic {
+namespace test {
+
+namespace {
+using ::testing::_;
+using ::testing::StrictMock;
+
+struct TestParams {
+  TestParams(const ParsedQuicVersion& version, Perspective perspective)
+      : version(version), perspective(perspective) {
+    QUIC_LOG(INFO) << "TestParams: version: "
+                   << ParsedQuicVersionToString(version)
+                   << ", perspective: " << perspective;
+  }
+
+  TestParams(const TestParams& other)
+      : version(other.version), perspective(other.perspective) {}
+
+  ParsedQuicVersion version;
+  Perspective perspective;
+};
+
+std::vector<TestParams> GetTestParams() {
+  std::vector<TestParams> params;
+  ParsedQuicVersionVector all_supported_versions = AllSupportedVersions();
+  for (const auto& version : AllSupportedVersions()) {
+    if (!VersionHasStreamType(version.transport_version)) {
+      continue;
+    }
+    for (Perspective p : {Perspective::IS_SERVER, Perspective::IS_CLIENT}) {
+      params.emplace_back(version, p);
+    }
+  }
+  return params;
+}
+
+class QpackReceiveStreamTest : public QuicTestWithParam<TestParams> {
+ public:
+  QpackReceiveStreamTest()
+      : connection_(new StrictMock<MockQuicConnection>(
+            &helper_,
+            &alarm_factory_,
+            perspective(),
+            SupportedVersions(GetParam().version))),
+        session_(connection_) {
+    session_.Initialize();
+    PendingStream* pending =
+        new PendingStream(QuicUtils::GetFirstUnidirectionalStreamId(
+                              GetParam().version.transport_version,
+                              QuicUtils::InvertPerspective(perspective())),
+                          &session_);
+    qpack_receive_stream_ = QuicMakeUnique<QpackReceiveStream>(pending);
+    delete pending;
+  }
+
+  Perspective perspective() const { return GetParam().perspective; }
+
+  MockQuicConnectionHelper helper_;
+  MockAlarmFactory alarm_factory_;
+  StrictMock<MockQuicConnection>* connection_;
+  StrictMock<MockQuicSpdySession> session_;
+  std::unique_ptr<QpackReceiveStream> qpack_receive_stream_;
+};
+
+INSTANTIATE_TEST_SUITE_P(Tests,
+                         QpackReceiveStreamTest,
+                         ::testing::ValuesIn(GetTestParams()));
+
+TEST_P(QpackReceiveStreamTest, ResetQpackReceiveStream) {
+  EXPECT_TRUE(qpack_receive_stream_->is_static());
+  QuicRstStreamFrame rst_frame(kInvalidControlFrameId,
+                               qpack_receive_stream_->id(),
+                               QUIC_STREAM_CANCELLED, 1234);
+  EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_STREAM_ID, _, _));
+  qpack_receive_stream_->OnStreamReset(rst_frame);
+}
+
+}  // namespace
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.cc
new file mode 100644
index 00000000000..22541e6ee07
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.cc
@@ -0,0 +1,70 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h"
+
+#include <limits>
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+
+namespace quic {
+
+uint64_t QpackEncodeRequiredInsertCount(uint64_t required_insert_count,
+                                        uint64_t max_entries) {
+  if (required_insert_count == 0) {
+    return 0;
+  }
+
+  return required_insert_count % (2 * max_entries) + 1;
+}
+
+bool QpackDecodeRequiredInsertCount(uint64_t encoded_required_insert_count,
+                                    uint64_t max_entries,
+                                    uint64_t total_number_of_inserts,
+                                    uint64_t* required_insert_count) {
+  if (encoded_required_insert_count == 0) {
+    *required_insert_count = 0;
+    return true;
+  }
+
+  // |max_entries| is calculated by dividing an unsigned 64-bit integer by 32,
+  // precluding all calculations in this method from overflowing.
+  DCHECK_LE(max_entries, std::numeric_limits<uint64_t>::max() / 32);
+
+  if (encoded_required_insert_count > 2 * max_entries) {
+    return false;
+  }
+
+  *required_insert_count = encoded_required_insert_count - 1;
+  DCHECK_LT(*required_insert_count, std::numeric_limits<uint64_t>::max() / 16);
+
+  uint64_t current_wrapped = total_number_of_inserts % (2 * max_entries);
+  DCHECK_LT(current_wrapped, std::numeric_limits<uint64_t>::max() / 16);
+
+  if (current_wrapped >= *required_insert_count + max_entries) {
+    // Required Insert Count wrapped around 1 extra time.
+    *required_insert_count += 2 * max_entries;
+  } else if (current_wrapped + max_entries < *required_insert_count) {
+    // Decoder wrapped around 1 extra time.
+    current_wrapped += 2 * max_entries;
+  }
+
+  if (*required_insert_count >
+      std::numeric_limits<uint64_t>::max() - total_number_of_inserts) {
+    return false;
+  }
+
+  *required_insert_count += total_number_of_inserts;
+
+  // Prevent underflow, also disallow invalid value 0 for Required Insert Count.
+  if (current_wrapped >= *required_insert_count) {
+    return false;
+  }
+
+  *required_insert_count -= current_wrapped;
+
+  return true;
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h
new file mode 100644
index 00000000000..7f489bcdf3c
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h
@@ -0,0 +1,33 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QPACK_REQUIRED_INSERT_COUNT_H_
+#define QUICHE_QUIC_CORE_QPACK_REQUIRED_INSERT_COUNT_H_
+
+#include <cstdint>
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
+namespace quic {
+
+// Calculate Encoded Required Insert Count from Required Insert Count and
+// MaxEntries according to
+// https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#ric.
+QUIC_EXPORT_PRIVATE uint64_t
+QpackEncodeRequiredInsertCount(uint64_t required_insert_count,
+                               uint64_t max_entries);
+
+// Calculate Required Insert Count from Encoded Required Insert Count,
+// MaxEntries, and total number of dynamic table insertions according to
+// https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#ric.  Returns true
+// on success, false on invalid input or overflow/underflow.
+QUIC_EXPORT_PRIVATE bool QpackDecodeRequiredInsertCount(
+    uint64_t encoded_required_insert_count,
+    uint64_t max_entries,
+    uint64_t total_number_of_inserts,
+    uint64_t* required_insert_count);
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QPACK_REQUIRED_INSERT_COUNT_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count_test.cc
index b3067023b97..a84548d7606 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count_test.cc
@@ -1,8 +1,8 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h"
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
@@ -11,6 +11,16 @@ namespace quic {
 namespace test {
 namespace {
 
+TEST(QpackRequiredInsertCountTest, QpackEncodeRequiredInsertCount) {
+  EXPECT_EQ(0u, QpackEncodeRequiredInsertCount(0, 0));
+  EXPECT_EQ(0u, QpackEncodeRequiredInsertCount(0, 8));
+  EXPECT_EQ(0u, QpackEncodeRequiredInsertCount(0, 1024));
+
+  EXPECT_EQ(2u, QpackEncodeRequiredInsertCount(1, 8));
+  EXPECT_EQ(5u, QpackEncodeRequiredInsertCount(20, 8));
+  EXPECT_EQ(7u, QpackEncodeRequiredInsertCount(106, 10));
+}
+
 // For testing valid decodings, the Encoded Required Insert Count is calculated
 // from Required Insert Count, so that there is an expected value to compare
 // the decoded value against, and so that intricate inequalities can be
@@ -39,16 +49,7 @@ struct {
     {401, 100, 500},
     {600, 100, 500}};
 
-uint64_t EncodeRequiredInsertCount(uint64_t required_insert_count,
-                                   uint64_t max_entries) {
-  if (required_insert_count == 0) {
-    return 0;
-  }
-
-  return required_insert_count % (2 * max_entries) + 1;
-}
-
-TEST(QpackProgressiveDecoderTest, DecodeRequiredInsertCount) {
+TEST(QpackRequiredInsertCountTest, QpackDecodeRequiredInsertCount) {
   for (size_t i = 0; i < QUIC_ARRAYSIZE(kTestData); ++i) {
     const uint64_t required_insert_count = kTestData[i].required_insert_count;
     const uint64_t max_entries = kTestData[i].max_entries;
@@ -71,13 +72,13 @@ TEST(QpackProgressiveDecoderTest, DecodeRequiredInsertCount) {
     }
 
     uint64_t encoded_required_insert_count =
-        EncodeRequiredInsertCount(required_insert_count, max_entries);
+        QpackEncodeRequiredInsertCount(required_insert_count, max_entries);
 
     // Initialize to a value different from the expected output to confirm that
-    // DecodeRequiredInsertCount() modifies the value of
+    // QpackDecodeRequiredInsertCount() modifies the value of
     // |decoded_required_insert_count|.
     uint64_t decoded_required_insert_count = required_insert_count + 1;
-    EXPECT_TRUE(QpackProgressiveDecoder::DecodeRequiredInsertCount(
+    EXPECT_TRUE(QpackDecodeRequiredInsertCount(
         encoded_required_insert_count, max_entries, total_number_of_inserts,
         &decoded_required_insert_count))
         << i;
@@ -107,10 +108,10 @@ struct {
     {400, 100, 500},
     {601, 100, 500}};
 
-TEST(QpackProgressiveDecoderTest, DecodeRequiredInsertCountError) {
+TEST(QpackRequiredInsertCountTest, DecodeRequiredInsertCountError) {
   for (size_t i = 0; i < QUIC_ARRAYSIZE(kInvalidTestData); ++i) {
     uint64_t decoded_required_insert_count = 0;
-    EXPECT_FALSE(QpackProgressiveDecoder::DecodeRequiredInsertCount(
+    EXPECT_FALSE(QpackDecodeRequiredInsertCount(
         kInvalidTestData[i].encoded_required_insert_count,
         kInvalidTestData[i].max_entries,
         kInvalidTestData[i].total_number_of_inserts,
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc
index 45ad667f0d0..1e9de2d7651 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc
@@ -8,6 +8,7 @@
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
@@ -19,29 +20,25 @@ namespace quic {
 namespace test {
 namespace {
 
-class QpackRoundTripTest
-    : public QuicTestWithParam<std::tuple<FragmentMode, FragmentMode>> {
+class QpackRoundTripTest : public QuicTestWithParam<FragmentMode> {
  public:
-  QpackRoundTripTest()
-      : encoding_fragment_mode_(std::get<0>(GetParam())),
-        decoding_fragment_mode_(std::get<1>(GetParam())) {}
+  QpackRoundTripTest() = default;
   ~QpackRoundTripTest() override = default;
 
   spdy::SpdyHeaderBlock EncodeThenDecode(
       const spdy::SpdyHeaderBlock& header_list) {
     NoopDecoderStreamErrorDelegate decoder_stream_error_delegate;
-    NoopEncoderStreamSenderDelegate encoder_stream_sender_delegate;
-    std::string encoded_header_block = QpackEncode(
-        &decoder_stream_error_delegate, &encoder_stream_sender_delegate,
-        FragmentModeToFragmentSizeGenerator(encoding_fragment_mode_),
-        &header_list);
+    NoopQpackStreamSenderDelegate encoder_stream_sender_delegate;
+    QpackEncoder encoder(&decoder_stream_error_delegate,
+                         &encoder_stream_sender_delegate);
+    std::string encoded_header_block =
+        encoder.EncodeHeaderList(/* stream_id = */ 1, &header_list);
 
     TestHeadersHandler handler;
     NoopEncoderStreamErrorDelegate encoder_stream_error_delegate;
-    NoopDecoderStreamSenderDelegate decoder_stream_sender_delegate;
+    NoopQpackStreamSenderDelegate decoder_stream_sender_delegate;
     QpackDecode(&encoder_stream_error_delegate, &decoder_stream_sender_delegate,
-                &handler,
-                FragmentModeToFragmentSizeGenerator(decoding_fragment_mode_),
+                &handler, FragmentModeToFragmentSizeGenerator(GetParam()),
                 encoded_header_block);
 
     EXPECT_TRUE(handler.decoding_completed());
@@ -49,17 +46,12 @@ class QpackRoundTripTest
 
     return handler.ReleaseHeaderList();
   }
-
- private:
-  const FragmentMode encoding_fragment_mode_;
-  const FragmentMode decoding_fragment_mode_;
 };
 
-INSTANTIATE_TEST_SUITE_P(
-    ,
-    QpackRoundTripTest,
-    Combine(Values(FragmentMode::kSingleChunk, FragmentMode::kOctetByOctet),
-            Values(FragmentMode::kSingleChunk, FragmentMode::kOctetByOctet)));
+INSTANTIATE_TEST_SUITE_P(,
+                         QpackRoundTripTest,
+                         Values(FragmentMode::kSingleChunk,
+                                FragmentMode::kOctetByOctet));
 
 TEST_P(QpackRoundTripTest, Empty) {
   spdy::SpdyHeaderBlock header_list;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.cc
new file mode 100644
index 00000000000..34bba650a83
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.cc
@@ -0,0 +1,39 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.h"
+
+#include "net/third_party/quiche/src/quic/core/quic_session.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
+
+namespace quic {
+QpackSendStream::QpackSendStream(QuicStreamId id,
+                                 QuicSession* session,
+                                 uint64_t http3_stream_type)
+    : QuicStream(id, session, /*is_static = */ true, WRITE_UNIDIRECTIONAL),
+      http3_stream_type_(http3_stream_type),
+      stream_type_sent_(false) {}
+
+void QpackSendStream::OnStreamReset(const QuicRstStreamFrame& /*frame*/) {
+  // TODO(renjietang) Change the error code to H/3 specific
+  // HTTP_CLOSED_CRITICAL_STREAM.
+  session()->connection()->CloseConnection(
+      QUIC_INVALID_STREAM_ID, "Attempt to reset qpack send stream",
+      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+}
+
+void QpackSendStream::WriteStreamData(QuicStringPiece data) {
+  QuicConnection::ScopedPacketFlusher flusher(session()->connection());
+  if (!stream_type_sent_) {
+    char type[sizeof(http3_stream_type_)];
+    QuicDataWriter writer(QUIC_ARRAYSIZE(type), type);
+    writer.WriteVarInt62(http3_stream_type_);
+    WriteOrBufferData(QuicStringPiece(writer.data(), writer.length()), false,
+                      nullptr);
+    stream_type_sent_ = true;
+  }
+  WriteOrBufferData(data, false, nullptr);
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.h
new file mode 100644
index 00000000000..136a7cc56b2
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.h
@@ -0,0 +1,52 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_SEND_STREAM_H_
+#define QUICHE_QUIC_CORE_QPACK_QPACK_SEND_STREAM_H_
+
+#include <cstdint>
+
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h"
+#include "net/third_party/quiche/src/quic/core/quic_stream.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+
+namespace quic {
+
+class QuicSession;
+
+// QPACK 4.2.1 Encoder and Decoder Streams.
+// The QPACK send stream is self initiated and is write only.
+class QUIC_EXPORT_PRIVATE QpackSendStream : public QuicStream,
+                                            public QpackStreamSenderDelegate {
+ public:
+  // |session| can't be nullptr, and the ownership is not passed. |session| owns
+  // this stream.
+  QpackSendStream(QuicStreamId id,
+                  QuicSession* session,
+                  uint64_t http3_stream_type);
+  QpackSendStream(const QpackSendStream&) = delete;
+  QpackSendStream& operator=(const QpackSendStream&) = delete;
+  ~QpackSendStream() override = default;
+
+  // Overriding QuicStream::OnStreamReset to make sure QPACK stream is
+  // never closed before connection.
+  void OnStreamReset(const QuicRstStreamFrame& frame) override;
+
+  // The send QPACK stream is write unidirectional, so this method
+  // should never be called.
+  void OnDataAvailable() override { QUIC_NOTREACHED(); }
+
+  // Writes the instructions to peer. The stream type will be sent
+  // before the first instruction so that the peer can open an qpack stream.
+  void WriteStreamData(QuicStringPiece data) override;
+
+ private:
+  const uint64_t http3_stream_type_;
+  bool stream_type_sent_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_SEND_STREAM_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream_test.cc
new file mode 100644
index 00000000000..46037c95442
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_send_stream_test.cc
@@ -0,0 +1,111 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.h"
+
+#include "net/third_party/quiche/src/quic/core/http/http_constants.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+
+namespace quic {
+namespace test {
+
+namespace {
+using ::testing::_;
+using ::testing::Invoke;
+using ::testing::StrictMock;
+
+struct TestParams {
+  TestParams(const ParsedQuicVersion& version, Perspective perspective)
+      : version(version), perspective(perspective) {
+    QUIC_LOG(INFO) << "TestParams: version: "
+                   << ParsedQuicVersionToString(version)
+                   << ", perspective: " << perspective;
+  }
+
+  TestParams(const TestParams& other)
+      : version(other.version), perspective(other.perspective) {}
+
+  ParsedQuicVersion version;
+  Perspective perspective;
+};
+
+std::vector<TestParams> GetTestParams() {
+  std::vector<TestParams> params;
+  ParsedQuicVersionVector all_supported_versions = AllSupportedVersions();
+  for (const auto& version : AllSupportedVersions()) {
+    if (!VersionHasStreamType(version.transport_version)) {
+      continue;
+    }
+    for (Perspective p : {Perspective::IS_SERVER, Perspective::IS_CLIENT}) {
+      params.emplace_back(version, p);
+    }
+  }
+  return params;
+}
+
+class QpackSendStreamTest : public QuicTestWithParam<TestParams> {
+ public:
+  QpackSendStreamTest()
+      : connection_(new StrictMock<MockQuicConnection>(
+            &helper_,
+            &alarm_factory_,
+            perspective(),
+            SupportedVersions(GetParam().version))),
+        session_(connection_) {
+    session_.Initialize();
+    qpack_send_stream_ = QuicMakeUnique<QpackSendStream>(
+        QuicSpdySessionPeer::GetNextOutgoingUnidirectionalStreamId(&session_),
+        &session_, kQpackEncoderStream);
+    ON_CALL(session_, WritevData(_, _, _, _, _))
+        .WillByDefault(Invoke(MockQuicSession::ConsumeData));
+  }
+
+  Perspective perspective() const { return GetParam().perspective; }
+
+  MockQuicConnectionHelper helper_;
+  MockAlarmFactory alarm_factory_;
+  StrictMock<MockQuicConnection>* connection_;
+  StrictMock<MockQuicSpdySession> session_;
+  std::unique_ptr<QpackSendStream> qpack_send_stream_;
+};
+
+INSTANTIATE_TEST_SUITE_P(Tests,
+                         QpackSendStreamTest,
+                         ::testing::ValuesIn(GetTestParams()));
+
+TEST_P(QpackSendStreamTest, WriteStreamTypeOnlyFirstTime) {
+  if (GetParam().version.handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
+  std::string data = "data";
+  EXPECT_CALL(session_, WritevData(_, _, 1, _, _));
+  EXPECT_CALL(session_, WritevData(_, _, data.length(), _, _));
+  qpack_send_stream_->WriteStreamData(QuicStringPiece(data));
+
+  EXPECT_CALL(session_, WritevData(_, _, data.length(), _, _));
+  qpack_send_stream_->WriteStreamData(QuicStringPiece(data));
+}
+
+TEST_P(QpackSendStreamTest, ResetQpackStream) {
+  QuicRstStreamFrame rst_frame(kInvalidControlFrameId, qpack_send_stream_->id(),
+                               QUIC_STREAM_CANCELLED, 1234);
+  EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_STREAM_ID, _, _));
+  qpack_send_stream_->OnStreamReset(rst_frame);
+}
+
+TEST_P(QpackSendStreamTest, ReceiveDataOnSendStream) {
+  QuicStreamFrame frame(qpack_send_stream_->id(), false, 0, "test");
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(QUIC_DATA_RECEIVED_ON_WRITE_UNIDIRECTIONAL_STREAM, _, _));
+  qpack_send_stream_->OnStreamFrame(frame);
+}
+
+}  // namespace
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_stream_receiver.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_stream_receiver.h
new file mode 100644
index 00000000000..48f5aa30f4a
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_stream_receiver.h
@@ -0,0 +1,24 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_STREAM_RECEIVER_H_
+#define QUICHE_QUIC_CORE_QPACK_QPACK_STREAM_RECEIVER_H_
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+
+namespace quic {
+
+// This interface decodes QPACK data that are received on a QpackReceiveStream.
+class QUIC_EXPORT_PRIVATE QpackStreamReceiver {
+ public:
+  virtual ~QpackStreamReceiver() = default;
+
+  // Decode data.
+  virtual void Decode(QuicStringPiece data) = 0;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_STREAM_RECEIVER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h
new file mode 100644
index 00000000000..616df98b9db
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h
@@ -0,0 +1,24 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_STREAM_SENDER_DELEGATE_H_
+#define QUICHE_QUIC_CORE_QPACK_QPACK_STREAM_SENDER_DELEGATE_H_
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+
+namespace quic {
+
+// This interface writes encoder/decoder data to peer.
+class QUIC_EXPORT_PRIVATE QpackStreamSenderDelegate {
+ public:
+  virtual ~QpackStreamSenderDelegate() = default;
+
+  // Write data on the unidirectional stream.
+  virtual void WriteStreamData(QuicStringPiece data) = 0;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_STREAM_SENDER_DELEGATE_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h
index 65bb5a20ded..42fa383a3ea 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h
@@ -8,6 +8,9 @@
 #include <cstddef>
 #include <functional>
 
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+
 namespace quic {
 namespace test {
 
@@ -23,6 +26,14 @@ enum class FragmentMode {
 FragmentSizeGenerator FragmentModeToFragmentSizeGenerator(
     FragmentMode fragment_mode);
 
+// Mock QpackUnidirectionalStreamSenderDelegate implementation.
+class MockQpackStreamSenderDelegate : public QpackStreamSenderDelegate {
+ public:
+  ~MockQpackStreamSenderDelegate() override = default;
+
+  MOCK_METHOD1(WriteStreamData, void(QuicStringPiece data));
+};
+
 }  // namespace test
 }  // namespace quic
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_utils.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_utils.h
new file mode 100644
index 00000000000..1b63422d4ac
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_utils.h
@@ -0,0 +1,23 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_UTILS_H_
+#define QUICHE_QUIC_CORE_QPACK_QPACK_UTILS_H_
+
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h"
+
+namespace quic {
+// TODO(renjietang): Move this class to qpack_test_utils.h once it is not needed
+// in QuicSpdySession.
+class QUIC_EXPORT_PRIVATE NoopQpackStreamSenderDelegate
+    : public QpackStreamSenderDelegate {
+ public:
+  ~NoopQpackStreamSenderDelegate() override = default;
+
+  void WriteStreamData(QuicStringPiece /*data*/) override {}
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_UTILS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.cc
index d8a0ee81766..c1387b99881 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.cc
@@ -5,6 +5,14 @@
 #include "net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h"
 
 namespace quic {
+namespace {
+
+const char kCookieKey[] = "cookie";
+const char kCookieSeparator = ';';
+const char kOptionalSpaceAfterCookieSeparator = ' ';
+const char kNonCookieSeparator = '\0';
+
+}  // namespace
 
 ValueSplittingHeaderList::const_iterator::const_iterator(
     const spdy::SpdyHeaderBlock* header_list,
@@ -59,15 +67,24 @@ void ValueSplittingHeaderList::const_iterator::UpdateHeaderField() {
   }
 
   const QuicStringPiece name = header_list_iterator_->first;
+  const QuicStringPiece original_value = header_list_iterator_->second;
 
-  value_end_ = header_list_iterator_->second.find('\0', value_start_);
-  const QuicStringPiece::size_type value_length =
-      value_end_ == QuicStringPiece::npos ? QuicStringPiece::npos
-                                          : value_end_ - value_start_;
-  const QuicStringPiece value =
-      header_list_iterator_->second.substr(value_start_, value_length);
+  if (name == kCookieKey) {
+    value_end_ = original_value.find(kCookieSeparator, value_start_);
+  } else {
+    value_end_ = original_value.find(kNonCookieSeparator, value_start_);
+  }
 
+  const QuicStringPiece value =
+      original_value.substr(value_start_, value_end_ - value_start_);
   header_field_ = std::make_pair(name, value);
+
+  // Skip character after ';' separator if it is a space.
+  if (name == kCookieKey && value_end_ != QuicStringPiece::npos &&
+      value_end_ + 1 < original_value.size() &&
+      original_value[value_end_ + 1] == kOptionalSpaceAfterCookieSeparator) {
+    ++value_end_;
+  }
 }
 
 ValueSplittingHeaderList::ValueSplittingHeaderList(
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h b/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h
index 8d994aeff6d..fee30434af0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h
@@ -11,8 +11,9 @@
 
 namespace quic {
 
-// A wrapper class around SpdyHeaderBlock that splits header values along '\0'
-// characters.
+// A wrapper class around SpdyHeaderBlock that splits header values along ';'
+// separators (while also removing optional space following separator) for
+// cookies and along '\0' separators for other header fields.
 class QUIC_EXPORT_PRIVATE ValueSplittingHeaderList {
  public:
   using value_type = spdy::SpdyHeaderBlock::value_type;
@@ -34,7 +35,7 @@ class QUIC_EXPORT_PRIVATE ValueSplittingHeaderList {
     const value_type* operator->() const;
 
    private:
-    // Find next '\0' character; update |value_end_| and |header_field_|.
+    // Find next separator; update |value_end_| and |header_field_|.
     void UpdateHeaderField();
 
     const spdy::SpdyHeaderBlock* const header_list_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc
index 9ece65d9673..03a5eb03def 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc
@@ -4,6 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h"
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 
 namespace quic {
@@ -17,10 +18,11 @@ TEST(ValueSplittingHeaderListTest, Comparison) {
   spdy::SpdyHeaderBlock block;
   block["foo"] = QuicStringPiece("bar\0baz", 7);
   block["baz"] = "qux";
+  block["cookie"] = "foo; bar";
 
   ValueSplittingHeaderList headers(&block);
   ValueSplittingHeaderList::const_iterator it1 = headers.begin();
-  const int kEnd = 4;
+  const int kEnd = 6;
   for (int i = 0; i < kEnd; ++i) {
     // Compare to begin().
     if (i == 0) {
@@ -73,47 +75,75 @@ TEST(ValueSplittingHeaderListTest, Empty) {
   EXPECT_EQ(headers.begin(), headers.end());
 }
 
-TEST(ValueSplittingHeaderListTest, Simple) {
-  spdy::SpdyHeaderBlock block;
-  block["foo"] = "bar";
-  block["baz"] = "qux";
-
-  ValueSplittingHeaderList headers(&block);
-  EXPECT_THAT(headers, ElementsAre(Pair("foo", "bar"), Pair("baz", "qux")));
-  EXPECT_NE(headers.begin(), headers.end());
-}
-
-TEST(ValueSplittingHeaderListTest, EmptyValue) {
-  spdy::SpdyHeaderBlock block;
-  block["foo"] = "";
-
-  ValueSplittingHeaderList headers(&block);
-  EXPECT_THAT(headers, ElementsAre(Pair("foo", "")));
+struct {
+  const char* name;
+  QuicStringPiece value;
+  std::vector<const char*> expected_values;
+} kTestData[]{
+    // Empty value.
+    {"foo", "", {""}},
+    // Trivial case.
+    {"foo", "bar", {"bar"}},
+    // Simple split.
+    {"foo", {"bar\0baz", 7}, {"bar", "baz"}},
+    {"cookie", "foo;bar", {"foo", "bar"}},
+    {"cookie", "foo; bar", {"foo", "bar"}},
+    // Empty fragments with \0 separator.
+    {"foo", {"\0", 1}, {"", ""}},
+    {"bar", {"foo\0", 4}, {"foo", ""}},
+    {"baz", {"\0bar", 4}, {"", "bar"}},
+    {"qux", {"\0foobar\0", 8}, {"", "foobar", ""}},
+    // Empty fragments with ";" separator.
+    {"cookie", ";", {"", ""}},
+    {"cookie", "foo;", {"foo", ""}},
+    {"cookie", ";bar", {"", "bar"}},
+    {"cookie", ";foobar;", {"", "foobar", ""}},
+    // Empty fragments with "; " separator.
+    {"cookie", "; ", {"", ""}},
+    {"cookie", "foo; ", {"foo", ""}},
+    {"cookie", "; bar", {"", "bar"}},
+    {"cookie", "; foobar; ", {"", "foobar", ""}},
+};
+
+TEST(ValueSplittingHeaderListTest, Split) {
+  for (size_t i = 0; i < QUIC_ARRAYSIZE(kTestData); ++i) {
+    spdy::SpdyHeaderBlock block;
+    block[kTestData[i].name] = kTestData[i].value;
+
+    ValueSplittingHeaderList headers(&block);
+    auto it = headers.begin();
+    for (const char* expected_value : kTestData[i].expected_values) {
+      ASSERT_NE(it, headers.end());
+      EXPECT_EQ(it->first, kTestData[i].name);
+      EXPECT_EQ(it->second, expected_value);
+      ++it;
+    }
+    EXPECT_EQ(it, headers.end());
+  }
 }
 
-TEST(ValueSplittingHeaderListTest, SimpleSplit) {
+TEST(ValueSplittingHeaderListTest, MultipleFields) {
   spdy::SpdyHeaderBlock block;
-  block["foo"] = QuicStringPiece("bar\0baz", 7);
-  block["baz"] = QuicStringPiece("foo\0foo", 7);
+  block["foo"] = QuicStringPiece("bar\0baz\0", 8);
+  block["cookie"] = "foo; bar";
+  block["bar"] = QuicStringPiece("qux\0foo", 7);
 
   ValueSplittingHeaderList headers(&block);
   EXPECT_THAT(headers, ElementsAre(Pair("foo", "bar"), Pair("foo", "baz"),
-                                   Pair("baz", "foo"), Pair("baz", "foo")));
+                                   Pair("foo", ""), Pair("cookie", "foo"),
+                                   Pair("cookie", "bar"), Pair("bar", "qux"),
+                                   Pair("bar", "foo")));
 }
 
-TEST(ValueSplittingHeaderListTest, EmptyFragments) {
+TEST(ValueSplittingHeaderListTest, CookieStartsWithSpace) {
   spdy::SpdyHeaderBlock block;
-  block["foo"] = QuicStringPiece("\0", 1);
-  block["bar"] = QuicStringPiece("foo\0", 4);
-  block["baz"] = QuicStringPiece("\0bar", 4);
-  block["qux"] = QuicStringPiece("\0foobar\0", 8);
+  block["foo"] = "bar";
+  block["cookie"] = " foo";
+  block["bar"] = "baz";
 
   ValueSplittingHeaderList headers(&block);
-  EXPECT_THAT(
-      headers,
-      ElementsAre(Pair("foo", ""), Pair("foo", ""), Pair("bar", "foo"),
-                  Pair("bar", ""), Pair("baz", ""), Pair("baz", "bar"),
-                  Pair("qux", ""), Pair("qux", "foobar"), Pair("qux", "")));
+  EXPECT_THAT(headers, ElementsAre(Pair("foo", "bar"), Pair("cookie", " foo"),
+                                   Pair("bar", "baz")));
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_bandwidth.h b/chromium/net/third_party/quiche/src/quic/core/quic_bandwidth.h
index a5bb30697bc..afd31b22e1b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_bandwidth.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_bandwidth.h
@@ -67,12 +67,12 @@ class QUIC_EXPORT_PRIVATE QuicBandwidth {
   inline int64_t ToKBytesPerSecond() const { return bits_per_second_ / 8000; }
 
   inline QuicByteCount ToBytesPerPeriod(QuicTime::Delta time_period) const {
-    return ToBytesPerSecond() * time_period.ToMicroseconds() /
+    return bits_per_second_ * time_period.ToMicroseconds() / 8 /
            kNumMicrosPerSecond;
   }
 
   inline int64_t ToKBytesPerPeriod(QuicTime::Delta time_period) const {
-    return ToKBytesPerSecond() * time_period.ToMicroseconds() /
+    return bits_per_second_ * time_period.ToMicroseconds() / 8000 /
            kNumMicrosPerSecond;
   }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_bandwidth_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_bandwidth_test.cc
index 22a510752bb..005eef07f8f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_bandwidth_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_bandwidth_test.cc
@@ -84,6 +84,13 @@ TEST_F(QuicBandwidthTest, BytesPerPeriod) {
                          QuicTime::Delta::FromMilliseconds(100)));
   EXPECT_EQ(200u, QuicBandwidth::FromKBytesPerSecond(2000).ToKBytesPerPeriod(
                       QuicTime::Delta::FromMilliseconds(100)));
+
+  // 1599 * 1001 = 1600599 bits/ms = 200.074875 bytes/s.
+  EXPECT_EQ(200u, QuicBandwidth::FromBitsPerSecond(1599).ToBytesPerPeriod(
+                      QuicTime::Delta::FromMilliseconds(1001)));
+
+  EXPECT_EQ(200u, QuicBandwidth::FromBitsPerSecond(1599).ToKBytesPerPeriod(
+                      QuicTime::Delta::FromSeconds(1001)));
 }
 
 TEST_F(QuicBandwidthTest, TransferTime) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_buffered_packet_store.cc b/chromium/net/third_party/quiche/src/quic/core/quic_buffered_packet_store.cc
index 463cdc4cbbc..e4dd2333255 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_buffered_packet_store.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_buffered_packet_store.cc
@@ -88,7 +88,7 @@ EnqueuePacketResult QuicBufferedPacketStore::EnqueuePacket(
     bool is_chlo,
     const std::string& alpn,
     const ParsedQuicVersion& version) {
-  QUIC_BUG_IF(!FLAGS_quic_allow_chlo_buffering)
+  QUIC_BUG_IF(!GetQuicFlag(FLAGS_quic_allow_chlo_buffering))
       << "Shouldn't buffer packets if disabled via flag.";
   QUIC_BUG_IF(is_chlo && QuicContainsKey(connections_with_chlo_, connection_id))
       << "Shouldn't buffer duplicated CHLO on connection " << connection_id;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_buffered_packet_store_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_buffered_packet_store_test.cc
index 466dffb913a..a00f2139d37 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_buffered_packet_store_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_buffered_packet_store_test.cc
@@ -36,7 +36,7 @@ class QuicBufferedPacketStoreVisitor
 
   ~QuicBufferedPacketStoreVisitor() override {}
 
-  void OnExpiredPackets(QuicConnectionId connection_id,
+  void OnExpiredPackets(QuicConnectionId /*connection_id*/,
                         BufferedPacketList early_arrived_packets) override {
     last_expired_packet_queue_ = std::move(early_arrived_packets);
   }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_config.cc b/chromium/net/third_party/quiche/src/quic/core/quic_config.cc
index 09148092165..e24e84b8e7d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_config.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_config.cc
@@ -170,7 +170,7 @@ void QuicFixedUint32::ToHandshakeMessage(CryptoHandshakeMessage* out) const {
 
 QuicErrorCode QuicFixedUint32::ProcessPeerHello(
     const CryptoHandshakeMessage& peer_hello,
-    HelloType hello_type,
+    HelloType /*hello_type*/,
     std::string* error_details) {
   DCHECK(error_details != nullptr);
   QuicErrorCode error = peer_hello.GetUint32(tag_, &receive_value_);
@@ -235,7 +235,7 @@ void QuicFixedUint128::ToHandshakeMessage(CryptoHandshakeMessage* out) const {
 
 QuicErrorCode QuicFixedUint128::ProcessPeerHello(
     const CryptoHandshakeMessage& peer_hello,
-    HelloType hello_type,
+    HelloType /*hello_type*/,
     std::string* error_details) {
   DCHECK(error_details != nullptr);
   QuicErrorCode error = peer_hello.GetUint128(tag_, &receive_value_);
@@ -305,7 +305,7 @@ void QuicFixedTagVector::ToHandshakeMessage(CryptoHandshakeMessage* out) const {
 
 QuicErrorCode QuicFixedTagVector::ProcessPeerHello(
     const CryptoHandshakeMessage& peer_hello,
-    HelloType hello_type,
+    HelloType /*hello_type*/,
     std::string* error_details) {
   DCHECK(error_details != nullptr);
   QuicTagVector values;
@@ -378,7 +378,7 @@ void QuicFixedSocketAddress::ToHandshakeMessage(
 
 QuicErrorCode QuicFixedSocketAddress::ProcessPeerHello(
     const CryptoHandshakeMessage& peer_hello,
-    HelloType hello_type,
+    HelloType /*hello_type*/,
     std::string* error_details) {
   QuicStringPiece address;
   if (!peer_hello.GetStringPiece(tag_, &address)) {
@@ -702,9 +702,9 @@ void QuicConfig::ToHandshakeMessage(
   silent_close_.ToHandshakeMessage(out);
   // Do not need a version check here, max...bi... will encode
   // as "MIDS" -- the max initial dynamic streams tag -- if
-  // doing some version other than IETF QUIC/V99.
+  // doing some version other than IETF QUIC.
   max_incoming_bidirectional_streams_.ToHandshakeMessage(out);
-  if (transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version)) {
     max_incoming_unidirectional_streams_.ToHandshakeMessage(out);
   }
   bytes_for_connection_id_.ToHandshakeMessage(out);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection.cc b/chromium/net/third_party/quiche/src/quic/core/quic_connection.cc
index 226a4ccf0eb..22ee18a7e8d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection.cc
@@ -19,7 +19,7 @@
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_utils.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
 #include "net/third_party/quiche/src/quic/core/quic_config.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
@@ -50,27 +50,9 @@ namespace {
 // Maximum number of consecutive sent nonretransmittable packets.
 const QuicPacketCount kMaxConsecutiveNonRetransmittablePackets = 19;
 
-// Maximum number of retransmittable packets received before sending an ack.
-const QuicPacketCount kDefaultRetransmittablePacketsBeforeAck = 2;
-// Minimum number of packets received before ack decimation is enabled.
-// This intends to avoid the beginning of slow start, when CWNDs may be
-// rapidly increasing.
-const QuicPacketCount kMinReceivedBeforeAckDecimation = 100;
-// Wait for up to 10 retransmittable packets before sending an ack.
-const QuicPacketCount kMaxRetransmittablePacketsBeforeAck = 10;
-// One quarter RTT delay when doing ack decimation.
-const float kAckDecimationDelay = 0.25;
-// One eighth RTT delay when doing ack decimation.
-const float kShortAckDecimationDelay = 0.125;
-
 // The minimum release time into future in ms.
 const int kMinReleaseTimeIntoFutureMs = 1;
 
-bool Near(QuicPacketNumber a, QuicPacketNumber b) {
-  QuicPacketCount delta = (a > b) ? a - b : b - a;
-  return delta <= kMaxPacketGap;
-}
-
 // An alarm that is scheduled to send an ack if a timeout occurs.
 class AckAlarmDelegate : public QuicAlarm::Delegate {
  public:
@@ -81,15 +63,12 @@ class AckAlarmDelegate : public QuicAlarm::Delegate {
 
   void OnAlarm() override {
     DCHECK(connection_->ack_frame_updated());
-    QuicConnection::ScopedPacketFlusher flusher(connection_,
-                                                QuicConnection::SEND_ACK);
-    if (connection_->packet_generator().deprecate_ack_bundling_mode()) {
-      if (connection_->SupportsMultiplePacketNumberSpaces()) {
-        connection_->SendAllPendingAcks();
-      } else {
-        DCHECK(!connection_->GetUpdatedAckFrame().ack_frame->packets.Empty());
-        connection_->SendAck();
-      }
+    QuicConnection::ScopedPacketFlusher flusher(connection_);
+    if (connection_->SupportsMultiplePacketNumberSpaces()) {
+      connection_->SendAllPendingAcks();
+    } else {
+      DCHECK(!connection_->GetUpdatedAckFrame().ack_frame->packets.Empty());
+      connection_->SendAck();
     }
   }
 
@@ -193,8 +172,7 @@ class ProcessUndecryptablePacketsAlarmDelegate : public QuicAlarm::Delegate {
       const ProcessUndecryptablePacketsAlarmDelegate&) = delete;
 
   void OnAlarm() override {
-    QuicConnection::ScopedPacketFlusher flusher(connection_,
-                                                QuicConnection::NO_ACK);
+    QuicConnection::ScopedPacketFlusher flusher(connection_);
     connection_->MaybeProcessUndecryptablePackets();
   }
 
@@ -213,6 +191,18 @@ bool PacketCanReplaceConnectionId(const QuicPacketHeader& header,
           header.long_packet_type == RETRY);
 }
 
+CongestionControlType GetDefaultCongestionControlType() {
+  if (GetQuicReloadableFlag(quic_default_to_bbr_v2)) {
+    return kBBRv2;
+  }
+
+  if (GetQuicReloadableFlag(quic_default_to_bbr)) {
+    return kBBR;
+  }
+
+  return kCubicBytes;
+}
+
 }  // namespace
 
 #define ENDPOINT \
@@ -243,6 +233,8 @@ QuicConnection::QuicConnection(
       clock_(helper->GetClock()),
       random_generator_(helper->GetRandomGenerator()),
       server_connection_id_(server_connection_id),
+      client_connection_id_(EmptyQuicConnectionId()),
+      client_connection_id_is_set_(false),
       peer_address_(initial_peer_address),
       direct_peer_address_(initial_peer_address),
       active_effective_peer_migration_type_(NO_CHANGE),
@@ -251,27 +243,15 @@ QuicConnection::QuicConnection(
       current_packet_data_(nullptr),
       last_decrypted_packet_level_(ENCRYPTION_INITIAL),
       should_last_packet_instigate_acks_(false),
-      was_last_packet_missing_(false),
       max_undecryptable_packets_(0),
-      max_tracked_packets_(kMaxTrackedPackets),
+      max_tracked_packets_(GetQuicFlag(FLAGS_quic_max_tracked_packet_count)),
       pending_version_negotiation_packet_(false),
       send_ietf_version_negotiation_packet_(false),
-      save_crypto_packets_as_termination_packets_(false),
       idle_timeout_connection_close_behavior_(
           ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET),
       close_connection_after_five_rtos_(false),
-      received_packet_manager_(&stats_),
       uber_received_packet_manager_(&stats_),
-      ack_queued_(false),
-      num_retransmittable_packets_received_since_last_ack_sent_(0),
-      num_packets_received_since_last_ack_sent_(0),
       stop_waiting_count_(0),
-      ack_mode_(GetQuicReloadableFlag(quic_enable_ack_decimation)
-                    ? ACK_DECIMATION
-                    : TCP_ACKING),
-      ack_decimation_delay_(kAckDecimationDelay),
-      unlimited_ack_decimation_(false),
-      fast_ack_after_quiescence_(false),
       pending_retransmission_alarm_(false),
       defer_send_in_response_to_packets_(false),
       ping_timeout_(QuicTime::Delta::FromSeconds(kPingTimeoutSecs)),
@@ -308,21 +288,15 @@ QuicConnection::QuicConnection(
                         this),
       idle_network_timeout_(QuicTime::Delta::Infinite()),
       handshake_timeout_(QuicTime::Delta::Infinite()),
-      time_of_first_packet_sent_after_receiving_(
-          GetQuicReloadableFlag(
-              quic_fix_time_of_first_packet_sent_after_receiving)
-              ? QuicTime::Zero()
-              : clock_->ApproximateNow()),
+      time_of_first_packet_sent_after_receiving_(QuicTime::Zero()),
       time_of_last_received_packet_(clock_->ApproximateNow()),
-      time_of_previous_received_packet_(QuicTime::Zero()),
-      sent_packet_manager_(
-          perspective,
-          clock_,
-          random_generator_,
-          &stats_,
-          GetQuicReloadableFlag(quic_default_to_bbr) ? kBBR : kCubicBytes,
-          kNack),
-      version_negotiation_state_(START_NEGOTIATION),
+      sent_packet_manager_(perspective,
+                           clock_,
+                           random_generator_,
+                           &stats_,
+                           GetDefaultCongestionControlType(),
+                           kNack),
+      version_negotiated_(false),
       perspective_(perspective),
       connected_(true),
       can_truncate_connection_ids_(perspective == Perspective::IS_SERVER),
@@ -332,13 +306,11 @@ QuicConnection::QuicConnection(
       next_mtu_probe_at_(kPacketsBetweenMtuProbesBase),
       largest_received_packet_size_(0),
       write_error_occurred_(false),
-      no_stop_waiting_frames_(transport_version() > QUIC_VERSION_43),
+      no_stop_waiting_frames_(
+          VersionHasIetfInvariantHeader(transport_version())),
       consecutive_num_packets_with_no_retransmittable_frames_(0),
       max_consecutive_num_packets_with_no_retransmittable_frames_(
           kMaxConsecutiveNonRetransmittablePackets),
-      min_received_before_ack_decimation_(kMinReceivedBeforeAckDecimation),
-      ack_frequency_before_ack_decimation_(
-          kDefaultRetransmittablePacketsBeforeAck),
       fill_up_link_during_probing_(false),
       probing_retransmission_pending_(false),
       stateless_reset_token_received_(false),
@@ -348,34 +320,7 @@ QuicConnection::QuicConnection(
       processing_ack_frame_(false),
       supports_release_time_(false),
       release_time_into_future_(QuicTime::Delta::Zero()),
-      no_version_negotiation_(supported_versions.size() == 1),
-      send_ack_when_on_can_write_(false),
-      retry_has_been_parsed_(false),
-      validate_packet_number_post_decryption_(
-          GetQuicReloadableFlag(quic_validate_packet_number_post_decryption)),
-      use_uber_received_packet_manager_(
-          received_packet_manager_.decide_when_to_send_acks() &&
-          validate_packet_number_post_decryption_ &&
-          GetQuicReloadableFlag(quic_use_uber_received_packet_manager)) {
-  if (ack_mode_ == ACK_DECIMATION) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_enable_ack_decimation);
-  }
-  if (perspective_ == Perspective::IS_SERVER &&
-      supported_versions.size() == 1) {
-    QUIC_RESTART_FLAG_COUNT(quic_no_server_conn_ver_negotiation2);
-  }
-  if (packet_generator_.deprecate_ack_bundling_mode()) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_deprecate_ack_bundling_mode);
-  }
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_rpm_decides_when_to_send_acks);
-  }
-  if (validate_packet_number_post_decryption_) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_validate_packet_number_post_decryption);
-  }
-  if (use_uber_received_packet_manager_) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_use_uber_received_packet_manager);
-  }
+      retry_has_been_parsed_(false) {
   QUIC_DLOG(INFO) << ENDPOINT << "Created connection with server connection ID "
                   << server_connection_id
                   << " and version: " << ParsedQuicVersionToString(version());
@@ -401,27 +346,22 @@ QuicConnection::QuicConnection(
   SetMaxPacketLength(perspective_ == Perspective::IS_SERVER
                          ? kDefaultServerMaxPacketSize
                          : kDefaultMaxPacketSize);
-  if (use_uber_received_packet_manager_) {
-    uber_received_packet_manager_.set_max_ack_ranges(255);
-  } else {
-    received_packet_manager_.set_max_ack_ranges(255);
-  }
+  uber_received_packet_manager_.set_max_ack_ranges(255);
   MaybeEnableSessionDecidesWhatToWrite();
   MaybeEnableMultiplePacketNumberSpacesSupport();
-  DCHECK(!GetQuicRestartFlag(quic_no_server_conn_ver_negotiation2) ||
-         perspective_ == Perspective::IS_CLIENT ||
+  DCHECK(perspective_ == Perspective::IS_CLIENT ||
          supported_versions.size() == 1);
-  InstallInitialCrypters();
+  InstallInitialCrypters(server_connection_id_);
 }
 
-void QuicConnection::InstallInitialCrypters() {
+void QuicConnection::InstallInitialCrypters(QuicConnectionId connection_id) {
   if (version().handshake_protocol != PROTOCOL_TLS1_3) {
     // Initial crypters are currently only supported with TLS.
     return;
   }
   CrypterPair crypters;
   CryptoUtils::CreateTlsInitialCrypters(perspective_, transport_version(),
-                                        server_connection_id_, &crypters);
+                                        connection_id, &crypters);
   SetEncrypter(ENCRYPTION_INITIAL, std::move(crypters.encrypter));
   InstallDecrypter(ENCRYPTION_INITIAL, std::move(crypters.decrypter));
 }
@@ -474,38 +414,7 @@ void QuicConnection::SetFromConfig(const QuicConfig& config) {
   if (debug_visitor_ != nullptr) {
     debug_visitor_->OnSetFromConfig(config);
   }
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    if (use_uber_received_packet_manager_) {
-      uber_received_packet_manager_.SetFromConfig(config, perspective_);
-    } else {
-      received_packet_manager_.SetFromConfig(config, perspective_);
-    }
-  } else {
-    if (GetQuicReloadableFlag(quic_enable_ack_decimation) &&
-        config.HasClientSentConnectionOption(kACD0, perspective_)) {
-      ack_mode_ = TCP_ACKING;
-    }
-    if (config.HasClientSentConnectionOption(kACKD, perspective_)) {
-      ack_mode_ = ACK_DECIMATION;
-    }
-    if (config.HasClientSentConnectionOption(kAKD2, perspective_)) {
-      ack_mode_ = ACK_DECIMATION_WITH_REORDERING;
-    }
-    if (config.HasClientSentConnectionOption(kAKD3, perspective_)) {
-      ack_mode_ = ACK_DECIMATION;
-      ack_decimation_delay_ = kShortAckDecimationDelay;
-    }
-    if (config.HasClientSentConnectionOption(kAKD4, perspective_)) {
-      ack_mode_ = ACK_DECIMATION_WITH_REORDERING;
-      ack_decimation_delay_ = kShortAckDecimationDelay;
-    }
-    if (config.HasClientSentConnectionOption(kAKDU, perspective_)) {
-      unlimited_ack_decimation_ = true;
-    }
-    if (config.HasClientSentConnectionOption(kACKQ, perspective_)) {
-      fast_ack_after_quiescence_ = true;
-    }
-  }
+  uber_received_packet_manager_.SetFromConfig(config, perspective_);
   if (config.HasClientSentConnectionOption(k5RTO, perspective_)) {
     close_connection_after_five_rtos_ = true;
   }
@@ -520,11 +429,7 @@ void QuicConnection::SetFromConfig(const QuicConfig& config) {
       config.HasClientSentConnectionOption(kSTMP, perspective_)) {
     QUIC_RELOADABLE_FLAG_COUNT(quic_send_timestamps);
     framer_.set_process_timestamps(true);
-    if (use_uber_received_packet_manager_) {
-      uber_received_packet_manager_.set_save_timestamps(true);
-    } else {
-      received_packet_manager_.set_save_timestamps(true);
-    }
+    uber_received_packet_manager_.set_save_timestamps(true);
   }
 
   supports_release_time_ =
@@ -624,8 +529,7 @@ void QuicConnection::OnPublicResetPacket(const QuicPublicResetPacket& packet) {
 }
 
 bool QuicConnection::OnProtocolVersionMismatch(
-    ParsedQuicVersion received_version,
-    PacketHeaderFormat form) {
+    ParsedQuicVersion received_version) {
   QUIC_DLOG(INFO) << ENDPOINT << "Received packet with mismatched version "
                   << ParsedQuicVersionToString(received_version);
   if (perspective_ == Perspective::IS_CLIENT) {
@@ -633,64 +537,11 @@ bool QuicConnection::OnProtocolVersionMismatch(
     QUIC_BUG << ENDPOINT << error_details;
     CloseConnection(QUIC_INTERNAL_ERROR, error_details,
                     ConnectionCloseBehavior::SILENT_CLOSE);
-    return false;
   }
-  if (no_version_negotiation_) {
-    // Drop old packets that were sent by the client before the version was
-    // negotiated.
-    return false;
-  }
-  DCHECK_NE(version(), received_version);
-
-  if (debug_visitor_ != nullptr) {
-    debug_visitor_->OnProtocolVersionMismatch(received_version);
-  }
-
-  switch (version_negotiation_state_) {
-    case START_NEGOTIATION:
-      if (!framer_.IsSupportedVersion(received_version)) {
-        SendVersionNegotiationPacket(form != GOOGLE_QUIC_PACKET);
-        version_negotiation_state_ = NEGOTIATION_IN_PROGRESS;
-        return false;
-      }
-      break;
-
-    case NEGOTIATION_IN_PROGRESS:
-      if (!framer_.IsSupportedVersion(received_version)) {
-        SendVersionNegotiationPacket(form != GOOGLE_QUIC_PACKET);
-        return false;
-      }
-      break;
-
-    case NEGOTIATED_VERSION:
-      // Might be old packets that were sent by the client before the version
-      // was negotiated. Drop these.
-      return false;
-
-    default:
-      DCHECK(false);
-  }
-
-  // Store the new version.
-  framer_.set_version(received_version);
-  framer_.InferPacketHeaderTypeFromVersion();
 
-  version_negotiation_state_ = NEGOTIATED_VERSION;
-  visitor_->OnSuccessfulVersionNegotiation(received_version);
-  if (debug_visitor_ != nullptr) {
-    debug_visitor_->OnSuccessfulVersionNegotiation(received_version);
-  }
-  QUIC_DLOG(INFO) << ENDPOINT << "version negotiated "
-                  << ParsedQuicVersionToString(received_version);
-
-  MaybeEnableSessionDecidesWhatToWrite();
-  no_stop_waiting_frames_ =
-      received_version.transport_version > QUIC_VERSION_43;
-
-  // TODO(satyamshekhar): Store the packet number of this packet and close the
-  // connection if we ever received a packet with incorrect version and whose
-  // packet number is greater.
-  return true;
+  // Server drops old packets that were sent by the client before the version
+  // was negotiated.
+  return false;
 }
 
 // Handles version negotiation for client connection.
@@ -713,7 +564,7 @@ void QuicConnection::OnVersionNegotiationPacket(
     debug_visitor_->OnVersionNegotiationPacket(packet);
   }
 
-  if (version_negotiation_state_ != START_NEGOTIATION) {
+  if (version_negotiated_) {
     // Possibly a duplicate version negotiation packet.
     return;
   }
@@ -729,52 +580,15 @@ void QuicConnection::OnVersionNegotiationPacket(
   }
 
   server_supported_versions_ = packet.versions;
-
-  if (GetQuicReloadableFlag(quic_no_client_conn_ver_negotiation)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_no_client_conn_ver_negotiation);
-    CloseConnection(
-        QUIC_INVALID_VERSION,
-        QuicStrCat(
-            "Client may support one of the versions in the server's list, but "
-            "it's going to close the connection anyway. Supported versions: {",
-            ParsedQuicVersionVectorToString(framer_.supported_versions()),
-            "}, peer supported versions: {",
-            ParsedQuicVersionVectorToString(packet.versions), "}"),
-        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return;
-  }
-
-  ParsedQuicVersion original_version = version();
-  if (!SelectMutualVersion(packet.versions)) {
-    CloseConnection(
-        QUIC_INVALID_VERSION,
-        QuicStrCat(
-            "No common version found. Supported versions: {",
-            ParsedQuicVersionVectorToString(framer_.supported_versions()),
-            "}, peer supported versions: {",
-            ParsedQuicVersionVectorToString(packet.versions), "}"),
-        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return;
-  }
-
-  if (original_version.handshake_protocol != version().handshake_protocol) {
-    const std::string error_details =
-        "In-connection version negotiation between mismatched handshake "
-        " protocols " +
-        ParsedQuicVersionToString(original_version) + " and " +
-        ParsedQuicVersionToString(version()) + " is currently unsupported.";
-    QUIC_DLOG(WARNING) << error_details;
-    CloseConnection(QUIC_INVALID_VERSION, error_details,
-                    ConnectionCloseBehavior::SILENT_CLOSE);
-    return;
-  }
-
-  QUIC_DLOG(INFO) << ENDPOINT << "Negotiated version: "
-                  << ParsedQuicVersionToString(version());
-  no_stop_waiting_frames_ = transport_version() > QUIC_VERSION_43;
-  version_negotiation_state_ = NEGOTIATION_IN_PROGRESS;
-
-  RetransmitUnackedPackets(ALL_UNACKED_RETRANSMISSION);
+  CloseConnection(
+      QUIC_INVALID_VERSION,
+      QuicStrCat(
+          "Client may support one of the versions in the server's list, but "
+          "it's going to close the connection anyway. Supported versions: {",
+          ParsedQuicVersionVectorToString(framer_.supported_versions()),
+          "}, peer supported versions: {",
+          ParsedQuicVersionVectorToString(packet.versions), "}"),
+      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
 }
 
 // Handles retry for client connection.
@@ -804,7 +618,7 @@ void QuicConnection::OnRetryPacket(QuicConnectionId original_connection_id,
   packet_generator_.SetRetryToken(retry_token);
 
   // Reinstall initial crypters because the connection ID changed.
-  InstallInitialCrypters();
+  InstallInitialCrypters(server_connection_id_);
 }
 
 bool QuicConnection::HasIncomingConnectionId(QuicConnectionId connection_id) {
@@ -829,30 +643,54 @@ bool QuicConnection::OnUnauthenticatedPublicHeader(
   QuicConnectionId server_connection_id =
       GetServerConnectionIdAsRecipient(header, perspective_);
 
-  if (server_connection_id == server_connection_id_ ||
-      HasIncomingConnectionId(server_connection_id)) {
-    return true;
-  }
+  if (server_connection_id != server_connection_id_ &&
+      !HasIncomingConnectionId(server_connection_id)) {
+    if (PacketCanReplaceConnectionId(header, perspective_)) {
+      QUIC_DLOG(INFO) << ENDPOINT << "Accepting packet with new connection ID "
+                      << server_connection_id << " instead of "
+                      << server_connection_id_;
+      return true;
+    }
 
-  if (PacketCanReplaceConnectionId(header, perspective_)) {
-    QUIC_DLOG(INFO) << ENDPOINT << "Accepting packet with new connection ID "
+    ++stats_.packets_dropped;
+    QUIC_DLOG(INFO) << ENDPOINT
+                    << "Ignoring packet from unexpected server connection ID "
                     << server_connection_id << " instead of "
                     << server_connection_id_;
+    if (debug_visitor_ != nullptr) {
+      debug_visitor_->OnIncorrectConnectionId(server_connection_id);
+    }
+    // If this is a server, the dispatcher routes each packet to the
+    // QuicConnection responsible for the packet's connection ID.  So if control
+    // arrives here and this is a server, the dispatcher must be malfunctioning.
+    DCHECK_NE(Perspective::IS_SERVER, perspective_);
+    return false;
+  }
+
+  if (!version().SupportsClientConnectionIds()) {
+    return true;
+  }
+
+  QuicConnectionId client_connection_id =
+      GetClientConnectionIdAsRecipient(header, perspective_);
+
+  if (client_connection_id == client_connection_id_) {
+    return true;
+  }
+
+  if (!client_connection_id_is_set_ && perspective_ == Perspective::IS_SERVER) {
+    QUIC_DLOG(INFO) << ENDPOINT
+                    << "Setting client connection ID from first packet to "
+                    << client_connection_id;
+    set_client_connection_id(client_connection_id);
     return true;
   }
 
   ++stats_.packets_dropped;
   QUIC_DLOG(INFO) << ENDPOINT
-                  << "Ignoring packet from unexpected ConnectionId: "
-                  << server_connection_id << " instead of "
-                  << server_connection_id_;
-  if (debug_visitor_ != nullptr) {
-    debug_visitor_->OnIncorrectConnectionId(server_connection_id);
-  }
-  // If this is a server, the dispatcher routes each packet to the
-  // QuicConnection responsible for the packet's connection ID.  So if control
-  // arrives here and this is a server, the dispatcher must be malfunctioning.
-  DCHECK_NE(Perspective::IS_SERVER, perspective_);
+                  << "Ignoring packet from unexpected client connection ID "
+                  << client_connection_id << " instead of "
+                  << client_connection_id_;
   return false;
 }
 
@@ -870,7 +708,7 @@ bool QuicConnection::OnUnauthenticatedHeader(const QuicPacketHeader& header) {
              GetServerConnectionIdAsRecipient(header, perspective_)) ||
          PacketCanReplaceConnectionId(header, perspective_));
 
-  if (!packet_generator_.IsPendingPacketEmpty()) {
+  if (packet_generator_.HasPendingFrames()) {
     // Incoming packets may change a queued ACK frame.
     const std::string error_details =
         "Pending frames must be serialized before incoming packets are "
@@ -881,33 +719,7 @@ bool QuicConnection::OnUnauthenticatedHeader(const QuicPacketHeader& header) {
     return false;
   }
 
-  // If this packet has already been seen, or the sender has told us that it
-  // will not be retransmitted, then stop processing the packet.
-  if (!validate_packet_number_post_decryption_) {
-    const bool is_awaiting =
-        use_uber_received_packet_manager_
-            ? uber_received_packet_manager_.IsAwaitingPacket(
-                  last_decrypted_packet_level_, header.packet_number)
-            : received_packet_manager_.IsAwaitingPacket(header.packet_number);
-    if (!is_awaiting) {
-      if (framer_.IsIetfStatelessResetPacket(header)) {
-        QuicIetfStatelessResetPacket packet(
-            header, header.possible_stateless_reset_token);
-        OnAuthenticatedIetfStatelessResetPacket(packet);
-        return false;
-      }
-      QUIC_DLOG(INFO) << ENDPOINT << "Packet " << header.packet_number
-                      << " no longer being waited for.  Discarding.";
-      if (debug_visitor_ != nullptr) {
-        debug_visitor_->OnDuplicatePacket(header.packet_number);
-      }
-      ++stats_.packets_dropped;
-      return false;
-    }
-  }
-
-  if (version_negotiation_state_ != NEGOTIATED_VERSION &&
-      perspective_ == Perspective::IS_SERVER) {
+  if (!version_negotiated_ && perspective_ == Perspective::IS_SERVER) {
     if (!header.version_flag) {
       // Packets should have the version flag till version negotiation is
       // done.
@@ -920,14 +732,14 @@ bool QuicConnection::OnUnauthenticatedHeader(const QuicPacketHeader& header) {
       return false;
     } else {
       DCHECK_EQ(header.version, version());
-      version_negotiation_state_ = NEGOTIATED_VERSION;
+      version_negotiated_ = true;
       framer_.InferPacketHeaderTypeFromVersion();
       visitor_->OnSuccessfulVersionNegotiation(version());
       if (debug_visitor_ != nullptr) {
         debug_visitor_->OnSuccessfulVersionNegotiation(version());
       }
     }
-    DCHECK_EQ(NEGOTIATED_VERSION, version_negotiation_state_);
+    DCHECK(version_negotiated_);
   }
 
   return true;
@@ -942,10 +754,8 @@ void QuicConnection::OnDecryptedPacket(EncryptionLevel level) {
   if (level == ENCRYPTION_FORWARD_SECURE &&
       perspective_ == Perspective::IS_SERVER) {
     sent_packet_manager_.SetHandshakeConfirmed();
-    if (sent_packet_manager_.unacked_packets().use_uber_loss_algorithm()) {
-      // This may have changed the retransmission timer, so re-arm it.
-      SetRetransmissionAlarm();
-    }
+    // This may have changed the retransmission timer, so re-arm it.
+    SetRetransmissionAlarm();
   }
 }
 
@@ -1011,22 +821,12 @@ bool QuicConnection::OnPacketHeader(const QuicPacketHeader& header) {
   --stats_.packets_dropped;
   QUIC_DVLOG(1) << ENDPOINT << "Received packet header: " << header;
   last_header_ = header;
-  // An ack will be sent if a missing retransmittable packet was received;
-  if (!use_uber_received_packet_manager_) {
-    was_last_packet_missing_ =
-        received_packet_manager_.IsMissing(last_header_.packet_number);
-  }
 
   // Record packet receipt to populate ack info before processing stream
   // frames, since the processing may result in sending a bundled ack.
-  if (use_uber_received_packet_manager_) {
-    uber_received_packet_manager_.RecordPacketReceived(
-        last_decrypted_packet_level_, last_header_,
-        time_of_last_received_packet_);
-  } else {
-    received_packet_manager_.RecordPacketReceived(
-        last_header_, time_of_last_received_packet_);
-  }
+  uber_received_packet_manager_.RecordPacketReceived(
+      last_decrypted_packet_level_, last_header_,
+      time_of_last_received_packet_);
   DCHECK(connected_);
   return true;
 }
@@ -1116,19 +916,6 @@ bool QuicConnection::OnAckFrameStart(QuicPacketNumber largest_acked,
   if (!GetLargestAckedPacket().IsInitialized() ||
       largest_acked > GetLargestAckedPacket()) {
     visitor_->OnForwardProgressConfirmed();
-  } else if (!sent_packet_manager_.tolerate_reneging() &&
-             largest_acked < GetLargestAckedPacket()) {
-    QUIC_LOG(INFO) << ENDPOINT << "Peer's largest_observed packet decreased:"
-                   << largest_acked << " vs " << GetLargestAckedPacket()
-                   << " packet_number:" << last_header_.packet_number
-                   << " largest seen with ack:"
-                   << GetLargestReceivedPacketWithAck()
-                   << " server_connection_id: " << server_connection_id_;
-    // A new ack has a diminished largest_observed value.
-    // If this was an old packet, we wouldn't even have checked.
-    CloseConnection(QUIC_INVALID_ACK_DATA, "Largest observed too low.",
-                    ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return false;
   }
   processing_ack_frame_ = true;
   sent_packet_manager_.OnAckFrameStart(largest_acked, ack_delay_time,
@@ -1176,7 +963,8 @@ bool QuicConnection::OnAckFrameEnd(QuicPacketNumber start) {
     return true;
   }
   const AckResult ack_result = sent_packet_manager_.OnAckFrameEnd(
-      time_of_last_received_packet_, last_decrypted_packet_level_);
+      time_of_last_received_packet_, last_header_.packet_number,
+      last_decrypted_packet_level_);
   if (ack_result != PACKETS_NEWLY_ACKED &&
       ack_result != NO_PACKETS_NEWLY_ACKED) {
     // Error occurred (e.g., this ACK tries to ack packets in wrong packet
@@ -1245,12 +1033,8 @@ bool QuicConnection::OnStopWaitingFrame(const QuicStopWaitingFrame& frame) {
   }
 
   largest_seen_packet_with_stop_waiting_ = last_header_.packet_number;
-  if (use_uber_received_packet_manager_) {
-    uber_received_packet_manager_.DontWaitForPacketsBefore(
-        last_decrypted_packet_level_, frame.least_unacked);
-  } else {
-    received_packet_manager_.DontWaitForPacketsBefore(frame.least_unacked);
-  }
+  uber_received_packet_manager_.DontWaitForPacketsBefore(
+      last_decrypted_packet_level_, frame.least_unacked);
   return connected_;
 }
 
@@ -1278,9 +1062,7 @@ bool QuicConnection::OnPingFrame(const QuicPingFrame& frame) {
 const char* QuicConnection::ValidateStopWaitingFrame(
     const QuicStopWaitingFrame& stop_waiting) {
   const QuicPacketNumber peer_least_packet_awaiting_ack =
-      use_uber_received_packet_manager_
-          ? uber_received_packet_manager_.peer_least_packet_awaiting_ack()
-          : received_packet_manager_.peer_least_packet_awaiting_ack();
+      uber_received_packet_manager_.peer_least_packet_awaiting_ack();
   if (peer_least_packet_awaiting_ack.IsInitialized() &&
       stop_waiting.least_unacked < peer_least_packet_awaiting_ack) {
     QUIC_DLOG(ERROR) << ENDPOINT << "Peer's sent low least_unacked: "
@@ -1442,16 +1224,16 @@ bool QuicConnection::OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) {
 }
 
 bool QuicConnection::OnNewConnectionIdFrame(
-    const QuicNewConnectionIdFrame& frame) {
+    const QuicNewConnectionIdFrame& /*frame*/) {
   return true;
 }
 
 bool QuicConnection::OnRetireConnectionIdFrame(
-    const QuicRetireConnectionIdFrame& frame) {
+    const QuicRetireConnectionIdFrame& /*frame*/) {
   return true;
 }
 
-bool QuicConnection::OnNewTokenFrame(const QuicNewTokenFrame& frame) {
+bool QuicConnection::OnNewTokenFrame(const QuicNewTokenFrame& /*frame*/) {
   return true;
 }
 
@@ -1534,7 +1316,7 @@ void QuicConnection::OnPacketComplete() {
     // This node is not a client (is a server) AND the received packet was
     // NOT connectivity-probing. If the packet had PATH CHALLENGES, send
     // appropriate RESPONSE. Then deal with possible peer migration.
-    if (transport_version() == QUIC_VERSION_99 &&
+    if (VersionHasIetfQuicFrames(transport_version()) &&
         !received_path_challenge_payloads_.empty()) {
       // If a PATH CHALLENGE was in a "Padded PING (or PATH CHALLENGE)"
       // then it is taken care of above. This handles the case where a PATH
@@ -1558,48 +1340,30 @@ void QuicConnection::OnPacketComplete() {
 
   current_effective_peer_migration_type_ = NO_CHANGE;
 
-  // An ack will be sent if a missing retransmittable packet was received;
-  const bool was_missing =
-      should_last_packet_instigate_acks_ && was_last_packet_missing_;
-
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    if (use_uber_received_packet_manager_) {
-      // Some encryption levels share a packet number space, it is therefore
-      // possible for us to want to ack some packets even though we do not yet
-      // have the appropriate keys to encrypt the acks. In this scenario we
-      // do not update the ACK timeout. This can happen for example with
-      // IETF QUIC on the server when we receive 0-RTT packets and do not yet
-      // have 1-RTT keys (0-RTT packets are acked at the 1-RTT level).
-      // Note that this could cause slight performance degradations in the edge
-      // case where one packet is received, then the encrypter is installed,
-      // then a second packet is received; as that could cause the ACK for the
-      // second packet to be delayed instead of immediate. This is currently
-      // considered to be small enough of an edge case to not be optimized for.
-      if (!SupportsMultiplePacketNumberSpaces() ||
-          framer_.HasEncrypterOfEncryptionLevel(QuicUtils::GetEncryptionLevel(
-              QuicUtils::GetPacketNumberSpace(last_decrypted_packet_level_)))) {
-        uber_received_packet_manager_.MaybeUpdateAckTimeout(
-            should_last_packet_instigate_acks_, last_decrypted_packet_level_,
-            last_header_.packet_number, time_of_last_received_packet_,
-            clock_->ApproximateNow(), sent_packet_manager_.GetRttStats(),
-            sent_packet_manager_.delayed_ack_time());
-      } else {
-        QUIC_DLOG(INFO) << ENDPOINT << "Not updating ACK timeout for "
-                        << QuicUtils::EncryptionLevelToString(
-                               last_decrypted_packet_level_)
-                        << " as we do not have the corresponding encrypter";
-      }
-    } else {
-      received_packet_manager_.MaybeUpdateAckTimeout(
-          should_last_packet_instigate_acks_, last_header_.packet_number,
-          time_of_last_received_packet_, clock_->ApproximateNow(),
-          sent_packet_manager_.GetRttStats(),
-          sent_packet_manager_.delayed_ack_time());
-    }
-  } else if (ack_frame_updated()) {
-    // It's possible the ack frame was sent along with response data, so it
-    // no longer needs to be sent.
-    MaybeQueueAck(was_missing);
+  // Some encryption levels share a packet number space, it is therefore
+  // possible for us to want to ack some packets even though we do not yet
+  // have the appropriate keys to encrypt the acks. In this scenario we
+  // do not update the ACK timeout. This can happen for example with
+  // IETF QUIC on the server when we receive 0-RTT packets and do not yet
+  // have 1-RTT keys (0-RTT packets are acked at the 1-RTT level).
+  // Note that this could cause slight performance degradations in the edge
+  // case where one packet is received, then the encrypter is installed,
+  // then a second packet is received; as that could cause the ACK for the
+  // second packet to be delayed instead of immediate. This is currently
+  // considered to be small enough of an edge case to not be optimized for.
+  if (!SupportsMultiplePacketNumberSpaces() ||
+      framer_.HasEncrypterOfEncryptionLevel(QuicUtils::GetEncryptionLevel(
+          QuicUtils::GetPacketNumberSpace(last_decrypted_packet_level_)))) {
+    uber_received_packet_manager_.MaybeUpdateAckTimeout(
+        should_last_packet_instigate_acks_, last_decrypted_packet_level_,
+        last_header_.packet_number, time_of_last_received_packet_,
+        clock_->ApproximateNow(), sent_packet_manager_.GetRttStats(),
+        sent_packet_manager_.local_max_ack_delay());
+  } else {
+    QUIC_DLOG(INFO) << ENDPOINT << "Not updating ACK timeout for "
+                    << QuicUtils::EncryptionLevelToString(
+                           last_decrypted_packet_level_)
+                    << " as we do not have the corresponding encrypter";
   }
 
   ClearLastFrames();
@@ -1612,7 +1376,7 @@ bool QuicConnection::IsValidStatelessResetToken(QuicUint128 token) const {
 }
 
 void QuicConnection::OnAuthenticatedIetfStatelessResetPacket(
-    const QuicIetfStatelessResetPacket& packet) {
+    const QuicIetfStatelessResetPacket& /*packet*/) {
   // TODO(fayang): Add OnAuthenticatedIetfStatelessResetPacket to
   // debug_visitor_.
   const std::string error_details = "Received stateless reset.";
@@ -1621,114 +1385,6 @@ void QuicConnection::OnAuthenticatedIetfStatelessResetPacket(
                                ConnectionCloseSource::FROM_PEER);
 }
 
-void QuicConnection::MaybeQueueAck(bool was_missing) {
-  DCHECK(!received_packet_manager_.decide_when_to_send_acks());
-  ++num_packets_received_since_last_ack_sent_;
-  // Determine whether the newly received packet was missing before recording
-  // the received packet.
-  if (was_missing) {
-    // Only ack immediately if an ACK frame was sent with a larger
-    // largest acked than the newly received packet number.
-    const QuicPacketNumber largest_sent_largest_acked =
-        sent_packet_manager_.unacked_packets().largest_sent_largest_acked();
-    if (largest_sent_largest_acked.IsInitialized() &&
-        last_header_.packet_number < largest_sent_largest_acked) {
-      if (packet_generator_.deprecate_ack_bundling_mode()) {
-        MaybeSetAckAlarmTo(clock_->ApproximateNow());
-      } else {
-        ack_queued_ = true;
-      }
-    }
-  }
-
-  if (should_last_packet_instigate_acks_ && !ack_queued_) {
-    ++num_retransmittable_packets_received_since_last_ack_sent_;
-    if (ack_mode_ != TCP_ACKING &&
-        last_header_.packet_number >=
-            received_packet_manager_.PeerFirstSendingPacketNumber() +
-                min_received_before_ack_decimation_) {
-      // Ack up to 10 packets at once unless ack decimation is unlimited.
-      if (!unlimited_ack_decimation_ &&
-          num_retransmittable_packets_received_since_last_ack_sent_ >=
-              kMaxRetransmittablePacketsBeforeAck) {
-        if (packet_generator_.deprecate_ack_bundling_mode()) {
-          MaybeSetAckAlarmTo(clock_->ApproximateNow());
-        } else {
-          ack_queued_ = true;
-        }
-      } else if (ShouldSetAckAlarm()) {
-        // Wait for the minimum of the ack decimation delay or the delayed ack
-        // time before sending an ack.
-        QuicTime::Delta ack_delay =
-            std::min(sent_packet_manager_.delayed_ack_time(),
-                     sent_packet_manager_.GetRttStats()->min_rtt() *
-                         ack_decimation_delay_);
-        const QuicTime approximate_now = clock_->ApproximateNow();
-        if (fast_ack_after_quiescence_ &&
-            (approximate_now - time_of_previous_received_packet_) >
-                sent_packet_manager_.GetRttStats()->SmoothedOrInitialRtt()) {
-          // Ack the first packet out of queiscence faster, because QUIC does
-          // not pace the first few packets and commonly these may be handshake
-          // or TLP packets, which we'd like to acknowledge quickly.
-          ack_delay = QuicTime::Delta::FromMilliseconds(1);
-        }
-        ack_alarm_->Set(approximate_now + ack_delay);
-      }
-    } else {
-      // Ack with a timer or every 2 packets by default.
-      if (num_retransmittable_packets_received_since_last_ack_sent_ >=
-          ack_frequency_before_ack_decimation_) {
-        if (packet_generator_.deprecate_ack_bundling_mode()) {
-          MaybeSetAckAlarmTo(clock_->ApproximateNow());
-        } else {
-          ack_queued_ = true;
-        }
-      } else if (ShouldSetAckAlarm()) {
-        const QuicTime approximate_now = clock_->ApproximateNow();
-        if (fast_ack_after_quiescence_ &&
-            (approximate_now - time_of_previous_received_packet_) >
-                sent_packet_manager_.GetRttStats()->SmoothedOrInitialRtt()) {
-          // Ack the first packet out of queiscence faster, because QUIC does
-          // not pace the first few packets and commonly these may be handshake
-          // or TLP packets, which we'd like to acknowledge quickly.
-          ack_alarm_->Set(approximate_now +
-                          QuicTime::Delta::FromMilliseconds(1));
-        } else {
-          ack_alarm_->Set(approximate_now +
-                          sent_packet_manager_.delayed_ack_time());
-        }
-      }
-    }
-
-    // If there are new missing packets to report, send an ack immediately.
-    if (received_packet_manager_.HasNewMissingPackets()) {
-      if (ack_mode_ == ACK_DECIMATION_WITH_REORDERING) {
-        // Wait the minimum of an eighth min_rtt and the existing ack time.
-        QuicTime ack_time =
-            clock_->ApproximateNow() +
-            0.125 * sent_packet_manager_.GetRttStats()->min_rtt();
-        if (ShouldSetAckAlarm() || ack_alarm_->deadline() > ack_time) {
-          ack_alarm_->Update(ack_time, QuicTime::Delta::Zero());
-        }
-      } else {
-        if (packet_generator_.deprecate_ack_bundling_mode()) {
-          MaybeSetAckAlarmTo(clock_->ApproximateNow());
-        } else {
-          ack_queued_ = true;
-        }
-      }
-    }
-
-    if (fast_ack_after_quiescence_) {
-      time_of_previous_received_packet_ = time_of_last_received_packet_;
-    }
-  }
-
-  if (ack_queued_) {
-    ack_alarm_->Cancel();
-  }
-}
-
 void QuicConnection::ClearLastFrames() {
   should_last_packet_instigate_acks_ = false;
 }
@@ -1741,20 +1397,20 @@ void QuicConnection::CloseIfTooManyOutstandingSentPackets() {
           sent_packet_manager_.GetLeastUnacked() + max_tracked_packets_) {
     CloseConnection(
         QUIC_TOO_MANY_OUTSTANDING_SENT_PACKETS,
-        QuicStrCat("More than ", max_tracked_packets_,
-                   " outstanding, least_unacked: ",
-                   sent_packet_manager_.GetLeastUnacked().ToUint64()),
+        QuicStrCat(
+            "More than ", max_tracked_packets_, " outstanding, least_unacked: ",
+            sent_packet_manager_.GetLeastUnacked().ToUint64(),
+            ", packets_processed: ", stats_.packets_processed,
+            ", last_decrypted_packet_level: ",
+            QuicUtils::EncryptionLevelToString(last_decrypted_packet_level_)),
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
   }
 }
 
 const QuicFrame QuicConnection::GetUpdatedAckFrame() {
-  if (use_uber_received_packet_manager_) {
-    return uber_received_packet_manager_.GetUpdatedAckFrame(
-        QuicUtils::GetPacketNumberSpace(encryption_level_),
-        clock_->ApproximateNow());
-  }
-  return received_packet_manager_.GetUpdatedAckFrame(clock_->ApproximateNow());
+  return uber_received_packet_manager_.GetUpdatedAckFrame(
+      QuicUtils::GetPacketNumberSpace(encryption_level_),
+      clock_->ApproximateNow());
 }
 
 void QuicConnection::PopulateStopWaitingFrame(
@@ -1843,7 +1499,7 @@ size_t QuicConnection::SendCryptoData(EncryptionLevel level,
     return 0;
   }
 
-  ScopedPacketFlusher flusher(this, SEND_ACK_IF_PENDING);
+  ScopedPacketFlusher flusher(this);
   return packet_generator_.ConsumeCryptoData(level, write_length, offset);
 }
 
@@ -1861,21 +1517,15 @@ QuicConsumedData QuicConnection::SendStreamData(QuicStreamId id,
   // which decrypter will be used on an ack packet following a handshake
   // packet (a handshake packet from client to server could result in a REJ or a
   // SHLO from the server, leading to two different decrypters at the server.)
-  ScopedPacketFlusher flusher(this, SEND_ACK_IF_PENDING);
+  ScopedPacketFlusher flusher(this);
   return packet_generator_.ConsumeData(id, write_length, offset, state);
 }
 
 bool QuicConnection::SendControlFrame(const QuicFrame& frame) {
-  if (!packet_generator_.deprecate_queued_control_frames() &&
-      !CanWrite(HAS_RETRANSMITTABLE_DATA) && frame.type != PING_FRAME) {
-    QUIC_DVLOG(1) << ENDPOINT << "Failed to send control frame: " << frame;
-    // Do not check congestion window for ping.
-    return false;
-  }
-  ScopedPacketFlusher flusher(this, SEND_ACK_IF_PENDING);
+  ScopedPacketFlusher flusher(this);
   const bool consumed =
       packet_generator_.ConsumeRetransmittableControlFrame(frame);
-  if (packet_generator_.deprecate_queued_control_frames() && !consumed) {
+  if (!consumed) {
     QUIC_DVLOG(1) << ENDPOINT << "Failed to send control frame: " << frame;
     return false;
   }
@@ -1901,7 +1551,7 @@ void QuicConnection::OnStreamReset(QuicStreamId id,
   }
   // Flush stream frames of reset stream.
   if (packet_generator_.HasPendingStreamFramesOfStream(id)) {
-    ScopedPacketFlusher flusher(this, SEND_ACK_IF_PENDING);
+    ScopedPacketFlusher flusher(this);
     packet_generator_.FlushAllQueuedFrames();
   }
 
@@ -2010,7 +1660,7 @@ void QuicConnection::ProcessUdpPacket(const QuicSocketAddress& self_address,
   QUIC_DVLOG(1) << ENDPOINT << "time of last received packet: "
                 << time_of_last_received_packet_.ToDebuggingValue();
 
-  ScopedPacketFlusher flusher(this, NO_ACK);
+  ScopedPacketFlusher flusher(this);
   if (!framer_.ProcessPacket(packet)) {
     // If we are unable to decrypt this packet, it might be
     // because the CHLO or SHLO packet was lost.
@@ -2064,34 +1714,26 @@ void QuicConnection::OnBlockedWriterCanWrite() {
 }
 
 void QuicConnection::OnCanWrite() {
+  if (!connected_) {
+    return;
+  }
   DCHECK(!writer_->IsWriteBlocked());
 
   // Add a flusher to ensure the connection is marked app-limited.
-  ScopedPacketFlusher flusher(this, NO_ACK);
+  ScopedPacketFlusher flusher(this);
 
   WriteQueuedPackets();
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    const QuicTime ack_timeout =
-        use_uber_received_packet_manager_
-            ? uber_received_packet_manager_.GetEarliestAckTimeout()
-            : received_packet_manager_.ack_timeout();
-    if (ack_timeout.IsInitialized() &&
-        ack_timeout <= clock_->ApproximateNow()) {
-      // Send an ACK now because either 1) we were write blocked when we last
-      // tried to send an ACK, or 2) both ack alarm and send alarm were set to
-      // go off together.
-      if (SupportsMultiplePacketNumberSpaces()) {
-        SendAllPendingAcks();
-      } else {
-        SendAck();
-      }
-    }
-  } else if (send_ack_when_on_can_write_) {
+  const QuicTime ack_timeout =
+      uber_received_packet_manager_.GetEarliestAckTimeout();
+  if (ack_timeout.IsInitialized() && ack_timeout <= clock_->ApproximateNow()) {
     // Send an ACK now because either 1) we were write blocked when we last
-    // tried to send an ACK, or 2) both ack alarm and send alarm were set to go
-    // off together.
-    DCHECK(packet_generator_.deprecate_ack_bundling_mode());
-    SendAck();
+    // tried to send an ACK, or 2) both ack alarm and send alarm were set to
+    // go off together.
+    if (SupportsMultiplePacketNumberSpaces()) {
+      SendAllPendingAcks();
+    } else {
+      SendAck();
+    }
   }
   if (!session_decides_what_to_write()) {
     WritePendingRetransmissions();
@@ -2110,7 +1752,7 @@ void QuicConnection::WriteNewData() {
   }
 
   {
-    ScopedPacketFlusher flusher(this, SEND_ACK_IF_QUEUED);
+    ScopedPacketFlusher flusher(this);
     visitor_->OnCanWrite();
   }
 
@@ -2133,7 +1775,7 @@ void QuicConnection::WriteIfNotBlocked() {
 
 void QuicConnection::WriteAndBundleAcksIfNotBlocked() {
   if (!HandleWriteBlocked()) {
-    ScopedPacketFlusher flusher(this, SEND_ACK_IF_QUEUED);
+    ScopedPacketFlusher flusher(this);
     WriteIfNotBlocked();
   }
 }
@@ -2170,17 +1812,17 @@ bool QuicConnection::ProcessValidatedPacket(const QuicPacketHeader& header) {
     return false;
   }
 
-  if (version_negotiation_state_ != NEGOTIATED_VERSION) {
+  if (!version_negotiated_) {
     if (perspective_ == Perspective::IS_CLIENT) {
       DCHECK(!header.version_flag || header.form != GOOGLE_QUIC_PACKET);
-      if (framer_.transport_version() <= QUIC_VERSION_43) {
+      if (!VersionHasIetfInvariantHeader(framer_.transport_version())) {
         // If the client gets a packet without the version flag from the server
         // it should stop sending version since the version negotiation is done.
         // IETF QUIC stops sending version once encryption level switches to
         // forward secure.
         packet_generator_.StopSendingVersion();
       }
-      version_negotiation_state_ = NEGOTIATED_VERSION;
+      version_negotiated_ = true;
       visitor_->OnSuccessfulVersionNegotiation(version());
       if (debug_visitor_ != nullptr) {
         debug_visitor_->OnSuccessfulVersionNegotiation(version());
@@ -2202,89 +1844,21 @@ bool QuicConnection::ProcessValidatedPacket(const QuicPacketHeader& header) {
 
 bool QuicConnection::ValidateReceivedPacketNumber(
     QuicPacketNumber packet_number) {
-  if (validate_packet_number_post_decryption_) {
-    const bool is_awaiting =
-        use_uber_received_packet_manager_
-            ? uber_received_packet_manager_.IsAwaitingPacket(
-                  last_decrypted_packet_level_, packet_number)
-            : received_packet_manager_.IsAwaitingPacket(packet_number);
-    if (!is_awaiting) {
-      if (use_uber_received_packet_manager_) {
-        QUIC_DLOG(INFO) << ENDPOINT << "Packet " << packet_number
-                        << " no longer being waited for at level "
-                        << static_cast<int>(last_decrypted_packet_level_)
-                        << ".  Discarding.";
-      } else {
-        QUIC_DLOG(INFO) << ENDPOINT << "Packet " << packet_number
-                        << " no longer being waited for.  Discarding.";
-      }
-      if (debug_visitor_ != nullptr) {
-        debug_visitor_->OnDuplicatePacket(packet_number);
-      }
-      return false;
-    }
-  }
-
-  if (use_uber_received_packet_manager_) {
-    // When using uber_received_packet_manager, accept any packet numbers.
-    return true;
-  }
-
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    QUIC_RESTART_FLAG_COUNT_N(quic_enable_accept_random_ipn, 2, 2);
-    // Configured to accept any packet number in range 1...0x7fffffff as initial
-    // packet number.
-    bool out_of_bound = false;
-    std::string error_detail = "Packet number out of bounds.";
-    if (last_header_.packet_number.IsInitialized()) {
-      out_of_bound = !Near(packet_number, last_header_.packet_number);
-    } else if ((packet_number > MaxRandomInitialPacketNumber())) {
-      out_of_bound = true;
-      error_detail = "Initial packet number out of bounds.";
-    }
-    if (out_of_bound) {
-      QUIC_DLOG(INFO) << ENDPOINT << "Packet " << packet_number
-                      << " out of bounds.  Discarding";
-      CloseConnection(QUIC_INVALID_PACKET_HEADER, error_detail,
-                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-      return false;
+  // If this packet has already been seen, or the sender has told us that it
+  // will not be retransmitted, then stop processing the packet.
+  if (!uber_received_packet_manager_.IsAwaitingPacket(
+          last_decrypted_packet_level_, packet_number)) {
+    QUIC_DLOG(INFO) << ENDPOINT << "Packet " << packet_number
+                    << " no longer being waited for at level "
+                    << static_cast<int>(last_decrypted_packet_level_)
+                    << ".  Discarding.";
+    if (debug_visitor_ != nullptr) {
+      debug_visitor_->OnDuplicatePacket(packet_number);
     }
-    return true;
+    return false;
   }
 
-  if (packet_number > received_packet_manager_.PeerFirstSendingPacketNumber() &&
-      packet_number <= MaxRandomInitialPacketNumber()) {
-    QUIC_CODE_COUNT_N(had_possibly_random_ipn, 2, 2);
-  }
-  const bool out_of_bound =
-      last_header_.packet_number.IsInitialized()
-          ? !Near(packet_number, last_header_.packet_number)
-          : packet_number >=
-                (received_packet_manager_.PeerFirstSendingPacketNumber() +
-                 kMaxPacketGap);
-  if (!out_of_bound) {
-    return true;
-  }
-  QUIC_DLOG(INFO) << ENDPOINT << "Packet " << packet_number
-                  << " out of bounds.  Discarding";
-  QuicStringPiece packet_data = GetCurrentPacket();
-  const size_t kMaxPacketLengthInErrorDetails = 64;
-  CloseConnection(
-      QUIC_INVALID_PACKET_HEADER,
-      QuicStrCat(
-          "Packet number out of bounds. ",
-          last_header_.packet_number.IsInitialized()
-              ? QuicStrCat("last_pkn=", last_header_.packet_number.ToUint64())
-              : "first received packet",
-          ", current_pkn=", packet_number.ToUint64(),
-          ", current_pkt_len=", packet_data.length(), ", current_hdr=",
-          QuicTextUtils::HexEncode(
-              packet_data.length() > kMaxPacketLengthInErrorDetails
-                  ? QuicStringPiece(packet_data.data(),
-                                    kMaxPacketLengthInErrorDetails)
-                  : packet_data)),
-      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-  return false;
+  return true;
 }
 
 void QuicConnection::WriteQueuedPackets() {
@@ -2342,10 +1916,10 @@ void QuicConnection::WritePendingRetransmissions() {
     // be moved outside of the loop. Also, CanWrite is not checked after the
     // generator is flushed.
     {
-      ScopedPacketFlusher flusher(this, NO_ACK);
+      ScopedPacketFlusher flusher(this);
       packet_generator_.FlushAllQueuedFrames();
     }
-    DCHECK(!packet_generator_.HasQueuedFrames());
+    DCHECK(!packet_generator_.HasPendingFrames());
     char buffer[kMaxOutgoingPacketSize];
     packet_generator_.ReserializeAllFrames(pending, buffer,
                                            kMaxOutgoingPacketSize);
@@ -2394,21 +1968,11 @@ bool QuicConnection::ShouldGeneratePacket(
 }
 
 const QuicFrames QuicConnection::MaybeBundleAckOpportunistically() {
-  DCHECK(packet_generator_.deprecate_ack_bundling_mode());
   QuicFrames frames;
-  bool has_pending_ack = false;
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    if (use_uber_received_packet_manager_) {
-      has_pending_ack =
-          uber_received_packet_manager_
-              .GetAckTimeout(QuicUtils::GetPacketNumberSpace(encryption_level_))
-              .IsInitialized();
-    } else {
-      has_pending_ack = received_packet_manager_.ack_timeout().IsInitialized();
-    }
-  } else {
-    has_pending_ack = ack_alarm_->IsSet();
-  }
+  const bool has_pending_ack =
+      uber_received_packet_manager_
+          .GetAckTimeout(QuicUtils::GetPacketNumberSpace(encryption_level_))
+          .IsInitialized();
   if (!has_pending_ack && stop_waiting_count_ <= 1) {
     // No need to send an ACK.
     return frames;
@@ -2603,27 +2167,13 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
       SetPathDegradingAlarm();
     }
 
-    if (GetQuicReloadableFlag(
-            quic_fix_time_of_first_packet_sent_after_receiving)) {
-      // Update |time_of_first_packet_sent_after_receiving_| if this is the
-      // first packet sent after the last packet was received. If it were
-      // updated on every sent packet, then sending into a black hole might
-      // never timeout.
-      if (time_of_first_packet_sent_after_receiving_ <
-          time_of_last_received_packet_) {
-        QUIC_RELOADABLE_FLAG_COUNT(
-            quic_fix_time_of_first_packet_sent_after_receiving);
-        time_of_first_packet_sent_after_receiving_ = packet_send_time;
-      }
-    } else {
-      // Only adjust the last sent time (for the purpose of tracking the idle
-      // timeout) if this is the first retransmittable packet sent after a
-      // packet is received. If it were updated on every sent packet, then
-      // sending into a black hole might never timeout.
-      if (time_of_first_packet_sent_after_receiving_ <=
-          time_of_last_received_packet_) {
-        time_of_first_packet_sent_after_receiving_ = packet_send_time;
-      }
+    // Update |time_of_first_packet_sent_after_receiving_| if this is the
+    // first packet sent after the last packet was received. If it were
+    // updated on every sent packet, then sending into a black hole might
+    // never timeout.
+    if (time_of_first_packet_sent_after_receiving_ <
+        time_of_last_received_packet_) {
+      time_of_first_packet_sent_after_receiving_ = packet_send_time;
     }
   }
 
@@ -2727,7 +2277,7 @@ void QuicConnection::OnWriteError(int error_code) {
       break;
     default:
       // We can't send an error as the socket is presumably borked.
-      if (transport_version() > QUIC_VERSION_43) {
+      if (VersionHasIetfInvariantHeader(transport_version())) {
         QUIC_CODE_COUNT(quic_tear_down_local_connection_on_write_error_ietf);
       } else {
         QUIC_CODE_COUNT(
@@ -2749,7 +2299,7 @@ void QuicConnection::OnSerializedPacket(SerializedPacket* serialized_packet) {
     // loop here.
     // TODO(ianswett): This is actually an internal error, not an
     // encryption failure.
-    if (transport_version() > QUIC_VERSION_43) {
+    if (VersionHasIetfInvariantHeader(transport_version())) {
       QUIC_CODE_COUNT(
           quic_tear_down_local_connection_on_serialized_packet_ietf);
     } else {
@@ -2777,7 +2327,7 @@ void QuicConnection::OnUnrecoverableError(QuicErrorCode error,
                                           const std::string& error_details) {
   // The packet creator or generator encountered an unrecoverable error: tear
   // down local connection state immediately.
-  if (transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(transport_version())) {
     QUIC_CODE_COUNT(
         quic_tear_down_local_connection_on_unrecoverable_error_ietf);
   } else {
@@ -2809,14 +2359,11 @@ void QuicConnection::OnPathMtuIncreased(QuicPacketLength packet_size) {
 
 void QuicConnection::OnHandshakeComplete() {
   sent_packet_manager_.SetHandshakeConfirmed();
-  if (sent_packet_manager_.unacked_packets().use_uber_loss_algorithm()) {
-    // This may have changed the retransmission timer, so re-arm it.
-    SetRetransmissionAlarm();
-  }
+  // This may have changed the retransmission timer, so re-arm it.
+  SetRetransmissionAlarm();
   // The client should immediately ack the SHLO to confirm the handshake is
   // complete with the server.
-  if (perspective_ == Perspective::IS_CLIENT && !ack_queued_ &&
-      ack_frame_updated()) {
+  if (perspective_ == Perspective::IS_CLIENT && ack_frame_updated()) {
     ack_alarm_->Update(clock_->ApproximateNow(), QuicTime::Delta::Zero());
   }
 }
@@ -2841,50 +2388,24 @@ void QuicConnection::SendOrQueuePacket(SerializedPacket* packet) {
 
 void QuicConnection::OnPingTimeout() {
   if (!retransmission_alarm_->IsSet()) {
-    bool enable_half_rtt_tail_loss_probe =
-        sent_packet_manager_.enable_half_rtt_tail_loss_probe();
-    if (enable_half_rtt_tail_loss_probe &&
-        GetQuicReloadableFlag(quic_ignore_tlpr_if_sending_ping)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_tlpr_if_sending_ping, 1, 2);
-      sent_packet_manager_.set_enable_half_rtt_tail_loss_probe(false);
-    }
     visitor_->SendPing();
-    if (enable_half_rtt_tail_loss_probe &&
-        GetQuicReloadableFlag(quic_ignore_tlpr_if_sending_ping)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_tlpr_if_sending_ping, 2, 2);
-      sent_packet_manager_.set_enable_half_rtt_tail_loss_probe(true);
-    }
   }
 }
 
 void QuicConnection::SendAck() {
   DCHECK(!SupportsMultiplePacketNumberSpaces());
-  if (!received_packet_manager_.decide_when_to_send_acks()) {
-    // When received_packet_manager decides when to send ack, delaying
-    // ResetAckStates until ACK is successfully flushed.
-    ResetAckStates();
+  QUIC_DVLOG(1) << ENDPOINT << "Sending an ACK proactively";
+  QuicFrames frames;
+  frames.push_back(GetUpdatedAckFrame());
+  if (!no_stop_waiting_frames_) {
+    QuicStopWaitingFrame stop_waiting;
+    PopulateStopWaitingFrame(&stop_waiting);
+    frames.push_back(QuicFrame(stop_waiting));
   }
-
-  if (packet_generator_.deprecate_ack_bundling_mode()) {
-    QUIC_DVLOG(1) << ENDPOINT << "Sending an ACK proactively";
-    QuicFrames frames;
-    frames.push_back(GetUpdatedAckFrame());
-    if (!no_stop_waiting_frames_) {
-      QuicStopWaitingFrame stop_waiting;
-      PopulateStopWaitingFrame(&stop_waiting);
-      frames.push_back(QuicFrame(stop_waiting));
-    }
-    if (received_packet_manager_.decide_when_to_send_acks()) {
-      if (!packet_generator_.FlushAckFrame(frames)) {
-        return;
-      }
-      ResetAckStates();
-    } else {
-      send_ack_when_on_can_write_ = !packet_generator_.FlushAckFrame(frames);
-    }
-  } else {
-    packet_generator_.SetShouldSendAck(!no_stop_waiting_frames_);
+  if (!packet_generator_.FlushAckFrame(frames)) {
+    return;
   }
+  ResetAckStates();
   if (consecutive_num_packets_with_no_retransmittable_frames_ <
       max_consecutive_num_packets_with_no_retransmittable_frames_) {
     return;
@@ -2906,6 +2427,13 @@ void QuicConnection::OnPathDegradingTimeout() {
 
 void QuicConnection::OnRetransmissionTimeout() {
   DCHECK(!sent_packet_manager_.unacked_packets().empty());
+  const QuicPacketNumber previous_created_packet_number =
+      packet_generator_.packet_number();
+  const size_t previous_crypto_retransmit_count =
+      stats_.crypto_retransmit_count;
+  const size_t previous_loss_timeout_count = stats_.loss_timeout_count;
+  const size_t previous_tlp_count = stats_.tlp_count;
+  const size_t pervious_rto_count = stats_.rto_count;
   if (close_connection_after_five_rtos_ &&
       sent_packet_manager_.GetConsecutiveRtoCount() >= 4) {
     // Close on the 5th consecutive RTO, so after 4 previous RTOs have occurred.
@@ -2930,6 +2458,29 @@ void QuicConnection::OnRetransmissionTimeout() {
     WriteIfNotBlocked();
   }
 
+  if (sent_packet_manager_.fix_rto_retransmission()) {
+    // Making sure at least one packet is created when retransmission timer
+    // fires in TLP, RTO or HANDSHAKE mode. It is possible that loss algorithm
+    // invokes timer based loss but the packet does not need to be
+    // retransmitted.
+    QUIC_BUG_IF(stats_.loss_timeout_count == previous_loss_timeout_count &&
+                packet_generator_.packet_number() ==
+                    previous_created_packet_number)
+        << "previous_crypto_retransmit_count: "
+        << previous_crypto_retransmit_count
+        << ", crypto_retransmit_count: " << stats_.crypto_retransmit_count
+        << ", previous_loss_timeout_count: " << previous_loss_timeout_count
+        << ", loss_timeout_count: " << stats_.loss_timeout_count
+        << ", previous_tlp_count: " << previous_tlp_count
+        << ", tlp_count: " << stats_.tlp_count
+        << ", pervious_rto_count: " << pervious_rto_count
+        << ", rto_count: " << stats_.rto_count
+        << ", previous_created_packet_number: "
+        << previous_created_packet_number
+        << ", packet_number: " << packet_generator_.packet_number()
+        << ", session has data to write: " << visitor_->WillingAndAbleToWrite();
+  }
+
   // Ensure the retransmission alarm is always set if there are unacked packets
   // and nothing waiting to be sent.
   // This happens if the loss algorithm invokes a timer based loss, but the
@@ -2951,9 +2502,9 @@ void QuicConnection::SetDiversificationNonce(
 }
 
 void QuicConnection::SetDefaultEncryptionLevel(EncryptionLevel level) {
-  if (level != encryption_level_ && packet_generator_.HasQueuedFrames()) {
+  if (level != encryption_level_ && packet_generator_.HasPendingFrames()) {
     // Flush all queued frames when encryption level changes.
-    ScopedPacketFlusher flusher(this, NO_ACK);
+    ScopedPacketFlusher flusher(this);
     packet_generator_.FlushAllQueuedFrames();
   }
   encryption_level_ = level;
@@ -3110,14 +2661,8 @@ void QuicConnection::CloseConnection(
     SendConnectionClosePacket(error, error_details);
   }
 
-  ConnectionCloseSource source = ConnectionCloseSource::FROM_SELF;
-  if (perspective_ == Perspective::IS_CLIENT &&
-      error == QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT) {
-    // Regard stateless rejected connection as closed by server.
-    source = ConnectionCloseSource::FROM_PEER;
-  }
-
-  TearDownLocalConnectionState(error, error_details, source);
+  TearDownLocalConnectionState(error, error_details,
+                               ConnectionCloseSource::FROM_SELF);
 }
 
 void QuicConnection::SendConnectionClosePacket(QuicErrorCode error,
@@ -3126,12 +2671,11 @@ void QuicConnection::SendConnectionClosePacket(QuicErrorCode error,
   SetDefaultEncryptionLevel(GetConnectionCloseEncryptionLevel());
   ClearQueuedPackets();
   // If there was a packet write error, write the smallest close possible.
-  AckBundling ack_mode = (error == QUIC_PACKET_WRITE_ERROR) ? NO_ACK : SEND_ACK;
-  ScopedPacketFlusher flusher(this, ack_mode);
+  ScopedPacketFlusher flusher(this);
   // When multiple packet number spaces is supported, an ACK frame will be
   // bundled when connection is not write blocked.
   if (!SupportsMultiplePacketNumberSpaces() &&
-      packet_generator_.deprecate_ack_bundling_mode() && ack_mode == SEND_ACK &&
+      error != QUIC_PACKET_WRITE_ERROR &&
       !GetUpdatedAckFrame().ack_frame->packets.Empty()) {
     SendAck();
   }
@@ -3139,11 +2683,15 @@ void QuicConnection::SendConnectionClosePacket(QuicErrorCode error,
       new QuicConnectionCloseFrame(error, details);
   // If version99/IETF QUIC set the close type. Default close type is Google
   // QUIC.
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     frame->close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
   }
   packet_generator_.ConsumeRetransmittableControlFrame(QuicFrame(frame));
   packet_generator_.FlushAllQueuedFrames();
+  if (GetQuicReloadableFlag(quic_clear_queued_packets_on_connection_close)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_clear_queued_packets_on_connection_close);
+    ClearQueuedPackets();
+  }
 }
 
 void QuicConnection::TearDownLocalConnectionState(
@@ -3159,9 +2707,12 @@ void QuicConnection::TearDownLocalConnectionState(
   FlushPackets();
   connected_ = false;
   DCHECK(visitor_ != nullptr);
-  visitor_->OnConnectionClosed(error, error_details, source);
+  // TODO(fkastenholz): When the IETF Transport Connection Close information
+  // gets plumbed in, expand this constructor to include that information.
+  QuicConnectionCloseFrame frame(error, error_details);
+  visitor_->OnConnectionClosed(frame, source);
   if (debug_visitor_ != nullptr) {
-    debug_visitor_->OnConnectionClosed(error, error_details, source);
+    debug_visitor_->OnConnectionClosed(frame, source);
   }
   // Cancel the alarms so they don't trigger any action now that the
   // connection is closed.
@@ -3192,11 +2743,7 @@ void QuicConnection::SetMaxPacketLength(QuicByteCount length) {
 
 bool QuicConnection::HasQueuedData() const {
   return pending_version_negotiation_packet_ || !queued_packets_.empty() ||
-         packet_generator_.HasQueuedFrames();
-}
-
-void QuicConnection::EnableSavingCryptoPackets() {
-  save_crypto_packets_as_termination_packets_ = true;
+         packet_generator_.HasPendingFrames();
 }
 
 bool QuicConnection::CanWriteStreamData() {
@@ -3370,15 +2917,13 @@ void QuicConnection::MaybeSetMtuAlarm(QuicPacketNumber sent_packet_number) {
 }
 
 void QuicConnection::MaybeSetAckAlarmTo(QuicTime time) {
-  DCHECK(packet_generator_.deprecate_ack_bundling_mode());
   if (!ack_alarm_->IsSet() || ack_alarm_->deadline() > time) {
     ack_alarm_->Update(time, QuicTime::Delta::Zero());
   }
 }
 
 QuicConnection::ScopedPacketFlusher::ScopedPacketFlusher(
-    QuicConnection* connection,
-    AckBundling ack_mode)
+    QuicConnection* connection)
     : connection_(connection),
       flush_and_set_pending_retransmission_alarm_on_delete_(false) {
   if (connection_ == nullptr) {
@@ -3389,86 +2934,41 @@ QuicConnection::ScopedPacketFlusher::ScopedPacketFlusher(
     flush_and_set_pending_retransmission_alarm_on_delete_ = true;
     connection->packet_generator_.AttachPacketFlusher();
   }
-  if (connection_->packet_generator_.deprecate_ack_bundling_mode()) {
-    return;
-  }
-
-  // If caller wants us to include an ack, check the delayed-ack timer to see if
-  // there's ack info to be sent.
-  if (ShouldSendAck(ack_mode)) {
-    if (!connection_->GetUpdatedAckFrame().ack_frame->packets.Empty()) {
-      QUIC_DVLOG(1) << "Bundling ack with outgoing packet.";
-      connection_->SendAck();
-    }
-  }
-}
-
-bool QuicConnection::ScopedPacketFlusher::ShouldSendAck(
-    AckBundling ack_mode) const {
-  DCHECK(!connection_->packet_generator_.deprecate_ack_bundling_mode());
-  // If the ack alarm is set, make sure the ack has been updated.
-  DCHECK(!connection_->ack_alarm_->IsSet() || connection_->ack_frame_updated())
-      << "ack_mode:" << ack_mode;
-  switch (ack_mode) {
-    case SEND_ACK:
-      return true;
-    case SEND_ACK_IF_QUEUED:
-      return connection_->ack_queued();
-    case SEND_ACK_IF_PENDING:
-      return connection_->ack_alarm_->IsSet() ||
-             connection_->stop_waiting_count_ > 1;
-    case NO_ACK:
-      return false;
-    default:
-      QUIC_BUG << "Unsupported ack_mode.";
-      return true;
-  }
 }
 
 QuicConnection::ScopedPacketFlusher::~ScopedPacketFlusher() {
-  if (connection_ == nullptr) {
+  if (connection_ == nullptr || !connection_->connected()) {
     return;
   }
 
   if (flush_and_set_pending_retransmission_alarm_on_delete_) {
-    if (connection_->packet_generator_.deprecate_ack_bundling_mode()) {
-      if (connection_->received_packet_manager_.decide_when_to_send_acks()) {
-        const QuicTime ack_timeout =
-            connection_->use_uber_received_packet_manager_
-                ? connection_->uber_received_packet_manager_
-                      .GetEarliestAckTimeout()
-                : connection_->received_packet_manager_.ack_timeout();
-        if (ack_timeout.IsInitialized()) {
-          if (ack_timeout <= connection_->clock_->ApproximateNow() &&
-              !connection_->CanWrite(NO_RETRANSMITTABLE_DATA)) {
-            // Cancel ACK alarm if connection is write blocked, and ACK will be
-            // sent when connection gets unblocked.
-            connection_->ack_alarm_->Cancel();
-          } else {
-            connection_->MaybeSetAckAlarmTo(ack_timeout);
-          }
-        }
+    const QuicTime ack_timeout =
+        connection_->uber_received_packet_manager_.GetEarliestAckTimeout();
+    if (ack_timeout.IsInitialized()) {
+      if (ack_timeout <= connection_->clock_->ApproximateNow() &&
+          !connection_->CanWrite(NO_RETRANSMITTABLE_DATA)) {
+        // Cancel ACK alarm if connection is write blocked, and ACK will be
+        // sent when connection gets unblocked.
+        connection_->ack_alarm_->Cancel();
+      } else {
+        connection_->MaybeSetAckAlarmTo(ack_timeout);
       }
-      if (connection_->ack_alarm_->IsSet() &&
-          connection_->ack_alarm_->deadline() <=
+    }
+    if (connection_->ack_alarm_->IsSet() &&
+        connection_->ack_alarm_->deadline() <=
+            connection_->clock_->ApproximateNow()) {
+      // An ACK needs to be sent right now. This ACK did not get bundled
+      // because either there was no data to write or packets were marked as
+      // received after frames were queued in the generator.
+      if (connection_->send_alarm_->IsSet() &&
+          connection_->send_alarm_->deadline() <=
               connection_->clock_->ApproximateNow()) {
-        // An ACK needs to be sent right now. This ACK did not get bundled
-        // because either there was no data to write or packets were marked as
-        // received after frames were queued in the generator.
-        if (connection_->send_alarm_->IsSet() &&
-            connection_->send_alarm_->deadline() <=
-                connection_->clock_->ApproximateNow()) {
-          // If send alarm will go off soon, let send alarm send the ACK.
-          connection_->ack_alarm_->Cancel();
-          if (!connection_->received_packet_manager_
-                   .decide_when_to_send_acks()) {
-            connection_->send_ack_when_on_can_write_ = true;
-          }
-        } else if (connection_->SupportsMultiplePacketNumberSpaces()) {
-          connection_->SendAllPendingAcks();
-        } else {
-          connection_->SendAck();
-        }
+        // If send alarm will go off soon, let send alarm send the ACK.
+        connection_->ack_alarm_->Cancel();
+      } else if (connection_->SupportsMultiplePacketNumberSpaces()) {
+        connection_->SendAllPendingAcks();
+      } else {
+        connection_->SendAck();
       }
     }
     connection_->packet_generator_.Flush();
@@ -3527,10 +3027,6 @@ bool QuicConnection::IsTerminationPacket(const SerializedPacket& packet) {
     if (frame.type == CONNECTION_CLOSE_FRAME) {
       return true;
     }
-    if (save_crypto_packets_as_termination_packets_ &&
-        QuicUtils::IsHandshakeFrame(frame, transport_version())) {
-      return true;
-    }
   }
   return false;
 }
@@ -3615,7 +3111,7 @@ bool QuicConnection::SendGenericPathProbePacket(
                   << server_connection_id_;
 
   OwningSerializedPacketPointer probing_packet;
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // Non-IETF QUIC, generate a padded ping regardless of whether this is a
     // request or a response.
     probing_packet = packet_generator_.SerializeConnectivityProbingPacket();
@@ -3769,10 +3265,7 @@ bool QuicConnection::IsCurrentPacketConnectivityProbing() const {
 }
 
 bool QuicConnection::ack_frame_updated() const {
-  if (use_uber_received_packet_manager_) {
-    return uber_received_packet_manager_.IsAckFrameUpdated();
-  }
-  return received_packet_manager_.ack_frame_updated();
+  return uber_received_packet_manager_.IsAckFrameUpdated();
 }
 
 QuicStringPiece QuicConnection::GetCurrentPacket() {
@@ -3917,14 +3410,12 @@ void QuicConnection::MaybeEnableSessionDecidesWhatToWrite() {
 void QuicConnection::PostProcessAfterAckFrame(bool send_stop_waiting,
                                               bool acked_new_packet) {
   if (no_stop_waiting_frames_) {
-    if (use_uber_received_packet_manager_) {
-      uber_received_packet_manager_.DontWaitForPacketsBefore(
-          last_decrypted_packet_level_,
-          sent_packet_manager_.largest_packet_peer_knows_is_acked());
-    } else {
-      received_packet_manager_.DontWaitForPacketsBefore(
-          sent_packet_manager_.largest_packet_peer_knows_is_acked());
-    }
+    uber_received_packet_manager_.DontWaitForPacketsBefore(
+        last_decrypted_packet_level_,
+        SupportsMultiplePacketNumberSpaces()
+            ? sent_packet_manager_.GetLargestPacketPeerKnowsIsAcked(
+                  last_decrypted_packet_level_)
+            : sent_packet_manager_.largest_packet_peer_knows_is_acked());
   }
   // Always reset the retransmission alarm when an ack comes in, since we now
   // have a better estimate of the current rtt than when it was set.
@@ -3984,22 +3475,13 @@ void QuicConnection::UpdateReleaseTimeIntoFuture() {
 
 void QuicConnection::ResetAckStates() {
   ack_alarm_->Cancel();
-  ack_queued_ = false;
   stop_waiting_count_ = 0;
-  num_retransmittable_packets_received_since_last_ack_sent_ = 0;
-  num_packets_received_since_last_ack_sent_ = 0;
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    if (use_uber_received_packet_manager_) {
-      uber_received_packet_manager_.ResetAckStates(encryption_level_);
-    } else {
-      received_packet_manager_.ResetAckStates();
-    }
-  }
+  uber_received_packet_manager_.ResetAckStates(encryption_level_);
 }
 
 MessageStatus QuicConnection::SendMessage(QuicMessageId message_id,
                                           QuicMemSliceSpan message) {
-  if (transport_version() <= QUIC_VERSION_44) {
+  if (!VersionSupportsMessageFrames(transport_version())) {
     QUIC_BUG << "MESSAGE frame is not supported for version "
              << transport_version();
     return MESSAGE_STATUS_UNSUPPORTED;
@@ -4010,7 +3492,7 @@ MessageStatus QuicConnection::SendMessage(QuicMessageId message_id,
   if (!CanWrite(HAS_RETRANSMITTABLE_DATA)) {
     return MESSAGE_STATUS_BLOCKED;
   }
-  ScopedPacketFlusher flusher(this, SEND_ACK_IF_PENDING);
+  ScopedPacketFlusher flusher(this);
   return packet_generator_.AddMessageFrame(message_id, message);
 }
 
@@ -4029,23 +3511,6 @@ uint32_t QuicConnection::cipher_id() const {
   return framer_.decrypter()->cipher_id();
 }
 
-bool QuicConnection::ShouldSetAckAlarm() const {
-  DCHECK(ack_frame_updated());
-  if (ack_alarm_->IsSet()) {
-    // ACK alarm has been set.
-    return false;
-  }
-  if (GetQuicReloadableFlag(quic_fix_spurious_ack_alarm) &&
-      packet_generator_.should_send_ack()) {
-    // If the generator is already configured to send an ACK, then there is no
-    // need to schedule the ACK alarm. The updated ACK information will be sent
-    // when the generator flushes.
-    QUIC_RELOADABLE_FLAG_COUNT(quic_fix_spurious_ack_alarm);
-    return false;
-  }
-  return true;
-}
-
 EncryptionLevel QuicConnection::GetConnectionCloseEncryptionLevel() const {
   if (perspective_ == Perspective::IS_CLIENT) {
     return encryption_level_;
@@ -4059,7 +3524,7 @@ EncryptionLevel QuicConnection::GetConnectionCloseEncryptionLevel() const {
   }
   if (framer_.HasEncrypterOfEncryptionLevel(ENCRYPTION_ZERO_RTT)) {
     if (encryption_level_ != ENCRYPTION_ZERO_RTT) {
-      if (transport_version() > QUIC_VERSION_43) {
+      if (VersionHasIetfInvariantHeader(transport_version())) {
         QUIC_CODE_COUNT(quic_wrong_encryption_level_connection_close_ietf);
       } else {
         QUIC_CODE_COUNT(quic_wrong_encryption_level_connection_close);
@@ -4133,12 +3598,7 @@ void QuicConnection::SendAllPendingAcks() {
 }
 
 void QuicConnection::MaybeEnableMultiplePacketNumberSpacesSupport() {
-  const bool enable_multiple_packet_number_spaces =
-      version().handshake_protocol == PROTOCOL_TLS1_3 &&
-      use_uber_received_packet_manager_ &&
-      sent_packet_manager_.use_uber_loss_algorithm() &&
-      GetQuicRestartFlag(quic_enable_accept_random_ipn);
-  if (!enable_multiple_packet_number_spaces) {
+  if (version().handshake_protocol != PROTOCOL_TLS1_3) {
     return;
   }
   QUIC_DVLOG(1) << ENDPOINT << "connection " << connection_id()
@@ -4187,61 +3647,27 @@ QuicPacketNumber QuicConnection::GetLargestAckedPacket() const {
 }
 
 QuicPacketNumber QuicConnection::GetLargestReceivedPacket() const {
-  if (use_uber_received_packet_manager_) {
-    return uber_received_packet_manager_.GetLargestObserved(
-        last_decrypted_packet_level_);
-  }
-  return received_packet_manager_.GetLargestObserved();
+  return uber_received_packet_manager_.GetLargestObserved(
+      last_decrypted_packet_level_);
 }
 
 size_t QuicConnection::min_received_before_ack_decimation() const {
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    if (use_uber_received_packet_manager_) {
-      return uber_received_packet_manager_.min_received_before_ack_decimation();
-    }
-    return received_packet_manager_.min_received_before_ack_decimation();
-  }
-  return min_received_before_ack_decimation_;
+  return uber_received_packet_manager_.min_received_before_ack_decimation();
 }
 
 void QuicConnection::set_min_received_before_ack_decimation(size_t new_value) {
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    if (use_uber_received_packet_manager_) {
-      uber_received_packet_manager_.set_min_received_before_ack_decimation(
-          new_value);
-    } else {
-      received_packet_manager_.set_min_received_before_ack_decimation(
-          new_value);
-    }
-  } else {
-    min_received_before_ack_decimation_ = new_value;
-  }
+  uber_received_packet_manager_.set_min_received_before_ack_decimation(
+      new_value);
 }
 
 size_t QuicConnection::ack_frequency_before_ack_decimation() const {
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    if (use_uber_received_packet_manager_) {
-      return uber_received_packet_manager_
-          .ack_frequency_before_ack_decimation();
-    }
-    return received_packet_manager_.ack_frequency_before_ack_decimation();
-  }
-  return ack_frequency_before_ack_decimation_;
+  return uber_received_packet_manager_.ack_frequency_before_ack_decimation();
 }
 
 void QuicConnection::set_ack_frequency_before_ack_decimation(size_t new_value) {
   DCHECK_GT(new_value, 0u);
-  if (received_packet_manager_.decide_when_to_send_acks()) {
-    if (use_uber_received_packet_manager_) {
-      uber_received_packet_manager_.set_ack_frequency_before_ack_decimation(
-          new_value);
-    } else {
-      received_packet_manager_.set_ack_frequency_before_ack_decimation(
-          new_value);
-    }
-  } else {
-    ack_frequency_before_ack_decimation_ = new_value;
-  }
+  uber_received_packet_manager_.set_ack_frequency_before_ack_decimation(
+      new_value);
 }
 
 const QuicAckFrame& QuicConnection::ack_frame() const {
@@ -4249,10 +3675,25 @@ const QuicAckFrame& QuicConnection::ack_frame() const {
     return uber_received_packet_manager_.GetAckFrame(
         QuicUtils::GetPacketNumberSpace(last_decrypted_packet_level_));
   }
-  if (use_uber_received_packet_manager_) {
-    return uber_received_packet_manager_.ack_frame();
+  return uber_received_packet_manager_.ack_frame();
+}
+
+void QuicConnection::set_client_connection_id(
+    QuicConnectionId client_connection_id) {
+  if (!version().SupportsClientConnectionIds()) {
+    QUIC_BUG_IF(!client_connection_id.IsEmpty())
+        << ENDPOINT << "Attempted to use client connection ID "
+        << client_connection_id << " with unsupported version " << version();
+    return;
   }
-  return received_packet_manager_.ack_frame();
+  client_connection_id_ = client_connection_id;
+  client_connection_id_is_set_ = true;
+  QUIC_DLOG(INFO) << ENDPOINT << "setting client connection ID to "
+                  << client_connection_id_
+                  << " for connection with server connection ID "
+                  << server_connection_id_;
+  packet_generator_.SetClientConnectionId(client_connection_id_);
+  framer_.SetExpectedClientConnectionIdLength(client_connection_id_.length());
 }
 
 #undef ENDPOINT  // undef for jumbo builds
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection.h b/chromium/net/third_party/quiche/src/quic/core/quic_connection.h
index 9392f26e949..59a3656364d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection.h
@@ -26,7 +26,7 @@
 
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_alarm.h"
 #include "net/third_party/quiche/src/quic/core/quic_alarm_factory.h"
 #include "net/third_party/quiche/src/quic/core/quic_blocked_writer_interface.h"
@@ -124,8 +124,7 @@ class QUIC_EXPORT_PRIVATE QuicConnectionVisitorInterface {
 
   // Called when the connection is closed either locally by the framer, or
   // remotely by the peer.
-  virtual void OnConnectionClosed(QuicErrorCode error,
-                                  const std::string& error_details,
+  virtual void OnConnectionClosed(const QuicConnectionCloseFrame& frame,
                                   ConnectionCloseSource source) = 0;
 
   // Called when the connection failed to write because the socket was blocked.
@@ -201,107 +200,107 @@ class QUIC_EXPORT_PRIVATE QuicConnectionDebugVisitor
   ~QuicConnectionDebugVisitor() override {}
 
   // Called when a packet has been sent.
-  virtual void OnPacketSent(const SerializedPacket& serialized_packet,
-                            QuicPacketNumber original_packet_number,
-                            TransmissionType transmission_type,
-                            QuicTime sent_time) {}
+  virtual void OnPacketSent(const SerializedPacket& /*serialized_packet*/,
+                            QuicPacketNumber /*original_packet_number*/,
+                            TransmissionType /*transmission_type*/,
+                            QuicTime /*sent_time*/) {}
 
   // Called when a PING frame has been sent.
   virtual void OnPingSent() {}
 
   // Called when a packet has been received, but before it is
   // validated or parsed.
-  virtual void OnPacketReceived(const QuicSocketAddress& self_address,
-                                const QuicSocketAddress& peer_address,
-                                const QuicEncryptedPacket& packet) {}
+  virtual void OnPacketReceived(const QuicSocketAddress& /*self_address*/,
+                                const QuicSocketAddress& /*peer_address*/,
+                                const QuicEncryptedPacket& /*packet*/) {}
 
   // Called when the unauthenticated portion of the header has been parsed.
-  virtual void OnUnauthenticatedHeader(const QuicPacketHeader& header) {}
+  virtual void OnUnauthenticatedHeader(const QuicPacketHeader& /*header*/) {}
 
   // Called when a packet is received with a connection id that does not
   // match the ID of this connection.
-  virtual void OnIncorrectConnectionId(QuicConnectionId connection_id) {}
+  virtual void OnIncorrectConnectionId(QuicConnectionId /*connection_id*/) {}
 
   // Called when an undecryptable packet has been received.
   virtual void OnUndecryptablePacket() {}
 
   // Called when a duplicate packet has been received.
-  virtual void OnDuplicatePacket(QuicPacketNumber packet_number) {}
+  virtual void OnDuplicatePacket(QuicPacketNumber /*packet_number*/) {}
 
   // Called when the protocol version on the received packet doensn't match
   // current protocol version of the connection.
-  virtual void OnProtocolVersionMismatch(ParsedQuicVersion version) {}
+  virtual void OnProtocolVersionMismatch(ParsedQuicVersion /*version*/) {}
 
   // Called when the complete header of a packet has been parsed.
-  virtual void OnPacketHeader(const QuicPacketHeader& header) {}
+  virtual void OnPacketHeader(const QuicPacketHeader& /*header*/) {}
 
   // Called when a StreamFrame has been parsed.
-  virtual void OnStreamFrame(const QuicStreamFrame& frame) {}
+  virtual void OnStreamFrame(const QuicStreamFrame& /*frame*/) {}
 
   // Called when a StopWaitingFrame has been parsed.
-  virtual void OnStopWaitingFrame(const QuicStopWaitingFrame& frame) {}
+  virtual void OnStopWaitingFrame(const QuicStopWaitingFrame& /*frame*/) {}
 
   // Called when a QuicPaddingFrame has been parsed.
-  virtual void OnPaddingFrame(const QuicPaddingFrame& frame) {}
+  virtual void OnPaddingFrame(const QuicPaddingFrame& /*frame*/) {}
 
   // Called when a Ping has been parsed.
-  virtual void OnPingFrame(const QuicPingFrame& frame) {}
+  virtual void OnPingFrame(const QuicPingFrame& /*frame*/) {}
 
   // Called when a GoAway has been parsed.
-  virtual void OnGoAwayFrame(const QuicGoAwayFrame& frame) {}
+  virtual void OnGoAwayFrame(const QuicGoAwayFrame& /*frame*/) {}
 
   // Called when a RstStreamFrame has been parsed.
-  virtual void OnRstStreamFrame(const QuicRstStreamFrame& frame) {}
+  virtual void OnRstStreamFrame(const QuicRstStreamFrame& /*frame*/) {}
 
   // Called when a ConnectionCloseFrame has been parsed. All forms
   // of CONNECTION CLOSE are handled, Google QUIC, IETF QUIC
   // CONNECTION CLOSE/Transport and IETF QUIC CONNECTION CLOSE/Application
-  virtual void OnConnectionCloseFrame(const QuicConnectionCloseFrame& frame) {}
+  virtual void OnConnectionCloseFrame(
+      const QuicConnectionCloseFrame& /*frame*/) {}
 
   // Called when a WindowUpdate has been parsed.
-  virtual void OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame,
-                                   const QuicTime& receive_time) {}
+  virtual void OnWindowUpdateFrame(const QuicWindowUpdateFrame& /*frame*/,
+                                   const QuicTime& /*receive_time*/) {}
 
   // Called when a BlockedFrame has been parsed.
-  virtual void OnBlockedFrame(const QuicBlockedFrame& frame) {}
+  virtual void OnBlockedFrame(const QuicBlockedFrame& /*frame*/) {}
 
   // Called when a MessageFrame has been parsed.
-  virtual void OnMessageFrame(const QuicMessageFrame& frame) {}
+  virtual void OnMessageFrame(const QuicMessageFrame& /*frame*/) {}
 
   // Called when a public reset packet has been received.
-  virtual void OnPublicResetPacket(const QuicPublicResetPacket& packet) {}
+  virtual void OnPublicResetPacket(const QuicPublicResetPacket& /*packet*/) {}
 
   // Called when a version negotiation packet has been received.
   virtual void OnVersionNegotiationPacket(
-      const QuicVersionNegotiationPacket& packet) {}
+      const QuicVersionNegotiationPacket& /*packet*/) {}
 
   // Called when the connection is closed.
-  virtual void OnConnectionClosed(QuicErrorCode error,
-                                  const std::string& error_details,
-                                  ConnectionCloseSource source) {}
+  virtual void OnConnectionClosed(const QuicConnectionCloseFrame& /*frame*/,
+                                  ConnectionCloseSource /*source*/) {}
 
   // Called when the version negotiation is successful.
   virtual void OnSuccessfulVersionNegotiation(
-      const ParsedQuicVersion& version) {}
+      const ParsedQuicVersion& /*version*/) {}
 
   // Called when a CachedNetworkParameters is sent to the client.
   virtual void OnSendConnectionState(
-      const CachedNetworkParameters& cached_network_params) {}
+      const CachedNetworkParameters& /*cached_network_params*/) {}
 
   // Called when a CachedNetworkParameters are received from the client.
   virtual void OnReceiveConnectionState(
-      const CachedNetworkParameters& cached_network_params) {}
+      const CachedNetworkParameters& /*cached_network_params*/) {}
 
   // Called when the connection parameters are set from the supplied
   // |config|.
-  virtual void OnSetFromConfig(const QuicConfig& config) {}
+  virtual void OnSetFromConfig(const QuicConfig& /*config*/) {}
 
   // Called when RTT may have changed, including when an RTT is read from
   // the config.
-  virtual void OnRttChanged(QuicTime::Delta rtt) const {}
+  virtual void OnRttChanged(QuicTime::Delta /*rtt*/) const {}
 
   // Called when a StopSendingFrame has been parsed.
-  virtual void OnStopSendingFrame(const QuicStopSendingFrame& frame) {}
+  virtual void OnStopSendingFrame(const QuicStopSendingFrame& /*frame*/) {}
 };
 
 class QUIC_EXPORT_PRIVATE QuicConnectionHelperInterface {
@@ -324,19 +323,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
       public QuicPacketGenerator::DelegateInterface,
       public QuicSentPacketManager::NetworkChangeVisitor {
  public:
-  // TODO(fayang): Remove this enum when deprecating
-  // quic_deprecate_ack_bundling_mode.
-  enum AckBundling {
-    // Send an ack if it's already queued in the connection.
-    SEND_ACK_IF_QUEUED,
-    // Always send an ack.
-    SEND_ACK,
-    // Bundle an ack with outgoing data.
-    SEND_ACK_IF_PENDING,
-    // Do not send ack.
-    NO_ACK,
-  };
-
   // Constructs a new QuicConnection for |connection_id| and
   // |initial_peer_address| using |writer| to write packets. |owns_writer|
   // specifies whether the connection takes ownership of |writer|. |helper| must
@@ -477,8 +463,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
 
   // From QuicFramerVisitorInterface
   void OnError(QuicFramer* framer) override;
-  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version,
-                                 PacketHeaderFormat form) override;
+  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version) override;
   void OnPacket() override;
   void OnPublicResetPacket(const QuicPublicResetPacket& packet) override;
   void OnVersionNegotiationPacket(
@@ -526,10 +511,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   bool ShouldGeneratePacket(HasRetransmittableData retransmittable,
                             IsHandshake handshake) override;
   const QuicFrames MaybeBundleAckOpportunistically() override;
-  // Please note, this is not a const function. For logging purpose, please use
-  // ack_frame().
-  const QuicFrame GetUpdatedAckFrame() override;
-  void PopulateStopWaitingFrame(QuicStopWaitingFrame* stop_waiting) override;
 
   // QuicPacketCreator::DelegateInterface
   char* GetPacketBuffer() override;
@@ -541,6 +522,10 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   void OnCongestionChange() override;
   void OnPathMtuIncreased(QuicPacketLength packet_size) override;
 
+  // Please note, this is not a const function. For logging purpose, please use
+  // ack_frame().
+  const QuicFrame GetUpdatedAckFrame();
+
   // Called by the crypto stream when the handshake completes. In the server's
   // case this is when the SHLO has been ACKed. Clients call this on receipt of
   // the SHLO.
@@ -582,6 +567,10 @@ class QUIC_EXPORT_PRIVATE QuicConnection
     return effective_peer_address_;
   }
   QuicConnectionId connection_id() const { return server_connection_id_; }
+  QuicConnectionId client_connection_id() const {
+    return client_connection_id_;
+  }
+  void set_client_connection_id(QuicConnectionId client_connection_id);
   const QuicClock* clock() const { return clock_; }
   QuicRandom* random_generator() const { return random_generator_; }
   QuicByteCount max_packet_length() const;
@@ -600,10 +589,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // Testing only.
   size_t NumQueuedPackets() const { return queued_packets_.size(); }
 
-  // Once called, any sent crypto packets to be saved as the
-  // termination packet, for use with stateless rejections.
-  void EnableSavingCryptoPackets();
-
   // Returns true if the underlying UDP socket is writable, there is
   // no queued data and the connection is not congestion-control
   // blocked.
@@ -707,16 +692,10 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // information to be sent.
   class QUIC_EXPORT_PRIVATE ScopedPacketFlusher {
    public:
-    // Setting |include_ack| to true ensures that an ACK frame is
-    // opportunistically bundled with the first outgoing packet.
-    // TODO(fayang): Remove |ack_mode| when deprecating
-    // quic_deprecate_ack_bundling_mode.
-    ScopedPacketFlusher(QuicConnection* connection, AckBundling ack_mode);
+    explicit ScopedPacketFlusher(QuicConnection* connection);
     ~ScopedPacketFlusher();
 
    private:
-    bool ShouldSendAck(AckBundling ack_mode) const;
-
     QuicConnection* connection_;
     // If true, when this flusher goes out of scope, flush connection and set
     // retransmission alarm if there is one pending.
@@ -780,8 +759,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
     return termination_packets_.get();
   }
 
-  bool ack_queued() const { return ack_queued_; }
-
   bool ack_frame_updated() const;
 
   QuicConnectionHelperInterface* helper() { return helper_; }
@@ -891,6 +868,11 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // For logging purpose.
   const QuicAckFrame& ack_frame() const;
 
+  // Install encrypter and decrypter for ENCRYPTION_INITIAL using
+  // |connection_id| as the first client-sent destination connection ID,
+  // or the one sent after an IETF Retry.
+  void InstallInitialCrypters(QuicConnectionId connection_id);
+
  protected:
   // Calls cancel() on all the alarms owned by this connection.
   void CancelAllAlarms();
@@ -1028,10 +1010,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // acks and pending writes if an ack opened the congestion window.
   void MaybeSendInResponseToPacket();
 
-  // Queue an ack or set the ack alarm if needed.  |was_missing| is true if
-  // the most recently received packet was formerly missing.
-  void MaybeQueueAck(bool was_missing);
-
   // Gets the least unacked packet number, which is the next packet number to be
   // sent if there are no outstanding packets.
   QuicPacketNumber GetLeastUnacked() const;
@@ -1116,14 +1094,12 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // num_retransmittable_packets_received_since_last_ack_sent_ etc.
   void ResetAckStates();
 
+  void PopulateStopWaitingFrame(QuicStopWaitingFrame* stop_waiting);
+
   // Enables multiple packet number spaces support based on handshake protocol
   // and flags.
   void MaybeEnableMultiplePacketNumberSpacesSupport();
 
-  // Returns true if ack alarm is not set and there is no pending ack in the
-  // generator.
-  bool ShouldSetAckAlarm() const;
-
   // Returns the encryption level the connection close packet should be sent at,
   // which is the highest encryption level that peer can guarantee to process.
   EncryptionLevel GetConnectionCloseEncryptionLevel() const;
@@ -1144,9 +1120,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // Whether incoming_connection_ids_ contains connection_id.
   bool HasIncomingConnectionId(QuicConnectionId connection_id);
 
-  // Install encrypter and decrypter for ENCRYPTION_INITIAL.
-  void InstallInitialCrypters();
-
   QuicFramer framer_;
 
   // Contents received in the current packet, especially used to identify
@@ -1173,6 +1146,10 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   QuicRandom* random_generator_;
 
   QuicConnectionId server_connection_id_;
+  QuicConnectionId client_connection_id_;
+  // On the server, the connection ID is set when receiving the first packet.
+  // This variable ensures we only set it this way once.
+  bool client_connection_id_is_set_;
   // Address on the last successfully processed packet received from the
   // direct peer.
   QuicSocketAddress self_address_;
@@ -1205,10 +1182,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   EncryptionLevel last_decrypted_packet_level_;
   QuicPacketHeader last_header_;
   bool should_last_packet_instigate_acks_;
-  // Whether the most recent packet was missing before it was received.
-  // TODO(fayang): Remove was_last_packet_missing_ when deprecating
-  // quic_rpm_decides_when_to_send_acks.
-  bool was_last_packet_missing_;
 
   // Track some peer state so we can do less bookkeeping
   // Largest sequence sent by the peer which had an ack frame (latest ack info).
@@ -1252,9 +1225,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // the original scope of the SerializedPacket.
   QueuedPacketList queued_packets_;
 
-  // If true, then crypto packets will be saved as termination packets.
-  bool save_crypto_packets_as_termination_packets_;
-
   // Contains the connection close packets if the connection has been closed.
   std::unique_ptr<std::vector<std::unique_ptr<QuicEncryptedPacket>>>
       termination_packets_;
@@ -1269,40 +1239,12 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // 200ms, this is over 5 seconds.
   bool close_connection_after_five_rtos_;
 
-  // TODO(fayang): remove received_packet_manager_ when deprecating
-  // quic_use_uber_received_packet_manager.
-  QuicReceivedPacketManager received_packet_manager_;
-  // Used when use_uber_received_packet_manager_ is true.
   UberReceivedPacketManager uber_received_packet_manager_;
 
-  // Indicates whether an ack should be sent the next time we try to write.
-  // TODO(fayang): Remove ack_queued_ when deprecating
-  // quic_deprecate_ack_bundling_mode.
-  bool ack_queued_;
-  // How many retransmittable packets have arrived without sending an ack.
-  // TODO(fayang): Remove
-  // num_retransmittable_packets_received_since_last_ack_sent_ when deprecating
-  // quic_rpm_decides_when_to_send_acks.
-  QuicPacketCount num_retransmittable_packets_received_since_last_ack_sent_;
-  // How many consecutive packets have arrived without sending an ack.
-  QuicPacketCount num_packets_received_since_last_ack_sent_;
   // Indicates how many consecutive times an ack has arrived which indicates
   // the peer needs to stop waiting for some packets.
   // TODO(fayang): remove this when deprecating quic_simplify_stop_waiting.
   int stop_waiting_count_;
-  // TODO(fayang): Remove ack_mode_, ack_decimation_delay_,
-  // unlimited_ack_decimation_, fast_ack_after_quiescence_ when deprecating
-  // quic_rpm_decides_when_to_send_acks.
-  // Indicates the current ack mode, defaults to acking every 2 packets.
-  AckMode ack_mode_;
-  // The max delay in fraction of min_rtt to use when sending decimated acks.
-  float ack_decimation_delay_;
-  // When true, removes ack decimation's max number of packets(10) before
-  // sending an ack.
-  bool unlimited_ack_decimation_;
-  // When true, use a 1ms delayed ack timer if it's been an SRTT since a packet
-  // was received.
-  bool fast_ack_after_quiescence_;
 
   // Indicates the retransmission alarm needs to be set.
   bool pending_retransmission_alarm_;
@@ -1363,31 +1305,13 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // This is used for timeouts, and does not indicate the packet was processed.
   QuicTime time_of_last_received_packet_;
 
-  // The time the previous ack-instigating packet was received and processed.
-  // TODO(fayang): Remove time_of_previous_received_packet_ when deprecating
-  // quic_rpm_decides_when_to_send_acks.
-  QuicTime time_of_previous_received_packet_;
-
   // Sent packet manager which tracks the status of packets sent by this
   // connection and contains the send and receive algorithms to determine when
   // to send packets.
   QuicSentPacketManager sent_packet_manager_;
 
-  // The state of connection in version negotiation finite state machine.
-  enum QuicVersionNegotiationState {
-    START_NEGOTIATION = 0,
-    // Server-side this implies we've sent a version negotiation packet and are
-    // waiting on the client to select a compatible version.  Client-side this
-    // implies we've gotten a version negotiation packet, are retransmitting the
-    // initial packets with a supported version and are waiting for our first
-    // packet from the server.
-    NEGOTIATION_IN_PROGRESS,
-    // This indicates this endpoint has received a packet from the peer with a
-    // version this endpoint supports.  Version negotiation is complete, and the
-    // version number will no longer be sent with future packets.
-    NEGOTIATED_VERSION
-  };
-  QuicVersionNegotiationState version_negotiation_state_;
+  // Indicates whether connection version has been negotiated.
+  bool version_negotiated_;
 
   // Tracks if the connection was created by the server or the client.
   Perspective perspective_;
@@ -1448,16 +1372,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // from the peer. Default to kMaxConsecutiveNonRetransmittablePackets.
   size_t max_consecutive_num_packets_with_no_retransmittable_frames_;
 
-  // Ack decimation will start happening after this many packets are received.
-  // TODO(fayang): Remove min_received_before_ack_decimation_ when deprecating
-  // quic_rpm_decides_when_to_send_acks.
-  size_t min_received_before_ack_decimation_;
-
-  // Before ack decimation starts (if enabled), we ack every n-th packet.
-  // TODO(fayang): Remove ack_frequency_before_ack_decimation_ when deprecating
-  // quic_rpm_decides_when_to_send_acks.
-  size_t ack_frequency_before_ack_decimation_;
-
   // If true, the connection will fill up the pipe with extra data whenever the
   // congestion controller needs it in order to make a bandwidth estimate.  This
   // is useful if the application pesistently underutilizes the link, but still
@@ -1491,12 +1405,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // Time this connection can release packets into the future.
   QuicTime::Delta release_time_into_future_;
 
-  // Indicates whether server connection does version negotiation. Server
-  // connection does not support version negotiation if a single version is
-  // provided in constructor.
-  const bool no_version_negotiation_;
-
-  // Payload of most recently transmitted QUIC_VERSION_99 connectivity
+  // Payload of most recently transmitted IETF QUIC connectivity
   // probe packet (the PATH_CHALLENGE payload). This implementation transmits
   // only one PATH_CHALLENGE per connectivity probe, so only one
   // QuicPathFrameBuffer is needed.
@@ -1513,22 +1422,8 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // vector to improve performance since it is expected to be very small.
   std::vector<QuicConnectionId> incoming_connection_ids_;
 
-  // Indicates whether an ACK needs to be sent in OnCanWrite(). Only used when
-  // deprecate_ack_bundling_mode is true.
-  // TODO(fayang): Remove this when ACK sending logic is moved to received
-  // packet manager, and an ACK timeout would be used to record when an ACK
-  // needs to be sent.
-  bool send_ack_when_on_can_write_;
-
   // Indicates whether a RETRY packet has been parsed.
   bool retry_has_been_parsed_;
-
-  // Latched value of quic_validate_packet_number_post_decryption.
-  const bool validate_packet_number_post_decryption_;
-
-  // Latched value of quic_rpm_decides_when_to_send_acks and
-  // quic_use_uber_received_packet_manager.
-  const bool use_uber_received_packet_manager_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.cc b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.cc
index 4022283b55f..c560bcca98f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.cc
@@ -4,11 +4,14 @@
 
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
 
+#include <cstddef>
 #include <cstdint>
 #include <cstring>
 #include <iomanip>
 #include <string>
 
+#include "third_party/boringssl/src/include/openssl/siphash.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
@@ -19,27 +22,102 @@
 
 namespace quic {
 
-QuicConnectionId::QuicConnectionId() : length_(0) {}
+namespace {
+
+// QuicConnectionIdHasher can be used to generate a stable connection ID hash
+// function that will return the same value for two equal connection IDs for
+// the duration of process lifetime. It is meant to be used as input to data
+// structures that do not outlast process lifetime. A new key is generated once
+// per process to prevent attackers from crafting connection IDs in such a way
+// that they always land in the same hash bucket.
+class QuicConnectionIdHasher {
+ public:
+  inline QuicConnectionIdHasher()
+      : QuicConnectionIdHasher(QuicRandom::GetInstance()) {}
+
+  explicit inline QuicConnectionIdHasher(QuicRandom* random) {
+    random->RandBytes(&sip_hash_key_, sizeof(sip_hash_key_));
+  }
+
+  inline size_t Hash(const char* input, size_t input_len) const {
+    return static_cast<size_t>(SIPHASH_24(
+        sip_hash_key_, reinterpret_cast<const uint8_t*>(input), input_len));
+  }
+
+ private:
+  uint64_t sip_hash_key_[2];
+};
+
+}  // namespace
+
+QuicConnectionId::QuicConnectionId() : QuicConnectionId(nullptr, 0) {}
 
 QuicConnectionId::QuicConnectionId(const char* data, uint8_t length) {
+  static_assert(
+      kQuicMaxConnectionIdLength <= std::numeric_limits<uint8_t>::max(),
+      "kQuicMaxConnectionIdLength too high");
   if (length > kQuicMaxConnectionIdLength) {
     QUIC_BUG << "Attempted to create connection ID of length " << length;
     length = kQuicMaxConnectionIdLength;
   }
   length_ = length;
-  if (length_ > 0) {
+  if (length_ == 0) {
+    return;
+  }
+  if (!GetQuicRestartFlag(quic_use_allocated_connection_ids)) {
     memcpy(data_, data, length_);
+    return;
+  }
+  QUIC_RESTART_FLAG_COUNT_N(quic_use_allocated_connection_ids, 1, 6);
+  if (length_ <= sizeof(data_short_)) {
+    memcpy(data_short_, data, length_);
+    return;
+  }
+  data_long_ = reinterpret_cast<char*>(malloc(length_));
+  CHECK_NE(nullptr, data_long_);
+  memcpy(data_long_, data, length_);
+}
+
+QuicConnectionId::~QuicConnectionId() {
+  if (!GetQuicRestartFlag(quic_use_allocated_connection_ids)) {
+    return;
+  }
+  QUIC_RESTART_FLAG_COUNT_N(quic_use_allocated_connection_ids, 2, 6);
+  if (length_ > sizeof(data_short_)) {
+    free(data_long_);
+    data_long_ = nullptr;
   }
 }
 
-QuicConnectionId::~QuicConnectionId() {}
+QuicConnectionId::QuicConnectionId(const QuicConnectionId& other)
+    : QuicConnectionId(other.data(), other.length()) {}
+
+QuicConnectionId& QuicConnectionId::operator=(const QuicConnectionId& other) {
+  set_length(other.length());
+  memcpy(mutable_data(), other.data(), length_);
+  return *this;
+}
 
 const char* QuicConnectionId::data() const {
-  return data_;
+  if (!GetQuicRestartFlag(quic_use_allocated_connection_ids)) {
+    return data_;
+  }
+  QUIC_RESTART_FLAG_COUNT_N(quic_use_allocated_connection_ids, 3, 6);
+  if (length_ <= sizeof(data_short_)) {
+    return data_short_;
+  }
+  return data_long_;
 }
 
 char* QuicConnectionId::mutable_data() {
-  return data_;
+  if (!GetQuicRestartFlag(quic_use_allocated_connection_ids)) {
+    return data_;
+  }
+  QUIC_RESTART_FLAG_COUNT_N(quic_use_allocated_connection_ids, 4, 6);
+  if (length_ <= sizeof(data_short_)) {
+    return data_short_;
+  }
+  return data_long_;
 }
 
 uint8_t QuicConnectionId::length() const {
@@ -47,6 +125,31 @@ uint8_t QuicConnectionId::length() const {
 }
 
 void QuicConnectionId::set_length(uint8_t length) {
+  if (GetQuicRestartFlag(quic_use_allocated_connection_ids)) {
+    QUIC_RESTART_FLAG_COUNT_N(quic_use_allocated_connection_ids, 5, 6);
+    char temporary_data[sizeof(data_short_)];
+    if (length > sizeof(data_short_)) {
+      if (length_ <= sizeof(data_short_)) {
+        // Copy data from data_short_ to data_long_.
+        memcpy(temporary_data, data_short_, length_);
+        data_long_ = reinterpret_cast<char*>(malloc(length));
+        CHECK_NE(nullptr, data_long_);
+        memcpy(data_long_, temporary_data, length_);
+      } else {
+        // Resize data_long_.
+        char* realloc_result =
+            reinterpret_cast<char*>(realloc(data_long_, length));
+        CHECK_NE(nullptr, realloc_result);
+        data_long_ = realloc_result;
+      }
+    } else if (length_ > sizeof(data_short_)) {
+      // Copy data from data_long_ to data_short_.
+      memcpy(temporary_data, data_long_, length);
+      free(data_long_);
+      data_long_ = nullptr;
+      memcpy(data_short_, temporary_data, length);
+    }
+  }
   length_ = length;
 }
 
@@ -55,20 +158,27 @@ bool QuicConnectionId::IsEmpty() const {
 }
 
 size_t QuicConnectionId::Hash() const {
-  uint64_t data_bytes[3] = {0, 0, 0};
-  static_assert(sizeof(data_bytes) >= sizeof(data_), "sizeof(data_) changed");
-  memcpy(data_bytes, data_, length_);
-  // This Hash function is designed to return the same value as the host byte
-  // order representation when the connection ID length is 64 bits.
-  return QuicEndian::NetToHost64(kQuicDefaultConnectionIdLength ^ length_ ^
-                                 data_bytes[0] ^ data_bytes[1] ^ data_bytes[2]);
+  if (!GetQuicRestartFlag(quic_connection_id_use_siphash)) {
+    uint64_t data_bytes[3] = {0, 0, 0};
+    static_assert(sizeof(data_bytes) >= kQuicMaxConnectionIdLength,
+                  "kQuicMaxConnectionIdLength changed");
+    memcpy(data_bytes, data(), length_);
+    // This Hash function is designed to return the same value as the host byte
+    // order representation when the connection ID length is 64 bits.
+    return QuicEndian::NetToHost64(kQuicDefaultConnectionIdLength ^ length_ ^
+                                   data_bytes[0] ^ data_bytes[1] ^
+                                   data_bytes[2]);
+  }
+  QUIC_RESTART_FLAG_COUNT(quic_connection_id_use_siphash);
+  static const QuicConnectionIdHasher hasher = QuicConnectionIdHasher();
+  return hasher.Hash(data(), length_);
 }
 
 std::string QuicConnectionId::ToString() const {
   if (IsEmpty()) {
     return std::string("0");
   }
-  return QuicTextUtils::HexEncode(data_, length_);
+  return QuicTextUtils::HexEncode(data(), length_);
 }
 
 std::ostream& operator<<(std::ostream& os, const QuicConnectionId& v) {
@@ -77,7 +187,7 @@ std::ostream& operator<<(std::ostream& os, const QuicConnectionId& v) {
 }
 
 bool QuicConnectionId::operator==(const QuicConnectionId& v) const {
-  return length_ == v.length_ && memcmp(data_, v.data_, length_) == 0;
+  return length_ == v.length_ && memcmp(data(), v.data(), length_) == 0;
 }
 
 bool QuicConnectionId::operator!=(const QuicConnectionId& v) const {
@@ -91,7 +201,7 @@ bool QuicConnectionId::operator<(const QuicConnectionId& v) const {
   if (length_ > v.length_) {
     return false;
   }
-  return memcmp(data_, v.data_, length_) < 0;
+  return memcmp(data(), v.data(), length_) < 0;
 }
 
 QuicConnectionId EmptyQuicConnectionId() {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.h b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.h
index d51366f75bb..6b1b0bc5ff5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.h
@@ -6,6 +6,7 @@
 #define QUICHE_QUIC_CORE_QUIC_CONNECTION_ID_H_
 
 #include <string>
+#include <vector>
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_uint128.h"
@@ -43,12 +44,21 @@ class QUIC_EXPORT_PRIVATE QuicConnectionId {
   // Creates a connection ID from network order bytes.
   QuicConnectionId(const char* data, uint8_t length);
 
+  // Creates a connection ID from another connection ID.
+  QuicConnectionId(const QuicConnectionId& other);
+
+  // Assignment operator.
+  QuicConnectionId& operator=(const QuicConnectionId& other);
+
   ~QuicConnectionId();
 
   // Returns the length of the connection ID, in bytes.
   uint8_t length() const;
 
   // Sets the length of the connection ID, in bytes.
+  // WARNING: Calling set_length() can change the in-memory location of the
+  // connection ID. Callers must therefore ensure they call data() or
+  // mutable_data() after they call set_length().
   void set_length(uint8_t length);
 
   // Returns a pointer to the connection ID bytes, in network byte order.
@@ -62,6 +72,11 @@ class QUIC_EXPORT_PRIVATE QuicConnectionId {
   bool IsEmpty() const;
 
   // Hash() is required to use connection IDs as keys in hash tables.
+  // During the lifetime of a process, the output of Hash() is guaranteed to be
+  // the same for connection IDs that are equal to one another. Note however
+  // that this property is not guaranteed across process lifetimes. This makes
+  // Hash() suitable for data structures such as hash tables but not for sending
+  // a hash over the network.
   size_t Hash() const;
 
   // Generates an ASCII string that represents
@@ -79,10 +94,21 @@ class QUIC_EXPORT_PRIVATE QuicConnectionId {
   bool operator<(const QuicConnectionId& v) const;
 
  private:
-  // The connection ID is represented in network byte order
-  // in the first |length_| bytes of |data_|.
-  char data_[kQuicMaxConnectionIdLength];
-  uint8_t length_;
+  uint8_t length_;  // length of the connection ID, in bytes.
+  // The connection ID is represented in network byte order.
+  union {
+    // When quic_use_allocated_connection_ids is false, the connection ID is
+    // stored in the first |length_| bytes of |data_|.
+    char data_[kQuicMaxConnectionIdLength];
+    // When quic_use_allocated_connection_ids is true, if the connection ID
+    // fits in |data_short_|, it is stored in the first |length_| bytes of
+    // |data_short_|. Otherwise it is stored in |data_long_| which is
+    // guaranteed to have a size equal to |length_|. A value of 11 was chosen
+    // because our commonly used connection ID length is 8 and with the length,
+    // the class is padded to 12 bytes anyway.
+    char data_short_[11];
+    char* data_long_;
+  };
 };
 
 // Creates a connection ID of length zero, unless the restart flag
@@ -91,6 +117,11 @@ class QUIC_EXPORT_PRIVATE QuicConnectionId {
 QUIC_EXPORT_PRIVATE QuicConnectionId EmptyQuicConnectionId();
 
 // QuicConnectionIdHash can be passed as hash argument to hash tables.
+// During the lifetime of a process, the output of QuicConnectionIdHash is
+// guaranteed to be the same for connection IDs that are equal to one another.
+// Note however that this property is not guaranteed across process lifetimes.
+// This makes QuicConnectionIdHash suitable for data structures such as hash
+// tables but not for sending a hash over the network.
 class QuicConnectionIdHash {
  public:
   size_t operator()(QuicConnectionId const& connection_id) const noexcept {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id_test.cc
index bbe04f95c2c..0d4b190dbd8 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id_test.cc
@@ -89,6 +89,70 @@ TEST_F(QuicConnectionIdTest, Hash) {
   EXPECT_NE(connection_id64_1.Hash(), connection_id64_2.Hash());
   EXPECT_NE(connection_id64_1.Hash(), connection_id64_3.Hash());
   EXPECT_NE(connection_id64_2.Hash(), connection_id64_3.Hash());
+
+  // Verify that any two all-zero connection IDs of different lengths never
+  // have the same hash.
+  if (sizeof(connection_id64_1.Hash()) < sizeof(uint64_t) &&
+      !GetQuicRestartFlag(quic_connection_id_use_siphash)) {
+    // The old hashing algorithm returns 0 for all-zero connection IDs on
+    // 32bit platforms.
+    return;
+  }
+  const char connection_id_bytes[kQuicMaxConnectionIdLength] = {};
+  for (uint8_t i = 0; i < kQuicMaxConnectionIdLength - 1; ++i) {
+    QuicConnectionId connection_id_i(connection_id_bytes, i);
+    for (uint8_t j = i + 1; j < kQuicMaxConnectionIdLength; ++j) {
+      QuicConnectionId connection_id_j(connection_id_bytes, j);
+      EXPECT_NE(connection_id_i.Hash(), connection_id_j.Hash());
+    }
+  }
+}
+
+TEST_F(QuicConnectionIdTest, AssignAndCopy) {
+  QuicConnectionId connection_id = test::TestConnectionId(1);
+  QuicConnectionId connection_id2 = test::TestConnectionId(2);
+  connection_id = connection_id2;
+  EXPECT_EQ(connection_id, test::TestConnectionId(2));
+  EXPECT_NE(connection_id, test::TestConnectionId(1));
+  connection_id = QuicConnectionId(test::TestConnectionId(1));
+  EXPECT_EQ(connection_id, test::TestConnectionId(1));
+  EXPECT_NE(connection_id, test::TestConnectionId(2));
+}
+
+TEST_F(QuicConnectionIdTest, ChangeLength) {
+  QuicConnectionId connection_id64_1 = test::TestConnectionId(1);
+  QuicConnectionId connection_id64_2 = test::TestConnectionId(2);
+  QuicConnectionId connection_id136_2 = test::TestConnectionId(2);
+  connection_id136_2.set_length(17);
+  memset(connection_id136_2.mutable_data() + 8, 0, 9);
+  char connection_id136_2_bytes[17] = {0, 0, 0, 0, 0, 0, 0, 2, 0,
+                                       0, 0, 0, 0, 0, 0, 0, 0};
+  QuicConnectionId connection_id136_2b(connection_id136_2_bytes,
+                                       sizeof(connection_id136_2_bytes));
+  EXPECT_EQ(connection_id136_2, connection_id136_2b);
+  QuicConnectionId connection_id = connection_id64_1;
+  connection_id.set_length(17);
+  EXPECT_NE(connection_id64_1, connection_id);
+  // Check resizing big to small.
+  connection_id.set_length(8);
+  EXPECT_EQ(connection_id64_1, connection_id);
+  // Check resizing small to big.
+  connection_id.set_length(17);
+  memset(connection_id.mutable_data(), 0, connection_id.length());
+  memcpy(connection_id.mutable_data(), connection_id64_2.data(),
+         connection_id64_2.length());
+  EXPECT_EQ(connection_id136_2, connection_id);
+  EXPECT_EQ(connection_id136_2b, connection_id);
+  QuicConnectionId connection_id120(connection_id136_2_bytes, 15);
+  connection_id.set_length(15);
+  EXPECT_EQ(connection_id120, connection_id);
+  // Check resizing big to big.
+  QuicConnectionId connection_id2 = connection_id120;
+  connection_id2.set_length(17);
+  connection_id2.mutable_data()[15] = 0;
+  connection_id2.mutable_data()[16] = 0;
+  EXPECT_EQ(connection_id136_2, connection_id2);
+  EXPECT_EQ(connection_id136_2b, connection_id2);
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_connection_test.cc
index 554f71a59c9..ee7b6511193 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_test.cc
@@ -85,14 +85,11 @@ const QuicSocketAddress kSelfAddress =
     QuicSocketAddress(QuicIpAddress::Loopback6(),
                       /*port=*/443);
 
-Perspective InvertPerspective(Perspective perspective) {
-  return perspective == Perspective::IS_CLIENT ? Perspective::IS_SERVER
-                                               : Perspective::IS_CLIENT;
-}
-
 QuicStreamId GetNthClientInitiatedStreamId(int n,
                                            QuicTransportVersion version) {
-  return QuicUtils::GetHeadersStreamId(version) + n * 2;
+  return QuicUtils::GetFirstBidirectionalStreamId(version,
+                                                  Perspective::IS_CLIENT) +
+         n * 2;
 }
 
 QuicLongHeaderType EncryptionlevelToLongHeaderType(EncryptionLevel level) {
@@ -122,16 +119,18 @@ class TaggingEncrypter : public QuicEncrypter {
   ~TaggingEncrypter() override {}
 
   // QuicEncrypter interface.
-  bool SetKey(QuicStringPiece key) override { return true; }
+  bool SetKey(QuicStringPiece /*key*/) override { return true; }
 
-  bool SetNoncePrefix(QuicStringPiece nonce_prefix) override { return true; }
+  bool SetNoncePrefix(QuicStringPiece /*nonce_prefix*/) override {
+    return true;
+  }
 
-  bool SetIV(QuicStringPiece iv) override { return true; }
+  bool SetIV(QuicStringPiece /*iv*/) override { return true; }
 
-  bool SetHeaderProtectionKey(QuicStringPiece key) override { return true; }
+  bool SetHeaderProtectionKey(QuicStringPiece /*key*/) override { return true; }
 
-  bool EncryptPacket(uint64_t packet_number,
-                     QuicStringPiece associated_data,
+  bool EncryptPacket(uint64_t /*packet_number*/,
+                     QuicStringPiece /*associated_data*/,
                      QuicStringPiece plaintext,
                      char* output,
                      size_t* output_length,
@@ -148,7 +147,8 @@ class TaggingEncrypter : public QuicEncrypter {
     return true;
   }
 
-  std::string GenerateHeaderProtectionMask(QuicStringPiece sample) override {
+  std::string GenerateHeaderProtectionMask(
+      QuicStringPiece /*sample*/) override {
     return std::string(5, 0);
   }
 
@@ -183,29 +183,31 @@ class TaggingDecrypter : public QuicDecrypter {
   ~TaggingDecrypter() override {}
 
   // QuicDecrypter interface
-  bool SetKey(QuicStringPiece key) override { return true; }
+  bool SetKey(QuicStringPiece /*key*/) override { return true; }
 
-  bool SetNoncePrefix(QuicStringPiece nonce_prefix) override { return true; }
+  bool SetNoncePrefix(QuicStringPiece /*nonce_prefix*/) override {
+    return true;
+  }
 
-  bool SetIV(QuicStringPiece iv) override { return true; }
+  bool SetIV(QuicStringPiece /*iv*/) override { return true; }
 
-  bool SetHeaderProtectionKey(QuicStringPiece key) override { return true; }
+  bool SetHeaderProtectionKey(QuicStringPiece /*key*/) override { return true; }
 
-  bool SetPreliminaryKey(QuicStringPiece key) override {
+  bool SetPreliminaryKey(QuicStringPiece /*key*/) override {
     QUIC_BUG << "should not be called";
     return false;
   }
 
-  bool SetDiversificationNonce(const DiversificationNonce& key) override {
+  bool SetDiversificationNonce(const DiversificationNonce& /*key*/) override {
     return true;
   }
 
-  bool DecryptPacket(uint64_t packet_number,
-                     QuicStringPiece associated_data,
+  bool DecryptPacket(uint64_t /*packet_number*/,
+                     QuicStringPiece /*associated_data*/,
                      QuicStringPiece ciphertext,
                      char* output,
                      size_t* output_length,
-                     size_t max_output_length) override {
+                     size_t /*max_output_length*/) override {
     if (ciphertext.size() < kTagSize) {
       return false;
     }
@@ -218,7 +220,7 @@ class TaggingDecrypter : public QuicDecrypter {
   }
 
   std::string GenerateHeaderProtectionMask(
-      QuicDataReader* sample_reader) override {
+      QuicDataReader* /*sample_reader*/) override {
     return std::string(5, 0);
   }
 
@@ -258,7 +260,7 @@ class StrictTaggingDecrypter : public TaggingDecrypter {
   ~StrictTaggingDecrypter() override {}
 
   // TaggingQuicDecrypter
-  uint8_t GetTag(QuicStringPiece ciphertext) override { return tag_; }
+  uint8_t GetTag(QuicStringPiece /*ciphertext*/) override { return tag_; }
 
   // Use a distinct value starting with 0xFFFFFF, which is never used by TLS.
   uint32_t cipher_id() const override { return 0xFFFFFFF1; }
@@ -346,9 +348,9 @@ class TestPacketWriter : public QuicPacketWriter {
   // QuicPacketWriter interface
   WriteResult WritePacket(const char* buffer,
                           size_t buf_len,
-                          const QuicIpAddress& self_address,
-                          const QuicSocketAddress& peer_address,
-                          PerPacketOptions* options) override {
+                          const QuicIpAddress& /*self_address*/,
+                          const QuicSocketAddress& /*peer_address*/,
+                          PerPacketOptions* /*options*/) override {
     QuicEncryptedPacket packet(buffer, buf_len);
     ++packets_write_attempts_;
 
@@ -422,12 +424,13 @@ class TestPacketWriter : public QuicPacketWriter {
     return max_packet_size_;
   }
 
-  bool SupportsReleaseTime() const { return supports_release_time_; }
+  bool SupportsReleaseTime() const override { return supports_release_time_; }
 
   bool IsBatchMode() const override { return is_batch_mode_; }
 
-  char* GetNextWriteLocation(const QuicIpAddress& self_address,
-                             const QuicSocketAddress& peer_address) override {
+  char* GetNextWriteLocation(
+      const QuicIpAddress& /*self_address*/,
+      const QuicSocketAddress& /*peer_address*/) override {
     return nullptr;
   }
 
@@ -525,7 +528,7 @@ class TestPacketWriter : public QuicPacketWriter {
     // We invert perspective here, because the framer needs to parse packets
     // we send.
     QuicFramerPeer::SetPerspective(framer_.framer(),
-                                   InvertPerspective(perspective));
+                                   QuicUtils::InvertPerspective(perspective));
   }
 
   // final_bytes_of_last_packet_ returns the last four bytes of the previous
@@ -610,8 +613,6 @@ class TestConnection : public QuicConnection {
   TestConnection(const TestConnection&) = delete;
   TestConnection& operator=(const TestConnection&) = delete;
 
-  void SendAck() { QuicConnectionPeer::SendAck(this); }
-
   void SetSendAlgorithm(SendAlgorithmInterface* send_algorithm) {
     QuicConnectionPeer::SetSendAlgorithm(this, send_algorithm);
   }
@@ -620,7 +621,7 @@ class TestConnection : public QuicConnection {
     QuicConnectionPeer::SetLossAlgorithm(this, loss_algorithm);
   }
 
-  void SendPacket(EncryptionLevel level,
+  void SendPacket(EncryptionLevel /*level*/,
                   uint64_t packet_number,
                   std::unique_ptr<QuicPacket> packet,
                   HasRetransmittableData retransmittable,
@@ -647,7 +648,7 @@ class TestConnection : public QuicConnection {
                                          size_t total_length,
                                          QuicStreamOffset offset,
                                          StreamSendingState state) {
-    ScopedPacketFlusher flusher(this, NO_ACK);
+    ScopedPacketFlusher flusher(this);
     producer_.SaveStreamData(id, iov, iov_count, 0u, total_length);
     if (notifier_ != nullptr) {
       return notifier_->WriteOrBufferData(id, total_length, state);
@@ -659,7 +660,7 @@ class TestConnection : public QuicConnection {
                                             QuicStringPiece data,
                                             QuicStreamOffset offset,
                                             StreamSendingState state) {
-    ScopedPacketFlusher flusher(this, NO_ACK);
+    ScopedPacketFlusher flusher(this);
     if (!QuicUtils::IsCryptoStreamId(transport_version(), id) &&
         this->encryption_level() == ENCRYPTION_INITIAL) {
       this->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
@@ -674,7 +675,7 @@ class TestConnection : public QuicConnection {
                                               QuicStringPiece data,
                                               QuicStreamOffset offset,
                                               StreamSendingState state) {
-    ScopedPacketFlusher flusher(this, NO_ACK);
+    ScopedPacketFlusher flusher(this);
     DCHECK(encryption_level >= ENCRYPTION_ZERO_RTT);
     SetEncrypter(encryption_level, QuicMakeUnique<TaggingEncrypter>(0x01));
     SetDefaultEncryptionLevel(encryption_level);
@@ -737,7 +738,6 @@ class TestConnection : public QuicConnection {
 
   void SetSupportedVersions(const ParsedQuicVersionVector& versions) {
     QuicConnectionPeer::GetFramer(this)->SetSupportedVersions(versions);
-    QuicConnectionPeer::SetNoVersionNegotiation(this, versions.size() == 1);
     writer()->SetSupportedVersions(versions);
   }
 
@@ -883,11 +883,12 @@ std::vector<TestParams> GetTestParams() {
          {AckResponse::kDefer, AckResponse::kImmediate}) {
       for (bool no_stop_waiting : {true, false}) {
         // After version 43, never use STOP_WAITING.
-        params.push_back(TestParams(
-            all_supported_versions[i], ack_response,
-            all_supported_versions[i].transport_version <= QUIC_VERSION_43
-                ? no_stop_waiting
-                : true));
+        params.push_back(
+            TestParams(all_supported_versions[i], ack_response,
+                       !VersionHasIetfInvariantHeader(
+                           all_supported_versions[i].transport_version)
+                           ? no_stop_waiting
+                           : true));
       }
     }
   }
@@ -895,6 +896,17 @@ std::vector<TestParams> GetTestParams() {
 }
 
 class QuicConnectionTest : public QuicTestWithParam<TestParams> {
+ public:
+  // For tests that do silent connection closes, no such packet is generated. In
+  // order to verify the contents of the OnConnectionClosed upcall, EXPECTs
+  // should invoke this method, saving the frame, and then the test can verify
+  // the contents.
+  void SaveConnectionCloseFrame(const QuicConnectionCloseFrame& frame,
+                                ConnectionCloseSource /*source*/) {
+    saved_connection_close_frame_ = frame;
+    connection_close_frame_count_++;
+  }
+
  protected:
   QuicConnectionTest()
       : connection_id_(TestConnectionId()),
@@ -929,7 +941,8 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
         crypto_frame_(ENCRYPTION_INITIAL, 0, QuicStringPiece(data1)),
         packet_number_length_(PACKET_4BYTE_PACKET_NUMBER),
         connection_id_included_(CONNECTION_ID_PRESENT),
-        notifier_(&connection_) {
+        notifier_(&connection_),
+        connection_close_frame_count_(0) {
     SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     connection_.set_defer_send_in_response_to_packets(GetParam().ack_response ==
                                                       AckResponse::kDefer);
@@ -948,7 +961,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     }
     QuicFramerPeer::SetLastSerializedServerConnectionId(
         QuicConnectionPeer::GetFramer(&connection_), connection_id_);
-    if (version().transport_version > QUIC_VERSION_43) {
+    if (VersionHasIetfInvariantHeader(version().transport_version)) {
       EXPECT_TRUE(QuicConnectionPeer::GetNoStopWaitingFrames(&connection_));
     } else {
       QuicConnectionPeer::SetNoStopWaitingFrames(&connection_,
@@ -1017,12 +1030,6 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
 
   ParsedQuicVersion version() { return GetParam().version; }
 
-  QuicAckFrame* outgoing_ack() {
-    QuicFrame ack_frame = QuicConnectionPeer::GetUpdatedAckFrame(&connection_);
-    ack_ = *ack_frame.ack_frame;
-    return &ack_;
-  }
-
   QuicStopWaitingFrame* stop_waiting() {
     QuicConnectionPeer::PopulateStopWaitingFrame(&connection_, &stop_waiting_);
     return &stop_waiting_;
@@ -1126,7 +1133,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     header.destination_connection_id = connection_id_;
     header.packet_number_length = packet_number_length_;
     header.destination_connection_id_included = connection_id_included_;
-    if ((peer_framer_.transport_version() > QUIC_VERSION_43 ||
+    if ((VersionHasIetfInvariantHeader(peer_framer_.transport_version()) ||
          GetQuicRestartFlag(quic_do_not_override_connection_id)) &&
         peer_framer_.perspective() == Perspective::IS_SERVER) {
       header.destination_connection_id_included = CONNECTION_ID_ABSENT;
@@ -1134,8 +1141,10 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     if (level == ENCRYPTION_INITIAL &&
         peer_framer_.version().KnowsWhichDecrypterToUse()) {
       header.version_flag = true;
-      header.retry_token_length_length = VARIABLE_LENGTH_INTEGER_LENGTH_1;
-      header.length_length = VARIABLE_LENGTH_INTEGER_LENGTH_2;
+      if (QuicVersionHasLongHeaderLengths(peer_framer_.transport_version())) {
+        header.retry_token_length_length = VARIABLE_LENGTH_INTEGER_LENGTH_1;
+        header.length_length = VARIABLE_LENGTH_INTEGER_LENGTH_2;
+      }
     }
     if ((GetQuicRestartFlag(quic_do_not_override_connection_id) ||
          (level == ENCRYPTION_INITIAL &&
@@ -1199,8 +1208,9 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
                                     level);
   }
 
-  size_t ProcessCryptoPacketAtLevel(uint64_t number, EncryptionLevel level) {
-    QuicPacketHeader header = ConstructPacketHeader(1000, ENCRYPTION_INITIAL);
+  size_t ProcessCryptoPacketAtLevel(uint64_t number,
+                                    EncryptionLevel /*level*/) {
+    QuicPacketHeader header = ConstructPacketHeader(number, ENCRYPTION_INITIAL);
     QuicFrames frames;
     if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
       frames.push_back(QuicFrame(&crypto_frame_));
@@ -1210,9 +1220,9 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     std::unique_ptr<QuicPacket> packet = ConstructPacket(header, frames);
     char buffer[kMaxOutgoingPacketSize];
     peer_creator_.set_encryption_level(ENCRYPTION_INITIAL);
-    size_t encrypted_length =
-        peer_framer_.EncryptPayload(ENCRYPTION_INITIAL, QuicPacketNumber(1000),
-                                    *packet, buffer, kMaxOutgoingPacketSize);
+    size_t encrypted_length = peer_framer_.EncryptPayload(
+        ENCRYPTION_INITIAL, QuicPacketNumber(number), *packet, buffer,
+        kMaxOutgoingPacketSize);
     connection_.ProcessUdpPacket(
         kSelfAddress, kPeerAddress,
         QuicReceivedPacket(buffer, encrypted_length, clock_.Now(), false));
@@ -1272,8 +1282,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
   void SendAckPacketToPeer() {
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
     {
-      QuicConnection::ScopedPacketFlusher flusher(&connection_,
-                                                  QuicConnection::NO_ACK);
+      QuicConnection::ScopedPacketFlusher flusher(&connection_);
       connection_.SendAck();
     }
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
@@ -1323,7 +1332,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
 
   size_t ProcessStopWaitingPacketAtLevel(uint64_t number,
                                          QuicStopWaitingFrame frame,
-                                         EncryptionLevel level) {
+                                         EncryptionLevel /*level*/) {
     return ProcessFramePacketAtLevel(number, QuicFrame(frame),
                                      ENCRYPTION_ZERO_RTT);
   }
@@ -1333,7 +1342,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
   }
 
   bool IsMissing(uint64_t number) {
-    return IsAwaitingPacket(*outgoing_ack(), QuicPacketNumber(number),
+    return IsAwaitingPacket(connection_.ack_frame(), QuicPacketNumber(number),
                             QuicPacketNumber());
   }
 
@@ -1347,7 +1356,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
   QuicPacketHeader ConstructPacketHeader(uint64_t number,
                                          EncryptionLevel level) {
     QuicPacketHeader header;
-    if (peer_framer_.transport_version() > QUIC_VERSION_43 &&
+    if (VersionHasIetfInvariantHeader(peer_framer_.transport_version()) &&
         level < ENCRYPTION_FORWARD_SECURE) {
       // Set long header type accordingly.
       header.version_flag = true;
@@ -1371,7 +1380,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
       header.destination_connection_id = connection_id_;
       header.destination_connection_id_included = connection_id_included_;
     }
-    if (peer_framer_.transport_version() > QUIC_VERSION_43 &&
+    if (VersionHasIetfInvariantHeader(peer_framer_.transport_version()) &&
         peer_framer_.perspective() == Perspective::IS_SERVER) {
       header.destination_connection_id_included = CONNECTION_ID_ABSENT;
       if (header.version_flag) {
@@ -1401,7 +1410,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
   }
 
   OwningSerializedPacketPointer ConstructProbingPacket() {
-    if (version().transport_version == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(version().transport_version)) {
       QuicPathFrameBuffer payload = {
           {0xde, 0xad, 0xbe, 0xef, 0xba, 0xdc, 0x0f, 0xfe}};
       return QuicPacketCreatorPeer::
@@ -1420,21 +1429,21 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
         peer_framer_.perspective() == Perspective::IS_SERVER) {
       header.source_connection_id = connection_id_;
       header.destination_connection_id_included = CONNECTION_ID_ABSENT;
-      if (peer_framer_.transport_version() <= QUIC_VERSION_43) {
+      if (!VersionHasIetfInvariantHeader(peer_framer_.transport_version())) {
         header.source_connection_id_included = CONNECTION_ID_PRESENT;
       }
     } else {
       header.destination_connection_id = connection_id_;
-      if (peer_framer_.transport_version() > QUIC_VERSION_43) {
+      if (VersionHasIetfInvariantHeader(peer_framer_.transport_version())) {
         header.destination_connection_id_included = CONNECTION_ID_ABSENT;
       }
     }
 
     header.packet_number = QuicPacketNumber(number);
 
-    QuicConnectionCloseFrame qccf(QUIC_PEER_GOING_AWAY);
-    if (peer_framer_.transport_version() == QUIC_VERSION_99) {
-      // Default close-type is Google QUIC. If doing IETF/V99 then
+    QuicConnectionCloseFrame qccf(QUIC_PEER_GOING_AWAY, "");
+    if (VersionHasIetfQuicFrames(peer_framer_.transport_version())) {
+      // Default close-type is Google QUIC. If doing IETF QUIC then
       // set close type to be IETF CC/T.
       qccf.close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
     }
@@ -1483,15 +1492,19 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
 
   void TriggerConnectionClose() {
     // Send an erroneous packet to close the connection.
-    EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INVALID_ACK_DATA, _,
-                                             ConnectionCloseSource::FROM_SELF));
+    EXPECT_CALL(visitor_,
+                OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+        .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
+
     EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
     // Triggers a connection by receiving ACK of unsent packet.
     QuicAckFrame frame = InitAckFrame(10000);
     ProcessAckPacket(1, &frame);
-
     EXPECT_FALSE(QuicConnectionPeer::GetConnectionClosePacket(&connection_) ==
                  nullptr);
+    EXPECT_EQ(1, connection_close_frame_count_);
+    EXPECT_EQ(QUIC_INVALID_ACK_DATA,
+              saved_connection_close_frame_.quic_error_code);
   }
 
   void BlockOnNextWrite() {
@@ -1523,7 +1536,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
       connection_.set_can_truncate_connection_ids(true);
     }
     QuicFramerPeer::SetPerspective(&peer_framer_,
-                                   InvertPerspective(perspective));
+                                   QuicUtils::InvertPerspective(perspective));
   }
 
   void set_packets_between_probes_base(
@@ -1540,6 +1553,16 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
            p.version == AllSupportedVersions()[0] && p.no_stop_waiting;
   }
 
+  void TestConnectionCloseQuicErrorCode(QuicErrorCode expected_code) {
+    // Not strictly needed for this test, but is commonly done.
+    EXPECT_FALSE(QuicConnectionPeer::GetConnectionClosePacket(&connection_) ==
+                 nullptr);
+    const std::vector<QuicConnectionCloseFrame>& connection_close_frames =
+        writer_->connection_close_frames();
+    ASSERT_EQ(1u, connection_close_frames.size());
+    EXPECT_EQ(expected_code, connection_close_frames[0].quic_error_code);
+  }
+
   QuicConnectionId connection_id_;
   QuicFramer framer_;
 
@@ -1568,6 +1591,9 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
   QuicConnectionIdIncluded connection_id_included_;
 
   SimpleSessionNotifier notifier_;
+
+  QuicConnectionCloseFrame saved_connection_close_frame_;
+  int connection_close_frame_count_;
 };
 
 // Run all end to end tests with all supported versions.
@@ -1630,9 +1656,10 @@ TEST_P(QuicConnectionTest, SelfAddressChangeAtServer) {
   host.FromString("1.1.1.1");
   QuicSocketAddress self_address(host, 123);
   EXPECT_CALL(visitor_, AllowSelfAddressChange()).WillOnce(Return(false));
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_ERROR_MIGRATING_ADDRESS, _, _));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _));
   ProcessFramePacketWithAddresses(frame, self_address, kPeerAddress);
   EXPECT_FALSE(connection_.connected());
+  TestConnectionCloseQuicErrorCode(QUIC_ERROR_MIGRATING_ADDRESS);
 }
 
 TEST_P(QuicConnectionTest, AllowSelfAddressChangeToMappedIpv4AddressAtServer) {
@@ -1867,7 +1894,7 @@ TEST_P(QuicConnectionTest, ReceivePaddedPingAtServer) {
   // Process a padded PING or PATH CHALLENGE packet with no peer address change
   // on server side will be ignored.
   OwningSerializedPacketPointer probing_packet;
-  if (version().transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version().transport_version)) {
     QuicPathFrameBuffer payload = {
         {0xde, 0xad, 0xbe, 0xef, 0xba, 0xdc, 0x0f, 0xfe}};
     probing_packet =
@@ -1894,8 +1921,7 @@ TEST_P(QuicConnectionTest, ReceivePaddedPingAtServer) {
 
 TEST_P(QuicConnectionTest, WriteOutOfOrderQueuedPackets) {
   // EXPECT_QUIC_BUG tests are expensive so only run one instance of them.
-  if (!IsDefaultTestConfiguration() ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (!IsDefaultTestConfiguration()) {
     return;
   }
 
@@ -1912,12 +1938,16 @@ TEST_P(QuicConnectionTest, WriteOutOfOrderQueuedPackets) {
   connection_.SendConnectivityProbingPacket(writer_.get(),
                                             connection_.peer_address());
 
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INTERNAL_ERROR,
-                                           "Packet written out of order.",
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_QUIC_BUG(connection_.OnCanWrite(),
                   "Attempt to write packet:1 after:2");
   EXPECT_FALSE(connection_.connected());
+  TestConnectionCloseQuicErrorCode(QUIC_INTERNAL_ERROR);
+  const std::vector<QuicConnectionCloseFrame>& connection_close_frames =
+      writer_->connection_close_frames();
+  EXPECT_EQ("Packet written out of order.",
+            connection_close_frames[0].error_details);
 }
 
 TEST_P(QuicConnectionTest, DiscardQueuedPacketsAfterConnectionClose) {
@@ -1925,7 +1955,7 @@ TEST_P(QuicConnectionTest, DiscardQueuedPacketsAfterConnectionClose) {
   {
     InSequence seq;
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-    EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _)).Times(1);
+    EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(1);
   }
 
   set_perspective(Perspective::IS_CLIENT);
@@ -1942,7 +1972,7 @@ TEST_P(QuicConnectionTest, DiscardQueuedPacketsAfterConnectionClose) {
 
   EXPECT_EQ(0u, connection_.GetStats().packets_discarded);
   connection_.OnCanWrite();
-  EXPECT_EQ(1u, connection_.GetStats().packets_discarded);
+  EXPECT_EQ(0u, connection_.GetStats().packets_discarded);
 }
 
 TEST_P(QuicConnectionTest, ReceiveConnectivityProbingAtServer) {
@@ -2271,7 +2301,7 @@ TEST_P(QuicConnectionTest, IncreaseServerMaxPacketSize) {
   QuicPacketHeader header;
   header.destination_connection_id = connection_id_;
   header.version_flag = true;
-  header.packet_number = QuicPacketNumber(1);
+  header.packet_number = QuicPacketNumber(12);
 
   if (QuicVersionHasLongHeaderLengths(
           peer_framer_.version().transport_version)) {
@@ -2320,7 +2350,7 @@ TEST_P(QuicConnectionTest, IncreaseServerMaxPacketSizeWhileWriterLimited) {
   QuicPacketHeader header;
   header.destination_connection_id = connection_id_;
   header.version_flag = true;
-  header.packet_number = QuicPacketNumber(1);
+  header.packet_number = QuicPacketNumber(12);
 
   if (QuicVersionHasLongHeaderLengths(
           peer_framer_.version().transport_version)) {
@@ -2382,61 +2412,52 @@ TEST_P(QuicConnectionTest, LimitMaxPacketSizeByWriterForNewConnection) {
 }
 
 TEST_P(QuicConnectionTest, PacketsInOrder) {
-  if (connection_.SupportsMultiplePacketNumberSpaces()) {
-    return;
-  }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
 
   ProcessPacket(1);
-  EXPECT_EQ(QuicPacketNumber(1u), LargestAcked(*outgoing_ack()));
-  EXPECT_EQ(1u, outgoing_ack()->packets.NumIntervals());
+  EXPECT_EQ(QuicPacketNumber(1u), LargestAcked(connection_.ack_frame()));
+  EXPECT_EQ(1u, connection_.ack_frame().packets.NumIntervals());
 
   ProcessPacket(2);
-  EXPECT_EQ(QuicPacketNumber(2u), LargestAcked(*outgoing_ack()));
-  EXPECT_EQ(1u, outgoing_ack()->packets.NumIntervals());
+  EXPECT_EQ(QuicPacketNumber(2u), LargestAcked(connection_.ack_frame()));
+  EXPECT_EQ(1u, connection_.ack_frame().packets.NumIntervals());
 
   ProcessPacket(3);
-  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(*outgoing_ack()));
-  EXPECT_EQ(1u, outgoing_ack()->packets.NumIntervals());
+  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(connection_.ack_frame()));
+  EXPECT_EQ(1u, connection_.ack_frame().packets.NumIntervals());
 }
 
 TEST_P(QuicConnectionTest, PacketsOutOfOrder) {
-  if (connection_.SupportsMultiplePacketNumberSpaces()) {
-    return;
-  }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
 
   ProcessPacket(3);
-  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(*outgoing_ack()));
+  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(connection_.ack_frame()));
   EXPECT_TRUE(IsMissing(2));
   EXPECT_TRUE(IsMissing(1));
 
   ProcessPacket(2);
-  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(*outgoing_ack()));
+  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(connection_.ack_frame()));
   EXPECT_FALSE(IsMissing(2));
   EXPECT_TRUE(IsMissing(1));
 
   ProcessPacket(1);
-  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(*outgoing_ack()));
+  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(connection_.ack_frame()));
   EXPECT_FALSE(IsMissing(2));
   EXPECT_FALSE(IsMissing(1));
 }
 
 TEST_P(QuicConnectionTest, DuplicatePacket) {
-  if (connection_.SupportsMultiplePacketNumberSpaces()) {
-    return;
-  }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
 
   ProcessPacket(3);
-  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(*outgoing_ack()));
+  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(connection_.ack_frame()));
   EXPECT_TRUE(IsMissing(2));
   EXPECT_TRUE(IsMissing(1));
 
   // Send packet 3 again, but do not set the expectation that
   // the visitor OnStreamFrame() will be called.
   ProcessDataPacket(3);
-  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(*outgoing_ack()));
+  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(connection_.ack_frame()));
   EXPECT_TRUE(IsMissing(2));
   EXPECT_TRUE(IsMissing(1));
 }
@@ -2448,16 +2469,16 @@ TEST_P(QuicConnectionTest, PacketsOutOfOrderWithAdditionsAndLeastAwaiting) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
 
   ProcessPacket(3);
-  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(*outgoing_ack()));
+  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(connection_.ack_frame()));
   EXPECT_TRUE(IsMissing(2));
   EXPECT_TRUE(IsMissing(1));
 
   ProcessPacket(2);
-  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(*outgoing_ack()));
+  EXPECT_EQ(QuicPacketNumber(3u), LargestAcked(connection_.ack_frame()));
   EXPECT_TRUE(IsMissing(1));
 
   ProcessPacket(5);
-  EXPECT_EQ(QuicPacketNumber(5u), LargestAcked(*outgoing_ack()));
+  EXPECT_EQ(QuicPacketNumber(5u), LargestAcked(connection_.ack_frame()));
   EXPECT_TRUE(IsMissing(1));
   EXPECT_TRUE(IsMissing(4));
 
@@ -2474,24 +2495,6 @@ TEST_P(QuicConnectionTest, PacketsOutOfOrderWithAdditionsAndLeastAwaiting) {
   EXPECT_TRUE(IsMissing(4));
 }
 
-TEST_P(QuicConnectionTest, RejectPacketTooFarOut) {
-  if (GetQuicReloadableFlag(quic_use_uber_received_packet_manager)) {
-    return;
-  }
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INVALID_PACKET_HEADER, _,
-                                           ConnectionCloseSource::FROM_SELF));
-
-  // Call ProcessDataPacket rather than ProcessPacket, as we should not get a
-  // packet call to the visitor.
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    ProcessDataPacket(MaxRandomInitialPacketNumber() + 6000);
-  } else {
-    ProcessDataPacket(6000);
-  }
-  EXPECT_FALSE(QuicConnectionPeer::GetConnectionClosePacket(&connection_) ==
-               nullptr);
-}
-
 TEST_P(QuicConnectionTest, RejectUnencryptedStreamData) {
   // EXPECT_QUIC_BUG tests are expensive so only run one instance of them.
   if (!IsDefaultTestConfiguration()) {
@@ -2501,55 +2504,31 @@ TEST_P(QuicConnectionTest, RejectUnencryptedStreamData) {
   // Process an unencrypted packet from the non-crypto stream.
   frame1_.stream_id = 3;
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_UNENCRYPTED_STREAM_DATA, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_QUIC_PEER_BUG(ProcessDataPacketAtLevel(1, false, ENCRYPTION_INITIAL),
                        "");
-  EXPECT_FALSE(QuicConnectionPeer::GetConnectionClosePacket(&connection_) ==
-               nullptr);
-  const std::vector<QuicConnectionCloseFrame>& connection_close_frames =
-      writer_->connection_close_frames();
-  ASSERT_EQ(1u, connection_close_frames.size());
-  EXPECT_EQ(QUIC_UNENCRYPTED_STREAM_DATA,
-            connection_close_frames[0].quic_error_code);
+  TestConnectionCloseQuicErrorCode(QUIC_UNENCRYPTED_STREAM_DATA);
 }
 
 TEST_P(QuicConnectionTest, OutOfOrderReceiptCausesAckSend) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
 
   ProcessPacket(3);
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    // Should not cause an ack.
-    EXPECT_EQ(0u, writer_->packets_write_attempts());
-  } else {
-    // Should ack immediately since we have missing packets.
-    EXPECT_EQ(1u, writer_->packets_write_attempts());
-  }
+  // Should not cause an ack.
+  EXPECT_EQ(0u, writer_->packets_write_attempts());
 
   ProcessPacket(2);
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    // Should ack immediately, since this fills the last hole.
-    EXPECT_EQ(1u, writer_->packets_write_attempts());
-  } else {
-    // Should ack immediately since we have missing packets.
-    EXPECT_EQ(2u, writer_->packets_write_attempts());
-  }
+  // Should ack immediately, since this fills the last hole.
+  EXPECT_EQ(1u, writer_->packets_write_attempts());
 
   ProcessPacket(1);
   // Should ack immediately, since this fills the last hole.
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    EXPECT_EQ(2u, writer_->packets_write_attempts());
-  } else {
-    EXPECT_EQ(3u, writer_->packets_write_attempts());
-  }
+  EXPECT_EQ(2u, writer_->packets_write_attempts());
 
   ProcessPacket(4);
   // Should not cause an ack.
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    EXPECT_EQ(2u, writer_->packets_write_attempts());
-  } else {
-    EXPECT_EQ(3u, writer_->packets_write_attempts());
-  }
+  EXPECT_EQ(2u, writer_->packets_write_attempts());
 }
 
 TEST_P(QuicConnectionTest, OutOfOrderAckReceiptCausesNoAck) {
@@ -2589,13 +2568,13 @@ TEST_P(QuicConnectionTest, AckReceiptCausesAckSend) {
   QuicPacketNumber retransmission;
   // Packet 1 is short header for IETF QUIC because the encryption level
   // switched to ENCRYPTION_FORWARD_SECURE in SendStreamDataToPeer.
-  EXPECT_CALL(
-      *send_algorithm_,
-      OnPacketSent(_, _, _,
-                   GetParam().version.transport_version > QUIC_VERSION_43
-                       ? packet_size
-                       : packet_size - kQuicVersionSize,
-                   _))
+  EXPECT_CALL(*send_algorithm_,
+              OnPacketSent(_, _, _,
+                           VersionHasIetfInvariantHeader(
+                               GetParam().version.transport_version)
+                               ? packet_size
+                               : packet_size - kQuicVersionSize,
+                           _))
       .WillOnce(SaveArg<2>(&retransmission));
 
   ProcessAckPacket(&frame);
@@ -2742,8 +2721,7 @@ TEST_P(QuicConnectionTest, AckNeedsRetransmittableFrames) {
 }
 
 TEST_P(QuicConnectionTest, LeastUnackedLower) {
-  if (GetParam().version.transport_version > QUIC_VERSION_43 ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (VersionHasIetfInvariantHeader(GetParam().version.transport_version)) {
     return;
   }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
@@ -2771,10 +2749,13 @@ TEST_P(QuicConnectionTest, LeastUnackedLower) {
   QuicPacketCreatorPeer::SetPacketNumber(&peer_creator_, 7);
   if (!GetParam().no_stop_waiting) {
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
-    EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INVALID_STOP_WAITING_DATA, _,
-                                             ConnectionCloseSource::FROM_SELF));
+    EXPECT_CALL(visitor_,
+                OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   }
   ProcessStopWaitingPacket(InitStopWaitingFrame(1));
+  if (!GetParam().no_stop_waiting) {
+    TestConnectionCloseQuicErrorCode(QUIC_INVALID_STOP_WAITING_DATA);
+  }
 }
 
 TEST_P(QuicConnectionTest, TooManySentPackets) {
@@ -2792,12 +2773,12 @@ TEST_P(QuicConnectionTest, TooManySentPackets) {
   // Ack packet 1, which leaves more than the limit outstanding.
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _));
   EXPECT_CALL(visitor_,
-              OnConnectionClosed(QUIC_TOO_MANY_OUTSTANDING_SENT_PACKETS, _,
-                                 ConnectionCloseSource::FROM_SELF));
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
 
   // Nack the first packet and ack the rest, leaving a huge gap.
   QuicAckFrame frame1 = ConstructAckFrame(num_packets, 1);
   ProcessAckPacket(&frame1);
+  TestConnectionCloseQuicErrorCode(QUIC_TOO_MANY_OUTSTANDING_SENT_PACKETS);
 }
 
 TEST_P(QuicConnectionTest, LargestObservedLower) {
@@ -2813,26 +2794,20 @@ TEST_P(QuicConnectionTest, LargestObservedLower) {
   QuicAckFrame frame2 = InitAckFrame(2);
   ProcessAckPacket(&frame2);
 
-  if (GetQuicReloadableFlag(quic_tolerate_reneging)) {
-    EXPECT_CALL(visitor_, OnCanWrite());
-  } else {
-    // Now change it to 1, and it should cause a connection error.
-    EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INVALID_ACK_DATA, _,
-                                             ConnectionCloseSource::FROM_SELF));
-    EXPECT_CALL(visitor_, OnCanWrite()).Times(0);
-  }
+  EXPECT_CALL(visitor_, OnCanWrite());
   ProcessAckPacket(&frame1);
 }
 
 TEST_P(QuicConnectionTest, AckUnsentData) {
   // Ack a packet which has not been sent.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INVALID_ACK_DATA, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
   QuicAckFrame frame = InitAckFrame(1);
   EXPECT_CALL(visitor_, OnCanWrite()).Times(0);
   ProcessAckPacket(&frame);
+  TestConnectionCloseQuicErrorCode(QUIC_INVALID_ACK_DATA);
 }
 
 TEST_P(QuicConnectionTest, BasicSending) {
@@ -2964,8 +2939,7 @@ TEST_P(QuicConnectionTest, FramePacking) {
   // Send two stream frames in 1 packet by queueing them.
   connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
   {
-    QuicConnection::ScopedPacketFlusher flusher(&connection_,
-                                                QuicConnection::SEND_ACK);
+    QuicConnection::ScopedPacketFlusher flusher(&connection_);
     connection_.SendStreamData3();
     connection_.SendStreamData5();
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
@@ -2998,8 +2972,7 @@ TEST_P(QuicConnectionTest, FramePackingNonCryptoThenCrypto) {
   connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
   {
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
-    QuicConnection::ScopedPacketFlusher flusher(&connection_,
-                                                QuicConnection::SEND_ACK);
+    QuicConnection::ScopedPacketFlusher flusher(&connection_);
     connection_.SendStreamData3();
     connection_.SendCryptoStreamData();
   }
@@ -3024,8 +2997,7 @@ TEST_P(QuicConnectionTest, FramePackingCryptoThenNonCrypto) {
   {
     connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
-    QuicConnection::ScopedPacketFlusher flusher(&connection_,
-                                                QuicConnection::SEND_ACK);
+    QuicConnection::ScopedPacketFlusher flusher(&connection_);
     connection_.SendCryptoStreamData();
     connection_.SendStreamData3();
   }
@@ -3041,13 +3013,15 @@ TEST_P(QuicConnectionTest, FramePackingCryptoThenNonCrypto) {
 }
 
 TEST_P(QuicConnectionTest, FramePackingAckResponse) {
-  if (connection_.SupportsMultiplePacketNumberSpaces()) {
-    return;
-  }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   // Process a data packet to queue up a pending ack.
-  EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
-  ProcessDataPacket(1);
+  if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+    EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(1);
+  } else {
+    EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
+  }
+  ProcessCryptoPacketAtLevel(1, ENCRYPTION_INITIAL);
+
   QuicPacketNumber last_packet;
   if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
     connection_.SendCryptoDataWithString("foo", 0);
@@ -3200,8 +3174,8 @@ TEST_P(QuicConnectionTest, LargeSendWithPendingAck) {
   iov.iov_base = data_array.get();
   iov.iov_len = len;
   QuicConsumedData consumed = connection_.SaveAndSendStreamData(
-      QuicUtils::GetHeadersStreamId(connection_.transport_version()), &iov, 1,
-      len, 0, FIN);
+      GetNthClientInitiatedStreamId(0, connection_.transport_version()), &iov,
+      1, len, 0, FIN);
   EXPECT_EQ(len, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
   EXPECT_EQ(0u, connection_.NumQueuedPackets());
@@ -3210,7 +3184,7 @@ TEST_P(QuicConnectionTest, LargeSendWithPendingAck) {
   // Parse the last packet and ensure it's one stream frame with a fin.
   EXPECT_EQ(1u, writer_->frame_count());
   ASSERT_EQ(1u, writer_->stream_frames().size());
-  EXPECT_EQ(QuicUtils::GetHeadersStreamId(connection_.transport_version()),
+  EXPECT_EQ(GetNthClientInitiatedStreamId(0, connection_.transport_version()),
             writer_->stream_frames()[0]->stream_id);
   EXPECT_TRUE(writer_->stream_frames()[0]->fin);
   // Ensure the ack alarm was cancelled when the ack was sent.
@@ -3406,12 +3380,6 @@ TEST_P(QuicConnectionTest, CancelRetransmissionAlarmAfterResetStream) {
   // Ensure that the data is still in flight, but the retransmission alarm is no
   // longer set.
   EXPECT_GT(manager_->GetBytesInFlight(), 0u);
-  if (GetQuicReloadableFlag(quic_optimize_inflight_check)) {
-    EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
-    // Firing the alarm should remove all bytes_in_flight.
-    connection_.GetRetransmissionAlarm()->Fire();
-    EXPECT_EQ(0u, manager_->GetBytesInFlight());
-  }
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
 }
 
@@ -3564,13 +3532,13 @@ TEST_P(QuicConnectionTest, RetransmitNackedLargestObserved) {
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _));
   // Packet 1 is short header for IETF QUIC because the encryption level
   // switched to ENCRYPTION_FORWARD_SECURE in SendStreamDataToPeer.
-  EXPECT_CALL(
-      *send_algorithm_,
-      OnPacketSent(_, _, _,
-                   GetParam().version.transport_version > QUIC_VERSION_43
-                       ? packet_size
-                       : packet_size - kQuicVersionSize,
-                   _));
+  EXPECT_CALL(*send_algorithm_,
+              OnPacketSent(_, _, _,
+                           VersionHasIetfInvariantHeader(
+                               GetParam().version.transport_version)
+                               ? packet_size
+                               : packet_size - kQuicVersionSize,
+                           _));
   ProcessAckPacket(&frame);
 }
 
@@ -3655,13 +3623,6 @@ TEST_P(QuicConnectionTest, RetransmitWriteBlockedAckedOriginalThenSent) {
 
   writer_->SetWritable();
   connection_.OnCanWrite();
-  // There is now a pending packet, but with no retransmittable frames.
-  if (GetQuicReloadableFlag(quic_optimize_inflight_check)) {
-    EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
-    // Firing the alarm should remove all bytes_in_flight.
-    connection_.GetRetransmissionAlarm()->Fire();
-    EXPECT_EQ(0u, manager_->GetBytesInFlight());
-  }
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
   EXPECT_FALSE(QuicConnectionPeer::HasRetransmittableFrames(&connection_, 2));
 }
@@ -3728,20 +3689,25 @@ TEST_P(QuicConnectionTest, AddToWriteBlockedListIfWriterBlockedWhenProcessing) {
 TEST_P(QuicConnectionTest, DoNotAddToWriteBlockedListAfterDisconnect) {
   writer_->SetBatchMode(true);
   EXPECT_TRUE(connection_.connected());
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PEER_GOING_AWAY, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  // Have to explicitly grab the OnConnectionClosed frame and check
+  // its parameters because this is a silent connection close and the
+  // frame is not also transmitted to the peer.
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
 
   EXPECT_CALL(visitor_, OnWriteBlocked()).Times(0);
 
   {
-    QuicConnection::ScopedPacketFlusher flusher(&connection_,
-                                                QuicConnection::NO_ACK);
+    QuicConnection::ScopedPacketFlusher flusher(&connection_);
     connection_.CloseConnection(QUIC_PEER_GOING_AWAY, "no reason",
                                 ConnectionCloseBehavior::SILENT_CLOSE);
 
     EXPECT_FALSE(connection_.connected());
     writer_->SetWriteBlocked();
   }
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, AddToWriteBlockedListIfBlockedOnFlushPackets) {
@@ -3750,8 +3716,7 @@ TEST_P(QuicConnectionTest, AddToWriteBlockedListIfBlockedOnFlushPackets) {
 
   EXPECT_CALL(visitor_, OnWriteBlocked()).Times(1);
   {
-    QuicConnection::ScopedPacketFlusher flusher(&connection_,
-                                                QuicConnection::NO_ACK);
+    QuicConnection::ScopedPacketFlusher flusher(&connection_);
     // flusher's destructor will call connection_.FlushPackets, which should add
     // the connection to the write blocked list.
   }
@@ -3910,6 +3875,10 @@ TEST_P(QuicConnectionTest, TLP) {
 }
 
 TEST_P(QuicConnectionTest, TailLossProbeDelayForStreamDataInTLPR) {
+  if (!connection_.session_decides_what_to_write()) {
+    return;
+  }
+
   // Set TLPR from QuicConfig.
   EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
   QuicConfig config;
@@ -3941,6 +3910,10 @@ TEST_P(QuicConnectionTest, TailLossProbeDelayForStreamDataInTLPR) {
 }
 
 TEST_P(QuicConnectionTest, TailLossProbeDelayForNonStreamDataInTLPR) {
+  if (!connection_.session_decides_what_to_write()) {
+    return;
+  }
+
   // Set TLPR from QuicConfig.
   EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
   QuicConfig config;
@@ -4026,7 +3999,7 @@ TEST_P(QuicConnectionTest, TailLossProbeDelayForNonStreamDataInTLPR) {
   QuicTime::Delta min_rto_timeout =
       QuicTime::Delta::FromMilliseconds(kMinRetransmissionTimeMs);
   srtt = manager_->GetRttStats()->SmoothedOrInitialRtt();
-  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_sending_ping)) {
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
     // First TLP without unacked stream data will no longer use TLPR.
     expected_delay = std::max(2 * srtt, 1.5 * srtt + 0.5 * min_rto_timeout);
   } else {
@@ -4037,11 +4010,7 @@ TEST_P(QuicConnectionTest, TailLossProbeDelayForNonStreamDataInTLPR) {
   EXPECT_EQ(expected_delay,
             connection_.GetRetransmissionAlarm()->deadline() - clock_.Now());
 
-  // Verify the path degrading delay.
-  // Path degrading delay will count TLPR for the tail loss probe delay.
-  expected_delay =
-      std::max(QuicTime::Delta::FromMilliseconds(kMinTailLossProbeTimeoutMs),
-               srtt * 0.5);
+  // Verify the path degrading delay = TLP delay + 1st RTO + 2nd RTO.
   // Add 1st RTO.
   retransmission_delay =
       std::max(manager_->GetRttStats()->smoothed_rtt() +
@@ -4059,6 +4028,26 @@ TEST_P(QuicConnectionTest, TailLossProbeDelayForNonStreamDataInTLPR) {
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   EXPECT_EQ(QuicTime::Delta::FromSeconds(kPingTimeoutSecs),
             connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+  // Advance a small period of time: 5ms. And receive a retransmitted ACK.
+  // This will update the retransmission alarm, verify the retransmission delay
+  // is correct.
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  QuicAckFrame ack = InitAckFrame({{QuicPacketNumber(1), QuicPacketNumber(2)}});
+  ProcessAckPacket(&ack);
+
+  // Verify the retransmission delay.
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    // First TLP without unacked stream data will no longer use TLPR.
+    expected_delay = std::max(2 * srtt, 1.5 * srtt + 0.5 * min_rto_timeout);
+  } else {
+    expected_delay =
+        std::max(QuicTime::Delta::FromMilliseconds(kMinTailLossProbeTimeoutMs),
+                 srtt * 0.5);
+  }
+  expected_delay = expected_delay - QuicTime::Delta::FromMilliseconds(5);
+  EXPECT_EQ(expected_delay,
+            connection_.GetRetransmissionAlarm()->deadline() - clock_.Now());
 }
 
 TEST_P(QuicConnectionTest, RTO) {
@@ -4081,6 +4070,54 @@ TEST_P(QuicConnectionTest, RTO) {
   EXPECT_EQ(QuicPacketNumber(1u), stop_waiting()->least_unacked);
 }
 
+// Regression test of b/133771183.
+TEST_P(QuicConnectionTest, RtoWithNoDataToRetransmit) {
+  if (!connection_.session_decides_what_to_write()) {
+    return;
+  }
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
+  connection_.SetMaxTailLossProbes(0);
+
+  SendStreamDataToPeer(3, "foo", 0, NO_FIN, nullptr);
+  // Connection is cwnd limited.
+  CongestionBlockWrites();
+  // Stream gets reset.
+  SendRstStream(3, QUIC_ERROR_PROCESSING_STREAM, 3);
+  // Simulate the retransmission alarm firing.
+  clock_.AdvanceTime(DefaultRetransmissionTime());
+  // RTO fires, but there is no packet to be RTOed.
+  if (GetQuicReloadableFlag(quic_fix_rto_retransmission)) {
+    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
+  } else {
+    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
+  }
+  connection_.GetRetransmissionAlarm()->Fire();
+  if (GetQuicReloadableFlag(quic_fix_rto_retransmission)) {
+    EXPECT_EQ(1u, writer_->rst_stream_frames().size());
+  }
+
+  EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(40);
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(20);
+  if (GetQuicReloadableFlag(quic_fix_rto_retransmission)) {
+    EXPECT_CALL(visitor_, WillingAndAbleToWrite())
+        .WillRepeatedly(Return(false));
+  } else {
+    EXPECT_CALL(visitor_, WillingAndAbleToWrite()).WillRepeatedly(Return(true));
+  }
+  if (GetQuicReloadableFlag(quic_fix_rto_retransmission)) {
+    EXPECT_CALL(visitor_, OnAckNeedsRetransmittableFrame()).Times(1);
+  } else {
+    // Since there is a buffered RST_STREAM, no retransmittable frame is bundled
+    // with ACKs.
+    EXPECT_CALL(visitor_, OnAckNeedsRetransmittableFrame()).Times(0);
+  }
+  // Receives packets 1 - 40.
+  for (size_t i = 1; i <= 40; ++i) {
+    ProcessDataPacket(i);
+  }
+}
+
 TEST_P(QuicConnectionTest, RetransmitWithSameEncryptionLevel) {
   use_tagging_decrypter();
 
@@ -4385,8 +4422,8 @@ TEST_P(QuicConnectionTest, InitialTimeout) {
       QuicTime::Delta::FromSeconds(kInitialIdleTimeoutSecs - 1);
   EXPECT_EQ(default_timeout, connection_.GetTimeoutAlarm()->deadline());
 
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   // Simulate the timeout alarm firing.
   clock_.AdvanceTime(QuicTime::Delta::FromSeconds(kInitialIdleTimeoutSecs - 1));
   connection_.GetTimeoutAlarm()->Fire();
@@ -4400,6 +4437,7 @@ TEST_P(QuicConnectionTest, InitialTimeout) {
   EXPECT_FALSE(connection_.GetSendAlarm()->IsSet());
   EXPECT_FALSE(connection_.GetMtuDiscoveryAlarm()->IsSet());
   EXPECT_FALSE(connection_.GetProcessUndecryptablePacketsAlarm()->IsSet());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, IdleTimeoutAfterFirstSentPacket) {
@@ -4428,7 +4466,7 @@ TEST_P(QuicConnectionTest, IdleTimeoutAfterFirstSentPacket) {
 
   // Simulate the timeout alarm firing, the connection should not be closed as
   // a new packet has been sent.
-  EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _)).Times(0);
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(0);
   QuicTime::Delta delay = initial_ddl - clock_.ApproximateNow();
   clock_.AdvanceTime(delay);
   connection_.GetTimeoutAlarm()->Fire();
@@ -4439,8 +4477,8 @@ TEST_P(QuicConnectionTest, IdleTimeoutAfterFirstSentPacket) {
 
   // Simulate the timeout alarm firing again, the connection now should be
   // closed.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   clock_.AdvanceTime(new_ddl - clock_.ApproximateNow());
   connection_.GetTimeoutAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
@@ -4451,6 +4489,7 @@ TEST_P(QuicConnectionTest, IdleTimeoutAfterFirstSentPacket) {
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
   EXPECT_FALSE(connection_.GetSendAlarm()->IsSet());
   EXPECT_FALSE(connection_.GetMtuDiscoveryAlarm()->IsSet());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, IdleTimeoutAfterSendTwoPackets) {
@@ -4480,28 +4519,11 @@ TEST_P(QuicConnectionTest, IdleTimeoutAfterSendTwoPackets) {
   SendStreamDataToPeer(1, "foo", 0, NO_FIN, &last_packet);
   EXPECT_EQ(QuicPacketNumber(2u), last_packet);
 
-  if (GetQuicReloadableFlag(
-          quic_fix_time_of_first_packet_sent_after_receiving)) {
-    // Simulate the timeout alarm firing, the connection will be closed.
-    EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                             ConnectionCloseSource::FROM_SELF));
-    clock_.AdvanceTime(initial_ddl - clock_.ApproximateNow());
-    connection_.GetTimeoutAlarm()->Fire();
-  } else {
-    // Simulate the timeout alarm firing, the connection will not be closed.
-    EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _)).Times(0);
-    clock_.AdvanceTime(initial_ddl - clock_.ApproximateNow());
-    connection_.GetTimeoutAlarm()->Fire();
-    EXPECT_TRUE(connection_.GetTimeoutAlarm()->IsSet());
-    EXPECT_TRUE(connection_.connected());
-
-    // Advance another 20ms, and fire the alarm again. The connection will be
-    // closed.
-    EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                             ConnectionCloseSource::FROM_SELF));
-    clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(20));
-    connection_.GetTimeoutAlarm()->Fire();
-  }
+  // Simulate the timeout alarm firing, the connection will be closed.
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
+  clock_.AdvanceTime(initial_ddl - clock_.ApproximateNow());
+  connection_.GetTimeoutAlarm()->Fire();
 
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
@@ -4511,6 +4533,7 @@ TEST_P(QuicConnectionTest, IdleTimeoutAfterSendTwoPackets) {
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
   EXPECT_FALSE(connection_.GetSendAlarm()->IsSet());
   EXPECT_FALSE(connection_.GetMtuDiscoveryAlarm()->IsSet());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, HandshakeTimeout) {
@@ -4527,8 +4550,8 @@ TEST_P(QuicConnectionTest, HandshakeTimeout) {
 
   // Send and ack new data 3 seconds later to lengthen the idle timeout.
   SendStreamDataToPeer(
-      QuicUtils::GetHeadersStreamId(connection_.transport_version()), "GET /",
-      0, FIN, nullptr);
+      GetNthClientInitiatedStreamId(0, connection_.transport_version()),
+      "GET /", 0, FIN, nullptr);
   clock_.AdvanceTime(QuicTime::Delta::FromSeconds(3));
   QuicAckFrame frame = InitAckFrame(1);
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
@@ -4542,8 +4565,8 @@ TEST_P(QuicConnectionTest, HandshakeTimeout) {
 
   clock_.AdvanceTime(timeout - QuicTime::Delta::FromSeconds(2));
 
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_HANDSHAKE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   // Simulate the timeout alarm firing.
   connection_.GetTimeoutAlarm()->Fire();
 
@@ -4554,6 +4577,7 @@ TEST_P(QuicConnectionTest, HandshakeTimeout) {
   EXPECT_FALSE(connection_.GetPingAlarm()->IsSet());
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
   EXPECT_FALSE(connection_.GetSendAlarm()->IsSet());
+  TestConnectionCloseQuicErrorCode(QUIC_HANDSHAKE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, PingAfterSend) {
@@ -4570,8 +4594,8 @@ TEST_P(QuicConnectionTest, PingAfterSend) {
   clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
   SendStreamDataToPeer(
-      QuicUtils::GetHeadersStreamId(connection_.transport_version()), "GET /",
-      0, FIN, nullptr);
+      GetNthClientInitiatedStreamId(0, connection_.transport_version()),
+      "GET /", 0, FIN, nullptr);
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   EXPECT_EQ(clock_.ApproximateNow() + QuicTime::Delta::FromSeconds(15),
             connection_.GetPingAlarm()->deadline());
@@ -4624,8 +4648,8 @@ TEST_P(QuicConnectionTest, ReducedPingTimeout) {
   clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
   SendStreamDataToPeer(
-      QuicUtils::GetHeadersStreamId(connection_.transport_version()), "GET /",
-      0, FIN, nullptr);
+      GetNthClientInitiatedStreamId(0, connection_.transport_version()),
+      "GET /", 0, FIN, nullptr);
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   EXPECT_EQ(clock_.ApproximateNow() + QuicTime::Delta::FromSeconds(10),
             connection_.GetPingAlarm()->deadline());
@@ -4973,7 +4997,7 @@ TEST_P(QuicConnectionTest, NoMtuDiscoveryAfterConnectionClosed) {
                        nullptr);
   EXPECT_TRUE(connection_.GetMtuDiscoveryAlarm()->IsSet());
 
-  EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _));
   connection_.CloseConnection(QUIC_PEER_GOING_AWAY, "no reason",
                               ConnectionCloseBehavior::SILENT_CLOSE);
   EXPECT_FALSE(connection_.GetMtuDiscoveryAlarm()->IsSet());
@@ -5018,14 +5042,15 @@ TEST_P(QuicConnectionTest, TimeoutAfterSend) {
             connection_.GetTimeoutAlarm()->deadline());
 
   // This time, we should time out.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
   clock_.AdvanceTime(five_ms);
   EXPECT_EQ(default_timeout + five_ms, clock_.ApproximateNow());
   connection_.GetTimeoutAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, TimeoutAfterRetransmission) {
@@ -5092,8 +5117,8 @@ TEST_P(QuicConnectionTest, TimeoutAfterRetransmission) {
             connection_.GetTimeoutAlarm()->deadline().ToDebuggingValue());
 
   // This time, we should time out.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
   clock_.AdvanceTime(final_timeout - clock_.Now());
   EXPECT_EQ(connection_.GetTimeoutAlarm()->deadline(), clock_.Now());
@@ -5101,6 +5126,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterRetransmission) {
   connection_.GetTimeoutAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, NewTimeoutAfterSendSilentClose) {
@@ -5161,13 +5187,20 @@ TEST_P(QuicConnectionTest, NewTimeoutAfterSendSilentClose) {
             connection_.GetTimeoutAlarm()->deadline());
 
   // This time, we should time out.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  // This results in a SILENT_CLOSE, so the writer will not be invoked
+  // and will not save the frame. Grab the frame from OnConnectionClosed
+  // directly.
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
+
   clock_.AdvanceTime(five_ms);
   EXPECT_EQ(default_timeout + five_ms, clock_.ApproximateNow());
   connection_.GetTimeoutAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_NETWORK_IDLE_TIMEOUT,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseAndTLP) {
@@ -5216,14 +5249,15 @@ TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseAndTLP) {
   connection_.GetRetransmissionAlarm()->Fire();
 
   // This time, we should time out and send a connection close due to the TLP.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
   clock_.AdvanceTime(connection_.GetTimeoutAlarm()->deadline() -
                      clock_.ApproximateNow() + five_ms);
   connection_.GetTimeoutAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseWithOpenStreams) {
@@ -5270,14 +5304,15 @@ TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseWithOpenStreams) {
       .WillRepeatedly(Return(true));
 
   // This time, we should time out and send a connection close due to the TLP.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
   clock_.AdvanceTime(connection_.GetTimeoutAlarm()->deadline() -
                      clock_.ApproximateNow() + five_ms);
   connection_.GetTimeoutAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, TimeoutAfterReceive) {
@@ -5320,14 +5355,15 @@ TEST_P(QuicConnectionTest, TimeoutAfterReceive) {
             connection_.GetTimeoutAlarm()->deadline());
 
   // This time, we should time out.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
   clock_.AdvanceTime(five_ms);
   EXPECT_EQ(default_timeout + five_ms, clock_.ApproximateNow());
   connection_.GetTimeoutAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, TimeoutAfterReceiveNotSendWhenUnacked) {
@@ -5377,8 +5413,8 @@ TEST_P(QuicConnectionTest, TimeoutAfterReceiveNotSendWhenUnacked) {
 
   // Now, send packets while advancing the time and verify that the connection
   // eventually times out.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_NETWORK_IDLE_TIMEOUT, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AnyNumber());
   for (int i = 0; i < 100 && connection_.connected(); ++i) {
     QUIC_LOG(INFO) << "sending data packet";
@@ -5390,6 +5426,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterReceiveNotSendWhenUnacked) {
   }
   EXPECT_FALSE(connection_.connected());
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
+  TestConnectionCloseQuicErrorCode(QUIC_NETWORK_IDLE_TIMEOUT);
 }
 
 TEST_P(QuicConnectionTest, TimeoutAfter5ClientRTOs) {
@@ -5418,12 +5455,13 @@ TEST_P(QuicConnectionTest, TimeoutAfter5ClientRTOs) {
   EXPECT_EQ(2u, connection_.sent_packet_manager().GetConsecutiveTlpCount());
   EXPECT_EQ(4u, connection_.sent_packet_manager().GetConsecutiveRtoCount());
   // This time, we should time out.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_TOO_MANY_RTOS, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
   connection_.GetRetransmissionAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
+  TestConnectionCloseQuicErrorCode(QUIC_TOO_MANY_RTOS);
 }
 
 TEST_P(QuicConnectionTest, SendScheduler) {
@@ -5442,7 +5480,7 @@ TEST_P(QuicConnectionTest, FailToSendFirstPacket) {
   // Test that the connection does not crash when it fails to send the first
   // packet at which point self_address_ might be uninitialized.
   QuicFramerPeer::SetPerspective(&peer_framer_, Perspective::IS_CLIENT);
-  EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _)).Times(1);
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(1);
   std::unique_ptr<QuicPacket> packet =
       ConstructDataPacket(1, !kHasStopWaiting, ENCRYPTION_INITIAL);
   QuicPacketCreatorPeer::SetPacketNumber(creator_, 1);
@@ -5493,7 +5531,7 @@ TEST_P(QuicConnectionTest, SendingThreePackets) {
 
 TEST_P(QuicConnectionTest, LoopThroughSendingPacketsWithTruncation) {
   set_perspective(Perspective::IS_SERVER);
-  if (GetParam().version.transport_version <= QUIC_VERSION_43) {
+  if (!VersionHasIetfInvariantHeader(GetParam().version.transport_version)) {
     // For IETF QUIC, encryption level will be switched to FORWARD_SECURE in
     // SendStreamDataWithString.
     QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
@@ -5519,7 +5557,7 @@ TEST_P(QuicConnectionTest, LoopThroughSendingPacketsWithTruncation) {
   EXPECT_EQ(payload.size(),
             connection_.SendStreamDataWithString(3, payload, 1350, NO_FIN)
                 .bytes_consumed);
-  if (connection_.transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(connection_.transport_version())) {
     // Short header packets sent from server omit connection ID already, and
     // stream offset size increases from 0 to 2.
     EXPECT_EQ(non_truncated_packet_size, writer_->last_packet_size() - 2);
@@ -6287,20 +6325,9 @@ TEST_P(QuicConnectionTest, SendDelayedAckOnSecondPacket) {
 
 TEST_P(QuicConnectionTest, NoAckOnOldNacks) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-  // Drop one packet, triggering a sequence of acks.
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
   ProcessPacket(2);
   size_t frames_per_ack = GetParam().no_stop_waiting ? 1 : 2;
-  if (!GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    size_t padding_frame_count = writer_->padding_frames().size();
-    EXPECT_EQ(padding_frame_count + frames_per_ack, writer_->frame_count());
-    EXPECT_FALSE(writer_->ack_frames().empty());
-    writer_->Reset();
-  }
 
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   ProcessPacket(3);
@@ -6309,19 +6336,9 @@ TEST_P(QuicConnectionTest, NoAckOnOldNacks) {
   EXPECT_FALSE(writer_->ack_frames().empty());
   writer_->Reset();
 
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
   ProcessPacket(4);
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    EXPECT_EQ(0u, writer_->frame_count());
-  } else {
-    EXPECT_EQ(padding_frame_count + frames_per_ack, writer_->frame_count());
-    EXPECT_FALSE(writer_->ack_frames().empty());
-    writer_->Reset();
-  }
+  EXPECT_EQ(0u, writer_->frame_count());
 
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   ProcessPacket(5);
@@ -6363,11 +6380,13 @@ TEST_P(QuicConnectionTest, SendDelayedAckOnOutgoingPacket) {
 }
 
 TEST_P(QuicConnectionTest, SendDelayedAckOnOutgoingCryptoPacket) {
-  if (connection_.SupportsMultiplePacketNumberSpaces()) {
-    return;
-  }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-  ProcessPacket(1);
+  if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+    EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(1);
+  } else {
+    EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
+  }
+  ProcessCryptoPacketAtLevel(1, ENCRYPTION_INITIAL);
   connection_.SendCryptoDataWithString("foo", 0);
   // Check that ack is bundled with outgoing crypto data.
   if (GetParam().no_stop_waiting) {
@@ -6394,9 +6413,6 @@ TEST_P(QuicConnectionTest, BlockAndBufferOnFirstCHLOPacketOfTwo) {
 }
 
 TEST_P(QuicConnectionTest, BundleAckForSecondCHLO) {
-  if (connection_.SupportsMultiplePacketNumberSpaces()) {
-    return;
-  }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_FALSE(connection_.GetAckAlarm()->IsSet());
   EXPECT_CALL(visitor_, OnCanWrite())
@@ -6405,7 +6421,12 @@ TEST_P(QuicConnectionTest, BundleAckForSecondCHLO) {
   // Process a packet from the crypto stream, which is frame1_'s default.
   // Receiving the CHLO as packet 2 first will cause the connection to
   // immediately send an ack, due to the packet gap.
-  ProcessPacket(2);
+  if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+    EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(1);
+  } else {
+    EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
+  }
+  ProcessCryptoPacketAtLevel(2, ENCRYPTION_INITIAL);
   // Check that ack is sent and that delayed ack alarm is reset.
   if (GetParam().no_stop_waiting) {
     EXPECT_EQ(3u, writer_->frame_count());
@@ -6426,21 +6447,29 @@ TEST_P(QuicConnectionTest, BundleAckForSecondCHLO) {
 }
 
 TEST_P(QuicConnectionTest, BundleAckForSecondCHLOTwoPacketReject) {
-  if (connection_.SupportsMultiplePacketNumberSpaces()) {
-    return;
-  }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_FALSE(connection_.GetAckAlarm()->IsSet());
 
   // Process two packets from the crypto stream, which is frame1_'s default,
   // simulating a 2 packet reject.
   {
-    ProcessPacket(1);
+    if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+      EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(1);
+    } else {
+      EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
+    }
+    ProcessCryptoPacketAtLevel(1, ENCRYPTION_INITIAL);
     // Send the new CHLO when the REJ is processed.
-    EXPECT_CALL(visitor_, OnStreamFrame(_))
-        .WillOnce(IgnoreResult(InvokeWithoutArgs(
-            &connection_, &TestConnection::SendCryptoStreamData)));
-    ProcessDataPacket(2);
+    if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+      EXPECT_CALL(visitor_, OnCryptoFrame(_))
+          .WillOnce(IgnoreResult(InvokeWithoutArgs(
+              &connection_, &TestConnection::SendCryptoStreamData)));
+    } else {
+      EXPECT_CALL(visitor_, OnStreamFrame(_))
+          .WillOnce(IgnoreResult(InvokeWithoutArgs(
+              &connection_, &TestConnection::SendCryptoStreamData)));
+    }
+    ProcessCryptoPacketAtLevel(2, ENCRYPTION_INITIAL);
   }
   // Check that ack is sent and that delayed ack alarm is reset.
   if (GetParam().no_stop_waiting) {
@@ -6532,16 +6561,19 @@ TEST_P(QuicConnectionTest, BundleAckWithDataOnIncomingAck) {
 TEST_P(QuicConnectionTest, NoAckSentForClose) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   ProcessPacket(1);
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PEER_GOING_AWAY, _,
-                                           ConnectionCloseSource::FROM_PEER));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_PEER))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
   ProcessClosePacket(2);
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, SendWhenDisconnected) {
   EXPECT_TRUE(connection_.connected());
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PEER_GOING_AWAY, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   connection_.CloseConnection(QUIC_PEER_GOING_AWAY, "no reason",
                               ConnectionCloseBehavior::SILENT_CLOSE);
   EXPECT_FALSE(connection_.connected());
@@ -6552,18 +6584,20 @@ TEST_P(QuicConnectionTest, SendWhenDisconnected) {
       .Times(0);
   connection_.SendPacket(ENCRYPTION_INITIAL, 1, std::move(packet),
                          HAS_RETRANSMITTABLE_DATA, false, false);
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, SendConnectivityProbingWhenDisconnected) {
   // EXPECT_QUIC_BUG tests are expensive so only run one instance of them.
-  if (!IsDefaultTestConfiguration() ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (!IsDefaultTestConfiguration()) {
     return;
   }
 
   EXPECT_TRUE(connection_.connected());
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PEER_GOING_AWAY, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   connection_.CloseConnection(QUIC_PEER_GOING_AWAY, "no reason",
                               ConnectionCloseBehavior::SILENT_CLOSE);
   EXPECT_FALSE(connection_.connected());
@@ -6576,6 +6610,9 @@ TEST_P(QuicConnectionTest, SendConnectivityProbingWhenDisconnected) {
                       writer_.get(), connection_.peer_address()),
                   "Not sending connectivity probing packet as connection is "
                   "disconnected.");
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, WriteBlockedAfterClientSendsConnectivityProbe) {
@@ -6618,7 +6655,7 @@ TEST_P(QuicConnectionTest, WriterErrorWhenClientSendsConnectivityProbe) {
 
   // Connection should not be closed if a connectivity probe is failed to be
   // sent.
-  EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _)).Times(0);
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(0);
 
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, QuicPacketNumber(1), _, _))
       .Times(0);
@@ -6633,7 +6670,7 @@ TEST_P(QuicConnectionTest, WriterErrorWhenServerSendsConnectivityProbe) {
   writer_->SetShouldWriteFail();
   // Connection should not be closed if a connectivity probe is failed to be
   // sent.
-  EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _)).Times(0);
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(0);
 
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, QuicPacketNumber(1), _, _))
       .Times(0);
@@ -6642,8 +6679,7 @@ TEST_P(QuicConnectionTest, WriterErrorWhenServerSendsConnectivityProbe) {
 }
 
 TEST_P(QuicConnectionTest, PublicReset) {
-  if (GetParam().version.transport_version > QUIC_VERSION_43 ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (VersionHasIetfInvariantHeader(GetParam().version.transport_version)) {
     return;
   }
   QuicPublicResetPacket header;
@@ -6653,14 +6689,15 @@ TEST_P(QuicConnectionTest, PublicReset) {
       framer_.BuildPublicResetPacket(header));
   std::unique_ptr<QuicReceivedPacket> received(
       ConstructReceivedPacket(*packet, QuicTime::Zero()));
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PUBLIC_RESET, _,
-                                           ConnectionCloseSource::FROM_PEER));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_PEER))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, *received);
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_PUBLIC_RESET, saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, IetfStatelessReset) {
-  if (GetParam().version.transport_version <= QUIC_VERSION_43 ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (!VersionHasIetfInvariantHeader(GetParam().version.transport_version)) {
     return;
   }
   const QuicUint128 kTestStatelessResetToken = 1010101;
@@ -6674,14 +6711,15 @@ TEST_P(QuicConnectionTest, IetfStatelessReset) {
                                                 kTestStatelessResetToken));
   std::unique_ptr<QuicReceivedPacket> received(
       ConstructReceivedPacket(*packet, QuicTime::Zero()));
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PUBLIC_RESET, _,
-                                           ConnectionCloseSource::FROM_PEER));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_PEER))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, *received);
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_PUBLIC_RESET, saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, GoAway) {
-  if (GetParam().version.transport_version == QUIC_VERSION_99 ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     // GoAway is not available in version 99.
     return;
   }
@@ -6719,186 +6757,23 @@ TEST_P(QuicConnectionTest, Blocked) {
 
 TEST_P(QuicConnectionTest, ZeroBytePacket) {
   // Don't close the connection for zero byte packets.
-  EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _)).Times(0);
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(0);
   QuicReceivedPacket encrypted(nullptr, 0, QuicTime::Zero());
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, encrypted);
 }
 
 TEST_P(QuicConnectionTest, MissingPacketsBeforeLeastUnacked) {
-  if (GetParam().version.transport_version > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(GetParam().version.transport_version)) {
     return;
   }
   // Set the packet number of the ack packet to be least unacked (4).
   QuicPacketCreatorPeer::SetPacketNumber(&peer_creator_, 3);
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   ProcessStopWaitingPacket(InitStopWaitingFrame(4));
-  EXPECT_FALSE(outgoing_ack()->packets.Empty());
-}
-
-TEST_P(QuicConnectionTest, ServerSendsVersionNegotiationPacket) {
-  // Turn off QUIC_VERSION_99.
-  SetQuicReloadableFlag(quic_enable_version_99, false);
-  connection_.SetSupportedVersions(CurrentSupportedVersions());
-  set_perspective(Perspective::IS_SERVER);
-  if (GetParam().version.transport_version > QUIC_VERSION_43) {
-    peer_framer_.set_version_for_tests(
-        ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_99));
-  } else {
-    peer_framer_.set_version_for_tests(UnsupportedQuicVersion());
-  }
-
-  QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.version_flag = true;
-  header.packet_number = QuicPacketNumber(12);
-
-  if (QuicVersionHasLongHeaderLengths(
-          peer_framer_.version().transport_version)) {
-    header.long_packet_type = INITIAL;
-    header.retry_token_length_length = VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    header.length_length = VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
-
-  QuicFrames frames;
-  frames.push_back(QuicFrame(frame1_));
-  std::unique_ptr<QuicPacket> packet(ConstructPacket(header, frames));
-  char buffer[kMaxOutgoingPacketSize];
-  size_t encrypted_length =
-      framer_.EncryptPayload(ENCRYPTION_INITIAL, QuicPacketNumber(12), *packet,
-                             buffer, kMaxOutgoingPacketSize);
-
-  framer_.set_version(version());
-  // Writer's framer's perspective is client, so that it needs to have the right
-  // version to process either IETF or GQUIC version negotiation packet.
-  writer_->SetSupportedVersions({version()});
-  connection_.ProcessUdpPacket(
-      kSelfAddress, kPeerAddress,
-      QuicReceivedPacket(buffer, encrypted_length, QuicTime::Zero(), false));
-  EXPECT_TRUE(writer_->version_negotiation_packet() != nullptr);
-
-  ParsedQuicVersionVector supported_versions = CurrentSupportedVersions();
-  ASSERT_EQ(supported_versions.size(),
-            writer_->version_negotiation_packet()->versions.size());
-
-  // We expect all versions in supported_versions to be
-  // included in the packet.
-  for (size_t i = 0; i < supported_versions.size(); ++i) {
-    EXPECT_EQ(supported_versions[i],
-              writer_->version_negotiation_packet()->versions[i]);
-  }
-}
-
-TEST_P(QuicConnectionTest, ServerSendsVersionNegotiationPacketSocketBlocked) {
-  // Turn off QUIC_VERSION_99.
-  SetQuicReloadableFlag(quic_enable_version_99, false);
-  connection_.SetSupportedVersions(CurrentSupportedVersions());
-  set_perspective(Perspective::IS_SERVER);
-  if (GetParam().version.transport_version > QUIC_VERSION_43) {
-    peer_framer_.set_version_for_tests(
-        ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_99));
-  } else {
-    peer_framer_.set_version_for_tests(UnsupportedQuicVersion());
-  }
-
-  QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.version_flag = true;
-  header.packet_number = QuicPacketNumber(12);
-
-  if (QuicVersionHasLongHeaderLengths(
-          peer_framer_.version().transport_version)) {
-    header.long_packet_type = INITIAL;
-    header.retry_token_length_length = VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    header.length_length = VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
-
-  QuicFrames frames;
-  frames.push_back(QuicFrame(frame1_));
-  std::unique_ptr<QuicPacket> packet(ConstructPacket(header, frames));
-  char buffer[kMaxOutgoingPacketSize];
-  size_t encrypted_length =
-      framer_.EncryptPayload(ENCRYPTION_INITIAL, QuicPacketNumber(12), *packet,
-                             buffer, kMaxOutgoingPacketSize);
-
-  framer_.set_version(version());
-  BlockOnNextWrite();
-  // Writer's framer's perspective is client, so that it needs to have the right
-  // version to process either IETF or GQUIC version negotiation packet.
-  writer_->SetSupportedVersions({version()});
-  connection_.ProcessUdpPacket(
-      kSelfAddress, kPeerAddress,
-      QuicReceivedPacket(buffer, encrypted_length, QuicTime::Zero(), false));
-  EXPECT_EQ(0u, writer_->last_packet_size());
-  EXPECT_TRUE(connection_.HasQueuedData());
-
-  writer_->SetWritable();
-  connection_.OnCanWrite();
-  EXPECT_TRUE(writer_->version_negotiation_packet() != nullptr);
-
-  ParsedQuicVersionVector supported_versions = CurrentSupportedVersions();
-  ASSERT_EQ(supported_versions.size(),
-            writer_->version_negotiation_packet()->versions.size());
-
-  // We expect all versions in supported_versions to be
-  // included in the packet.
-  for (size_t i = 0; i < supported_versions.size(); ++i) {
-    EXPECT_EQ(supported_versions[i],
-              writer_->version_negotiation_packet()->versions[i]);
-  }
-}
-
-TEST_P(QuicConnectionTest,
-       ServerSendsVersionNegotiationPacketSocketBlockedDataBuffered) {
-  // Turn off QUIC_VERSION_99.
-  SetQuicReloadableFlag(quic_enable_version_99, false);
-  connection_.SetSupportedVersions(CurrentSupportedVersions());
-  set_perspective(Perspective::IS_SERVER);
-  if (GetParam().version.transport_version > QUIC_VERSION_43) {
-    peer_framer_.set_version_for_tests(
-        ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_99));
-  } else {
-    peer_framer_.set_version_for_tests(UnsupportedQuicVersion());
-  }
-
-  QuicPacketHeader header;
-  header.destination_connection_id = connection_id_;
-  header.version_flag = true;
-  header.packet_number = QuicPacketNumber(12);
-
-  if (QuicVersionHasLongHeaderLengths(
-          peer_framer_.version().transport_version)) {
-    header.long_packet_type = INITIAL;
-    header.retry_token_length_length = VARIABLE_LENGTH_INTEGER_LENGTH_1;
-    header.length_length = VARIABLE_LENGTH_INTEGER_LENGTH_2;
-  }
-
-  QuicFrames frames;
-  frames.push_back(QuicFrame(frame1_));
-  std::unique_ptr<QuicPacket> packet(ConstructPacket(header, frames));
-  char buffer[kMaxOutgoingPacketSize];
-  size_t encryped_length =
-      framer_.EncryptPayload(ENCRYPTION_INITIAL, QuicPacketNumber(12), *packet,
-                             buffer, kMaxOutgoingPacketSize);
-
-  framer_.set_version(version());
-  set_perspective(Perspective::IS_SERVER);
-  BlockOnNextWrite();
-  writer_->set_is_write_blocked_data_buffered(true);
-  // Writer's framer's perspective is client, so that it needs to have the right
-  // version to process either IETF or GQUIC version negotiation packet.
-  writer_->SetSupportedVersions({version()});
-  connection_.ProcessUdpPacket(
-      kSelfAddress, kPeerAddress,
-      QuicReceivedPacket(buffer, encryped_length, QuicTime::Zero(), false));
-  EXPECT_EQ(0u, writer_->last_packet_size());
-  EXPECT_FALSE(connection_.HasQueuedData());
+  EXPECT_FALSE(connection_.ack_frame().packets.Empty());
 }
 
 TEST_P(QuicConnectionTest, ClientHandlesVersionNegotiation) {
-  const bool expect_failure =
-      GetQuicReloadableFlag(quic_no_client_conn_ver_negotiation) ||
-      connection_.version().handshake_protocol !=
-          QuicVersionReservedForNegotiation().handshake_protocol;
   // Start out with an unsupported version.
   QuicConnectionPeer::GetFramer(&connection_)
       ->set_version_for_tests(QuicVersionReservedForNegotiation());
@@ -6907,67 +6782,35 @@ TEST_P(QuicConnectionTest, ClientHandlesVersionNegotiation) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       QuicFramer::BuildVersionNegotiationPacket(
           connection_id_, EmptyQuicConnectionId(),
-          connection_.transport_version() > QUIC_VERSION_43,
+          VersionHasIetfInvariantHeader(connection_.transport_version()),
           AllSupportedVersions()));
   std::unique_ptr<QuicReceivedPacket> received(
       ConstructReceivedPacket(*encrypted, QuicTime::Zero()));
-  if (expect_failure) {
-    EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INVALID_VERSION, _,
-                                             ConnectionCloseSource::FROM_SELF));
-  }
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, *received);
-  if (expect_failure) {
-    EXPECT_FALSE(connection_.connected());
-    return;
-  }
-
-  // Now force another packet.  The connection should transition into
-  // NEGOTIATED_VERSION state and tell the packet creator to StopSendingVersion.
-  QuicPacketHeader header;
-  header.destination_connection_id_included = CONNECTION_ID_ABSENT;
-  if (!GetQuicRestartFlag(quic_do_not_override_connection_id)) {
-    header.destination_connection_id = connection_id_;
-  } else {
-    header.source_connection_id = connection_id_;
-  }
-  header.packet_number = QuicPacketNumber(12);
-  header.version_flag = false;
-  QuicFrames frames;
-  frames.push_back(QuicFrame(frame1_));
-  std::unique_ptr<QuicPacket> packet(ConstructPacket(header, frames));
-  char buffer[kMaxOutgoingPacketSize];
-  size_t encrypted_length =
-      peer_framer_.EncryptPayload(ENCRYPTION_INITIAL, QuicPacketNumber(12),
-                                  *packet, buffer, kMaxOutgoingPacketSize);
-  ASSERT_NE(0u, encrypted_length);
-  EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-  connection_.ProcessUdpPacket(
-      kSelfAddress, kPeerAddress,
-      QuicReceivedPacket(buffer, encrypted_length, QuicTime::Zero(), false));
-  if (GetParam().version.transport_version > QUIC_VERSION_43) {
-    // IETF QUIC stops sending version when switch to FORWARD_SECURE.
-    EXPECT_NE(ENCRYPTION_FORWARD_SECURE, connection_.encryption_level());
-    ASSERT_TRUE(QuicPacketCreatorPeer::SendVersionInPacket(creator_));
-  } else {
-    ASSERT_FALSE(QuicPacketCreatorPeer::SendVersionInPacket(creator_));
-  }
+  EXPECT_FALSE(connection_.connected());
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_INVALID_VERSION,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, BadVersionNegotiation) {
   // Send a version negotiation packet with the version the client started with.
   // It should be rejected.
-  EXPECT_CALL(visitor_,
-              OnConnectionClosed(QUIC_INVALID_VERSION_NEGOTIATION_PACKET, _,
-                                 ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       QuicFramer::BuildVersionNegotiationPacket(
           connection_id_, EmptyQuicConnectionId(),
-          connection_.transport_version() > QUIC_VERSION_43,
+          VersionHasIetfInvariantHeader(connection_.transport_version()),
           AllSupportedVersions()));
   std::unique_ptr<QuicReceivedPacket> received(
       ConstructReceivedPacket(*encrypted, QuicTime::Zero()));
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, *received);
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_INVALID_VERSION_NEGOTIATION_PACKET,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, CheckSendStats) {
@@ -7015,8 +6858,9 @@ TEST_P(QuicConnectionTest, CheckSendStats) {
   // For IETF QUIC, version is not included as the encryption level switches to
   // FORWARD_SECURE in SendStreamDataWithString.
   size_t save_on_version =
-      GetParam().version.transport_version > QUIC_VERSION_43 ? 0
-                                                             : kQuicVersionSize;
+      VersionHasIetfInvariantHeader(GetParam().version.transport_version)
+          ? 0
+          : kQuicVersionSize;
   EXPECT_EQ(3 * first_packet_size + 2 * second_packet_size - save_on_version,
             stats.bytes_sent);
   EXPECT_EQ(5u, stats.packets_sent);
@@ -7034,21 +6878,21 @@ TEST_P(QuicConnectionTest, ProcessFramesIfPacketClosedConnection) {
       peer_framer_.perspective() == Perspective::IS_SERVER) {
     header.source_connection_id = connection_id_;
     header.destination_connection_id_included = CONNECTION_ID_ABSENT;
-    if (peer_framer_.transport_version() <= QUIC_VERSION_43) {
+    if (!VersionHasIetfInvariantHeader(peer_framer_.transport_version())) {
       header.source_connection_id_included = CONNECTION_ID_PRESENT;
     }
   } else {
     header.destination_connection_id = connection_id_;
-    if (peer_framer_.transport_version() > QUIC_VERSION_43) {
+    if (VersionHasIetfInvariantHeader(peer_framer_.transport_version())) {
       header.destination_connection_id_included = CONNECTION_ID_ABSENT;
     }
   }
   header.packet_number = QuicPacketNumber(1);
   header.version_flag = false;
 
-  QuicConnectionCloseFrame qccf(QUIC_PEER_GOING_AWAY);
-  if (peer_framer_.transport_version() == QUIC_VERSION_99) {
-    // Default close-type is Google QUIC. If doing IETF/V99 then
+  QuicConnectionCloseFrame qccf(QUIC_PEER_GOING_AWAY, "");
+  if (VersionHasIetfQuicFrames(peer_framer_.transport_version())) {
+    // Default close-type is Google QUIC. If doing IETF QUIC then
     // set close type to be IETF CC/T.
     qccf.close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
   }
@@ -7063,14 +6907,17 @@ TEST_P(QuicConnectionTest, ProcessFramesIfPacketClosedConnection) {
       peer_framer_.EncryptPayload(ENCRYPTION_INITIAL, QuicPacketNumber(1),
                                   *packet, buffer, kMaxOutgoingPacketSize);
 
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PEER_GOING_AWAY, _,
-                                           ConnectionCloseSource::FROM_PEER));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_PEER))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
 
   connection_.ProcessUdpPacket(
       kSelfAddress, kPeerAddress,
       QuicReceivedPacket(buffer, encrypted_length, QuicTime::Zero(), false));
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, SelectMutualVersion) {
@@ -7143,7 +6990,7 @@ TEST_P(QuicConnectionTest, OnPacketSentDebugVisitor) {
 TEST_P(QuicConnectionTest, OnPacketHeaderDebugVisitor) {
   QuicPacketHeader header;
   header.packet_number = QuicPacketNumber(1);
-  if (GetParam().version.transport_version > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(GetParam().version.transport_version)) {
     header.form = IETF_QUIC_LONG_HEADER_PACKET;
   }
 
@@ -7287,14 +7134,16 @@ TEST_P(QuicConnectionTest, SendingUnencryptedStreamDataFails) {
     return;
   }
 
-  EXPECT_CALL(visitor_,
-              OnConnectionClosed(QUIC_ATTEMPT_TO_SEND_UNENCRYPTED_STREAM_DATA,
-                                 _, ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   struct iovec iov;
   MakeIOVector("", &iov);
   EXPECT_QUIC_BUG(connection_.SaveAndSendStreamData(3, &iov, 1, 0, 0, FIN),
                   "Cannot send stream data with level: ENCRYPTION_INITIAL");
   EXPECT_FALSE(connection_.connected());
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_ATTEMPT_TO_SEND_UNENCRYPTED_STREAM_DATA,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, SetRetransmissionAlarmForCryptoPacket) {
@@ -7670,7 +7519,7 @@ TEST_P(QuicConnectionTest, MultipleCallsToCloseConnection) {
   // Verifies that multiple calls to CloseConnection do not
   // result in multiple attempts to close the connection - it will be marked as
   // disconnected after the first call.
-  EXPECT_CALL(visitor_, OnConnectionClosed(_, _, _)).Times(1);
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(1);
   connection_.CloseConnection(QUIC_NO_ERROR, "no reason",
                               ConnectionCloseBehavior::SILENT_CLOSE);
   connection_.CloseConnection(QUIC_NO_ERROR, "no reason",
@@ -7691,9 +7540,10 @@ TEST_P(QuicConnectionTest, ServerReceivesChloOnNonCryptoStream) {
   frame1_.data_buffer = data->data();
   frame1_.data_length = data->length();
 
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_MAYBE_CORRUPTED_MEMORY, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   ForceProcessFramePacket(QuicFrame(frame1_));
+  TestConnectionCloseQuicErrorCode(QUIC_MAYBE_CORRUPTED_MEMORY);
 }
 
 TEST_P(QuicConnectionTest, ClientReceivesRejOnNonCryptoStream) {
@@ -7707,28 +7557,57 @@ TEST_P(QuicConnectionTest, ClientReceivesRejOnNonCryptoStream) {
   frame1_.data_buffer = data->data();
   frame1_.data_length = data->length();
 
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_MAYBE_CORRUPTED_MEMORY, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   ForceProcessFramePacket(QuicFrame(frame1_));
+  TestConnectionCloseQuicErrorCode(QUIC_MAYBE_CORRUPTED_MEMORY);
 }
 
 TEST_P(QuicConnectionTest, CloseConnectionOnPacketTooLarge) {
   SimulateNextPacketTooLarge();
   // A connection close packet is sent
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PACKET_WRITE_ERROR, _,
-                                           ConnectionCloseSource::FROM_SELF))
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
       .Times(1);
   connection_.SendStreamDataWithString(3, "foo", 0, NO_FIN);
+  TestConnectionCloseQuicErrorCode(QUIC_PACKET_WRITE_ERROR);
 }
 
 TEST_P(QuicConnectionTest, AlwaysGetPacketTooLarge) {
   // Test even we always get packet too large, we do not infinitely try to send
   // close packet.
   AlwaysGetPacketTooLarge();
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PACKET_WRITE_ERROR, _,
-                                           ConnectionCloseSource::FROM_SELF))
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
       .Times(1);
   connection_.SendStreamDataWithString(3, "foo", 0, NO_FIN);
+  TestConnectionCloseQuicErrorCode(QUIC_PACKET_WRITE_ERROR);
+}
+
+TEST_P(QuicConnectionTest, CloseConnectionOnQueuedWriteError) {
+  SetQuicReloadableFlag(quic_clear_queued_packets_on_connection_close, true);
+  // Regression test for crbug.com/979507.
+  //
+  // If we get a write error when writing queued packets, we should attempt to
+  // send a connection close packet, but if sending that fails, it shouldn't get
+  // queued.
+
+  // Queue a packet to write.
+  BlockOnNextWrite();
+  connection_.SendStreamDataWithString(3, "foo", 0, NO_FIN);
+  EXPECT_EQ(1u, connection_.NumQueuedPackets());
+
+  // Configure writer to always fail.
+  AlwaysGetPacketTooLarge();
+
+  // Expect that we attempt to close the connection exactly once.
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+      .Times(1);
+
+  // Unblock the writes and actually send.
+  writer_->SetWritable();
+  connection_.OnCanWrite();
+  EXPECT_EQ(0u, connection_.NumQueuedPackets());
+
+  TestConnectionCloseQuicErrorCode(QUIC_PACKET_WRITE_ERROR);
 }
 
 // Verify that if connection has no outstanding data, it notifies the send
@@ -7838,33 +7717,24 @@ TEST_P(QuicConnectionTest, DonotForceSendingAckOnPacketTooLarge) {
   EXPECT_TRUE(ack_alarm->IsSet());
   connection_.GetAckAlarm()->Fire();
   // Simulate data packet causes write error.
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PACKET_WRITE_ERROR, _, _));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _));
   SimulateNextPacketTooLarge();
   connection_.SendStreamDataWithString(3, "foo", 0, NO_FIN);
   EXPECT_EQ(1u, writer_->frame_count());
   EXPECT_FALSE(writer_->connection_close_frames().empty());
   // Ack frame is not bundled in connection close packet.
   EXPECT_TRUE(writer_->ack_frames().empty());
-}
-
-TEST_P(QuicConnectionTest, CloseConnectionForStatelessReject) {
-  std::string error_details("stateless reject");
-  EXPECT_CALL(visitor_, OnConnectionClosed(
-                            QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT,
-                            error_details, ConnectionCloseSource::FROM_PEER));
-  connection_.set_perspective(Perspective::IS_CLIENT);
-  connection_.CloseConnection(QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT,
-                              error_details,
-                              ConnectionCloseBehavior::SILENT_CLOSE);
+  TestConnectionCloseQuicErrorCode(QUIC_PACKET_WRITE_ERROR);
 }
 
 // Regression test for b/63620844.
 TEST_P(QuicConnectionTest, FailedToWriteHandshakePacket) {
   SimulateNextPacketTooLarge();
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_PACKET_WRITE_ERROR, _,
-                                           ConnectionCloseSource::FROM_SELF))
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
       .Times(1);
+
   connection_.SendCryptoStreamData();
+  TestConnectionCloseQuicErrorCode(QUIC_PACKET_WRITE_ERROR);
 }
 
 TEST_P(QuicConnectionTest, MaxPacingRate) {
@@ -8188,26 +8058,27 @@ TEST_P(QuicConnectionTest, ValidStatelessResetToken) {
 
 TEST_P(QuicConnectionTest, WriteBlockedWithInvalidAck) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INVALID_ACK_DATA, _, _));
-
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _))
+      .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   BlockOnNextWrite();
   connection_.SendStreamDataWithString(5, "foo", 0, FIN);
   // This causes connection to be closed because packet 1 has not been sent yet.
   QuicAckFrame frame = InitAckFrame(1);
   ProcessAckPacket(1, &frame);
+  EXPECT_EQ(1, connection_close_frame_count_);
+  EXPECT_EQ(QUIC_INVALID_ACK_DATA,
+            saved_connection_close_frame_.quic_error_code);
 }
 
 TEST_P(QuicConnectionTest, SendMessage) {
-  if (connection_.transport_version() <= QUIC_VERSION_44 ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (!VersionSupportsMessageFrames(connection_.transport_version())) {
     return;
   }
   std::string message(connection_.GetCurrentLargestMessagePayload() * 2, 'a');
   QuicStringPiece message_data(message);
   QuicMemSliceStorage storage(nullptr, 0, nullptr, 0);
   {
-    QuicConnection::ScopedPacketFlusher flusher(&connection_,
-                                                QuicConnection::SEND_ACK);
+    QuicConnection::ScopedPacketFlusher flusher(&connection_);
     connection_.SendStreamData3();
     // Send a message which cannot fit into current open packet, and 2 packets
     // get sent, one contains stream frame, and the other only contains the
@@ -8245,8 +8116,7 @@ TEST_P(QuicConnectionTest, SendMessage) {
 // Test to check that the path challenge/path response logic works
 // correctly. This test is only for version-99
 TEST_P(QuicConnectionTest, PathChallengeResponse) {
-  if (connection_.version().transport_version != QUIC_VERSION_99 ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (!VersionHasIetfQuicFrames(connection_.version().transport_version)) {
     return;
   }
   // First check if we can probe from server to client and back
@@ -8292,7 +8162,6 @@ TEST_P(QuicConnectionTest, PathChallengeResponse) {
 
 // Regression test for b/110259444
 TEST_P(QuicConnectionTest, DoNotScheduleSpuriousAckAlarm) {
-  SetQuicReloadableFlag(quic_fix_spurious_ack_alarm, true);
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(visitor_, OnWriteBlocked()).Times(AtLeast(1));
   writer_->SetWriteBlocked();
@@ -8350,7 +8219,7 @@ TEST_P(QuicConnectionTest, StopProcessingGQuicPacketInIetfQuicConnection) {
   // This test mimics a problematic scenario where an IETF QUIC connection
   // receives a Google QUIC packet and continue processing it using Google QUIC
   // wire format.
-  if (version().transport_version <= QUIC_VERSION_43) {
+  if (!VersionHasIetfInvariantHeader(version().transport_version)) {
     return;
   }
   set_perspective(Perspective::IS_SERVER);
@@ -8387,8 +8256,7 @@ TEST_P(QuicConnectionTest, StopProcessingGQuicPacketInIetfQuicConnection) {
 }
 
 TEST_P(QuicConnectionTest, AcceptPacketNumberZero) {
-  if (version().transport_version != QUIC_VERSION_99 ||
-      connection_.SupportsMultiplePacketNumberSpaces()) {
+  if (!VersionHasIetfQuicFrames(version().transport_version)) {
     return;
   }
   // Set first_sending_packet_number to be 0 to allow successfully processing
@@ -8397,16 +8265,16 @@ TEST_P(QuicConnectionTest, AcceptPacketNumberZero) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
 
   ProcessPacket(0);
-  EXPECT_EQ(QuicPacketNumber(0), LargestAcked(*outgoing_ack()));
-  EXPECT_EQ(1u, outgoing_ack()->packets.NumIntervals());
+  EXPECT_EQ(QuicPacketNumber(0), LargestAcked(connection_.ack_frame()));
+  EXPECT_EQ(1u, connection_.ack_frame().packets.NumIntervals());
 
   ProcessPacket(1);
-  EXPECT_EQ(QuicPacketNumber(1), LargestAcked(*outgoing_ack()));
-  EXPECT_EQ(1u, outgoing_ack()->packets.NumIntervals());
+  EXPECT_EQ(QuicPacketNumber(1), LargestAcked(connection_.ack_frame()));
+  EXPECT_EQ(1u, connection_.ack_frame().packets.NumIntervals());
 
   ProcessPacket(2);
-  EXPECT_EQ(QuicPacketNumber(2), LargestAcked(*outgoing_ack()));
-  EXPECT_EQ(1u, outgoing_ack()->packets.NumIntervals());
+  EXPECT_EQ(QuicPacketNumber(2), LargestAcked(connection_.ack_frame()));
+  EXPECT_EQ(1u, connection_.ack_frame().packets.NumIntervals());
 }
 
 TEST_P(QuicConnectionTest, MultiplePacketNumberSpacesBasicSending) {
@@ -8473,10 +8341,11 @@ TEST_P(QuicConnectionTest, PeerAcksPacketsInWrongPacketNumberSpace) {
   // Received ACK for packets 2 and 3 in wrong packet number space.
   QuicAckFrame invalid_ack =
       InitAckFrame({{QuicPacketNumber(2), QuicPacketNumber(4)}});
-  EXPECT_CALL(visitor_, OnConnectionClosed(QUIC_INVALID_ACK_DATA, _,
-                                           ConnectionCloseSource::FROM_SELF));
+  EXPECT_CALL(visitor_,
+              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   ProcessFramePacketAtLevel(300, QuicFrame(&invalid_ack), ENCRYPTION_INITIAL);
+  TestConnectionCloseQuicErrorCode(QUIC_INVALID_ACK_DATA);
 }
 
 TEST_P(QuicConnectionTest, MultiplePacketNumberSpacesBasicReceiving) {
@@ -8572,6 +8441,130 @@ TEST_P(QuicConnectionTest, CancelAckAlarmOnWriteBlocked) {
   EXPECT_FALSE(connection_.GetAckAlarm()->IsSet());
 }
 
+// Make sure a packet received with the right client connection ID is processed.
+TEST_P(QuicConnectionTest, ValidClientConnectionId) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  if (!framer_.version().SupportsClientConnectionIds()) {
+    return;
+  }
+  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
+  connection_.set_client_connection_id(TestConnectionId(0x33));
+  QuicPacketHeader header = ConstructPacketHeader(1, ENCRYPTION_FORWARD_SECURE);
+  header.destination_connection_id = TestConnectionId(0x33);
+  header.destination_connection_id_included = CONNECTION_ID_PRESENT;
+  header.source_connection_id_included = CONNECTION_ID_ABSENT;
+  QuicFrames frames;
+  QuicPingFrame ping_frame;
+  QuicPaddingFrame padding_frame;
+  frames.push_back(QuicFrame(ping_frame));
+  frames.push_back(QuicFrame(padding_frame));
+  std::unique_ptr<QuicPacket> packet =
+      BuildUnsizedDataPacket(&framer_, header, frames);
+  char buffer[kMaxOutgoingPacketSize];
+  size_t encrypted_length = peer_framer_.EncryptPayload(
+      ENCRYPTION_FORWARD_SECURE, QuicPacketNumber(1), *packet, buffer,
+      kMaxOutgoingPacketSize);
+  QuicReceivedPacket received_packet(buffer, encrypted_length, clock_.Now(),
+                                     false);
+  EXPECT_EQ(0u, connection_.GetStats().packets_dropped);
+  ProcessReceivedPacket(kSelfAddress, kPeerAddress, received_packet);
+  EXPECT_EQ(0u, connection_.GetStats().packets_dropped);
+}
+
+// Make sure a packet received with a different client connection ID is dropped.
+TEST_P(QuicConnectionTest, InvalidClientConnectionId) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  if (!framer_.version().SupportsClientConnectionIds()) {
+    return;
+  }
+  connection_.set_client_connection_id(TestConnectionId(0x33));
+  QuicPacketHeader header = ConstructPacketHeader(1, ENCRYPTION_FORWARD_SECURE);
+  header.destination_connection_id = TestConnectionId(0xbad);
+  header.destination_connection_id_included = CONNECTION_ID_PRESENT;
+  header.source_connection_id_included = CONNECTION_ID_ABSENT;
+  QuicFrames frames;
+  QuicPingFrame ping_frame;
+  QuicPaddingFrame padding_frame;
+  frames.push_back(QuicFrame(ping_frame));
+  frames.push_back(QuicFrame(padding_frame));
+  std::unique_ptr<QuicPacket> packet =
+      BuildUnsizedDataPacket(&framer_, header, frames);
+  char buffer[kMaxOutgoingPacketSize];
+  size_t encrypted_length = peer_framer_.EncryptPayload(
+      ENCRYPTION_FORWARD_SECURE, QuicPacketNumber(1), *packet, buffer,
+      kMaxOutgoingPacketSize);
+  QuicReceivedPacket received_packet(buffer, encrypted_length, clock_.Now(),
+                                     false);
+  EXPECT_EQ(0u, connection_.GetStats().packets_dropped);
+  ProcessReceivedPacket(kSelfAddress, kPeerAddress, received_packet);
+  EXPECT_EQ(1u, connection_.GetStats().packets_dropped);
+}
+
+// Make sure the first packet received with a different client connection ID on
+// the server is processed and it changes the client connection ID.
+TEST_P(QuicConnectionTest, UpdateClientConnectionIdFromFirstPacket) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  if (!framer_.version().SupportsClientConnectionIds()) {
+    return;
+  }
+  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
+  set_perspective(Perspective::IS_SERVER);
+  QuicPacketHeader header = ConstructPacketHeader(1, ENCRYPTION_INITIAL);
+  header.source_connection_id = TestConnectionId(0x33);
+  header.source_connection_id_included = CONNECTION_ID_PRESENT;
+  QuicFrames frames;
+  QuicPingFrame ping_frame;
+  QuicPaddingFrame padding_frame;
+  frames.push_back(QuicFrame(ping_frame));
+  frames.push_back(QuicFrame(padding_frame));
+  std::unique_ptr<QuicPacket> packet =
+      BuildUnsizedDataPacket(&framer_, header, frames);
+  char buffer[kMaxOutgoingPacketSize];
+  size_t encrypted_length = peer_framer_.EncryptPayload(
+      ENCRYPTION_FORWARD_SECURE, QuicPacketNumber(1), *packet, buffer,
+      kMaxOutgoingPacketSize);
+  QuicReceivedPacket received_packet(buffer, encrypted_length, clock_.Now(),
+                                     false);
+  EXPECT_EQ(0u, connection_.GetStats().packets_dropped);
+  ProcessReceivedPacket(kSelfAddress, kPeerAddress, received_packet);
+  EXPECT_EQ(0u, connection_.GetStats().packets_dropped);
+  EXPECT_EQ(TestConnectionId(0x33), connection_.client_connection_id());
+}
+
+// Regression test for b/134416344.
+TEST_P(QuicConnectionTest, CheckConnectedBeforeFlush) {
+  // This test mimics a scenario where a connection processes 2 packets and the
+  // 2nd packet contains connection close frame. When the 2nd flusher goes out
+  // of scope, a delayed ACK is pending, and ACK alarm should not be scheduled
+  // because connection is disconnected.
+  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _));
+  EXPECT_EQ(Perspective::IS_CLIENT, connection_.perspective());
+  std::unique_ptr<QuicConnectionCloseFrame> connection_close_frame(
+      new QuicConnectionCloseFrame(QUIC_INTERNAL_ERROR, ""));
+  if (VersionHasIetfQuicFrames(connection_.transport_version())) {
+    connection_close_frame->close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
+  }
+  // Received 2 packets.
+  QuicFrame frame;
+  if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+    frame = QuicFrame(&crypto_frame_);
+    EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(AnyNumber());
+  } else {
+    frame = QuicFrame(QuicStreamFrame(
+        QuicUtils::GetCryptoStreamId(connection_.transport_version()), false,
+        0u, QuicStringPiece()));
+    EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(AnyNumber());
+  }
+  ProcessFramePacketWithAddresses(frame, kSelfAddress, kPeerAddress);
+  QuicAlarm* ack_alarm = QuicConnectionPeer::GetAckAlarm(&connection_);
+  EXPECT_TRUE(ack_alarm->IsSet());
+  ProcessFramePacketWithAddresses(QuicFrame(connection_close_frame.get()),
+                                  kSelfAddress, kPeerAddress);
+  // Verify ack alarm is not set.
+  EXPECT_FALSE(ack_alarm->IsSet());
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_constants.h b/chromium/net/third_party/quiche/src/quic/core/quic_constants.h
index caac2c76295..442fb0907aa 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_constants.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_constants.h
@@ -74,15 +74,19 @@ const uint32_t kDefaultFlowControlSendWindow = 16 * 1024;  // 16 KB
 const QuicByteCount kStreamReceiveWindowLimit = 16 * 1024 * 1024;   // 16 MB
 const QuicByteCount kSessionReceiveWindowLimit = 24 * 1024 * 1024;  // 24 MB
 
-// Default limit on the size of uncompressed headers.
+// Default limit on the size of uncompressed headers,
+// communicated via SETTINGS_MAX_HEADER_LIST_SIZE.
+// TODO(bnc): Move this constant to quic/core/http/.
 const QuicByteCount kDefaultMaxUncompressedHeaderSize = 16 * 1024;  // 16 KB
 
+// Default maximum dynamic table capacity, communicated via
+// SETTINGS_QPACK_MAX_TABLE_CAPACITY.
+// TODO(bnc): Move this constant to quic/core/http/.
+const QuicByteCount kDefaultQpackMaxDynamicTableCapacity = 64 * 1024;  // 64 KB
+
 // Minimum size of the CWND, in packets, when doing bandwidth resumption.
 const QuicPacketCount kMinCongestionWindowForBandwidthResumption = 10;
 
-// Maximum number of tracked packets.
-const QuicPacketCount kMaxTrackedPackets = 10000;
-
 // Default size of the socket receive buffer in bytes.
 const QuicByteCount kDefaultSocketReceiveBuffer = 1024 * 1024;
 
@@ -236,6 +240,9 @@ const size_t kMinRandomBytesLengthInStatelessReset = 24;
 // Maximum length allowed for the token in a NEW_TOKEN frame.
 const size_t kMaxNewTokenTokenLength = 0xffff;
 
+// Default initial rtt used before any samples are received.
+const int kInitialRttMs = 100;
+
 // Packet number of first sending packet of a connection. Please note, this
 // cannot be used as first received packet because peer can choose its starting
 // packet number.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager_test.cc
index ccddadd1cc8..216ba741132 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager_test.cc
@@ -11,6 +11,7 @@
 
 using testing::_;
 using testing::InSequence;
+using testing::Invoke;
 using testing::Return;
 using testing::StrictMock;
 
@@ -31,10 +32,6 @@ const QuicStreamId kTestStopSendingCode = 321;
 
 class QuicControlFrameManagerTest : public QuicTest {
  public:
-  bool ClearControlFrame(const QuicFrame& frame) {
-    DeleteFrame(&const_cast<QuicFrame&>(frame));
-    return true;
-  }
   bool SaveControlFrame(const QuicFrame& frame) {
     frame_ = frame;
     return true;
@@ -103,8 +100,7 @@ TEST_F(QuicControlFrameManagerTest, OnControlFrameAcked) {
   InSequence s;
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(3)
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_, SendControlFrame(_)).WillOnce(Return(false));
   // Send control frames 1, 2, 3.
   manager_->OnCanWrite();
@@ -139,8 +135,7 @@ TEST_F(QuicControlFrameManagerTest, OnControlFrameAcked) {
 
   // Send control frames 4, 5.
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   manager_->OnCanWrite();
   manager_->WritePing();
   EXPECT_FALSE(manager_->WillingToWrite());
@@ -151,8 +146,7 @@ TEST_F(QuicControlFrameManagerTest, OnControlFrameLost) {
   InSequence s;
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(3)
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_, SendControlFrame(_)).WillOnce(Return(false));
   // Send control frames 1, 2, 3.
   manager_->OnCanWrite();
@@ -169,8 +163,7 @@ TEST_F(QuicControlFrameManagerTest, OnControlFrameLost) {
   // Retransmit control frames 1, 3.
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(2)
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   manager_->OnCanWrite();
   EXPECT_FALSE(manager_->HasPendingRetransmission());
   EXPECT_TRUE(manager_->WillingToWrite());
@@ -178,8 +171,7 @@ TEST_F(QuicControlFrameManagerTest, OnControlFrameLost) {
   // Send control frames 4, 5, and 6.
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(number_of_frames_ - 2u)
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   manager_->OnCanWrite();
   manager_->WritePing();
   EXPECT_FALSE(manager_->WillingToWrite());
@@ -191,8 +183,7 @@ TEST_F(QuicControlFrameManagerTest, RetransmitControlFrame) {
   // Send control frames 1, 2, 3, 4.
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(number_of_frames_)
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   manager_->OnCanWrite();
 
   // Ack control frame 2.
@@ -203,7 +194,7 @@ TEST_F(QuicControlFrameManagerTest, RetransmitControlFrame) {
 
   // Retransmit control frame 3.
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   EXPECT_TRUE(manager_->RetransmitControlFrame(QuicFrame(&window_update_)));
 
   // Retransmit control frame 4, and connection is write blocked.
@@ -215,7 +206,7 @@ TEST_F(QuicControlFrameManagerTest, DonotSendPingWithBufferedFrames) {
   Initialize();
   InSequence s;
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_, SendControlFrame(_)).WillOnce(Return(false));
   // Send control frame 1.
   manager_->OnCanWrite();
@@ -227,8 +218,7 @@ TEST_F(QuicControlFrameManagerTest, DonotSendPingWithBufferedFrames) {
   // Verify only the buffered frames are sent.
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(number_of_frames_ - 1)
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   manager_->OnCanWrite();
   EXPECT_FALSE(manager_->HasPendingRetransmission());
   EXPECT_FALSE(manager_->WillingToWrite());
@@ -247,8 +237,7 @@ TEST_F(QuicControlFrameManagerTest, DonotRetransmitOldWindowUpdates) {
   InSequence s;
   // Flush all buffered control frames.
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   manager_->OnCanWrite();
 
   // Mark all 3 window updates as lost.
@@ -280,8 +269,7 @@ TEST_F(QuicControlFrameManagerTest, RetransmitWindowUpdateOfDifferentStreams) {
   InSequence s;
   // Flush all buffered control frames.
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   manager_->OnCanWrite();
 
   // Mark all 3 window updates as lost.
@@ -294,8 +282,7 @@ TEST_F(QuicControlFrameManagerTest, RetransmitWindowUpdateOfDifferentStreams) {
   // Verify all 3 window updates get retransmitted.
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(3)
-      .WillRepeatedly(
-          Invoke(this, &QuicControlFrameManagerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   manager_->OnCanWrite();
   EXPECT_FALSE(manager_->HasPendingRetransmission());
   EXPECT_FALSE(manager_->WillingToWrite());
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker_test.cc
index 92cfab1f3e0..db6b1816385 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker_test.cc
@@ -4,9 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.h"
 
-#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config.pb.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
+#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
@@ -19,9 +17,9 @@ class TestProofHandler : public QuicCryptoClientStream::ProofHandler {
  public:
   ~TestProofHandler() override {}
   void OnProofValid(
-      const QuicCryptoClientConfig::CachedState& cached) override {}
+      const QuicCryptoClientConfig::CachedState& /*cached*/) override {}
   void OnProofVerifyDetailsAvailable(
-      const ProofVerifyDetails& verify_details) override {}
+      const ProofVerifyDetails& /*verify_details*/) override {}
 };
 
 class InsecureProofVerifier : public ProofVerifier {
@@ -31,30 +29,30 @@ class InsecureProofVerifier : public ProofVerifier {
 
   // ProofVerifier override.
   QuicAsyncStatus VerifyProof(
-      const std::string& hostname,
-      const uint16_t port,
-      const std::string& server_config,
-      QuicTransportVersion transport_version,
-      QuicStringPiece chlo_hash,
-      const std::vector<std::string>& certs,
-      const std::string& cert_sct,
-      const std::string& signature,
-      const ProofVerifyContext* context,
-      std::string* error_details,
-      std::unique_ptr<ProofVerifyDetails>* verify_details,
-      std::unique_ptr<ProofVerifierCallback> callback) override {
+      const std::string& /*hostname*/,
+      const uint16_t /*port*/,
+      const std::string& /*server_config*/,
+      QuicTransportVersion /*transport_version*/,
+      QuicStringPiece /*chlo_hash*/,
+      const std::vector<std::string>& /*certs*/,
+      const std::string& /*cert_sct*/,
+      const std::string& /*signature*/,
+      const ProofVerifyContext* /*context*/,
+      std::string* /*error_details*/,
+      std::unique_ptr<ProofVerifyDetails>* /*verify_details*/,
+      std::unique_ptr<ProofVerifierCallback> /*callback*/) override {
     return QUIC_SUCCESS;
   }
 
   QuicAsyncStatus VerifyCertChain(
-      const std::string& hostname,
-      const std::vector<std::string>& certs,
-      const std::string& ocsp_response,
-      const std::string& cert_sct,
-      const ProofVerifyContext* context,
-      std::string* error_details,
-      std::unique_ptr<ProofVerifyDetails>* details,
-      std::unique_ptr<ProofVerifierCallback> callback) override {
+      const std::string& /*hostname*/,
+      const std::vector<std::string>& /*certs*/,
+      const std::string& /*ocsp_response*/,
+      const std::string& /*cert_sct*/,
+      const ProofVerifyContext* /*context*/,
+      std::string* /*error_details*/,
+      std::unique_ptr<ProofVerifyDetails>* /*details*/,
+      std::unique_ptr<ProofVerifierCallback> /*callback*/) override {
     return QUIC_SUCCESS;
   }
 
@@ -71,21 +69,21 @@ class DummyProofSource : public ProofSource {
   // ProofSource override.
   void GetProof(const QuicSocketAddress& server_address,
                 const std::string& hostname,
-                const std::string& server_config,
-                QuicTransportVersion transport_version,
-                QuicStringPiece chlo_hash,
+                const std::string& /*server_config*/,
+                QuicTransportVersion /*transport_version*/,
+                QuicStringPiece /*chlo_hash*/,
                 std::unique_ptr<Callback> callback) override {
     QuicReferenceCountedPointer<ProofSource::Chain> chain =
         GetCertChain(server_address, hostname);
     QuicCryptoProof proof;
     proof.signature = "Dummy signature";
     proof.leaf_cert_scts = "Dummy timestamp";
-    callback->Run(true, chain, proof, nullptr /* details */);
+    callback->Run(true, chain, proof, /*details=*/nullptr);
   }
 
   QuicReferenceCountedPointer<Chain> GetCertChain(
-      const QuicSocketAddress& server_address,
-      const std::string& hostname) override {
+      const QuicSocketAddress& /*server_address*/,
+      const std::string& /*hostname*/) override {
     std::vector<std::string> certs;
     certs.push_back("Dummy cert");
     return QuicReferenceCountedPointer<ProofSource::Chain>(
@@ -93,10 +91,10 @@ class DummyProofSource : public ProofSource {
   }
 
   void ComputeTlsSignature(
-      const QuicSocketAddress& server_address,
-      const std::string& hostname,
-      uint16_t signature_algorithm,
-      QuicStringPiece in,
+      const QuicSocketAddress& /*server_address*/,
+      const std::string& /*hostname*/,
+      uint16_t /*signature_algorit*/,
+      QuicStringPiece /*in*/,
       std::unique_ptr<SignatureCallback> callback) override {
     callback->Run(true, "Dummy signature");
   }
@@ -133,8 +131,7 @@ class QuicCryptoClientHandshakerTest : public Test {
                                                  &alarm_factory_,
                                                  Perspective::IS_CLIENT)),
         session_(connection_, false),
-        crypto_client_config_(QuicMakeUnique<InsecureProofVerifier>(),
-                              quic::TlsClientHandshaker::CreateSslCtx()),
+        crypto_client_config_(QuicMakeUnique<InsecureProofVerifier>()),
         client_stream_(new QuicCryptoClientStream(server_id_,
                                                   &session_,
                                                   nullptr,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream_test.cc
index e09546d93ca..12fc9a26014 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream_test.cc
@@ -13,8 +13,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_server_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
@@ -39,8 +37,7 @@ class QuicCryptoClientStreamTest : public QuicTest {
   QuicCryptoClientStreamTest()
       : supported_versions_(AllSupportedVersions()),
         server_id_(kServerHostname, kServerPort, false),
-        crypto_config_(crypto_test_utils::ProofVerifierForTesting(),
-                       TlsClientHandshaker::CreateSslCtx()) {
+        crypto_config_(crypto_test_utils::ProofVerifierForTesting()) {
     CreateConnection();
   }
 
@@ -258,8 +255,7 @@ TEST_F(QuicCryptoClientStreamTest, ServerConfigUpdateWithCert) {
   // Build a server config update message with certificates
   QuicCryptoServerConfig crypto_config(
       QuicCryptoServerConfig::TESTING, QuicRandom::GetInstance(),
-      crypto_test_utils::ProofSourceForTesting(), KeyExchangeSource::Default(),
-      TlsServerHandshaker::CreateSslCtx());
+      crypto_test_utils::ProofSourceForTesting(), KeyExchangeSource::Default());
   crypto_test_utils::SetupCryptoServerConfigForTest(
       connection_->clock(), QuicRandom::GetInstance(), &crypto_config);
   SourceAddressTokens tokens;
@@ -319,6 +315,7 @@ TEST_F(QuicCryptoClientStreamTest, ServerConfigUpdateBeforeHandshake) {
 }
 
 TEST_F(QuicCryptoClientStreamTest, PreferredVersion) {
+  SetQuicReloadableFlag(quic_fix_get_packet_header_size, true);
   // This mimics the case where client receives version negotiation packet, such
   // that, the preferred version is different from the packets' version.
   connection_ = new PacketSavingConnection(
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.cc
index f345a147208..26134d7185b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.cc
@@ -156,7 +156,7 @@ void QuicCryptoServerHandshaker::
         const std::string& error_details,
         std::unique_ptr<CryptoHandshakeMessage> reply,
         std::unique_ptr<DiversificationNonce> diversification_nonce,
-        std::unique_ptr<ProofSource::Details> proof_source_details) {
+        std::unique_ptr<ProofSource::Details> /*proof_source_details*/) {
   // Clear the callback that got us here.
   DCHECK(process_client_hello_cb_ != nullptr);
   DCHECK(validate_client_hello_cb_ == nullptr);
@@ -376,7 +376,7 @@ CryptoMessageParser* QuicCryptoServerHandshaker::crypto_message_parser() {
 void QuicCryptoServerHandshaker::ProcessClientHello(
     QuicReferenceCountedPointer<ValidateClientHelloResultCallback::Result>
         result,
-    std::unique_ptr<ProofSource::Details> proof_source_details,
+    std::unique_ptr<ProofSource::Details> /*proof_source_details*/,
     std::unique_ptr<ProcessClientHelloResultCallback> done_cb) {
   const CryptoHandshakeMessage& message = result->client_hello;
   std::string error_details;
@@ -405,13 +405,10 @@ void QuicCryptoServerHandshaker::ProcessClientHello(
   previous_source_address_tokens_ = result->info.source_address_tokens;
 
   QuicConnection* connection = session()->connection();
-  const QuicConnectionId server_designated_connection_id =
-      GenerateConnectionIdForReject(/*use_stateless_rejects=*/false);
   crypto_config_->ProcessClientHello(
       result, /*reject_only=*/false, connection->connection_id(),
       connection->self_address(), GetClientAddress(), connection->version(),
-      session()->supported_versions(), /*use_stateless_rejects=*/false,
-      server_designated_connection_id, connection->clock(),
+      session()->supported_versions(), connection->clock(),
       connection->random_generator(), compressed_certs_cache_,
       crypto_negotiated_params_, signed_config_,
       QuicCryptoStream::CryptoMessageFramingOverhead(
@@ -420,7 +417,7 @@ void QuicCryptoServerHandshaker::ProcessClientHello(
 }
 
 void QuicCryptoServerHandshaker::OverrideQuicConfigDefaults(
-    QuicConfig* config) {}
+    QuicConfig* /*config*/) {}
 
 QuicCryptoServerHandshaker::ValidateCallback::ValidateCallback(
     QuicCryptoServerHandshaker* parent)
@@ -439,15 +436,6 @@ void QuicCryptoServerHandshaker::ValidateCallback::Run(
   }
 }
 
-QuicConnectionId QuicCryptoServerHandshaker::GenerateConnectionIdForReject(
-    bool use_stateless_rejects) {
-  if (!use_stateless_rejects) {
-    return EmptyQuicConnectionId();
-  }
-  return helper_->GenerateConnectionIdForReject(
-      transport_version(), session()->connection()->connection_id());
-}
-
 const QuicSocketAddress QuicCryptoServerHandshaker::GetClientAddress() {
   return session()->connection()->peer_address();
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h
index 99207122b90..f6644083768 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h
@@ -7,8 +7,8 @@
 
 #include <string>
 
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
-#include "net/third_party/quiche/src/quic/core/proto/source_address_token.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
+#include "net/third_party/quiche/src/quic/core/proto/source_address_token_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_handshaker.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
@@ -152,10 +152,6 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerHandshaker
   void FinishSendServerConfigUpdate(bool ok,
                                     const CryptoHandshakeMessage& message);
 
-  // Returns a new ConnectionId to be used for statelessly rejected connections
-  // if |use_stateless_rejects| is true. Returns 0 otherwise.
-  QuicConnectionId GenerateConnectionIdForReject(bool use_stateless_rejects);
-
   // Returns the QuicTransportVersion of the connection.
   QuicTransportVersion transport_version() const {
     return session_->connection()->transport_version();
@@ -208,9 +204,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerHandshaker
   // Contains any source address tokens which were present in the CHLO.
   SourceAddressTokens previous_source_address_tokens_;
 
-  // True if client attempts 0-rtt handshake (which can succeed or fail). If
-  // stateless rejects are used, this variable will be false for the stateless
-  // rejected connection and true for subsequent connections.
+  // True if client attempts 0-rtt handshake (which can succeed or fail).
   bool zero_rtt_attempted_;
 
   // Size of the packet containing the most recently received CHLO.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.cc
index a6486d88014..09344cde675 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.cc
@@ -11,7 +11,7 @@
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_utils.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_config.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h
index 71ce29700ff..c5e0abc0fb4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h
@@ -126,7 +126,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerStream
     virtual ~Helper() {}
 
     // Given the current connection_id, generates a new ConnectionId to
-    // be returned with a stateless reject.
+    // be returned with a reject.
     virtual QuicConnectionId GenerateConnectionIdForReject(
         QuicTransportVersion version,
         QuicConnectionId connection_id) const = 0;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream_test.cc
index 5105a27b53c..238162c96ef 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream_test.cc
@@ -21,8 +21,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
@@ -60,13 +58,11 @@ class QuicCryptoServerStreamTest : public QuicTestWithParam<bool> {
       : server_crypto_config_(QuicCryptoServerConfig::TESTING,
                               QuicRandom::GetInstance(),
                               std::move(proof_source),
-                              KeyExchangeSource::Default(),
-                              TlsServerHandshaker::CreateSslCtx()),
+                              KeyExchangeSource::Default()),
         server_compressed_certs_cache_(
             QuicCompressedCertsCache::kQuicCompressedCertsCacheSize),
         server_id_(kServerHostname, kServerPort, false),
-        client_crypto_config_(crypto_test_utils::ProofVerifierForTesting(),
-                              TlsClientHandshaker::CreateSslCtx()) {}
+        client_crypto_config_(crypto_test_utils::ProofVerifierForTesting()) {}
 
   void Initialize() { InitializeServer(); }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.cc
index f394b3d5110..395b4906b25 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.cc
@@ -51,14 +51,24 @@ QuicByteCount QuicCryptoStream::CryptoMessageFramingOverhead(
     QuicTransportVersion version,
     QuicConnectionId connection_id) {
   DCHECK(QuicUtils::IsConnectionIdValidForVersion(connection_id, version));
+  QuicVariableLengthIntegerLength retry_token_length_length =
+      VARIABLE_LENGTH_INTEGER_LENGTH_1;
+  QuicVariableLengthIntegerLength length_length =
+      VARIABLE_LENGTH_INTEGER_LENGTH_2;
+  if (!QuicVersionHasLongHeaderLengths(version) &&
+      GetQuicReloadableFlag(quic_fix_get_packet_header_size)) {
+    retry_token_length_length = VARIABLE_LENGTH_INTEGER_LENGTH_0;
+    length_length = VARIABLE_LENGTH_INTEGER_LENGTH_0;
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_fix_get_packet_header_size, 2, 3);
+  }
   return QuicPacketCreator::StreamFramePacketOverhead(
       version, static_cast<QuicConnectionIdLength>(connection_id.length()),
       PACKET_0BYTE_CONNECTION_ID,
       /*include_version=*/true,
       /*include_diversification_nonce=*/true,
-      version > QUIC_VERSION_43 ? PACKET_4BYTE_PACKET_NUMBER
-                                : PACKET_1BYTE_PACKET_NUMBER,
-      VARIABLE_LENGTH_INTEGER_LENGTH_1, VARIABLE_LENGTH_INTEGER_LENGTH_2,
+      VersionHasIetfInvariantHeader(version) ? PACKET_4BYTE_PACKET_NUMBER
+                                             : PACKET_1BYTE_PACKET_NUMBER,
+      retry_token_length_length, length_length,
       /*offset=*/0);
 }
 
@@ -171,10 +181,10 @@ void QuicCryptoStream::WriteCryptoData(EncryptionLevel level,
 }
 
 void QuicCryptoStream::OnSuccessfulVersionNegotiation(
-    const ParsedQuicVersion& version) {}
+    const ParsedQuicVersion& /*version*/) {}
 
 bool QuicCryptoStream::OnCryptoFrameAcked(const QuicCryptoFrame& frame,
-                                          QuicTime::Delta ack_delay_time) {
+                                          QuicTime::Delta /*ack_delay_time*/) {
   QuicByteCount newly_acked_length = 0;
   if (!substreams_[frame.level].send_buffer.OnStreamDataAcked(
           frame.offset, frame.data_length, &newly_acked_length)) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream_test.cc
index f5ab4130b11..dd4450eab57 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream_test.cc
@@ -484,8 +484,7 @@ TEST_F(QuicCryptoStreamTest, HasUnackedCryptoData) {
   EXPECT_FALSE(stream_->IsWaitingForAcks());
   // Although there is no outstanding data, verify session has pending crypto
   // data.
-  EXPECT_EQ(GetQuicReloadableFlag(quic_fix_has_pending_crypto_data),
-            session_.HasUnackedCryptoData());
+  EXPECT_TRUE(session_.HasUnackedCryptoData());
 
   EXPECT_CALL(
       session_,
@@ -513,6 +512,23 @@ TEST_F(QuicCryptoStreamTest, HasUnackedCryptoDataWithCryptoFrames) {
   EXPECT_TRUE(session_.HasUnackedCryptoData());
 }
 
+// Regression test for bugfix of GetPacketHeaderSize.
+TEST_F(QuicCryptoStreamTest, CryptoMessageFramingOverhead) {
+  SetQuicReloadableFlag(quic_fix_get_packet_header_size, true);
+  for (auto version : AllSupportedTransportVersions()) {
+    SCOPED_TRACE(version);
+    QuicByteCount expected_overhead = 48;
+    if (VersionHasIetfInvariantHeader(version)) {
+      expected_overhead = 52;
+    }
+    if (QuicVersionHasLongHeaderLengths(version)) {
+      expected_overhead = 55;
+    }
+    EXPECT_EQ(expected_overhead, QuicCryptoStream::CryptoMessageFramingOverhead(
+                                     version, TestConnectionId()));
+  }
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.cc b/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.cc
index ef094830a09..e2871d760ba 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.cc
@@ -146,13 +146,37 @@ bool QuicDataReader::ReadConnectionId(QuicConnectionId* connection_id,
     return true;
   }
 
-  const bool ok = ReadBytes(connection_id->mutable_data(), length);
-  if (ok) {
-    connection_id->set_length(length);
+  if (!GetQuicRestartFlag(quic_use_allocated_connection_ids)) {
+    const bool ok = ReadBytes(connection_id->mutable_data(), length);
+    if (ok) {
+      connection_id->set_length(length);
+    }
+    return ok;
   }
+  QUIC_RESTART_FLAG_COUNT_N(quic_use_allocated_connection_ids, 6, 6);
+
+  if (BytesRemaining() < length) {
+    return false;
+  }
+
+  connection_id->set_length(length);
+  const bool ok = ReadBytes(connection_id->mutable_data(), length);
+  DCHECK(ok);
   return ok;
 }
 
+bool QuicDataReader::ReadLengthPrefixedConnectionId(
+    QuicConnectionId* connection_id) {
+  uint8_t connection_id_length;
+  if (!ReadUInt8(&connection_id_length)) {
+    return false;
+  }
+  if (connection_id_length > kQuicMaxConnectionIdLength) {
+    return false;
+  }
+  return ReadConnectionId(connection_id, connection_id_length);
+}
+
 bool QuicDataReader::ReadTag(uint32_t* tag) {
   return ReadBytes(tag, sizeof(*tag));
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.h b/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.h
index a03b92751a5..72e2d132258 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.h
@@ -83,6 +83,11 @@ class QUIC_EXPORT_PRIVATE QuicDataReader {
   // Returns true on success, false otherwise.
   bool ReadConnectionId(QuicConnectionId* connection_id, uint8_t length);
 
+  // Reads 8-bit connection ID length followed by connection ID of that length.
+  // Forwards the internal iterator on success.
+  // Returns true on success, false otherwise.
+  bool ReadLengthPrefixedConnectionId(QuicConnectionId* connection_id);
+
   // Reads tag represented as 32-bit unsigned integer into given output
   // parameter. Tags are in big endian on the wire (e.g., CHLO is
   // 'C','H','L','O') and are read in byte order, so tags in memory are in big
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.cc
index 42f1e4e2092..e01eb6c4d24 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.cc
@@ -181,6 +181,11 @@ bool QuicDataWriter::WriteConnectionId(QuicConnectionId connection_id) {
   return WriteBytes(connection_id.data(), connection_id.length());
 }
 
+bool QuicDataWriter::WriteLengthPrefixedConnectionId(
+    QuicConnectionId connection_id) {
+  return WriteUInt8(connection_id.length()) && WriteConnectionId(connection_id);
+}
+
 bool QuicDataWriter::WriteTag(uint32_t tag) {
   return WriteBytes(&tag, sizeof(tag));
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.h b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.h
index d2d2b6bf3df..c43d0ffc743 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.h
@@ -108,6 +108,9 @@ class QUIC_EXPORT_PRIVATE QuicDataWriter {
   // Write connection ID to the payload.
   bool WriteConnectionId(QuicConnectionId connection_id);
 
+  // Write 8-bit length followed by connection ID to the payload.
+  bool WriteLengthPrefixedConnectionId(QuicConnectionId connection_id);
+
   // Write tag as a 32-bit unsigned integer to the payload. As tags are already
   // converted to big endian (e.g., CHLO is 'C','H','L','O') in memory by TAG or
   // MakeQuicTag and tags are written in byte order, so tags on the wire are
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer_test.cc
index 07f0313f9ef..727c8133301 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer_test.cc
@@ -5,6 +5,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
 
 #include <cstdint>
+#include <cstring>
 
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_data_reader.h"
@@ -26,6 +27,12 @@ char* AsChars(unsigned char* data) {
 struct TestParams {
   explicit TestParams(Endianness endianness) : endianness(endianness) {}
 
+  friend std::ostream& operator<<(std::ostream& os, const TestParams& p) {
+    os << "{ " << (p.endianness == NETWORK_BYTE_ORDER ? "network" : "host")
+       << " byte order }";
+    return os;
+  }
+
   Endianness endianness;
 };
 
@@ -270,6 +277,48 @@ TEST_P(QuicDataWriterTest, WriteConnectionId) {
   EXPECT_EQ(connection_id, read_connection_id);
 }
 
+TEST_P(QuicDataWriterTest, LengthPrefixedConnectionId) {
+  QuicConnectionId connection_id =
+      TestConnectionId(UINT64_C(0x0011223344556677));
+  char length_prefixed_connection_id[] = {
+      0x08, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+  };
+  EXPECT_EQ(QUIC_ARRAYSIZE(length_prefixed_connection_id),
+            kConnectionIdLengthSize + connection_id.length());
+  char buffer[kConnectionIdLengthSize + kQuicMaxConnectionIdLength] = {};
+  QuicDataWriter writer(QUIC_ARRAYSIZE(buffer), buffer);
+  EXPECT_TRUE(writer.WriteLengthPrefixedConnectionId(connection_id));
+  test::CompareCharArraysWithHexError(
+      "WriteLengthPrefixedConnectionId", buffer, writer.length(),
+      length_prefixed_connection_id,
+      QUIC_ARRAYSIZE(length_prefixed_connection_id));
+
+  // Verify that writing length then connection ID produces the same output.
+  memset(buffer, 0, QUIC_ARRAYSIZE(buffer));
+  QuicDataWriter writer2(QUIC_ARRAYSIZE(buffer), buffer);
+  EXPECT_TRUE(writer2.WriteUInt8(connection_id.length()));
+  EXPECT_TRUE(writer2.WriteConnectionId(connection_id));
+  test::CompareCharArraysWithHexError(
+      "Write length then ConnectionId", buffer, writer2.length(),
+      length_prefixed_connection_id,
+      QUIC_ARRAYSIZE(length_prefixed_connection_id));
+
+  QuicConnectionId read_connection_id;
+  QuicDataReader reader(buffer, QUIC_ARRAYSIZE(buffer));
+  EXPECT_TRUE(reader.ReadLengthPrefixedConnectionId(&read_connection_id));
+  EXPECT_EQ(connection_id, read_connection_id);
+
+  // Verify that reading length then connection ID produces the same output.
+  uint8_t read_connection_id_length2 = 33;
+  QuicConnectionId read_connection_id2;
+  QuicDataReader reader2(buffer, QUIC_ARRAYSIZE(buffer));
+  ASSERT_TRUE(reader2.ReadUInt8(&read_connection_id_length2));
+  EXPECT_EQ(connection_id.length(), read_connection_id_length2);
+  EXPECT_TRUE(reader2.ReadConnectionId(&read_connection_id2,
+                                       read_connection_id_length2));
+  EXPECT_EQ(connection_id, read_connection_id2);
+}
+
 TEST_P(QuicDataWriterTest, EmptyConnectionIds) {
   QuicConnectionId empty_connection_id = EmptyQuicConnectionId();
   char buffer[2];
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_default_packet_writer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_default_packet_writer.cc
index a9147c07442..d0929582471 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_default_packet_writer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_default_packet_writer.cc
@@ -39,7 +39,7 @@ void QuicDefaultPacketWriter::SetWritable() {
 }
 
 QuicByteCount QuicDefaultPacketWriter::GetMaxPacketSize(
-    const QuicSocketAddress& peer_address) const {
+    const QuicSocketAddress& /*peer_address*/) const {
   return kMaxOutgoingPacketSize;
 }
 
@@ -52,8 +52,8 @@ bool QuicDefaultPacketWriter::IsBatchMode() const {
 }
 
 char* QuicDefaultPacketWriter::GetNextWriteLocation(
-    const QuicIpAddress& self_address,
-    const QuicSocketAddress& peer_address) {
+    const QuicIpAddress& /*self_address*/,
+    const QuicSocketAddress& /*peer_address*/) {
   return nullptr;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.cc b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.cc
index 5bf072d7e09..c6ee81634c7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.cc
@@ -14,6 +14,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
+#include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
@@ -71,18 +72,11 @@ class PacketCollector : public QuicPacketCreator::DelegateInterface,
     return nullptr;
   }
 
-  void OnUnrecoverableError(QuicErrorCode error,
-                            const std::string& error_details) override {}
-
-  void SaveStatelessRejectFrameData(QuicStringPiece reject) {
-    struct iovec iovec;
-    iovec.iov_base = const_cast<char*>(reject.data());
-    iovec.iov_len = reject.length();
-    send_buffer_.SaveStreamData(&iovec, 1, 0, iovec.iov_len);
-  }
+  void OnUnrecoverableError(QuicErrorCode /*error*/,
+                            const std::string& /*error_details*/) override {}
 
   // QuicStreamFrameDataProducer
-  WriteStreamDataResult WriteStreamData(QuicStreamId id,
+  WriteStreamDataResult WriteStreamData(QuicStreamId /*id*/,
                                         QuicStreamOffset offset,
                                         QuicByteCount data_length,
                                         QuicDataWriter* writer) override {
@@ -91,7 +85,7 @@ class PacketCollector : public QuicPacketCreator::DelegateInterface,
     }
     return WRITE_FAILED;
   }
-  bool WriteCryptoData(EncryptionLevel level,
+  bool WriteCryptoData(EncryptionLevel /*level*/,
                        QuicStreamOffset offset,
                        QuicByteCount data_length,
                        QuicDataWriter* writer) override {
@@ -141,7 +135,7 @@ class StatelessConnectionTerminator {
                        bool ietf_quic) {
     QuicConnectionCloseFrame* frame =
         new QuicConnectionCloseFrame(error_code, error_details);
-    if (framer_.transport_version() == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(framer_.transport_version())) {
       frame->close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
     }
 
@@ -158,49 +152,6 @@ class StatelessConnectionTerminator {
         quic::ENCRYPTION_INITIAL, collector_.packets());
   }
 
-  // Generates a series of termination packets containing the crypto handshake
-  // message |reject|.  Adds the connection to time wait list with the
-  // generated packets.
-  void RejectConnection(QuicStringPiece reject, bool ietf_quic) {
-    QuicStreamOffset offset = 0;
-    collector_.SaveStatelessRejectFrameData(reject);
-    while (offset < reject.length()) {
-      QuicFrame frame;
-      if (!QuicVersionUsesCryptoFrames(framer_.transport_version())) {
-        if (!creator_.ConsumeData(
-                QuicUtils::GetCryptoStreamId(framer_.transport_version()),
-                reject.length() - offset, offset,
-                /*fin=*/false,
-                /*needs_full_padding=*/true, NOT_RETRANSMISSION, &frame)) {
-          QUIC_BUG << "Unable to consume data into an empty packet.";
-          return;
-        }
-        offset += frame.stream_frame.data_length;
-      } else {
-        if (!creator_.ConsumeCryptoData(
-                ENCRYPTION_INITIAL, reject.length() - offset, offset,
-                /*needs_full_padding=*/true, NOT_RETRANSMISSION, &frame)) {
-          QUIC_BUG << "Unable to consume crypto data into an empty packet.";
-          return;
-        }
-        offset += frame.crypto_frame->data_length;
-      }
-      if (offset < reject.length() &&
-          !QuicVersionUsesCryptoFrames(framer_.transport_version())) {
-        DCHECK(!creator_.HasRoomForStreamFrame(
-            QuicUtils::GetCryptoStreamId(framer_.transport_version()), offset,
-            frame.stream_frame.data_length));
-      }
-      creator_.Flush();
-    }
-    time_wait_list_manager_->AddConnectionIdToTimeWait(
-        server_connection_id_, ietf_quic,
-        QuicTimeWaitListManager::SEND_TERMINATION_PACKETS, ENCRYPTION_INITIAL,
-        collector_.packets());
-    DCHECK(time_wait_list_manager_->IsConnectionIdInTimeWait(
-        server_connection_id_));
-  }
-
  private:
   QuicConnectionId server_connection_id_;
   QuicFramer framer_;
@@ -213,8 +164,8 @@ class StatelessConnectionTerminator {
 // Class which extracts the ALPN from a CHLO packet.
 class ChloAlpnExtractor : public ChloExtractor::Delegate {
  public:
-  void OnChlo(QuicTransportVersion version,
-              QuicConnectionId server_connection_id,
+  void OnChlo(QuicTransportVersion /*version*/,
+              QuicConnectionId /*server_connection_id*/,
               const CryptoHandshakeMessage& chlo) override {
     QuicStringPiece alpn_value;
     if (chlo.GetStringPiece(kALPN, &alpn_value)) {
@@ -248,25 +199,14 @@ QuicDispatcher::QuicDispatcher(
       delete_sessions_alarm_(
           alarm_factory_->CreateAlarm(new DeleteSessionsAlarm(this))),
       buffered_packets_(this, helper_->GetClock(), alarm_factory_.get()),
-      current_packet_(nullptr),
       version_manager_(version_manager),
-      framer_(GetSupportedVersions(),
-              /*unused*/ QuicTime::Zero(),
-              Perspective::IS_SERVER,
-              expected_server_connection_id_length),
       last_error_(QUIC_NO_ERROR),
       new_sessions_allowed_per_event_loop_(0u),
       accept_new_connections_(true),
       allow_short_initial_server_connection_ids_(false),
-      last_version_label_(0),
       expected_server_connection_id_length_(
           expected_server_connection_id_length),
-      should_update_expected_server_connection_id_length_(false),
-      no_framer_(GetQuicRestartFlag(quic_no_framer_object_in_dispatcher)) {
-  if (!no_framer_) {
-    framer_.set_visitor(this);
-  }
-}
+      should_update_expected_server_connection_id_length_(false) {}
 
 QuicDispatcher::~QuicDispatcher() {
   session_map_.clear();
@@ -286,28 +226,12 @@ void QuicDispatcher::ProcessPacket(const QuicSocketAddress& self_address,
                 << " bytes:" << std::endl
                 << QuicTextUtils::HexDump(
                        QuicStringPiece(packet.data(), packet.length()));
-  current_self_address_ = self_address;
-  current_peer_address_ = peer_address;
-  // GetClientAddress must be called after current_peer_address_ is set.
-  current_client_address_ = GetClientAddress();
-  current_packet_ = &packet;
-  if (!no_framer_) {
-    // ProcessPacket will cause the packet to be dispatched in
-    // OnUnauthenticatedPublicHeader, or sent to the time wait list manager
-    // in OnUnauthenticatedHeader.
-    framer_.ProcessPacket(packet);
-    // TODO(rjshade): Return a status describing if/why a packet was dropped,
-    //                and log somehow.  Maybe expose as a varz.
-    return;
-  }
-  QUIC_RESTART_FLAG_COUNT(quic_no_framer_object_in_dispatcher);
-  QuicPacketHeader header;
-  uint8_t destination_connection_id_length;
+  ReceivedPacketInfo packet_info(self_address, peer_address, packet);
   std::string detailed_error;
   const QuicErrorCode error = QuicFramer::ProcessPacketDispatcher(
-      packet, expected_server_connection_id_length_, &header.form,
-      &header.version_flag, &last_version_label_,
-      &destination_connection_id_length, &header.destination_connection_id,
+      packet, expected_server_connection_id_length_, &packet_info.form,
+      &packet_info.version_flag, &packet_info.version_label,
+      &packet_info.destination_connection_id, &packet_info.source_connection_id,
       &detailed_error);
   if (error != QUIC_NO_ERROR) {
     // Packet has framing error.
@@ -315,38 +239,32 @@ void QuicDispatcher::ProcessPacket(const QuicSocketAddress& self_address,
     QUIC_DLOG(ERROR) << detailed_error;
     return;
   }
-  header.version = ParseQuicVersionLabel(last_version_label_);
-  if (destination_connection_id_length !=
+  packet_info.version = ParseQuicVersionLabel(packet_info.version_label);
+  if (packet_info.destination_connection_id.length() !=
           expected_server_connection_id_length_ &&
       !should_update_expected_server_connection_id_length_ &&
       !QuicUtils::VariableLengthConnectionIdAllowedForVersion(
-          header.version.transport_version)) {
+          packet_info.version.transport_version)) {
     SetLastError(QUIC_INVALID_PACKET_HEADER);
     QUIC_DLOG(ERROR) << "Invalid Connection Id Length";
     return;
   }
   if (should_update_expected_server_connection_id_length_) {
-    expected_server_connection_id_length_ = destination_connection_id_length;
+    expected_server_connection_id_length_ =
+        packet_info.destination_connection_id.length();
   }
-  // TODO(fayang): Instead of passing in QuicPacketHeader, pass format,
-  // version_flag, version and destination_connection_id. Combine
-  // OnUnauthenticatedPublicHeader and OnUnauthenticatedHeader to a single
-  // function when deprecating quic_no_framer_object_in_dispatcher.
-  if (!OnUnauthenticatedPublicHeader(header)) {
+
+  if (MaybeDispatchPacket(packet_info)) {
+    // Packet has been dropped or successfully dispatched, stop processing.
     return;
   }
-  OnUnauthenticatedHeader(header);
-  // TODO(wub): Consider invalidate the current_* variables so processing of
-  //            the next packet does not use them incorrectly.
+  ProcessHeader(&packet_info);
 }
 
 QuicConnectionId QuicDispatcher::MaybeReplaceServerConnectionId(
     QuicConnectionId server_connection_id,
     ParsedQuicVersion version) {
-  const uint8_t expected_server_connection_id_length =
-      no_framer_ ? expected_server_connection_id_length_
-                 : framer_.GetExpectedServerConnectionIdLength();
-  if (server_connection_id.length() == expected_server_connection_id_length) {
+  if (server_connection_id.length() == expected_server_connection_id_length_) {
     return server_connection_id;
   }
   DCHECK(QuicUtils::VariableLengthConnectionIdAllowedForVersion(
@@ -358,7 +276,10 @@ QuicConnectionId QuicDispatcher::MaybeReplaceServerConnectionId(
   QuicConnectionId new_connection_id =
       session_helper_->GenerateConnectionIdForReject(version.transport_version,
                                                      server_connection_id);
-  DCHECK_EQ(expected_server_connection_id_length, new_connection_id.length());
+  DCHECK_EQ(expected_server_connection_id_length_, new_connection_id.length());
+  // TODO(dschinazi) Prevent connection_id_map_ from growing indefinitely
+  // before we ship a version that supports variable length connection IDs
+  // to production.
   connection_id_map_.insert(
       std::make_pair(server_connection_id, new_connection_id));
   QUIC_DLOG(INFO) << "Replacing incoming connection ID " << server_connection_id
@@ -366,45 +287,53 @@ QuicConnectionId QuicDispatcher::MaybeReplaceServerConnectionId(
   return new_connection_id;
 }
 
-bool QuicDispatcher::OnUnauthenticatedPublicHeader(
-    const QuicPacketHeader& header) {
-  current_server_connection_id_ = header.destination_connection_id;
-
+bool QuicDispatcher::MaybeDispatchPacket(
+    const ReceivedPacketInfo& packet_info) {
   // Port zero is only allowed for unidirectional UDP, so is disallowed by QUIC.
   // Given that we can't even send a reply rejecting the packet, just drop the
   // packet.
-  if (current_peer_address_.port() == 0) {
-    return false;
+  if (packet_info.peer_address.port() == 0) {
+    return true;
   }
 
-  // The dispatcher requires the connection ID to be present in order to
-  // look up the matching QuicConnection, so we error out if it is absent.
-  if (header.destination_connection_id_included != CONNECTION_ID_PRESENT) {
-    return false;
-  }
-  QuicConnectionId server_connection_id = header.destination_connection_id;
+  QuicConnectionId server_connection_id = packet_info.destination_connection_id;
 
   // The IETF spec requires the client to generate an initial server
   // connection ID that is at least 64 bits long. After that initial
   // connection ID, the dispatcher picks a new one of its expected length.
   // Therefore we should never receive a connection ID that is smaller
   // than 64 bits and smaller than what we expect.
-  const uint8_t expected_server_connection_id_length =
-      no_framer_ ? expected_server_connection_id_length_
-                 : framer_.GetExpectedServerConnectionIdLength();
   if (server_connection_id.length() < kQuicMinimumInitialConnectionIdLength &&
-      server_connection_id.length() < expected_server_connection_id_length &&
+      server_connection_id.length() < expected_server_connection_id_length_ &&
       !allow_short_initial_server_connection_ids_) {
-    DCHECK(header.version_flag);
+    DCHECK(packet_info.version_flag);
     DCHECK(QuicUtils::VariableLengthConnectionIdAllowedForVersion(
-        header.version.transport_version));
+        packet_info.version.transport_version));
     QUIC_DLOG(INFO) << "Packet with short destination connection ID "
                     << server_connection_id << " expected "
-                    << static_cast<int>(expected_server_connection_id_length);
-    ProcessUnauthenticatedHeaderFate(kFateTimeWait, server_connection_id,
-                                     header.form, header.version_flag,
-                                     header.version);
-    return false;
+                    << static_cast<int>(expected_server_connection_id_length_);
+    if (!GetQuicReloadableFlag(quic_drop_invalid_small_initial_connection_id)) {
+      // Add this connection_id to the time-wait state, to safely reject
+      // future packets.
+      QUIC_DLOG(INFO) << "Adding connection ID " << server_connection_id
+                      << " to time-wait list.";
+      StatelesslyTerminateConnection(
+          server_connection_id, packet_info.form, packet_info.version_flag,
+          packet_info.version, QUIC_HANDSHAKE_FAILED, "Reject connection",
+          quic::QuicTimeWaitListManager::SEND_STATELESS_RESET);
+
+      DCHECK(time_wait_list_manager_->IsConnectionIdInTimeWait(
+          server_connection_id));
+      time_wait_list_manager_->ProcessPacket(
+          packet_info.self_address, packet_info.peer_address,
+          server_connection_id, packet_info.form, GetPerPacketContext());
+
+      buffered_packets_.DiscardPackets(server_connection_id);
+    } else {
+      QUIC_RELOADABLE_FLAG_COUNT(quic_drop_invalid_small_initial_connection_id);
+      // Drop the packet silently.
+    }
+    return true;
   }
 
   // Packets with connection IDs for active connections are processed
@@ -412,119 +341,111 @@ bool QuicDispatcher::OnUnauthenticatedPublicHeader(
   auto it = session_map_.find(server_connection_id);
   if (it != session_map_.end()) {
     DCHECK(!buffered_packets_.HasBufferedPackets(server_connection_id));
-    it->second->ProcessUdpPacket(current_self_address_, current_peer_address_,
-                                 *current_packet_);
-    return false;
+    it->second->ProcessUdpPacket(packet_info.self_address,
+                                 packet_info.peer_address, packet_info.packet);
+    return true;
+  } else {
+    // We did not find the connection ID, check if we've replaced it.
+    QuicConnectionId replaced_connection_id = MaybeReplaceServerConnectionId(
+        server_connection_id, packet_info.version);
+    if (replaced_connection_id != server_connection_id) {
+      // Search for the replacement.
+      auto it2 = session_map_.find(replaced_connection_id);
+      if (it2 != session_map_.end()) {
+        DCHECK(!buffered_packets_.HasBufferedPackets(replaced_connection_id));
+        it2->second->ProcessUdpPacket(packet_info.self_address,
+                                      packet_info.peer_address,
+                                      packet_info.packet);
+        return true;
+      }
+    }
   }
 
   if (buffered_packets_.HasChloForConnection(server_connection_id)) {
-    BufferEarlyPacket(server_connection_id, header.form != GOOGLE_QUIC_PACKET,
-                      header.version);
-    return false;
-  }
-
-  // Check if we are buffering packets for this connection ID
-  if (temporarily_buffered_connections_.find(server_connection_id) !=
-      temporarily_buffered_connections_.end()) {
-    // This packet was received while the a CHLO for the same connection ID was
-    // being processed.  Buffer it.
-    BufferEarlyPacket(server_connection_id, header.form != GOOGLE_QUIC_PACKET,
-                      header.version);
-    return false;
-  }
-
-  if (!OnUnauthenticatedUnknownPublicHeader(header)) {
-    return false;
+    BufferEarlyPacket(packet_info);
+    return true;
   }
 
-  // If the packet is a public reset for a connection ID that is not active,
-  // there is nothing we must do or can do.
-  if (header.reset_flag) {
-    return false;
+  if (OnFailedToDispatchPacket(packet_info)) {
+    return true;
   }
 
   if (time_wait_list_manager_->IsConnectionIdInTimeWait(server_connection_id)) {
     // This connection ID is already in time-wait state.
     time_wait_list_manager_->ProcessPacket(
-        current_self_address_, current_peer_address_,
-        header.destination_connection_id, header.form, GetPerPacketContext());
-    return false;
+        packet_info.self_address, packet_info.peer_address,
+        packet_info.destination_connection_id, packet_info.form,
+        GetPerPacketContext());
+    return true;
   }
 
   // The packet has an unknown connection ID.
 
   // Unless the packet provides a version, assume that we can continue
   // processing using our preferred version.
-  ParsedQuicVersion version = GetSupportedVersions().front();
-  if (header.version_flag) {
-    ParsedQuicVersion packet_version = header.version;
-    if (!no_framer_ && framer_.supported_versions() != GetSupportedVersions()) {
-      // Reset framer's version if version flags change in flight.
-      framer_.SetSupportedVersions(GetSupportedVersions());
-    }
-    if (!IsSupportedVersion(packet_version)) {
-      if (ShouldCreateSessionForUnknownVersion(
-              no_framer_ ? last_version_label_
-                         : framer_.last_version_label())) {
-        return true;
+  if (packet_info.version_flag) {
+    if (!IsSupportedVersion(packet_info.version)) {
+      if (ShouldCreateSessionForUnknownVersion(packet_info.version_label)) {
+        return false;
       }
       if (!crypto_config()->validate_chlo_size() ||
-          current_packet_->length() >= kMinPacketSizeForVersionNegotiation) {
+          packet_info.packet.length() >= kMinPacketSizeForVersionNegotiation) {
         // Since the version is not supported, send a version negotiation
         // packet and stop processing the current packet.
+        QuicConnectionId client_connection_id =
+            packet_info.source_connection_id;
         time_wait_list_manager()->SendVersionNegotiationPacket(
-            server_connection_id, EmptyQuicConnectionId(),
-            header.form != GOOGLE_QUIC_PACKET, GetSupportedVersions(),
-            current_self_address_, current_peer_address_,
+            server_connection_id, client_connection_id,
+            packet_info.form != GOOGLE_QUIC_PACKET, GetSupportedVersions(),
+            packet_info.self_address, packet_info.peer_address,
             GetPerPacketContext());
       }
-      return false;
+      return true;
     }
-    version = packet_version;
-  }
-  if (!no_framer_) {
-    // Set the framer's version and continue processing.
-    framer_.set_version(version);
-  }
-
-  if (version.HasHeaderProtection()) {
-    ProcessHeader(header);
-    return false;
   }
-  return true;
-}
 
-bool QuicDispatcher::OnUnauthenticatedHeader(const QuicPacketHeader& header) {
-  ProcessHeader(header);
   return false;
 }
 
-void QuicDispatcher::ProcessHeader(const QuicPacketHeader& header) {
-  QuicConnectionId server_connection_id = header.destination_connection_id;
+void QuicDispatcher::ProcessHeader(ReceivedPacketInfo* packet_info) {
+  QuicConnectionId server_connection_id =
+      packet_info->destination_connection_id;
   // Packet's connection ID is unknown.  Apply the validity checks.
-  QuicPacketFate fate = ValidityChecks(header);
-  if (fate == kFateProcess) {
-    ProcessOrBufferPacket(server_connection_id, header.form,
-                          header.version_flag, header.version);
-  } else {
-    // If the fate is already known, process it without executing stateless
-    // rejection logic.
-    ProcessUnauthenticatedHeaderFate(fate, server_connection_id, header.form,
-                                     header.version_flag, header.version);
-  }
-}
-
-void QuicDispatcher::ProcessUnauthenticatedHeaderFate(
-    QuicPacketFate fate,
-    QuicConnectionId server_connection_id,
-    PacketHeaderFormat form,
-    bool version_flag,
-    ParsedQuicVersion version) {
+  // TODO(wub): Determine the fate completely in ValidityChecks, then call
+  // ProcessUnauthenticatedHeaderFate in one place.
+  QuicPacketFate fate = ValidityChecks(*packet_info);
+  ChloAlpnExtractor alpn_extractor;
   switch (fate) {
     case kFateProcess: {
-      ProcessChlo(form, version);
-      break;
-    }
+      if (packet_info->version.handshake_protocol == PROTOCOL_TLS1_3) {
+        // TODO(nharper): Support buffering non-ClientHello packets when using
+        // TLS.
+        ProcessChlo(/*alpn=*/"", packet_info);
+        break;
+      }
+      ParsedQuicVersionVector chlo_extractor_versions;
+      if (!GetQuicRestartFlag(
+              quic_dispatcher_hands_chlo_extractor_one_version)) {
+        chlo_extractor_versions = GetSupportedVersions();
+      } else {
+        QUIC_RESTART_FLAG_COUNT(
+            quic_dispatcher_hands_chlo_extractor_one_version);
+        chlo_extractor_versions = {packet_info->version};
+        // TODO(dschinazi) once we deprecate
+        // quic_dispatcher_hands_chlo_extractor_one_version, we should change
+        // ChloExtractor::Extract to only take one version.
+      }
+      if (GetQuicFlag(FLAGS_quic_allow_chlo_buffering) &&
+          !ChloExtractor::Extract(packet_info->packet, chlo_extractor_versions,
+                                  config_->create_session_tag_indicators(),
+                                  &alpn_extractor,
+                                  server_connection_id.length())) {
+        // Buffer non-CHLO packets.
+        BufferEarlyPacket(*packet_info);
+        break;
+      }
+      ProcessChlo(alpn_extractor.ConsumeAlpn(), packet_info);
+    } break;
     case kFateTimeWait:
       // Add this connection_id to the time-wait state, to safely reject
       // future packets.
@@ -532,112 +453,62 @@ void QuicDispatcher::ProcessUnauthenticatedHeaderFate(
                       << " to time-wait list.";
       QUIC_CODE_COUNT(quic_reject_fate_time_wait);
       StatelesslyTerminateConnection(
-          server_connection_id, form, version_flag, version,
-          QUIC_HANDSHAKE_FAILED, "Reject connection",
+          server_connection_id, packet_info->form, packet_info->version_flag,
+          packet_info->version, QUIC_HANDSHAKE_FAILED, "Reject connection",
           quic::QuicTimeWaitListManager::SEND_STATELESS_RESET);
 
       DCHECK(time_wait_list_manager_->IsConnectionIdInTimeWait(
           server_connection_id));
       time_wait_list_manager_->ProcessPacket(
-          current_self_address_, current_peer_address_, server_connection_id,
-          form, GetPerPacketContext());
+          packet_info->self_address, packet_info->peer_address,
+          server_connection_id, packet_info->form, GetPerPacketContext());
 
-      // Any packets which were buffered while the stateless rejector logic was
-      // running should be discarded.  Do not inform the time wait list manager,
-      // which should already have a made a decision about sending a reject
-      // based on the CHLO alone.
       buffered_packets_.DiscardPackets(server_connection_id);
       break;
-    case kFateBuffer:
-      // This packet is a non-CHLO packet which has arrived before the
-      // corresponding CHLO, *or* this packet was received while the
-      // corresponding CHLO was being processed.  Buffer it.
-      BufferEarlyPacket(server_connection_id, form != GOOGLE_QUIC_PACKET,
-                        version);
-      break;
     case kFateDrop:
-      // Do nothing with the packet.
       break;
   }
 }
 
 QuicDispatcher::QuicPacketFate QuicDispatcher::ValidityChecks(
-    const QuicPacketHeader& header) {
+    const ReceivedPacketInfo& packet_info) {
   // To have all the checks work properly without tears, insert any new check
   // into the framework of this method in the section for checks that return the
   // check's fate value.  The sections for checks must be ordered with the
   // highest priority fate first.
 
-  // Checks that return kFateDrop.
-
-  // Checks that return kFateTimeWait.
-
   // All packets within a connection sent by a client before receiving a
   // response from the server are required to have the version negotiation flag
   // set.  Since this may be a client continuing a connection we lost track of
   // via server restart, send a rejection to fast-fail the connection.
-  if (!header.version_flag) {
+  if (!packet_info.version_flag) {
     QUIC_DLOG(INFO)
         << "Packet without version arrived for unknown connection ID "
-        << header.destination_connection_id;
+        << packet_info.destination_connection_id;
+    if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
+      QUIC_RELOADABLE_FLAG_COUNT(quic_reject_unprocessable_packets_statelessly);
+      MaybeResetPacketsWithNoVersion(packet_info);
+      return kFateDrop;
+    }
     return kFateTimeWait;
   }
 
-  if (no_framer_) {
-    // Let the connection parse and validate packet number.
-    return kFateProcess;
-  }
-
-  // initial packet number of 0 is always invalid.
-  if (!framer_.version().HasHeaderProtection()) {
-    if (!header.packet_number.IsInitialized()) {
-      return kFateTimeWait;
-    }
-    if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-      QUIC_RESTART_FLAG_COUNT_N(quic_enable_accept_random_ipn, 1, 2);
-      // Accepting Initial Packet Numbers in 1...((2^31)-1) range... check
-      // maximum accordingly.
-      if (header.packet_number > MaxRandomInitialPacketNumber()) {
-        return kFateTimeWait;
-      }
-    } else {
-      // Count those that would have been accepted if FLAGS..random_ipn
-      // were true -- to detect/diagnose potential issues prior to
-      // enabling the flag.
-      if ((header.packet_number >
-           QuicPacketNumber(kMaxReasonableInitialPacketNumber)) &&
-          (header.packet_number <= MaxRandomInitialPacketNumber())) {
-        QUIC_CODE_COUNT_N(had_possibly_random_ipn, 1, 2);
-      }
-      // Check that the sequence number is within the range that the client is
-      // expected to send before receiving a response from the server.
-      if (header.packet_number >
-          QuicPacketNumber(kMaxReasonableInitialPacketNumber)) {
-        return kFateTimeWait;
-      }
-    }
-  }
+  // Let the connection parse and validate packet number.
   return kFateProcess;
 }
 
 void QuicDispatcher::CleanUpSession(SessionMap::iterator it,
                                     QuicConnection* connection,
-                                    bool should_close_statelessly,
-                                    ConnectionCloseSource source) {
+                                    ConnectionCloseSource /*source*/) {
   write_blocked_list_.erase(connection);
-  if (should_close_statelessly) {
-    DCHECK(connection->termination_packets() != nullptr &&
-           !connection->termination_packets()->empty());
-  }
   QuicTimeWaitListManager::TimeWaitAction action =
       QuicTimeWaitListManager::SEND_STATELESS_RESET;
   if (connection->termination_packets() != nullptr &&
       !connection->termination_packets()->empty()) {
     action = QuicTimeWaitListManager::SEND_TERMINATION_PACKETS;
-  } else if (connection->transport_version() > QUIC_VERSION_43 ||
-             GetQuicReloadableFlag(quic_terminate_gquic_connection_as_ietf)) {
+  } else {
     if (!connection->IsHandshakeConfirmed()) {
-      if (connection->transport_version() <= QUIC_VERSION_43) {
+      if (!VersionHasIetfInvariantHeader(connection->transport_version())) {
         QUIC_CODE_COUNT(gquic_add_to_time_wait_list_with_handshake_failed);
       } else {
         QUIC_CODE_COUNT(quic_v44_add_to_time_wait_list_with_handshake_failed);
@@ -647,7 +518,7 @@ void QuicDispatcher::CleanUpSession(SessionMap::iterator it,
       // QUIC_HANDSHAKE_FAILED and adds the connection to the time wait list.
       StatelesslyTerminateConnection(
           connection->connection_id(),
-          connection->transport_version() > QUIC_VERSION_43
+          VersionHasIetfInvariantHeader(connection->transport_version())
               ? IETF_QUIC_LONG_HEADER_PACKET
               : GOOGLE_QUIC_PACKET,
           /*version_flag=*/true, connection->version(), QUIC_HANDSHAKE_FAILED,
@@ -662,8 +533,9 @@ void QuicDispatcher::CleanUpSession(SessionMap::iterator it,
     QUIC_CODE_COUNT(quic_v44_add_to_time_wait_list_with_stateless_reset);
   }
   time_wait_list_manager_->AddConnectionIdToTimeWait(
-      it->first, connection->transport_version() > QUIC_VERSION_43, action,
-      connection->encryption_level(), connection->termination_packets());
+      it->first, VersionHasIetfInvariantHeader(connection->transport_version()),
+      action, connection->encryption_level(),
+      connection->termination_packets());
   session_map_.erase(it);
 }
 
@@ -760,9 +632,7 @@ void QuicDispatcher::OnConnectionClosed(QuicConnectionId server_connection_id,
     }
     closed_session_list_.push_back(std::move(it->second));
   }
-  const bool should_close_statelessly =
-      (error == QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT);
-  CleanUpSession(it, connection, should_close_statelessly, source);
+  CleanUpSession(it, connection, source);
 }
 
 void QuicDispatcher::OnWriteBlocked(
@@ -780,9 +650,10 @@ void QuicDispatcher::OnWriteBlocked(
   write_blocked_list_.insert(std::make_pair(blocked_writer, true));
 }
 
-void QuicDispatcher::OnRstStreamReceived(const QuicRstStreamFrame& frame) {}
+void QuicDispatcher::OnRstStreamReceived(const QuicRstStreamFrame& /*frame*/) {}
 
-void QuicDispatcher::OnStopSendingReceived(const QuicStopSendingFrame& frame) {}
+void QuicDispatcher::OnStopSendingReceived(
+    const QuicStopSendingFrame& /*frame*/) {}
 
 void QuicDispatcher::OnConnectionAddedToTimeWaitList(
     QuicConnectionId server_connection_id) {
@@ -798,9 +669,7 @@ void QuicDispatcher::StatelesslyTerminateConnection(
     QuicErrorCode error_code,
     const std::string& error_details,
     QuicTimeWaitListManager::TimeWaitAction action) {
-  if (format != IETF_QUIC_LONG_HEADER_PACKET &&
-      (!GetQuicReloadableFlag(quic_terminate_gquic_connection_as_ietf) ||
-       !version_flag)) {
+  if (format != IETF_QUIC_LONG_HEADER_PACKET && !version_flag) {
     QUIC_DVLOG(1) << "Statelessly terminating " << server_connection_id
                   << " based on a non-ietf-long packet, action:" << action
                   << ", error_code:" << error_code
@@ -823,10 +692,6 @@ void QuicDispatcher::StatelesslyTerminateConnection(
                                              helper_.get(),
                                              time_wait_list_manager_.get());
     // This also adds the connection to time wait list.
-    if (format == GOOGLE_QUIC_PACKET) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_terminate_gquic_connection_as_ietf, 1,
-                                   2);
-    }
     terminator.CloseConnection(error_code, error_details,
                                format != GOOGLE_QUIC_PACKET);
     return;
@@ -843,211 +708,18 @@ void QuicDispatcher::StatelesslyTerminateConnection(
   termination_packets.push_back(QuicFramer::BuildVersionNegotiationPacket(
       server_connection_id, EmptyQuicConnectionId(),
       /*ietf_quic=*/format != GOOGLE_QUIC_PACKET,
-      ParsedQuicVersionVector{UnsupportedQuicVersion()}));
-  if (format == GOOGLE_QUIC_PACKET) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_terminate_gquic_connection_as_ietf, 2, 2);
-  }
+      /*versions=*/{}));
   time_wait_list_manager()->AddConnectionIdToTimeWait(
       server_connection_id, /*ietf_quic=*/format != GOOGLE_QUIC_PACKET,
       QuicTimeWaitListManager::SEND_TERMINATION_PACKETS, ENCRYPTION_INITIAL,
       &termination_packets);
 }
 
-void QuicDispatcher::OnPacket() {}
-
-void QuicDispatcher::OnError(QuicFramer* framer) {
-  QuicErrorCode error = framer->error();
-  SetLastError(error);
-  QUIC_DLOG(INFO) << QuicErrorCodeToString(error);
-}
-
 bool QuicDispatcher::ShouldCreateSessionForUnknownVersion(
     QuicVersionLabel /*version_label*/) {
   return false;
 }
 
-bool QuicDispatcher::OnProtocolVersionMismatch(
-    ParsedQuicVersion /*received_version*/,
-    PacketHeaderFormat /*form*/) {
-  DCHECK(!no_framer_);
-  QUIC_BUG_IF(
-      !time_wait_list_manager_->IsConnectionIdInTimeWait(
-          current_server_connection_id_) &&
-      !ShouldCreateSessionForUnknownVersion(framer_.last_version_label()))
-      << "Unexpected version mismatch: "
-      << QuicVersionLabelToString(framer_.last_version_label());
-
-  // Keep processing after protocol mismatch - this will be dealt with by the
-  // time wait list or connection that we will create.
-  return true;
-}
-
-void QuicDispatcher::OnPublicResetPacket(
-    const QuicPublicResetPacket& /*packet*/) {
-  DCHECK(false);
-}
-
-void QuicDispatcher::OnVersionNegotiationPacket(
-    const QuicVersionNegotiationPacket& /*packet*/) {
-  DCHECK(false);
-}
-
-void QuicDispatcher::OnRetryPacket(QuicConnectionId /*original_connection_id*/,
-                                   QuicConnectionId /*new_connection_id*/,
-                                   QuicStringPiece /*retry_token*/) {
-  DCHECK(false);
-}
-
-void QuicDispatcher::OnDecryptedPacket(EncryptionLevel level) {
-  DCHECK(false);
-}
-
-bool QuicDispatcher::OnPacketHeader(const QuicPacketHeader& /*header*/) {
-  DCHECK(false);
-  return false;
-}
-
-void QuicDispatcher::OnCoalescedPacket(const QuicEncryptedPacket& /*packet*/) {
-  DCHECK(false);
-}
-
-bool QuicDispatcher::OnStreamFrame(const QuicStreamFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnCryptoFrame(const QuicCryptoFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnAckFrameStart(QuicPacketNumber /*largest_acked*/,
-                                     QuicTime::Delta /*ack_delay_time*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnAckRange(QuicPacketNumber /*start*/,
-                                QuicPacketNumber /*end*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnAckTimestamp(QuicPacketNumber /*packet_number*/,
-                                    QuicTime /*timestamp*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnAckFrameEnd(QuicPacketNumber /*start*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnStopWaitingFrame(const QuicStopWaitingFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnPaddingFrame(const QuicPaddingFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnPingFrame(const QuicPingFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnRstStreamFrame(const QuicRstStreamFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnConnectionCloseFrame(
-    const QuicConnectionCloseFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) {
-  return true;
-}
-
-bool QuicDispatcher::OnStreamsBlockedFrame(
-    const QuicStreamsBlockedFrame& frame) {
-  return true;
-}
-
-bool QuicDispatcher::OnStopSendingFrame(const QuicStopSendingFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnPathChallengeFrame(
-    const QuicPathChallengeFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnPathResponseFrame(
-    const QuicPathResponseFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnGoAwayFrame(const QuicGoAwayFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnWindowUpdateFrame(
-    const QuicWindowUpdateFrame& /*frame*/) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnBlockedFrame(const QuicBlockedFrame& frame) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnNewConnectionIdFrame(
-    const QuicNewConnectionIdFrame& frame) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnRetireConnectionIdFrame(
-    const QuicRetireConnectionIdFrame& frame) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnNewTokenFrame(const QuicNewTokenFrame& frame) {
-  DCHECK(false);
-  return false;
-}
-
-bool QuicDispatcher::OnMessageFrame(const QuicMessageFrame& frame) {
-  DCHECK(false);
-  return false;
-}
-
-void QuicDispatcher::OnPacketComplete() {
-  DCHECK(false);
-}
-
-bool QuicDispatcher::IsValidStatelessResetToken(QuicUint128 token) const {
-  DCHECK(false);
-  return false;
-}
-
-void QuicDispatcher::OnAuthenticatedIetfStatelessResetPacket(
-    const QuicIetfStatelessResetPacket& packet) {
-  DCHECK(false);
-}
-
 void QuicDispatcher::OnExpiredPackets(
     QuicConnectionId server_connection_id,
     BufferedPacketList early_arrived_packets) {
@@ -1082,8 +754,13 @@ void QuicDispatcher::ProcessBufferedChlos(size_t max_connections_to_create) {
                           packet_list.alpn, packet_list.version);
     if (original_connection_id != server_connection_id) {
       session->connection()->AddIncomingConnectionId(original_connection_id);
+      session->connection()->InstallInitialCrypters(original_connection_id);
     }
     QUIC_DLOG(INFO) << "Created new session for " << server_connection_id;
+
+    DCHECK(session_map_.find(server_connection_id) == session_map_.end())
+        << "Tried to add session map existing entry " << server_connection_id;
+
     session_map_.insert(
         std::make_pair(server_connection_id, QuicWrapUnique(session)));
     DeliverPacketsToSession(packets, session);
@@ -1095,10 +772,9 @@ bool QuicDispatcher::HasChlosBuffered() const {
 }
 
 bool QuicDispatcher::ShouldCreateOrBufferPacketForConnection(
-    QuicConnectionId server_connection_id,
-    bool ietf_quic) {
+    const ReceivedPacketInfo& packet_info) {
   QUIC_VLOG(1) << "Received packet from new connection "
-               << server_connection_id;
+               << packet_info.destination_connection_id;
   return true;
 }
 
@@ -1119,80 +795,90 @@ QuicTimeWaitListManager* QuicDispatcher::CreateQuicTimeWaitListManager() {
                                      alarm_factory_.get());
 }
 
-void QuicDispatcher::BufferEarlyPacket(QuicConnectionId server_connection_id,
-                                       bool ietf_quic,
-                                       ParsedQuicVersion version) {
-  bool is_new_connection =
-      !buffered_packets_.HasBufferedPackets(server_connection_id);
-  if (is_new_connection && !ShouldCreateOrBufferPacketForConnection(
-                               server_connection_id, ietf_quic)) {
+void QuicDispatcher::BufferEarlyPacket(const ReceivedPacketInfo& packet_info) {
+  bool is_new_connection = !buffered_packets_.HasBufferedPackets(
+      packet_info.destination_connection_id);
+  if (is_new_connection &&
+      !ShouldCreateOrBufferPacketForConnection(packet_info)) {
     return;
   }
 
   EnqueuePacketResult rs = buffered_packets_.EnqueuePacket(
-      server_connection_id, ietf_quic, *current_packet_, current_self_address_,
-      current_peer_address_, /*is_chlo=*/false,
-      /*alpn=*/"", version);
+      packet_info.destination_connection_id,
+      packet_info.form != GOOGLE_QUIC_PACKET, packet_info.packet,
+      packet_info.self_address, packet_info.peer_address, /*is_chlo=*/false,
+      /*alpn=*/"", packet_info.version);
   if (rs != EnqueuePacketResult::SUCCESS) {
-    OnBufferPacketFailure(rs, server_connection_id);
+    OnBufferPacketFailure(rs, packet_info.destination_connection_id);
   }
 }
 
-void QuicDispatcher::ProcessChlo(PacketHeaderFormat form,
-                                 ParsedQuicVersion version) {
+void QuicDispatcher::ProcessChlo(const std::string& alpn,
+                                 ReceivedPacketInfo* packet_info) {
   if (!accept_new_connections_) {
     // Don't any create new connection.
     QUIC_CODE_COUNT(quic_reject_stop_accepting_new_connections);
     StatelesslyTerminateConnection(
-        current_server_connection_id(), form, /*version_flag=*/true, version,
-        QUIC_HANDSHAKE_FAILED, "Stop accepting new connections",
+        packet_info->destination_connection_id, packet_info->form,
+        /*version_flag=*/true, packet_info->version, QUIC_HANDSHAKE_FAILED,
+        "Stop accepting new connections",
         quic::QuicTimeWaitListManager::SEND_STATELESS_RESET);
     // Time wait list will reject the packet correspondingly.
     time_wait_list_manager()->ProcessPacket(
-        current_self_address(), current_peer_address(),
-        current_server_connection_id(), form, GetPerPacketContext());
+        packet_info->self_address, packet_info->peer_address,
+        packet_info->destination_connection_id, packet_info->form,
+        GetPerPacketContext());
     return;
   }
-  if (!buffered_packets_.HasBufferedPackets(current_server_connection_id_) &&
-      !ShouldCreateOrBufferPacketForConnection(current_server_connection_id_,
-                                               form != GOOGLE_QUIC_PACKET)) {
+  if (!buffered_packets_.HasBufferedPackets(
+          packet_info->destination_connection_id) &&
+      !ShouldCreateOrBufferPacketForConnection(*packet_info)) {
     return;
   }
-  if (FLAGS_quic_allow_chlo_buffering &&
+  if (GetQuicFlag(FLAGS_quic_allow_chlo_buffering) &&
       new_sessions_allowed_per_event_loop_ <= 0) {
     // Can't create new session any more. Wait till next event loop.
-    QUIC_BUG_IF(
-        buffered_packets_.HasChloForConnection(current_server_connection_id_));
+    QUIC_BUG_IF(buffered_packets_.HasChloForConnection(
+        packet_info->destination_connection_id));
     EnqueuePacketResult rs = buffered_packets_.EnqueuePacket(
-        current_server_connection_id_, form != GOOGLE_QUIC_PACKET,
-        *current_packet_, current_self_address_, current_peer_address_,
-        /*is_chlo=*/true, current_alpn_, version);
+        packet_info->destination_connection_id,
+        packet_info->form != GOOGLE_QUIC_PACKET, packet_info->packet,
+        packet_info->self_address, packet_info->peer_address,
+        /*is_chlo=*/true, alpn, packet_info->version);
     if (rs != EnqueuePacketResult::SUCCESS) {
-      OnBufferPacketFailure(rs, current_server_connection_id_);
+      OnBufferPacketFailure(rs, packet_info->destination_connection_id);
     }
     return;
   }
 
-  QuicConnectionId original_connection_id = current_server_connection_id_;
-  current_server_connection_id_ =
-      MaybeReplaceServerConnectionId(current_server_connection_id_, version);
+  QuicConnectionId original_connection_id =
+      packet_info->destination_connection_id;
+  packet_info->destination_connection_id = MaybeReplaceServerConnectionId(
+      original_connection_id, packet_info->version);
   // Creates a new session and process all buffered packets for this connection.
   QuicSession* session =
-      CreateQuicSession(current_server_connection_id_, current_peer_address_,
-                        current_alpn_, version);
-  if (original_connection_id != current_server_connection_id_) {
+      CreateQuicSession(packet_info->destination_connection_id,
+                        packet_info->peer_address, alpn, packet_info->version);
+  if (original_connection_id != packet_info->destination_connection_id) {
     session->connection()->AddIncomingConnectionId(original_connection_id);
+    session->connection()->InstallInitialCrypters(original_connection_id);
   }
   QUIC_DLOG(INFO) << "Created new session for "
-                  << current_server_connection_id_;
-  session_map_.insert(
-      std::make_pair(current_server_connection_id_, QuicWrapUnique(session)));
+                  << packet_info->destination_connection_id;
+
+  DCHECK(session_map_.find(packet_info->destination_connection_id) ==
+         session_map_.end())
+      << "Tried to add session map existing entry "
+      << packet_info->destination_connection_id;
+
+  session_map_.insert(std::make_pair(packet_info->destination_connection_id,
+                                     QuicWrapUnique(session)));
   std::list<BufferedPacket> packets =
-      buffered_packets_.DeliverPackets(current_server_connection_id_)
+      buffered_packets_.DeliverPackets(packet_info->destination_connection_id)
           .buffered_packets;
   // Process CHLO at first.
-  session->ProcessUdpPacket(current_self_address_, current_peer_address_,
-                            *current_packet_);
+  session->ProcessUdpPacket(packet_info->self_address,
+                            packet_info->peer_address, packet_info->packet);
   // Deliver queued-up packets in the same order as they arrived.
   // Do this even when flag is off because there might be still some packets
   // buffered in the store before flag is turned off.
@@ -1200,10 +886,6 @@ void QuicDispatcher::ProcessChlo(PacketHeaderFormat form,
   --new_sessions_allowed_per_event_loop_;
 }
 
-const QuicSocketAddress QuicDispatcher::GetClientAddress() const {
-  return current_peer_address_;
-}
-
 bool QuicDispatcher::ShouldDestroySessionAsynchronously() {
   return true;
 }
@@ -1212,36 +894,9 @@ void QuicDispatcher::SetLastError(QuicErrorCode error) {
   last_error_ = error;
 }
 
-bool QuicDispatcher::OnUnauthenticatedUnknownPublicHeader(
-    const QuicPacketHeader& header) {
-  return true;
-}
-
-void QuicDispatcher::ProcessOrBufferPacket(
-    QuicConnectionId server_connection_id,
-    PacketHeaderFormat form,
-    bool version_flag,
-    ParsedQuicVersion version) {
-  if (version.handshake_protocol == PROTOCOL_TLS1_3) {
-    ProcessUnauthenticatedHeaderFate(kFateProcess, server_connection_id, form,
-                                     version_flag, version);
-    return;
-    // TODO(nharper): Support buffering non-ClientHello packets when using TLS.
-  }
-
-  ChloAlpnExtractor alpn_extractor;
-  if (FLAGS_quic_allow_chlo_buffering &&
-      !ChloExtractor::Extract(*current_packet_, GetSupportedVersions(),
-                              config_->create_session_tag_indicators(),
-                              &alpn_extractor, server_connection_id.length())) {
-    // Buffer non-CHLO packets.
-    ProcessUnauthenticatedHeaderFate(kFateBuffer, server_connection_id, form,
-                                     version_flag, version);
-    return;
-  }
-  current_alpn_ = alpn_extractor.ConsumeAlpn();
-  ProcessUnauthenticatedHeaderFate(kFateProcess, server_connection_id, form,
-                                   version_flag, version);
+bool QuicDispatcher::OnFailedToDispatchPacket(
+    const ReceivedPacketInfo& /*packet_info*/) {
+  return false;
 }
 
 const QuicTransportVersionVector&
@@ -1262,16 +917,7 @@ void QuicDispatcher::DeliverPacketsToSession(
   }
 }
 
-void QuicDispatcher::DisableFlagValidation() {
-  if (!no_framer_) {
-    framer_.set_validate_flags(false);
-  }
-}
-
 bool QuicDispatcher::IsSupportedVersion(const ParsedQuicVersion version) {
-  if (!no_framer_) {
-    return framer_.IsSupportedVersion(version);
-  }
   for (const ParsedQuicVersion& supported_version :
        version_manager_->GetSupportedVersions()) {
     if (version == supported_version) {
@@ -1281,4 +927,24 @@ bool QuicDispatcher::IsSupportedVersion(const ParsedQuicVersion version) {
   return false;
 }
 
+void QuicDispatcher::MaybeResetPacketsWithNoVersion(
+    const ReceivedPacketInfo& packet_info) {
+  DCHECK(!packet_info.version_flag);
+  const size_t MinValidPacketLength =
+      kPacketHeaderTypeSize + expected_server_connection_id_length_ +
+      PACKET_1BYTE_PACKET_NUMBER + /*payload size=*/1 + /*tag size=*/12;
+  if (packet_info.packet.length() < MinValidPacketLength) {
+    // The packet size is too small.
+    QUIC_CODE_COUNT(drop_too_small_packets);
+    return;
+  }
+  // TODO(fayang): Consider rate limiting reset packets if reset packet size >
+  // packet_length.
+
+  time_wait_list_manager()->SendPublicReset(
+      packet_info.self_address, packet_info.peer_address,
+      packet_info.destination_connection_id,
+      packet_info.form != GOOGLE_QUIC_PACKET, GetPerPacketContext());
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.h b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.h
index 790d4d2b8ad..cfaafa02360 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.h
@@ -36,7 +36,6 @@ class QuicCryptoServerConfig;
 
 class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
                        public ProcessPacketInterface,
-                       public QuicFramerVisitorInterface,
                        public QuicBufferedPacketStore::VisitorInterface {
  public:
   // Ideally we'd have a linked_hash_set: the  boolean is unused.
@@ -129,66 +128,6 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
                 "kMaxReasonableInitialPacketNumber is unreasonably small "
                 "relative to kInitialCongestionWindow.");
 
-  // QuicFramerVisitorInterface implementation. Not expected to be called
-  // outside of this class.
-  // TODO(fayang): Make QuicDispatcher no longer implement
-  // QuicFramerVisitorInterface when deprecating
-  // quic_no_framer_object_in_dispatcher.
-  void OnPacket() override;
-  // Called when the public header has been parsed. Returns false when just the
-  // public header is enough to dispatch the packet; true if the framer needs to
-  // continue parsing the packet.
-  bool OnUnauthenticatedPublicHeader(const QuicPacketHeader& header) override;
-  // Called when the private header has been parsed.
-  bool OnUnauthenticatedHeader(const QuicPacketHeader& header) override;
-  void OnError(QuicFramer* framer) override;
-  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version,
-                                 PacketHeaderFormat form) override;
-
-  // The following methods should never get called because
-  // OnUnauthenticatedPublicHeader() or OnUnauthenticatedHeader() (whichever
-  // was called last), will return false and prevent a subsequent invocation
-  // of these methods. Thus, the payload of the packet is never processed in
-  // the dispatcher.
-  void OnPublicResetPacket(const QuicPublicResetPacket& packet) override;
-  void OnVersionNegotiationPacket(
-      const QuicVersionNegotiationPacket& packet) override;
-  void OnRetryPacket(QuicConnectionId original_connection_id,
-                     QuicConnectionId new_connection_id,
-                     QuicStringPiece retry_token) override;
-  void OnDecryptedPacket(EncryptionLevel level) override;
-  bool OnPacketHeader(const QuicPacketHeader& header) override;
-  void OnCoalescedPacket(const QuicEncryptedPacket& packet) override;
-  bool OnStreamFrame(const QuicStreamFrame& frame) override;
-  bool OnCryptoFrame(const QuicCryptoFrame& frame) override;
-  bool OnAckFrameStart(QuicPacketNumber largest_acked,
-                       QuicTime::Delta ack_delay_time) override;
-  bool OnAckRange(QuicPacketNumber start, QuicPacketNumber end) override;
-  bool OnAckTimestamp(QuicPacketNumber packet_number,
-                      QuicTime timestamp) override;
-  bool OnAckFrameEnd(QuicPacketNumber start) override;
-  bool OnStopWaitingFrame(const QuicStopWaitingFrame& frame) override;
-  bool OnPaddingFrame(const QuicPaddingFrame& frame) override;
-  bool OnPingFrame(const QuicPingFrame& frame) override;
-  bool OnRstStreamFrame(const QuicRstStreamFrame& frame) override;
-  bool OnConnectionCloseFrame(const QuicConnectionCloseFrame& frame) override;
-  bool OnStopSendingFrame(const QuicStopSendingFrame& frame) override;
-  bool OnPathChallengeFrame(const QuicPathChallengeFrame& frame) override;
-  bool OnPathResponseFrame(const QuicPathResponseFrame& frame) override;
-  bool OnGoAwayFrame(const QuicGoAwayFrame& frame) override;
-  bool OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) override;
-  bool OnStreamsBlockedFrame(const QuicStreamsBlockedFrame& frame) override;
-  bool OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) override;
-  bool OnBlockedFrame(const QuicBlockedFrame& frame) override;
-  bool OnNewConnectionIdFrame(const QuicNewConnectionIdFrame& frame) override;
-  bool OnRetireConnectionIdFrame(
-      const QuicRetireConnectionIdFrame& frame) override;
-  bool OnNewTokenFrame(const QuicNewTokenFrame& frame) override;
-  bool OnMessageFrame(const QuicMessageFrame& frame) override;
-  void OnPacketComplete() override;
-  bool IsValidStatelessResetToken(QuicUint128 token) const override;
-  void OnAuthenticatedIetfStatelessResetPacket(
-      const QuicIetfStatelessResetPacket& packet) override;
 
   // QuicBufferedPacketStore::VisitorInterface implementation.
   void OnExpiredPackets(QuicConnectionId server_connection_id,
@@ -207,49 +146,41 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
                                          QuicStringPiece alpn,
                                          const ParsedQuicVersion& version) = 0;
 
+  // Tries to validate and dispatch packet based on available information.
+  // Returns true if packet is dropped or successfully dispatched (e.g.,
+  // processed by existing session, processed by time wait list, etc.),
+  // otherwise, returns false and the packet needs further processing.
+  virtual bool MaybeDispatchPacket(const ReceivedPacketInfo& packet_info);
+
   // Values to be returned by ValidityChecks() to indicate what should be done
-  // with a packet.  Fates with greater values are considered to be higher
-  // priority, in that if one validity check indicates a lower-valued fate and
-  // another validity check indicates a higher-valued fate, the higher-valued
-  // fate should be obeyed.
+  // with a packet. Fates with greater values are considered to be higher
+  // priority. ValidityChecks should return fate based on the priority order
+  // (i.e., returns higher priority fate first)
   enum QuicPacketFate {
     // Process the packet normally, which is usually to establish a connection.
     kFateProcess,
     // Put the connection ID into time-wait state and send a public reset.
     kFateTimeWait,
-    // Buffer the packet.
-    kFateBuffer,
-    // Drop the packet (ignore and give no response).
+    // Drop the packet.
     kFateDrop,
   };
 
-  // This method is called by OnUnauthenticatedHeader on packets not associated
-  // with a known connection ID.  It applies validity checks and returns a
+  // This method is called by ProcessHeader on packets not associated with a
+  // known connection ID.  It applies validity checks and returns a
   // QuicPacketFate to tell what should be done with the packet.
-  virtual QuicPacketFate ValidityChecks(const QuicPacketHeader& header);
+  // TODO(fayang): Merge ValidityChecks into MaybeDispatchPacket.
+  virtual QuicPacketFate ValidityChecks(const ReceivedPacketInfo& packet_info);
 
   // Create and return the time wait list manager for this dispatcher, which
   // will be owned by the dispatcher as time_wait_list_manager_
   virtual QuicTimeWaitListManager* CreateQuicTimeWaitListManager();
 
-  // Called when |server_connection_id| doesn't have an open connection yet,
-  // to buffer |current_packet_| until it can be delivered to the connection.
-  void BufferEarlyPacket(QuicConnectionId server_connection_id,
-                         bool ietf_quic,
-                         ParsedQuicVersion version);
-
-  // Called when |current_packet_| is a CHLO packet. Creates a new connection
-  // and delivers any buffered packets for that connection id.
-  void ProcessChlo(PacketHeaderFormat form, ParsedQuicVersion version);
-
-  // Returns the actual client address of the current packet.
-  // This function should only be called once per packet at the very beginning
-  // of ProcessPacket(), its result is saved to |current_client_address_|, which
-  // is guaranteed to be valid even in the stateless rejector's callback(i.e.
-  // OnStatelessRejectorProcessDone).
-  // By default, this function returns |current_peer_address_|, subclasses have
-  // the option to override this function to return a different address.
-  virtual const QuicSocketAddress GetClientAddress() const;
+  // Buffers packet until it can be delivered to a connection.
+  void BufferEarlyPacket(const ReceivedPacketInfo& packet_info);
+
+  // Called when |packet_info| is a CHLO packet. Creates a new connection and
+  // delivers any buffered packets for that connection id.
+  void ProcessChlo(const std::string& alpn, ReceivedPacketInfo* packet_info);
 
   // Return true if dispatcher wants to destroy session outside of
   // OnConnectionClosed() call stack.
@@ -263,20 +194,6 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
 
   const ParsedQuicVersionVector& GetSupportedVersions();
 
-  QuicConnectionId current_server_connection_id() const {
-    return current_server_connection_id_;
-  }
-  const QuicSocketAddress& current_self_address() const {
-    return current_self_address_;
-  }
-  const QuicSocketAddress& current_peer_address() const {
-    return current_peer_address_;
-  }
-  const QuicSocketAddress& current_client_address() const {
-    return current_client_address_;
-  }
-  const QuicReceivedPacket& current_packet() const { return *current_packet_; }
-
   const QuicConfig& config() const { return *config_; }
 
   const QuicCryptoServerConfig* crypto_config() const { return crypto_config_; }
@@ -302,19 +219,17 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
 
   void SetLastError(QuicErrorCode error);
 
-  // Called when the public header has been parsed and the session has been
-  // looked up, and the session was not found in the active list of sessions.
-  // Returns false if processing should stop after this call.
-  virtual bool OnUnauthenticatedUnknownPublicHeader(
-      const QuicPacketHeader& header);
+  // Called by MaybeDispatchPacket when current packet cannot be dispatched.
+  // Used by subclasses to conduct specific logic to dispatch packet. Returns
+  // true if packet is successfully dispatched.
+  virtual bool OnFailedToDispatchPacket(const ReceivedPacketInfo& packet_info);
 
   // Called when a new connection starts to be handled by this dispatcher.
   // Either this connection is created or its packets is buffered while waiting
   // for CHLO. Returns true if a new connection should be created or its packets
   // should be buffered, false otherwise.
   virtual bool ShouldCreateOrBufferPacketForConnection(
-      QuicConnectionId server_connection_id,
-      bool ietf_quic);
+      const ReceivedPacketInfo& packet_info);
 
   bool HasBufferedPackets(QuicConnectionId server_connection_id);
 
@@ -324,11 +239,9 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
       QuicConnectionId server_connection_id);
 
   // Removes the session from the session map and write blocked list, and adds
-  // the ConnectionId to the time-wait list.  If |session_closed_statelessly| is
-  // true, any future packets for the ConnectionId will be black-holed.
+  // the ConnectionId to the time-wait list.
   virtual void CleanUpSession(SessionMap::iterator it,
                               QuicConnection* connection,
-                              bool session_closed_statelessly,
                               ConnectionCloseSource source);
 
   void StopAcceptingNewConnections();
@@ -346,23 +259,15 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
       const std::string& error_details,
       QuicTimeWaitListManager::TimeWaitAction action);
 
-  // Save/Restore per packet context. Used by async stateless rejector.
+  // Save/Restore per packet context.
   virtual std::unique_ptr<QuicPerPacketContext> GetPerPacketContext() const;
   virtual void RestorePerPacketContext(
       std::unique_ptr<QuicPerPacketContext> /*context*/) {}
 
-  // Skip validating that the public flags are set to legal values.
-  void DisableFlagValidation();
-
   // If true, our framer will change its expected connection ID length
   // to the received destination connection ID length of all IETF long headers.
   void SetShouldUpdateExpectedServerConnectionIdLength(
       bool should_update_expected_server_connection_id_length) {
-    if (!no_framer_) {
-      framer_.SetShouldUpdateExpectedServerConnectionIdLength(
-          should_update_expected_server_connection_id_length);
-      return;
-    }
     should_update_expected_server_connection_id_length_ =
         should_update_expected_server_connection_id_length;
   }
@@ -381,31 +286,15 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
   typedef QuicUnorderedSet<QuicConnectionId, QuicConnectionIdHash>
       QuicConnectionIdSet;
 
-  // Based on an unauthenticated packet header |header|, calls ValidityChecks
-  // and then ProcessUnauthenticatedHeaderFate.
-  void ProcessHeader(const QuicPacketHeader& header);
-
-  // TODO(wub): Move the body to ProcessHeader, then remove this function.
-  // Determine whether the current packet needs to be processed now or buffered
-  // for later processing, then invokes ProcessUnauthenticatedHeaderFate.
-  void ProcessOrBufferPacket(QuicConnectionId server_connection_id,
-                             PacketHeaderFormat form,
-                             bool version_flag,
-                             ParsedQuicVersion version);
+  // TODO(fayang): Consider to rename this function to
+  // ProcessValidatedPacketWithUnknownConnectionId.
+  void ProcessHeader(ReceivedPacketInfo* packet_info);
 
   // Deliver |packets| to |session| for further processing.
   void DeliverPacketsToSession(
       const std::list<QuicBufferedPacketStore::BufferedPacket>& packets,
       QuicSession* session);
 
-  // Perform the appropriate actions on the current packet based on |fate| -
-  // either process, buffer, or drop it.
-  void ProcessUnauthenticatedHeaderFate(QuicPacketFate fate,
-                                        QuicConnectionId server_connection_id,
-                                        PacketHeaderFormat form,
-                                        bool version_flag,
-                                        ParsedQuicVersion version);
-
   // If the connection ID length is different from what the dispatcher expects,
   // replace the connection ID with a random one of the right length,
   // and save it to make sure the mapping is persistent.
@@ -416,6 +305,10 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
   // Returns true if |version| is a supported protocol version.
   bool IsSupportedVersion(const ParsedQuicVersion version);
 
+  // Sends public/stateless reset packets with no version and unknown
+  // connection ID according to the packet's size.
+  void MaybeResetPacketsWithNoVersion(const ReceivedPacketInfo& packet_info);
+
   void set_new_sessions_allowed_per_event_loop(
       int16_t new_sessions_allowed_per_event_loop) {
     new_sessions_allowed_per_event_loop_ = new_sessions_allowed_per_event_loop;
@@ -461,29 +354,11 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
   // them.
   QuicBufferedPacketStore buffered_packets_;
 
-  // Set of connection IDs for which asynchronous CHLO processing is in
-  // progress, making it necessary to buffer any other packets which arrive on
-  // that connection until CHLO processing is complete.
-  QuicConnectionIdSet temporarily_buffered_connections_;
-
-  // Information about the packet currently being handled.
-
-  // Used for stateless rejector to generate and validate source address token.
-  QuicSocketAddress current_client_address_;
-  QuicSocketAddress current_peer_address_;
-  QuicSocketAddress current_self_address_;
-  const QuicReceivedPacket* current_packet_;
-  // If |current_packet_| is a CHLO packet, the extracted alpn.
-  std::string current_alpn_;
-  QuicConnectionId current_server_connection_id_;
-
   // Used to get the supported versions based on flag. Does not own.
   QuicVersionManager* version_manager_;
 
-  QuicFramer framer_;
-
-  // The last error set by SetLastError(), which is called by
-  // framer_visitor_->OnError().
+  // The last error set by SetLastError().
+  // TODO(fayang): consider removing last_error_.
   QuicErrorCode last_error_;
 
   // A backward counter of how many new sessions can be create within current
@@ -498,28 +373,17 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
   // If true they are allowed.
   bool allow_short_initial_server_connection_ids_;
 
-  // The last QUIC version label received. Used when no_framer_ is true.
-  // TODO(fayang): remove this member variable, instead, add an argument to
-  // OnUnauthenticatedPublicHeader when deprecating
-  // quic_no_framer_object_in_dispatcher.
-  QuicVersionLabel last_version_label_;
-
   // IETF short headers contain a destination connection ID but do not
   // encode its length. This variable contains the length we expect to read.
   // This is also used to signal an error when a long header packet with
   // different destination connection ID length is received when
   // should_update_expected_server_connection_id_length_ is false and packet's
-  // version does not allow variable length connection ID. Used when no_framer_
-  // is true.
+  // version does not allow variable length connection ID.
   uint8_t expected_server_connection_id_length_;
 
   // If true, change expected_server_connection_id_length_ to be the received
-  // destination connection ID length of all IETF long headers. Used when
-  // no_framer_ is true.
+  // destination connection ID length of all IETF long headers.
   bool should_update_expected_server_connection_id_length_;
-
-  // Latched value of quic_no_framer_object_in_dispatcher.
-  const bool no_framer_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher_test.cc
index 105bd0028d6..b18bddb983f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher_test.cc
@@ -19,7 +19,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
@@ -73,12 +72,11 @@ class TestQuicSpdyServerSession : public QuicServerSessionBase {
 
   ~TestQuicSpdyServerSession() override { delete connection(); }
 
-  MOCK_METHOD3(OnConnectionClosed,
-               void(QuicErrorCode error,
-                    const std::string& error_details,
+  MOCK_METHOD2(OnConnectionClosed,
+               void(const QuicConnectionCloseFrame& frame,
                     ConnectionCloseSource source));
   MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(QuicStreamId id));
-  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream pending));
+  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream* pending));
   MOCK_METHOD0(CreateOutgoingBidirectionalStream, QuicSpdyStream*());
   MOCK_METHOD0(CreateOutgoingUnidirectionalStream, QuicSpdyStream*());
 
@@ -130,8 +128,8 @@ class TestDispatcher : public QuicDispatcher {
                                       QuicStringPiece alpn,
                                       const quic::ParsedQuicVersion& version));
 
-  MOCK_METHOD2(ShouldCreateOrBufferPacketForConnection,
-               bool(QuicConnectionId connection_id, bool ietf_quic));
+  MOCK_METHOD1(ShouldCreateOrBufferPacketForConnection,
+               bool(const ReceivedPacketInfo& packet_info));
 
   struct TestQuicPerPacketContext : public QuicPerPacketContext {
     std::string custom_packet_context;
@@ -152,9 +150,6 @@ class TestDispatcher : public QuicDispatcher {
 
   std::string custom_packet_context_;
 
-  using QuicDispatcher::current_client_address;
-  using QuicDispatcher::current_peer_address;
-  using QuicDispatcher::current_self_address;
   using QuicDispatcher::SetAllowShortInitialServerConnectionIds;
   using QuicDispatcher::writer;
 };
@@ -191,20 +186,14 @@ class QuicDispatcherTest : public QuicTest {
   QuicDispatcherTest()
       : QuicDispatcherTest(crypto_test_utils::ProofSourceForTesting()) {}
 
-  ParsedQuicVersionVector AllSupportedVersionsIncludingTls() {
-    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
-    return AllSupportedVersions();
-  }
-
   explicit QuicDispatcherTest(std::unique_ptr<ProofSource> proof_source)
       :
 
-        version_manager_(AllSupportedVersionsIncludingTls()),
+        version_manager_(AllSupportedVersions()),
         crypto_config_(QuicCryptoServerConfig::TESTING,
                        QuicRandom::GetInstance(),
                        std::move(proof_source),
-                       KeyExchangeSource::Default(),
-                       TlsServerHandshaker::CreateSslCtx()),
+                       KeyExchangeSource::Default()),
         server_address_(QuicIpAddress::Any4(), 5),
         dispatcher_(
             new NiceMock<TestDispatcher>(&config_,
@@ -214,14 +203,15 @@ class QuicDispatcherTest : public QuicTest {
         time_wait_list_manager_(nullptr),
         session1_(nullptr),
         session2_(nullptr),
-        store_(nullptr) {}
+        store_(nullptr),
+        connection_id_(1) {}
 
   void SetUp() override {
     dispatcher_->InitializeWithWriter(new MockPacketWriter());
     // Set the counter to some value to start with.
     QuicDispatcherPeer::set_new_sessions_allowed_per_event_loop(
         dispatcher_.get(), kMaxNumSessionsToCreate);
-    ON_CALL(*dispatcher_, ShouldCreateOrBufferPacketForConnection(_, _))
+    ON_CALL(*dispatcher_, ShouldCreateOrBufferPacketForConnection(_))
         .WillByDefault(Return(true));
   }
 
@@ -243,64 +233,82 @@ class QuicDispatcherTest : public QuicTest {
   // 6 byte packet number, default path id, and packet number 1,
   // using the first supported version.
   void ProcessPacket(QuicSocketAddress peer_address,
-                     QuicConnectionId connection_id,
+                     QuicConnectionId server_connection_id,
                      bool has_version_flag,
                      const std::string& data) {
-    ProcessPacket(peer_address, connection_id, has_version_flag, data,
+    ProcessPacket(peer_address, server_connection_id, has_version_flag, data,
                   CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER);
   }
 
   // Process a packet with a default path id, and packet number 1,
   // using the first supported version.
   void ProcessPacket(QuicSocketAddress peer_address,
-                     QuicConnectionId connection_id,
+                     QuicConnectionId server_connection_id,
                      bool has_version_flag,
                      const std::string& data,
-                     QuicConnectionIdIncluded connection_id_included,
+                     QuicConnectionIdIncluded server_connection_id_included,
                      QuicPacketNumberLength packet_number_length) {
-    ProcessPacket(peer_address, connection_id, has_version_flag, data,
-                  connection_id_included, packet_number_length, 1);
+    ProcessPacket(peer_address, server_connection_id, has_version_flag, data,
+                  server_connection_id_included, packet_number_length, 1);
   }
 
   // Process a packet using the first supported version.
   void ProcessPacket(QuicSocketAddress peer_address,
-                     QuicConnectionId connection_id,
+                     QuicConnectionId server_connection_id,
                      bool has_version_flag,
                      const std::string& data,
-                     QuicConnectionIdIncluded connection_id_included,
+                     QuicConnectionIdIncluded server_connection_id_included,
                      QuicPacketNumberLength packet_number_length,
                      uint64_t packet_number) {
-    ProcessPacket(peer_address, connection_id, has_version_flag,
+    ProcessPacket(peer_address, server_connection_id, has_version_flag,
                   CurrentSupportedVersions().front(), data,
-                  connection_id_included, packet_number_length, packet_number);
+                  server_connection_id_included, packet_number_length,
+                  packet_number);
   }
 
   // Processes a packet.
   void ProcessPacket(QuicSocketAddress peer_address,
-                     QuicConnectionId connection_id,
+                     QuicConnectionId server_connection_id,
                      bool has_version_flag,
                      ParsedQuicVersion version,
                      const std::string& data,
-                     QuicConnectionIdIncluded connection_id_included,
+                     QuicConnectionIdIncluded server_connection_id_included,
+                     QuicPacketNumberLength packet_number_length,
+                     uint64_t packet_number) {
+    ProcessPacket(peer_address, server_connection_id, EmptyQuicConnectionId(),
+                  has_version_flag, version, data,
+                  server_connection_id_included, CONNECTION_ID_ABSENT,
+                  packet_number_length, packet_number);
+  }
+
+  // Processes a packet.
+  void ProcessPacket(QuicSocketAddress peer_address,
+                     QuicConnectionId server_connection_id,
+                     QuicConnectionId client_connection_id,
+                     bool has_version_flag,
+                     ParsedQuicVersion version,
+                     const std::string& data,
+                     QuicConnectionIdIncluded server_connection_id_included,
+                     QuicConnectionIdIncluded client_connection_id_included,
                      QuicPacketNumberLength packet_number_length,
                      uint64_t packet_number) {
     ParsedQuicVersionVector versions(SupportedVersions(version));
     std::unique_ptr<QuicEncryptedPacket> packet(ConstructEncryptedPacket(
-        connection_id, EmptyQuicConnectionId(), has_version_flag, false,
-        packet_number, data, connection_id_included, CONNECTION_ID_ABSENT,
-        packet_number_length, &versions));
+        server_connection_id, client_connection_id, has_version_flag, false,
+        packet_number, data, server_connection_id_included,
+        client_connection_id_included, packet_number_length, &versions));
     std::unique_ptr<QuicReceivedPacket> received_packet(
         ConstructReceivedPacket(*packet, mock_helper_.GetClock()->Now()));
 
     if (ChloExtractor::Extract(*packet, versions, {}, nullptr,
-                               connection_id.length())) {
+                               server_connection_id.length())) {
       // Add CHLO packet to the beginning to be verified first, because it is
       // also processed first by new session.
-      data_connection_map_[connection_id].push_front(
+      data_connection_map_[server_connection_id].push_front(
           std::string(packet->data(), packet->length()));
     } else {
       // For non-CHLO, always append to last.
-      data_connection_map_[connection_id].push_back(
+      data_connection_map_[server_connection_id].push_back(
           std::string(packet->data(), packet->length()));
     }
     dispatcher_->ProcessPacket(server_address_, peer_address, *received_packet);
@@ -318,7 +326,7 @@ class QuicDispatcherTest : public QuicTest {
       TestDispatcher* dispatcher,
       const QuicConfig& config,
       QuicConnectionId connection_id,
-      const QuicSocketAddress& peer_address,
+      const QuicSocketAddress& /*peer_address*/,
       MockQuicConnectionHelper* helper,
       MockAlarmFactory* alarm_factory,
       const QuicCryptoServerConfig* crypto_config,
@@ -353,10 +361,40 @@ class QuicDispatcherTest : public QuicTest {
     return std::string(client_hello.GetSerialized().AsStringPiece());
   }
 
-  std::string SerializeTlsClientHello() { return ""; }
-
   void MarkSession1Deleted() { session1_ = nullptr; }
 
+  void VerifyVersionSupported(ParsedQuicVersion version) {
+    QuicConnectionId connection_id = TestConnectionId(++connection_id_);
+    QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
+    EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
+                                                QuicStringPiece("hq"), _))
+        .WillOnce(testing::Return(CreateSession(
+            dispatcher_.get(), config_, connection_id, client_address,
+            &mock_helper_, &mock_alarm_factory_, &crypto_config_,
+            QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_)));
+    EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
+                ProcessUdpPacket(_, _, _))
+        .WillOnce(WithArg<2>(
+            Invoke([this, connection_id](const QuicEncryptedPacket& packet) {
+              ValidatePacket(connection_id, packet);
+            })));
+    EXPECT_CALL(*dispatcher_,
+                ShouldCreateOrBufferPacketForConnection(
+                    ReceivedPacketInfoConnectionIdEquals(connection_id)));
+    ProcessPacket(client_address, connection_id, true, version, SerializeCHLO(),
+                  CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER, 1);
+  }
+
+  void VerifyVersionNotSupported(ParsedQuicVersion version) {
+    QuicConnectionId connection_id = TestConnectionId(++connection_id_);
+    QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
+    EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
+                                                QuicStringPiece("hq"), _))
+        .Times(0);
+    ProcessPacket(client_address, connection_id, true, version, SerializeCHLO(),
+                  CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER, 1);
+  }
+
   MockQuicConnectionHelper mock_helper_;
   MockAlarmFactory mock_alarm_factory_;
   QuicConfig config_;
@@ -369,6 +407,7 @@ class QuicDispatcherTest : public QuicTest {
   TestQuicSpdyServerSession* session2_;
   std::map<QuicConnectionId, std::list<std::string>> data_connection_map_;
   QuicBufferedPacketStore* store_;
+  uint64_t connection_id_;
 };
 
 TEST_F(QuicDispatcherTest, TlsClientHelloCreatesSession) {
@@ -393,14 +432,13 @@ TEST_F(QuicDispatcherTest, TlsClientHelloCreatesSession) {
         ValidatePacket(TestConnectionId(1), packet);
       })));
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(TestConnectionId(1), _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(TestConnectionId(1))));
   ProcessPacket(
       client_address, TestConnectionId(1), true,
       ParsedQuicVersion(PROTOCOL_TLS1_3,
                         CurrentSupportedVersions().front().transport_version),
       SerializeCHLO(), CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER, 1);
-  EXPECT_EQ(client_address, dispatcher_->current_peer_address());
-  EXPECT_EQ(server_address_, dispatcher_->current_self_address());
 }
 
 TEST_F(QuicDispatcherTest, ProcessPackets) {
@@ -419,10 +457,9 @@ TEST_F(QuicDispatcherTest, ProcessPackets) {
         ValidatePacket(TestConnectionId(1), packet);
       })));
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(TestConnectionId(1), _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(TestConnectionId(1))));
   ProcessPacket(client_address, TestConnectionId(1), true, SerializeCHLO());
-  EXPECT_EQ(client_address, dispatcher_->current_peer_address());
-  EXPECT_EQ(server_address_, dispatcher_->current_self_address());
 
   EXPECT_CALL(*dispatcher_,
               CreateQuicSession(TestConnectionId(2), client_address,
@@ -437,7 +474,8 @@ TEST_F(QuicDispatcherTest, ProcessPackets) {
         ValidatePacket(TestConnectionId(2), packet);
       })));
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(TestConnectionId(2), _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(TestConnectionId(2))));
   ProcessPacket(client_address, TestConnectionId(2), true, SerializeCHLO());
 
   EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
@@ -469,7 +507,8 @@ TEST_F(QuicDispatcherTest, DispatcherDoesNotRejectPacketNumberZero) {
             ValidatePacket(TestConnectionId(1), packet);
           })));
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(TestConnectionId(1), _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(TestConnectionId(1))));
   ProcessPacket(
       client_address, TestConnectionId(1), true,
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO,
@@ -482,8 +521,6 @@ TEST_F(QuicDispatcherTest, DispatcherDoesNotRejectPacketNumberZero) {
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO,
                         CurrentSupportedVersions().front().transport_version),
       "", CONNECTION_ID_PRESENT, PACKET_1BYTE_PACKET_NUMBER, 256);
-  EXPECT_EQ(client_address, dispatcher_->current_peer_address());
-  EXPECT_EQ(server_address_, dispatcher_->current_self_address());
 }
 
 TEST_F(QuicDispatcherTest, StatelessVersionNegotiation) {
@@ -491,20 +528,39 @@ TEST_F(QuicDispatcherTest, StatelessVersionNegotiation) {
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
 
   EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
-  EXPECT_CALL(*time_wait_list_manager_,
-              SendVersionNegotiationPacket(_, _, _, _, _, _, _))
+  EXPECT_CALL(
+      *time_wait_list_manager_,
+      SendVersionNegotiationPacket(TestConnectionId(1), _, _, _, _, _, _))
       .Times(1);
-  QuicTransportVersion version =
-      static_cast<QuicTransportVersion>(QuicTransportVersionMin() - 1);
-  ParsedQuicVersion parsed_version(PROTOCOL_QUIC_CRYPTO, version);
   // Pad the CHLO message with enough data to make the packet large enough
   // to trigger version negotiation.
   std::string chlo = SerializeCHLO() + std::string(1200, 'a');
   DCHECK_LE(1200u, chlo.length());
-  ProcessPacket(client_address, TestConnectionId(1), true, parsed_version, chlo,
+  ProcessPacket(client_address, TestConnectionId(1), true,
+                QuicVersionReservedForNegotiation(), chlo,
                 CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER, 1);
 }
 
+TEST_F(QuicDispatcherTest, StatelessVersionNegotiationWithClientConnectionId) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  CreateTimeWaitListManager();
+  QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
+
+  EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
+  EXPECT_CALL(*time_wait_list_manager_,
+              SendVersionNegotiationPacket(TestConnectionId(1),
+                                           TestConnectionId(2), _, _, _, _, _))
+      .Times(1);
+  // Pad the CHLO message with enough data to make the packet large enough
+  // to trigger version negotiation.
+  std::string chlo = SerializeCHLO() + std::string(1200, 'a');
+  DCHECK_LE(1200u, chlo.length());
+  ProcessPacket(client_address, TestConnectionId(1), TestConnectionId(2), true,
+                QuicVersionReservedForNegotiation(), chlo,
+                CONNECTION_ID_PRESENT, CONNECTION_ID_PRESENT,
+                PACKET_4BYTE_PACKET_NUMBER, 1);
+}
+
 TEST_F(QuicDispatcherTest, NoVersionNegotiationWithSmallPacket) {
   CreateTimeWaitListManager();
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
@@ -513,18 +569,15 @@ TEST_F(QuicDispatcherTest, NoVersionNegotiationWithSmallPacket) {
   EXPECT_CALL(*time_wait_list_manager_,
               SendVersionNegotiationPacket(_, _, _, _, _, _, _))
       .Times(0);
-  QuicTransportVersion version =
-      static_cast<QuicTransportVersion>(QuicTransportVersionMin() - 1);
-  ParsedQuicVersion parsed_version(PROTOCOL_QUIC_CRYPTO, version);
   std::string chlo = SerializeCHLO() + std::string(1200, 'a');
   // Truncate to 1100 bytes of payload which results in a packet just
   // under 1200 bytes after framing, packet, and encryption overhead.
   DCHECK_LE(1200u, chlo.length());
   std::string truncated_chlo = chlo.substr(0, 1100);
   DCHECK_EQ(1100u, truncated_chlo.length());
-  ProcessPacket(client_address, TestConnectionId(1), true, parsed_version,
-                truncated_chlo, CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  ProcessPacket(client_address, TestConnectionId(1), true,
+                QuicVersionReservedForNegotiation(), truncated_chlo,
+                CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER, 1);
 }
 
 // Disabling CHLO size validation allows the dispatcher to send version
@@ -539,18 +592,15 @@ TEST_F(QuicDispatcherTest, VersionNegotiationWithoutChloSizeValidation) {
   EXPECT_CALL(*time_wait_list_manager_,
               SendVersionNegotiationPacket(_, _, _, _, _, _, _))
       .Times(1);
-  QuicTransportVersion version =
-      static_cast<QuicTransportVersion>(QuicTransportVersionMin() - 1);
-  ParsedQuicVersion parsed_version(PROTOCOL_QUIC_CRYPTO, version);
   std::string chlo = SerializeCHLO() + std::string(1200, 'a');
   // Truncate to 1100 bytes of payload which results in a packet just
   // under 1200 bytes after framing, packet, and encryption overhead.
   DCHECK_LE(1200u, chlo.length());
   std::string truncated_chlo = chlo.substr(0, 1100);
   DCHECK_EQ(1100u, truncated_chlo.length());
-  ProcessPacket(client_address, TestConnectionId(1), true, parsed_version,
-                truncated_chlo, CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  ProcessPacket(client_address, TestConnectionId(1), true,
+                QuicVersionReservedForNegotiation(), truncated_chlo,
+                CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER, 1);
 }
 
 TEST_F(QuicDispatcherTest, Shutdown) {
@@ -569,7 +619,8 @@ TEST_F(QuicDispatcherTest, Shutdown) {
       })));
 
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(TestConnectionId(1), _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(TestConnectionId(1))));
   ProcessPacket(client_address, TestConnectionId(1), true, SerializeCHLO());
 
   EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
@@ -597,7 +648,8 @@ TEST_F(QuicDispatcherTest, TimeWaitListManager) {
       })));
 
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(TestConnectionId(1), _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(TestConnectionId(1))));
   ProcessPacket(client_address, connection_id, true, SerializeCHLO());
 
   // Now close the connection, which should add it to the time wait list.
@@ -627,15 +679,62 @@ TEST_F(QuicDispatcherTest, NoVersionPacketToTimeWaitListManager) {
   // list manager.
   EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, QuicStringPiece("hq"), _))
       .Times(0);
-  EXPECT_CALL(*time_wait_list_manager_,
-              ProcessPacket(_, _, connection_id, _, _))
-      .Times(1);
-  EXPECT_CALL(*time_wait_list_manager_,
-              AddConnectionIdToTimeWait(_, _, _, _, _))
-      .Times(1);
+  if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
+    EXPECT_CALL(*time_wait_list_manager_,
+                ProcessPacket(_, _, connection_id, _, _))
+        .Times(0);
+    EXPECT_CALL(*time_wait_list_manager_,
+                AddConnectionIdToTimeWait(_, _, _, _, _))
+        .Times(0);
+    EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
+        .Times(1);
+  } else {
+    EXPECT_CALL(*time_wait_list_manager_,
+                ProcessPacket(_, _, connection_id, _, _))
+        .Times(1);
+    EXPECT_CALL(*time_wait_list_manager_,
+                AddConnectionIdToTimeWait(_, _, _, _, _))
+        .Times(1);
+  }
   ProcessPacket(client_address, connection_id, false, SerializeCHLO());
 }
 
+TEST_F(QuicDispatcherTest,
+       DonotTimeWaitPacketsWithUnknownConnectionIdAndNoVersion) {
+  QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
+  CreateTimeWaitListManager();
+
+  char short_packet[22] = {0x70, 0xa7, 0x02, 0x6b};
+  QuicReceivedPacket packet(short_packet, 22, QuicTime::Zero());
+  char valid_size_packet[23] = {0x70, 0xa7, 0x02, 0x6c};
+  QuicReceivedPacket packet2(valid_size_packet, 23, QuicTime::Zero());
+  EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
+  if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
+    EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, _, _, _))
+        .Times(0);
+    EXPECT_CALL(*time_wait_list_manager_,
+                AddConnectionIdToTimeWait(_, _, _, _, _))
+        .Times(0);
+  } else {
+    EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, _, _, _))
+        .Times(2);
+    EXPECT_CALL(*time_wait_list_manager_,
+                AddConnectionIdToTimeWait(_, _, _, _, _))
+        .Times(2);
+  }
+  if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
+    // Verify small packet is silently dropped.
+    EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
+        .Times(0);
+  }
+  dispatcher_->ProcessPacket(server_address_, client_address, packet);
+  if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
+    EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
+        .Times(1);
+  }
+  dispatcher_->ProcessPacket(server_address_, client_address, packet2);
+}
+
 // Makes sure nine-byte connection IDs are replaced by 8-byte ones.
 TEST_F(QuicDispatcherTest, LongConnectionIdLengthReplaced) {
   if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
@@ -664,10 +763,9 @@ TEST_F(QuicDispatcherTest, LongConnectionIdLengthReplaced) {
             ValidatePacket(bad_connection_id, packet);
           })));
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(bad_connection_id, _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(bad_connection_id)));
   ProcessPacket(client_address, bad_connection_id, true, SerializeCHLO());
-  EXPECT_EQ(client_address, dispatcher_->current_peer_address());
-  EXPECT_EQ(server_address_, dispatcher_->current_self_address());
 }
 
 // Makes sure zero-byte connection IDs are replaced by 8-byte ones.
@@ -703,10 +801,9 @@ TEST_F(QuicDispatcherTest, InvalidShortConnectionIdLengthReplaced) {
             ValidatePacket(bad_connection_id, packet);
           })));
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(bad_connection_id, _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(bad_connection_id)));
   ProcessPacket(client_address, bad_connection_id, true, SerializeCHLO());
-  EXPECT_EQ(client_address, dispatcher_->current_peer_address());
-  EXPECT_EQ(server_address_, dispatcher_->current_self_address());
 }
 
 // Makes sure TestConnectionId(1) creates a new connection and
@@ -735,10 +832,9 @@ TEST_F(QuicDispatcherTest, MixGoodAndBadConnectionIdLengthPackets) {
         ValidatePacket(TestConnectionId(1), packet);
       })));
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(TestConnectionId(1), _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(TestConnectionId(1))));
   ProcessPacket(client_address, TestConnectionId(1), true, SerializeCHLO());
-  EXPECT_EQ(client_address, dispatcher_->current_peer_address());
-  EXPECT_EQ(server_address_, dispatcher_->current_self_address());
 
   EXPECT_CALL(*dispatcher_,
               CreateQuicSession(fixed_connection_id, client_address,
@@ -754,7 +850,8 @@ TEST_F(QuicDispatcherTest, MixGoodAndBadConnectionIdLengthPackets) {
             ValidatePacket(bad_connection_id, packet);
           })));
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(bad_connection_id, _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(bad_connection_id)));
   ProcessPacket(client_address, bad_connection_id, true, SerializeCHLO());
 
   EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
@@ -783,6 +880,25 @@ TEST_F(QuicDispatcherTest, ProcessPacketWithZeroPort) {
   ProcessPacket(client_address, TestConnectionId(1), true, SerializeCHLO());
 }
 
+TEST_F(QuicDispatcherTest, ProcessPacketWithInvalidShortInitialConnectionId) {
+  SetQuicReloadableFlag(quic_drop_invalid_small_initial_connection_id, true);
+  // Enable v47 otherwise we cannot create a packet with a short connection ID.
+  SetQuicReloadableFlag(quic_enable_version_47, true);
+  CreateTimeWaitListManager();
+
+  QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
+
+  // dispatcher_ should drop this packet.
+  EXPECT_CALL(*dispatcher_,
+              CreateQuicSession(_, client_address, QuicStringPiece("hq"), _))
+      .Times(0);
+  EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, _, _, _)).Times(0);
+  EXPECT_CALL(*time_wait_list_manager_,
+              AddConnectionIdToTimeWait(_, _, _, _, _))
+      .Times(0);
+  ProcessPacket(client_address, EmptyQuicConnectionId(), true, SerializeCHLO());
+}
+
 TEST_F(QuicDispatcherTest, OKSeqNoPacketProcessed) {
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
   QuicConnectionId connection_id = TestConnectionId(1);
@@ -803,269 +919,85 @@ TEST_F(QuicDispatcherTest, OKSeqNoPacketProcessed) {
   // A packet whose packet number is the largest that is allowed to start a
   // connection.
   EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(connection_id, _));
+              ShouldCreateOrBufferPacketForConnection(
+                  ReceivedPacketInfoConnectionIdEquals(connection_id)));
   ProcessPacket(client_address, connection_id, true, SerializeCHLO(),
                 CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER,
                 QuicDispatcher::kMaxReasonableInitialPacketNumber);
-  EXPECT_EQ(client_address, dispatcher_->current_peer_address());
-  EXPECT_EQ(server_address_, dispatcher_->current_self_address());
-}
-
-TEST_F(QuicDispatcherTest, TooBigSeqNoPacketToTimeWaitListManager) {
-  if (CurrentSupportedVersions().front().HasHeaderProtection() ||
-      GetQuicRestartFlag(quic_no_framer_object_in_dispatcher)) {
-    // When header protection is in use, we don't put packets in the time wait
-    // list manager based on packet number.
-    return;
-  }
-  CreateTimeWaitListManager();
-  SetQuicRestartFlag(quic_enable_accept_random_ipn, false);
-  QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
-  QuicConnectionId connection_id = TestConnectionId(1);
-
-  // Dispatcher forwards this packet for this connection_id to the time wait
-  // list manager.
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, QuicStringPiece("hq"), _))
-      .Times(0);
-  EXPECT_CALL(*time_wait_list_manager_,
-              ProcessPacket(_, _, TestConnectionId(1), _, _))
-      .Times(1);
-  EXPECT_CALL(*time_wait_list_manager_,
-              ProcessPacket(_, _, TestConnectionId(2), _, _))
-      .Times(1);
-  EXPECT_CALL(*time_wait_list_manager_,
-              AddConnectionIdToTimeWait(_, _, _, _, _))
-      .Times(2);
-  // A packet whose packet number is one to large to be allowed to start a
-  // connection.
-  ProcessPacket(client_address, connection_id, true, SerializeCHLO(),
-                CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER,
-                QuicDispatcher::kMaxReasonableInitialPacketNumber + 1);
-  connection_id = TestConnectionId(2);
-  SetQuicRestartFlag(quic_enable_accept_random_ipn, true);
-  ProcessPacket(client_address, connection_id, true, SerializeCHLO(),
-                CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER,
-                MaxRandomInitialPacketNumber().ToUint64() +
-                    QuicDispatcher::kMaxReasonableInitialPacketNumber + 1);
 }
 
 TEST_F(QuicDispatcherTest, SupportedTransportVersionsChangeInFlight) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 7u,
                 "Supported versions out of sync");
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_44, true);
-  SetQuicReloadableFlag(quic_enable_version_46, true);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
   SetQuicReloadableFlag(quic_enable_version_47, true);
+  SetQuicReloadableFlag(quic_enable_version_48, true);
   SetQuicReloadableFlag(quic_enable_version_99, true);
-  QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
-  uint64_t conn_id = 1;
-  QuicConnectionId connection_id = TestConnectionId(conn_id);
 
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .Times(0);
-  ParsedQuicVersion version(
-      PROTOCOL_QUIC_CRYPTO,
-      static_cast<QuicTransportVersion>(QuicTransportVersionMin() - 1));
-  ProcessPacket(client_address, connection_id, true, version, SerializeCHLO(),
-                CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER, 1);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .WillOnce(testing::Return(CreateSession(
-          dispatcher_.get(), config_, connection_id, client_address,
-          &mock_helper_, &mock_alarm_factory_, &crypto_config_,
-          QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_)));
-  EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
-              ProcessUdpPacket(_, _, _))
-      .WillOnce(WithArg<2>(
-          Invoke([this, connection_id](const QuicEncryptedPacket& packet) {
-            ValidatePacket(connection_id, packet);
-          })));
-  EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(connection_id, _));
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO,
-                                  QuicVersionMin().transport_version),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .WillOnce(testing::Return(CreateSession(
-          dispatcher_.get(), config_, connection_id, client_address,
-          &mock_helper_, &mock_alarm_factory_, &crypto_config_,
-          QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_)));
-  EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
-              ProcessUdpPacket(_, _, _))
-      .WillOnce(WithArg<2>(
-          Invoke([this, connection_id](const QuicEncryptedPacket& packet) {
-            ValidatePacket(connection_id, packet);
-          })));
-  EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(connection_id, _));
-  ProcessPacket(client_address, connection_id, true, QuicVersionMax(),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  VerifyVersionNotSupported(QuicVersionReservedForNegotiation());
+
+  VerifyVersionSupported(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO,
+                                           QuicVersionMin().transport_version));
+  VerifyVersionSupported(QuicVersionMax());
+
+  // Turn off version 48.
+  SetQuicReloadableFlag(quic_enable_version_48, false);
+  VerifyVersionNotSupported(
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48));
+
+  // Turn on version 48.
+  SetQuicReloadableFlag(quic_enable_version_48, true);
+  VerifyVersionSupported(
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48));
 
   // Turn off version 47.
   SetQuicReloadableFlag(quic_enable_version_47, false);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .Times(0);
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  VerifyVersionNotSupported(
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47));
 
   // Turn on version 47.
   SetQuicReloadableFlag(quic_enable_version_47, true);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .WillOnce(testing::Return(CreateSession(
-          dispatcher_.get(), config_, connection_id, client_address,
-          &mock_helper_, &mock_alarm_factory_, &crypto_config_,
-          QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_)));
-  EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
-              ProcessUdpPacket(_, _, _))
-      .WillOnce(WithArg<2>(
-          Invoke([this, connection_id](const QuicEncryptedPacket& packet) {
-            ValidatePacket(connection_id, packet);
-          })));
-  EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(connection_id, _));
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
-
-  // Turn off version 46.
-  SetQuicReloadableFlag(quic_enable_version_46, false);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .Times(0);
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_46),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
-
-  // Turn on version 46.
-  SetQuicReloadableFlag(quic_enable_version_46, true);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .WillOnce(testing::Return(CreateSession(
-          dispatcher_.get(), config_, connection_id, client_address,
-          &mock_helper_, &mock_alarm_factory_, &crypto_config_,
-          QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_)));
-  EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
-              ProcessUdpPacket(_, _, _))
-      .WillOnce(WithArg<2>(
-          Invoke([this, connection_id](const QuicEncryptedPacket& packet) {
-            ValidatePacket(connection_id, packet);
-          })));
-  EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(connection_id, _));
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_46),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  VerifyVersionSupported(
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47));
 
   // Turn off version 44.
-  SetQuicReloadableFlag(quic_enable_version_44, false);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .Times(0);
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_44),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  SetQuicReloadableFlag(quic_disable_version_44, true);
+  VerifyVersionNotSupported(
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_44));
 
   // Turn on version 44.
-  SetQuicReloadableFlag(quic_enable_version_44, true);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .WillOnce(testing::Return(CreateSession(
-          dispatcher_.get(), config_, connection_id, client_address,
-          &mock_helper_, &mock_alarm_factory_, &crypto_config_,
-          QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_)));
-  EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
-              ProcessUdpPacket(_, _, _))
-      .WillOnce(WithArg<2>(
-          Invoke([this, connection_id](const QuicEncryptedPacket& packet) {
-            ValidatePacket(connection_id, packet);
-          })));
-  EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(connection_id, _));
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_44),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
+  VerifyVersionSupported(
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_44));
 
   // Turn off version 39.
   SetQuicReloadableFlag(quic_disable_version_39, true);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .Times(0);
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  VerifyVersionNotSupported(
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39));
 
   // Turn on version 39.
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  connection_id = TestConnectionId(++conn_id);
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(connection_id, client_address,
-                                              QuicStringPiece("hq"), _))
-      .WillOnce(testing::Return(CreateSession(
-          dispatcher_.get(), config_, connection_id, client_address,
-          &mock_helper_, &mock_alarm_factory_, &crypto_config_,
-          QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_)));
-  EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
-              ProcessUdpPacket(_, _, _))
-      .WillOnce(WithArg<2>(
-          Invoke([this, connection_id](const QuicEncryptedPacket& packet) {
-            ValidatePacket(connection_id, packet);
-          })));
-  EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(connection_id, _));
-  ProcessPacket(client_address, connection_id, true,
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39),
-                SerializeCHLO(), CONNECTION_ID_PRESENT,
-                PACKET_4BYTE_PACKET_NUMBER, 1);
+  VerifyVersionSupported(
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39));
 }
 
-// Enables mocking of the handshake-confirmation for stateless rejects.
-class MockQuicCryptoServerStream : public QuicCryptoServerStream {
- public:
-  MockQuicCryptoServerStream(const QuicCryptoServerConfig& crypto_config,
-                             QuicCompressedCertsCache* compressed_certs_cache,
-                             QuicServerSessionBase* session,
-                             QuicCryptoServerStream::Helper* helper)
-      : QuicCryptoServerStream(&crypto_config,
-                               compressed_certs_cache,
-                               session,
-                               helper),
-        handshake_confirmed_(false) {}
-  MockQuicCryptoServerStream(const MockQuicCryptoServerStream&) = delete;
-  MockQuicCryptoServerStream& operator=(const MockQuicCryptoServerStream&) =
-      delete;
-
-  void set_handshake_confirmed_for_testing(bool handshake_confirmed) {
-    handshake_confirmed_ = handshake_confirmed;
-  }
-
-  bool handshake_confirmed() const override { return handshake_confirmed_; }
+TEST_F(QuicDispatcherTest, RejectDeprecatedVersionsWithVersionNegotiation) {
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 7u,
+                "Please add deprecated versions to this test");
+  QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
+  CreateTimeWaitListManager();
 
- private:
-  bool handshake_confirmed_;
-};
+  char packet45[kMinPacketSizeForVersionNegotiation] = {
+      0xC0, 'Q', '0', '4', '5', /*connection ID length byte*/ 0x50};
+  QuicReceivedPacket packet(packet45, kMinPacketSizeForVersionNegotiation,
+                            QuicTime::Zero());
+  EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
+  EXPECT_CALL(*time_wait_list_manager_,
+              SendVersionNegotiationPacket(_, _, _, _, _, _, _))
+      .Times(1);
+  dispatcher_->ProcessPacket(server_address_, client_address, packet);
+}
 
 // Verify the stopgap test: Packets with truncated connection IDs should be
 // dropped.
@@ -1074,14 +1006,14 @@ class QuicDispatcherTestStrayPacketConnectionId : public QuicDispatcherTest {};
 // Packets with truncated connection IDs should be dropped.
 TEST_F(QuicDispatcherTestStrayPacketConnectionId,
        StrayPacketTruncatedConnectionId) {
+  SetQuicReloadableFlag(quic_drop_invalid_small_initial_connection_id, true);
   CreateTimeWaitListManager();
 
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
   QuicConnectionId connection_id = TestConnectionId(1);
   EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, QuicStringPiece("hq"), _))
       .Times(0);
-  if (CurrentSupportedVersions()[0].transport_version > QUIC_VERSION_43 &&
-      !QuicUtils::VariableLengthConnectionIdAllowedForVersion(
+  if (VersionHasIetfInvariantHeader(
           CurrentSupportedVersions()[0].transport_version)) {
     // This IETF packet has invalid connection ID length.
     EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, _, _, _))
@@ -1090,10 +1022,8 @@ TEST_F(QuicDispatcherTestStrayPacketConnectionId,
                 AddConnectionIdToTimeWait(_, _, _, _, _))
         .Times(0);
   } else {
-    // This is either:
-    // - a GQUIC packet considered as IETF QUIC packet with short header
-    // with unacceptable packet number or
-    // - an IETF QUIC packet with bad connection ID length which is rejected.
+    // This is a GQUIC packet considered as IETF QUIC packet with short header
+    // with unacceptable packet number.
     EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, _, _, _))
         .Times(1);
     EXPECT_CALL(*time_wait_list_manager_,
@@ -1111,11 +1041,11 @@ class BlockingWriter : public QuicPacketWriterWrapper {
   bool IsWriteBlocked() const override { return write_blocked_; }
   void SetWritable() override { write_blocked_ = false; }
 
-  WriteResult WritePacket(const char* buffer,
-                          size_t buf_len,
-                          const QuicIpAddress& self_client_address,
-                          const QuicSocketAddress& peer_client_address,
-                          PerPacketOptions* options) override {
+  WriteResult WritePacket(const char* /*buffer*/,
+                          size_t /*buf_len*/,
+                          const QuicIpAddress& /*self_client_address*/,
+                          const QuicSocketAddress& /*peer_client_address*/,
+                          PerPacketOptions* /*options*/) override {
     // It would be quite possible to actually implement this method here with
     // the fake blocked status, but it would be significantly more work in
     // Chromium, and since it's not called anyway, don't bother.
@@ -1146,8 +1076,9 @@ class QuicDispatcherWriteBlockedListTest : public QuicDispatcherTest {
         .WillOnce(WithArg<2>(Invoke([this](const QuicEncryptedPacket& packet) {
           ValidatePacket(TestConnectionId(1), packet);
         })));
-    EXPECT_CALL(*dispatcher_, ShouldCreateOrBufferPacketForConnection(
-                                  TestConnectionId(1), _));
+    EXPECT_CALL(*dispatcher_,
+                ShouldCreateOrBufferPacketForConnection(
+                    ReceivedPacketInfoConnectionIdEquals(TestConnectionId(1))));
     ProcessPacket(client_address, TestConnectionId(1), true, SerializeCHLO());
 
     EXPECT_CALL(*dispatcher_,
@@ -1161,8 +1092,9 @@ class QuicDispatcherWriteBlockedListTest : public QuicDispatcherTest {
         .WillOnce(WithArg<2>(Invoke([this](const QuicEncryptedPacket& packet) {
           ValidatePacket(TestConnectionId(2), packet);
         })));
-    EXPECT_CALL(*dispatcher_, ShouldCreateOrBufferPacketForConnection(
-                                  TestConnectionId(2), _));
+    EXPECT_CALL(*dispatcher_,
+                ShouldCreateOrBufferPacketForConnection(
+                    ReceivedPacketInfoConnectionIdEquals(TestConnectionId(2))));
     ProcessPacket(client_address, TestConnectionId(2), true, SerializeCHLO());
 
     blocked_list_ = QuicDispatcherPeer::GetWriteBlockedList(dispatcher_.get());
@@ -1400,7 +1332,6 @@ TEST_F(QuicDispatcherWriteBlockedListTest,
   MarkSession1Deleted();
 }
 
-// A dispatcher whose stateless rejector will always ACCEPTs CHLO.
 class BufferedPacketStoreTest : public QuicDispatcherTest {
  public:
   BufferedPacketStoreTest()
@@ -1442,8 +1373,8 @@ TEST_F(BufferedPacketStoreTest, ProcessNonChloPacketsUptoLimitAndProcessChlo) {
   QuicConnectionId conn_id = TestConnectionId(1);
   // A bunch of non-CHLO should be buffered upon arrival, and the first one
   // should trigger ShouldCreateOrBufferPacketForConnection().
-  EXPECT_CALL(*dispatcher_, ShouldCreateOrBufferPacketForConnection(conn_id, _))
-      .Times(1);
+  EXPECT_CALL(*dispatcher_, ShouldCreateOrBufferPacketForConnection(
+                                ReceivedPacketInfoConnectionIdEquals(conn_id)));
   for (size_t i = 1; i <= kDefaultMaxUndecryptablePackets + 1; ++i) {
     ProcessPacket(client_address, conn_id, true,
                   QuicStrCat("data packet ", i + 1), CONNECTION_ID_PRESENT,
@@ -1484,7 +1415,8 @@ TEST_F(BufferedPacketStoreTest,
     QuicSocketAddress client_address(QuicIpAddress::Loopback4(), i);
     QuicConnectionId conn_id = TestConnectionId(i);
     EXPECT_CALL(*dispatcher_,
-                ShouldCreateOrBufferPacketForConnection(conn_id, _));
+                ShouldCreateOrBufferPacketForConnection(
+                    ReceivedPacketInfoConnectionIdEquals(conn_id)));
     ProcessPacket(client_address, conn_id, true,
                   QuicStrCat("data packet on connection ", i),
                   CONNECTION_ID_PRESENT, PACKET_4BYTE_PACKET_NUMBER,
@@ -1505,7 +1437,8 @@ TEST_F(BufferedPacketStoreTest,
     QuicConnectionId conn_id = TestConnectionId(i);
     if (i == kNumConnections) {
       EXPECT_CALL(*dispatcher_,
-                  ShouldCreateOrBufferPacketForConnection(conn_id, _));
+                  ShouldCreateOrBufferPacketForConnection(
+                      ReceivedPacketInfoConnectionIdEquals(conn_id)));
     }
     EXPECT_CALL(*dispatcher_, CreateQuicSession(conn_id, client_address,
                                                 QuicStringPiece(), _))
@@ -1532,8 +1465,8 @@ TEST_F(BufferedPacketStoreTest,
 TEST_F(BufferedPacketStoreTest, DeliverEmptyPackets) {
   QuicConnectionId conn_id = TestConnectionId(1);
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
-  EXPECT_CALL(*dispatcher_,
-              ShouldCreateOrBufferPacketForConnection(conn_id, _));
+  EXPECT_CALL(*dispatcher_, ShouldCreateOrBufferPacketForConnection(
+                                ReceivedPacketInfoConnectionIdEquals(conn_id)));
   EXPECT_CALL(*dispatcher_,
               CreateQuicSession(conn_id, client_address, QuicStringPiece(), _))
       .WillOnce(testing::Return(CreateSession(
@@ -1614,8 +1547,10 @@ TEST_F(BufferedPacketStoreTest, ProcessCHLOsUptoLimitAndBufferTheRest) {
   const size_t kNumCHLOs =
       kMaxNumSessionsToCreate + kDefaultMaxConnectionsInStore + 1;
   for (uint64_t conn_id = 1; conn_id <= kNumCHLOs; ++conn_id) {
-    EXPECT_CALL(*dispatcher_, ShouldCreateOrBufferPacketForConnection(
-                                  TestConnectionId(conn_id), _));
+    EXPECT_CALL(
+        *dispatcher_,
+        ShouldCreateOrBufferPacketForConnection(
+            ReceivedPacketInfoConnectionIdEquals(TestConnectionId(conn_id))));
     if (conn_id <= kMaxNumSessionsToCreate) {
       EXPECT_CALL(*dispatcher_,
                   CreateQuicSession(TestConnectionId(conn_id), client_addr_,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.cc b/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.cc
index 86c0896f22e..f13eec4ae3a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.cc
@@ -71,7 +71,6 @@ const char* QuicErrorCodeToString(QuicErrorCode error) {
     RETURN_STRING_LITERAL(QUIC_CRYPTO_MESSAGE_AFTER_HANDSHAKE_COMPLETE);
     RETURN_STRING_LITERAL(QUIC_CRYPTO_INTERNAL_ERROR);
     RETURN_STRING_LITERAL(QUIC_CRYPTO_VERSION_NOT_SUPPORTED);
-    RETURN_STRING_LITERAL(QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT);
     RETURN_STRING_LITERAL(QUIC_CRYPTO_NO_SUPPORT);
     RETURN_STRING_LITERAL(QUIC_INVALID_CRYPTO_MESSAGE_TYPE);
     RETURN_STRING_LITERAL(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER);
@@ -156,6 +155,8 @@ const char* QuicErrorCodeToString(QuicErrorCode error) {
     RETURN_STRING_LITERAL(QUIC_HTTP_DECODER_ERROR);
     RETURN_STRING_LITERAL(QUIC_STALE_CONNECTION_CANCELLED);
     RETURN_STRING_LITERAL(QUIC_IETF_GQUIC_ERROR_MISSING);
+    RETURN_STRING_LITERAL(
+        QUIC_WINDOW_UPDATE_RECEIVED_ON_READ_UNIDIRECTIONAL_STREAM);
 
     RETURN_STRING_LITERAL(QUIC_LAST_ERROR);
     // Intentionally have no default case, so we'll break the build
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.h b/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.h
index c8259f723c3..abc666df908 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.h
@@ -216,8 +216,8 @@ enum QuicErrorCode {
   QUIC_CRYPTO_INTERNAL_ERROR = 38,
   // A crypto handshake message specified an unsupported version.
   QUIC_CRYPTO_VERSION_NOT_SUPPORTED = 39,
-  // A crypto handshake message resulted in a stateless reject.
-  QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT = 72,
+  // (Deprecated) A crypto handshake message resulted in a stateless reject.
+  // QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT = 72,
   // There was no intersection between the crypto primitives supported by the
   // peer and ourselves.
   QUIC_CRYPTO_NO_SUPPORT = 40,
@@ -331,8 +331,11 @@ enum QuicErrorCode {
   // not available in a received CONNECTION_CLOSE frame.
   QUIC_IETF_GQUIC_ERROR_MISSING = 122,
 
+  // Received WindowUpdate on a READ_UNIDIRECTIONAL stream.
+  QUIC_WINDOW_UPDATE_RECEIVED_ON_READ_UNIDIRECTIONAL_STREAM = 123,
+
   // No error. Used as bound while iterating.
-  QUIC_LAST_ERROR = 123,
+  QUIC_LAST_ERROR = 124,
 };
 // QuicErrorCodes is encoded as a single octet on-the-wire.
 static_assert(static_cast<int>(QUIC_LAST_ERROR) <=
@@ -352,7 +355,7 @@ QUIC_EXPORT_PRIVATE inline std::string HistogramEnumString(
 }
 
 QUIC_EXPORT_PRIVATE inline std::string HistogramEnumDescription(
-    QuicErrorCode dummy) {
+    QuicErrorCode /*dummy*/) {
   return "cause";
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller.cc b/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller.cc
index 3fb5d754ee7..dbc5100c816 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller.cc
@@ -21,6 +21,13 @@ namespace quic {
 #define ENDPOINT \
   (perspective_ == Perspective::IS_SERVER ? "Server: " : "Client: ")
 
+std::string QuicFlowController::LogLabel() {
+  if (is_connection_flow_controller_) {
+    return "connection";
+  }
+  return QuicStrCat("stream ", id_);
+}
+
 QuicFlowController::QuicFlowController(
     QuicSession* session,
     QuicStreamId id,
@@ -51,7 +58,7 @@ QuicFlowController::QuicFlowController(
             QuicUtils::GetInvalidStreamId(
                 session_->connection()->transport_version()) == id_);
 
-  QUIC_DVLOG(1) << ENDPOINT << "Created flow controller for stream " << id_
+  QUIC_DVLOG(1) << ENDPOINT << "Created flow controller for " << LogLabel()
                 << ", setting initial receive window offset to: "
                 << receive_window_offset_
                 << ", max receive window to: " << receive_window_size_
@@ -62,8 +69,8 @@ QuicFlowController::QuicFlowController(
 
 void QuicFlowController::AddBytesConsumed(QuicByteCount bytes_consumed) {
   bytes_consumed_ += bytes_consumed;
-  QUIC_DVLOG(1) << ENDPOINT << "Stream " << id_ << " consumed "
-                << bytes_consumed_ << " bytes.";
+  QUIC_DVLOG(1) << ENDPOINT << LogLabel() << " consumed " << bytes_consumed_
+                << " bytes.";
 
   MaybeSendWindowUpdate();
 }
@@ -75,7 +82,7 @@ bool QuicFlowController::UpdateHighestReceivedOffset(
     return false;
   }
 
-  QUIC_DVLOG(1) << ENDPOINT << "Stream " << id_
+  QUIC_DVLOG(1) << ENDPOINT << LogLabel()
                 << " highest byte offset increased from "
                 << highest_received_byte_offset_ << " to " << new_offset;
   highest_received_byte_offset_ = new_offset;
@@ -84,7 +91,7 @@ bool QuicFlowController::UpdateHighestReceivedOffset(
 
 void QuicFlowController::AddBytesSent(QuicByteCount bytes_sent) {
   if (bytes_sent_ + bytes_sent > send_window_offset_) {
-    QUIC_BUG << ENDPOINT << "Stream " << id_ << " Trying to send an extra "
+    QUIC_BUG << ENDPOINT << LogLabel() << " Trying to send an extra "
              << bytes_sent << " bytes, when bytes_sent = " << bytes_sent_
              << ", and send_window_offset_ = " << send_window_offset_;
     bytes_sent_ = send_window_offset_;
@@ -99,13 +106,13 @@ void QuicFlowController::AddBytesSent(QuicByteCount bytes_sent) {
   }
 
   bytes_sent_ += bytes_sent;
-  QUIC_DVLOG(1) << ENDPOINT << "Stream " << id_ << " sent " << bytes_sent_
+  QUIC_DVLOG(1) << ENDPOINT << LogLabel() << " sent " << bytes_sent_
                 << " bytes.";
 }
 
 bool QuicFlowController::FlowControlViolation() {
   if (highest_received_byte_offset_ > receive_window_offset_) {
-    QUIC_DLOG(INFO) << ENDPOINT << "Flow control violation on stream " << id_
+    QUIC_DLOG(INFO) << ENDPOINT << "Flow control violation on " << LogLabel()
                     << ", receive window offset: " << receive_window_offset_
                     << ", highest received byte offset: "
                     << highest_received_byte_offset_;
@@ -128,7 +135,7 @@ void QuicFlowController::MaybeIncreaseMaxWindowSize() {
   QuicTime prev = prev_window_update_time_;
   prev_window_update_time_ = now;
   if (!prev.IsInitialized()) {
-    QUIC_DVLOG(1) << ENDPOINT << "first window update for stream " << id_;
+    QUIC_DVLOG(1) << ENDPOINT << "first window update for " << LogLabel();
     return;
   }
 
@@ -140,7 +147,7 @@ void QuicFlowController::MaybeIncreaseMaxWindowSize() {
   QuicTime::Delta rtt =
       connection_->sent_packet_manager().GetRttStats()->smoothed_rtt();
   if (rtt.IsZero()) {
-    QUIC_DVLOG(1) << ENDPOINT << "rtt zero for stream " << id_;
+    QUIC_DVLOG(1) << ENDPOINT << "rtt zero for " << LogLabel();
     return;
   }
 
@@ -157,7 +164,7 @@ void QuicFlowController::MaybeIncreaseMaxWindowSize() {
   IncreaseWindowSize();
 
   if (receive_window_size_ > old_window) {
-    QUIC_DVLOG(1) << ENDPOINT << "New max window increase for stream " << id_
+    QUIC_DVLOG(1) << ENDPOINT << "New max window increase for " << LogLabel()
                   << " after " << since_last.ToMicroseconds()
                   << " us, and RTT is " << rtt.ToMicroseconds()
                   << "us. max wndw: " << receive_window_size_;
@@ -168,7 +175,7 @@ void QuicFlowController::MaybeIncreaseMaxWindowSize() {
   } else {
     // TODO(ckrasic) - add a varz to track this (?).
     QUIC_LOG_FIRST_N(INFO, 1)
-        << ENDPOINT << "Max window at limit for stream " << id_ << " after "
+        << ENDPOINT << "Max window at limit for " << LogLabel() << " after "
         << since_last.ToMicroseconds() << " us, and RTT is "
         << rtt.ToMicroseconds() << "us. Limit size: " << receive_window_size_;
   }
@@ -199,7 +206,7 @@ void QuicFlowController::MaybeSendWindowUpdate() {
   }
 
   if (available_window >= threshold) {
-    QUIC_DVLOG(1) << ENDPOINT << "Not sending WindowUpdate for stream " << id_
+    QUIC_DVLOG(1) << ENDPOINT << "Not sending WindowUpdate for " << LogLabel()
                   << ", available window: " << available_window
                   << " >= threshold: " << threshold;
     return;
@@ -214,7 +221,7 @@ void QuicFlowController::UpdateReceiveWindowOffsetAndSendWindowUpdate(
   // Update our receive window.
   receive_window_offset_ += (receive_window_size_ - available_window);
 
-  QUIC_DVLOG(1) << ENDPOINT << "Sending WindowUpdate frame for stream " << id_
+  QUIC_DVLOG(1) << ENDPOINT << "Sending WindowUpdate frame for " << LogLabel()
                 << ", consumed bytes: " << bytes_consumed_
                 << ", available window: " << available_window
                 << ", and threshold: " << WindowUpdateThreshold()
@@ -229,8 +236,7 @@ bool QuicFlowController::ShouldSendBlocked() {
       last_blocked_send_window_offset_ >= send_window_offset_) {
     return false;
   }
-  QUIC_DLOG(INFO) << ENDPOINT << "Stream " << id_
-                  << " is flow control blocked. "
+  QUIC_DLOG(INFO) << ENDPOINT << LogLabel() << " is flow control blocked. "
                   << "Send window: " << SendWindowSize()
                   << ", bytes sent: " << bytes_sent_
                   << ", send limit: " << send_window_offset_;
@@ -250,7 +256,7 @@ bool QuicFlowController::UpdateSendWindowOffset(
     return false;
   }
 
-  QUIC_DVLOG(1) << ENDPOINT << "UpdateSendWindowOffset for stream " << id_
+  QUIC_DVLOG(1) << ENDPOINT << "UpdateSendWindowOffset for " << LogLabel()
                 << " with new offset " << new_send_window_offset
                 << " current offset: " << send_window_offset_
                 << " bytes_sent: " << bytes_sent_;
@@ -286,7 +292,7 @@ uint64_t QuicFlowController::SendWindowSize() const {
 
 void QuicFlowController::UpdateReceiveWindowSize(QuicStreamOffset size) {
   DCHECK_LE(size, receive_window_size_limit_);
-  QUIC_DVLOG(1) << ENDPOINT << "UpdateReceiveWindowSize for stream " << id_
+  QUIC_DVLOG(1) << ENDPOINT << "UpdateReceiveWindowSize for " << LogLabel()
                 << ": " << size;
   if (receive_window_size_ != receive_window_offset_) {
     QUIC_BUG << "receive_window_size_:" << receive_window_size_
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller.h b/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller.h
index 4de292cd5a6..e627c8c4d31 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller.h
@@ -121,6 +121,10 @@ class QUIC_EXPORT_PRIVATE QuicFlowController
   // Double the window size as long as we haven't hit the max window size.
   void IncreaseWindowSize();
 
+  // Returns "stream $ID" (where $ID is set to |id_|) or "connection" based on
+  // |is_connection_flow_controller_|.
+  std::string LogLabel();
+
   // The parent session/connection, used to send connection close on flow
   // control violation, and WINDOW_UPDATE and BLOCKED frames when appropriate.
   // Not owned.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller_test.cc
index 771b2e2bd91..299f92230eb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_flow_controller_test.cc
@@ -16,6 +16,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
 using testing::_;
+using testing::Invoke;
 
 namespace quic {
 namespace test {
@@ -45,11 +46,6 @@ class QuicFlowControllerTest : public QuicTest {
         should_auto_tune_receive_window_, &session_flow_controller_);
   }
 
-  bool ClearControlFrame(const QuicFrame& frame) {
-    DeleteFrame(&const_cast<QuicFrame&>(frame));
-    return true;
-  }
-
  protected:
   QuicStreamId stream_id_ = 1234;
   QuicByteCount send_window_ = kInitialSessionFlowControlWindowForTest;
@@ -243,7 +239,7 @@ TEST_F(QuicFlowControllerTest, ReceivingBytesFastNoAutoTune) {
   // This test will generate two WINDOW_UPDATE frames.
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(2)
-      .WillRepeatedly(Invoke(this, &QuicFlowControllerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_FALSE(flow_controller_->auto_tune_receive_window());
 
   // Make sure clock is inititialized.
@@ -353,7 +349,7 @@ TEST_F(QuicFlowControllerTest, ReceivingBytesNormalNoAutoTune) {
   // This test will generate two WINDOW_UPDATE frames.
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(2)
-      .WillRepeatedly(Invoke(this, &QuicFlowControllerTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_FALSE(flow_controller_->auto_tune_receive_window());
 
   // Make sure clock is inititialized.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_framer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_framer.cc
index 7e34b3b6259..e9d6fa9f598 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_framer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_framer.cc
@@ -33,7 +33,6 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_client_stats.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_fallthrough.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
@@ -177,8 +176,9 @@ QuicPacketNumberLength ReadSequenceNumberLength(uint8_t flags) {
   }
 }
 
-QuicPacketNumberLength ReadAckPacketNumberLength(QuicTransportVersion version,
-                                                 uint8_t flags) {
+QuicPacketNumberLength ReadAckPacketNumberLength(
+    QuicTransportVersion /*version*/,
+    uint8_t flags) {
   switch (flags & PACKET_FLAGS_8BYTE_PACKET) {
     case PACKET_FLAGS_8BYTE_PACKET:
       return PACKET_6BYTE_PACKET_NUMBER;
@@ -463,7 +463,7 @@ QuicFramer::QuicFramer(const ParsedQuicVersionVector& supported_versions,
     : visitor_(nullptr),
       error_(QUIC_NO_ERROR),
       last_serialized_server_connection_id_(EmptyQuicConnectionId()),
-      last_version_label_(0),
+      last_serialized_client_connection_id_(EmptyQuicConnectionId()),
       version_(PROTOCOL_UNSUPPORTED, QUIC_VERSION_UNSUPPORTED),
       supported_versions_(supported_versions),
       decrypter_level_(ENCRYPTION_INITIAL),
@@ -480,7 +480,7 @@ QuicFramer::QuicFramer(const ParsedQuicVersionVector& supported_versions,
                                              Perspective::IS_CLIENT),
       expected_server_connection_id_length_(
           expected_server_connection_id_length),
-      should_update_expected_server_connection_id_length_(false),
+      expected_client_connection_id_length_(0),
       supports_multiple_packet_number_spaces_(false),
       last_written_packet_number_length_(0) {
   DCHECK(!supported_versions.empty());
@@ -497,7 +497,7 @@ size_t QuicFramer::GetMinStreamFrameSize(QuicTransportVersion version,
                                          QuicStreamOffset offset,
                                          bool last_frame_in_packet,
                                          QuicPacketLength data_length) {
-  if (version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version)) {
     return kQuicFrameTypeSize + QuicDataWriter::GetVarInt62Len(stream_id) +
            (last_frame_in_packet
                 ? 0
@@ -520,7 +520,7 @@ size_t QuicFramer::GetMinCryptoFrameSize(QuicStreamOffset offset,
 size_t QuicFramer::GetMessageFrameSize(QuicTransportVersion version,
                                        bool last_frame_in_packet,
                                        QuicByteCount length) {
-  QUIC_BUG_IF(version <= QUIC_VERSION_44)
+  QUIC_BUG_IF(!VersionSupportsMessageFrames(version))
       << "Try to serialize MESSAGE frame in " << version;
   return kQuicFrameTypeSize +
          (last_frame_in_packet ? 0 : QuicDataWriter::GetVarInt62Len(length)) +
@@ -531,7 +531,7 @@ size_t QuicFramer::GetMessageFrameSize(QuicTransportVersion version,
 size_t QuicFramer::GetMinAckFrameSize(
     QuicTransportVersion version,
     QuicPacketNumberLength largest_observed_length) {
-  if (version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version)) {
     // The minimal ack frame consists of the following four fields: Largest
     // Acknowledged, ACK Delay, ACK Block Count, and First ACK Block. Minimum
     // size of each is 1 byte.
@@ -544,7 +544,7 @@ size_t QuicFramer::GetMinAckFrameSize(
 
 // static
 size_t QuicFramer::GetStopWaitingFrameSize(
-    QuicTransportVersion version,
+    QuicTransportVersion /*version*/,
     QuicPacketNumberLength packet_number_length) {
   size_t min_size = kQuicFrameTypeSize + packet_number_length;
   return min_size;
@@ -553,10 +553,11 @@ size_t QuicFramer::GetStopWaitingFrameSize(
 // static
 size_t QuicFramer::GetRstStreamFrameSize(QuicTransportVersion version,
                                          const QuicRstStreamFrame& frame) {
-  if (version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version)) {
     return QuicDataWriter::GetVarInt62Len(frame.stream_id) +
            QuicDataWriter::GetVarInt62Len(frame.byte_offset) +
-           kQuicFrameTypeSize + kQuicIetfQuicErrorCodeSize;
+           kQuicFrameTypeSize +
+           QuicDataWriter::GetVarInt62Len(frame.ietf_error_code);
   }
   return kQuicFrameTypeSize + kQuicMaxStreamIdSize + kQuicMaxStreamOffsetSize +
          kQuicErrorCodeSize;
@@ -566,8 +567,8 @@ size_t QuicFramer::GetRstStreamFrameSize(QuicTransportVersion version,
 size_t QuicFramer::GetConnectionCloseFrameSize(
     QuicTransportVersion version,
     const QuicConnectionCloseFrame& frame) {
-  if (version != QUIC_VERSION_99) {
-    // Not version 99/IETF QUIC, return Google QUIC CONNECTION CLOSE frame size.
+  if (!VersionHasIetfQuicFrames(version)) {
+    // Not IETF QUIC, return Google QUIC CONNECTION CLOSE frame size.
     return kQuicFrameTypeSize + kQuicErrorCodeSize +
            kQuicErrorDetailsLengthSize +
            TruncatedErrorStringSize(frame.error_details);
@@ -578,10 +579,16 @@ size_t QuicFramer::GetConnectionCloseFrameSize(
   // extend the error string to include " QuicErrorCode: #"
   const size_t truncated_error_string_size =
       TruncatedErrorStringSize(frame.error_details);
+  uint64_t close_code = 0;
+  if (frame.close_type == IETF_QUIC_TRANSPORT_CONNECTION_CLOSE) {
+    close_code = static_cast<uint64_t>(frame.transport_error_code);
+  } else if (frame.close_type == IETF_QUIC_APPLICATION_CONNECTION_CLOSE) {
+    close_code = static_cast<uint64_t>(frame.application_error_code);
+  }
   const size_t frame_size =
       truncated_error_string_size +
       QuicDataWriter::GetVarInt62Len(truncated_error_string_size) +
-      kQuicFrameTypeSize + kQuicIetfQuicErrorCodeSize;
+      kQuicFrameTypeSize + QuicDataWriter::GetVarInt62Len(close_code);
   if (frame.close_type == IETF_QUIC_APPLICATION_CONNECTION_CLOSE) {
     return frame_size;
   }
@@ -600,7 +607,7 @@ size_t QuicFramer::GetMinGoAwayFrameSize() {
 size_t QuicFramer::GetWindowUpdateFrameSize(
     QuicTransportVersion version,
     const QuicWindowUpdateFrame& frame) {
-  if (version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(version)) {
     return kQuicFrameTypeSize + kQuicMaxStreamIdSize + kQuicMaxStreamOffsetSize;
   }
   if (frame.stream_id == QuicUtils::GetInvalidStreamId(version)) {
@@ -618,9 +625,10 @@ size_t QuicFramer::GetWindowUpdateFrameSize(
 // static
 size_t QuicFramer::GetMaxStreamsFrameSize(QuicTransportVersion version,
                                           const QuicMaxStreamsFrame& frame) {
-  if (version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(version)) {
     QUIC_BUG << "In version " << version
-             << " - not 99 - and tried to serialize MaxStreams Frame.";
+             << ", which does not support IETF Frames, and tried to serialize "
+                "MaxStreams Frame.";
   }
   return kQuicFrameTypeSize +
          QuicDataWriter::GetVarInt62Len(frame.stream_count);
@@ -630,9 +638,10 @@ size_t QuicFramer::GetMaxStreamsFrameSize(QuicTransportVersion version,
 size_t QuicFramer::GetStreamsBlockedFrameSize(
     QuicTransportVersion version,
     const QuicStreamsBlockedFrame& frame) {
-  if (version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(version)) {
     QUIC_BUG << "In version " << version
-             << " - not 99 - and tried to serialize StreamsBlocked Frame.";
+             << ", which does not support IETF frames, and tried to serialize "
+                "StreamsBlocked Frame.";
   }
 
   return kQuicFrameTypeSize +
@@ -642,7 +651,7 @@ size_t QuicFramer::GetStreamsBlockedFrameSize(
 // static
 size_t QuicFramer::GetBlockedFrameSize(QuicTransportVersion version,
                                        const QuicBlockedFrame& frame) {
-  if (version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(version)) {
     return kQuicFrameTypeSize + kQuicMaxStreamIdSize;
   }
   if (frame.stream_id == QuicUtils::GetInvalidStreamId(version)) {
@@ -657,7 +666,7 @@ size_t QuicFramer::GetBlockedFrameSize(QuicTransportVersion version,
 // static
 size_t QuicFramer::GetStopSendingFrameSize(const QuicStopSendingFrame& frame) {
   return kQuicFrameTypeSize + QuicDataWriter::GetVarInt62Len(frame.stream_id) +
-         sizeof(QuicApplicationErrorCode);
+         QuicDataWriter::GetVarInt62Len(frame.application_error_code);
 }
 
 // static
@@ -689,7 +698,7 @@ size_t QuicFramer::GetRetransmittableControlFrameSize(
       return GetMinGoAwayFrameSize() +
              TruncatedErrorStringSize(frame.goaway_frame->reason_phrase);
     case WINDOW_UPDATE_FRAME:
-      // For version 99, this could be either a MAX DATA or MAX STREAM DATA.
+      // For IETF QUIC, this could be either a MAX DATA or MAX STREAM DATA.
       // GetWindowUpdateFrameSize figures this out and returns the correct
       // length.
       return GetWindowUpdateFrameSize(version, *frame.window_update_frame);
@@ -743,7 +752,7 @@ size_t QuicFramer::GetStreamIdSize(QuicStreamId stream_id) {
 }
 
 // static
-size_t QuicFramer::GetStreamOffsetSize(QuicTransportVersion version,
+size_t QuicFramer::GetStreamOffsetSize(QuicTransportVersion /*version*/,
                                        QuicStreamOffset offset) {
   // 0 is a special case.
   if (offset == 0) {
@@ -766,6 +775,7 @@ size_t QuicFramer::GetNewConnectionIdFrameSize(
     const QuicNewConnectionIdFrame& frame) {
   return kQuicFrameTypeSize +
          QuicDataWriter::GetVarInt62Len(frame.sequence_number) +
+         QuicDataWriter::GetVarInt62Len(frame.retire_prior_to) +
          kConnectionIdLengthSize + frame.connection_id.length() +
          sizeof(frame.stateless_reset_token);
 }
@@ -908,7 +918,7 @@ size_t QuicFramer::BuildDataPacket(const QuicPacketHeader& header,
     return 0;
   }
 
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     if (AppendIetfFrames(frames, &writer) == 0) {
       return 0;
     }
@@ -998,36 +1008,36 @@ size_t QuicFramer::BuildDataPacket(const QuicPacketHeader& header,
         break;
       case NEW_CONNECTION_ID_FRAME:
         set_detailed_error(
-            "Attempt to append NEW_CONNECTION_ID frame and not in version 99.");
+            "Attempt to append NEW_CONNECTION_ID frame and not in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case RETIRE_CONNECTION_ID_FRAME:
         set_detailed_error(
-            "Attempt to append RETIRE_CONNECTION_ID frame and not in version "
-            "99.");
+            "Attempt to append RETIRE_CONNECTION_ID frame and not in IETF "
+            "QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case NEW_TOKEN_FRAME:
         set_detailed_error(
-            "Attempt to append NEW_TOKEN_ID frame and not in version 99.");
+            "Attempt to append NEW_TOKEN_ID frame and not in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case MAX_STREAMS_FRAME:
         set_detailed_error(
-            "Attempt to append MAX_STREAMS frame and not in version 99.");
+            "Attempt to append MAX_STREAMS frame and not in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case STREAMS_BLOCKED_FRAME:
         set_detailed_error(
-            "Attempt to append STREAMS_BLOCKED frame and not in version 99.");
+            "Attempt to append STREAMS_BLOCKED frame and not in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case PATH_RESPONSE_FRAME:
         set_detailed_error(
-            "Attempt to append PATH_RESPONSE frame and not in version 99.");
+            "Attempt to append PATH_RESPONSE frame and not in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case PATH_CHALLENGE_FRAME:
         set_detailed_error(
-            "Attempt to append PATH_CHALLENGE frame and not in version 99.");
+            "Attempt to append PATH_CHALLENGE frame and not in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case STOP_SENDING_FRAME:
         set_detailed_error(
-            "Attempt to append STOP_SENDING frame and not in version 99.");
+            "Attempt to append STOP_SENDING frame and not in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case MESSAGE_FRAME:
         if (!AppendMessageFrameAndTypeByte(*frame.message_frame,
@@ -1094,7 +1104,7 @@ size_t QuicFramer::AppendIetfFrames(const QuicFrames& frames,
         break;
       case STOP_WAITING_FRAME:
         set_detailed_error(
-            "Attempt to append STOP WAITING frame in version 99.");
+            "Attempt to append STOP WAITING frame in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case MTU_DISCOVERY_FRAME:
         // MTU discovery frames are serialized as ping frames.
@@ -1117,7 +1127,7 @@ size_t QuicFramer::AppendIetfFrames(const QuicFrames& frames,
         }
         break;
       case GOAWAY_FRAME:
-        set_detailed_error("Attempt to append GOAWAY frame in version 99.");
+        set_detailed_error("Attempt to append GOAWAY frame in IETF QUIC.");
         return RaiseError(QUIC_INTERNAL_ERROR);
       case WINDOW_UPDATE_FRAME:
         // Depending on whether there is a stream ID or not, will be either a
@@ -1242,7 +1252,7 @@ size_t QuicFramer::BuildPaddedPathChallengePacket(
     QuicPathFrameBuffer* payload,
     QuicRandom* randomizer,
     EncryptionLevel level) {
-  if (version_.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(version_.transport_version)) {
     QUIC_BUG << "Attempt to build a PATH_CHALLENGE Connectivity Probing "
                 "packet and not doing IETF QUIC";
     return 0;
@@ -1275,7 +1285,7 @@ size_t QuicFramer::BuildPathResponsePacket(
         << "Attempt to generate connectivity response with no request payloads";
     return 0;
   }
-  if (version_.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(version_.transport_version)) {
     QUIC_BUG << "Attempt to build a PATH_RESPONSE Connectivity Probing "
                 "packet and not doing IETF QUIC";
     return 0;
@@ -1328,8 +1338,6 @@ std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildPublicResetPacket(
   size_t len = kPublicFlagsSize + packet.connection_id.length() +
                reset_serialized.length();
   std::unique_ptr<char[]> buffer(new char[len]);
-  // Endianness is not a concern here, as writer is not going to write integers
-  // or floating numbers.
   QuicDataWriter writer(len, buffer.get());
 
   uint8_t flags = static_cast<uint8_t>(PACKET_PUBLIC_FLAGS_RST |
@@ -1353,7 +1361,7 @@ std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildPublicResetPacket(
 
 // static
 std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildIetfStatelessResetPacket(
-    QuicConnectionId connection_id,
+    QuicConnectionId /*connection_id*/,
     QuicUint128 stateless_reset_token) {
   QUIC_DVLOG(1) << "Building IETF stateless reset packet.";
   size_t len = kPacketHeaderTypeSize + kMinRandomBytesLengthInStatelessReset +
@@ -1392,20 +1400,47 @@ std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildVersionNegotiationPacket(
     QuicConnectionId client_connection_id,
     bool ietf_quic,
     const ParsedQuicVersionVector& versions) {
+  ParsedQuicVersionVector wire_versions = versions;
+  if (!GetQuicReloadableFlag(quic_version_negotiation_grease)) {
+    if (wire_versions.empty()) {
+      wire_versions = {QuicVersionReservedForNegotiation()};
+    }
+  } else {
+    // Add a version reserved for negotiation as suggested by the
+    // "Using Reserved Versions" section of draft-ietf-quic-transport.
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_version_negotiation_grease, 1, 2);
+    if (wire_versions.empty()) {
+      // Ensure that version negotiation packets we send have at least two
+      // versions. This guarantees that, under all circumstances, all QUIC
+      // packets we send are at least 14 bytes long.
+      wire_versions = {QuicVersionReservedForNegotiation(),
+                       QuicVersionReservedForNegotiation()};
+    } else {
+      // This is not uniformely distributed but is acceptable since no security
+      // depends on this randomness.
+      size_t version_index = 0;
+      const bool disable_randomness =
+          GetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness);
+      if (!disable_randomness) {
+        version_index = QuicRandom::GetInstance()->RandUint64() %
+                        (wire_versions.size() + 1);
+      }
+      wire_versions.insert(wire_versions.begin() + version_index,
+                           QuicVersionReservedForNegotiation());
+    }
+  }
   if (ietf_quic) {
-    return BuildIetfVersionNegotiationPacket(server_connection_id,
-                                             client_connection_id, versions);
+    return BuildIetfVersionNegotiationPacket(
+        server_connection_id, client_connection_id, wire_versions);
   }
 
   // The GQUIC encoding does not support encoding client connection IDs.
   DCHECK(client_connection_id.IsEmpty());
 
-  DCHECK(!versions.empty());
+  DCHECK(!wire_versions.empty());
   size_t len = kPublicFlagsSize + server_connection_id.length() +
-               versions.size() * kQuicVersionSize;
+               wire_versions.size() * kQuicVersionSize;
   std::unique_ptr<char[]> buffer(new char[len]);
-  // Endianness is not a concern here, version negotiation packet does not have
-  // integers or floating numbers.
   QuicDataWriter writer(len, buffer.get());
 
   uint8_t flags = static_cast<uint8_t>(
@@ -1420,10 +1455,8 @@ std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildVersionNegotiationPacket(
     return nullptr;
   }
 
-  for (const ParsedQuicVersion& version : versions) {
-    // TODO(rch): Use WriteUInt32() once QUIC_VERSION_35 is removed.
-    if (!writer.WriteTag(
-            QuicEndian::HostToNet32(CreateQuicVersionLabel(version)))) {
+  for (const ParsedQuicVersion& version : wire_versions) {
+    if (!writer.WriteUInt32(CreateQuicVersionLabel(version))) {
       return nullptr;
     }
   }
@@ -1449,11 +1482,7 @@ QuicFramer::BuildIetfVersionNegotiationPacket(
   QuicDataWriter writer(len, buffer.get());
 
   // TODO(fayang): Randomly select a value for the type.
-  uint8_t type = static_cast<uint8_t>(FLAGS_LONG_HEADER);
-  if (GetQuicReloadableFlag(quic_send_version_negotiation_fixed_bit)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_send_version_negotiation_fixed_bit);
-    type |= static_cast<uint8_t>(FLAGS_FIXED_BIT);
-  }
+  uint8_t type = static_cast<uint8_t>(FLAGS_LONG_HEADER | FLAGS_FIXED_BIT);
   if (!writer.WriteUInt8(type)) {
     return nullptr;
   }
@@ -1468,9 +1497,7 @@ QuicFramer::BuildIetfVersionNegotiationPacket(
   }
 
   for (const ParsedQuicVersion& version : versions) {
-    // TODO(rch): Use WriteUInt32() once QUIC_VERSION_35 is removed.
-    if (!writer.WriteTag(
-            QuicEndian::HostToNet32(CreateQuicVersionLabel(version)))) {
+    if (!writer.WriteUInt32(CreateQuicVersionLabel(version))) {
       return nullptr;
     }
   }
@@ -1484,7 +1511,7 @@ bool QuicFramer::ProcessPacket(const QuicEncryptedPacket& packet) {
   bool packet_has_ietf_packet_header = false;
   if (infer_packet_header_type_from_version_) {
     packet_has_ietf_packet_header =
-        version_.transport_version > QUIC_VERSION_43;
+        VersionHasIetfInvariantHeader(version_.transport_version);
   } else if (!reader.IsDoneReading()) {
     uint8_t type = reader.PeekByte();
     packet_has_ietf_packet_header = QuicUtils::IsIetfPacketHeader(type);
@@ -1511,11 +1538,6 @@ bool QuicFramer::ProcessPacket(const QuicEncryptedPacket& packet) {
   }
 
   if (IsVersionNegotiation(header, packet_has_ietf_packet_header)) {
-    if (!GetQuicRestartFlag(quic_server_drop_version_negotiation)) {
-      QUIC_DVLOG(1) << ENDPOINT << "Received version negotiation packet";
-      return ProcessVersionNegotiationPacket(&reader, header);
-    }
-    QUIC_RESTART_FLAG_COUNT_N(quic_server_drop_version_negotiation, 1, 2);
     if (perspective_ == Perspective::IS_CLIENT) {
       QUIC_DVLOG(1) << "Client received version negotiation packet";
       return ProcessVersionNegotiationPacket(&reader, header);
@@ -1528,7 +1550,7 @@ bool QuicFramer::ProcessPacket(const QuicEncryptedPacket& packet) {
 
   if (header.version_flag && header.version != version_) {
     if (perspective_ == Perspective::IS_SERVER) {
-      if (!visitor_->OnProtocolVersionMismatch(header.version, header.form)) {
+      if (!visitor_->OnProtocolVersionMismatch(header.version)) {
         RecordDroppedPacketReason(DroppedPacketReason::VERSION_MISMATCH);
         return true;
       }
@@ -1591,7 +1613,10 @@ bool QuicFramer::ProcessVersionNegotiationPacket(
           DroppedPacketReason::INVALID_VERSION_NEGOTIATION_PACKET);
       return RaiseError(QUIC_INVALID_VERSION_NEGOTIATION_PACKET);
     }
-    packet.versions.push_back(ParseQuicVersionLabel(version_label));
+    ParsedQuicVersion parsed_version = ParseQuicVersionLabel(version_label);
+    if (parsed_version != UnsupportedQuicVersion()) {
+      packet.versions.push_back(parsed_version);
+    }
   } while (!reader->IsDoneReading());
 
   QUIC_DLOG(INFO) << ENDPOINT << "parsed version negotiation: "
@@ -1901,7 +1926,7 @@ bool QuicFramer::ProcessIetfDataPacket(QuicDataReader* encrypted_reader,
   }
 
   // Handle the payload.
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     if (!ProcessIetfFrameData(&reader, *header)) {
       DCHECK_NE(QUIC_NO_ERROR, error_);  // ProcessIetfFrameData sets the error.
       DCHECK_NE("", detailed_error_);
@@ -2054,7 +2079,7 @@ bool QuicFramer::HasEncrypterOfEncryptionLevel(EncryptionLevel level) const {
 bool QuicFramer::AppendPacketHeader(const QuicPacketHeader& header,
                                     QuicDataWriter* writer,
                                     size_t* length_field_offset) {
-  if (transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(transport_version())) {
     return AppendIetfPacketHeader(header, writer, length_field_offset);
   }
   QUIC_DVLOG(1) << ENDPOINT << "Appending header: " << header;
@@ -2079,7 +2104,9 @@ bool QuicFramer::AppendPacketHeader(const QuicPacketHeader& header,
   QuicConnectionIdIncluded server_connection_id_included =
       GetServerConnectionIdIncludedAsSender(header, perspective_);
   DCHECK_EQ(CONNECTION_ID_ABSENT,
-            GetClientConnectionIdIncludedAsSender(header, perspective_));
+            GetClientConnectionIdIncludedAsSender(header, perspective_))
+      << ENDPOINT << ParsedQuicVersionToString(version_)
+      << " invalid header: " << header;
 
   switch (server_connection_id_included) {
     case CONNECTION_ID_ABSENT:
@@ -2110,8 +2137,7 @@ bool QuicFramer::AppendPacketHeader(const QuicPacketHeader& header,
   if (header.version_flag) {
     DCHECK_EQ(Perspective::IS_CLIENT, perspective_);
     QuicVersionLabel version_label = CreateQuicVersionLabel(version_);
-    // TODO(rch): Use WriteUInt32() once QUIC_VERSION_35 is removed.
-    if (!writer->WriteTag(QuicEndian::NetToHost32(version_label))) {
+    if (!writer->WriteUInt32(version_label)) {
       return false;
     }
 
@@ -2185,8 +2211,7 @@ bool QuicFramer::AppendIetfPacketHeader(const QuicPacketHeader& header,
   if (header.version_flag) {
     // Append version for long header.
     QuicVersionLabel version_label = CreateQuicVersionLabel(version_);
-    // TODO(rch): Use WriteUInt32() once QUIC_VERSION_35 is removed.
-    if (!writer->WriteTag(QuicEndian::NetToHost32(version_label))) {
+    if (!writer->WriteUInt32(version_label)) {
       return false;
     }
   }
@@ -2205,10 +2230,18 @@ bool QuicFramer::AppendIetfPacketHeader(const QuicPacketHeader& header,
   }
 
   last_serialized_server_connection_id_ = server_connection_id;
+  if (version_.SupportsClientConnectionIds()) {
+    last_serialized_client_connection_id_ =
+        GetClientConnectionIdAsSender(header, perspective_);
+  }
 
   if (QuicVersionHasLongHeaderLengths(transport_version()) &&
       header.version_flag) {
     if (header.long_packet_type == INITIAL) {
+      DCHECK_NE(VARIABLE_LENGTH_INTEGER_LENGTH_0,
+                header.retry_token_length_length)
+          << ENDPOINT << ParsedQuicVersionToString(version_)
+          << " bad retry token length length in header: " << header;
       // Write retry token length.
       if (!writer->WriteVarInt62(header.retry_token.length(),
                                  header.retry_token_length_length)) {
@@ -2364,7 +2397,6 @@ bool QuicFramer::ProcessPublicHeader(QuicDataReader* reader,
     // If the version from the new packet is the same as the version of this
     // framer, then the public flags should be set to something we understand.
     // If not, this raises an error.
-    last_version_label_ = version_label;
     ParsedQuicVersion version = ParseQuicVersionLabel(version_label);
     if (version == version_ && public_flags > PACKET_PUBLIC_FLAGS_MAX) {
       set_detailed_error("Illegal public flags value.");
@@ -2396,7 +2428,7 @@ bool QuicFramer::ProcessPublicHeader(QuicDataReader* reader,
 
 // static
 QuicPacketNumberLength QuicFramer::GetMinPacketNumberLength(
-    QuicTransportVersion version,
+    QuicTransportVersion /*version*/,
     QuicPacketNumber packet_number) {
   DCHECK(packet_number.IsInitialized());
   if (packet_number < QuicPacketNumber(1 << (PACKET_1BYTE_PACKET_NUMBER * 8))) {
@@ -2527,15 +2559,18 @@ bool QuicFramer::ProcessIetfHeaderTypeByte(QuicDataReader* reader,
   if (header->form == IETF_QUIC_LONG_HEADER_PACKET) {
     // Version is always present in long headers.
     header->version_flag = true;
-    // Long header packets received by client must include 8-byte source
-    // connection ID, and those received by server must include 8-byte
-    // destination connection ID.
+    // In versions that do not support client connection IDs, we mark the
+    // corresponding connection ID as absent.
     header->destination_connection_id_included =
-        perspective_ == Perspective::IS_CLIENT ? CONNECTION_ID_ABSENT
-                                               : CONNECTION_ID_PRESENT;
+        (perspective_ == Perspective::IS_SERVER ||
+         version_.SupportsClientConnectionIds())
+            ? CONNECTION_ID_PRESENT
+            : CONNECTION_ID_ABSENT;
     header->source_connection_id_included =
-        perspective_ == Perspective::IS_CLIENT ? CONNECTION_ID_PRESENT
-                                               : CONNECTION_ID_ABSENT;
+        (perspective_ == Perspective::IS_CLIENT ||
+         version_.SupportsClientConnectionIds())
+            ? CONNECTION_ID_PRESENT
+            : CONNECTION_ID_ABSENT;
     // Read version tag.
     QuicVersionLabel version_label;
     if (!ProcessVersionLabel(reader, &version_label)) {
@@ -2573,10 +2608,6 @@ bool QuicFramer::ProcessIetfHeaderTypeByte(QuicDataReader* reader,
         }
       }
     }
-    if (header->long_packet_type != VERSION_NEGOTIATION) {
-      // Do not save version of version negotiation packet.
-      last_version_label_ = version_label;
-    }
 
     QUIC_DVLOG(1) << ENDPOINT << "Received IETF long header: "
                   << QuicUtils::QuicLongHeaderTypetoString(
@@ -2587,11 +2618,13 @@ bool QuicFramer::ProcessIetfHeaderTypeByte(QuicDataReader* reader,
   QUIC_DVLOG(1) << ENDPOINT << "Received IETF short header";
   // Version is not present in short headers.
   header->version_flag = false;
-  // Connection ID length depends on the perspective. Client does not expect
-  // destination connection ID, and server expects destination connection ID.
+  // In versions that do not support client connection IDs, the client will not
+  // receive destination connection IDs.
   header->destination_connection_id_included =
-      perspective_ == Perspective::IS_CLIENT ? CONNECTION_ID_ABSENT
-                                             : CONNECTION_ID_PRESENT;
+      (perspective_ == Perspective::IS_SERVER ||
+       version_.SupportsClientConnectionIds())
+          ? CONNECTION_ID_PRESENT
+          : CONNECTION_ID_ABSENT;
   header->source_connection_id_included = CONNECTION_ID_ABSENT;
   if (infer_packet_header_type_from_version_ &&
       transport_version() > QUIC_VERSION_44 && !(type & FLAGS_FIXED_BIT)) {
@@ -2612,11 +2645,9 @@ bool QuicFramer::ProcessIetfHeaderTypeByte(QuicDataReader* reader,
 // static
 bool QuicFramer::ProcessVersionLabel(QuicDataReader* reader,
                                      QuicVersionLabel* version_label) {
-  if (!reader->ReadTag(version_label)) {
+  if (!reader->ReadUInt32(version_label)) {
     return false;
   }
-  // TODO(rch): Use ReadUInt32() once QUIC_VERSION_35 is removed.
-  *version_label = QuicEndian::NetToHost32(*version_label);
   return true;
 }
 
@@ -2624,6 +2655,7 @@ bool QuicFramer::ProcessVersionLabel(QuicDataReader* reader,
 bool QuicFramer::ProcessAndValidateIetfConnectionIdLength(
     QuicDataReader* reader,
     ParsedQuicVersion version,
+    Perspective perspective,
     bool should_update_expected_server_connection_id_length,
     uint8_t* expected_server_connection_id_length,
     uint8_t* destination_connection_id_length,
@@ -2639,17 +2671,20 @@ bool QuicFramer::ProcessAndValidateIetfConnectionIdLength(
   if (dcil != 0) {
     dcil += kConnectionIdLengthAdjustment;
   }
-  if (should_update_expected_server_connection_id_length &&
-      *expected_server_connection_id_length != dcil) {
-    QUIC_DVLOG(1) << "Updating expected_server_connection_id_length: "
-                  << static_cast<int>(*expected_server_connection_id_length)
-                  << " -> " << static_cast<int>(dcil);
-    *expected_server_connection_id_length = dcil;
-  }
   uint8_t scil = connection_id_lengths_byte & kSourceConnectionIdLengthMask;
   if (scil != 0) {
     scil += kConnectionIdLengthAdjustment;
   }
+  if (should_update_expected_server_connection_id_length) {
+    uint8_t server_connection_id_length =
+        perspective == Perspective::IS_SERVER ? dcil : scil;
+    if (*expected_server_connection_id_length != server_connection_id_length) {
+      QUIC_DVLOG(1) << "Updating expected_server_connection_id_length: "
+                    << static_cast<int>(*expected_server_connection_id_length)
+                    << " -> " << static_cast<int>(server_connection_id_length);
+      *expected_server_connection_id_length = server_connection_id_length;
+    }
+  }
   if (!should_update_expected_server_connection_id_length &&
       (dcil != *destination_connection_id_length ||
        scil != *source_connection_id_length) &&
@@ -2675,16 +2710,20 @@ bool QuicFramer::ProcessIetfPacketHeader(QuicDataReader* reader,
 
   uint8_t destination_connection_id_length =
       header->destination_connection_id_included == CONNECTION_ID_PRESENT
-          ? expected_server_connection_id_length_
+          ? (perspective_ == Perspective::IS_SERVER
+                 ? expected_server_connection_id_length_
+                 : expected_client_connection_id_length_)
           : 0;
   uint8_t source_connection_id_length =
       header->source_connection_id_included == CONNECTION_ID_PRESENT
-          ? expected_server_connection_id_length_
+          ? (perspective_ == Perspective::IS_CLIENT
+                 ? expected_server_connection_id_length_
+                 : expected_client_connection_id_length_)
           : 0;
   if (header->form == IETF_QUIC_LONG_HEADER_PACKET) {
     if (!ProcessAndValidateIetfConnectionIdLength(
-            reader, header->version,
-            should_update_expected_server_connection_id_length_,
+            reader, header->version, perspective_,
+            /*should_update_expected_server_connection_id_length=*/false,
             &expected_server_connection_id_length_,
             &destination_connection_id_length, &source_connection_id_length,
             &detailed_error_)) {
@@ -2723,10 +2762,19 @@ bool QuicFramer::ProcessIetfPacketHeader(QuicDataReader* reader,
       header->destination_connection_id = last_serialized_server_connection_id_;
     }
   } else {
-    QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 5, 5);
+    QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 5, 7);
     if (header->source_connection_id_included == CONNECTION_ID_ABSENT) {
-      DCHECK_EQ(EmptyQuicConnectionId(), header->source_connection_id);
-      header->source_connection_id = last_serialized_server_connection_id_;
+      if (!header->source_connection_id.IsEmpty()) {
+        DCHECK(!version_.SupportsClientConnectionIds());
+        set_detailed_error(
+            "Client connection ID not supported in this version.");
+        return false;
+      }
+      if (perspective_ == Perspective::IS_CLIENT) {
+        header->source_connection_id = last_serialized_server_connection_id_;
+      } else {
+        header->source_connection_id = last_serialized_client_connection_id_;
+      }
     }
   }
 
@@ -2752,12 +2800,14 @@ bool QuicFramer::ProcessAndCalculatePacketNumber(
 
 bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
                                   const QuicPacketHeader& header) {
-  DCHECK_NE(QUIC_VERSION_99, version_.transport_version)
-      << "Version 99 negotiated, but not processing frames as version 99.";
+  DCHECK(!VersionHasIetfQuicFrames(version_.transport_version))
+      << "IETF QUIC Framing negotiated but attempting to process frames as "
+         "non-IETF QUIC.";
   if (reader->IsDoneReading()) {
     set_detailed_error("Packet has no frames.");
     return RaiseError(QUIC_MISSING_PAYLOAD);
   }
+  QUIC_DVLOG(2) << ENDPOINT << "Processing packet with header " << header;
   while (!reader->IsDoneReading()) {
     uint8_t frame_type;
     if (!reader->ReadBytes(&frame_type, 1)) {
@@ -2774,6 +2824,7 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
         if (!ProcessStreamFrame(reader, frame_type, &frame)) {
           return RaiseError(QUIC_INVALID_STREAM_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing stream frame " << frame;
         if (!visitor_->OnStreamFrame(frame)) {
           QUIC_DVLOG(1) << ENDPOINT
                         << "Visitor asked to stop further processing.";
@@ -2788,6 +2839,7 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
         if (!ProcessAckFrame(reader, frame_type)) {
           return RaiseError(QUIC_INVALID_ACK_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing ACK frame";
         continue;
       }
 
@@ -2803,6 +2855,7 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
       case PADDING_FRAME: {
         QuicPaddingFrame frame;
         ProcessPaddingFrame(reader, &frame);
+        QUIC_DVLOG(2) << ENDPOINT << "Processing padding frame " << frame;
         if (!visitor_->OnPaddingFrame(frame)) {
           QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
           // Returning true since there was no parsing error.
@@ -2816,6 +2869,7 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
         if (!ProcessRstStreamFrame(reader, &frame)) {
           return RaiseError(QUIC_INVALID_RST_STREAM_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing reset stream frame " << frame;
         if (!visitor_->OnRstStreamFrame(frame)) {
           QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
           // Returning true since there was no parsing error.
@@ -2830,6 +2884,8 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
           return RaiseError(QUIC_INVALID_CONNECTION_CLOSE_DATA);
         }
 
+        QUIC_DVLOG(2) << ENDPOINT << "Processing connection close frame "
+                      << frame;
         if (!visitor_->OnConnectionCloseFrame(frame)) {
           QUIC_DVLOG(1) << ENDPOINT
                         << "Visitor asked to stop further processing.";
@@ -2844,6 +2900,8 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
         if (!ProcessGoAwayFrame(reader, &goaway_frame)) {
           return RaiseError(QUIC_INVALID_GOAWAY_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing go away frame "
+                      << goaway_frame;
         if (!visitor_->OnGoAwayFrame(goaway_frame)) {
           QUIC_DVLOG(1) << ENDPOINT
                         << "Visitor asked to stop further processing.";
@@ -2858,6 +2916,8 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
         if (!ProcessWindowUpdateFrame(reader, &window_update_frame)) {
           return RaiseError(QUIC_INVALID_WINDOW_UPDATE_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing window update frame "
+                      << window_update_frame;
         if (!visitor_->OnWindowUpdateFrame(window_update_frame)) {
           QUIC_DVLOG(1) << ENDPOINT
                         << "Visitor asked to stop further processing.";
@@ -2872,6 +2932,8 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
         if (!ProcessBlockedFrame(reader, &blocked_frame)) {
           return RaiseError(QUIC_INVALID_BLOCKED_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing blocked frame "
+                      << blocked_frame;
         if (!visitor_->OnBlockedFrame(blocked_frame)) {
           QUIC_DVLOG(1) << ENDPOINT
                         << "Visitor asked to stop further processing.";
@@ -2892,6 +2954,8 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
         if (!ProcessStopWaitingFrame(reader, header, &stop_waiting_frame)) {
           return RaiseError(QUIC_INVALID_STOP_WAITING_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing stop waiting frame "
+                      << stop_waiting_frame;
         if (!visitor_->OnStopWaitingFrame(stop_waiting_frame)) {
           QUIC_DVLOG(1) << ENDPOINT
                         << "Visitor asked to stop further processing.";
@@ -2909,6 +2973,7 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
           // Returning true since there was no parsing error.
           return true;
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing ping frame " << ping_frame;
         continue;
       }
       case IETF_EXTENSION_MESSAGE_NO_LENGTH:
@@ -2920,6 +2985,8 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
                                  &message_frame)) {
           return RaiseError(QUIC_INVALID_MESSAGE_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing message frame "
+                      << message_frame;
         if (!visitor_->OnMessageFrame(message_frame)) {
           QUIC_DVLOG(1) << ENDPOINT
                         << "Visitor asked to stop further processing.";
@@ -2937,6 +3004,7 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
         if (!ProcessCryptoFrame(reader, &frame)) {
           return RaiseError(QUIC_INVALID_FRAME_DATA);
         }
+        QUIC_DVLOG(2) << ENDPOINT << "Processing crypto frame " << frame;
         if (!visitor_->OnCryptoFrame(frame)) {
           QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
           // Returning true since there was no parsing error.
@@ -2958,13 +3026,16 @@ bool QuicFramer::ProcessFrameData(QuicDataReader* reader,
 
 bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
                                       const QuicPacketHeader& header) {
-  DCHECK_EQ(QUIC_VERSION_99, version_.transport_version)
-      << "Attempt to process frames as IETF frames but version is "
-      << version_.transport_version << ", not 99.";
+  DCHECK(VersionHasIetfQuicFrames(version_.transport_version))
+      << "Attempt to process frames as IETF frames but version ("
+      << version_.transport_version << ") does not support IETF Framing.";
+
   if (reader->IsDoneReading()) {
     set_detailed_error("Packet has no frames.");
     return RaiseError(QUIC_MISSING_PAYLOAD);
   }
+
+  QUIC_DVLOG(2) << ENDPOINT << "Processing IETF packet with header " << header;
   while (!reader->IsDoneReading()) {
     uint64_t frame_type;
     // Will be the number of bytes into which frame_type was encoded.
@@ -2990,6 +3061,7 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
       if (!ProcessIetfStreamFrame(reader, frame_type, &frame)) {
         return RaiseError(QUIC_INVALID_STREAM_DATA);
       }
+      QUIC_DVLOG(2) << ENDPOINT << "Processing IETF stream frame " << frame;
       if (!visitor_->OnStreamFrame(frame)) {
         QUIC_DVLOG(1) << ENDPOINT
                       << "Visitor asked to stop further processing.";
@@ -3001,6 +3073,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
         case IETF_PADDING: {
           QuicPaddingFrame frame;
           ProcessPaddingFrame(reader, &frame);
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF padding frame "
+                        << frame;
           if (!visitor_->OnPaddingFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3013,6 +3087,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessIetfResetStreamFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_RST_STREAM_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF reset stream frame "
+                        << frame;
           if (!visitor_->OnRstStreamFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3031,6 +3107,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
                   &frame)) {
             return RaiseError(QUIC_INVALID_CONNECTION_CLOSE_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF connection close frame "
+                        << frame;
           if (!visitor_->OnConnectionCloseFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3045,6 +3123,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           }
           // TODO(fkastenholz): Or should we create a new visitor function,
           // OnMaxDataFrame()?
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF max data frame "
+                        << frame;
           if (!visitor_->OnWindowUpdateFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3059,6 +3139,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           }
           // TODO(fkastenholz): Or should we create a new visitor function,
           // OnMaxStreamDataFrame()?
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF max stream data frame "
+                        << frame;
           if (!visitor_->OnWindowUpdateFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3073,6 +3155,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
             return RaiseError(QUIC_MAX_STREAMS_DATA);
           }
           QUIC_CODE_COUNT_N(quic_max_streams_received, 1, 2);
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF max streams frame "
+                        << frame;
           if (!visitor_->OnMaxStreamsFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3083,6 +3167,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
         case IETF_PING: {
           // Ping has no payload.
           QuicPingFrame ping_frame;
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF ping frame "
+                        << ping_frame;
           if (!visitor_->OnPingFrame(ping_frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3095,6 +3181,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessIetfBlockedFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_BLOCKED_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF blocked frame "
+                        << frame;
           if (!visitor_->OnBlockedFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3107,6 +3195,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessStreamBlockedFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_STREAM_BLOCKED_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF stream blocked frame "
+                        << frame;
           if (!visitor_->OnBlockedFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3121,6 +3211,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
             return RaiseError(QUIC_STREAMS_BLOCKED_DATA);
           }
           QUIC_CODE_COUNT_N(quic_streams_blocked_received, 1, 2);
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF streams blocked frame "
+                        << frame;
           if (!visitor_->OnStreamsBlockedFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3133,6 +3225,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessNewConnectionIdFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_NEW_CONNECTION_ID_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT
+                        << "Processing IETF new connection ID frame " << frame;
           if (!visitor_->OnNewConnectionIdFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3145,6 +3239,9 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessRetireConnectionIdFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_RETIRE_CONNECTION_ID_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT
+                        << "Processing IETF retire connection ID frame "
+                        << frame;
           if (!visitor_->OnRetireConnectionIdFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3157,6 +3254,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessNewTokenFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_NEW_TOKEN);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF new token frame "
+                        << frame;
           if (!visitor_->OnNewTokenFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3169,6 +3268,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessStopSendingFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_STOP_SENDING_FRAME_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF stop sending frame "
+                        << frame;
           if (!visitor_->OnStopSendingFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3182,6 +3283,7 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessIetfAckFrame(reader, frame_type, &frame)) {
             return RaiseError(QUIC_INVALID_ACK_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF ACK frame " << frame;
           break;
         }
         case IETF_PATH_CHALLENGE: {
@@ -3189,6 +3291,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessPathChallengeFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_PATH_CHALLENGE_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF path challenge frame "
+                        << frame;
           if (!visitor_->OnPathChallengeFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3201,6 +3305,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessPathResponseFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_PATH_RESPONSE_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF path response frame "
+                        << frame;
           if (!visitor_->OnPathResponseFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3217,6 +3323,8 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
                   &message_frame)) {
             return RaiseError(QUIC_INVALID_MESSAGE_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF message frame "
+                        << message_frame;
           if (!visitor_->OnMessageFrame(message_frame)) {
             QUIC_DVLOG(1) << ENDPOINT
                           << "Visitor asked to stop further processing.";
@@ -3230,6 +3338,7 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           if (!ProcessCryptoFrame(reader, &frame)) {
             return RaiseError(QUIC_INVALID_FRAME_DATA);
           }
+          QUIC_DVLOG(2) << ENDPOINT << "Processing IETF crypto frame " << frame;
           if (!visitor_->OnCryptoFrame(frame)) {
             QUIC_DVLOG(1) << "Visitor asked to stop further processing.";
             // Returning true since there was no parsing error.
@@ -3907,8 +4016,8 @@ bool QuicFramer::ProcessWindowUpdateFrame(QuicDataReader* reader,
 
 bool QuicFramer::ProcessBlockedFrame(QuicDataReader* reader,
                                      QuicBlockedFrame* frame) {
-  DCHECK_NE(QUIC_VERSION_99, version_.transport_version)
-      << "Attempt to process non-IETF frames but version is 99";
+  DCHECK(!VersionHasIetfQuicFrames(version_.transport_version))
+      << "Attempt to process non-IETF QUIC frames in an IETF QUIC version.";
 
   if (!reader->ReadUInt32(&frame->stream_id)) {
     set_detailed_error("Unable to read stream_id.");
@@ -4540,11 +4649,11 @@ size_t QuicFramer::GetIetfAckFrameSize(const QuicAckFrame& frame) {
 
 size_t QuicFramer::GetAckFrameSize(
     const QuicAckFrame& ack,
-    QuicPacketNumberLength packet_number_length) {
+    QuicPacketNumberLength /*packet_number_length*/) {
   DCHECK(!ack.packets.Empty());
   size_t ack_size = 0;
 
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     return GetIetfAckFrameSize(ack);
   }
   AckFrameInfo ack_info = GetAckFrameInfo(ack);
@@ -4621,7 +4730,7 @@ size_t QuicFramer::ComputeFrameLength(
 bool QuicFramer::AppendTypeByte(const QuicFrame& frame,
                                 bool last_frame_in_packet,
                                 QuicDataWriter* writer) {
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     return AppendIetfTypeByte(frame, last_frame_in_packet, writer);
   }
   uint8_t type_byte = 0;
@@ -4637,36 +4746,35 @@ bool QuicFramer::AppendTypeByte(const QuicFrame& frame,
       break;
     case NEW_CONNECTION_ID_FRAME:
       set_detailed_error(
-          "Attempt to append NEW_CONNECTION_ID frame and not in version 99.");
+          "Attempt to append NEW_CONNECTION_ID frame and not in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case RETIRE_CONNECTION_ID_FRAME:
       set_detailed_error(
-          "Attempt to append RETIRE_CONNECTION_ID frame and not in version "
-          "99.");
+          "Attempt to append RETIRE_CONNECTION_ID frame and not in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case NEW_TOKEN_FRAME:
       set_detailed_error(
-          "Attempt to append NEW_TOKEN frame and not in version 99.");
+          "Attempt to append NEW_TOKEN frame and not in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case MAX_STREAMS_FRAME:
       set_detailed_error(
-          "Attempt to append MAX_STREAMS frame and not in version 99.");
+          "Attempt to append MAX_STREAMS frame and not in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case STREAMS_BLOCKED_FRAME:
       set_detailed_error(
-          "Attempt to append STREAMS_BLOCKED frame and not in version 99.");
+          "Attempt to append STREAMS_BLOCKED frame and not in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case PATH_RESPONSE_FRAME:
       set_detailed_error(
-          "Attempt to append PATH_RESPONSE frame and not in version 99.");
+          "Attempt to append PATH_RESPONSE frame and not in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case PATH_CHALLENGE_FRAME:
       set_detailed_error(
-          "Attempt to append PATH_CHALLENGE frame and not in version 99.");
+          "Attempt to append PATH_CHALLENGE frame and not in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case STOP_SENDING_FRAME:
       set_detailed_error(
-          "Attempt to append STOP_SENDING frame and not in version 99.");
+          "Attempt to append STOP_SENDING frame and not in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case MESSAGE_FRAME:
       return true;
@@ -4705,7 +4813,7 @@ bool QuicFramer::AppendIetfTypeByte(const QuicFrame& frame,
       break;
     case GOAWAY_FRAME:
       set_detailed_error(
-          "Attempt to create non-version-99 GOAWAY frame in version 99.");
+          "Attempt to create non-IETF QUIC GOAWAY frame in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case WINDOW_UPDATE_FRAME:
       // Depending on whether there is a stream ID or not, will be either a
@@ -4727,7 +4835,7 @@ bool QuicFramer::AppendIetfTypeByte(const QuicFrame& frame,
       break;
     case STOP_WAITING_FRAME:
       set_detailed_error(
-          "Attempt to append type byte of STOP WAITING frame in version 99.");
+          "Attempt to append type byte of STOP WAITING frame in IETF QUIC.");
       return RaiseError(QUIC_INTERNAL_ERROR);
     case PING_FRAME:
       type_byte = IETF_PING;
@@ -4845,7 +4953,7 @@ bool QuicFramer::AppendAckBlock(uint8_t gap,
 bool QuicFramer::AppendStreamFrame(const QuicStreamFrame& frame,
                                    bool no_stream_frame_length,
                                    QuicDataWriter* writer) {
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     return AppendIetfStreamFrame(frame, no_stream_frame_length, writer);
   }
   if (!AppendStreamId(GetStreamIdSize(frame.stream_id), frame.stream_id,
@@ -4860,8 +4968,12 @@ bool QuicFramer::AppendStreamFrame(const QuicStreamFrame& frame,
     return false;
   }
   if (!no_stream_frame_length) {
-    if ((frame.data_length > std::numeric_limits<uint16_t>::max()) ||
-        !writer->WriteUInt16(static_cast<uint16_t>(frame.data_length))) {
+    static_assert(
+        std::numeric_limits<decltype(frame.data_length)>::max() <=
+            std::numeric_limits<uint16_t>::max(),
+        "If frame.data_length can hold more than a uint16_t than we need to "
+        "check that frame.data_length <= std::numeric_limits<uint16_t>::max()");
+    if (!writer->WriteUInt16(static_cast<uint16_t>(frame.data_length))) {
       QUIC_BUG << "Writing stream frame length failed";
       return false;
     }
@@ -5002,7 +5114,7 @@ void QuicFramer::set_version(const ParsedQuicVersion version) {
 
 bool QuicFramer::AppendAckFrameAndTypeByte(const QuicAckFrame& frame,
                                            QuicDataWriter* writer) {
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     return AppendIetfAckFrameAndTypeByte(frame, writer);
   }
 
@@ -5100,7 +5212,6 @@ bool QuicFramer::AppendAckFrameAndTypeByte(const QuicAckFrame& frame,
       const size_t num_encoded_gaps =
           (total_gap + std::numeric_limits<uint8_t>::max() - 1) /
           std::numeric_limits<uint8_t>::max();
-      DCHECK_LE(0u, num_encoded_gaps);
 
       // Append empty ACK blocks because the gap is longer than a single gap.
       for (size_t i = 1;
@@ -5216,7 +5327,7 @@ bool QuicFramer::AppendTimestampsToAckFrame(const QuicAckFrame& frame,
 bool QuicFramer::AppendStopWaitingFrame(const QuicPacketHeader& header,
                                         const QuicStopWaitingFrame& frame,
                                         QuicDataWriter* writer) {
-  DCHECK_GE(QUIC_VERSION_43, version_.transport_version);
+  DCHECK(!VersionHasIetfInvariantHeader(version_.transport_version));
   DCHECK(frame.least_unacked.IsInitialized() &&
          header.packet_number >= frame.least_unacked);
   const uint64_t least_unacked_delta =
@@ -5245,7 +5356,7 @@ bool QuicFramer::AppendStopWaitingFrame(const QuicPacketHeader& header,
 }
 
 int QuicFramer::CalculateIetfAckBlockCount(const QuicAckFrame& frame,
-                                           QuicDataWriter* writer,
+                                           QuicDataWriter* /*writer*/,
                                            size_t available_space) {
   // Number of blocks requested in the frame
   uint64_t ack_block_count = frame.packets.NumIntervals();
@@ -5419,7 +5530,7 @@ bool QuicFramer::AppendIetfAckFrameAndTypeByte(const QuicAckFrame& frame,
 
 bool QuicFramer::AppendRstStreamFrame(const QuicRstStreamFrame& frame,
                                       QuicDataWriter* writer) {
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     return AppendIetfResetStreamFrame(frame, writer);
   }
   if (!writer->WriteUInt32(frame.stream_id)) {
@@ -5441,7 +5552,7 @@ bool QuicFramer::AppendRstStreamFrame(const QuicRstStreamFrame& frame,
 bool QuicFramer::AppendConnectionCloseFrame(
     const QuicConnectionCloseFrame& frame,
     QuicDataWriter* writer) {
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     return AppendIetfConnectionCloseFrame(frame, writer);
   }
   uint32_t error_code = static_cast<uint32_t>(frame.quic_error_code);
@@ -5484,7 +5595,7 @@ bool QuicFramer::AppendWindowUpdateFrame(const QuicWindowUpdateFrame& frame,
 
 bool QuicFramer::AppendBlockedFrame(const QuicBlockedFrame& frame,
                                     QuicDataWriter* writer) {
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     if (frame.stream_id == QuicUtils::GetInvalidStreamId(transport_version())) {
       return AppendIetfBlockedFrame(frame, writer);
     }
@@ -5543,12 +5654,6 @@ bool QuicFramer::RaiseError(QuicErrorCode error) {
 bool QuicFramer::IsVersionNegotiation(
     const QuicPacketHeader& header,
     bool packet_has_ietf_packet_header) const {
-  if (perspective_ == Perspective::IS_SERVER) {
-    if (!GetQuicRestartFlag(quic_server_drop_version_negotiation)) {
-      return false;
-    }
-    QUIC_RESTART_FLAG_COUNT_N(quic_server_drop_version_negotiation, 2, 2);
-  }
   if (!packet_has_ietf_packet_header &&
       perspective_ == Perspective::IS_CLIENT) {
     return header.version_flag;
@@ -5569,7 +5674,14 @@ bool QuicFramer::AppendIetfConnectionCloseFrame(
     return false;
   }
 
-  if (!writer->WriteUInt16(frame.application_error_code)) {
+  uint64_t close_code = 0;
+  if (frame.close_type == IETF_QUIC_TRANSPORT_CONNECTION_CLOSE) {
+    close_code = static_cast<uint64_t>(frame.transport_error_code);
+  } else if (frame.close_type == IETF_QUIC_APPLICATION_CONNECTION_CLOSE) {
+    close_code = static_cast<uint64_t>(frame.application_error_code);
+  }
+
+  if (!writer->WriteVarInt62(close_code)) {
     set_detailed_error("Can not write connection close frame error code");
     return false;
   }
@@ -5600,13 +5712,30 @@ bool QuicFramer::ProcessIetfConnectionCloseFrame(
     QuicConnectionCloseType type,
     QuicConnectionCloseFrame* frame) {
   frame->close_type = type;
-  uint16_t code;
-  if (!reader->ReadUInt16(&code)) {
+  uint64_t error_code;
+  if (!reader->ReadVarInt62(&error_code)) {
     set_detailed_error("Unable to read connection close error code.");
     return false;
   }
-  frame->transport_error_code = static_cast<QuicIetfTransportErrorCodes>(code);
 
+  if (frame->close_type == IETF_QUIC_TRANSPORT_CONNECTION_CLOSE) {
+    if (error_code > 0xffff) {
+      frame->transport_error_code =
+          static_cast<QuicIetfTransportErrorCodes>(0xffff);
+      QUIC_DLOG(ERROR) << "Transport error code " << error_code << " > 0xffff";
+    } else {
+      frame->transport_error_code =
+          static_cast<QuicIetfTransportErrorCodes>(error_code);
+    }
+  } else if (frame->close_type == IETF_QUIC_APPLICATION_CONNECTION_CLOSE) {
+    if (error_code > 0xffff) {
+      frame->application_error_code = 0xffff;
+      QUIC_DLOG(ERROR) << "Application error code " << error_code
+                       << " > 0xffff";
+    } else {
+      frame->application_error_code = static_cast<uint16_t>(error_code);
+    }
+  }
   if (type == IETF_QUIC_TRANSPORT_CONNECTION_CLOSE) {
     // The frame-type of the frame causing the error is present only
     // if it's a CONNECTION_CLOSE/Transport.
@@ -5684,7 +5813,7 @@ bool QuicFramer::AppendIetfResetStreamFrame(const QuicRstStreamFrame& frame,
     set_detailed_error("Writing reset-stream stream id failed.");
     return false;
   }
-  if (!writer->WriteUInt16(frame.ietf_error_code)) {
+  if (!writer->WriteVarInt62(static_cast<uint64_t>(frame.ietf_error_code))) {
     set_detailed_error("Writing reset-stream error code failed.");
     return false;
   }
@@ -5705,10 +5834,18 @@ bool QuicFramer::ProcessIetfResetStreamFrame(QuicDataReader* reader,
     return false;
   }
 
-  if (!reader->ReadUInt16(&frame->ietf_error_code)) {
+  uint64_t error_code;
+  if (!reader->ReadVarInt62(&error_code)) {
     set_detailed_error("Unable to read rst stream error code.");
     return false;
   }
+  if (error_code > 0xffff) {
+    frame->ietf_error_code = 0xffff;
+    QUIC_DLOG(ERROR) << "Reset stream error code (" << error_code
+                     << ") > 0xffff";
+  } else {
+    frame->ietf_error_code = static_cast<uint16_t>(error_code);
+  }
 
   if (!reader->ReadVarInt62(&frame->byte_offset)) {
     set_detailed_error("Unable to read rst stream sent byte offset.");
@@ -5725,10 +5862,20 @@ bool QuicFramer::ProcessStopSendingFrame(
     return false;
   }
 
-  if (!reader->ReadUInt16(&stop_sending_frame->application_error_code)) {
+  uint64_t error_code;
+  if (!reader->ReadVarInt62(&error_code)) {
     set_detailed_error("Unable to read stop sending application error code.");
     return false;
   }
+  // TODO(fkastenholz): when error codes go to uint64_t, remove this.
+  if (error_code > 0xffff) {
+    stop_sending_frame->application_error_code = 0xffff;
+    QUIC_DLOG(ERROR) << "Stop sending error code (" << error_code
+                     << ") > 0xffff";
+  } else {
+    stop_sending_frame->application_error_code =
+        static_cast<uint16_t>(error_code);
+  }
   return true;
 }
 
@@ -5739,7 +5886,8 @@ bool QuicFramer::AppendStopSendingFrame(
     set_detailed_error("Can not write stop sending stream id");
     return false;
   }
-  if (!writer->WriteUInt16(stop_sending_frame.application_error_code)) {
+  if (!writer->WriteVarInt62(
+          static_cast<uint64_t>(stop_sending_frame.application_error_code))) {
     set_detailed_error("Can not write application error code");
     return false;
   }
@@ -5901,12 +6049,11 @@ bool QuicFramer::AppendNewConnectionIdFrame(
     set_detailed_error("Can not write New Connection ID sequence number");
     return false;
   }
-  if (!writer->WriteUInt8(frame.connection_id.length())) {
-    set_detailed_error(
-        "Can not write New Connection ID frame connection ID Length");
+  if (!writer->WriteVarInt62(frame.retire_prior_to)) {
+    set_detailed_error("Can not write New Connection ID retire_prior_to");
     return false;
   }
-  if (!writer->WriteConnectionId(frame.connection_id)) {
+  if (!writer->WriteLengthPrefixedConnectionId(frame.connection_id)) {
     set_detailed_error("Can not write New Connection ID frame connection ID");
     return false;
   }
@@ -5928,27 +6075,29 @@ bool QuicFramer::ProcessNewConnectionIdFrame(QuicDataReader* reader,
     return false;
   }
 
-  uint8_t connection_id_length;
-  if (!reader->ReadUInt8(&connection_id_length)) {
+  if (!reader->ReadVarInt62(&frame->retire_prior_to)) {
     set_detailed_error(
-        "Unable to read new connection ID frame connection id length.");
+        "Unable to read new connection ID frame retire_prior_to.");
+    return false;
+  }
+  if (frame->retire_prior_to > frame->sequence_number) {
+    set_detailed_error("Retire_prior_to > sequence_number.");
     return false;
   }
 
-  if (connection_id_length > kQuicMaxConnectionIdLength) {
-    set_detailed_error("New connection ID length too high.");
+  if (!reader->ReadLengthPrefixedConnectionId(&frame->connection_id)) {
+    set_detailed_error("Unable to read new connection ID frame connection id.");
     return false;
   }
 
-  if (connection_id_length != kQuicDefaultConnectionIdLength &&
-      !QuicUtils::VariableLengthConnectionIdAllowedForVersion(
-          transport_version())) {
-    set_detailed_error("Invalid new connection ID length for version.");
+  if (frame->connection_id.length() > kQuicMaxConnectionIdLength) {
+    set_detailed_error("New connection ID length too high.");
     return false;
   }
 
-  if (!reader->ReadConnectionId(&frame->connection_id, connection_id_length)) {
-    set_detailed_error("Unable to read new connection ID frame connection id.");
+  if (!QuicUtils::IsConnectionIdValidForVersion(frame->connection_id,
+                                                transport_version())) {
+    set_detailed_error("Invalid new connection ID length for version.");
     return false;
   }
 
@@ -5983,7 +6132,7 @@ bool QuicFramer::ProcessRetireConnectionIdFrame(
 
 uint8_t QuicFramer::GetStreamFrameTypeByte(const QuicStreamFrame& frame,
                                            bool last_frame_in_packet) const {
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     return GetIetfStreamFrameTypeByte(frame, last_frame_in_packet);
   }
   uint8_t type_byte = 0;
@@ -6013,7 +6162,7 @@ uint8_t QuicFramer::GetStreamFrameTypeByte(const QuicStreamFrame& frame,
 uint8_t QuicFramer::GetIetfStreamFrameTypeByte(
     const QuicStreamFrame& frame,
     bool last_frame_in_packet) const {
-  DCHECK_EQ(QUIC_VERSION_99, version_.transport_version);
+  DCHECK(VersionHasIetfQuicFrames(version_.transport_version));
   uint8_t type_byte = IETF_STREAM;
   if (!last_frame_in_packet) {
     type_byte |= IETF_STREAM_FRAME_LEN_BIT;
@@ -6052,28 +6201,30 @@ void QuicFramer::EnableMultiplePacketNumberSpacesSupport() {
 // static
 QuicErrorCode QuicFramer::ProcessPacketDispatcher(
     const QuicEncryptedPacket& packet,
-    uint8_t expected_connection_id_length,
+    uint8_t expected_destination_connection_id_length,
     PacketHeaderFormat* format,
     bool* version_flag,
     QuicVersionLabel* version_label,
-    uint8_t* destination_connection_id_length,
     QuicConnectionId* destination_connection_id,
+    QuicConnectionId* source_connection_id,
     std::string* detailed_error) {
   QuicDataReader reader(packet.data(), packet.length());
 
+  *source_connection_id = EmptyQuicConnectionId();
   uint8_t first_byte;
   if (!reader.ReadBytes(&first_byte, 1)) {
     *detailed_error = "Unable to read first byte.";
     return QUIC_INVALID_PACKET_HEADER;
   }
+  uint8_t destination_connection_id_length = 0, source_connection_id_length = 0;
   if (!QuicUtils::IsIetfPacketHeader(first_byte)) {
     *format = GOOGLE_QUIC_PACKET;
     *version_flag = (first_byte & PACKET_PUBLIC_FLAGS_VERSION) != 0;
-    *destination_connection_id_length =
+    destination_connection_id_length =
         first_byte & PACKET_PUBLIC_FLAGS_8BYTE_CONNECTION_ID;
-    if (*destination_connection_id_length == 0 ||
+    if (destination_connection_id_length == 0 ||
         !reader.ReadConnectionId(destination_connection_id,
-                                 *destination_connection_id_length)) {
+                                 destination_connection_id_length)) {
       *detailed_error = "Unable to read ConnectionId.";
       return QUIC_INVALID_PACKET_HEADER;
     }
@@ -6095,25 +6246,34 @@ QuicErrorCode QuicFramer::ProcessPacketDispatcher(
     }
     // Set should_update_expected_server_connection_id_length to true to bypass
     // connection ID lengths validation.
-    uint8_t unused_source_connection_id_length = 0;
     uint8_t unused_expected_server_connection_id_length = 0;
     if (!ProcessAndValidateIetfConnectionIdLength(
             &reader, ParseQuicVersionLabel(*version_label),
+            Perspective::IS_SERVER,
             /*should_update_expected_server_connection_id_length=*/true,
             &unused_expected_server_connection_id_length,
-            destination_connection_id_length,
-            &unused_source_connection_id_length, detailed_error)) {
+            &destination_connection_id_length, &source_connection_id_length,
+            detailed_error)) {
       return QUIC_INVALID_PACKET_HEADER;
     }
   } else {
-    // For short header packets, expected_connection_id_length is used to
-    // determine the destination_connection_id_length.
-    *destination_connection_id_length = expected_connection_id_length;
+    // For short header packets, expected_destination_connection_id_length
+    // is used to determine the destination_connection_id_length.
+    destination_connection_id_length =
+        expected_destination_connection_id_length;
+    DCHECK_EQ(0, source_connection_id_length);
   }
   // Read destination connection ID.
   if (!reader.ReadConnectionId(destination_connection_id,
-                               *destination_connection_id_length)) {
-    *detailed_error = "Unable to read Destination ConnectionId.";
+                               destination_connection_id_length)) {
+    *detailed_error = "Unable to read destination connection ID.";
+    return QUIC_INVALID_PACKET_HEADER;
+  }
+  // Read source connection ID.
+  if (GetQuicRestartFlag(quic_do_not_override_connection_id) &&
+      !reader.ReadConnectionId(source_connection_id,
+                               source_connection_id_length)) {
+    *detailed_error = "Unable to read source connection ID.";
     return QUIC_INVALID_PACKET_HEADER;
   }
   return QUIC_NO_ERROR;
@@ -6135,8 +6295,8 @@ bool QuicFramer::WriteClientVersionNegotiationProbePacket(
     return false;
   }
   if (destination_connection_id_length > kQuicMaxConnectionIdLength ||
-      (destination_connection_id_length > 0 &&
-       destination_connection_id_length < 4)) {
+      destination_connection_id_length <
+          kQuicMinimumInitialConnectionIdLength) {
     QUIC_BUG << "Invalid connection_id_length";
     return false;
   }
@@ -6247,7 +6407,7 @@ bool QuicFramer::ParseServerVersionNegotiationProbeResponse(
   uint8_t expected_server_connection_id_length = 0,
           destination_connection_id_length = 0, source_connection_id_length = 0;
   if (!ProcessAndValidateIetfConnectionIdLength(
-          &reader, UnsupportedQuicVersion(),
+          &reader, UnsupportedQuicVersion(), Perspective::IS_CLIENT,
           /*should_update_expected_server_connection_id_length=*/true,
           &expected_server_connection_id_length,
           &destination_connection_id_length, &source_connection_id_length,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_framer.h b/chromium/net/third_party/quiche/src/quic/core/quic_framer.h
index 11d48bbafb2..2349a772257 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_framer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_framer.h
@@ -15,7 +15,6 @@
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
@@ -77,8 +76,8 @@ class QUIC_EXPORT_PRIVATE QuicFramerVisitorInterface {
   // |quic_version_|. The visitor should return true after it updates the
   // version of the |framer_| to |received_version| or false to stop processing
   // this packet.
-  virtual bool OnProtocolVersionMismatch(ParsedQuicVersion received_version,
-                                         PacketHeaderFormat form) = 0;
+  virtual bool OnProtocolVersionMismatch(
+      ParsedQuicVersion received_version) = 0;
 
   // Called when a new packet has been received, before it
   // has been validated or processed.
@@ -374,18 +373,18 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
       QuicVariableLengthIntegerLength length_length);
 
   // Lightweight parsing of |packet| and populates |format|, |version_flag|,
-  // |version_label|, |destination_connection_id_length|,
-  // |destination_connection_id| and |detailed_error|. Please note,
-  // |expected_connection_id_length| is only used to determine IETF short header
-  // packet's destination connection ID length.
+  // |version_label|, |destination_connection_id|, |source_connection_id| and
+  // |detailed_error|. Please note, |expected_destination_connection_id_length|
+  // is only used to determine IETF short header packet's destination
+  // connection ID length.
   static QuicErrorCode ProcessPacketDispatcher(
       const QuicEncryptedPacket& packet,
-      uint8_t expected_connection_id_length,
+      uint8_t expected_destination_connection_id_length,
       PacketHeaderFormat* format,
       bool* version_flag,
       QuicVersionLabel* version_label,
-      uint8_t* destination_connection_id_length,
       QuicConnectionId* destination_connection_id,
+      QuicConnectionId* source_connection_id,
       std::string* detailed_error);
 
   // Serializes a packet containing |frames| into |buffer|.
@@ -554,41 +553,30 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
 
   Perspective perspective() const { return perspective_; }
 
-  QuicVersionLabel last_version_label() const { return last_version_label_; }
-
   void set_data_producer(QuicStreamFrameDataProducer* data_producer) {
     data_producer_ = data_producer;
   }
 
-  // Returns true if we are doing IETF-formatted packets.
-  // In the future this could encompass a wide variety of
-  // versions. Doing the test by name ("ietf format") rather
-  // than version number localizes the version/ietf-ness binding
-  // to this method.
-  bool is_ietf_format() {
-    return version_.transport_version == QUIC_VERSION_99;
-  }
-
   QuicTime creation_time() const { return creation_time_; }
 
   QuicPacketNumber first_sending_packet_number() const {
     return first_sending_packet_number_;
   }
 
-  // If true, QuicFramer will change its expected connection ID length
-  // to the received destination connection ID length of all IETF long headers.
-  void SetShouldUpdateExpectedServerConnectionIdLength(
-      bool should_update_expected_server_connection_id_length) {
-    should_update_expected_server_connection_id_length_ =
-        should_update_expected_server_connection_id_length;
-  }
-
   // The connection ID length the framer expects on incoming IETF short headers
   // on the server.
   uint8_t GetExpectedServerConnectionIdLength() {
     return expected_server_connection_id_length_;
   }
 
+  // Change the expected destination connection ID length for short headers on
+  // the client.
+  void SetExpectedClientConnectionIdLength(
+      uint8_t expected_client_connection_id_length) {
+    expected_client_connection_id_length_ =
+        expected_client_connection_id_length;
+  }
+
   void EnableMultiplePacketNumberSpacesSupport();
 
   // Writes an array of bytes that, if sent as a UDP datagram, will trigger
@@ -597,8 +585,8 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
   // |packet_length| must be in the range [1200, 65535].
   // |destination_connection_id_bytes| will be sent as the destination
   // connection ID, and must point to |destination_connection_id_length| bytes
-  // of memory. |destination_connection_id_length| must be either 0 or in the
-  // range [4,18]. When targeting Google servers, it is recommended to use a
+  // of memory. |destination_connection_id_length| must be in the range [8,18].
+  // When targeting Google servers, it is recommended to use a
   // |destination_connection_id_length| of 8.
   static bool WriteClientVersionNegotiationProbePacket(
       char* packet_bytes,
@@ -714,10 +702,15 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
                                   QuicVersionLabel* version_label);
 
   // Validates and updates |destination_connection_id_length| and
-  // |source_connection_id_length|.
+  // |source_connection_id_length|. When
+  // |should_update_expected_server_connection_id_length| is true, length
+  // validation is disabled and |expected_server_connection_id_length| is set
+  // to the appropriate length.
+  // TODO(b/133873272) refactor this method.
   static bool ProcessAndValidateIetfConnectionIdLength(
       QuicDataReader* reader,
       ParsedQuicVersion version,
+      Perspective perspective,
       bool should_update_expected_server_connection_id_length,
       uint8_t* expected_server_connection_id_length,
       uint8_t* destination_connection_id_length,
@@ -963,10 +956,8 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
   QuicPacketNumber largest_decrypted_packet_numbers_[NUM_PACKET_NUMBER_SPACES];
   // Last server connection ID seen on the wire.
   QuicConnectionId last_serialized_server_connection_id_;
-  // The last QUIC version label received.
-  // TODO(fayang): Remove this when deprecating
-  // quic_no_framer_object_in_dispatcher.
-  QuicVersionLabel last_version_label_;
+  // Last client connection ID seen on the wire.
+  QuicConnectionId last_serialized_client_connection_id_;
   // Version of the protocol being used.
   ParsedQuicVersion version_;
   // This vector contains QUIC versions which we currently support.
@@ -1017,17 +1008,11 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
   bool infer_packet_header_type_from_version_;
 
   // IETF short headers contain a destination connection ID but do not
-  // encode its length. This variable contains the length we expect to read.
-  // This is also used to validate the long header connection ID lengths in
-  // older versions of QUIC.
+  // encode its length. These variables contains the length we expect to read.
+  // This is also used to validate the long header destination connection ID
+  // lengths in older versions of QUIC.
   uint8_t expected_server_connection_id_length_;
-
-  // When this is true, QuicFramer will change
-  // expected_server_connection_id_length_ to the received destination
-  // connection ID length of all IETF long headers.
-  // TODO(fayang): Remove this when deprecating
-  // quic_no_framer_object_in_dispatcher.
-  bool should_update_expected_server_connection_id_length_;
+  uint8_t expected_client_connection_id_length_;
 
   // Indicates whether this framer supports multiple packet number spaces.
   bool supports_multiple_packet_number_spaces_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_framer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_framer_test.cc
index 13e448260c4..d73c4127267 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_framer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_framer_test.cc
@@ -16,6 +16,7 @@
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
+#include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
@@ -88,16 +89,18 @@ const uint8_t kVarInt62EightBytes = 0xc0;
 class TestEncrypter : public QuicEncrypter {
  public:
   ~TestEncrypter() override {}
-  bool SetKey(QuicStringPiece key) override { return true; }
-  bool SetNoncePrefix(QuicStringPiece nonce_prefix) override { return true; }
-  bool SetIV(QuicStringPiece iv) override { return true; }
-  bool SetHeaderProtectionKey(QuicStringPiece key) override { return true; }
+  bool SetKey(QuicStringPiece /*key*/) override { return true; }
+  bool SetNoncePrefix(QuicStringPiece /*nonce_prefix*/) override {
+    return true;
+  }
+  bool SetIV(QuicStringPiece /*iv*/) override { return true; }
+  bool SetHeaderProtectionKey(QuicStringPiece /*key*/) override { return true; }
   bool EncryptPacket(uint64_t packet_number,
                      QuicStringPiece associated_data,
                      QuicStringPiece plaintext,
                      char* output,
                      size_t* output_length,
-                     size_t max_output_length) override {
+                     size_t /*max_output_length*/) override {
     packet_number_ = QuicPacketNumber(packet_number);
     associated_data_ = std::string(associated_data);
     plaintext_ = std::string(plaintext);
@@ -105,7 +108,8 @@ class TestEncrypter : public QuicEncrypter {
     *output_length = plaintext.length();
     return true;
   }
-  std::string GenerateHeaderProtectionMask(QuicStringPiece sample) override {
+  std::string GenerateHeaderProtectionMask(
+      QuicStringPiece /*sample*/) override {
     return std::string(5, 0);
   }
   size_t GetKeySize() const override { return 0; }
@@ -128,15 +132,17 @@ class TestEncrypter : public QuicEncrypter {
 class TestDecrypter : public QuicDecrypter {
  public:
   ~TestDecrypter() override {}
-  bool SetKey(QuicStringPiece key) override { return true; }
-  bool SetNoncePrefix(QuicStringPiece nonce_prefix) override { return true; }
-  bool SetIV(QuicStringPiece iv) override { return true; }
-  bool SetHeaderProtectionKey(QuicStringPiece key) override { return true; }
-  bool SetPreliminaryKey(QuicStringPiece key) override {
+  bool SetKey(QuicStringPiece /*key*/) override { return true; }
+  bool SetNoncePrefix(QuicStringPiece /*nonce_prefix*/) override {
+    return true;
+  }
+  bool SetIV(QuicStringPiece /*iv*/) override { return true; }
+  bool SetHeaderProtectionKey(QuicStringPiece /*key*/) override { return true; }
+  bool SetPreliminaryKey(QuicStringPiece /*key*/) override {
     QUIC_BUG << "should not be called";
     return false;
   }
-  bool SetDiversificationNonce(const DiversificationNonce& key) override {
+  bool SetDiversificationNonce(const DiversificationNonce& /*key*/) override {
     return true;
   }
   bool DecryptPacket(uint64_t packet_number,
@@ -144,7 +150,7 @@ class TestDecrypter : public QuicDecrypter {
                      QuicStringPiece ciphertext,
                      char* output,
                      size_t* output_length,
-                     size_t max_output_length) override {
+                     size_t /*max_output_length*/) override {
     packet_number_ = QuicPacketNumber(packet_number);
     associated_data_ = std::string(associated_data);
     ciphertext_ = std::string(ciphertext);
@@ -153,7 +159,7 @@ class TestDecrypter : public QuicDecrypter {
     return true;
   }
   std::string GenerateHeaderProtectionMask(
-      QuicDataReader* sample_reader) override {
+      QuicDataReader* /*sample_reader*/) override {
     return std::string(5, 0);
   }
   size_t GetKeySize() const override { return 0; }
@@ -208,8 +214,7 @@ class TestQuicVisitor : public QuicFramerVisitorInterface {
     retry_token_ = QuicMakeUnique<std::string>(std::string(retry_token));
   }
 
-  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version,
-                                 PacketHeaderFormat /*form*/) override {
+  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version) override {
     QUIC_DLOG(INFO) << "QuicFramer Version Mismatch, version: "
                     << received_version;
     ++version_mismatch_;
@@ -221,11 +226,11 @@ class TestQuicVisitor : public QuicFramerVisitorInterface {
     return accept_public_header_;
   }
 
-  bool OnUnauthenticatedHeader(const QuicPacketHeader& header) override {
+  bool OnUnauthenticatedHeader(const QuicPacketHeader& /*header*/) override {
     return true;
   }
 
-  void OnDecryptedPacket(EncryptionLevel level) override {}
+  void OnDecryptedPacket(EncryptionLevel /*level*/) override {}
 
   bool OnPacketHeader(const QuicPacketHeader& header) override {
     ++packet_count_;
@@ -441,12 +446,6 @@ struct PacketFragment {
 
 using PacketFragments = std::vector<struct PacketFragment>;
 
-ParsedQuicVersionVector AllSupportedVersionsIncludingTls() {
-  QuicFlagSaver flags;
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
-  return AllSupportedVersions();
-}
-
 class QuicFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
  public:
   QuicFramerTest()
@@ -454,7 +453,7 @@ class QuicFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
         decrypter_(new test::TestDecrypter()),
         version_(GetParam()),
         start_(QuicTime::Zero() + QuicTime::Delta::FromMicroseconds(0x10)),
-        framer_(AllSupportedVersionsIncludingTls(),
+        framer_(AllSupportedVersions(),
                 start_,
                 Perspective::IS_SERVER,
                 kQuicDefaultConnectionIdLength) {
@@ -701,10 +700,9 @@ class QuicFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
       GetQuicVersionDigitOnes()
 
 // Run all framer tests with all supported versions of QUIC.
-INSTANTIATE_TEST_SUITE_P(
-    QuicFramerTests,
-    QuicFramerTest,
-    ::testing::ValuesIn(AllSupportedVersionsIncludingTls()));
+INSTANTIATE_TEST_SUITE_P(QuicFramerTests,
+                         QuicFramerTest,
+                         ::testing::ValuesIn(AllSupportedVersions()));
 
 TEST_P(QuicFramerTest, CalculatePacketNumberFromWireNearEpochStart) {
   // A few quick manual sanity checks.
@@ -916,19 +914,19 @@ TEST_P(QuicFramerTest, PacketHeader) {
 
   PacketHeaderFormat format;
   bool version_flag;
-  uint8_t destination_connection_id_length;
-  QuicConnectionId destination_connection_id;
+  QuicConnectionId destination_connection_id, source_connection_id;
   QuicVersionLabel version_label;
   std::string detailed_error;
-  EXPECT_EQ(QUIC_NO_ERROR, QuicFramer::ProcessPacketDispatcher(
-                               *encrypted, kQuicDefaultConnectionIdLength,
-                               &format, &version_flag, &version_label,
-                               &destination_connection_id_length,
-                               &destination_connection_id, &detailed_error));
+  EXPECT_EQ(QUIC_NO_ERROR,
+            QuicFramer::ProcessPacketDispatcher(
+                *encrypted, kQuicDefaultConnectionIdLength, &format,
+                &version_flag, &version_label, &destination_connection_id,
+                &source_connection_id, &detailed_error));
   EXPECT_EQ(GOOGLE_QUIC_PACKET, format);
   EXPECT_FALSE(version_flag);
-  EXPECT_EQ(kQuicDefaultConnectionIdLength, destination_connection_id_length);
+  EXPECT_EQ(kQuicDefaultConnectionIdLength, destination_connection_id.length());
   EXPECT_EQ(FramerTestConnectionId(), destination_connection_id);
+  EXPECT_EQ(EmptyQuicConnectionId(), source_connection_id);
 }
 
 TEST_P(QuicFramerTest, LongPacketHeader) {
@@ -994,19 +992,135 @@ TEST_P(QuicFramerTest, LongPacketHeader) {
 
   PacketHeaderFormat format;
   bool version_flag;
-  uint8_t destination_connection_id_length;
-  QuicConnectionId destination_connection_id;
+  QuicConnectionId destination_connection_id, source_connection_id;
   QuicVersionLabel version_label;
   std::string detailed_error;
-  EXPECT_EQ(QUIC_NO_ERROR, QuicFramer::ProcessPacketDispatcher(
-                               *encrypted, kQuicDefaultConnectionIdLength,
-                               &format, &version_flag, &version_label,
-                               &destination_connection_id_length,
-                               &destination_connection_id, &detailed_error));
+  EXPECT_EQ(QUIC_NO_ERROR,
+            QuicFramer::ProcessPacketDispatcher(
+                *encrypted, kQuicDefaultConnectionIdLength, &format,
+                &version_flag, &version_label, &destination_connection_id,
+                &source_connection_id, &detailed_error));
   EXPECT_EQ(IETF_QUIC_LONG_HEADER_PACKET, format);
   EXPECT_TRUE(version_flag);
-  EXPECT_EQ(kQuicDefaultConnectionIdLength, destination_connection_id_length);
+  EXPECT_EQ(kQuicDefaultConnectionIdLength, destination_connection_id.length());
   EXPECT_EQ(FramerTestConnectionId(), destination_connection_id);
+  EXPECT_EQ(EmptyQuicConnectionId(), source_connection_id);
+}
+
+TEST_P(QuicFramerTest, LongPacketHeaderWithBothConnectionIds) {
+  if (framer_.transport_version() <= QUIC_VERSION_43) {
+    // This test requires an IETF long header.
+    return;
+  }
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  SetDecrypterLevel(ENCRYPTION_ZERO_RTT);
+  const unsigned char type_byte =
+      framer_.transport_version() == QUIC_VERSION_44 ? 0xFC : 0xD3;
+  // clang-format off
+  unsigned char packet[] = {
+    // public flags (long header with packet type ZERO_RTT_PROTECTED and
+    // 4-byte packet number)
+    type_byte,
+    // version
+    QUIC_VERSION_BYTES,
+    // connection ID lengths
+    0x55,
+    // destination connection ID
+    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
+    // source connection ID
+    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x11,
+    // long header packet length
+    0x05,
+    // packet number
+    0x12, 0x34, 0x56, 0x00,
+    // padding frame
+    0x00,
+  };
+  // clang-format on
+
+  QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
+  PacketHeaderFormat format = GOOGLE_QUIC_PACKET;
+  bool version_flag = false;
+  QuicConnectionId destination_connection_id, source_connection_id;
+  QuicVersionLabel version_label = 0;
+  std::string detailed_error = "";
+  EXPECT_EQ(QUIC_NO_ERROR,
+            QuicFramer::ProcessPacketDispatcher(
+                encrypted, kQuicDefaultConnectionIdLength, &format,
+                &version_flag, &version_label, &destination_connection_id,
+                &source_connection_id, &detailed_error));
+  EXPECT_EQ("", detailed_error);
+  EXPECT_EQ(IETF_QUIC_LONG_HEADER_PACKET, format);
+  EXPECT_TRUE(version_flag);
+  EXPECT_EQ(FramerTestConnectionId(), destination_connection_id);
+  EXPECT_EQ(FramerTestConnectionIdPlusOne(), source_connection_id);
+}
+
+TEST_P(QuicFramerTest, ClientConnectionIdFromShortHeaderToClient) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  if (!framer_.version().SupportsClientConnectionIds()) {
+    return;
+  }
+  SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
+  QuicFramerPeer::SetLastSerializedServerConnectionId(&framer_,
+                                                      TestConnectionId(0x33));
+  QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
+  framer_.SetExpectedClientConnectionIdLength(kQuicDefaultConnectionIdLength);
+  // clang-format off
+  unsigned char packet[] = {
+    // type (short header, 4 byte packet number)
+    0x43,
+    // connection_id
+    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
+    // packet number
+    0x13, 0x37, 0x42, 0x33,
+    // padding frame
+    0x00,
+  };
+  // clang-format on
+  QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
+  EXPECT_TRUE(framer_.ProcessPacket(encrypted));
+  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_EQ("", framer_.detailed_error());
+  ASSERT_TRUE(visitor_.header_.get());
+  EXPECT_EQ(FramerTestConnectionId(),
+            visitor_.header_->destination_connection_id);
+  EXPECT_EQ(TestConnectionId(0x33), visitor_.header_->source_connection_id);
+}
+
+// In short header packets from client to server, the client connection ID
+// is omitted, but the framer adds it to the header struct using its
+// last serialized client connection ID. This test ensures that this
+// mechanism behaves as expected.
+TEST_P(QuicFramerTest, ClientConnectionIdFromShortHeaderToServer) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  if (!framer_.version().SupportsClientConnectionIds()) {
+    return;
+  }
+  SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
+  QuicFramerPeer::SetLastSerializedClientConnectionId(&framer_,
+                                                      TestConnectionId(0x33));
+  QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_SERVER);
+  // clang-format off
+  unsigned char packet[] = {
+    // type (short header, 4 byte packet number)
+    0x43,
+    // connection_id
+    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
+    // packet number
+    0x13, 0x37, 0x42, 0x33,
+    // padding frame
+    0x00,
+  };
+  // clang-format on
+  QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
+  EXPECT_TRUE(framer_.ProcessPacket(encrypted));
+  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_EQ("", framer_.detailed_error());
+  ASSERT_TRUE(visitor_.header_.get());
+  EXPECT_EQ(FramerTestConnectionId(),
+            visitor_.header_->destination_connection_id);
+  EXPECT_EQ(TestConnectionId(0x33), visitor_.header_->source_connection_id);
 }
 
 TEST_P(QuicFramerTest, PacketHeaderWith0ByteConnectionId) {
@@ -1797,7 +1911,7 @@ TEST_P(QuicFramerTest, PaddingFrame) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -1952,7 +2066,7 @@ TEST_P(QuicFramerTest, StreamFrame) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -1982,7 +2096,7 @@ TEST_P(QuicFramerTest, StreamFrame) {
 TEST_P(QuicFramerTest, EmptyStreamFrame) {
   // Only the IETF QUIC spec explicitly says that empty
   // stream frames are supported.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -2322,7 +2436,7 @@ TEST_P(QuicFramerTest, StreamFrame2ByteStreamId) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -2474,7 +2588,7 @@ TEST_P(QuicFramerTest, StreamFrame1ByteStreamId) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -2502,6 +2616,12 @@ TEST_P(QuicFramerTest, StreamFrame1ByteStreamId) {
 }
 
 TEST_P(QuicFramerTest, StreamFrameWithVersion) {
+  // If IETF frames are in use then we must also have the IETF
+  // header invariants.
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
+    DCHECK(VersionHasIetfInvariantHeader(framer_.transport_version()));
+  }
+
   SetDecrypterLevel(ENCRYPTION_ZERO_RTT);
   // clang-format off
   PacketFragments packet = {
@@ -2660,7 +2780,7 @@ TEST_P(QuicFramerTest, StreamFrameWithVersion) {
           : VARIABLE_LENGTH_INTEGER_LENGTH_0;
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -2961,7 +3081,7 @@ TEST_P(QuicFramerTest, AckFrameOneAckBlock) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -3105,7 +3225,7 @@ TEST_P(QuicFramerTest, FirstAckFrameUnderflow) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -3121,7 +3241,7 @@ TEST_P(QuicFramerTest, FirstAckFrameUnderflow) {
 // and handles the case where the third ack block's gap is larger than the
 // available space in the ack range.
 TEST_P(QuicFramerTest, ThirdAckBlockUnderflowGap) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // for now, only v99
     return;
   }
@@ -3179,7 +3299,7 @@ TEST_P(QuicFramerTest, ThirdAckBlockUnderflowGap) {
 // and handles the case where the third ack block's length is larger than the
 // available space in the ack range.
 TEST_P(QuicFramerTest, ThirdAckBlockUnderflowAck) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // for now, only v99
     return;
   }
@@ -3235,7 +3355,7 @@ TEST_P(QuicFramerTest, ThirdAckBlockUnderflowAck) {
 // around to 0x3fffffff ffffffff... Make sure we detect this
 // condition.
 TEST_P(QuicFramerTest, AckBlockUnderflowGapWrap) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // for now, only v99
     return;
   }
@@ -3285,7 +3405,7 @@ TEST_P(QuicFramerTest, AckBlockUnderflowGapWrap) {
 // As AckBlockUnderflowGapWrap, but in this test, it's the ack
 // component of the ack-block that causes the wrap, not the gap.
 TEST_P(QuicFramerTest, AckBlockUnderflowAckWrap) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // for now, only v99
     return;
   }
@@ -3334,7 +3454,7 @@ TEST_P(QuicFramerTest, AckBlockUnderflowAckWrap) {
 
 // An ack block that acks the entire range, 1...0x3fffffffffffffff
 TEST_P(QuicFramerTest, AckBlockAcksEverything) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // for now, only v99
     return;
   }
@@ -3389,7 +3509,7 @@ TEST_P(QuicFramerTest, AckBlockAcksEverything) {
 //    additional ack blocks.
 //
 TEST_P(QuicFramerTest, AckFrameFirstAckBlockLengthZero) {
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     // Not applicable to version 99 -- first ack block contains the
     // number of packets that preceed the largest_acked packet.
     // A value of 0 means no packets preceed --- that the block's
@@ -3653,7 +3773,7 @@ TEST_P(QuicFramerTest, AckFrameOneAckBlockMaxLength) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -3945,7 +4065,7 @@ TEST_P(QuicFramerTest, AckFrameTwoTimeStampsMultipleAckBlocks) {
 
   // clang-format on
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -3970,7 +4090,7 @@ TEST_P(QuicFramerTest, AckFrameTwoTimeStampsMultipleAckBlocks) {
   EXPECT_EQ(kSmallLargestObserved, LargestAcked(frame));
   ASSERT_EQ(4254u, frame.packets.NumPacketsSlow());
   EXPECT_EQ(4u, frame.packets.NumIntervals());
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     EXPECT_EQ(0u, frame.received_packet_times.size());
   } else {
     EXPECT_EQ(2u, frame.received_packet_times.size());
@@ -4056,7 +4176,7 @@ TEST_P(QuicFramerTest, AckFrameTimeStampDeltaTooHigh) {
       0x10, 0x32, 0x54, 0x76,
   };
   // clang-format on
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   QuicEncryptedPacket encrypted(
@@ -4160,7 +4280,7 @@ TEST_P(QuicFramerTest, AckFrameTimeStampSecondDeltaTooHigh) {
       0x10, 0x32,
   };
   // clang-format on
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   QuicEncryptedPacket encrypted(
@@ -4175,7 +4295,7 @@ TEST_P(QuicFramerTest, AckFrameTimeStampSecondDeltaTooHigh) {
 }
 
 TEST_P(QuicFramerTest, NewStopWaitingFrame) {
-  if (version_.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -4268,7 +4388,7 @@ TEST_P(QuicFramerTest, NewStopWaitingFrame) {
 }
 
 TEST_P(QuicFramerTest, InvalidNewStopWaitingFrame) {
-  if (version_.transport_version == QUIC_VERSION_99 ||
+  if (VersionHasIetfQuicFrames(version_.transport_version) ||
       (GetQuicReloadableFlag(quic_do_not_accept_stop_waiting) &&
        version_.transport_version >= QUIC_VERSION_44)) {
     return;
@@ -4425,7 +4545,7 @@ TEST_P(QuicFramerTest, RstStreamFrame) {
        {kVarInt62FourBytes + 0x01, 0x02, 0x03, 0x04}},
       // application error code
       {"Unable to read rst stream error code.",
-       {0x00, 0x01}},   // Not varint62 encoded
+       {kVarInt62OneByte + 0x01}},
       // Final Offset
       {"Unable to read rst stream sent byte offset.",
        {kVarInt62EightBytes + 0x3a, 0x98, 0xFE, 0xDC, 0x32, 0x10, 0x76, 0x54}}
@@ -4433,7 +4553,7 @@ TEST_P(QuicFramerTest, RstStreamFrame) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -4557,7 +4677,7 @@ TEST_P(QuicFramerTest, ConnectionCloseFrame) {
        {0x1c}},
       // error code
       {"Unable to read connection close error code.",
-       {0x00, 0x11}},
+       {kVarInt62TwoBytes + 0x00, 0x11}},
       {"Unable to read connection close frame type.",
        {kVarInt62TwoBytes + 0x12, 0x34 }},
       {"Unable to read connection close error details.",
@@ -4574,7 +4694,7 @@ TEST_P(QuicFramerTest, ConnectionCloseFrame) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -4594,7 +4714,7 @@ TEST_P(QuicFramerTest, ConnectionCloseFrame) {
   EXPECT_EQ(0x11u, static_cast<unsigned>(
                        visitor_.connection_close_frame_.quic_error_code));
   EXPECT_EQ("because I can", visitor_.connection_close_frame_.error_details);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     EXPECT_EQ(0x1234u,
               visitor_.connection_close_frame_.transport_close_frame_type);
   }
@@ -4606,7 +4726,7 @@ TEST_P(QuicFramerTest, ConnectionCloseFrame) {
 
 // Test the CONNECTION_CLOSE/Application variant.
 TEST_P(QuicFramerTest, ApplicationCloseFrame) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame does not exist in versions other than 99.
     return;
   }
@@ -4628,7 +4748,7 @@ TEST_P(QuicFramerTest, ApplicationCloseFrame) {
        {0x1d}},
       // error code
       {"Unable to read connection close error code.",
-       {0x00, 0x11}},
+       {kVarInt62TwoBytes + 0x00, 0x11}},
       {"Unable to read connection close error details.",
        {
          // error details length
@@ -4666,7 +4786,7 @@ TEST_P(QuicFramerTest, ApplicationCloseFrame) {
 }
 
 TEST_P(QuicFramerTest, GoAwayFrame) {
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is not supported in version 99.
     return;
   }
@@ -4791,7 +4911,7 @@ TEST_P(QuicFramerTest, GoAwayFrame) {
 }
 
 TEST_P(QuicFramerTest, WindowUpdateFrame) {
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is not in version 99, see MaxDataFrame and MaxStreamDataFrame
     // for Version 99 equivalents.
     return;
@@ -4887,7 +5007,7 @@ TEST_P(QuicFramerTest, WindowUpdateFrame) {
 }
 
 TEST_P(QuicFramerTest, MaxDataFrame) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is available only in version 99.
     return;
   }
@@ -4931,7 +5051,7 @@ TEST_P(QuicFramerTest, MaxDataFrame) {
 }
 
 TEST_P(QuicFramerTest, MaxStreamDataFrame) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame available only in version 99.
     return;
   }
@@ -5056,7 +5176,7 @@ TEST_P(QuicFramerTest, BlockedFrame) {
   // clang-format on
 
   PacketFragments& fragments =
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? packet99
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? packet46
@@ -5072,14 +5192,14 @@ TEST_P(QuicFramerTest, BlockedFrame) {
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
       PACKET_8BYTE_CONNECTION_ID, PACKET_0BYTE_CONNECTION_ID));
 
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     EXPECT_EQ(kStreamOffset, visitor_.blocked_frame_.offset);
   } else {
     EXPECT_EQ(0u, visitor_.blocked_frame_.offset);
   }
   EXPECT_EQ(kStreamId, visitor_.blocked_frame_.stream_id);
 
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     CheckFramingBoundaries(fragments, QUIC_INVALID_STREAM_BLOCKED_DATA);
   } else {
     CheckFramingBoundaries(fragments, QUIC_INVALID_BLOCKED_DATA);
@@ -5139,14 +5259,14 @@ TEST_P(QuicFramerTest, PingFrame) {
   // clang-format on
 
   QuicEncryptedPacket encrypted(
-      AsChars(framer_.transport_version() == QUIC_VERSION_99
+      AsChars(VersionHasIetfQuicFrames(framer_.transport_version())
                   ? packet99
                   : (framer_.transport_version() > QUIC_VERSION_44
                          ? packet46
                          : framer_.transport_version() > QUIC_VERSION_43
                                ? packet44
                                : packet)),
-      framer_.transport_version() == QUIC_VERSION_99
+      VersionHasIetfQuicFrames(framer_.transport_version())
           ? QUIC_ARRAYSIZE(packet99)
           : (framer_.transport_version() > QUIC_VERSION_44
                  ? QUIC_ARRAYSIZE(packet46)
@@ -5573,7 +5693,7 @@ TEST_P(QuicFramerTest, VersionNegotiationPacketClient) {
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
   ASSERT_EQ(QUIC_NO_ERROR, framer_.error());
   ASSERT_TRUE(visitor_.version_negotiation_packet_.get());
-  EXPECT_EQ(2u, visitor_.version_negotiation_packet_->versions.size());
+  EXPECT_EQ(1u, visitor_.version_negotiation_packet_->versions.size());
   EXPECT_EQ(GetParam(), visitor_.version_negotiation_packet_->versions[0]);
 
   // Remove the last version from the packet so that every truncated
@@ -5586,9 +5706,6 @@ TEST_P(QuicFramerTest, VersionNegotiationPacketClient) {
 }
 
 TEST_P(QuicFramerTest, VersionNegotiationPacketServer) {
-  if (!GetQuicRestartFlag(quic_server_drop_version_negotiation)) {
-    return;
-  }
   if (framer_.transport_version() < QUIC_VERSION_44) {
     return;
   }
@@ -5645,7 +5762,7 @@ TEST_P(QuicFramerTest, OldVersionNegotiationPacket) {
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
   ASSERT_EQ(QUIC_NO_ERROR, framer_.error());
   ASSERT_TRUE(visitor_.version_negotiation_packet_.get());
-  EXPECT_EQ(2u, visitor_.version_negotiation_packet_->versions.size());
+  EXPECT_EQ(1u, visitor_.version_negotiation_packet_->versions.size());
   EXPECT_EQ(GetParam(), visitor_.version_negotiation_packet_->versions[0]);
 
   // Remove the last version from the packet so that every truncated
@@ -5794,7 +5911,7 @@ TEST_P(QuicFramerTest, BuildPaddingFramePacket) {
   // clang-format on
 
   unsigned char* p = packet;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
     p = packet46;
@@ -5946,7 +6063,7 @@ TEST_P(QuicFramerTest, BuildStreamFramePacketWithNewPaddingFrame) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -6028,7 +6145,7 @@ TEST_P(QuicFramerTest, Build4ByteSequenceNumberPaddingFramePacket) {
   // clang-format on
 
   unsigned char* p = packet;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
     p = packet46;
@@ -6118,7 +6235,7 @@ TEST_P(QuicFramerTest, Build2ByteSequenceNumberPaddingFramePacket) {
   // clang-format on
 
   unsigned char* p = packet;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
     p = packet46;
@@ -6208,7 +6325,7 @@ TEST_P(QuicFramerTest, Build1ByteSequenceNumberPaddingFramePacket) {
   // clang-format on
 
   unsigned char* p = packet;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
     p = packet46;
@@ -6339,7 +6456,7 @@ TEST_P(QuicFramerTest, BuildStreamFramePacket) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -6466,7 +6583,7 @@ TEST_P(QuicFramerTest, BuildStreamFramePacketWithVersionFlag) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -6481,8 +6598,7 @@ TEST_P(QuicFramerTest, BuildStreamFramePacketWithVersionFlag) {
 }
 
 TEST_P(QuicFramerTest, BuildCryptoFramePacket) {
-  if (framer_.transport_version() < QUIC_VERSION_99) {
-    // CRYPTO frames aren't supported prior to v46.
+  if (!QuicVersionUsesCryptoFrames(framer_.transport_version())) {
     return;
   }
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
@@ -6504,7 +6620,28 @@ TEST_P(QuicFramerTest, BuildCryptoFramePacket) {
   QuicFrames frames = {QuicFrame(&crypto_frame)};
 
   // clang-format off
-  unsigned char packet[] = {
+  unsigned char packet48[] = {
+    // type (short header, 4 byte packet number)
+    0x43,
+    // connection_id
+    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
+    // packet number
+    0x12, 0x34, 0x56, 0x78,
+
+    // frame type (QuicFrameType CRYPTO_FRAME)
+    0x08,
+    // offset
+    kVarInt62EightBytes + 0x3A, 0x98, 0xFE, 0xDC,
+    0x32, 0x10, 0x76, 0x54,
+    // length
+    kVarInt62OneByte + 12,
+    // data
+    'h',  'e',  'l',  'l',
+    'o',  ' ',  'w',  'o',
+    'r',  'l',  'd',  '!',
+  };
+
+  unsigned char packet99[] = {
     // type (short header, 4 byte packet number)
     0x43,
     // connection_id
@@ -6526,7 +6663,12 @@ TEST_P(QuicFramerTest, BuildCryptoFramePacket) {
   };
   // clang-format on
 
-  size_t packet_size = QUIC_ARRAYSIZE(packet);
+  unsigned char* packet = packet48;
+  size_t packet_size = QUIC_ARRAYSIZE(packet48);
+  if (framer_.transport_version() == QUIC_VERSION_99) {
+    packet = packet99;
+    packet_size = QUIC_ARRAYSIZE(packet99);
+  }
 
   std::unique_ptr<QuicPacket> data(BuildDataPacket(header, frames));
   ASSERT_TRUE(data != nullptr);
@@ -6536,14 +6678,41 @@ TEST_P(QuicFramerTest, BuildCryptoFramePacket) {
 }
 
 TEST_P(QuicFramerTest, CryptoFrame) {
-  if (framer_.transport_version() < QUIC_VERSION_99) {
-    // CRYPTO frames aren't supported prior to v46.
+  if (framer_.transport_version() < QUIC_VERSION_48) {
+    // CRYPTO frames aren't supported prior to v48.
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
 
   // clang-format off
-  PacketFragments packet = {
+  PacketFragments packet48 = {
+      // type (short header, 4 byte packet number)
+      {"",
+       {0x43}},
+      // connection_id
+      {"",
+       {0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}},
+      // packet number
+      {"",
+       {0x12, 0x34, 0x56, 0x78}},
+      // frame type (QuicFrameType CRYPTO_FRAME)
+      {"",
+       {0x08}},
+      // offset
+      {"",
+       {kVarInt62EightBytes + 0x3A, 0x98, 0xFE, 0xDC,
+        0x32, 0x10, 0x76, 0x54}},
+      // data length
+      {"Invalid data length.",
+       {kVarInt62OneByte + 12}},
+      // data
+      {"Unable to read frame data.",
+       {'h',  'e',  'l',  'l',
+        'o',  ' ',  'w',  'o',
+        'r',  'l',  'd',  '!'}},
+  };
+
+  PacketFragments packet99 = {
       // type (short header, 4 byte packet number)
       {"",
        {0x43}},
@@ -6571,8 +6740,10 @@ TEST_P(QuicFramerTest, CryptoFrame) {
   };
   // clang-format on
 
+  PacketFragments& fragments =
+      framer_.transport_version() == QUIC_VERSION_99 ? packet99 : packet48;
   std::unique_ptr<QuicEncryptedPacket> encrypted(
-      AssemblePacketFromFragments(packet));
+      AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
   EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
@@ -6586,33 +6757,33 @@ TEST_P(QuicFramerTest, CryptoFrame) {
   EXPECT_EQ("hello world!",
             std::string(frame->data_buffer, frame->data_length));
 
-  CheckFramingBoundaries(packet, QUIC_INVALID_FRAME_DATA);
+  CheckFramingBoundaries(fragments, QUIC_INVALID_FRAME_DATA);
 }
 
 TEST_P(QuicFramerTest, BuildVersionNegotiationPacket) {
+  SetQuicReloadableFlag(quic_version_negotiation_grease, true);
+  SetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness, true);
   // clang-format off
   unsigned char packet[] = {
       // public flags (version, 8 byte connection_id)
       0x0D,
       // connection_id
       0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-      // version tag
+      // supported versions
+      0xDA, 0x5A, 0x3A, 0x3A,
       QUIC_VERSION_BYTES,
   };
-  unsigned char type44 = 0x80;
-  if (GetQuicReloadableFlag(quic_send_version_negotiation_fixed_bit)) {
-    type44 = 0xC0;
-  }
   unsigned char packet44[] = {
       // type (long header)
-      type44,
+      0xC0,
       // version tag
       0x00, 0x00, 0x00, 0x00,
       // connection_id length
       0x05,
       // connection_id
       0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-      // version tag
+      // supported versions
+      0xDA, 0x5A, 0x3A, 0x3A,
       QUIC_VERSION_BYTES,
   };
   // clang-format on
@@ -6641,15 +6812,13 @@ TEST_P(QuicFramerTest, BuildVersionNegotiationPacketWithClientConnectionId) {
 
   // Client connection IDs cannot be used unless this flag is true.
   SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  SetQuicReloadableFlag(quic_version_negotiation_grease, true);
+  SetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness, true);
 
-  unsigned char type_byte = 0x80;
-  if (GetQuicReloadableFlag(quic_send_version_negotiation_fixed_bit)) {
-    type_byte = 0xC0;
-  }
   // clang-format off
   unsigned char packet[] = {
       // type (long header)
-      type_byte,
+      0xC0,
       // version tag
       0x00, 0x00, 0x00, 0x00,
       // connection ID lengths
@@ -6658,7 +6827,8 @@ TEST_P(QuicFramerTest, BuildVersionNegotiationPacketWithClientConnectionId) {
       0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x11,
       // server/source connection ID
       0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-      // version tag
+      // supported versions
+      0xDA, 0x5A, 0x3A, 0x3A,
       QUIC_VERSION_BYTES,
   };
   // clang-format on
@@ -6774,7 +6944,7 @@ TEST_P(QuicFramerTest, BuildAckFramePacketOneAckBlock) {
   // clang-format on
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -6891,7 +7061,7 @@ TEST_P(QuicFramerTest, BuildAckFramePacketOneAckBlockMaxLength) {
   // clang-format on
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -7081,7 +7251,7 @@ TEST_P(QuicFramerTest, BuildAckFramePacketMultipleAckBlocks) {
   // clang-format on
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -7486,7 +7656,7 @@ TEST_P(QuicFramerTest, BuildAckFramePacketMaxAckBlocks) {
   // clang-format on
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -7555,7 +7725,7 @@ TEST_P(QuicFramerTest, BuildRstFramePacketQuic) {
 
   QuicRstStreamFrame rst_frame;
   rst_frame.stream_id = kStreamId;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     rst_frame.ietf_error_code = 0x01;
   } else {
     rst_frame.error_code = static_cast<QuicRstStreamErrorCode>(0x05060708);
@@ -7632,8 +7802,8 @@ TEST_P(QuicFramerTest, BuildRstFramePacketQuic) {
     0x04,
     // stream id
     kVarInt62FourBytes + 0x01, 0x02, 0x03, 0x04,
-    // error code (not VarInt32 encoded)
-    0x00, 0x01,
+    // error code
+    kVarInt62OneByte + 0x01,
     // sent byte offset
     kVarInt62EightBytes + 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01
   };
@@ -7646,7 +7816,7 @@ TEST_P(QuicFramerTest, BuildRstFramePacketQuic) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -7671,7 +7841,7 @@ TEST_P(QuicFramerTest, BuildCloseFramePacket) {
   header.packet_number = kPacketNumber;
 
   QuicConnectionCloseFrame close_frame;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     close_frame.transport_error_code =
         static_cast<QuicIetfTransportErrorCodes>(0x11);
     close_frame.transport_close_frame_type = 0x05;
@@ -7758,7 +7928,7 @@ TEST_P(QuicFramerTest, BuildCloseFramePacket) {
     // frame type (IETF_CONNECTION_CLOSE frame)
     0x1c,
     // error code
-    0x00, 0x11,
+    kVarInt62OneByte + 0x11,
     // Frame type within the CONNECTION_CLOSE frame
     kVarInt62OneByte + 0x05,
     // error details length
@@ -7773,7 +7943,7 @@ TEST_P(QuicFramerTest, BuildCloseFramePacket) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -7800,7 +7970,7 @@ TEST_P(QuicFramerTest, BuildTruncatedCloseFramePacket) {
   header.packet_number = kPacketNumber;
 
   QuicConnectionCloseFrame close_frame;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     close_frame.transport_error_code = PROTOCOL_VIOLATION;  // value is 0x0a
     EXPECT_EQ(0u, close_frame.transport_close_frame_type);
     close_frame.close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
@@ -7969,7 +8139,7 @@ TEST_P(QuicFramerTest, BuildTruncatedCloseFramePacket) {
     // frame type (IETF_CONNECTION_CLOSE frame)
     0x1c,
     // error code
-    0x00, 0x0a,
+    kVarInt62OneByte + 0x0a,
     // Frame type within the CONNECTION_CLOSE frame
     kVarInt62OneByte + 0x00,
     // error details length
@@ -8012,7 +8182,7 @@ TEST_P(QuicFramerTest, BuildTruncatedCloseFramePacket) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -8031,7 +8201,7 @@ TEST_P(QuicFramerTest, BuildTruncatedCloseFramePacket) {
 }
 
 TEST_P(QuicFramerTest, BuildApplicationCloseFramePacket) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // Versions other than 99 do not have ApplicationClose
     return;
   }
@@ -8043,7 +8213,8 @@ TEST_P(QuicFramerTest, BuildApplicationCloseFramePacket) {
   header.packet_number = kPacketNumber;
 
   QuicConnectionCloseFrame app_close_frame;
-  app_close_frame.quic_error_code = static_cast<QuicErrorCode>(0x11);
+  app_close_frame.application_error_code =
+      static_cast<uint64_t>(QUIC_INVALID_STREAM_ID);
   app_close_frame.error_details = "because I can";
   app_close_frame.close_type = IETF_QUIC_APPLICATION_CONNECTION_CLOSE;
 
@@ -8062,7 +8233,7 @@ TEST_P(QuicFramerTest, BuildApplicationCloseFramePacket) {
     // frame type (IETF_APPLICATION_CLOSE frame)
     0x1d,
     // error code
-    0x00, 0x11,
+    kVarInt62OneByte + 0x11,
     // error details length
     kVarInt62OneByte + 0x0d,
     // error details
@@ -8082,7 +8253,7 @@ TEST_P(QuicFramerTest, BuildApplicationCloseFramePacket) {
 }
 
 TEST_P(QuicFramerTest, BuildTruncatedApplicationCloseFramePacket) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // Versions other than 99 do not have this frame.
     return;
   }
@@ -8094,7 +8265,8 @@ TEST_P(QuicFramerTest, BuildTruncatedApplicationCloseFramePacket) {
   header.packet_number = kPacketNumber;
 
   QuicConnectionCloseFrame app_close_frame;
-  app_close_frame.quic_error_code = static_cast<QuicErrorCode>(0x11);
+  app_close_frame.application_error_code =
+      static_cast<uint64_t>(QUIC_INVALID_STREAM_ID);
   app_close_frame.error_details = std::string(2048, 'A');
   app_close_frame.close_type = IETF_QUIC_APPLICATION_CONNECTION_CLOSE;
 
@@ -8112,7 +8284,7 @@ TEST_P(QuicFramerTest, BuildTruncatedApplicationCloseFramePacket) {
     // frame type (IETF_APPLICATION_CLOSE frame)
     0x1d,
     // error code
-    0x00, 0x11,
+    kVarInt62OneByte + 0x11,
     // error details length
     kVarInt62TwoBytes + 0x01, 0x00,
     // error details (truncated to 256 bytes)
@@ -8160,7 +8332,7 @@ TEST_P(QuicFramerTest, BuildTruncatedApplicationCloseFramePacket) {
 }
 
 TEST_P(QuicFramerTest, BuildGoAwayPacket) {
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame type is not supported in version 99.
     return;
   }
@@ -8268,7 +8440,7 @@ TEST_P(QuicFramerTest, BuildGoAwayPacket) {
 }
 
 TEST_P(QuicFramerTest, BuildTruncatedGoAwayPacket) {
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame type is not supported in version 99.
     return;
   }
@@ -8547,7 +8719,7 @@ TEST_P(QuicFramerTest, BuildWindowUpdatePacket) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -8563,7 +8735,7 @@ TEST_P(QuicFramerTest, BuildWindowUpdatePacket) {
 }
 
 TEST_P(QuicFramerTest, BuildMaxStreamDataPacket) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is available only in this version.
     return;
   }
@@ -8608,7 +8780,7 @@ TEST_P(QuicFramerTest, BuildMaxStreamDataPacket) {
 }
 
 TEST_P(QuicFramerTest, BuildMaxDataPacket) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is available only in this version.
     return;
   }
@@ -8660,8 +8832,8 @@ TEST_P(QuicFramerTest, BuildBlockedPacket) {
   header.packet_number = kPacketNumber;
 
   QuicBlockedFrame blocked_frame;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
-    // For V99, the stream ID must be <invalid> for the frame
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
+    // For IETF QUIC, the stream ID must be <invalid> for the frame
     // to be a BLOCKED frame. if it's valid, it will be a
     // STREAM_BLOCKED frame.
     blocked_frame.stream_id =
@@ -8736,7 +8908,7 @@ TEST_P(QuicFramerTest, BuildBlockedPacket) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -8812,7 +8984,7 @@ TEST_P(QuicFramerTest, BuildPingPacket) {
   // clang-format on
 
   unsigned char* p = packet;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
     p = packet46;
@@ -8908,7 +9080,7 @@ TEST_P(QuicFramerTest, BuildMessagePacket) {
   // clang-format on
 
   unsigned char* p = packet45;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
     p = packet46;
@@ -8996,7 +9168,7 @@ TEST_P(QuicFramerTest, BuildConnectivityProbingPacket) {
 
   unsigned char* p = packet;
   size_t packet_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     packet_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -9023,7 +9195,7 @@ TEST_P(QuicFramerTest, BuildConnectivityProbingPacket) {
 // Test that the path challenge connectivity probing packet is serialized
 // correctly as a padded PATH CHALLENGE packet.
 TEST_P(QuicFramerTest, BuildPaddedPathChallengePacket) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -9078,7 +9250,7 @@ TEST_P(QuicFramerTest, BuildPaddedPathChallengePacket) {
 // packet. Also generates packets with 1 and 3 PATH_RESPONSES in them to
 // exercised the single- and multiple- payload cases.
 TEST_P(QuicFramerTest, BuildPathResponsePacket1ResponseUnpadded) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -9122,7 +9294,7 @@ TEST_P(QuicFramerTest, BuildPathResponsePacket1ResponseUnpadded) {
 }
 
 TEST_P(QuicFramerTest, BuildPathResponsePacket1ResponsePadded) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -9168,7 +9340,7 @@ TEST_P(QuicFramerTest, BuildPathResponsePacket1ResponsePadded) {
 }
 
 TEST_P(QuicFramerTest, BuildPathResponsePacket3ResponsesUnpadded) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -9219,7 +9391,7 @@ TEST_P(QuicFramerTest, BuildPathResponsePacket3ResponsesUnpadded) {
 }
 
 TEST_P(QuicFramerTest, BuildPathResponsePacket3ResponsesPadded) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -9336,7 +9508,7 @@ TEST_P(QuicFramerTest, BuildMtuDiscoveryPacket) {
   ASSERT_TRUE(data != nullptr);
 
   unsigned char* p = packet;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
     p = packet46;
@@ -9719,6 +9891,7 @@ TEST_P(QuicFramerTest, EncryptPacketWithVersionFlag) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
+  // TODO(ianswett): see todo in previous test.
   if (framer_.transport_version() == QUIC_VERSION_99) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
@@ -9744,7 +9917,7 @@ TEST_P(QuicFramerTest, EncryptPacketWithVersionFlag) {
 }
 
 TEST_P(QuicFramerTest, AckTruncationLargePacket) {
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This test is not applicable to this version; the range count is
     // effectively unlimited
     return;
@@ -9784,7 +9957,7 @@ TEST_P(QuicFramerTest, AckTruncationLargePacket) {
 }
 
 TEST_P(QuicFramerTest, AckTruncationSmallPacket) {
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This test is not applicable to this version; the range count is
     // effectively unlimited
     return;
@@ -9825,7 +9998,7 @@ TEST_P(QuicFramerTest, AckTruncationSmallPacket) {
 }
 
 TEST_P(QuicFramerTest, CleanTruncation) {
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This test is not applicable to this version; the range count is
     // effectively unlimited
     return;
@@ -10035,7 +10208,7 @@ TEST_P(QuicFramerTest, StopPacketProcessing) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -10147,147 +10320,9 @@ TEST_P(QuicFramerTest, ConstructMisFramedEncryptedPacket) {
   EXPECT_EQ(QUIC_INVALID_FRAME_DATA, framer_.error());
 }
 
-// Tests for fuzzing with Dr. Fuzz
-// Xref http://www.chromium.org/developers/testing/dr-fuzz for more details.
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-// target function to be fuzzed by Dr. Fuzz
-void QuicFramerFuzzFunc(unsigned char* data,
-                        size_t size,
-                        const ParsedQuicVersion& version) {
-  QuicFramer framer(AllSupportedVersions(), QuicTime::Zero(),
-                    Perspective::IS_SERVER, kQuicDefaultConnectionIdLength);
-  ASSERT_EQ(GetQuicFlag(FLAGS_quic_supports_tls_handshake), true);
-  const char* const packet_bytes = reinterpret_cast<const char*>(data);
-
-  // Test the CryptoFramer.
-  QuicStringPiece crypto_input(packet_bytes, size);
-  std::unique_ptr<CryptoHandshakeMessage> handshake_message(
-      CryptoFramer::ParseMessage(crypto_input));
-
-  // Test the regular QuicFramer with the same input.
-  NoOpFramerVisitor visitor;
-  framer.set_visitor(&visitor);
-  framer.set_version(version);
-  QuicEncryptedPacket packet(packet_bytes, size);
-  framer.ProcessPacket(packet);
-}
-
-#ifdef __cplusplus
-}
-#endif
-
-TEST_P(QuicFramerTest, FramerFuzzTest) {
-  // clang-format off
-  unsigned char packet[] = {
-    // public flags (8 byte connection_id)
-    0x2C,
-    // connection_id
-    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-    // packet number
-    0x12, 0x34, 0x56, 0x78,
-    // private flags
-    0x00,
-
-    // frame type (stream frame with fin)
-    0xFF,
-    // stream id
-    0x01, 0x02, 0x03, 0x04,
-    // offset
-    0x3A, 0x98, 0xFE, 0xDC,
-    0x32, 0x10, 0x76, 0x54,
-    // data length
-    0x00, 0x0c,
-    // data
-    'h',  'e',  'l',  'l',
-    'o',  ' ',  'w',  'o',
-    'r',  'l',  'd',  '!',
-  };
-
-  unsigned char packet44[] = {
-    // type (short header, 4 byte packet number)
-    0x32,
-    // packet number
-    0x12, 0x34, 0x56, 0x78,
-
-    // frame type (stream frame with fin, length, and offset bits set)
-    0x10 | 0x01 | 0x02 | 0x04,
-    // stream id
-    0x01, 0x02, 0x03, 0x04,
-    // offset
-    0x3A, 0x98, 0xFE, 0xDC,
-    0x32, 0x10, 0x76, 0x54,
-    // data length
-    0x00, 0x0c,
-    // data
-    'h',  'e',  'l',  'l',
-    'o',  ' ',  'w',  'o',
-    'r',  'l',  'd',  '!',
-  };
-
-  unsigned char packet46[] = {
-    // type (short header, 4 byte packet number)
-    0x43,
-    // packet number
-    0x12, 0x34, 0x56, 0x78,
-
-    // frame type (stream frame with fin, length, and offset bits set)
-    0x10 | 0x01 | 0x02 | 0x04,
-    // stream id
-    0x01, 0x02, 0x03, 0x04,
-    // offset
-    0x3A, 0x98, 0xFE, 0xDC,
-    0x32, 0x10, 0x76, 0x54,
-    // data length
-    0x00, 0x0c,
-    // data
-    'h',  'e',  'l',  'l',
-    'o',  ' ',  'w',  'o',
-    'r',  'l',  'd',  '!',
-  };
-
-  unsigned char packet99[] = {
-    // type (short header, 4 byte packet number)
-    0x43,
-    // packet number
-    0x12, 0x34, 0x56, 0x78,
-
-    // frame type (IETF_STREAM frame with fin, length, and offset bits set)
-    0x08 | 0x01 | 0x02 | 0x04,
-    // stream id
-    0x01, 0x02, 0x03, 0x04,
-    // offset
-    0x3A, 0x98, 0xFE, 0xDC,
-    0x32, 0x10, 0x76, 0x54,
-    // data length
-    0x00, 0x0c,
-    // data
-    'h',  'e',  'l',  'l',
-    'o',  ' ',  'w',  'o',
-    'r',  'l',  'd',  '!',
-  };
-  // clang-format on
-
-  unsigned char* p = packet;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
-    p = packet99;
-  } else if (framer_.transport_version() > QUIC_VERSION_44) {
-    p = packet46;
-  } else if (framer_.transport_version() > QUIC_VERSION_43) {
-    p = packet44;
-  }
-  QuicFramerFuzzFunc(p,
-                     framer_.transport_version() > QUIC_VERSION_43
-                         ? QUIC_ARRAYSIZE(packet44)
-                         : QUIC_ARRAYSIZE(packet),
-                     framer_.version());
-}
-
 TEST_P(QuicFramerTest, IetfBlockedFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10329,7 +10364,7 @@ TEST_P(QuicFramerTest, IetfBlockedFrame) {
 
 TEST_P(QuicFramerTest, BuildIetfBlockedPacket) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -10370,7 +10405,7 @@ TEST_P(QuicFramerTest, BuildIetfBlockedPacket) {
 
 TEST_P(QuicFramerTest, IetfStreamBlockedFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10415,7 +10450,7 @@ TEST_P(QuicFramerTest, IetfStreamBlockedFrame) {
 
 TEST_P(QuicFramerTest, BuildIetfStreamBlockedPacket) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -10458,7 +10493,7 @@ TEST_P(QuicFramerTest, BuildIetfStreamBlockedPacket) {
 
 TEST_P(QuicFramerTest, BiDiMaxStreamsFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10500,7 +10535,7 @@ TEST_P(QuicFramerTest, BiDiMaxStreamsFrame) {
 
 TEST_P(QuicFramerTest, UniDiMaxStreamsFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10541,7 +10576,7 @@ TEST_P(QuicFramerTest, UniDiMaxStreamsFrame) {
 
 TEST_P(QuicFramerTest, ServerUniDiMaxStreamsFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10583,7 +10618,7 @@ TEST_P(QuicFramerTest, ServerUniDiMaxStreamsFrame) {
 
 TEST_P(QuicFramerTest, ClientUniDiMaxStreamsFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10630,7 +10665,7 @@ TEST_P(QuicFramerTest, ClientUniDiMaxStreamsFrame) {
 // client- initiated.
 TEST_P(QuicFramerTest, BiDiMaxStreamsFrameTooBig) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10668,7 +10703,7 @@ TEST_P(QuicFramerTest, BiDiMaxStreamsFrameTooBig) {
 
 TEST_P(QuicFramerTest, ClientBiDiMaxStreamsFrameTooBig) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10707,7 +10742,7 @@ TEST_P(QuicFramerTest, ClientBiDiMaxStreamsFrameTooBig) {
 
 TEST_P(QuicFramerTest, ServerUniDiMaxStreamsFrameTooBig) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10746,7 +10781,7 @@ TEST_P(QuicFramerTest, ServerUniDiMaxStreamsFrameTooBig) {
 
 TEST_P(QuicFramerTest, ClientUniDiMaxStreamsFrameTooBig) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10786,7 +10821,7 @@ TEST_P(QuicFramerTest, ClientUniDiMaxStreamsFrameTooBig) {
 // Specifically test that count==0 is accepted.
 TEST_P(QuicFramerTest, MaxStreamsFrameZeroCount) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10813,7 +10848,7 @@ TEST_P(QuicFramerTest, MaxStreamsFrameZeroCount) {
 
 TEST_P(QuicFramerTest, ServerBiDiStreamsBlockedFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10856,7 +10891,7 @@ TEST_P(QuicFramerTest, ServerBiDiStreamsBlockedFrame) {
 
 TEST_P(QuicFramerTest, BiDiStreamsBlockedFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10899,7 +10934,7 @@ TEST_P(QuicFramerTest, BiDiStreamsBlockedFrame) {
 
 TEST_P(QuicFramerTest, UniDiStreamsBlockedFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10941,7 +10976,7 @@ TEST_P(QuicFramerTest, UniDiStreamsBlockedFrame) {
 
 TEST_P(QuicFramerTest, ClientUniDiStreamsBlockedFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -10986,7 +11021,7 @@ TEST_P(QuicFramerTest, ClientUniDiStreamsBlockedFrame) {
 // initiated; the logic does not take these into account.
 TEST_P(QuicFramerTest, StreamsBlockedFrameTooBig) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -11021,7 +11056,7 @@ TEST_P(QuicFramerTest, StreamsBlockedFrameTooBig) {
 // Specifically test that count==0 is accepted.
 TEST_P(QuicFramerTest, StreamsBlockedFrameZeroCount) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -11065,7 +11100,7 @@ TEST_P(QuicFramerTest, StreamsBlockedFrameZeroCount) {
 
 TEST_P(QuicFramerTest, BuildBiDiStreamsBlockedPacket) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -11107,7 +11142,7 @@ TEST_P(QuicFramerTest, BuildBiDiStreamsBlockedPacket) {
 
 TEST_P(QuicFramerTest, BuildUniStreamsBlockedPacket) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -11149,7 +11184,7 @@ TEST_P(QuicFramerTest, BuildUniStreamsBlockedPacket) {
 
 TEST_P(QuicFramerTest, BuildBiDiMaxStreamsPacket) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -11191,7 +11226,7 @@ TEST_P(QuicFramerTest, BuildBiDiMaxStreamsPacket) {
 
 TEST_P(QuicFramerTest, BuildUniDiMaxStreamsPacket) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -11235,7 +11270,7 @@ TEST_P(QuicFramerTest, BuildUniDiMaxStreamsPacket) {
 }
 
 TEST_P(QuicFramerTest, NewConnectionIdFrame) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is only for version 99.
     return;
   }
@@ -11257,7 +11292,9 @@ TEST_P(QuicFramerTest, NewConnectionIdFrame) {
       // error code
       {"Unable to read new connection ID frame sequence number.",
        {kVarInt62OneByte + 0x11}},
-      {"Unable to read new connection ID frame connection id length.",
+      {"Unable to read new connection ID frame retire_prior_to.",
+       {kVarInt62OneByte + 0x09}},
+      {"Unable to read new connection ID frame connection id.",
        {0x08}},  // connection ID length
       {"Unable to read new connection ID frame connection id.",
        {0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x11}},
@@ -11282,6 +11319,7 @@ TEST_P(QuicFramerTest, NewConnectionIdFrame) {
   EXPECT_EQ(FramerTestConnectionIdPlusOne(),
             visitor_.new_connection_id_.connection_id);
   EXPECT_EQ(0x11u, visitor_.new_connection_id_.sequence_number);
+  EXPECT_EQ(0x09u, visitor_.new_connection_id_.retire_prior_to);
   EXPECT_EQ(kTestStatelessResetToken,
             visitor_.new_connection_id_.stateless_reset_token);
 
@@ -11291,7 +11329,7 @@ TEST_P(QuicFramerTest, NewConnectionIdFrame) {
 }
 
 TEST_P(QuicFramerTest, NewConnectionIdFrameVariableLength) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is only for version 99.
     return;
   }
@@ -11313,7 +11351,9 @@ TEST_P(QuicFramerTest, NewConnectionIdFrameVariableLength) {
       // error code
       {"Unable to read new connection ID frame sequence number.",
        {kVarInt62OneByte + 0x11}},
-      {"Unable to read new connection ID frame connection id length.",
+      {"Unable to read new connection ID frame retire_prior_to.",
+       {kVarInt62OneByte + 0x0a}},
+      {"Unable to read new connection ID frame connection id.",
        {0x09}},  // connection ID length
       {"Unable to read new connection ID frame connection id.",
        {0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0x42}},
@@ -11338,6 +11378,7 @@ TEST_P(QuicFramerTest, NewConnectionIdFrameVariableLength) {
   EXPECT_EQ(FramerTestConnectionIdNineBytes(),
             visitor_.new_connection_id_.connection_id);
   EXPECT_EQ(0x11u, visitor_.new_connection_id_.sequence_number);
+  EXPECT_EQ(0x0au, visitor_.new_connection_id_.retire_prior_to);
   EXPECT_EQ(kTestStatelessResetToken,
             visitor_.new_connection_id_.stateless_reset_token);
 
@@ -11349,7 +11390,7 @@ TEST_P(QuicFramerTest, NewConnectionIdFrameVariableLength) {
 // Verifies that parsing a NEW_CONNECTION_ID frame with a length above the
 // specified maximum fails.
 TEST_P(QuicFramerTest, InvalidLongNewConnectionIdFrame) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // The NEW_CONNECTION_ID frame is only for version 99.
     return;
   }
@@ -11371,7 +11412,9 @@ TEST_P(QuicFramerTest, InvalidLongNewConnectionIdFrame) {
       // error code
       {"Unable to read new connection ID frame sequence number.",
        {kVarInt62OneByte + 0x11}},
-      {"Unable to read new connection ID frame connection id length.",
+      {"Unable to read new connection ID frame retire_prior_to.",
+       {kVarInt62OneByte + 0x0b}},
+      {"Unable to read new connection ID frame connection id.",
        {0x13}},  // connection ID length
       {"Unable to read new connection ID frame connection id.",
        {0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
@@ -11387,11 +11430,56 @@ TEST_P(QuicFramerTest, InvalidLongNewConnectionIdFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
   EXPECT_EQ(QUIC_INVALID_NEW_CONNECTION_ID_DATA, framer_.error());
-  EXPECT_EQ("New connection ID length too high.", framer_.detailed_error());
+  EXPECT_EQ("Unable to read new connection ID frame connection id.",
+            framer_.detailed_error());
+}
+
+// Verifies that parsing a NEW_CONNECTION_ID frame with an invalid
+// retire-prior-to fails.
+TEST_P(QuicFramerTest, InvalidRetirePriorToNewConnectionIdFrame) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
+    // The NEW_CONNECTION_ID frame is only for version 99.
+    return;
+  }
+  SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
+  // clang-format off
+  PacketFragments packet99 = {
+      // type (short header, 4 byte packet number)
+      {"",
+       {0x43}},
+      // connection_id
+      {"",
+       {0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}},
+      // packet number
+      {"",
+       {0x12, 0x34, 0x56, 0x78}},
+      // frame type (IETF_NEW_CONNECTION_ID frame)
+      {"",
+       {0x18}},
+      // sequence number
+      {"Unable to read new connection ID frame sequence number.",
+       {kVarInt62OneByte + 0x11}},
+      {"Unable to read new connection ID frame retire_prior_to.",
+       {kVarInt62OneByte + 0x1b}},
+      {"Unable to read new connection ID frame connection id length.",
+       {0x08}},  // connection ID length
+      {"Unable to read new connection ID frame connection id.",
+       {0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x11}},
+      {"Can not read new connection ID frame reset token.",
+       {0xb5, 0x69, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}
+  };
+  // clang-format on
+
+  std::unique_ptr<QuicEncryptedPacket> encrypted(
+      AssemblePacketFromFragments(packet99));
+  EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
+  EXPECT_EQ(QUIC_INVALID_NEW_CONNECTION_ID_DATA, framer_.error());
+  EXPECT_EQ("Retire_prior_to > sequence_number.", framer_.detailed_error());
 }
 
 TEST_P(QuicFramerTest, BuildNewConnectionIdFramePacket) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is only for version 99.
     return;
   }
@@ -11404,6 +11492,7 @@ TEST_P(QuicFramerTest, BuildNewConnectionIdFramePacket) {
 
   QuicNewConnectionIdFrame frame;
   frame.sequence_number = 0x11;
+  frame.retire_prior_to = 0x0c;
   // Use this value to force a 4-byte encoded variable length connection ID
   // in the frame.
   frame.connection_id = FramerTestConnectionIdPlusOne();
@@ -11424,6 +11513,8 @@ TEST_P(QuicFramerTest, BuildNewConnectionIdFramePacket) {
     0x18,
     // sequence number
     kVarInt62OneByte + 0x11,
+    // retire_prior_to
+    kVarInt62OneByte + 0x0c,
     // new connection id length
     0x08,
     // new connection id
@@ -11443,7 +11534,7 @@ TEST_P(QuicFramerTest, BuildNewConnectionIdFramePacket) {
 }
 
 TEST_P(QuicFramerTest, NewTokenFrame) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is only for version 99.
     return;
   }
@@ -11492,7 +11583,7 @@ TEST_P(QuicFramerTest, NewTokenFrame) {
 }
 
 TEST_P(QuicFramerTest, BuildNewTokenFramePacket) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is only for version 99.
     return;
   }
@@ -11538,7 +11629,7 @@ TEST_P(QuicFramerTest, BuildNewTokenFramePacket) {
 
 TEST_P(QuicFramerTest, IetfStopSendingFrame) {
   // This test is only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -11561,7 +11652,7 @@ TEST_P(QuicFramerTest, IetfStopSendingFrame) {
       {"Unable to read stop sending stream id.",
        {kVarInt62FourBytes + 0x01, 0x02, 0x03, 0x04}},
       {"Unable to read stop sending application error code.",
-       {0x76, 0x54}},
+       {kVarInt62FourBytes + 0x00, 0x00, 0x76, 0x54}},
   };
   // clang-format on
 
@@ -11583,7 +11674,7 @@ TEST_P(QuicFramerTest, IetfStopSendingFrame) {
 
 TEST_P(QuicFramerTest, BuildIetfStopSendingPacket) {
   // This test is only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -11612,7 +11703,7 @@ TEST_P(QuicFramerTest, BuildIetfStopSendingPacket) {
     // Stream ID
     kVarInt62FourBytes + 0x01, 0x02, 0x03, 0x04,
     // Application error code
-    0xff, 0xff
+    kVarInt62FourBytes + 0x00, 0x00, 0xff, 0xff
   };
   // clang-format on
 
@@ -11626,7 +11717,7 @@ TEST_P(QuicFramerTest, BuildIetfStopSendingPacket) {
 
 TEST_P(QuicFramerTest, IetfPathChallengeFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -11669,7 +11760,7 @@ TEST_P(QuicFramerTest, IetfPathChallengeFrame) {
 
 TEST_P(QuicFramerTest, BuildIetfPathChallengePacket) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -11709,7 +11800,7 @@ TEST_P(QuicFramerTest, BuildIetfPathChallengePacket) {
 
 TEST_P(QuicFramerTest, IetfPathResponseFrame) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -11752,7 +11843,7 @@ TEST_P(QuicFramerTest, IetfPathResponseFrame) {
 
 TEST_P(QuicFramerTest, BuildIetfPathResponsePacket) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
@@ -11800,7 +11891,7 @@ TEST_P(QuicFramerTest, GetRetransmittableControlFrameSize) {
   std::string error_detail(2048, 'e');
   QuicConnectionCloseFrame connection_close(QUIC_NETWORK_IDLE_TIMEOUT,
                                             error_detail);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     connection_close.close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
   }
 
@@ -11826,11 +11917,12 @@ TEST_P(QuicFramerTest, GetRetransmittableControlFrameSize) {
       QuicFramer::GetRetransmittableControlFrameSize(
           framer_.transport_version(), QuicFrame(&blocked)));
 
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
 
-  QuicNewConnectionIdFrame new_connection_id(5, TestConnectionId(), 1, 101111);
+  QuicNewConnectionIdFrame new_connection_id(5, TestConnectionId(), 1, 101111,
+                                             1);
   EXPECT_EQ(QuicFramer::GetNewConnectionIdFrameSize(new_connection_id),
             QuicFramer::GetRetransmittableControlFrameSize(
                 framer_.transport_version(), QuicFrame(&new_connection_id)));
@@ -11874,7 +11966,7 @@ TEST_P(QuicFramerTest, GetRetransmittableControlFrameSize) {
 // This only for version 99.
 TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown1Byte) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -11906,7 +11998,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown1Byte) {
 
 TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown2Bytes) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -11939,7 +12031,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown2Bytes) {
 
 TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown4Bytes) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -11972,7 +12064,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown4Bytes) {
 
 TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown8Bytes) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -12008,7 +12100,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown8Bytes) {
 // Look at the frame-type encoded in 2, 4, and 8 bytes.
 TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown2Bytes) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -12041,7 +12133,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown2Bytes) {
 
 TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown4Bytes) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -12074,7 +12166,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown4Bytes) {
 
 TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown8Bytes) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -12110,7 +12202,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown8Bytes) {
 // Just look at 2-byte encoding.
 TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown2BytesAllTypes) {
   // This test only for version 99.
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -12510,7 +12602,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown2BytesAllTypes) {
 }
 
 TEST_P(QuicFramerTest, RetireConnectionIdFrame) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is only for version 99.
     return;
   }
@@ -12555,7 +12647,7 @@ TEST_P(QuicFramerTest, RetireConnectionIdFrame) {
 }
 
 TEST_P(QuicFramerTest, BuildRetireConnectionIdFramePacket) {
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     // This frame is only for version 99.
     return;
   }
@@ -12681,7 +12773,7 @@ TEST_P(QuicFramerTest, AckFrameWithInvalidLargestObserved) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -12782,7 +12874,7 @@ TEST_P(QuicFramerTest, FirstAckBlockJustUnderFlow) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -12923,7 +13015,7 @@ TEST_P(QuicFramerTest, ThirdAckBlockJustUnderflow) {
 
   unsigned char* p = packet;
   size_t p_size = QUIC_ARRAYSIZE(packet);
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     p = packet99;
     p_size = QUIC_ARRAYSIZE(packet99);
   } else if (framer_.transport_version() > QUIC_VERSION_44) {
@@ -12936,7 +13028,7 @@ TEST_P(QuicFramerTest, ThirdAckBlockJustUnderflow) {
 
   QuicEncryptedPacket encrypted(AsChars(p), p_size, false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     EXPECT_EQ(framer_.detailed_error(),
               "Underflow with ack block length 6 latest ack block end is 5.");
   } else {
@@ -13330,124 +13422,10 @@ TEST_P(QuicFramerTest, PacketHeaderWithVariableLengthConnectionId) {
   CheckFramingBoundaries(fragments, QUIC_INVALID_PACKET_HEADER);
 }
 
-TEST_P(QuicFramerTest, UpdateExpectedConnectionIdLength) {
-  if (framer_.transport_version() < QUIC_VERSION_46) {
-    return;
-  }
-  SetDecrypterLevel(ENCRYPTION_ZERO_RTT);
-  framer_.SetShouldUpdateExpectedServerConnectionIdLength(true);
-
-  // clang-format off
-  unsigned char long_header_packet[] = {
-      // public flags (long header with packet type ZERO_RTT_PROTECTED and
-      // 4-byte packet number)
-      0xD3,
-      // version
-      QUIC_VERSION_BYTES,
-      // destination connection ID length
-      0x60,
-      // destination connection ID
-      0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0x42,
-      // packet number
-      0x12, 0x34, 0x56, 0x78,
-      // padding frame
-      0x00,
-  };
-  unsigned char long_header_packet99[] = {
-      // public flags (long header with packet type ZERO_RTT_PROTECTED and
-      // 4-byte packet number)
-      0xD3,
-      // version
-      QUIC_VERSION_BYTES,
-      // destination connection ID length
-      0x60,
-      // destination connection ID
-      0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0x42,
-      // long header packet length
-      0x05,
-      // packet number
-      0x12, 0x34, 0x56, 0x78,
-      // padding frame
-      0x00,
-  };
-  // clang-format on
-
-  if (!QuicVersionHasLongHeaderLengths(framer_.transport_version())) {
-    EXPECT_TRUE(framer_.ProcessPacket(
-        QuicEncryptedPacket(AsChars(long_header_packet),
-                            QUIC_ARRAYSIZE(long_header_packet), false)));
-  } else {
-    EXPECT_TRUE(framer_.ProcessPacket(
-        QuicEncryptedPacket(AsChars(long_header_packet99),
-                            QUIC_ARRAYSIZE(long_header_packet99), false)));
-  }
-
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
-  ASSERT_TRUE(visitor_.header_.get());
-  EXPECT_EQ(visitor_.header_.get()->destination_connection_id,
-            FramerTestConnectionIdNineBytes());
-  EXPECT_EQ(visitor_.header_.get()->packet_number,
-            QuicPacketNumber(UINT64_C(0x12345678)));
-
-  SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
-  // clang-format off
-  unsigned char short_header_packet[] = {
-    // type (short header, 4 byte packet number)
-    0x43,
-    // connection_id
-    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0x42,
-    // packet number
-    0x13, 0x37, 0x42, 0x33,
-    // padding frame
-    0x00,
-  };
-  // clang-format on
-
-  QuicEncryptedPacket short_header_encrypted(
-      AsChars(short_header_packet), QUIC_ARRAYSIZE(short_header_packet), false);
-  EXPECT_TRUE(framer_.ProcessPacket(short_header_encrypted));
-
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
-  ASSERT_TRUE(visitor_.header_.get());
-  EXPECT_EQ(visitor_.header_.get()->destination_connection_id,
-            FramerTestConnectionIdNineBytes());
-  EXPECT_EQ(visitor_.header_.get()->packet_number,
-            QuicPacketNumber(UINT64_C(0x13374233)));
-
-  PacketHeaderFormat format;
-  bool version_flag;
-  uint8_t destination_connection_id_length;
-  QuicConnectionId destination_connection_id;
-  QuicVersionLabel version_label;
-  std::string detailed_error;
-  EXPECT_EQ(QUIC_NO_ERROR,
-            QuicFramer::ProcessPacketDispatcher(
-                QuicEncryptedPacket(AsChars(long_header_packet),
-                                    QUIC_ARRAYSIZE(long_header_packet)),
-                kQuicDefaultConnectionIdLength, &format, &version_flag,
-                &version_label, &destination_connection_id_length,
-                &destination_connection_id, &detailed_error));
-  EXPECT_EQ(IETF_QUIC_LONG_HEADER_PACKET, format);
-  EXPECT_TRUE(version_flag);
-  EXPECT_EQ(9, destination_connection_id_length);
-  EXPECT_EQ(FramerTestConnectionIdNineBytes(), destination_connection_id);
-
-  EXPECT_EQ(QUIC_NO_ERROR,
-            QuicFramer::ProcessPacketDispatcher(
-                short_header_encrypted, 9, &format, &version_flag,
-                &version_label, &destination_connection_id_length,
-                &destination_connection_id, &detailed_error));
-  EXPECT_EQ(IETF_QUIC_SHORT_HEADER_PACKET, format);
-  EXPECT_FALSE(version_flag);
-  EXPECT_EQ(9, destination_connection_id_length);
-  EXPECT_EQ(FramerTestConnectionIdNineBytes(), destination_connection_id);
-}
-
 TEST_P(QuicFramerTest, MultiplePacketNumberSpaces) {
   if (framer_.transport_version() < QUIC_VERSION_46) {
     return;
   }
-  framer_.SetShouldUpdateExpectedServerConnectionIdLength(true);
   framer_.EnableMultiplePacketNumberSpacesSupport();
 
   // clang-format off
@@ -13458,9 +13436,9 @@ TEST_P(QuicFramerTest, MultiplePacketNumberSpaces) {
        // version
        QUIC_VERSION_BYTES,
        // destination connection ID length
-       0x60,
+       0x50,
        // destination connection ID
-       0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0x42,
+       0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
        // packet number
        0x12, 0x34, 0x56, 0x78,
        // padding frame
@@ -13473,9 +13451,9 @@ TEST_P(QuicFramerTest, MultiplePacketNumberSpaces) {
        // version
        QUIC_VERSION_BYTES,
        // destination connection ID length
-       0x60,
+       0x50,
        // destination connection ID
-       0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0x42,
+       0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
        // long header packet length
        0x05,
        // packet number
@@ -13517,7 +13495,7 @@ TEST_P(QuicFramerTest, MultiplePacketNumberSpaces) {
      // type (short header, 1 byte packet number)
      0x40,
      // connection_id
-     0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0x42,
+     0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
      // packet number
      0x79,
      // padding frame
@@ -13797,26 +13775,23 @@ TEST_P(QuicFramerTest, ParseServerVersionNegotiationProbeResponse) {
       parsed_probe_payload_bytes, parsed_probe_payload_length);
 }
 
-TEST_P(QuicFramerTest, ClientConnectionIdNotSupportedYet) {
-  if (GetQuicRestartFlag(quic_do_not_override_connection_id)) {
-    // This check is currently only performed when this flag is disabled.
-    return;
-  }
+TEST_P(QuicFramerTest, ClientConnectionIdFromLongHeaderToClient) {
   if (framer_.transport_version() <= QUIC_VERSION_43) {
     // This test requires an IETF long header.
     return;
   }
+  SetDecrypterLevel(ENCRYPTION_HANDSHAKE);
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
   const unsigned char type_byte =
-      framer_.transport_version() == QUIC_VERSION_44 ? 0xFC : 0xD3;
+      framer_.transport_version() == QUIC_VERSION_44 ? 0xFC : 0xE3;
   // clang-format off
   unsigned char packet[] = {
-    // public flags (long header with packet type ZERO_RTT_PROTECTED and
+    // public flags (long header with packet type HANDSHAKE and
     // 4-byte packet number)
     type_byte,
     // version
     QUIC_VERSION_BYTES,
-    // destination connection ID length
+    // connection ID lengths
     0x50,
     // destination connection ID
     0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
@@ -13828,16 +13803,158 @@ TEST_P(QuicFramerTest, ClientConnectionIdNotSupportedYet) {
     0x00,
   };
   // clang-format on
-  EXPECT_FALSE(framer_.ProcessPacket(
-      QuicEncryptedPacket(AsChars(packet), QUIC_ARRAYSIZE(packet), false)));
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+  const bool parse_success = framer_.ProcessPacket(
+      QuicEncryptedPacket(AsChars(packet), QUIC_ARRAYSIZE(packet), false));
   if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
           framer_.transport_version())) {
+    EXPECT_FALSE(parse_success);
+    EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
     EXPECT_EQ("Invalid ConnectionId length.", framer_.detailed_error());
-  } else {
+    return;
+  }
+  if (!GetQuicRestartFlag(quic_do_not_override_connection_id)) {
+    // When the flag is disabled we expect processing to fail.
+    EXPECT_FALSE(parse_success);
+    EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
     EXPECT_EQ("Client connection ID not supported yet.",
               framer_.detailed_error());
+    return;
+  }
+  EXPECT_TRUE(parse_success);
+  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_EQ("", framer_.detailed_error());
+  ASSERT_TRUE(visitor_.header_.get());
+  EXPECT_EQ(FramerTestConnectionId(),
+            visitor_.header_.get()->destination_connection_id);
+}
+
+TEST_P(QuicFramerTest, ClientConnectionIdFromLongHeaderToServer) {
+  if (framer_.transport_version() <= QUIC_VERSION_43) {
+    // This test requires an IETF long header.
+    return;
+  }
+  SetDecrypterLevel(ENCRYPTION_HANDSHAKE);
+  QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_SERVER);
+  const unsigned char type_byte =
+      framer_.transport_version() == QUIC_VERSION_44 ? 0xFC : 0xE3;
+  // clang-format off
+  unsigned char packet[] = {
+    // public flags (long header with packet type HANDSHAKE and
+    // 4-byte packet number)
+    type_byte,
+    // version
+    QUIC_VERSION_BYTES,
+    // connection ID lengths
+    0x05,
+    // source connection ID
+    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
+    // long header packet length
+    0x05,
+    // packet number
+    0x12, 0x34, 0x56, 0x00,
+    // padding frame
+    0x00,
+  };
+  // clang-format on
+  const bool parse_success = framer_.ProcessPacket(
+      QuicEncryptedPacket(AsChars(packet), QUIC_ARRAYSIZE(packet), false));
+  if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
+          framer_.transport_version())) {
+    EXPECT_FALSE(parse_success);
+    EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+    EXPECT_EQ("Invalid ConnectionId length.", framer_.detailed_error());
+    return;
+  }
+  if (!framer_.version().SupportsClientConnectionIds() &&
+      GetQuicRestartFlag(quic_do_not_override_connection_id)) {
+    EXPECT_FALSE(parse_success);
+    EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+    EXPECT_EQ("Client connection ID not supported in this version.",
+              framer_.detailed_error());
+    return;
+  }
+  EXPECT_TRUE(parse_success);
+  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_EQ("", framer_.detailed_error());
+  ASSERT_TRUE(visitor_.header_.get());
+  EXPECT_EQ(FramerTestConnectionId(),
+            visitor_.header_.get()->source_connection_id);
+}
+
+TEST_P(QuicFramerTest, ProcessAndValidateIetfConnectionIdLengthClient) {
+  if (framer_.transport_version() <= QUIC_VERSION_43) {
+    // This test requires an IETF long header.
+    return;
+  }
+  char connection_id_lengths = 0x05;
+  QuicDataReader reader(&connection_id_lengths, 1);
+
+  bool should_update_expected_server_connection_id_length = false;
+  uint8_t expected_server_connection_id_length = 8;
+  uint8_t destination_connection_id_length = 0;
+  uint8_t source_connection_id_length = 8;
+  std::string detailed_error = "";
+
+  EXPECT_TRUE(QuicFramerPeer::ProcessAndValidateIetfConnectionIdLength(
+      &reader, framer_.version(), Perspective::IS_CLIENT,
+      should_update_expected_server_connection_id_length,
+      &expected_server_connection_id_length, &destination_connection_id_length,
+      &source_connection_id_length, &detailed_error));
+  EXPECT_EQ(8, expected_server_connection_id_length);
+  EXPECT_EQ(0, destination_connection_id_length);
+  EXPECT_EQ(8, source_connection_id_length);
+  EXPECT_EQ("", detailed_error);
+
+  QuicDataReader reader2(&connection_id_lengths, 1);
+  should_update_expected_server_connection_id_length = true;
+  expected_server_connection_id_length = 33;
+  EXPECT_TRUE(QuicFramerPeer::ProcessAndValidateIetfConnectionIdLength(
+      &reader2, framer_.version(), Perspective::IS_CLIENT,
+      should_update_expected_server_connection_id_length,
+      &expected_server_connection_id_length, &destination_connection_id_length,
+      &source_connection_id_length, &detailed_error));
+  EXPECT_EQ(8, expected_server_connection_id_length);
+  EXPECT_EQ(0, destination_connection_id_length);
+  EXPECT_EQ(8, source_connection_id_length);
+  EXPECT_EQ("", detailed_error);
+}
+
+TEST_P(QuicFramerTest, ProcessAndValidateIetfConnectionIdLengthServer) {
+  if (framer_.transport_version() <= QUIC_VERSION_43) {
+    // This test requires an IETF long header.
+    return;
   }
+  char connection_id_lengths = 0x50;
+  QuicDataReader reader(&connection_id_lengths, 1);
+
+  bool should_update_expected_server_connection_id_length = false;
+  uint8_t expected_server_connection_id_length = 8;
+  uint8_t destination_connection_id_length = 8;
+  uint8_t source_connection_id_length = 0;
+  std::string detailed_error = "";
+
+  EXPECT_TRUE(QuicFramerPeer::ProcessAndValidateIetfConnectionIdLength(
+      &reader, framer_.version(), Perspective::IS_SERVER,
+      should_update_expected_server_connection_id_length,
+      &expected_server_connection_id_length, &destination_connection_id_length,
+      &source_connection_id_length, &detailed_error));
+  EXPECT_EQ(8, expected_server_connection_id_length);
+  EXPECT_EQ(8, destination_connection_id_length);
+  EXPECT_EQ(0, source_connection_id_length);
+  EXPECT_EQ("", detailed_error);
+
+  QuicDataReader reader2(&connection_id_lengths, 1);
+  should_update_expected_server_connection_id_length = true;
+  expected_server_connection_id_length = 33;
+  EXPECT_TRUE(QuicFramerPeer::ProcessAndValidateIetfConnectionIdLength(
+      &reader2, framer_.version(), Perspective::IS_SERVER,
+      should_update_expected_server_connection_id_length,
+      &expected_server_connection_id_length, &destination_connection_id_length,
+      &source_connection_id_length, &detailed_error));
+  EXPECT_EQ(8, expected_server_connection_id_length);
+  EXPECT_EQ(8, destination_connection_id_length);
+  EXPECT_EQ(0, source_connection_id_length);
+  EXPECT_EQ("", detailed_error);
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_ietf_framer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_ietf_framer_test.cc
index f30fc99cb55..dbbacdd8ddc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_ietf_framer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_ietf_framer_test.cc
@@ -91,116 +91,131 @@ class TestQuicVisitor : public QuicFramerVisitorInterface {
 
   void OnPacket() override {}
 
-  void OnPublicResetPacket(const QuicPublicResetPacket& packet) override {}
+  void OnPublicResetPacket(const QuicPublicResetPacket& /*packet*/) override {}
 
   void OnVersionNegotiationPacket(
-      const QuicVersionNegotiationPacket& packet) override {}
+      const QuicVersionNegotiationPacket& /*packet*/) override {}
 
-  void OnRetryPacket(QuicConnectionId original_connection_id,
-                     QuicConnectionId new_connection_id,
-                     QuicStringPiece retry_token) override {}
+  void OnRetryPacket(QuicConnectionId /*original_connection_id*/,
+                     QuicConnectionId /*new_connection_id*/,
+                     QuicStringPiece /*retry_token*/) override {}
 
-  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version,
-                                 PacketHeaderFormat form) override {
+  bool OnProtocolVersionMismatch(
+      ParsedQuicVersion /*received_version*/) override {
     return true;
   }
 
-  bool OnUnauthenticatedPublicHeader(const QuicPacketHeader& header) override {
+  bool OnUnauthenticatedPublicHeader(
+      const QuicPacketHeader& /*header*/) override {
     return true;
   }
 
-  bool OnUnauthenticatedHeader(const QuicPacketHeader& header) override {
+  bool OnUnauthenticatedHeader(const QuicPacketHeader& /*header*/) override {
     return true;
   }
 
-  void OnDecryptedPacket(EncryptionLevel level) override {}
+  void OnDecryptedPacket(EncryptionLevel /*level*/) override {}
 
-  bool OnPacketHeader(const QuicPacketHeader& header) override { return true; }
+  bool OnPacketHeader(const QuicPacketHeader& /*header*/) override {
+    return true;
+  }
 
-  void OnCoalescedPacket(const QuicEncryptedPacket& packet) override {}
+  void OnCoalescedPacket(const QuicEncryptedPacket& /*packet*/) override {}
 
-  bool OnStreamFrame(const QuicStreamFrame& frame) override { return true; }
+  bool OnStreamFrame(const QuicStreamFrame& /*frame*/) override { return true; }
 
-  bool OnCryptoFrame(const QuicCryptoFrame& frame) override { return true; }
+  bool OnCryptoFrame(const QuicCryptoFrame& /*frame*/) override { return true; }
 
-  bool OnAckFrameStart(QuicPacketNumber largest_acked,
-                       QuicTime::Delta ack_delay_time) override {
+  bool OnAckFrameStart(QuicPacketNumber /*largest_acked*/,
+                       QuicTime::Delta /*ack_delay_time*/) override {
     return true;
   }
 
-  bool OnAckRange(QuicPacketNumber start, QuicPacketNumber end) override {
+  bool OnAckRange(QuicPacketNumber /*start*/,
+                  QuicPacketNumber /*end*/) override {
     return true;
   }
 
-  bool OnAckTimestamp(QuicPacketNumber packet_number,
-                      QuicTime timestamp) override {
+  bool OnAckTimestamp(QuicPacketNumber /*packet_number*/,
+                      QuicTime /*timestamp*/) override {
     return true;
   }
 
-  bool OnAckFrameEnd(QuicPacketNumber start) override { return true; }
+  bool OnAckFrameEnd(QuicPacketNumber /*start*/) override { return true; }
 
-  bool OnStopWaitingFrame(const QuicStopWaitingFrame& frame) override {
+  bool OnStopWaitingFrame(const QuicStopWaitingFrame& /*frame*/) override {
     return true;
   }
 
-  bool OnPaddingFrame(const QuicPaddingFrame& frame) override { return true; }
+  bool OnPaddingFrame(const QuicPaddingFrame& /*frame*/) override {
+    return true;
+  }
 
-  bool OnPingFrame(const QuicPingFrame& frame) override { return true; }
+  bool OnPingFrame(const QuicPingFrame& /*frame*/) override { return true; }
 
-  bool OnMessageFrame(const QuicMessageFrame& frame) override { return true; }
+  bool OnMessageFrame(const QuicMessageFrame& /*frame*/) override {
+    return true;
+  }
 
   void OnPacketComplete() override {}
 
-  bool OnRstStreamFrame(const QuicRstStreamFrame& frame) override {
+  bool OnRstStreamFrame(const QuicRstStreamFrame& /*frame*/) override {
     return true;
   }
 
-  bool OnConnectionCloseFrame(const QuicConnectionCloseFrame& frame) override {
+  bool OnConnectionCloseFrame(
+      const QuicConnectionCloseFrame& /*frame*/) override {
     return true;
   }
 
-  bool OnStopSendingFrame(const QuicStopSendingFrame& frame) override {
+  bool OnStopSendingFrame(const QuicStopSendingFrame& /*frame*/) override {
     return true;
   }
 
-  bool OnPathChallengeFrame(const QuicPathChallengeFrame& frame) override {
+  bool OnPathChallengeFrame(const QuicPathChallengeFrame& /*frame*/) override {
     return true;
   }
-  bool OnPathResponseFrame(const QuicPathResponseFrame& frame) override {
+  bool OnPathResponseFrame(const QuicPathResponseFrame& /*frame*/) override {
     return true;
   }
 
-  bool OnGoAwayFrame(const QuicGoAwayFrame& frame) override { return true; }
+  bool OnGoAwayFrame(const QuicGoAwayFrame& /*frame*/) override { return true; }
 
-  bool OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) override {
+  bool OnWindowUpdateFrame(const QuicWindowUpdateFrame& /*frame*/) override {
     return true;
   }
 
-  bool OnBlockedFrame(const QuicBlockedFrame& frame) override { return true; }
+  bool OnBlockedFrame(const QuicBlockedFrame& /*frame*/) override {
+    return true;
+  }
 
-  bool OnNewConnectionIdFrame(const QuicNewConnectionIdFrame& frame) override {
+  bool OnNewConnectionIdFrame(
+      const QuicNewConnectionIdFrame& /*frame*/) override {
     return true;
   }
 
   bool OnRetireConnectionIdFrame(
-      const QuicRetireConnectionIdFrame& frame) override {
+      const QuicRetireConnectionIdFrame& /*frame*/) override {
     return true;
   }
 
-  bool OnNewTokenFrame(const QuicNewTokenFrame& frame) override { return true; }
+  bool OnNewTokenFrame(const QuicNewTokenFrame& /*frame*/) override {
+    return true;
+  }
 
-  bool IsValidStatelessResetToken(QuicUint128 token) const override {
+  bool IsValidStatelessResetToken(QuicUint128 /*token*/) const override {
     return true;
   }
 
   void OnAuthenticatedIetfStatelessResetPacket(
-      const QuicIetfStatelessResetPacket& packet) override {}
+      const QuicIetfStatelessResetPacket& /*packet*/) override {}
 
-  bool OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) override {
+  bool OnMaxStreamsFrame(const QuicMaxStreamsFrame& /*frame*/) override {
     return true;
   }
 
-  bool OnStreamsBlockedFrame(const QuicStreamsBlockedFrame& frame) override {
+  bool OnStreamsBlockedFrame(
+      const QuicStreamsBlockedFrame& /*frame*/) override {
     return true;
   }
 };
@@ -289,7 +304,7 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
   //   - did the things the reader read match what the writer wrote?
   // Returns true if it all worked false if not.
   bool TryAckFrame(char* packet_buffer,
-                   size_t packet_buffer_size,
+                   size_t /*packet_buffer_size*/,
                    struct ack_frame* frame) {
     QuicAckFrame transmit_frame = InitAckFrame(frame->ranges);
     if (frame->is_ack_ecn) {
@@ -442,9 +457,10 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     // Write the frame to the packet buffer.
     EXPECT_TRUE(QuicFramerPeer::AppendIetfResetStreamFrame(
         &framer_, transmit_frame, &writer));
-    // Check that the size of the serialzed frame is in the allowed range.
-    EXPECT_LT(3u, writer.length());
-    EXPECT_GT(19u, writer.length());
+    // Check that the size of the serialzed frame is in the allowed range (3 to
+    // 24 bytes, inclusive).
+    EXPECT_LT(2u, writer.length());
+    EXPECT_GT(25u, writer.length());
     // Now set up a reader to read in the thing in.
     QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
 
@@ -1365,6 +1381,7 @@ TEST_F(QuicIetfFramerTest, NewConnectionIdFrame) {
   QuicNewConnectionIdFrame transmit_frame;
   transmit_frame.connection_id = TestConnectionId(UINT64_C(0x0edcba9876543201));
   transmit_frame.sequence_number = 0x01020304;
+  transmit_frame.retire_prior_to = 0x00020304;
   // The token is defined as a uint128 -- a 16-byte integer.
   // The value is set in this manner because we want each
   // byte to have a specific value so that the binary
@@ -1386,12 +1403,12 @@ TEST_F(QuicIetfFramerTest, NewConnectionIdFrame) {
   // Add the frame.
   EXPECT_TRUE(QuicFramerPeer::AppendNewConnectionIdFrame(
       &framer_, transmit_frame, &writer));
-  // Check that buffer length is correct
-  EXPECT_EQ(29u, writer.length());
   // clang-format off
   uint8_t packet[] = {
     // sequence number, 0x80 for varint62 encoding
     0x80 + 0x01, 0x02, 0x03, 0x04,
+    // retire_prior_to, 0x80 for varint62 encoding
+    0x80 + 0x00, 0x02, 0x03, 0x04,
     // new connection id length, is not varint62 encoded.
     0x08,
     // new connection id, is not varint62 encoded.
@@ -1400,8 +1417,10 @@ TEST_F(QuicIetfFramerTest, NewConnectionIdFrame) {
     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
   };
-
   // clang-format on
+
+  // Check that buffer length is correct
+  EXPECT_EQ(sizeof(packet), writer.length());
   EXPECT_EQ(0, memcmp(packet_buffer, packet, sizeof(packet)));
 
   // Set up reader and empty receive QuicPaddingFrame.
@@ -1415,6 +1434,7 @@ TEST_F(QuicIetfFramerTest, NewConnectionIdFrame) {
   // Now check that received == sent
   EXPECT_EQ(transmit_frame.connection_id, receive_frame.connection_id);
   EXPECT_EQ(transmit_frame.sequence_number, receive_frame.sequence_number);
+  EXPECT_EQ(transmit_frame.retire_prior_to, receive_frame.retire_prior_to);
   EXPECT_EQ(transmit_frame.stateless_reset_token,
             receive_frame.stateless_reset_token);
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.cc
index 7420c723074..a8d32918b5a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.cc
@@ -75,6 +75,7 @@ QuicPacketCreator::QuicPacketCreator(QuicConnectionId server_connection_id,
       server_connection_id_included_(CONNECTION_ID_PRESENT),
       packet_size_(0),
       server_connection_id_(server_connection_id),
+      client_connection_id_(EmptyQuicConnectionId()),
       packet_(QuicPacketNumber(),
               PACKET_1BYTE_PACKET_NUMBER,
               nullptr,
@@ -83,7 +84,9 @@ QuicPacketCreator::QuicPacketCreator(QuicConnectionId server_connection_id,
               false),
       pending_padding_bytes_(0),
       needs_full_padding_(false),
-      can_set_transmission_type_(false) {
+      can_set_transmission_type_(false),
+      fix_get_packet_header_size_(
+          GetQuicReloadableFlag(quic_fix_get_packet_header_size)) {
   SetMaxPacketLength(kDefaultMaxPacketSize);
 }
 
@@ -123,7 +126,7 @@ void QuicPacketCreator::SetMaxPacketLength(QuicByteCount length) {
 // maximum packet size if we stop sending version before it is serialized.
 void QuicPacketCreator::StopSendingVersion() {
   DCHECK(send_version_in_packet_);
-  DCHECK_LE(framer_->transport_version(), QUIC_VERSION_43);
+  DCHECK(!VersionHasIetfInvariantHeader(framer_->transport_version()));
   send_version_in_packet_ = false;
   if (packet_size_ > 0) {
     DCHECK_LT(kQuicVersionSize, packet_size_);
@@ -192,7 +195,7 @@ bool QuicPacketCreator::ConsumeData(QuicStreamId id,
   }
   CreateStreamFrame(id, data_size, offset, fin, frame);
   // Explicitly disallow multi-packet CHLOs.
-  if (FLAGS_quic_enforce_single_packet_chlo &&
+  if (GetQuicFlag(FLAGS_quic_enforce_single_packet_chlo) &&
       StreamFrameIsClientHello(frame->stream_frame) &&
       frame->stream_frame.data_length < data_size) {
     const std::string error_details =
@@ -436,14 +439,25 @@ void QuicPacketCreator::CreateAndSerializeStreamFrame(
   QUIC_BUG_IF(iov_offset == write_length && !fin)
       << "Creating a stream frame with no data or fin.";
   const size_t remaining_data_size = write_length - iov_offset;
-  const size_t min_frame_size = QuicFramer::GetMinStreamFrameSize(
+  size_t min_frame_size = QuicFramer::GetMinStreamFrameSize(
       framer_->transport_version(), id, stream_offset,
       /* last_frame_in_packet= */ true, remaining_data_size);
-  const size_t available_size =
+  size_t available_size =
       max_plaintext_size_ - writer.length() - min_frame_size;
-  const size_t bytes_consumed =
-      std::min<size_t>(available_size, remaining_data_size);
-  const size_t plaintext_bytes_written = min_frame_size + bytes_consumed;
+  size_t bytes_consumed = std::min<size_t>(available_size, remaining_data_size);
+  size_t plaintext_bytes_written = min_frame_size + bytes_consumed;
+  bool needs_padding = false;
+  if (plaintext_bytes_written < MinPlaintextPacketSize(framer_->version())) {
+    needs_padding = true;
+    // Recalculate sizes with the stream frame not being marked as the last
+    // frame in the packet.
+    min_frame_size = QuicFramer::GetMinStreamFrameSize(
+        framer_->transport_version(), id, stream_offset,
+        /* last_frame_in_packet= */ false, remaining_data_size);
+    available_size = max_plaintext_size_ - writer.length() - min_frame_size;
+    bytes_consumed = std::min<size_t>(available_size, remaining_data_size);
+    plaintext_bytes_written = min_frame_size + bytes_consumed;
+  }
 
   const bool set_fin = fin && (bytes_consumed == remaining_data_size);
   QuicStreamFrame frame(id, set_fin, stream_offset, bytes_consumed);
@@ -452,19 +466,21 @@ void QuicPacketCreator::CreateAndSerializeStreamFrame(
   }
   QUIC_DVLOG(1) << ENDPOINT << "Adding frame: " << frame;
 
+  QUIC_DVLOG(2) << ENDPOINT << "Serializing stream packet " << header << frame;
+
   // TODO(ianswett): AppendTypeByte and AppendStreamFrame could be optimized
   // into one method that takes a QuicStreamFrame, if warranted.
-  if (!framer_->AppendTypeByte(QuicFrame(frame),
-                               /* no stream frame length */ true, &writer)) {
+  bool omit_frame_length = !needs_padding;
+  if (!framer_->AppendTypeByte(QuicFrame(frame), omit_frame_length, &writer)) {
     QUIC_BUG << "AppendTypeByte failed";
     return;
   }
-  if (!framer_->AppendStreamFrame(frame, /* no stream frame length */ true,
-                                  &writer)) {
+  if (!framer_->AppendStreamFrame(frame, omit_frame_length, &writer)) {
     QUIC_BUG << "AppendStreamFrame failed";
     return;
   }
-  if (plaintext_bytes_written < MinPlaintextPacketSize(framer_->version()) &&
+  if (needs_padding &&
+      plaintext_bytes_written < MinPlaintextPacketSize(framer_->version()) &&
       !writer.WritePaddingBytes(MinPlaintextPacketSize(framer_->version()) -
                                 plaintext_bytes_written)) {
     QUIC_BUG << "Unable to add padding bytes";
@@ -531,7 +547,7 @@ size_t QuicPacketCreator::ExpansionOnNewFrame() const {
   if (!has_trailing_stream_frame) {
     return 0;
   }
-  if (framer_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_->transport_version())) {
     return QuicDataWriter::GetVarInt62Len(
         queued_frames_.back().stream_frame.data_length);
   }
@@ -580,6 +596,9 @@ void QuicPacketCreator::SerializePacket(char* encrypted_buffer,
 
   MaybeAddPadding();
 
+  QUIC_DVLOG(2) << ENDPOINT << "Serializing packet " << header
+                << QuicFramesToString(queued_frames_);
+
   DCHECK_GE(max_plaintext_size_, packet_size_);
   // Use the packet_size_ instead of the buffer size to ensure smaller
   // packet sizes are properly used.
@@ -625,7 +644,7 @@ QuicPacketCreator::SerializeVersionNegotiationPacket(
   DCHECK_EQ(Perspective::IS_SERVER, framer_->perspective());
   std::unique_ptr<QuicEncryptedPacket> encrypted =
       QuicFramer::BuildVersionNegotiationPacket(server_connection_id_,
-                                                EmptyQuicConnectionId(),
+                                                client_connection_id_,
                                                 ietf_quic, supported_versions);
   DCHECK(encrypted);
   DCHECK_GE(max_packet_length_, encrypted->length());
@@ -634,12 +653,15 @@ QuicPacketCreator::SerializeVersionNegotiationPacket(
 
 OwningSerializedPacketPointer
 QuicPacketCreator::SerializeConnectivityProbingPacket() {
-  QUIC_BUG_IF(framer_->transport_version() == QUIC_VERSION_99)
+  QUIC_BUG_IF(VersionHasIetfQuicFrames(framer_->transport_version()))
       << "Must not be version 99 to serialize padded ping connectivity probe";
   QuicPacketHeader header;
   // FillPacketHeader increments packet_number_.
   FillPacketHeader(&header);
 
+  QUIC_DVLOG(2) << ENDPOINT << "Serializing connectivity probing packet "
+                << header;
+
   std::unique_ptr<char[]> buffer(new char[kMaxOutgoingPacketSize]);
   size_t length = framer_->BuildConnectivityProbingPacket(
       header, buffer.get(), max_plaintext_size_, packet_.encryption_level);
@@ -664,7 +686,7 @@ QuicPacketCreator::SerializeConnectivityProbingPacket() {
 OwningSerializedPacketPointer
 QuicPacketCreator::SerializePathChallengeConnectivityProbingPacket(
     QuicPathFrameBuffer* payload) {
-  QUIC_BUG_IF(framer_->transport_version() != QUIC_VERSION_99)
+  QUIC_BUG_IF(!VersionHasIetfQuicFrames(framer_->transport_version()))
       << "Must be version 99 to serialize path challenge connectivity probe, "
          "is version "
       << framer_->transport_version();
@@ -672,6 +694,8 @@ QuicPacketCreator::SerializePathChallengeConnectivityProbingPacket(
   // FillPacketHeader increments packet_number_.
   FillPacketHeader(&header);
 
+  QUIC_DVLOG(2) << ENDPOINT << "Serializing path challenge packet " << header;
+
   std::unique_ptr<char[]> buffer(new char[kMaxOutgoingPacketSize]);
   size_t length = framer_->BuildPaddedPathChallengePacket(
       header, buffer.get(), max_plaintext_size_, payload, random_,
@@ -698,7 +722,7 @@ OwningSerializedPacketPointer
 QuicPacketCreator::SerializePathResponseConnectivityProbingPacket(
     const QuicDeque<QuicPathFrameBuffer>& payloads,
     const bool is_padded) {
-  QUIC_BUG_IF(framer_->transport_version() != QUIC_VERSION_99)
+  QUIC_BUG_IF(!VersionHasIetfQuicFrames(framer_->transport_version()))
       << "Must be version 99 to serialize path response connectivity probe, is "
          "version "
       << framer_->transport_version();
@@ -706,6 +730,8 @@ QuicPacketCreator::SerializePathResponseConnectivityProbingPacket(
   // FillPacketHeader increments packet_number_.
   FillPacketHeader(&header);
 
+  QUIC_DVLOG(2) << ENDPOINT << "Serializing path response packet " << header;
+
   std::unique_ptr<char[]> buffer(new char[kMaxOutgoingPacketSize]);
   size_t length = framer_->BuildPathResponsePacket(
       header, buffer.get(), max_plaintext_size_, payloads, is_padded,
@@ -738,9 +764,9 @@ QuicConnectionId QuicPacketCreator::GetDestinationConnectionId() const {
   if (!GetQuicRestartFlag(quic_do_not_override_connection_id)) {
     return server_connection_id_;
   }
-  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 1, 5);
+  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 1, 7);
   if (framer_->perspective() == Perspective::IS_SERVER) {
-    return EmptyQuicConnectionId();
+    return client_connection_id_;
   }
   return server_connection_id_;
 }
@@ -749,20 +775,21 @@ QuicConnectionId QuicPacketCreator::GetSourceConnectionId() const {
   if (!GetQuicRestartFlag(quic_do_not_override_connection_id)) {
     return server_connection_id_;
   }
-  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 6, 6);
+  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 6, 7);
   if (framer_->perspective() == Perspective::IS_CLIENT) {
-    return EmptyQuicConnectionId();
+    return client_connection_id_;
   }
   return server_connection_id_;
 }
 
 QuicConnectionIdIncluded QuicPacketCreator::GetDestinationConnectionIdIncluded()
     const {
-  if (framer_->transport_version() > QUIC_VERSION_43 ||
+  if (VersionHasIetfInvariantHeader(framer_->transport_version()) ||
       GetQuicRestartFlag(quic_do_not_override_connection_id)) {
-    // Packets sent by client always include destination connection ID, and
-    // those sent by the server do not include destination connection ID.
-    return framer_->perspective() == Perspective::IS_CLIENT
+    // In versions that do not support client connection IDs, the destination
+    // connection ID is only sent from client to server.
+    return (framer_->perspective() == Perspective::IS_CLIENT ||
+            framer_->version().SupportsClientConnectionIds())
                ? CONNECTION_ID_PRESENT
                : CONNECTION_ID_ABSENT;
   }
@@ -772,12 +799,16 @@ QuicConnectionIdIncluded QuicPacketCreator::GetDestinationConnectionIdIncluded()
 QuicConnectionIdIncluded QuicPacketCreator::GetSourceConnectionIdIncluded()
     const {
   // Long header packets sent by server include source connection ID.
-  if (HasIetfLongHeader() && framer_->perspective() == Perspective::IS_SERVER) {
+  // Ones sent by the client only include source connection ID if the version
+  // supports client connection IDs.
+  if (HasIetfLongHeader() &&
+      (framer_->perspective() == Perspective::IS_SERVER ||
+       framer_->version().SupportsClientConnectionIds())) {
     return CONNECTION_ID_PRESENT;
   }
   if (GetQuicRestartFlag(quic_do_not_override_connection_id) &&
       framer_->perspective() == Perspective::IS_SERVER) {
-    QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 2, 5);
+    QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 2, 7);
     return server_connection_id_included_;
   }
   return CONNECTION_ID_ABSENT;
@@ -803,7 +834,8 @@ QuicConnectionIdLength QuicPacketCreator::GetSourceConnectionIdLength() const {
 }
 
 QuicPacketNumberLength QuicPacketCreator::GetPacketNumberLength() const {
-  if (HasIetfLongHeader() && framer_->transport_version() != QUIC_VERSION_99) {
+  if (HasIetfLongHeader() &&
+      !framer_->version().SendsVariableLengthPacketNumberInLongHeader()) {
     return PACKET_4BYTE_PACKET_NUMBER;
   }
   return packet_.packet_number_length;
@@ -997,7 +1029,7 @@ bool QuicPacketCreator::IncludeNonceInPublicHeader() const {
 }
 
 bool QuicPacketCreator::IncludeVersionInHeader() const {
-  if (framer_->transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(framer_->transport_version())) {
     return packet_.encryption_level < ENCRYPTION_FORWARD_SECURE;
   }
   return send_version_in_packet_;
@@ -1032,6 +1064,15 @@ void QuicPacketCreator::SetServerConnectionId(
   server_connection_id_ = server_connection_id;
 }
 
+void QuicPacketCreator::SetClientConnectionId(
+    QuicConnectionId client_connection_id) {
+  DCHECK(client_connection_id.IsEmpty() ||
+         framer_->version().SupportsClientConnectionIds());
+  DCHECK(client_connection_id.IsEmpty() ||
+         GetQuicRestartFlag(quic_do_not_override_connection_id));
+  client_connection_id_ = client_connection_id;
+}
+
 void QuicPacketCreator::SetTransmissionType(TransmissionType type) {
   DCHECK(can_set_transmission_type_);
 
@@ -1045,7 +1086,7 @@ void QuicPacketCreator::SetTransmissionType(TransmissionType type) {
 }
 
 QuicPacketLength QuicPacketCreator::GetCurrentLargestMessagePayload() const {
-  if (framer_->transport_version() <= QUIC_VERSION_44) {
+  if (!VersionSupportsMessageFrames(framer_->transport_version())) {
     return 0;
   }
   const size_t packet_header_size = GetPacketHeaderSize(
@@ -1061,7 +1102,7 @@ QuicPacketLength QuicPacketCreator::GetCurrentLargestMessagePayload() const {
 }
 
 QuicPacketLength QuicPacketCreator::GetGuaranteedLargestMessagePayload() const {
-  if (framer_->transport_version() <= QUIC_VERSION_44) {
+  if (!VersionSupportsMessageFrames(framer_->transport_version())) {
     return 0;
   }
   // QUIC Crypto server packets may include a diversification nonce.
@@ -1070,9 +1111,15 @@ QuicPacketLength QuicPacketCreator::GetGuaranteedLargestMessagePayload() const {
       framer_->perspective() == Perspective::IS_SERVER;
   // IETF QUIC long headers include a length on client 0RTT packets.
   QuicVariableLengthIntegerLength length_length =
-      framer_->perspective() == Perspective::IS_CLIENT
-          ? VARIABLE_LENGTH_INTEGER_LENGTH_2
-          : VARIABLE_LENGTH_INTEGER_LENGTH_0;
+      VARIABLE_LENGTH_INTEGER_LENGTH_0;
+  if (framer_->perspective() == Perspective::IS_CLIENT) {
+    length_length = VARIABLE_LENGTH_INTEGER_LENGTH_2;
+  }
+  if (!QuicVersionHasLongHeaderLengths(framer_->transport_version()) &&
+      fix_get_packet_header_size_) {
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_fix_get_packet_header_size, 3, 3);
+    length_length = VARIABLE_LENGTH_INTEGER_LENGTH_0;
+  }
   const size_t packet_header_size = GetPacketHeaderSize(
       framer_->transport_version(), GetDestinationConnectionIdLength(),
       // Assume CID lengths don't change, but version may be present.
@@ -1091,10 +1138,11 @@ QuicPacketLength QuicPacketCreator::GetGuaranteedLargestMessagePayload() const {
 }
 
 bool QuicPacketCreator::HasIetfLongHeader() const {
-  return framer_->transport_version() > QUIC_VERSION_43 &&
+  return VersionHasIetfInvariantHeader(framer_->transport_version()) &&
          packet_.encryption_level < ENCRYPTION_FORWARD_SECURE;
 }
 
+// static
 size_t QuicPacketCreator::MinPlaintextPacketSize(
     const ParsedQuicVersion& version) {
   if (!version.HasHeaderProtection()) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.h b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.h
index a7b1d5cb3e3..2c2fffb12fb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.h
@@ -52,7 +52,7 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
     virtual ~DebugDelegate() {}
 
     // Called when a frame has been added to the current packet.
-    virtual void OnFrameAddedToPacket(const QuicFrame& frame) {}
+    virtual void OnFrameAddedToPacket(const QuicFrame& /*frame*/) {}
   };
 
   QuicPacketCreator(QuicConnectionId server_connection_id,
@@ -228,6 +228,9 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // Update the server connection ID used in outgoing packets.
   void SetServerConnectionId(QuicConnectionId server_connection_id);
 
+  // Update the client connection ID used in outgoing packets.
+  void SetClientConnectionId(QuicConnectionId client_connection_id);
+
   // Sets the encryption level that will be applied to new packets.
   void set_encryption_level(EncryptionLevel level) {
     packet_.encryption_level = level;
@@ -407,6 +410,7 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // QuicEncryptedPacket has been flattened into SerializedPacket.
   size_t packet_size_;
   QuicConnectionId server_connection_id_;
+  QuicConnectionId client_connection_id_;
 
   // Packet used to invoke OnSerializedPacket.
   SerializedPacket packet_;
@@ -427,6 +431,9 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // If true, packet_'s transmission type is only set by
   // SetPacketTransmissionType and does not get cleared in ClearPacket.
   bool can_set_transmission_type_;
+
+  // Latched value of quic_fix_get_packet_header_size flag.
+  bool fix_get_packet_header_size_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator_test.cc
index bf695637322..802c07b4ee6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator_test.cc
@@ -104,7 +104,7 @@ class TestPacketCreator : public QuicPacketCreator {
   }
 
   void StopSendingVersion() {
-    if (version_ > QUIC_VERSION_43) {
+    if (VersionHasIetfInvariantHeader(version_)) {
       set_encryption_level(ENCRYPTION_FORWARD_SECURE);
       return;
     }
@@ -154,6 +154,7 @@ class QuicPacketCreatorTest : public QuicTestWithParam<TestParams> {
         data_("foo"),
         creator_(connection_id_, &client_framer_, &delegate_, &producer_),
         serialized_packet_(creator_.NoPacket()) {
+    QuicPacketCreatorPeer::EnableGetPacketHeaderSizeBugFix(&creator_);
     EXPECT_CALL(delegate_, GetPacketBuffer()).WillRepeatedly(Return(nullptr));
     creator_.SetEncrypter(ENCRYPTION_HANDSHAKE, QuicMakeUnique<NullEncrypter>(
                                                     Perspective::IS_CLIENT));
@@ -261,7 +262,9 @@ class QuicPacketCreatorTest : public QuicTestWithParam<TestParams> {
   }
 
   QuicStreamId GetNthClientInitiatedStreamId(int n) const {
-    return QuicUtils::GetHeadersStreamId(creator_.transport_version()) + n * 2;
+    return QuicUtils::GetFirstBidirectionalStreamId(
+               creator_.transport_version(), Perspective::IS_CLIENT) +
+           n * 2;
   }
 
   static const QuicStreamOffset kOffset = 0u;
@@ -331,7 +334,7 @@ TEST_P(QuicPacketCreatorTest, SerializeFrames) {
 }
 
 TEST_P(QuicPacketCreatorTest, ReserializeFramesWithSequenceNumberLength) {
-  if (client_framer_.transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(client_framer_.transport_version())) {
     creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
   }
   // If the original packet number length, the current packet number
@@ -574,7 +577,7 @@ TEST_P(QuicPacketCreatorTest, ReserializeFramesWithFullPacketAndPadding) {
 
 TEST_P(QuicPacketCreatorTest, SerializeConnectionClose) {
   QuicConnectionCloseFrame frame(QUIC_NO_ERROR, "error");
-  if (GetParam().version.transport_version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     frame.close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
   }
 
@@ -714,7 +717,7 @@ TEST_P(QuicPacketCreatorTest, StreamFrameConsumption) {
 TEST_P(QuicPacketCreatorTest, CryptoStreamFramePacketPadding) {
   // This test serializes crypto payloads slightly larger than a packet, which
   // Causes the multi-packet ClientHello check to fail.
-  FLAGS_quic_enforce_single_packet_chlo = false;
+  SetQuicFlag(FLAGS_quic_enforce_single_packet_chlo, false);
   // Compute the total overhead for a single frame in packet.
   size_t overhead =
       GetPacketHeaderOverhead(client_framer_.transport_version()) +
@@ -808,7 +811,8 @@ TEST_P(QuicPacketCreatorTest, SerializeVersionNegotiationPacket) {
   QuicFramerPeer::SetPerspective(&client_framer_, Perspective::IS_SERVER);
   ParsedQuicVersionVector versions;
   versions.push_back(test::QuicVersionMax());
-  const bool ietf_quic = GetParam().version.transport_version > QUIC_VERSION_43;
+  const bool ietf_quic =
+      VersionHasIetfInvariantHeader(GetParam().version.transport_version);
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       creator_.SerializeVersionNegotiationPacket(ietf_quic, versions));
 
@@ -829,7 +833,7 @@ TEST_P(QuicPacketCreatorTest, SerializeConnectivityProbingPacket) {
     creator_.set_encryption_level(level);
 
     OwningSerializedPacketPointer encrypted;
-    if (GetParam().version.transport_version == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
       QuicPathFrameBuffer payload = {
           {0xde, 0xad, 0xbe, 0xef, 0xba, 0xdc, 0x0f, 0xfe}};
       encrypted =
@@ -844,7 +848,7 @@ TEST_P(QuicPacketCreatorTest, SerializeConnectivityProbingPacket) {
       EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
       EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
       EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
-      if (GetParam().version.transport_version == QUIC_VERSION_99) {
+      if (VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
         EXPECT_CALL(framer_visitor_, OnPathChallengeFrame(_));
         EXPECT_CALL(framer_visitor_, OnPaddingFrame(_));
       } else {
@@ -860,7 +864,7 @@ TEST_P(QuicPacketCreatorTest, SerializeConnectivityProbingPacket) {
 }
 
 TEST_P(QuicPacketCreatorTest, SerializePathChallengeProbePacket) {
-  if (GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     return;
   }
   QuicPathFrameBuffer payload = {
@@ -891,7 +895,7 @@ TEST_P(QuicPacketCreatorTest, SerializePathChallengeProbePacket) {
 }
 
 TEST_P(QuicPacketCreatorTest, SerializePathResponseProbePacket1PayloadPadded) {
-  if (GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     return;
   }
   QuicPathFrameBuffer payload0 = {
@@ -925,7 +929,7 @@ TEST_P(QuicPacketCreatorTest, SerializePathResponseProbePacket1PayloadPadded) {
 
 TEST_P(QuicPacketCreatorTest,
        SerializePathResponseProbePacket1PayloadUnPadded) {
-  if (GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     return;
   }
   QuicPathFrameBuffer payload0 = {
@@ -957,7 +961,7 @@ TEST_P(QuicPacketCreatorTest,
 }
 
 TEST_P(QuicPacketCreatorTest, SerializePathResponseProbePacket2PayloadsPadded) {
-  if (GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     return;
   }
   QuicPathFrameBuffer payload0 = {
@@ -994,7 +998,7 @@ TEST_P(QuicPacketCreatorTest, SerializePathResponseProbePacket2PayloadsPadded) {
 
 TEST_P(QuicPacketCreatorTest,
        SerializePathResponseProbePacket2PayloadsUnPadded) {
-  if (GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     return;
   }
   QuicPathFrameBuffer payload0 = {
@@ -1029,7 +1033,7 @@ TEST_P(QuicPacketCreatorTest,
 }
 
 TEST_P(QuicPacketCreatorTest, SerializePathResponseProbePacket3PayloadsPadded) {
-  if (GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     return;
   }
   QuicPathFrameBuffer payload0 = {
@@ -1069,7 +1073,7 @@ TEST_P(QuicPacketCreatorTest, SerializePathResponseProbePacket3PayloadsPadded) {
 
 TEST_P(QuicPacketCreatorTest,
        SerializePathResponseProbePacket3PayloadsUnpadded) {
-  if (GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(GetParam().version.transport_version)) {
     return;
   }
   QuicPathFrameBuffer payload0 = {
@@ -1106,8 +1110,8 @@ TEST_P(QuicPacketCreatorTest,
 }
 
 TEST_P(QuicPacketCreatorTest, UpdatePacketSequenceNumberLengthLeastAwaiting) {
-  if (GetParam().version.transport_version > QUIC_VERSION_43 &&
-      GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (VersionHasIetfInvariantHeader(GetParam().version.transport_version) &&
+      !GetParam().version.SendsVariableLengthPacketNumberInLongHeader()) {
     EXPECT_EQ(PACKET_4BYTE_PACKET_NUMBER,
               QuicPacketCreatorPeer::GetPacketNumberLength(&creator_));
     creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
@@ -1144,8 +1148,8 @@ TEST_P(QuicPacketCreatorTest, UpdatePacketSequenceNumberLengthLeastAwaiting) {
 
 TEST_P(QuicPacketCreatorTest, UpdatePacketSequenceNumberLengthCwnd) {
   QuicPacketCreatorPeer::SetPacketNumber(&creator_, 1);
-  if (GetParam().version.transport_version > QUIC_VERSION_43 &&
-      GetParam().version.transport_version != QUIC_VERSION_99) {
+  if (VersionHasIetfInvariantHeader(GetParam().version.transport_version) &&
+      !GetParam().version.SendsVariableLengthPacketNumberInLongHeader()) {
     EXPECT_EQ(PACKET_4BYTE_PACKET_NUMBER,
               QuicPacketCreatorPeer::GetPacketNumberLength(&creator_));
     creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
@@ -1370,9 +1374,8 @@ TEST_P(QuicPacketCreatorTest, SerializeAndSendStreamFrame) {
   EXPECT_FALSE(creator_.HasPendingFrames());
 
   MakeIOVector("test", &iov_);
-  producer_.SaveStreamData(
-      QuicUtils::GetHeadersStreamId(client_framer_.transport_version()), &iov_,
-      1u, 0u, iov_.iov_len);
+  producer_.SaveStreamData(GetNthClientInitiatedStreamId(0), &iov_, 1u, 0u,
+                           iov_.iov_len);
   EXPECT_CALL(delegate_, OnSerializedPacket(_))
       .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
   size_t num_bytes_consumed;
@@ -1380,8 +1383,8 @@ TEST_P(QuicPacketCreatorTest, SerializeAndSendStreamFrame) {
   creator_.set_debug_delegate(&debug);
   EXPECT_CALL(debug, OnFrameAddedToPacket(_));
   creator_.CreateAndSerializeStreamFrame(
-      QuicUtils::GetHeadersStreamId(client_framer_.transport_version()),
-      iov_.iov_len, 0, 0, true, NOT_RETRANSMISSION, &num_bytes_consumed);
+      GetNthClientInitiatedStreamId(0), iov_.iov_len, 0, 0, true,
+      NOT_RETRANSMISSION, &num_bytes_consumed);
   EXPECT_EQ(4u, num_bytes_consumed);
 
   // Ensure the packet is successfully created.
@@ -1395,6 +1398,46 @@ TEST_P(QuicPacketCreatorTest, SerializeAndSendStreamFrame) {
   EXPECT_FALSE(creator_.HasPendingFrames());
 }
 
+TEST_P(QuicPacketCreatorTest, SerializeStreamFrameWithPadding) {
+  // Regression test to check that CreateAndSerializeStreamFrame uses a
+  // correctly formatted stream frame header when appending padding.
+
+  if (!GetParam().version_serialization) {
+    creator_.StopSendingVersion();
+  }
+  EXPECT_FALSE(creator_.HasPendingFrames());
+
+  // Send one byte of stream data.
+  MakeIOVector("a", &iov_);
+  producer_.SaveStreamData(GetNthClientInitiatedStreamId(0), &iov_, 1u, 0u,
+                           iov_.iov_len);
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
+  size_t num_bytes_consumed;
+  creator_.CreateAndSerializeStreamFrame(
+      GetNthClientInitiatedStreamId(0), iov_.iov_len, 0, 0, true,
+      NOT_RETRANSMISSION, &num_bytes_consumed);
+  EXPECT_EQ(1u, num_bytes_consumed);
+
+  // Check that a packet is created.
+  ASSERT_TRUE(serialized_packet_.encrypted_buffer);
+  ASSERT_FALSE(serialized_packet_.retransmittable_frames.empty());
+  {
+    InSequence s;
+    EXPECT_CALL(framer_visitor_, OnPacket());
+    EXPECT_CALL(framer_visitor_, OnUnauthenticatedPublicHeader(_));
+    EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
+    EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
+    EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
+    EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
+    if (client_framer_.version().HasHeaderProtection()) {
+      EXPECT_CALL(framer_visitor_, OnPaddingFrame(_));
+    }
+    EXPECT_CALL(framer_visitor_, OnPacketComplete());
+  }
+  ProcessPacket(serialized_packet_);
+}
+
 TEST_P(QuicPacketCreatorTest, AddUnencryptedStreamDataClosesConnection) {
   // EXPECT_QUIC_BUG tests are expensive so only run one instance of them.
   if (!IsDefaultTestConfiguration()) {
@@ -1403,9 +1446,8 @@ TEST_P(QuicPacketCreatorTest, AddUnencryptedStreamDataClosesConnection) {
 
   creator_.set_encryption_level(ENCRYPTION_INITIAL);
   EXPECT_CALL(delegate_, OnUnrecoverableError(_, _));
-  QuicStreamFrame stream_frame(
-      QuicUtils::GetHeadersStreamId(client_framer_.transport_version()),
-      /*fin=*/false, 0u, QuicStringPiece());
+  QuicStreamFrame stream_frame(GetNthClientInitiatedStreamId(0),
+                               /*fin=*/false, 0u, QuicStringPiece());
   EXPECT_QUIC_BUG(
       creator_.AddSavedFrame(QuicFrame(stream_frame), NOT_RETRANSMISSION),
       "Cannot send stream data with level: ENCRYPTION_INITIAL");
@@ -1419,9 +1461,8 @@ TEST_P(QuicPacketCreatorTest, SendStreamDataWithEncryptionHandshake) {
 
   creator_.set_encryption_level(ENCRYPTION_HANDSHAKE);
   EXPECT_CALL(delegate_, OnUnrecoverableError(_, _));
-  QuicStreamFrame stream_frame(
-      QuicUtils::GetHeadersStreamId(client_framer_.transport_version()),
-      /*fin=*/false, 0u, QuicStringPiece());
+  QuicStreamFrame stream_frame(GetNthClientInitiatedStreamId(0),
+                               /*fin=*/false, 0u, QuicStringPiece());
   EXPECT_QUIC_BUG(
       creator_.AddSavedFrame(QuicFrame(stream_frame), NOT_RETRANSMISSION),
       "Cannot send stream data with level: ENCRYPTION_HANDSHAKE");
@@ -1674,7 +1715,7 @@ TEST_P(QuicPacketCreatorTest, IetfAckGapErrorRegression) {
 }
 
 TEST_P(QuicPacketCreatorTest, AddMessageFrame) {
-  if (client_framer_.transport_version() <= QUIC_VERSION_44) {
+  if (!VersionSupportsMessageFrames(client_framer_.transport_version())) {
     return;
   }
   creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
@@ -1726,7 +1767,7 @@ TEST_P(QuicPacketCreatorTest, AddMessageFrame) {
 }
 
 TEST_P(QuicPacketCreatorTest, MessageFrameConsumption) {
-  if (client_framer_.transport_version() <= QUIC_VERSION_44) {
+  if (!VersionSupportsMessageFrames(client_framer_.transport_version())) {
     return;
   }
   std::string message_data(kDefaultMaxPacketSize, 'a');
@@ -1769,6 +1810,20 @@ TEST_P(QuicPacketCreatorTest, MessageFrameConsumption) {
   }
 }
 
+// Regression test for bugfix of GetPacketHeaderSize.
+TEST_P(QuicPacketCreatorTest, GetGuaranteedLargestMessagePayload) {
+  QuicTransportVersion version = GetParam().version.transport_version;
+  if (!VersionSupportsMessageFrames(version)) {
+    return;
+  }
+  QuicPacketLength expected_largest_payload = 1319;
+  if (QuicVersionHasLongHeaderLengths(version)) {
+    expected_largest_payload -= 2;
+  }
+  EXPECT_EQ(expected_largest_payload,
+            creator_.GetGuaranteedLargestMessagePayload());
+}
+
 TEST_P(QuicPacketCreatorTest, PacketTransmissionType) {
   creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
   creator_.set_can_set_transmission_type(true);
@@ -1874,6 +1929,18 @@ TEST_P(QuicPacketCreatorTest, GetConnectionId) {
   EXPECT_EQ(EmptyQuicConnectionId(), creator_.GetSourceConnectionId());
 }
 
+TEST_P(QuicPacketCreatorTest, ClientConnectionId) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  if (!client_framer_.version().SupportsClientConnectionIds()) {
+    return;
+  }
+  EXPECT_EQ(TestConnectionId(2), creator_.GetDestinationConnectionId());
+  EXPECT_EQ(EmptyQuicConnectionId(), creator_.GetSourceConnectionId());
+  creator_.SetClientConnectionId(TestConnectionId(0x33));
+  EXPECT_EQ(TestConnectionId(2), creator_.GetDestinationConnectionId());
+  EXPECT_EQ(TestConnectionId(0x33), creator_.GetSourceConnectionId());
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.cc
index d57aad41f47..fe170697f42 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.cc
@@ -26,68 +26,34 @@ QuicPacketGenerator::QuicPacketGenerator(QuicConnectionId server_connection_id,
       packet_creator_(server_connection_id, framer, random_generator, delegate),
       next_transmission_type_(NOT_RETRANSMISSION),
       flusher_attached_(false),
-      should_send_ack_(false),
-      should_send_stop_waiting_(false),
       random_generator_(random_generator),
-      fully_pad_crypto_handshake_packets_(true),
-      deprecate_ack_bundling_mode_(
-          GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)),
-      deprecate_queued_control_frames_(
-          deprecate_ack_bundling_mode_ &&
-          GetQuicReloadableFlag(quic_deprecate_queued_control_frames)) {}
+      fully_pad_crypto_handshake_packets_(true) {}
 
-QuicPacketGenerator::~QuicPacketGenerator() {
-  DeleteFrames(&queued_control_frames_);
-}
-
-void QuicPacketGenerator::SetShouldSendAck(bool also_send_stop_waiting) {
-  DCHECK(!deprecate_ack_bundling_mode_);
-  if (packet_creator_.has_ack()) {
-    // Ack already queued, nothing to do.
-    return;
-  }
-
-  if (also_send_stop_waiting && packet_creator_.has_stop_waiting()) {
-    QUIC_BUG << "Should only ever be one pending stop waiting frame.";
-    return;
-  }
-
-  should_send_ack_ = true;
-  should_send_stop_waiting_ = also_send_stop_waiting;
-  SendQueuedFrames(/*flush=*/false);
-}
+QuicPacketGenerator::~QuicPacketGenerator() {}
 
 bool QuicPacketGenerator::ConsumeRetransmittableControlFrame(
     const QuicFrame& frame) {
   QUIC_BUG_IF(IsControlFrame(frame.type) && !GetControlFrameId(frame))
       << "Adding a control frame with no control frame id: " << frame;
   DCHECK(QuicUtils::IsRetransmittableFrame(frame.type)) << frame;
-  if (deprecate_ack_bundling_mode_) {
-    MaybeBundleAckOpportunistically();
-  }
-  if (deprecate_queued_control_frames_) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_deprecate_queued_control_frames);
-    if (packet_creator_.HasPendingFrames()) {
-      if (packet_creator_.AddSavedFrame(frame, next_transmission_type_)) {
-        // There is pending frames and current frame fits.
-        return true;
-      }
+  MaybeBundleAckOpportunistically();
+  if (packet_creator_.HasPendingFrames()) {
+    if (packet_creator_.AddSavedFrame(frame, next_transmission_type_)) {
+      // There is pending frames and current frame fits.
+      return true;
     }
-    DCHECK(!packet_creator_.HasPendingFrames());
-    if (frame.type != PING_FRAME && frame.type != CONNECTION_CLOSE_FRAME &&
-        !delegate_->ShouldGeneratePacket(HAS_RETRANSMITTABLE_DATA,
-                                         NOT_HANDSHAKE)) {
-      // Do not check congestion window for ping or connection close frames.
-      return false;
-    }
-    const bool success =
-        packet_creator_.AddSavedFrame(frame, next_transmission_type_);
-    DCHECK(success);
-    return success;
   }
-  queued_control_frames_.push_back(frame);
-  SendQueuedFrames(/*flush=*/false);
-  return true;
+  DCHECK(!packet_creator_.HasPendingFrames());
+  if (frame.type != PING_FRAME && frame.type != CONNECTION_CLOSE_FRAME &&
+      !delegate_->ShouldGeneratePacket(HAS_RETRANSMITTABLE_DATA,
+                                       NOT_HANDSHAKE)) {
+    // Do not check congestion window for ping or connection close frames.
+    return false;
+  }
+  const bool success =
+      packet_creator_.AddSavedFrame(frame, next_transmission_type_);
+  DCHECK(success);
+  return success;
 }
 
 size_t QuicPacketGenerator::ConsumeCryptoData(EncryptionLevel level,
@@ -95,16 +61,15 @@ size_t QuicPacketGenerator::ConsumeCryptoData(EncryptionLevel level,
                                               QuicStreamOffset offset) {
   QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
                                      "generator tries to write crypto data.";
-  if (deprecate_ack_bundling_mode_) {
-    MaybeBundleAckOpportunistically();
-  }
+  MaybeBundleAckOpportunistically();
   // To make reasoning about crypto frames easier, we don't combine them with
   // other retransmittable frames in a single packet.
   // TODO(nharper): Once we have separate packet number spaces, everything
   // should be driven by encryption level, and we should stop flushing in this
   // spot.
-  const bool flush = packet_creator_.HasPendingRetransmittableFrames();
-  SendQueuedFrames(flush);
+  if (packet_creator_.HasPendingRetransmittableFrames()) {
+    packet_creator_.Flush();
+  }
 
   size_t total_bytes_consumed = 0;
 
@@ -127,7 +92,7 @@ size_t QuicPacketGenerator::ConsumeCryptoData(EncryptionLevel level,
   }
 
   // Don't allow the handshake to be bundled with other retransmittable frames.
-  SendQueuedFrames(/*flush=*/true);
+  packet_creator_.Flush();
 
   return total_bytes_consumed;
 }
@@ -140,17 +105,15 @@ QuicConsumedData QuicPacketGenerator::ConsumeData(QuicStreamId id,
                                      "generator tries to write stream data.";
   bool has_handshake =
       QuicUtils::IsCryptoStreamId(packet_creator_.transport_version(), id);
-  if (deprecate_ack_bundling_mode_) {
-    MaybeBundleAckOpportunistically();
-  }
+  MaybeBundleAckOpportunistically();
   bool fin = state != NO_FIN;
   QUIC_BUG_IF(has_handshake && fin)
       << "Handshake packets should never send a fin";
   // To make reasoning about crypto frames easier, we don't combine them with
   // other retransmittable frames in a single packet.
-  const bool flush =
-      has_handshake && packet_creator_.HasPendingRetransmittableFrames();
-  SendQueuedFrames(flush);
+  if (has_handshake && packet_creator_.HasPendingRetransmittableFrames()) {
+    packet_creator_.Flush();
+  }
 
   size_t total_bytes_consumed = 0;
   bool fin_consumed = false;
@@ -166,7 +129,7 @@ QuicConsumedData QuicPacketGenerator::ConsumeData(QuicStreamId id,
   // We determine if we can enter the fast path before executing
   // the slow path loop.
   bool run_fast_path =
-      !has_handshake && state != FIN_AND_PADDING && !HasQueuedFrames() &&
+      !has_handshake && state != FIN_AND_PADDING && !HasPendingFrames() &&
       write_length - total_bytes_consumed > kMaxOutgoingPacketSize;
 
   while (!run_fast_path && delegate_->ShouldGeneratePacket(
@@ -206,7 +169,7 @@ QuicConsumedData QuicPacketGenerator::ConsumeData(QuicStreamId id,
     packet_creator_.Flush();
 
     run_fast_path =
-        !has_handshake && state != FIN_AND_PADDING && !HasQueuedFrames() &&
+        !has_handshake && state != FIN_AND_PADDING && !HasPendingFrames() &&
         write_length - total_bytes_consumed > kMaxOutgoingPacketSize;
   }
 
@@ -217,7 +180,7 @@ QuicConsumedData QuicPacketGenerator::ConsumeData(QuicStreamId id,
 
   // Don't allow the handshake to be bundled with other retransmittable frames.
   if (has_handshake) {
-    SendQueuedFrames(/*flush=*/true);
+    packet_creator_.Flush();
   }
 
   return QuicConsumedData(total_bytes_consumed, fin_consumed);
@@ -273,44 +236,6 @@ void QuicPacketGenerator::GenerateMtuDiscoveryPacket(QuicByteCount target_mtu) {
   SetMaxPacketLength(current_mtu);
 }
 
-bool QuicPacketGenerator::CanSendWithNextPendingFrameAddition() const {
-  DCHECK(HasPendingFrames() || packet_creator_.pending_padding_bytes() > 0);
-  HasRetransmittableData retransmittable =
-      (should_send_ack_ || should_send_stop_waiting_ ||
-       packet_creator_.pending_padding_bytes() > 0)
-          ? NO_RETRANSMITTABLE_DATA
-          : HAS_RETRANSMITTABLE_DATA;
-  if (retransmittable == HAS_RETRANSMITTABLE_DATA) {
-    DCHECK(!queued_control_frames_.empty());  // These are retransmittable.
-  }
-  return delegate_->ShouldGeneratePacket(retransmittable, NOT_HANDSHAKE);
-}
-
-void QuicPacketGenerator::SendQueuedFrames(bool flush) {
-  // Only add pending frames if we are SURE we can then send the whole packet.
-  while (HasPendingFrames() &&
-         (flush || CanSendWithNextPendingFrameAddition())) {
-    bool first_frame = packet_creator_.CanSetMaxPacketLength();
-    if (!AddNextPendingFrame() && first_frame) {
-      // A single frame cannot fit into the packet, tear down the connection.
-      QUIC_BUG << "A single frame cannot fit into packet."
-               << " should_send_ack: " << should_send_ack_
-               << " should_send_stop_waiting: " << should_send_stop_waiting_
-               << " number of queued_control_frames: "
-               << queued_control_frames_.size();
-      if (!queued_control_frames_.empty()) {
-        QUIC_LOG(INFO) << queued_control_frames_[0];
-      }
-      delegate_->OnUnrecoverableError(QUIC_FAILED_TO_SERIALIZE_PACKET,
-                                      "Single frame cannot fit into a packet");
-      return;
-    }
-  }
-  if (flush) {
-    packet_creator_.Flush();
-  }
-}
-
 bool QuicPacketGenerator::PacketFlusherAttached() const {
   return flusher_attached_;
 }
@@ -323,7 +248,6 @@ void QuicPacketGenerator::AttachPacketFlusher() {
 }
 
 void QuicPacketGenerator::Flush() {
-  SendQueuedFrames(/*flush=*/false);
   packet_creator_.Flush();
   SendRemainingPendingPadding();
   flusher_attached_ = false;
@@ -341,51 +265,11 @@ void QuicPacketGenerator::Flush() {
 }
 
 void QuicPacketGenerator::FlushAllQueuedFrames() {
-  SendQueuedFrames(/*flush=*/true);
-}
-
-bool QuicPacketGenerator::HasQueuedFrames() const {
-  return packet_creator_.HasPendingFrames() || HasPendingFrames();
-}
-
-bool QuicPacketGenerator::IsPendingPacketEmpty() const {
-  return !packet_creator_.HasPendingFrames();
+  packet_creator_.Flush();
 }
 
 bool QuicPacketGenerator::HasPendingFrames() const {
-  return should_send_ack_ || should_send_stop_waiting_ ||
-         !queued_control_frames_.empty();
-}
-
-bool QuicPacketGenerator::AddNextPendingFrame() {
-  QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
-                                     "generator tries to write control frames.";
-  if (should_send_ack_) {
-    should_send_ack_ = !packet_creator_.AddSavedFrame(
-        delegate_->GetUpdatedAckFrame(), next_transmission_type_);
-    return !should_send_ack_;
-  }
-
-  if (should_send_stop_waiting_) {
-    delegate_->PopulateStopWaitingFrame(&pending_stop_waiting_frame_);
-    // If we can't this add the frame now, then we still need to do so later.
-    should_send_stop_waiting_ = !packet_creator_.AddSavedFrame(
-        QuicFrame(pending_stop_waiting_frame_), next_transmission_type_);
-    // Return success if we have cleared out this flag (i.e., added the frame).
-    // If we still need to send, then the frame is full, and we have failed.
-    return !should_send_stop_waiting_;
-  }
-
-  QUIC_BUG_IF(queued_control_frames_.empty())
-      << "AddNextPendingFrame called with no queued control frames.";
-
-  if (!packet_creator_.AddSavedFrame(queued_control_frames_.back(),
-                                     next_transmission_type_)) {
-    // Packet was full.
-    return false;
-  }
-  queued_control_frames_.pop_back();
-  return true;
+  return packet_creator_.HasPendingFrames();
 }
 
 void QuicPacketGenerator::StopSendingVersion() {
@@ -476,15 +360,15 @@ void QuicPacketGenerator::AddRandomPadding() {
 }
 
 void QuicPacketGenerator::SendRemainingPendingPadding() {
-  while (packet_creator_.pending_padding_bytes() > 0 && !HasQueuedFrames() &&
-         CanSendWithNextPendingFrameAddition()) {
+  while (
+      packet_creator_.pending_padding_bytes() > 0 && !HasPendingFrames() &&
+      delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, NOT_HANDSHAKE)) {
     packet_creator_.Flush();
   }
 }
 
 bool QuicPacketGenerator::HasRetransmittableFrames() const {
-  return !queued_control_frames_.empty() ||
-         packet_creator_.HasPendingRetransmittableFrames();
+  return packet_creator_.HasPendingRetransmittableFrames();
 }
 
 bool QuicPacketGenerator::HasPendingStreamFramesOfStream(
@@ -512,14 +396,11 @@ MessageStatus QuicPacketGenerator::AddMessageFrame(QuicMessageId message_id,
                                                    QuicMemSliceSpan message) {
   QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
                                      "generator tries to add message frame.";
-  if (deprecate_ack_bundling_mode_) {
-    MaybeBundleAckOpportunistically();
-  }
+  MaybeBundleAckOpportunistically();
   const QuicByteCount message_length = message.total_length();
   if (message_length > GetCurrentLargestMessagePayload()) {
     return MESSAGE_STATUS_TOO_LARGE;
   }
-  SendQueuedFrames(/*flush=*/false);
   if (!packet_creator_.HasRoomForMessageFrame(message_length)) {
     packet_creator_.Flush();
   }
@@ -535,7 +416,6 @@ MessageStatus QuicPacketGenerator::AddMessageFrame(QuicMessageId message_id,
 }
 
 void QuicPacketGenerator::MaybeBundleAckOpportunistically() {
-  DCHECK(deprecate_ack_bundling_mode_);
   if (packet_creator_.has_ack()) {
     // Ack already queued, nothing to do.
     return;
@@ -588,4 +468,9 @@ void QuicPacketGenerator::SetServerConnectionId(
   packet_creator_.SetServerConnectionId(server_connection_id);
 }
 
+void QuicPacketGenerator::SetClientConnectionId(
+    QuicConnectionId client_connection_id) {
+  packet_creator_.SetClientConnectionId(client_connection_id);
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.h b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.h
index 327cc47238b..ea7da5d968c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.h
@@ -3,7 +3,7 @@
 // found in the LICENSE file.
 
 // Responsible for generating packets on behalf of a QuicConnection.
-// Packets are serialized just-in-time.  Control frames are queued.
+// Packets are serialized just-in-time.
 // Ack and Feedback frames will be requested from the Connection
 // just-in-time.  When a packet needs to be sent, the Generator
 // will serialize a packet and pass it to QuicConnection::SendOrQueuePacket()
@@ -69,11 +69,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
     // Called when there is data to be sent. Retrieves updated ACK frame from
     // the delegate.
     virtual const QuicFrames MaybeBundleAckOpportunistically() = 0;
-    // TODO(fayang): Remove these two interfaces when deprecating
-    // quic_deprecate_ack_bundling_mode.
-    virtual const QuicFrame GetUpdatedAckFrame() = 0;
-    virtual void PopulateStopWaitingFrame(
-        QuicStopWaitingFrame* stop_waiting) = 0;
   };
 
   QuicPacketGenerator(QuicConnectionId server_connection_id,
@@ -85,13 +80,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
 
   ~QuicPacketGenerator();
 
-  // Indicates that an ACK frame should be sent.
-  // If |also_send_stop_waiting| is true, then it also indicates that a
-  // STOP_WAITING frame should be sent as well.
-  // The contents of the frame(s) will be generated via a call to the delegate
-  // CreateAckFrame() when the packet is serialized.
-  void SetShouldSendAck(bool also_send_stop_waiting);
-
   // Consumes retransmittable control |frame|. Returns true if the frame is
   // successfully consumed. Returns false otherwise.
   bool ConsumeRetransmittableControlFrame(const QuicFrame& frame);
@@ -133,16 +121,14 @@ class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
   bool PacketFlusherAttached() const;
   // Attaches packet flusher.
   void AttachPacketFlusher();
-  // Flushes everything, including all queued frames and pending padding.
+  // Flushes everything, including current open packet and pending padding.
   void Flush();
 
-  // Flushes all queued frames, even frames which are not sendable.
+  // Flushes current open packet.
   void FlushAllQueuedFrames();
 
-  bool HasQueuedFrames() const;
-
-  // Whether the pending packet has no frames in it at the moment.
-  bool IsPendingPacketEmpty() const;
+  // Returns true if there are frames pending to be serialized.
+  bool HasPendingFrames() const;
 
   // Makes the framer not serialize the protocol version in sent packets.
   void StopSendingVersion();
@@ -238,12 +224,13 @@ class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
   // Update the server connection ID used in outgoing packets.
   void SetServerConnectionId(QuicConnectionId server_connection_id);
 
+  // Update the client connection ID used in outgoing packets.
+  void SetClientConnectionId(QuicConnectionId client_connection_id);
+
   void set_debug_delegate(QuicPacketCreator::DebugDelegate* debug_delegate) {
     packet_creator_.set_debug_delegate(debug_delegate);
   }
 
-  bool should_send_ack() const { return should_send_ack_; }
-
   void set_fully_pad_crypto_hadshake_packets(bool new_value) {
     fully_pad_crypto_handshake_packets_ = new_value;
   }
@@ -252,30 +239,9 @@ class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
     return fully_pad_crypto_handshake_packets_;
   }
 
-  bool deprecate_ack_bundling_mode() const {
-    return deprecate_ack_bundling_mode_;
-  }
-
-  bool deprecate_queued_control_frames() const {
-    return deprecate_queued_control_frames_;
-  }
-
  private:
   friend class test::QuicPacketGeneratorPeer;
 
-  void SendQueuedFrames(bool flush);
-
-  // Test to see if we have pending ack, or control frames.
-  bool HasPendingFrames() const;
-  // Returns true if addition of a pending frame (which might be
-  // retransmittable) would still allow the resulting packet to be sent now.
-  bool CanSendWithNextPendingFrameAddition() const;
-  // Add exactly one pending frame, preferring ack frames over control frames.
-  // Returns true if a pending frame is successfully added.
-  // Returns false and flushes current open packet if the pending frame cannot
-  // fit into current open packet.
-  bool AddNextPendingFrame();
-
   // Adds a random amount of padding (between 1 to 256 bytes).
   void AddRandomPadding();
 
@@ -290,9 +256,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
   DelegateInterface* delegate_;
 
   QuicPacketCreator packet_creator_;
-  // TODO(fayang): remove this when deprecating
-  // quic_deprecate_queued_control_frames.
-  QuicFrames queued_control_frames_;
 
   // Transmission type of the next serialized packet.
   TransmissionType next_transmission_type_;
@@ -300,19 +263,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
   // True if packet flusher is currently attached.
   bool flusher_attached_;
 
-  // Flags to indicate the need for just-in-time construction of a frame.
-  // TODO(fayang): Remove these two booleans when deprecating
-  // quic_deprecate_ack_bundling_mode.
-  bool should_send_ack_;
-  bool should_send_stop_waiting_;
-  // If we put a non-retransmittable frame in this packet, then we have to hold
-  // a reference to it until we flush (and serialize it). Retransmittable frames
-  // are referenced elsewhere so that they can later be (optionally)
-  // retransmitted.
-  // TODO(fayang): Remove this when deprecating
-  // quic_deprecate_ack_bundling_mode.
-  QuicStopWaitingFrame pending_stop_waiting_frame_;
-
   QuicRandom* random_generator_;
 
   // Whether crypto handshake packets should be fully padded.
@@ -322,12 +272,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
   // when the out-most flusher attaches and gets cleared when the out-most
   // flusher detaches.
   QuicPacketNumber write_start_packet_number_;
-
-  // Latched value of quic_deprecate_ack_bundling_mode.
-  const bool deprecate_ack_bundling_mode_;
-
-  // Latched value of quic_deprecate_queued_control_frames.
-  const bool deprecate_queued_control_frames_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator_test.cc
index 7212e22f76a..cdb19b33373 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator_test.cc
@@ -47,8 +47,6 @@ class MockDelegate : public QuicPacketGenerator::DelegateInterface {
                bool(HasRetransmittableData retransmittable,
                     IsHandshake handshake));
   MOCK_METHOD0(MaybeBundleAckOpportunistically, const QuicFrames());
-  MOCK_METHOD0(GetUpdatedAckFrame, const QuicFrame());
-  MOCK_METHOD1(PopulateStopWaitingFrame, void(QuicStopWaitingFrame*));
   MOCK_METHOD0(GetPacketBuffer, char*());
   MOCK_METHOD1(OnSerializedPacket, void(SerializedPacket* packet));
   MOCK_METHOD2(OnUnrecoverableError, void(QuicErrorCode, const std::string&));
@@ -119,8 +117,7 @@ class TestPacketGenerator : public QuicPacketGenerator {
 
   bool ConsumeRetransmittableControlFrame(const QuicFrame& frame,
                                           bool bundle_ack) {
-    if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode) &&
-        !QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack()) {
+    if (!QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack()) {
       QuicFrames frames;
       if (bundle_ack) {
         frames.push_back(QuicFrame(&ack_frame_));
@@ -158,8 +155,7 @@ class TestPacketGenerator : public QuicPacketGenerator {
     if (total_length > 0) {
       producer_->SaveStreamData(id, iov, iov_count, 0, total_length);
     }
-    if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode) &&
-        !QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
+    if (!QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
         delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
                                         NOT_HANDSHAKE)) {
       EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
@@ -169,8 +165,7 @@ class TestPacketGenerator : public QuicPacketGenerator {
 
   MessageStatus AddMessageFrame(QuicMessageId message_id,
                                 QuicMemSliceSpan message) {
-    if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode) &&
-        !QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
+    if (!QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
         delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
                                         NOT_HANDSHAKE)) {
       EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
@@ -182,8 +177,7 @@ class TestPacketGenerator : public QuicPacketGenerator {
                            QuicStringPiece data,
                            QuicStreamOffset offset) {
     producer_->SaveCryptoData(level, offset, data);
-    if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode) &&
-        !QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
+    if (!QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
         delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
                                         NOT_HANDSHAKE)) {
       EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
@@ -345,78 +339,6 @@ class MockDebugDelegate : public QuicPacketCreator::DebugDelegate {
   MOCK_METHOD1(OnFrameAddedToPacket, void(const QuicFrame&));
 };
 
-TEST_F(QuicPacketGeneratorTest, ShouldSendAck_NotWritable) {
-  if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    return;
-  }
-  delegate_.SetCanNotWrite();
-
-  generator_.SetShouldSendAck(false);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-}
-
-TEST_F(QuicPacketGeneratorTest, ShouldSendAck_WritableAndShouldNotFlush) {
-  if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    return;
-  }
-  StrictMock<MockDebugDelegate> debug_delegate;
-
-  generator_.set_debug_delegate(&debug_delegate);
-  delegate_.SetCanWriteOnlyNonRetransmittable();
-
-  EXPECT_CALL(delegate_, GetUpdatedAckFrame())
-      .WillOnce(Return(QuicFrame(&ack_frame_)));
-  EXPECT_CALL(debug_delegate, OnFrameAddedToPacket(_)).Times(1);
-
-  generator_.SetShouldSendAck(false);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-}
-
-TEST_F(QuicPacketGeneratorTest, ShouldSendAck_WritableAndShouldFlush) {
-  if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    return;
-  }
-  delegate_.SetCanWriteOnlyNonRetransmittable();
-
-  EXPECT_CALL(delegate_, GetUpdatedAckFrame())
-      .WillOnce(Return(QuicFrame(&ack_frame_)));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  generator_.SetShouldSendAck(false);
-  generator_.Flush();
-  EXPECT_FALSE(generator_.HasQueuedFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_ack_frames = 1;
-  CheckPacketContains(contents, 0);
-}
-
-TEST_F(QuicPacketGeneratorTest, ShouldSendAck_MultipleCalls) {
-  if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    return;
-  }
-  // Make sure that calling SetShouldSendAck multiple times does not result in a
-  // crash. Previously this would result in multiple QuicFrames queued in the
-  // packet generator, with all but the last with internal pointers to freed
-  // memory.
-  delegate_.SetCanWriteAnything();
-
-  // Only one AckFrame should be created.
-  EXPECT_CALL(delegate_, GetUpdatedAckFrame())
-      .WillOnce(Return(QuicFrame(&ack_frame_)));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .Times(1)
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  generator_.SetShouldSendAck(false);
-  generator_.SetShouldSendAck(false);
-  generator_.Flush();
-}
-
 TEST_F(QuicPacketGeneratorTest, AddControlFrame_NotWritable) {
   delegate_.SetCanNotWrite();
 
@@ -424,15 +346,10 @@ TEST_F(QuicPacketGeneratorTest, AddControlFrame_NotWritable) {
   const bool consumed =
       generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
                                                     /*bundle_ack=*/false);
-  if (generator_.deprecate_queued_control_frames()) {
-    EXPECT_FALSE(consumed);
-    EXPECT_FALSE(generator_.HasQueuedFrames());
-    EXPECT_FALSE(generator_.HasRetransmittableFrames());
-    delete rst_frame;
-  } else {
-    EXPECT_TRUE(generator_.HasQueuedFrames());
-    EXPECT_TRUE(generator_.HasRetransmittableFrames());
-  }
+  EXPECT_FALSE(consumed);
+  EXPECT_FALSE(generator_.HasPendingFrames());
+  EXPECT_FALSE(generator_.HasRetransmittableFrames());
+  delete rst_frame;
 }
 
 TEST_F(QuicPacketGeneratorTest, AddControlFrame_OnlyAckWritable) {
@@ -442,15 +359,10 @@ TEST_F(QuicPacketGeneratorTest, AddControlFrame_OnlyAckWritable) {
   const bool consumed =
       generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
                                                     /*bundle_ack=*/false);
-  if (generator_.deprecate_queued_control_frames()) {
-    EXPECT_FALSE(consumed);
-    EXPECT_FALSE(generator_.HasQueuedFrames());
-    EXPECT_FALSE(generator_.HasRetransmittableFrames());
-    delete rst_frame;
-  } else {
-    EXPECT_TRUE(generator_.HasQueuedFrames());
-    EXPECT_TRUE(generator_.HasRetransmittableFrames());
-  }
+  EXPECT_FALSE(consumed);
+  EXPECT_FALSE(generator_.HasPendingFrames());
+  EXPECT_FALSE(generator_.HasRetransmittableFrames());
+  delete rst_frame;
 }
 
 TEST_F(QuicPacketGeneratorTest, AddControlFrame_WritableAndShouldNotFlush) {
@@ -459,7 +371,7 @@ TEST_F(QuicPacketGeneratorTest, AddControlFrame_WritableAndShouldNotFlush) {
   generator_.ConsumeRetransmittableControlFrame(
       QuicFrame(CreateRstStreamFrame()),
       /*bundle_ack=*/false);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 }
 
@@ -470,29 +382,10 @@ TEST_F(QuicPacketGeneratorTest, AddControlFrame_NotWritableBatchThenFlush) {
   const bool consumed =
       generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
                                                     /*bundle_ack=*/false);
-  if (generator_.deprecate_queued_control_frames()) {
-    EXPECT_FALSE(consumed);
-    EXPECT_FALSE(generator_.HasQueuedFrames());
-    EXPECT_FALSE(generator_.HasRetransmittableFrames());
-    delete rst_frame;
-    return;
-  }
-  EXPECT_TRUE(generator_.HasQueuedFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-  generator_.Flush();
-  EXPECT_TRUE(generator_.HasQueuedFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  generator_.AttachPacketFlusher();
-  generator_.FlushAllQueuedFrames();
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(consumed);
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_rst_stream_frames = 1;
-  CheckPacketContains(contents, 0);
+  delete rst_frame;
 }
 
 TEST_F(QuicPacketGeneratorTest, AddControlFrame_WritableAndShouldFlush) {
@@ -505,7 +398,7 @@ TEST_F(QuicPacketGeneratorTest, AddControlFrame_WritableAndShouldFlush) {
       QuicFrame(CreateRstStreamFrame()),
       /*bundle_ack=*/false);
   generator_.Flush();
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -523,7 +416,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeCryptoData) {
       generator_.ConsumeCryptoData(ENCRYPTION_INITIAL, data, 0);
   generator_.Flush();
   EXPECT_EQ(data.length(), consumed_bytes);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -541,7 +434,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeData_NotWritable) {
       iov_.iov_len, 0, FIN);
   EXPECT_EQ(0u, consumed.bytes_consumed);
   EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 }
 
@@ -554,7 +447,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeData_WritableAndShouldNotFlush) {
       iov_.iov_len, 0, FIN);
   EXPECT_EQ(3u, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 }
 
@@ -570,7 +463,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeData_WritableAndShouldFlush) {
   generator_.Flush();
   EXPECT_EQ(3u, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -600,7 +493,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeData_Handshake) {
             .bytes_consumed;
   }
   EXPECT_EQ(7u, consumed_bytes);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -640,7 +533,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeData_Handshake_PaddingDisabled) {
             .bytes_consumed;
   }
   EXPECT_EQ(3u, bytes_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -690,7 +583,7 @@ TEST_F(QuicPacketGeneratorTest,
       generator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 3, NO_FIN);
   EXPECT_EQ(4u, consumed.bytes_consumed);
   EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 }
 
@@ -707,14 +600,14 @@ TEST_F(QuicPacketGeneratorTest, ConsumeData_BatchOperations) {
       iov_.iov_len, 3, NO_FIN);
   EXPECT_EQ(4u, consumed.bytes_consumed);
   EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 
   // Now both frames will be flushed out.
   EXPECT_CALL(delegate_, OnSerializedPacket(_))
       .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
   generator_.Flush();
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -761,7 +654,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeData_FramesPreviouslyQueued) {
       iov_.iov_len, 0, NO_FIN);
   EXPECT_EQ(3u, consumed.bytes_consumed);
   EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 
   // This frame will not fit with the existing frame, causing the queued frame
@@ -772,11 +665,11 @@ TEST_F(QuicPacketGeneratorTest, ConsumeData_FramesPreviouslyQueued) {
       iov_.iov_len, 3, FIN);
   EXPECT_EQ(3u, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 
   creator_->Flush();
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -799,7 +692,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeDataFastPath) {
       iov_.iov_len, 0, true);
   EXPECT_EQ(10000u, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -827,7 +720,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeDataLarge) {
       iov_.iov_len, 0, FIN);
   EXPECT_EQ(10000u, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   PacketContents contents;
@@ -845,42 +738,26 @@ TEST_F(QuicPacketGeneratorTest, ConsumeDataLarge) {
 TEST_F(QuicPacketGeneratorTest, ConsumeDataLargeSendAckFalse) {
   delegate_.SetCanNotWrite();
 
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    generator_.SetShouldSendAck(false);
-  }
   QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
   const bool success =
       generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
                                                     /*bundle_ack=*/true);
-  if (generator_.deprecate_queued_control_frames()) {
-    EXPECT_FALSE(success);
-    EXPECT_FALSE(generator_.HasQueuedFrames());
-    EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  } else {
-    EXPECT_TRUE(generator_.HasQueuedFrames());
-    EXPECT_TRUE(generator_.HasRetransmittableFrames());
-  }
+  EXPECT_FALSE(success);
+  EXPECT_FALSE(generator_.HasPendingFrames());
+  EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   delegate_.SetCanWriteAnything();
 
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    EXPECT_CALL(delegate_, GetUpdatedAckFrame())
-        .WillOnce(Return(QuicFrame(&ack_frame_)));
-  }
-  if (generator_.deprecate_queued_control_frames()) {
-    generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                  /*bundle_ack=*/false);
-  }
+  generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                /*bundle_ack=*/false);
 
   // Create a 10000 byte IOVector.
   CreateData(10000);
   EXPECT_CALL(delegate_, OnSerializedPacket(_))
       .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  if (generator_.deprecate_queued_control_frames()) {
-    generator_.ConsumeRetransmittableControlFrame(
-        QuicFrame(CreateRstStreamFrame()),
-        /*bundle_ack=*/true);
-  }
+  generator_.ConsumeRetransmittableControlFrame(
+      QuicFrame(CreateRstStreamFrame()),
+      /*bundle_ack=*/true);
   QuicConsumedData consumed = generator_.ConsumeData(
       QuicUtils::GetHeadersStreamId(framer_.transport_version()), &iov_, 1u,
       iov_.iov_len, 0, FIN);
@@ -888,7 +765,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeDataLargeSendAckFalse) {
 
   EXPECT_EQ(10000u, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   EXPECT_FALSE(packets_.empty());
@@ -901,26 +778,12 @@ TEST_F(QuicPacketGeneratorTest, ConsumeDataLargeSendAckFalse) {
 }
 
 TEST_F(QuicPacketGeneratorTest, ConsumeDataLargeSendAckTrue) {
-  if (framer_.transport_version() > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(framer_.transport_version())) {
     return;
   }
   delegate_.SetCanNotWrite();
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    generator_.SetShouldSendAck(true /* stop_waiting */);
-  }
   delegate_.SetCanWriteAnything();
 
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    // Set up frames to write into the creator when control frames are written.
-    EXPECT_CALL(delegate_, GetUpdatedAckFrame())
-        .WillOnce(Return(QuicFrame(&ack_frame_)));
-    EXPECT_CALL(delegate_, PopulateStopWaitingFrame(_));
-    // Generator should have queued control frames, and creator should be empty.
-    EXPECT_TRUE(generator_.HasQueuedFrames());
-    EXPECT_FALSE(generator_.HasRetransmittableFrames());
-    EXPECT_FALSE(creator_->HasPendingFrames());
-  }
-
   // Create a 10000 byte IOVector.
   CreateData(10000);
   EXPECT_CALL(delegate_, OnSerializedPacket(_))
@@ -932,7 +795,7 @@ TEST_F(QuicPacketGeneratorTest, ConsumeDataLargeSendAckTrue) {
 
   EXPECT_EQ(10000u, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   EXPECT_FALSE(packets_.empty());
@@ -947,40 +810,24 @@ TEST_F(QuicPacketGeneratorTest, ConsumeDataLargeSendAckTrue) {
 TEST_F(QuicPacketGeneratorTest, NotWritableThenBatchOperations) {
   delegate_.SetCanNotWrite();
 
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    generator_.SetShouldSendAck(false);
-  }
   QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
   const bool consumed =
       generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
                                                     /*bundle_ack=*/true);
-  if (generator_.deprecate_queued_control_frames()) {
-    EXPECT_FALSE(consumed);
-    EXPECT_FALSE(generator_.HasQueuedFrames());
-    EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  } else {
-    EXPECT_TRUE(generator_.HasQueuedFrames());
-    EXPECT_TRUE(generator_.HasRetransmittableFrames());
-  }
+  EXPECT_FALSE(consumed);
+  EXPECT_FALSE(generator_.HasPendingFrames());
+  EXPECT_FALSE(generator_.HasRetransmittableFrames());
   EXPECT_FALSE(generator_.HasPendingStreamFramesOfStream(3));
 
   delegate_.SetCanWriteAnything();
 
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    // When the first write operation is invoked, the ack frame will be
-    // returned.
-    EXPECT_CALL(delegate_, GetUpdatedAckFrame())
-        .WillOnce(Return(QuicFrame(&ack_frame_)));
-  }
-  if (generator_.deprecate_queued_control_frames()) {
-    EXPECT_TRUE(
-        generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                      /*bundle_ack=*/false));
-  }
+  EXPECT_TRUE(
+      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                    /*bundle_ack=*/false));
   // Send some data and a control frame
   MakeIOVector("quux", &iov_);
   generator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 0, NO_FIN);
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     generator_.ConsumeRetransmittableControlFrame(
         QuicFrame(CreateGoAwayFrame()),
         /*bundle_ack=*/false);
@@ -991,18 +838,14 @@ TEST_F(QuicPacketGeneratorTest, NotWritableThenBatchOperations) {
   EXPECT_CALL(delegate_, OnSerializedPacket(_))
       .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
   generator_.Flush();
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
   EXPECT_FALSE(generator_.HasPendingStreamFramesOfStream(3));
 
   PacketContents contents;
-  if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    // ACK will be flushed by connection.
-    contents.num_ack_frames = 0;
-  } else {
-    contents.num_ack_frames = 1;
-  }
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  // ACK will be flushed by connection.
+  contents.num_ack_frames = 0;
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     contents.num_goaway_frames = 1;
   } else {
     contents.num_goaway_frames = 0;
@@ -1015,31 +858,16 @@ TEST_F(QuicPacketGeneratorTest, NotWritableThenBatchOperations) {
 TEST_F(QuicPacketGeneratorTest, NotWritableThenBatchOperations2) {
   delegate_.SetCanNotWrite();
 
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    generator_.SetShouldSendAck(false);
-  }
   QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
   const bool success =
       generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
                                                     /*bundle_ack=*/true);
-  if (generator_.deprecate_queued_control_frames()) {
-    EXPECT_FALSE(success);
-    EXPECT_FALSE(generator_.HasQueuedFrames());
-    EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  } else {
-    EXPECT_TRUE(generator_.HasQueuedFrames());
-    EXPECT_TRUE(generator_.HasRetransmittableFrames());
-  }
+  EXPECT_FALSE(success);
+  EXPECT_FALSE(generator_.HasPendingFrames());
+  EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   delegate_.SetCanWriteAnything();
 
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    // When the first write operation is invoked, the ack frame will be
-    // returned.
-    EXPECT_CALL(delegate_, GetUpdatedAckFrame())
-        .WillOnce(Return(QuicFrame(&ack_frame_)));
-  }
-
   {
     InSequence dummy;
     // All five frames will be flushed out in a single packet
@@ -1048,11 +876,9 @@ TEST_F(QuicPacketGeneratorTest, NotWritableThenBatchOperations2) {
     EXPECT_CALL(delegate_, OnSerializedPacket(_))
         .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
   }
-  if (generator_.deprecate_queued_control_frames()) {
-    EXPECT_TRUE(
-        generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                      /*bundle_ack=*/false));
-  }
+  EXPECT_TRUE(
+      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                    /*bundle_ack=*/false));
   // Send enough data to exceed one packet
   size_t data_len = kDefaultMaxPacketSize + 100;
   CreateData(data_len);
@@ -1060,31 +886,27 @@ TEST_F(QuicPacketGeneratorTest, NotWritableThenBatchOperations2) {
       generator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 0, FIN);
   EXPECT_EQ(data_len, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     generator_.ConsumeRetransmittableControlFrame(
         QuicFrame(CreateGoAwayFrame()),
         /*bundle_ack=*/false);
   }
 
   generator_.Flush();
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   // The first packet should have the queued data and part of the stream data.
   PacketContents contents;
-  if (GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    // ACK will be sent by connection.
-    contents.num_ack_frames = 0;
-  } else {
-    contents.num_ack_frames = 1;
-  }
+  // ACK will be sent by connection.
+  contents.num_ack_frames = 0;
   contents.num_rst_stream_frames = 1;
   contents.num_stream_frames = 1;
   CheckPacketContains(contents, 0);
 
   // The second should have the remainder of the stream data.
   PacketContents contents2;
-  if (framer_.transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
     contents2.num_goaway_frames = 1;
   } else {
     contents2.num_goaway_frames = 0;
@@ -1144,7 +966,7 @@ TEST_F(QuicPacketGeneratorTest, TestConnectionIdLength) {
 
   for (size_t i = 1; i < 10; i++) {
     generator_.SetServerConnectionIdLength(i);
-    if (framer_.transport_version() > QUIC_VERSION_43) {
+    if (VersionHasIetfInvariantHeader(framer_.transport_version())) {
       EXPECT_EQ(PACKET_0BYTE_CONNECTION_ID,
                 creator_->GetDestinationConnectionIdLength());
     } else {
@@ -1176,7 +998,7 @@ TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_Initial) {
       /*offset=*/0, FIN);
   EXPECT_EQ(data_len, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   // We expect three packets, and first two of them have to be of packet_len
@@ -1214,7 +1036,7 @@ TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_Middle) {
   generator_.Flush();
   EXPECT_EQ(data_len, consumed.bytes_consumed);
   EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   // Make sure we already have two packets.
@@ -1233,7 +1055,7 @@ TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_Middle) {
   generator_.Flush();
   EXPECT_EQ(data_len, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   // We expect first data chunk to get fragmented, but the second one to fit
@@ -1263,7 +1085,7 @@ TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_MidpacketFlush) {
       /*offset=*/0, NO_FIN);
   EXPECT_EQ(first_write_len, consumed.bytes_consumed);
   EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 
   // Make sure we have no packets so far.
@@ -1278,7 +1100,7 @@ TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_MidpacketFlush) {
   generator_.FlushAllQueuedFrames();
   generator_.SetMaxPacketLength(packet_len);
   EXPECT_EQ(packet_len, generator_.GetCurrentMaxPacketLength());
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   // We expect to see exactly one packet serialized after that, because we send
@@ -1296,7 +1118,7 @@ TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_MidpacketFlush) {
       /*offset=*/first_write_len, FIN);
   EXPECT_EQ(second_write_len, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 
   // We expect the first packet to be underfilled, and the second packet be up
@@ -1313,7 +1135,7 @@ TEST_F(QuicPacketGeneratorTest, GenerateConnectivityProbingPacket) {
   delegate_.SetCanWriteAnything();
 
   OwningSerializedPacketPointer probing_packet;
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     QuicPathFrameBuffer payload = {
         {0xde, 0xad, 0xbe, 0xef, 0xba, 0xdc, 0x0f, 0xfe}};
     probing_packet =
@@ -1326,7 +1148,7 @@ TEST_F(QuicPacketGeneratorTest, GenerateConnectivityProbingPacket) {
       probing_packet->encrypted_buffer, probing_packet->encrypted_length)));
 
   EXPECT_EQ(2u, simple_framer_.num_frames());
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     EXPECT_EQ(1u, simple_framer_.path_challenge_frames().size());
   } else {
     EXPECT_EQ(1u, simple_framer_.ping_frames().size());
@@ -1347,7 +1169,7 @@ TEST_F(QuicPacketGeneratorTest, GenerateMtuDiscoveryPacket_Simple) {
 
   generator_.GenerateMtuDiscoveryPacket(target_mtu);
 
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
   ASSERT_EQ(1u, packets_.size());
   EXPECT_EQ(target_mtu, packets_[0].encrypted_length);
@@ -1385,12 +1207,12 @@ TEST_F(QuicPacketGeneratorTest, GenerateMtuDiscoveryPacket_SurroundedByData) {
   generator_.Flush();
   EXPECT_EQ(data_len, consumed.bytes_consumed);
   EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   // Send the MTU probe.
   generator_.GenerateMtuDiscoveryPacket(target_mtu);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   // Send data after the MTU probe.
@@ -1403,7 +1225,7 @@ TEST_F(QuicPacketGeneratorTest, GenerateMtuDiscoveryPacket_SurroundedByData) {
   generator_.Flush();
   EXPECT_EQ(data_len, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   ASSERT_EQ(5u, packets_.size());
@@ -1423,7 +1245,7 @@ TEST_F(QuicPacketGeneratorTest, GenerateMtuDiscoveryPacket_SurroundedByData) {
 }
 
 TEST_F(QuicPacketGeneratorTest, DontCrashOnInvalidStopWaiting) {
-  if (framer_.transport_version() > QUIC_VERSION_43) {
+  if (VersionSupportsMessageFrames(framer_.transport_version())) {
     return;
   }
   // Test added to ensure the generator does not crash when an invalid frame is
@@ -1433,22 +1255,8 @@ TEST_F(QuicPacketGeneratorTest, DontCrashOnInvalidStopWaiting) {
   QuicPacketCreatorPeer::SetPacketNumber(creator_, 1000);
 
   delegate_.SetCanNotWrite();
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    generator_.SetShouldSendAck(true);
-  }
   delegate_.SetCanWriteAnything();
 
-  if (!GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode)) {
-    // Set up frames to write into the creator when control frames are written.
-    EXPECT_CALL(delegate_, GetUpdatedAckFrame())
-        .WillOnce(Return(QuicFrame(&ack_frame_)));
-    EXPECT_CALL(delegate_, PopulateStopWaitingFrame(_));
-    // Generator should have queued control frames, and creator should be empty.
-    EXPECT_TRUE(generator_.HasQueuedFrames());
-    EXPECT_FALSE(generator_.HasRetransmittableFrames());
-    EXPECT_FALSE(creator_->HasPendingFrames());
-  }
-
   // This will not serialize any packets, because of the invalid frame.
   EXPECT_CALL(delegate_,
               OnUnrecoverableError(QUIC_FAILED_TO_SERIALIZE_PACKET, _));
@@ -1464,12 +1272,12 @@ TEST_F(QuicPacketGeneratorTest, ConnectionCloseFrameLargerThanPacketSize) {
   QuicStringPiece error_details(buf, 2000);
   QuicConnectionCloseFrame* frame = new QuicConnectionCloseFrame(
       QUIC_PACKET_WRITE_ERROR, std::string(error_details));
-  if (framer_.transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     frame->close_type = IETF_QUIC_TRANSPORT_CONNECTION_CLOSE;
   }
   generator_.ConsumeRetransmittableControlFrame(QuicFrame(frame),
                                                 /*bundle_ack=*/false);
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 }
 
@@ -1504,7 +1312,7 @@ TEST_F(QuicPacketGeneratorTest, RandomPaddingAfterFinSingleStreamSinglePacket) {
       kDataStreamId, &iov_, 1u, iov_.iov_len, 0, FIN_AND_PADDING);
   generator_.Flush();
   EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   EXPECT_EQ(1u, packets_.size());
@@ -1546,7 +1354,7 @@ TEST_F(QuicPacketGeneratorTest,
       kDataStreamId, &iov_, 1u, iov_.iov_len, 0, FIN_AND_PADDING);
   generator_.Flush();
   EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   EXPECT_LE(1u, packets_.size());
@@ -1604,7 +1412,7 @@ TEST_F(QuicPacketGeneratorTest,
                                     FIN_AND_PADDING);
   EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
   generator_.Flush();
-  EXPECT_FALSE(generator_.HasQueuedFrames());
+  EXPECT_FALSE(generator_.HasPendingFrames());
   EXPECT_FALSE(generator_.HasRetransmittableFrames());
 
   EXPECT_LE(2u, packets_.size());
@@ -1627,7 +1435,7 @@ TEST_F(QuicPacketGeneratorTest,
 }
 
 TEST_F(QuicPacketGeneratorTest, AddMessageFrame) {
-  if (framer_.transport_version() <= QUIC_VERSION_44) {
+  if (!VersionSupportsMessageFrames(framer_.transport_version())) {
     return;
   }
   quic::QuicMemSliceStorage storage(nullptr, 0, nullptr, 0);
@@ -1642,7 +1450,7 @@ TEST_F(QuicPacketGeneratorTest, AddMessageFrame) {
   EXPECT_EQ(MESSAGE_STATUS_SUCCESS,
             generator_.AddMessageFrame(
                 1, MakeSpan(&allocator_, "message", &storage)));
-  EXPECT_TRUE(generator_.HasQueuedFrames());
+  EXPECT_TRUE(generator_.HasPendingFrames());
   EXPECT_TRUE(generator_.HasRetransmittableFrames());
 
   // Add a message which causes the flush of current packet.
@@ -1666,5 +1474,18 @@ TEST_F(QuicPacketGeneratorTest, AddMessageFrame) {
                    &storage)));
 }
 
+TEST_F(QuicPacketGeneratorTest, ConnectionId) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  generator_.SetServerConnectionId(TestConnectionId(0x1337));
+  EXPECT_EQ(TestConnectionId(0x1337), creator_->GetDestinationConnectionId());
+  EXPECT_EQ(EmptyQuicConnectionId(), creator_->GetSourceConnectionId());
+  if (!framer_.version().SupportsClientConnectionIds()) {
+    return;
+  }
+  generator_.SetClientConnectionId(TestConnectionId(0x33));
+  EXPECT_EQ(TestConnectionId(0x1337), creator_->GetDestinationConnectionId());
+  EXPECT_EQ(TestConnectionId(0x33), creator_->GetSourceConnectionId());
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_reader.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_reader.cc
index d2dfd2245fb..bd46c694cbc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_reader.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_reader.cc
@@ -179,6 +179,11 @@ bool QuicPacketReader::ReadAndDispatchManyPackets(
   // We may not have read all of the packets available on the socket.
   return packets_read == kNumPacketsPerReadMmsgCall;
 #else
+  (void)fd;
+  (void)port;
+  (void)clock;
+  (void)processor;
+  (void)packets_dropped;
   QUIC_LOG(FATAL) << "Unsupported";
   return false;
 #endif
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_writer_wrapper.h b/chromium/net/third_party/quiche/src/quic/core/quic_packet_writer_wrapper.h
index e93bfcfafa7..cc3dbc29543 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_writer_wrapper.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_writer_wrapper.h
@@ -45,7 +45,7 @@ class QuicPacketWriterWrapper : public QuicPacketWriter {
   // Does not take ownership of |writer|.
   void set_non_owning_writer(QuicPacketWriter* writer);
 
-  virtual void set_peer_address(const QuicSocketAddress& peer_address) {}
+  virtual void set_peer_address(const QuicSocketAddress& /*peer_address*/) {}
 
   QuicPacketWriter* writer() { return writer_; }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packets.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packets.cc
index 57bda5476a6..4887e8273ad 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packets.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packets.cc
@@ -13,6 +13,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
 namespace quic {
@@ -27,13 +28,23 @@ QuicConnectionId GetServerConnectionIdAsRecipient(
   return header.source_connection_id;
 }
 
+QuicConnectionId GetClientConnectionIdAsRecipient(
+    const QuicPacketHeader& header,
+    Perspective perspective) {
+  DCHECK(GetQuicRestartFlag(quic_do_not_override_connection_id));
+  if (perspective == Perspective::IS_CLIENT) {
+    return header.destination_connection_id;
+  }
+  return header.source_connection_id;
+}
+
 QuicConnectionId GetServerConnectionIdAsSender(const QuicPacketHeader& header,
                                                Perspective perspective) {
   if (perspective == Perspective::IS_CLIENT ||
       !GetQuicRestartFlag(quic_do_not_override_connection_id)) {
     return header.destination_connection_id;
   }
-  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 3, 5);
+  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 3, 7);
   return header.source_connection_id;
 }
 
@@ -44,10 +55,20 @@ QuicConnectionIdIncluded GetServerConnectionIdIncludedAsSender(
       !GetQuicRestartFlag(quic_do_not_override_connection_id)) {
     return header.destination_connection_id_included;
   }
-  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 4, 5);
+  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 4, 7);
   return header.source_connection_id_included;
 }
 
+QuicConnectionId GetClientConnectionIdAsSender(const QuicPacketHeader& header,
+                                               Perspective perspective) {
+  if (perspective == Perspective::IS_CLIENT ||
+      !GetQuicRestartFlag(quic_do_not_override_connection_id)) {
+    return header.source_connection_id;
+  }
+  QUIC_RESTART_FLAG_COUNT_N(quic_do_not_override_connection_id, 7, 7);
+  return header.destination_connection_id;
+}
+
 QuicConnectionIdIncluded GetClientConnectionIdIncludedAsSender(
     const QuicPacketHeader& header,
     Perspective perspective) {
@@ -101,16 +122,28 @@ size_t GetPacketHeaderSize(
     QuicVariableLengthIntegerLength retry_token_length_length,
     QuicByteCount retry_token_length,
     QuicVariableLengthIntegerLength length_length) {
-  if (version > QUIC_VERSION_43) {
+  if (VersionHasIetfInvariantHeader(version)) {
     if (include_version) {
       // Long header.
-      return kPacketHeaderTypeSize + kConnectionIdLengthSize +
-             destination_connection_id_length + source_connection_id_length +
-             (version > QUIC_VERSION_44 ? packet_number_length
-                                        : PACKET_4BYTE_PACKET_NUMBER) +
-             kQuicVersionSize +
-             (include_diversification_nonce ? kDiversificationNonceSize : 0) +
-             retry_token_length_length + retry_token_length + length_length;
+      size_t size = kPacketHeaderTypeSize + kConnectionIdLengthSize +
+                    destination_connection_id_length +
+                    source_connection_id_length +
+                    (version > QUIC_VERSION_44 ? packet_number_length
+                                               : PACKET_4BYTE_PACKET_NUMBER) +
+                    kQuicVersionSize;
+      if (include_diversification_nonce) {
+        size += kDiversificationNonceSize;
+      }
+      DCHECK(QuicVersionHasLongHeaderLengths(version) ||
+             !GetQuicReloadableFlag(quic_fix_get_packet_header_size) ||
+             retry_token_length_length + retry_token_length + length_length ==
+                 0);
+      if (QuicVersionHasLongHeaderLengths(version) ||
+          !GetQuicReloadableFlag(quic_fix_get_packet_header_size)) {
+        QUIC_RELOADABLE_FLAG_COUNT_N(quic_fix_get_packet_header_size, 1, 3);
+        size += retry_token_length_length + retry_token_length + length_length;
+      }
+      return size;
     }
     // Short header.
     return kPacketHeaderTypeSize + destination_connection_id_length +
@@ -280,7 +313,7 @@ QuicPacket::QuicPacket(
       retry_token_length_(retry_token_length),
       length_length_(length_length) {}
 
-QuicPacket::QuicPacket(QuicTransportVersion version,
+QuicPacket::QuicPacket(QuicTransportVersion /*version*/,
                        char* buffer,
                        size_t length,
                        bool owns_buffer,
@@ -467,4 +500,41 @@ char* CopyBuffer(const SerializedPacket& packet) {
   return dst_buffer;
 }
 
+ReceivedPacketInfo::ReceivedPacketInfo(const QuicSocketAddress& self_address,
+                                       const QuicSocketAddress& peer_address,
+                                       const QuicReceivedPacket& packet)
+    : self_address(self_address),
+      peer_address(peer_address),
+      packet(packet),
+      form(GOOGLE_QUIC_PACKET),
+      version_flag(false),
+      version_label(0),
+      version(PROTOCOL_UNSUPPORTED, QUIC_VERSION_UNSUPPORTED),
+      destination_connection_id(EmptyQuicConnectionId()),
+      source_connection_id(EmptyQuicConnectionId()) {}
+
+ReceivedPacketInfo::~ReceivedPacketInfo() {}
+
+std::string ReceivedPacketInfo::ToString() const {
+  std::string output =
+      QuicStrCat("{ self_address: ", self_address.ToString(),
+                 ", peer_address: ", peer_address.ToString(),
+                 ", packet_length: ", packet.length(),
+                 ", header_format: ", form, ", version_flag: ", version_flag);
+  if (version_flag) {
+    QuicStrAppend(&output, ", version: ", ParsedQuicVersionToString(version));
+  }
+  QuicStrAppend(
+      &output,
+      ", destination_connection_id: ", destination_connection_id.ToString(),
+      ", source_connection_id: ", source_connection_id.ToString(), " }\n");
+  return output;
+}
+
+std::ostream& operator<<(std::ostream& os,
+                         const ReceivedPacketInfo& packet_info) {
+  os << packet_info.ToString();
+  return os;
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packets.h b/chromium/net/third_party/quiche/src/quic/core/quic_packets.h
index d3c2600e818..cf6099e14a2 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packets.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packets.h
@@ -41,6 +41,12 @@ GetServerConnectionIdAsRecipient(const QuicPacketHeader& header,
 // Returns the destination connection ID of |header| when |perspective| is
 // client, and the source connection ID when |perspective| is server.
 QUIC_EXPORT_PRIVATE QuicConnectionId
+GetClientConnectionIdAsRecipient(const QuicPacketHeader& header,
+                                 Perspective perspective);
+
+// Returns the destination connection ID of |header| when |perspective| is
+// client, and the source connection ID when |perspective| is server.
+QUIC_EXPORT_PRIVATE QuicConnectionId
 GetServerConnectionIdAsSender(const QuicPacketHeader& header,
                               Perspective perspective);
 
@@ -51,6 +57,12 @@ QUIC_EXPORT_PRIVATE QuicConnectionIdIncluded
 GetServerConnectionIdIncludedAsSender(const QuicPacketHeader& header,
                                       Perspective perspective);
 
+// Returns the destination connection ID of |header| when |perspective| is
+// server, and the source connection ID when |perspective| is client.
+QUIC_EXPORT_PRIVATE QuicConnectionId
+GetClientConnectionIdAsSender(const QuicPacketHeader& header,
+                              Perspective perspective);
+
 // Returns the destination connection ID included of |header| when |perspective|
 // is server, and the source connection ID included when |perspective| is
 // client.
@@ -390,6 +402,35 @@ struct QUIC_EXPORT_PRIVATE QuicPerPacketContext {
   virtual ~QuicPerPacketContext() {}
 };
 
+// ReceivedPacketInfo comprises information obtained by parsing the unencrypted
+// bytes of a received packet.
+struct QUIC_EXPORT_PRIVATE ReceivedPacketInfo {
+  ReceivedPacketInfo(const QuicSocketAddress& self_address,
+                     const QuicSocketAddress& peer_address,
+                     const QuicReceivedPacket& packet);
+  ReceivedPacketInfo(const ReceivedPacketInfo& other) = default;
+
+  ~ReceivedPacketInfo();
+
+  std::string ToString() const;
+
+  QUIC_EXPORT_PRIVATE friend std::ostream& operator<<(
+      std::ostream& os,
+      const ReceivedPacketInfo& packet_info);
+
+  const QuicSocketAddress& self_address;
+  const QuicSocketAddress& peer_address;
+  const QuicReceivedPacket& packet;
+
+  // Fields below are populated by QuicFramer::ProcessPacketDispatcher.
+  PacketHeaderFormat form;
+  bool version_flag;
+  QuicVersionLabel version_label;
+  ParsedQuicVersion version;
+  QuicConnectionId destination_connection_id;
+  QuicConnectionId source_connection_id;
+};
+
 }  // namespace quic
 
 #endif  // QUICHE_QUIC_CORE_QUIC_PACKETS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packets_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packets_test.cc
index 9ea369e874b..be35d201f19 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packets_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packets_test.cc
@@ -86,6 +86,31 @@ TEST_F(QuicPacketsTest, GetClientConnectionIdIncludedAsSender) {
                                       header, Perspective::IS_CLIENT));
 }
 
+TEST_F(QuicPacketsTest, GetClientConnectionIdAsRecipient) {
+  SetQuicRestartFlag(quic_do_not_override_connection_id, true);
+  QuicPacketHeader header = CreateFakePacketHeader();
+  EXPECT_EQ(TestConnectionId(2),
+            GetClientConnectionIdAsRecipient(header, Perspective::IS_SERVER));
+  EXPECT_EQ(TestConnectionId(1),
+            GetClientConnectionIdAsRecipient(header, Perspective::IS_CLIENT));
+}
+
+TEST_F(QuicPacketsTest, GetClientConnectionIdAsSender) {
+  QuicPacketHeader header = CreateFakePacketHeader();
+  if (!GetQuicRestartFlag(quic_do_not_override_connection_id)) {
+    EXPECT_EQ(TestConnectionId(2),
+              GetClientConnectionIdAsSender(header, Perspective::IS_SERVER));
+    EXPECT_EQ(TestConnectionId(2),
+              GetClientConnectionIdAsSender(header, Perspective::IS_CLIENT));
+    return;
+  }
+
+  EXPECT_EQ(TestConnectionId(1),
+            GetClientConnectionIdAsSender(header, Perspective::IS_SERVER));
+  EXPECT_EQ(TestConnectionId(2),
+            GetClientConnectionIdAsSender(header, Perspective::IS_CLIENT));
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.cc
index 6fb8c493afa..2994748c8f9 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.cc
@@ -60,16 +60,16 @@ QuicReceivedPacketManager::QuicReceivedPacketManager(QuicConnectionStats* stats)
       fast_ack_after_quiescence_(false),
       ack_timeout_(QuicTime::Zero()),
       time_of_previous_received_packet_(QuicTime::Zero()),
-      was_last_packet_missing_(false),
-      decide_when_to_send_acks_(
-          GetQuicReloadableFlag(quic_deprecate_ack_bundling_mode) &&
-          GetQuicReloadableFlag(quic_rpm_decides_when_to_send_acks)) {}
+      was_last_packet_missing_(false) {
+  if (ack_mode_ == ACK_DECIMATION) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_enable_ack_decimation);
+  }
+}
 
 QuicReceivedPacketManager::~QuicReceivedPacketManager() {}
 
 void QuicReceivedPacketManager::SetFromConfig(const QuicConfig& config,
                                               Perspective perspective) {
-  DCHECK(decide_when_to_send_acks_);
   if (GetQuicReloadableFlag(quic_enable_ack_decimation) &&
       config.HasClientSentConnectionOption(kACD0, perspective)) {
     ack_mode_ = TCP_ACKING;
@@ -101,9 +101,7 @@ void QuicReceivedPacketManager::RecordPacketReceived(
     QuicTime receipt_time) {
   const QuicPacketNumber packet_number = header.packet_number;
   DCHECK(IsAwaitingPacket(packet_number)) << " packet_number:" << packet_number;
-  if (decide_when_to_send_acks_) {
-    was_last_packet_missing_ = IsMissing(packet_number);
-  }
+  was_last_packet_missing_ = IsMissing(packet_number);
   if (!ack_frame_updated_) {
     ack_frame_.received_packet_times.clear();
   }
@@ -164,9 +162,6 @@ bool QuicReceivedPacketManager::IsAwaitingPacket(
 
 const QuicFrame QuicReceivedPacketManager::GetUpdatedAckFrame(
     QuicTime approximate_now) {
-  if (!decide_when_to_send_acks_) {
-    ack_frame_updated_ = false;
-  }
   if (time_largest_observed_ == QuicTime::Zero()) {
     // We have received no packets.
     ack_frame_.ack_delay_time = QuicTime::Delta::Infinite();
@@ -224,8 +219,7 @@ void QuicReceivedPacketManager::MaybeUpdateAckTimeout(
     QuicTime time_of_last_received_packet,
     QuicTime now,
     const RttStats* rtt_stats,
-    QuicTime::Delta delayed_ack_time) {
-  DCHECK(decide_when_to_send_acks_);
+    QuicTime::Delta local_max_ack_delay) {
   if (!ack_frame_updated_) {
     // ACK frame has not been updated, nothing to do.
     return;
@@ -257,7 +251,7 @@ void QuicReceivedPacketManager::MaybeUpdateAckTimeout(
     // Wait for the minimum of the ack decimation delay or the delayed ack time
     // before sending an ack.
     QuicTime::Delta ack_delay = std::min(
-        delayed_ack_time, rtt_stats->min_rtt() * ack_decimation_delay_);
+        local_max_ack_delay, rtt_stats->min_rtt() * ack_decimation_delay_);
     if (fast_ack_after_quiescence_ && now - time_of_previous_received_packet_ >
                                           rtt_stats->SmoothedOrInitialRtt()) {
       // Ack the first packet out of queiscence faster, because QUIC does
@@ -279,7 +273,7 @@ void QuicReceivedPacketManager::MaybeUpdateAckTimeout(
       // or TLP packets, which we'd like to acknowledge quickly.
       MaybeUpdateAckTimeoutTo(now + QuicTime::Delta::FromMilliseconds(1));
     } else {
-      MaybeUpdateAckTimeoutTo(now + delayed_ack_time);
+      MaybeUpdateAckTimeoutTo(now + local_max_ack_delay);
     }
   }
 
@@ -300,7 +294,6 @@ void QuicReceivedPacketManager::MaybeUpdateAckTimeout(
 }
 
 void QuicReceivedPacketManager::ResetAckStates() {
-  DCHECK(decide_when_to_send_acks_);
   ack_frame_updated_ = false;
   ack_timeout_ = QuicTime::Zero();
   num_retransmittable_packets_received_since_last_ack_sent_ = 0;
@@ -308,7 +301,6 @@ void QuicReceivedPacketManager::ResetAckStates() {
 }
 
 void QuicReceivedPacketManager::MaybeUpdateAckTimeoutTo(QuicTime time) {
-  DCHECK(decide_when_to_send_acks_);
   if (!ack_timeout_.IsInitialized() || ack_timeout_ > time) {
     ack_timeout_ = time;
   }
@@ -321,12 +313,6 @@ bool QuicReceivedPacketManager::HasMissingPackets() const {
   if (ack_frame_.packets.NumIntervals() > 1) {
     return true;
   }
-  if (!GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    return ack_frame_.packets.Min() >
-           (peer_least_packet_awaiting_ack_.IsInitialized()
-                ? peer_least_packet_awaiting_ack_
-                : QuicPacketNumber(1));
-  }
   return peer_least_packet_awaiting_ack_.IsInitialized() &&
          ack_frame_.packets.Min() > peer_least_packet_awaiting_ack_;
 }
@@ -346,9 +332,6 @@ QuicPacketNumber QuicReceivedPacketManager::GetLargestObserved() const {
 
 QuicPacketNumber QuicReceivedPacketManager::PeerFirstSendingPacketNumber()
     const {
-  if (!GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    return QuicPacketNumber(1);
-  }
   if (!least_received_packet_number_.IsInitialized()) {
     QUIC_BUG << "No packets have been received yet";
     return QuicPacketNumber(1);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.h
index 7c9bd7fccf8..aaae7f12f9e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.h
@@ -65,7 +65,7 @@ class QUIC_EXPORT_PRIVATE QuicReceivedPacketManager {
                              QuicTime time_of_last_received_packet,
                              QuicTime now,
                              const RttStats* rtt_stats,
-                             QuicTime::Delta delayed_ack_time);
+                             QuicTime::Delta local_max_ack_delay);
 
   // Resets ACK related states, called after an ACK is successfully sent.
   void ResetAckStates();
@@ -85,11 +85,10 @@ class QUIC_EXPORT_PRIVATE QuicReceivedPacketManager {
 
   QuicPacketNumber GetLargestObserved() const;
 
-  // Returns peer first sending packet number to our best knowledge. If
-  // GetQuicRestartFlag(quic_enable_accept_random_ipn) is false, returns 1.
-  // Otherwise considers least_received_packet_number_ as peer first sending
-  // packet number. Please note, this function should only be called when at
-  // least one packet has been received.
+  // Returns peer first sending packet number to our best knowledge. Considers
+  // least_received_packet_number_ as peer first sending packet number. Please
+  // note, this function should only be called when at least one packet has been
+  // received.
   QuicPacketNumber PeerFirstSendingPacketNumber() const;
 
   void set_connection_stats(QuicConnectionStats* stats) { stats_ = stats; }
@@ -122,8 +121,6 @@ class QUIC_EXPORT_PRIVATE QuicReceivedPacketManager {
 
   QuicTime ack_timeout() const { return ack_timeout_; }
 
-  bool decide_when_to_send_acks() const { return decide_when_to_send_acks_; }
-
  private:
   friend class test::QuicConnectionPeer;
   friend class test::QuicReceivedPacketManagerPeer;
@@ -186,10 +183,6 @@ class QUIC_EXPORT_PRIVATE QuicReceivedPacketManager {
 
   // Last sent largest acked, which gets updated when ACK was successfully sent.
   QuicPacketNumber last_sent_largest_acked_;
-
-  // Latched value of quic_deprecate_ack_bundling_mode and
-  // quic_rpm_decides_when_to_send_acks.
-  const bool decide_when_to_send_acks_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager_test.cc
index 0512cb719d0..86ac933d0ff 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager_test.cc
@@ -82,13 +82,11 @@ class QuicReceivedPacketManagerTest : public QuicTestWithParam<TestParams> {
   }
 
   bool HasPendingAck() {
-    DCHECK(received_manager_.decide_when_to_send_acks());
     return received_manager_.ack_timeout().IsInitialized();
   }
 
   void MaybeUpdateAckTimeout(bool should_last_packet_instigate_acks,
                              uint64_t last_received_packet_number) {
-    DCHECK(received_manager_.decide_when_to_send_acks());
     received_manager_.MaybeUpdateAckTimeout(
         should_last_packet_instigate_acks,
         QuicPacketNumber(last_received_packet_number), clock_.ApproximateNow(),
@@ -136,9 +134,7 @@ TEST_P(QuicReceivedPacketManagerTest, GetUpdatedAckFrame) {
   EXPECT_TRUE(received_manager_.ack_frame_updated());
 
   QuicFrame ack = received_manager_.GetUpdatedAckFrame(QuicTime::Zero());
-  if (received_manager_.decide_when_to_send_acks()) {
-    received_manager_.ResetAckStates();
-  }
+  received_manager_.ResetAckStates();
   EXPECT_FALSE(received_manager_.ack_frame_updated());
   // When UpdateReceivedPacketInfo with a time earlier than the time of the
   // largest observed packet, make sure that the delta is 0, not negative.
@@ -147,9 +143,7 @@ TEST_P(QuicReceivedPacketManagerTest, GetUpdatedAckFrame) {
 
   QuicTime four_ms = QuicTime::Zero() + QuicTime::Delta::FromMilliseconds(4);
   ack = received_manager_.GetUpdatedAckFrame(four_ms);
-  if (received_manager_.decide_when_to_send_acks()) {
-    received_manager_.ResetAckStates();
-  }
+  received_manager_.ResetAckStates();
   EXPECT_FALSE(received_manager_.ack_frame_updated());
   // When UpdateReceivedPacketInfo after not having received a new packet,
   // the delta should still be accurate.
@@ -166,9 +160,7 @@ TEST_P(QuicReceivedPacketManagerTest, GetUpdatedAckFrame) {
   received_manager_.RecordPacketReceived(header, two_ms);
   EXPECT_TRUE(received_manager_.ack_frame_updated());
   ack = received_manager_.GetUpdatedAckFrame(two_ms);
-  if (received_manager_.decide_when_to_send_acks()) {
-    received_manager_.ResetAckStates();
-  }
+  received_manager_.ResetAckStates();
   EXPECT_FALSE(received_manager_.ack_frame_updated());
   // UpdateReceivedPacketInfo should discard any times which can't be
   // expressed on the wire.
@@ -223,33 +215,16 @@ TEST_P(QuicReceivedPacketManagerTest, IgnoreOutOfOrderTimestamps) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, HasMissingPackets) {
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    EXPECT_QUIC_BUG(received_manager_.PeerFirstSendingPacketNumber(),
-                    "No packets have been received yet");
-  } else {
-    EXPECT_EQ(QuicPacketNumber(1),
-              received_manager_.PeerFirstSendingPacketNumber());
-  }
+  EXPECT_QUIC_BUG(received_manager_.PeerFirstSendingPacketNumber(),
+                  "No packets have been received yet");
   RecordPacketReceipt(4, QuicTime::Zero());
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    EXPECT_EQ(QuicPacketNumber(4),
-              received_manager_.PeerFirstSendingPacketNumber());
-    EXPECT_FALSE(received_manager_.HasMissingPackets());
-  } else {
-    EXPECT_TRUE(received_manager_.HasMissingPackets());
-    EXPECT_EQ(QuicPacketNumber(1),
-              received_manager_.PeerFirstSendingPacketNumber());
-  }
+  EXPECT_EQ(QuicPacketNumber(4),
+            received_manager_.PeerFirstSendingPacketNumber());
+  EXPECT_FALSE(received_manager_.HasMissingPackets());
   RecordPacketReceipt(3, QuicTime::Zero());
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    EXPECT_FALSE(received_manager_.HasMissingPackets());
-    EXPECT_EQ(QuicPacketNumber(3),
-              received_manager_.PeerFirstSendingPacketNumber());
-  } else {
-    EXPECT_TRUE(received_manager_.HasMissingPackets());
-    EXPECT_EQ(QuicPacketNumber(1),
-              received_manager_.PeerFirstSendingPacketNumber());
-  }
+  EXPECT_FALSE(received_manager_.HasMissingPackets());
+  EXPECT_EQ(QuicPacketNumber(3),
+            received_manager_.PeerFirstSendingPacketNumber());
   RecordPacketReceipt(1, QuicTime::Zero());
   EXPECT_EQ(QuicPacketNumber(1),
             received_manager_.PeerFirstSendingPacketNumber());
@@ -261,20 +236,12 @@ TEST_P(QuicReceivedPacketManagerTest, HasMissingPackets) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, OutOfOrderReceiptCausesAckSent) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
 
   RecordPacketReceipt(3, clock_.ApproximateNow());
   MaybeUpdateAckTimeout(kInstigateAck, 3);
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    // Delayed ack is scheduled.
-    CheckAckTimeout(clock_.ApproximateNow() + kDelayedAckTime);
-  } else {
-    // Should ack immediately since we have missing packets.
-    CheckAckTimeout(clock_.ApproximateNow());
-  }
+  // Delayed ack is scheduled.
+  CheckAckTimeout(clock_.ApproximateNow() + kDelayedAckTime);
 
   RecordPacketReceipt(2, clock_.ApproximateNow());
   MaybeUpdateAckTimeout(kInstigateAck, 2);
@@ -292,9 +259,6 @@ TEST_P(QuicReceivedPacketManagerTest, OutOfOrderReceiptCausesAckSent) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, OutOfOrderAckReceiptCausesNoAck) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
 
   RecordPacketReceipt(2, clock_.ApproximateNow());
@@ -307,9 +271,6 @@ TEST_P(QuicReceivedPacketManagerTest, OutOfOrderAckReceiptCausesNoAck) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, AckReceiptCausesAckSend) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
 
   RecordPacketReceipt(1, clock_.ApproximateNow());
@@ -337,9 +298,6 @@ TEST_P(QuicReceivedPacketManagerTest, AckReceiptCausesAckSend) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, AckSentEveryNthPacket) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   received_manager_.set_ack_frequency_before_ack_decimation(3);
 
@@ -356,9 +314,6 @@ TEST_P(QuicReceivedPacketManagerTest, AckSentEveryNthPacket) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, AckDecimationReducesAcks) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetAckMode(&received_manager_,
                                             ACK_DECIMATION_WITH_REORDERING);
@@ -394,9 +349,6 @@ TEST_P(QuicReceivedPacketManagerTest, AckDecimationReducesAcks) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, SendDelayedAfterQuiescence) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetFastAckAfterQuiescence(&received_manager_,
                                                            true);
@@ -430,9 +382,6 @@ TEST_P(QuicReceivedPacketManagerTest, SendDelayedAfterQuiescence) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, SendDelayedAckDecimation) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetAckMode(&received_manager_, ACK_DECIMATION);
   // The ack time should be based on min_rtt * 1/4, since it's less than the
@@ -466,9 +415,6 @@ TEST_P(QuicReceivedPacketManagerTest, SendDelayedAckDecimation) {
 
 TEST_P(QuicReceivedPacketManagerTest,
        SendDelayedAckAckDecimationAfterQuiescence) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetAckMode(&received_manager_, ACK_DECIMATION);
   QuicReceivedPacketManagerPeer::SetFastAckAfterQuiescence(&received_manager_,
@@ -536,9 +482,6 @@ TEST_P(QuicReceivedPacketManagerTest,
 
 TEST_P(QuicReceivedPacketManagerTest,
        SendDelayedAckDecimationUnlimitedAggregation) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicConfig config;
   QuicTagVector connection_options;
@@ -579,9 +522,6 @@ TEST_P(QuicReceivedPacketManagerTest,
 }
 
 TEST_P(QuicReceivedPacketManagerTest, SendDelayedAckDecimationEighthRtt) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetAckMode(&received_manager_, ACK_DECIMATION);
   QuicReceivedPacketManagerPeer::SetAckDecimationDelay(&received_manager_,
@@ -617,9 +557,6 @@ TEST_P(QuicReceivedPacketManagerTest, SendDelayedAckDecimationEighthRtt) {
 }
 
 TEST_P(QuicReceivedPacketManagerTest, SendDelayedAckDecimationWithReordering) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetAckMode(&received_manager_,
                                             ACK_DECIMATION_WITH_REORDERING);
@@ -663,9 +600,6 @@ TEST_P(QuicReceivedPacketManagerTest, SendDelayedAckDecimationWithReordering) {
 
 TEST_P(QuicReceivedPacketManagerTest,
        SendDelayedAckDecimationWithLargeReordering) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetAckMode(&received_manager_,
                                             ACK_DECIMATION_WITH_REORDERING);
@@ -711,9 +645,6 @@ TEST_P(QuicReceivedPacketManagerTest,
 
 TEST_P(QuicReceivedPacketManagerTest,
        SendDelayedAckDecimationWithReorderingEighthRtt) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetAckMode(&received_manager_,
                                             ACK_DECIMATION_WITH_REORDERING);
@@ -755,9 +686,6 @@ TEST_P(QuicReceivedPacketManagerTest,
 
 TEST_P(QuicReceivedPacketManagerTest,
        SendDelayedAckDecimationWithLargeReorderingEighthRtt) {
-  if (!received_manager_.decide_when_to_send_acks()) {
-    return;
-  }
   EXPECT_FALSE(HasPendingAck());
   QuicReceivedPacketManagerPeer::SetAckMode(&received_manager_,
                                             ACK_DECIMATION_WITH_REORDERING);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.cc
index 527f820745b..5762333dabe 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.cc
@@ -10,7 +10,7 @@
 #include "net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h"
 #include "net/third_party/quiche/src/quic/core/congestion_control/pacing_sender.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection_stats.h"
 #include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
@@ -92,7 +92,6 @@ QuicSentPacketManager::QuicSentPacketManager(
       network_change_visitor_(nullptr),
       initial_congestion_window_(kInitialCongestionWindow),
       loss_algorithm_(GetInitialLossAlgorithm()),
-      general_loss_algorithm_(loss_type),
       uber_loss_algorithm_(loss_type),
       consecutive_rto_count_(0),
       consecutive_tlp_count_(0),
@@ -112,27 +111,29 @@ QuicSentPacketManager::QuicSentPacketManager(
       ietf_style_2x_tlp_(false),
       largest_mtu_acked_(0),
       handshake_confirmed_(false),
-      delayed_ack_time_(
+      local_max_ack_delay_(
+          QuicTime::Delta::FromMilliseconds(kDefaultDelayedAckTimeMs)),
+      peer_max_ack_delay_(
           QuicTime::Delta::FromMilliseconds(kDefaultDelayedAckTimeMs)),
       rtt_updated_(false),
       acked_packets_iter_(last_ack_frame_.packets.rbegin()),
-      tolerate_reneging_(GetQuicReloadableFlag(quic_tolerate_reneging)),
       loss_removes_from_inflight_(
-          GetQuicReloadableFlag(quic_loss_removes_from_inflight)) {
-  if (tolerate_reneging_) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_tolerate_reneging);
-  }
+          GetQuicReloadableFlag(quic_loss_removes_from_inflight)),
+      ignore_tlpr_if_no_pending_stream_data_(
+          GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)),
+      fix_rto_retransmission_(
+          GetQuicReloadableFlag(quic_fix_rto_retransmission)) {
   if (loss_removes_from_inflight_) {
     QUIC_RELOADABLE_FLAG_COUNT(quic_loss_removes_from_inflight);
   }
+  if (fix_rto_retransmission_) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_fix_rto_retransmission);
+  }
   SetSendAlgorithm(congestion_control_type);
 }
 
 LossDetectionInterface* QuicSentPacketManager::GetInitialLossAlgorithm() {
-  if (unacked_packets_.use_uber_loss_algorithm()) {
-    return &uber_loss_algorithm_;
-  }
-  return &general_loss_algorithm_;
+  return &uber_loss_algorithm_;
 }
 
 QuicSentPacketManager::~QuicSentPacketManager() {}
@@ -154,7 +155,7 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
     rtt_stats_.set_ignore_max_ack_delay(true);
   }
   if (config.HasClientSentConnectionOption(kMAD1, perspective)) {
-    rtt_stats_.set_initial_max_ack_delay(delayed_ack_time_);
+    rtt_stats_.set_initial_max_ack_delay(local_max_ack_delay_);
   }
   if (config.HasClientSentConnectionOption(kMAD2, perspective)) {
     min_tlp_timeout_ = QuicTime::Delta::Zero();
@@ -173,6 +174,12 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
   if (config.HasClientRequestedIndependentOption(kTBBR, perspective)) {
     SetSendAlgorithm(kBBR);
   }
+  if (GetQuicReloadableFlag(quic_allow_client_enabled_bbr_v2) &&
+      config.HasClientRequestedIndependentOption(kB2ON, perspective)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_allow_client_enabled_bbr_v2);
+    SetSendAlgorithm(kBBRv2);
+  }
+
   if (config.HasClientRequestedIndependentOption(kRENO, perspective)) {
     SetSendAlgorithm(kRenoBytes);
   } else if (config.HasClientRequestedIndependentOption(kBYTE, perspective) ||
@@ -183,6 +190,7 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
              config.HasClientRequestedIndependentOption(kTPCC, perspective)) {
     SetSendAlgorithm(kPCC);
   }
+
   // Initial window.
   if (GetQuicReloadableFlag(quic_unified_iw_options)) {
     if (config.HasClientRequestedIndependentOption(kIW03, perspective)) {
@@ -203,11 +211,8 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
     }
   }
 
-  using_pacing_ = !FLAGS_quic_disable_pacing_for_perf_tests;
+  using_pacing_ = !GetQuicFlag(FLAGS_quic_disable_pacing_for_perf_tests);
 
-  if (config.HasClientSentConnectionOption(k1CON, perspective)) {
-    send_algorithm_->SetNumEmulatedConnections(1);
-  }
   if (config.HasClientSentConnectionOption(kNTLP, perspective)) {
     max_tail_loss_probes_ = 0;
   }
@@ -225,25 +230,13 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
   }
   // Configure loss detection.
   if (config.HasClientRequestedIndependentOption(kTIME, perspective)) {
-    if (unacked_packets_.use_uber_loss_algorithm()) {
-      uber_loss_algorithm_.SetLossDetectionType(kTime);
-    } else {
-      general_loss_algorithm_.SetLossDetectionType(kTime);
-    }
+    uber_loss_algorithm_.SetLossDetectionType(kTime);
   }
   if (config.HasClientRequestedIndependentOption(kATIM, perspective)) {
-    if (unacked_packets_.use_uber_loss_algorithm()) {
-      uber_loss_algorithm_.SetLossDetectionType(kAdaptiveTime);
-    } else {
-      general_loss_algorithm_.SetLossDetectionType(kAdaptiveTime);
-    }
+    uber_loss_algorithm_.SetLossDetectionType(kAdaptiveTime);
   }
   if (config.HasClientRequestedIndependentOption(kLFAK, perspective)) {
-    if (unacked_packets_.use_uber_loss_algorithm()) {
-      uber_loss_algorithm_.SetLossDetectionType(kLazyFack);
-    } else {
-      general_loss_algorithm_.SetLossDetectionType(kLazyFack);
-    }
+    uber_loss_algorithm_.SetLossDetectionType(kLazyFack);
   }
   if (config.HasClientSentConnectionOption(kCONH, perspective)) {
     conservative_handshake_retransmits_ = true;
@@ -291,12 +284,11 @@ void QuicSentPacketManager::AdjustNetworkParameters(
 
 void QuicSentPacketManager::SetHandshakeConfirmed() {
   handshake_confirmed_ = true;
-  if (unacked_packets_.use_uber_loss_algorithm()) {
-    NeuterHandshakePackets();
-  }
+  NeuterHandshakePackets();
 }
 
 void QuicSentPacketManager::PostProcessNewlyAckedPackets(
+    QuicPacketNumber ack_packet_number,
     const QuicAckFrame& ack_frame,
     QuicTime ack_receive_time,
     bool rtt_updated,
@@ -342,9 +334,9 @@ void QuicSentPacketManager::PostProcessNewlyAckedPackets(
   }
 
   if (debug_delegate_ != nullptr) {
-    debug_delegate_->OnIncomingAck(ack_frame, ack_receive_time,
-                                   LargestAcked(ack_frame), rtt_updated,
-                                   GetLeastUnacked());
+    debug_delegate_->OnIncomingAck(ack_packet_number, ack_frame,
+                                   ack_receive_time, LargestAcked(ack_frame),
+                                   rtt_updated, GetLeastUnacked());
   }
   // Remove packets below least unacked from all_packets_acked_ and
   // last_ack_frame_.
@@ -432,7 +424,6 @@ void QuicSentPacketManager::NeuterUnencryptedPackets() {
 }
 
 void QuicSentPacketManager::NeuterHandshakePackets() {
-  DCHECK(unacked_packets_.use_uber_loss_algorithm());
   QuicPacketNumber packet_number = unacked_packets_.GetLeastUnacked();
   for (QuicUnackedPacketMap::const_iterator it = unacked_packets_.begin();
        it != unacked_packets_.end(); ++it, ++packet_number) {
@@ -610,7 +601,8 @@ QuicPacketNumber QuicSentPacketManager::GetNewestRetransmission(
 
 void QuicSentPacketManager::MarkPacketHandled(QuicPacketNumber packet_number,
                                               QuicTransmissionInfo* info,
-                                              QuicTime::Delta ack_delay_time) {
+                                              QuicTime::Delta ack_delay_time,
+                                              QuicTime receive_timestamp) {
   QuicPacketNumber newest_transmission =
       GetNewestRetransmission(packet_number, *info);
   // Remove the most recent packet, if it is pending retransmission.
@@ -622,13 +614,14 @@ void QuicSentPacketManager::MarkPacketHandled(QuicPacketNumber packet_number,
     const bool fast_path = session_decides_what_to_write() &&
                            info->transmission_type == NOT_RETRANSMISSION;
     if (fast_path) {
-      unacked_packets_.MaybeAggregateAckedStreamFrame(*info, ack_delay_time);
+      unacked_packets_.MaybeAggregateAckedStreamFrame(*info, ack_delay_time,
+                                                      receive_timestamp);
     } else {
       if (session_decides_what_to_write()) {
         unacked_packets_.NotifyAggregatedStreamFrameAcked(ack_delay_time);
       }
-      const bool new_data_acked =
-          unacked_packets_.NotifyFramesAcked(*info, ack_delay_time);
+      const bool new_data_acked = unacked_packets_.NotifyFramesAcked(
+          *info, ack_delay_time, receive_timestamp);
       if (session_decides_what_to_write() && !new_data_acked &&
           info->transmission_type != NOT_RETRANSMISSION) {
         // Record as a spurious retransmission if this packet is a
@@ -651,8 +644,8 @@ void QuicSentPacketManager::MarkPacketHandled(QuicPacketNumber packet_number,
     // only handle nullptr encrypted packets in a special way.
     const QuicTransmissionInfo& newest_transmission_info =
         unacked_packets_.GetTransmissionInfo(newest_transmission);
-    unacked_packets_.NotifyFramesAcked(newest_transmission_info,
-                                       ack_delay_time);
+    unacked_packets_.NotifyFramesAcked(newest_transmission_info, ack_delay_time,
+                                       receive_timestamp);
     if (HasCryptoHandshake(newest_transmission_info)) {
       unacked_packets_.RemoveFromInFlight(newest_transmission);
     }
@@ -776,13 +769,6 @@ bool QuicSentPacketManager::MaybeRetransmitTailLossProbe() {
     return false;
   }
   if (!MaybeRetransmitOldestPacket(TLP_RETRANSMISSION)) {
-    // If no tail loss probe can be sent, because there are no retransmittable
-    // packets, execute a conventional RTO to abandon old packets.
-    if (GetQuicReloadableFlag(quic_optimize_inflight_check)) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_optimize_inflight_check);
-      pending_timer_transmission_count_ = 0;
-      RetransmitRtoPackets();
-    }
     return false;
   }
   return true;
@@ -830,7 +816,7 @@ void QuicSentPacketManager::RetransmitRtoPackets() {
     if (session_decides_what_to_write()) {
       has_retransmissions = it->state != OUTSTANDING;
     }
-    if (it->in_flight && !has_retransmissions &&
+    if (!fix_rto_retransmission_ && it->in_flight && !has_retransmissions &&
         !unacked_packets_.HasRetransmittableFrames(*it)) {
       // Log only for non-retransmittable data.
       // Retransmittable data is marked as lost during loss detection, and will
@@ -852,6 +838,13 @@ void QuicSentPacketManager::RetransmitRtoPackets() {
     for (QuicPacketNumber retransmission : retransmissions) {
       MarkForRetransmission(retransmission, RTO_RETRANSMISSION);
     }
+    if (fix_rto_retransmission_ && retransmissions.empty()) {
+      QUIC_BUG_IF(pending_timer_transmission_count_ != 0);
+      // No packets to be RTO retransmitted, raise up a credit to allow
+      // connection to send.
+      QUIC_CODE_COUNT(no_packets_to_be_rto_retransmitted);
+      pending_timer_transmission_count_ = 1;
+    }
   }
 }
 
@@ -865,8 +858,7 @@ QuicSentPacketManager::GetRetransmissionMode() const {
     return LOSS_MODE;
   }
   if (consecutive_tlp_count_ < max_tail_loss_probes_) {
-    if (GetQuicReloadableFlag(quic_optimize_inflight_check) ||
-        unacked_packets_.HasUnackedRetransmittableFrames()) {
+    if (unacked_packets_.HasUnackedRetransmittableFrames()) {
       return TLP_MODE;
     }
   }
@@ -948,8 +940,7 @@ const QuicTime QuicSentPacketManager::GetRetransmissionTime() const {
       pending_timer_transmission_count_ > 0) {
     return QuicTime::Zero();
   }
-  if (!GetQuicReloadableFlag(quic_optimize_inflight_check) &&
-      !unacked_packets_.HasUnackedRetransmittableFrames()) {
+  if (!unacked_packets_.HasUnackedRetransmittableFrames()) {
     return QuicTime::Zero();
   }
   switch (GetRetransmissionMode()) {
@@ -1001,7 +992,7 @@ const QuicTime::Delta QuicSentPacketManager::GetCryptoRetransmissionDelay()
   if (conservative_handshake_retransmits_) {
     // Using the delayed ack time directly could cause conservative handshake
     // retransmissions to actually be more aggressive than the default.
-    delay_ms = std::max(delayed_ack_time_.ToMilliseconds(),
+    delay_ms = std::max(peer_max_ack_delay_.ToMilliseconds(),
                         static_cast<int64_t>(2 * srtt.ToMilliseconds()));
   } else {
     delay_ms = std::max(kMinHandshakeTimeoutMs,
@@ -1015,7 +1006,16 @@ const QuicTime::Delta QuicSentPacketManager::GetTailLossProbeDelay(
     size_t consecutive_tlp_count) const {
   QuicTime::Delta srtt = rtt_stats_.SmoothedOrInitialRtt();
   if (enable_half_rtt_tail_loss_probe_ && consecutive_tlp_count == 0u) {
-    return std::max(min_tlp_timeout_, srtt * 0.5);
+    if (!ignore_tlpr_if_no_pending_stream_data_ ||
+        !session_decides_what_to_write()) {
+      return std::max(min_tlp_timeout_, srtt * 0.5);
+    }
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_tlpr_if_no_pending_stream_data, 1,
+                                 5);
+    if (unacked_packets().HasUnackedStreamData()) {
+      // Enable TLPR if there are pending data packets.
+      return std::max(min_tlp_timeout_, srtt * 0.5);
+    }
   }
   if (ietf_style_tlp_) {
     return std::max(min_tlp_timeout_, 1.5 * srtt + rtt_stats_.max_ack_delay());
@@ -1123,9 +1123,6 @@ void QuicSentPacketManager::OnAckFrameStart(QuicPacketNumber largest_acked,
   DCHECK_LE(largest_acked, unacked_packets_.largest_sent_packet());
   rtt_updated_ =
       MaybeUpdateRTT(largest_acked, ack_delay_time, ack_receive_time);
-  DCHECK(!unacked_packets_.largest_acked().IsInitialized() ||
-         largest_acked >= unacked_packets_.largest_acked() ||
-         tolerate_reneging_);
   last_ack_frame_.ack_delay_time = ack_delay_time;
   acked_packets_iter_ = last_ack_frame_.packets.rbegin();
 }
@@ -1181,6 +1178,7 @@ void QuicSentPacketManager::OnAckTimestamp(QuicPacketNumber packet_number,
 
 AckResult QuicSentPacketManager::OnAckFrameEnd(
     QuicTime ack_receive_time,
+    QuicPacketNumber ack_packet_number,
     EncryptionLevel ack_decrypted_level) {
   QuicByteCount prior_bytes_in_flight = unacked_packets_.bytes_in_flight();
   // Reverse packets_acked_ so that it is in ascending order.
@@ -1214,9 +1212,7 @@ AckResult QuicSentPacketManager::OnAckFrameEnd(
                   << QuicUtils::EncryptionLevelToString(ack_decrypted_level)
                   << " ack for packet " << acked_packet.packet_number;
     const PacketNumberSpace packet_number_space =
-        unacked_packets_.use_uber_loss_algorithm()
-            ? unacked_packets_.GetPacketNumberSpace(info->encryption_level)
-            : NUM_PACKET_NUMBER_SPACES;
+        unacked_packets_.GetPacketNumberSpace(info->encryption_level);
     if (supports_multiple_packet_number_spaces() &&
         QuicUtils::GetPacketNumberSpace(ack_decrypted_level) !=
             packet_number_space) {
@@ -1236,15 +1232,15 @@ AckResult QuicSentPacketManager::OnAckFrameEnd(
       // Unackable packets are skipped earlier.
       largest_newly_acked_ = acked_packet.packet_number;
     }
-    if (unacked_packets_.use_uber_loss_algorithm()) {
-      unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
-          packet_number_space, acked_packet.packet_number);
-    }
+    unacked_packets_.MaybeUpdateLargestAckedOfPacketNumberSpace(
+        packet_number_space, acked_packet.packet_number);
     MarkPacketHandled(acked_packet.packet_number, info,
-                      last_ack_frame_.ack_delay_time);
+                      last_ack_frame_.ack_delay_time,
+                      acked_packet.receive_timestamp);
   }
   const bool acked_new_packet = !packets_acked_.empty();
-  PostProcessNewlyAckedPackets(last_ack_frame_, ack_receive_time, rtt_updated_,
+  PostProcessNewlyAckedPackets(ack_packet_number, last_ack_frame_,
+                               ack_receive_time, rtt_updated_,
                                prior_bytes_in_flight);
 
   return acked_new_packet ? PACKETS_NEWLY_ACKED : NO_PACKETS_NEWLY_ACKED;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h
index 3df874dd873..b08704de229 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h
@@ -17,7 +17,7 @@
 #include "net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h"
 #include "net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h"
 #include "net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
 #include "net/third_party/quiche/src/quic/core/quic_sustained_bandwidth_recorder.h"
@@ -54,25 +54,27 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
 
     // Called when a spurious retransmission is detected.
     virtual void OnSpuriousPacketRetransmission(
-        TransmissionType transmission_type,
-        QuicByteCount byte_size) {}
+        TransmissionType /*transmission_type*/,
+        QuicByteCount /*byte_size*/) {}
 
-    virtual void OnIncomingAck(const QuicAckFrame& ack_frame,
-                               QuicTime ack_receive_time,
-                               QuicPacketNumber largest_observed,
-                               bool rtt_updated,
-                               QuicPacketNumber least_unacked_sent_packet) {}
+    virtual void OnIncomingAck(QuicPacketNumber /*ack_packet_number*/,
+                               const QuicAckFrame& /*ack_frame*/,
+                               QuicTime /*ack_receive_time*/,
+                               QuicPacketNumber /*largest_observed*/,
+                               bool /*rtt_updated*/,
+                               QuicPacketNumber /*least_unacked_sent_packet*/) {
+    }
 
-    virtual void OnPacketLoss(QuicPacketNumber lost_packet_number,
-                              TransmissionType transmission_type,
-                              QuicTime detection_time) {}
+    virtual void OnPacketLoss(QuicPacketNumber /*lost_packet_number*/,
+                              TransmissionType /*transmission_type*/,
+                              QuicTime /*detection_time*/) {}
 
     virtual void OnApplicationLimited() {}
 
-    virtual void OnAdjustNetworkParameters(QuicBandwidth bandwidth,
-                                           QuicTime::Delta rtt,
-                                           QuicByteCount old_cwnd,
-                                           QuicByteCount new_cwnd) {}
+    virtual void OnAdjustNetworkParameters(QuicBandwidth /*bandwidth*/,
+                                           QuicTime::Delta /*rtt*/,
+                                           QuicByteCount /*old_cwnd*/,
+                                           QuicByteCount /*new_cwnd*/) {}
   };
 
   // Interface which gets callbacks from the QuicSentPacketManager when
@@ -143,8 +145,7 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
 
   // Removes the retransmittable frames from all unencrypted packets to ensure
   // they don't get retransmitted.
-  // TODO(fayang): Consider remove this function when deprecating
-  // quic_use_uber_loss_algorithm.
+  // TODO(fayang): Consider replace this function with NeuterHandshakePackets.
   void NeuterUnencryptedPackets();
 
   // Returns true if there are pending retransmissions.
@@ -278,6 +279,7 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
 
   // Called when an ack frame is parsed completely.
   AckResult OnAckFrameEnd(QuicTime ack_receive_time,
+                          QuicPacketNumber ack_packet_number,
                           EncryptionLevel ack_decrypted_level);
 
   // Called to enable/disable letting session decide what to write.
@@ -339,6 +341,7 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   }
 
   QuicPacketNumber largest_packet_peer_knows_is_acked() const {
+    DCHECK(!supports_multiple_packet_number_spaces());
     return largest_packet_peer_knows_is_acked_;
   }
 
@@ -352,21 +355,18 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
     return pending_timer_transmission_count_;
   }
 
-  QuicTime::Delta delayed_ack_time() const { return delayed_ack_time_; }
+  QuicTime::Delta local_max_ack_delay() const { return local_max_ack_delay_; }
 
-  void set_delayed_ack_time(QuicTime::Delta delayed_ack_time) {
+  void set_local_max_ack_delay(QuicTime::Delta local_max_ack_delay) {
     // The delayed ack time should never be more than one half the min RTO time.
-    DCHECK_LE(delayed_ack_time, (min_rto_timeout_ * 0.5));
-    delayed_ack_time_ = delayed_ack_time;
+    DCHECK_LE(local_max_ack_delay, (min_rto_timeout_ * 0.5));
+    local_max_ack_delay_ = local_max_ack_delay;
   }
 
-  bool enable_half_rtt_tail_loss_probe() const {
-    return enable_half_rtt_tail_loss_probe_;
-  }
+  QuicTime::Delta peer_max_ack_delay() const { return peer_max_ack_delay_; }
 
-  void set_enable_half_rtt_tail_loss_probe(
-      bool enable_half_rtt_tail_loss_probe) {
-    enable_half_rtt_tail_loss_probe_ = enable_half_rtt_tail_loss_probe;
+  void set_peer_max_ack_delay(QuicTime::Delta peer_max_ack_delay) {
+    peer_max_ack_delay_ = peer_max_ack_delay;
   }
 
   const QuicUnackedPacketMap& unacked_packets() const {
@@ -383,16 +383,16 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // Setting the send algorithm once the connection is underway is dangerous.
   void SetSendAlgorithm(SendAlgorithmInterface* send_algorithm);
 
-  bool tolerate_reneging() const { return tolerate_reneging_; }
-
   bool supports_multiple_packet_number_spaces() const {
     return unacked_packets_.supports_multiple_packet_number_spaces();
   }
 
-  bool use_uber_loss_algorithm() const {
-    return unacked_packets_.use_uber_loss_algorithm();
+  bool ignore_tlpr_if_no_pending_stream_data() const {
+    return ignore_tlpr_if_no_pending_stream_data_;
   }
 
+  bool fix_rto_retransmission() const { return fix_rto_retransmission_; }
+
  private:
   friend class test::QuicConnectionPeer;
   friend class test::QuicSentPacketManagerPeer;
@@ -481,7 +481,8 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // |info| due to receipt by the peer.
   void MarkPacketHandled(QuicPacketNumber packet_number,
                          QuicTransmissionInfo* info,
-                         QuicTime::Delta ack_delay_time);
+                         QuicTime::Delta ack_delay_time,
+                         QuicTime receive_timestamp);
 
   // Request that |packet_number| be retransmitted after the other pending
   // retransmissions.  Does not add it to the retransmissions if it's already
@@ -496,7 +497,8 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
                             QuicTransmissionInfo* transmission_info);
 
   // Called after packets have been marked handled with last received ack frame.
-  void PostProcessNewlyAckedPackets(const QuicAckFrame& ack_frame,
+  void PostProcessNewlyAckedPackets(QuicPacketNumber ack_packet_number,
+                                    const QuicAckFrame& ack_frame,
                                     QuicTime ack_receive_time,
                                     bool rtt_updated,
                                     QuicByteCount prior_bytes_in_flight);
@@ -521,9 +523,8 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // Called when handshake is confirmed to remove the retransmittable frames
   // from all packets of HANDSHAKE_DATA packet number space to ensure they don't
   // get retransmitted and will eventually be removed from unacked packets map.
-  // Only used when quic_use_uber_loss_algorithm is true. Please note, this only
-  // applies to QUIC Crypto and needs to be changed when switches to IETF QUIC
-  // with QUIC TLS.
+  // Please note, this only applies to QUIC Crypto and needs to be changed when
+  // switches to IETF QUIC with QUIC TLS.
   void NeuterHandshakePackets();
 
   // Newly serialized retransmittable packets are added to this map, which
@@ -550,9 +551,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   std::unique_ptr<SendAlgorithmInterface> send_algorithm_;
   // Not owned. Always points to |general_loss_algorithm_| outside of tests.
   LossDetectionInterface* loss_algorithm_;
-  // TODO(fayang): Remove general_loss_algorithm_ when deprecating
-  // quic_use_uber_loss_algorithm.
-  GeneralLossAlgorithm general_loss_algorithm_;
   UberLossAlgorithm uber_loss_algorithm_;
 
   // Tracks the first RTO packet.  If any packet before that packet gets acked,
@@ -617,9 +615,14 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   QuicPacketNumber
       largest_packets_peer_knows_is_acked_[NUM_PACKET_NUMBER_SPACES];
 
-  // The maximum amount of time to wait before sending an acknowledgement.
-  // The recovery code assumes the delayed ack time is the same on both sides.
-  QuicTime::Delta delayed_ack_time_;
+  // The local node's maximum ack delay time. This is the maximum amount of
+  // time to wait before sending an acknowledgement.
+  QuicTime::Delta local_max_ack_delay_;
+
+  // The maximum ACK delay time that the peer uses. Initialized to be the
+  // same as local_max_ack_delay_, may be changed via transport parameter
+  // negotiation.
+  QuicTime::Delta peer_max_ack_delay_;
 
   // Latest received ack frame.
   QuicAckFrame last_ack_frame_;
@@ -631,11 +634,14 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // OnAckRangeStart, and gradually moves in OnAckRange..
   PacketNumberQueue::const_reverse_iterator acked_packets_iter_;
 
-  // Latched value of quic_tolerate_reneging.
-  const bool tolerate_reneging_;
-
   // Latched value of quic_loss_removes_from_inflight.
   const bool loss_removes_from_inflight_;
+
+  // Latched value of quic_ignore_tlpr_if_no_pending_stream_data.
+  const bool ignore_tlpr_if_no_pending_stream_data_;
+
+  // Latched value of quic_fix_rto_retransmission.
+  const bool fix_rto_retransmission_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager_test.cc
index c508cca89dc..4fce40f1859 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager_test.cc
@@ -68,16 +68,23 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
                           HANDSHAKE_RETRANSMISSION, HAS_RETRANSMITTABLE_DATA);
   }
 
-  void RetransmitDataPacket(uint64_t packet_number, TransmissionType type) {
+  void RetransmitDataPacket(uint64_t packet_number,
+                            TransmissionType type,
+                            EncryptionLevel level) {
     EXPECT_CALL(
         *send_algorithm_,
         OnPacketSent(_, BytesInFlight(), QuicPacketNumber(packet_number),
                      kDefaultLength, HAS_RETRANSMITTABLE_DATA));
     SerializedPacket packet(CreatePacket(packet_number, true));
+    packet.encryption_level = level;
     manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(), type,
                           HAS_RETRANSMITTABLE_DATA);
   }
 
+  void RetransmitDataPacket(uint64_t packet_number, TransmissionType type) {
+    RetransmitDataPacket(packet_number, type, ENCRYPTION_INITIAL);
+  }
+
  protected:
   QuicSentPacketManagerTest()
       : manager_(Perspective::IS_SERVER,
@@ -110,7 +117,7 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
     EXPECT_CALL(notifier_, HasUnackedCryptoData())
         .WillRepeatedly(Return(false));
     EXPECT_CALL(notifier_, OnStreamFrameRetransmitted(_)).Times(AnyNumber());
-    EXPECT_CALL(notifier_, OnFrameAcked(_, _)).WillRepeatedly(Return(true));
+    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).WillRepeatedly(Return(true));
   }
 
   ~QuicSentPacketManagerTest() override {}
@@ -154,7 +161,7 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
     EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
   }
 
-  void ExpectUpdatedRtt(uint64_t largest_observed) {
+  void ExpectUpdatedRtt(uint64_t /*largest_observed*/) {
     EXPECT_CALL(*send_algorithm_,
                 OnCongestionEvent(true, _, _, IsEmpty(), IsEmpty()));
     EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
@@ -267,6 +274,14 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
     return packet;
   }
 
+  SerializedPacket CreatePingPacket(uint64_t packet_number) {
+    SerializedPacket packet(QuicPacketNumber(packet_number),
+                            PACKET_4BYTE_PACKET_NUMBER, nullptr, kDefaultLength,
+                            false, false);
+    packet.retransmittable_frames.push_back(QuicFrame(QuicPingFrame()));
+    return packet;
+  }
+
   void SendDataPacket(uint64_t packet_number) {
     SendDataPacket(packet_number, ENCRYPTION_INITIAL);
   }
@@ -282,6 +297,17 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
                           NOT_RETRANSMISSION, HAS_RETRANSMITTABLE_DATA);
   }
 
+  void SendPingPacket(uint64_t packet_number,
+                      EncryptionLevel encryption_level) {
+    EXPECT_CALL(*send_algorithm_,
+                OnPacketSent(_, BytesInFlight(),
+                             QuicPacketNumber(packet_number), _, _));
+    SerializedPacket packet(CreatePingPacket(packet_number));
+    packet.encryption_level = encryption_level;
+    manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
+                          NOT_RETRANSMISSION, HAS_RETRANSMITTABLE_DATA);
+  }
+
   void SendCryptoPacket(uint64_t packet_number) {
     EXPECT_CALL(
         *send_algorithm_,
@@ -300,12 +326,19 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
   }
 
   void SendAckPacket(uint64_t packet_number, uint64_t largest_acked) {
+    SendAckPacket(packet_number, largest_acked, ENCRYPTION_INITIAL);
+  }
+
+  void SendAckPacket(uint64_t packet_number,
+                     uint64_t largest_acked,
+                     EncryptionLevel level) {
     EXPECT_CALL(
         *send_algorithm_,
         OnPacketSent(_, BytesInFlight(), QuicPacketNumber(packet_number),
                      kDefaultLength, NO_RETRANSMITTABLE_DATA));
     SerializedPacket packet(CreatePacket(packet_number, false));
     packet.largest_acked = QuicPacketNumber(largest_acked);
+    packet.encryption_level = level;
     manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
                           NOT_RETRANSMISSION, NO_RETRANSMITTABLE_DATA);
   }
@@ -371,7 +404,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAck) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(3));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   if (manager_.session_decides_what_to_write()) {
     EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
   }
@@ -403,7 +437,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckBeforeSend) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   // There should no longer be a pending retransmission.
   EXPECT_FALSE(manager_.HasPendingRetransmissions());
@@ -458,7 +493,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPrevious) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   if (manager_.session_decides_what_to_write()) {
     EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
   }
@@ -469,13 +505,14 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPrevious) {
   VerifyRetransmittablePackets(nullptr, 0);
   if (manager_.session_decides_what_to_write()) {
     // Ack 2 causes 2 be considered as spurious retransmission.
-    EXPECT_CALL(notifier_, OnFrameAcked(_, _)).WillOnce(Return(false));
+    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).WillOnce(Return(false));
     ExpectAck(2);
     manager_.OnAckFrameStart(QuicPacketNumber(2), QuicTime::Delta::Infinite(),
                              clock_.Now());
     manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(3));
     EXPECT_EQ(PACKETS_NEWLY_ACKED,
-              manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+              manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                     ENCRYPTION_INITIAL));
   }
 
   EXPECT_EQ(1u, stats_.packets_spuriously_retransmitted);
@@ -493,7 +530,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   SendDataPacket(3);
   SendDataPacket(4);
@@ -507,7 +545,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(4));
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_INITIAL));
 
   ExpectAck(4);
   manager_.OnAckFrameStart(QuicPacketNumber(4), QuicTime::Delta::Infinite(),
@@ -515,7 +554,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(5));
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(3),
+                                   ENCRYPTION_INITIAL));
 
   ExpectAckAndLoss(true, 5, 2);
   if (manager_.session_decides_what_to_write()) {
@@ -530,7 +570,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(4),
+                                   ENCRYPTION_INITIAL));
 
   if (manager_.session_decides_what_to_write()) {
     uint64_t unacked[] = {2};
@@ -567,7 +608,8 @@ TEST_P(QuicSentPacketManagerTest,
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   // Since 2 was marked for retransmit, when 1 is acked, 2 is kept for RTT.
   uint64_t unacked[] = {2};
@@ -605,7 +647,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   if (manager_.session_decides_what_to_write()) {
     // Frames in packets 2 and 3 are acked.
     EXPECT_CALL(notifier_, IsFrameOutstanding(_))
@@ -623,7 +666,7 @@ TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
   SendDataPacket(4);
   if (manager_.session_decides_what_to_write()) {
     // No new data gets acked in packet 3.
-    EXPECT_CALL(notifier_, OnFrameAcked(_, _))
+    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _))
         .WillOnce(Return(false))
         .WillRepeatedly(Return(true));
   }
@@ -634,7 +677,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(5));
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_INITIAL));
 
   uint64_t unacked2[] = {2};
   VerifyUnackedPackets(unacked2, QUIC_ARRAYSIZE(unacked2));
@@ -656,7 +700,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(3),
+                                   ENCRYPTION_INITIAL));
 
   if (manager_.session_decides_what_to_write()) {
     uint64_t unacked[] = {2};
@@ -690,7 +735,8 @@ TEST_P(QuicSentPacketManagerTest, AckOriginalTransmission) {
                              clock_.Now());
     manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
     EXPECT_EQ(PACKETS_NEWLY_ACKED,
-              manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+              manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                     ENCRYPTION_INITIAL));
   }
 
   SendDataPacket(3);
@@ -704,7 +750,8 @@ TEST_P(QuicSentPacketManagerTest, AckOriginalTransmission) {
     manager_.OnAckRange(QuicPacketNumber(4), QuicPacketNumber(5));
     manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
     EXPECT_EQ(PACKETS_NEWLY_ACKED,
-              manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+              manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                     ENCRYPTION_INITIAL));
     RetransmitAndSendPacket(3, 5, LOSS_RETRANSMISSION);
   }
 
@@ -720,20 +767,22 @@ TEST_P(QuicSentPacketManagerTest, AckOriginalTransmission) {
     manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(5));
     manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
     EXPECT_EQ(PACKETS_NEWLY_ACKED,
-              manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+              manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(3),
+                                     ENCRYPTION_INITIAL));
     if (manager_.session_decides_what_to_write()) {
       // Ack 3 will not cause 5 be considered as a spurious retransmission. Ack
       // 5 will cause 5 be considered as a spurious retransmission as no new
       // data gets acked.
       ExpectAck(5);
       EXPECT_CALL(*loss_algorithm, DetectLosses(_, _, _, _, _, _));
-      EXPECT_CALL(notifier_, OnFrameAcked(_, _)).WillOnce(Return(false));
+      EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).WillOnce(Return(false));
       manager_.OnAckFrameStart(QuicPacketNumber(5), QuicTime::Delta::Infinite(),
                                clock_.Now());
       manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
       manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
       EXPECT_EQ(PACKETS_NEWLY_ACKED,
-                manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+                manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(4),
+                                       ENCRYPTION_INITIAL));
     }
   }
 }
@@ -759,7 +808,8 @@ TEST_P(QuicSentPacketManagerTest, AckAckAndUpdateRtt) {
                            QuicTime::Delta::FromMilliseconds(5), clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(3));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   EXPECT_EQ(QuicPacketNumber(1), manager_.largest_packet_peer_knows_is_acked());
 
   SendAckPacket(3, 3);
@@ -771,7 +821,8 @@ TEST_P(QuicSentPacketManagerTest, AckAckAndUpdateRtt) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_INITIAL));
   EXPECT_EQ(QuicPacketNumber(3u),
             manager_.largest_packet_peer_knows_is_acked());
 }
@@ -786,7 +837,8 @@ TEST_P(QuicSentPacketManagerTest, Rtt) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   EXPECT_EQ(expected_rtt, manager_.GetRttStats()->latest_rtt());
 }
 
@@ -803,7 +855,8 @@ TEST_P(QuicSentPacketManagerTest, RttWithInvalidDelta) {
                            QuicTime::Delta::FromMilliseconds(11), clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   EXPECT_EQ(expected_rtt, manager_.GetRttStats()->latest_rtt());
 }
 
@@ -819,7 +872,8 @@ TEST_P(QuicSentPacketManagerTest, RttWithInfiniteDelta) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   EXPECT_EQ(expected_rtt, manager_.GetRttStats()->latest_rtt());
 }
 
@@ -835,7 +889,8 @@ TEST_P(QuicSentPacketManagerTest, RttZeroDelta) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   EXPECT_EQ(expected_rtt, manager_.GetRttStats()->latest_rtt());
 }
 
@@ -886,7 +941,8 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeTimeout) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   EXPECT_TRUE(manager_.HasInFlightPackets());
 
@@ -908,7 +964,8 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeTimeout) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_INITIAL));
 
   EXPECT_FALSE(manager_.HasPendingRetransmissions());
   EXPECT_FALSE(manager_.HasInFlightPackets());
@@ -1015,7 +1072,8 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeThenRTO) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(103), QuicPacketNumber(104));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   // All packets before 103 should be lost.
   if (manager_.session_decides_what_to_write()) {
     // Packet 104 is still in flight.
@@ -1101,7 +1159,8 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeout) {
   manager_.OnAckRange(QuicPacketNumber(8), QuicPacketNumber(10));
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   EXPECT_FALSE(manager_.HasUnackedCryptoPackets());
 }
@@ -1173,7 +1232,8 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeoutVersionNegotiation) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(8), QuicPacketNumber(10));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   if (manager_.session_decides_what_to_write()) {
     EXPECT_CALL(notifier_, HasUnackedCryptoData())
         .WillRepeatedly(Return(false));
@@ -1219,7 +1279,8 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeSpuriousRetransmission) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(3));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   EXPECT_FALSE(manager_.HasUnackedCryptoPackets());
   if (GetQuicReloadableFlag(quic_loss_removes_from_inflight)) {
@@ -1345,7 +1406,8 @@ TEST_P(QuicSentPacketManagerTest,
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   VerifyUnackedPackets(nullptr, 0);
   VerifyRetransmittablePackets(nullptr, 0);
 }
@@ -1408,7 +1470,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmissionTimeout) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(102), QuicPacketNumber(103));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 }
 
 TEST_P(QuicSentPacketManagerTest, RetransmissionTimeoutOnePacket) {
@@ -1517,7 +1580,8 @@ TEST_P(QuicSentPacketManagerTest, NewRetransmissionTimeout) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(102), QuicPacketNumber(103));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 }
 
 TEST_P(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckSecond) {
@@ -1562,7 +1626,8 @@ TEST_P(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckSecond) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(3));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   // The original packet and newest should be outstanding.
   EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
@@ -1610,7 +1675,8 @@ TEST_P(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckFirst) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   // The first two packets should still be outstanding.
   EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
@@ -1761,6 +1827,118 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeTailLossProbe) {
   EXPECT_EQ(expected_time, manager_.GetRetransmissionTime());
 }
 
+TEST_P(QuicSentPacketManagerTest, TLPRWithPendingStreamData) {
+  if (!manager_.session_decides_what_to_write()) {
+    return;
+  }
+
+  QuicConfig config;
+  QuicTagVector options;
+
+  options.push_back(kTLPR);
+  QuicConfigPeer::SetReceivedConnectionOptions(&config, options);
+  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
+  EXPECT_CALL(*send_algorithm_, PacingRate(_))
+      .WillRepeatedly(Return(QuicBandwidth::Zero()));
+  EXPECT_CALL(*send_algorithm_, GetCongestionWindow())
+      .WillOnce(Return(10 * kDefaultTCPMSS));
+  manager_.SetFromConfig(config);
+  EXPECT_TRUE(
+      QuicSentPacketManagerPeer::GetEnableHalfRttTailLossProbe(&manager_));
+
+  QuicSentPacketManagerPeer::SetMaxTailLossProbes(&manager_, 2);
+
+  SendDataPacket(1);
+  SendDataPacket(2);
+
+  // Test with a standard smoothed RTT.
+  RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
+  rtt_stats->set_initial_rtt(QuicTime::Delta::FromMilliseconds(100));
+  QuicTime::Delta srtt = rtt_stats->initial_rtt();
+  // With pending stream data, TLPR is used.
+  QuicTime::Delta expected_tlp_delay = 0.5 * srtt;
+  EXPECT_CALL(notifier_, HasUnackedStreamData()).WillRepeatedly(Return(true));
+
+  EXPECT_EQ(expected_tlp_delay,
+            manager_.GetRetransmissionTime() - clock_.Now());
+
+  // Retransmit the packet by invoking the retransmission timeout.
+  clock_.AdvanceTime(expected_tlp_delay);
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_FALSE(manager_.HasPendingRetransmissions());
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
+  EXPECT_TRUE(manager_.MaybeRetransmitTailLossProbe());
+
+  EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
+  EXPECT_EQ(QuicTime::Delta::Infinite(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_FALSE(manager_.HasPendingRetransmissions());
+
+  // 2nd TLP.
+  expected_tlp_delay = 2 * srtt;
+  EXPECT_EQ(expected_tlp_delay,
+            manager_.GetRetransmissionTime() - clock_.Now());
+}
+
+TEST_P(QuicSentPacketManagerTest, TLPRWithoutPendingStreamData) {
+  if (!manager_.session_decides_what_to_write()) {
+    return;
+  }
+
+  QuicConfig config;
+  QuicTagVector options;
+
+  options.push_back(kTLPR);
+  QuicConfigPeer::SetReceivedConnectionOptions(&config, options);
+  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
+  EXPECT_CALL(*send_algorithm_, PacingRate(_))
+      .WillRepeatedly(Return(QuicBandwidth::Zero()));
+  EXPECT_CALL(*send_algorithm_, GetCongestionWindow())
+      .WillOnce(Return(10 * kDefaultTCPMSS));
+  manager_.SetFromConfig(config);
+  EXPECT_TRUE(
+      QuicSentPacketManagerPeer::GetEnableHalfRttTailLossProbe(&manager_));
+  QuicSentPacketManagerPeer::SetMaxTailLossProbes(&manager_, 2);
+
+  SendPingPacket(1, ENCRYPTION_INITIAL);
+  SendPingPacket(2, ENCRYPTION_INITIAL);
+
+  // Test with a standard smoothed RTT.
+  RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
+  rtt_stats->set_initial_rtt(QuicTime::Delta::FromMilliseconds(100));
+  QuicTime::Delta srtt = rtt_stats->initial_rtt();
+  QuicTime::Delta expected_tlp_delay = 0.5 * srtt;
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    // With no pending stream data, TLPR is ignored.
+    expected_tlp_delay = 2 * srtt;
+  }
+  EXPECT_CALL(notifier_, HasUnackedStreamData()).WillRepeatedly(Return(false));
+  EXPECT_EQ(expected_tlp_delay,
+            manager_.GetRetransmissionTime() - clock_.Now());
+
+  // Retransmit the packet by invoking the retransmission timeout.
+  clock_.AdvanceTime(expected_tlp_delay);
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_FALSE(manager_.HasPendingRetransmissions());
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
+  EXPECT_TRUE(manager_.MaybeRetransmitTailLossProbe());
+  EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
+  EXPECT_EQ(QuicTime::Delta::Infinite(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_FALSE(manager_.HasPendingRetransmissions());
+
+  // 2nd TLP.
+  expected_tlp_delay = 2 * srtt;
+  EXPECT_EQ(expected_tlp_delay,
+            manager_.GetRetransmissionTime() - clock_.Now());
+}
+
 TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeSpuriousRTO) {
   RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
   rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
@@ -1810,7 +1988,8 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeSpuriousRTO) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(3));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   EXPECT_FALSE(manager_.HasPendingRetransmissions());
   EXPECT_EQ(5 * kDefaultLength, manager_.GetBytesInFlight());
 
@@ -1945,7 +2124,8 @@ TEST_P(QuicSentPacketManagerTest, GetLossDelay) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(3));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   QuicTime timeout(clock_.Now() + QuicTime::Delta::FromMilliseconds(10));
   EXPECT_CALL(*loss_algorithm, GetLossTimeout())
@@ -2057,26 +2237,6 @@ TEST_P(QuicSentPacketManagerTest, NegotiateClientCongestionControlFromOptions) {
                             ->GetCongestionControlType());
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateNumConnectionsFromOptions) {
-  QuicConfig config;
-  QuicTagVector options;
-
-  options.push_back(k1CON);
-  QuicConfigPeer::SetReceivedConnectionOptions(&config, options);
-  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
-  EXPECT_CALL(*send_algorithm_, SetNumEmulatedConnections(1));
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  manager_.SetFromConfig(config);
-
-  QuicSentPacketManagerPeer::SetPerspective(&manager_, Perspective::IS_CLIENT);
-  QuicConfig client_config;
-  client_config.SetConnectionOptionsToSend(options);
-  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
-  EXPECT_CALL(*send_algorithm_, SetNumEmulatedConnections(1));
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  manager_.SetFromConfig(client_config);
-}
-
 TEST_P(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtServer) {
   QuicConfig config;
   QuicTagVector options;
@@ -2450,7 +2610,8 @@ TEST_P(QuicSentPacketManagerTest, PathMtuIncreased) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 }
 
 TEST_P(QuicSentPacketManagerTest, OnAckRangeSlowPath) {
@@ -2472,7 +2633,8 @@ TEST_P(QuicSentPacketManagerTest, OnAckRangeSlowPath) {
   // Make sure empty range does not harm.
   manager_.OnAckRange(QuicPacketNumber(4), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   // Ack [4, 8), [9, 13), [14, 21).
   uint64_t acked2[] = {4, 7, 9, 12, 14, 17, 18, 19, 20};
@@ -2483,13 +2645,11 @@ TEST_P(QuicSentPacketManagerTest, OnAckRangeSlowPath) {
   manager_.OnAckRange(QuicPacketNumber(9), QuicPacketNumber(13));
   manager_.OnAckRange(QuicPacketNumber(4), QuicPacketNumber(8));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_INITIAL));
 }
 
 TEST_P(QuicSentPacketManagerTest, TolerateReneging) {
-  if (!manager_.tolerate_reneging()) {
-    return;
-  }
   // Send packets 1 - 20.
   for (size_t i = 1; i <= 20; ++i) {
     SendDataPacket(i);
@@ -2506,7 +2666,8 @@ TEST_P(QuicSentPacketManagerTest, TolerateReneging) {
   manager_.OnAckRange(QuicPacketNumber(10), QuicPacketNumber(12));
   manager_.OnAckRange(QuicPacketNumber(5), QuicPacketNumber(7));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   // Making sure reneged ACK does not harm. Ack [4, 8), [9, 13).
   uint64_t acked2[] = {4, 7, 9, 12};
@@ -2516,14 +2677,12 @@ TEST_P(QuicSentPacketManagerTest, TolerateReneging) {
   manager_.OnAckRange(QuicPacketNumber(9), QuicPacketNumber(13));
   manager_.OnAckRange(QuicPacketNumber(4), QuicPacketNumber(8));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_INITIAL));
   EXPECT_EQ(QuicPacketNumber(16), manager_.GetLargestObserved());
 }
 
 TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
-  if (!GetQuicReloadableFlag(quic_use_uber_loss_algorithm)) {
-    return;
-  }
   manager_.EnableMultiplePacketNumberSpacesSupport();
   EXPECT_FALSE(
       manager_.GetLargestSentPacket(ENCRYPTION_INITIAL).IsInitialized());
@@ -2541,7 +2700,8 @@ TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
   EXPECT_EQ(QuicPacketNumber(1),
             manager_.GetLargestAckedPacket(ENCRYPTION_INITIAL));
   EXPECT_FALSE(
@@ -2561,7 +2721,8 @@ TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(3));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_HANDSHAKE));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_HANDSHAKE));
   EXPECT_EQ(QuicPacketNumber(2),
             manager_.GetLargestAckedPacket(ENCRYPTION_HANDSHAKE));
   EXPECT_FALSE(
@@ -2572,7 +2733,8 @@ TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_HANDSHAKE));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(3),
+                                   ENCRYPTION_HANDSHAKE));
   EXPECT_EQ(QuicPacketNumber(3),
             manager_.GetLargestAckedPacket(ENCRYPTION_HANDSHAKE));
   EXPECT_FALSE(
@@ -2594,7 +2756,8 @@ TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(5), QuicPacketNumber(6));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_FORWARD_SECURE));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(4),
+                                   ENCRYPTION_FORWARD_SECURE));
   EXPECT_EQ(QuicPacketNumber(3),
             manager_.GetLargestAckedPacket(ENCRYPTION_HANDSHAKE));
   EXPECT_EQ(QuicPacketNumber(5),
@@ -2621,7 +2784,8 @@ TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(4), QuicPacketNumber(9));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_FORWARD_SECURE));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(5),
+                                   ENCRYPTION_FORWARD_SECURE));
   EXPECT_EQ(QuicPacketNumber(3),
             manager_.GetLargestAckedPacket(ENCRYPTION_HANDSHAKE));
   EXPECT_EQ(QuicPacketNumber(8),
@@ -2631,9 +2795,6 @@ TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
 }
 
 TEST_P(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace) {
-  if (!GetQuicReloadableFlag(quic_use_uber_loss_algorithm)) {
-    return;
-  }
   manager_.EnableMultiplePacketNumberSpacesSupport();
   // Send packet 1.
   SendDataPacket(1, ENCRYPTION_INITIAL);
@@ -2646,13 +2807,11 @@ TEST_P(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_ACKED_IN_WRONG_PACKET_NUMBER_SPACE,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 }
 
 TEST_P(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace2) {
-  if (!GetQuicReloadableFlag(quic_use_uber_loss_algorithm)) {
-    return;
-  }
   manager_.EnableMultiplePacketNumberSpacesSupport();
   // Send packet 1.
   SendDataPacket(1, ENCRYPTION_INITIAL);
@@ -2665,14 +2824,12 @@ TEST_P(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace2) {
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_ACKED_IN_WRONG_PACKET_NUMBER_SPACE,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_HANDSHAKE));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_HANDSHAKE));
 }
 
 TEST_P(QuicSentPacketManagerTest,
        ToleratePacketsGetAckedInWrongPacketNumberSpace) {
-  if (!GetQuicReloadableFlag(quic_use_uber_loss_algorithm)) {
-    return;
-  }
   manager_.EnableMultiplePacketNumberSpacesSupport();
   // Send packet 1.
   SendDataPacket(1, ENCRYPTION_INITIAL);
@@ -2682,7 +2839,8 @@ TEST_P(QuicSentPacketManagerTest,
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_INITIAL));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
 
   // Send packets 2 and 3.
   SendDataPacket(2, ENCRYPTION_HANDSHAKE);
@@ -2696,7 +2854,100 @@ TEST_P(QuicSentPacketManagerTest,
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(4));
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
-            manager_.OnAckFrameEnd(clock_.Now(), ENCRYPTION_HANDSHAKE));
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_HANDSHAKE));
+}
+
+// Regression test for b/133771183.
+TEST_P(QuicSentPacketManagerTest, PacketInLimbo) {
+  if (!manager_.session_decides_what_to_write()) {
+    return;
+  }
+  QuicSentPacketManagerPeer::SetMaxTailLossProbes(&manager_, 2);
+  // Send SHLO.
+  SendCryptoPacket(1);
+  // Send data packet.
+  SendDataPacket(2, ENCRYPTION_FORWARD_SECURE);
+  // Send Ack Packet.
+  SendAckPacket(3, 1, ENCRYPTION_FORWARD_SECURE);
+  // Retransmit SHLO.
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(4); }));
+  manager_.OnRetransmissionTimeout();
+
+  // Successfully decrypt a forward secure packet.
+  manager_.SetHandshakeConfirmed();
+  EXPECT_CALL(notifier_, HasUnackedCryptoData()).WillRepeatedly(Return(false));
+  // Send Ack packet.
+  SendAckPacket(5, 2, ENCRYPTION_FORWARD_SECURE);
+
+  // Retransmission alarm fires.
+  manager_.OnRetransmissionTimeout();
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(6, type, ENCRYPTION_FORWARD_SECURE);
+      })));
+  manager_.MaybeRetransmitTailLossProbe();
+
+  // Received Ack of packets 1, 3 and 4.
+  uint64_t acked[] = {1, 3, 4};
+  ExpectAcksAndLosses(true, acked, QUIC_ARRAYSIZE(acked), nullptr, 0);
+  manager_.OnAckFrameStart(QuicPacketNumber(4), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(5));
+  manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
+
+  uint64_t acked2[] = {5, 6};
+  uint64_t loss[] = {2};
+  if (GetQuicReloadableFlag(quic_fix_packets_acked)) {
+    // Verify packet 2 is detected lost.
+    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(1);
+    ExpectAcksAndLosses(true, acked2, QUIC_ARRAYSIZE(acked2), loss,
+                        QUIC_ARRAYSIZE(loss));
+  } else {
+    // Packet 2 in limbo, bummer.
+    ExpectAcksAndLosses(true, acked2, QUIC_ARRAYSIZE(acked2), nullptr, 0);
+  }
+  manager_.OnAckFrameStart(QuicPacketNumber(6), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(7));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_INITIAL));
+}
+
+TEST_P(QuicSentPacketManagerTest, RtoFiresNoPacketToRetransmit) {
+  if (!manager_.session_decides_what_to_write()) {
+    return;
+  }
+  // Send 10 packets.
+  for (size_t i = 1; i <= 10; ++i) {
+    SendDataPacket(i);
+  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(11, type); })))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(12, type); })));
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(1u, stats_.rto_count);
+  EXPECT_EQ(0u, manager_.pending_timer_transmission_count());
+
+  // RTO fires again, but there is no packet to be RTO retransmitted.
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _)).Times(0);
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(2u, stats_.rto_count);
+  if (GetQuicReloadableFlag(quic_fix_rto_retransmission)) {
+    // Verify a credit is raised up.
+    EXPECT_EQ(1u, manager_.pending_timer_transmission_count());
+  } else {
+    EXPECT_EQ(0u, manager_.pending_timer_transmission_count());
+  }
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_session.cc b/chromium/net/third_party/quiche/src/quic/core/quic_session.cc
index 89e08efb3ad..221d75eb000 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_session.cc
@@ -10,7 +10,9 @@
 
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_flow_controller.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
+#include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
@@ -80,17 +82,13 @@ QuicSession::QuicSession(QuicConnection* connection,
           perspective() == Perspective::IS_SERVER,
           nullptr),
       currently_writing_stream_id_(0),
-      largest_static_stream_id_(0),
       is_handshake_confirmed_(false),
       goaway_sent_(false),
       goaway_received_(false),
       control_frame_manager_(this),
       last_message_id_(0),
       closed_streams_clean_up_alarm_(nullptr),
-      supported_versions_(supported_versions),
-      eliminate_static_stream_map_(
-          GetQuicReloadableFlag(quic_eliminate_static_stream_map_3) ||
-          QuicVersionUsesCryptoFrames(connection->transport_version())) {
+      supported_versions_(supported_versions) {
   closed_streams_clean_up_alarm_ =
       QuicWrapUnique<QuicAlarm>(connection_->alarm_factory()->CreateAlarm(
           new ClosedStreamsCleanUpDelegate(this)));
@@ -108,18 +106,11 @@ void QuicSession::Initialize() {
 
   DCHECK_EQ(QuicUtils::GetCryptoStreamId(connection_->transport_version()),
             GetMutableCryptoStream()->id());
-  if (!eliminate_static_stream_map_) {
-    RegisterStaticStream(
-        QuicUtils::GetCryptoStreamId(connection_->transport_version()),
-        GetMutableCryptoStream());
-  } else {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 10, 17);
-    QuicStreamId id =
-        QuicUtils::GetCryptoStreamId(connection_->transport_version());
-    largest_static_stream_id_ = std::max(id, largest_static_stream_id_);
-    if (connection_->transport_version() == QUIC_VERSION_99) {
-      v99_streamid_manager_.RegisterStaticStream(id);
-    }
+
+  QuicStreamId id =
+      QuicUtils::GetCryptoStreamId(connection_->transport_version());
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
+    v99_streamid_manager_.RegisterStaticStream(id, false);
   }
 }
 
@@ -127,27 +118,14 @@ QuicSession::~QuicSession() {
   QUIC_LOG_IF(WARNING, !zombie_streams_.empty()) << "Still have zombie streams";
 }
 
-void QuicSession::RegisterStaticStream(QuicStreamId id, QuicStream* stream) {
-  static_stream_map_[id] = stream;
-
-  QUIC_BUG_IF(id >
-              largest_static_stream_id_ +
-                  QuicUtils::StreamIdDelta(connection_->transport_version()))
-      << ENDPOINT << "Static stream registered out of order: " << id
-      << " vs: " << largest_static_stream_id_;
-  largest_static_stream_id_ = std::max(id, largest_static_stream_id_);
-
-  if (connection_->transport_version() == QUIC_VERSION_99) {
-    v99_streamid_manager_.RegisterStaticStream(id);
-  }
-}
-
-void QuicSession::RegisterStaticStreamNew(std::unique_ptr<QuicStream> stream) {
-  DCHECK(eliminate_static_stream_map_);
+void QuicSession::RegisterStaticStream(std::unique_ptr<QuicStream> stream,
+                                       bool stream_already_counted) {
+  DCHECK(stream->is_static());
   QuicStreamId stream_id = stream->id();
-  dynamic_stream_map_[stream_id] = std::move(stream);
-  if (connection_->transport_version() == QUIC_VERSION_99) {
-    v99_streamid_manager_.RegisterStaticStream(stream_id);
+  stream_map_[stream_id] = std::move(stream);
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
+    v99_streamid_manager_.RegisterStaticStream(stream_id,
+                                               stream_already_counted);
   }
   if (IsIncomingStream(stream_id)) {
     ++num_incoming_static_streams_;
@@ -171,6 +149,9 @@ void QuicSession::PendingStreamOnStreamFrame(const QuicStreamFrame& frame) {
   }
 
   pending->OnStreamFrame(frame);
+  if (!connection()->connected()) {
+    return;
+  }
   if (ProcessPendingStream(pending)) {
     // The pending stream should now be in the scope of normal streams.
     DCHECK(IsClosedStream(stream_id) || IsOpenStream(stream_id))
@@ -190,19 +171,11 @@ void QuicSession::OnStreamFrame(const QuicStreamFrame& frame) {
     return;
   }
 
-  if (frame.fin && QuicContainsKey(static_stream_map_, stream_id)) {
-    connection()->CloseConnection(
-        QUIC_INVALID_STREAM_ID, "Attempt to close a static stream",
-        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return;
-  }
-
-  if (VersionHasStreamType(connection()->transport_version()) &&
-      UsesPendingStreams() &&
+  if (UsesPendingStreams() &&
       QuicUtils::GetStreamType(stream_id, perspective(),
                                IsIncomingStream(stream_id)) ==
           READ_UNIDIRECTIONAL &&
-      dynamic_stream_map_.find(stream_id) == dynamic_stream_map_.end()) {
+      stream_map_.find(stream_id) == stream_map_.end()) {
     PendingStreamOnStreamFrame(frame);
     return;
   }
@@ -219,8 +192,7 @@ void QuicSession::OnStreamFrame(const QuicStreamFrame& frame) {
     }
     return;
   }
-  if (eliminate_static_stream_map_ && frame.fin && stream->is_static()) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 1, 17);
+  if (frame.fin && stream->is_static()) {
     connection()->CloseConnection(
         QUIC_INVALID_STREAM_ID, "Attempt to close a static stream",
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
@@ -238,7 +210,7 @@ bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
   // could not call OnStopSending... This is just a check that is good when
   // both a new protocol and a new implementation of that protocol are both
   // being developed.
-  DCHECK_EQ(QUIC_VERSION_99, connection_->transport_version());
+  DCHECK(VersionHasIetfQuicFrames(connection_->transport_version()));
 
   QuicStreamId stream_id = frame.stream_id;
   // If Stream ID is invalid then close the connection.
@@ -257,8 +229,7 @@ bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
   // TODO(fkastenholz): IETF Quic does not have static streams and does not
   // make exceptions for them with respect to processing things like
   // STOP_SENDING.
-  if (QuicContainsKey(static_stream_map_, stream_id) ||
-      QuicUtils::IsCryptoStreamId(connection_->transport_version(),
+  if (QuicUtils::IsCryptoStreamId(connection_->transport_version(),
                                   stream_id)) {
     QUIC_DVLOG(1) << ENDPOINT
                   << "Received STOP_SENDING for a static stream, id: "
@@ -282,8 +253,8 @@ bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
     return true;  // Continue processing the packet.
   }
   // If stream is non-existent, close the connection
-  DynamicStreamMap::iterator it = dynamic_stream_map_.find(stream_id);
-  if (it == dynamic_stream_map_.end()) {
+  StreamMap::iterator it = stream_map_.find(stream_id);
+  if (it == stream_map_.end()) {
     QUIC_DVLOG(1) << ENDPOINT
                   << "Received STOP_SENDING for non-existent stream, id: "
                   << stream_id << " Closing connection";
@@ -307,8 +278,7 @@ bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
     return true;
   }
 
-  if (eliminate_static_stream_map_ && stream->is_static()) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 2, 17);
+  if (stream->is_static()) {
     QUIC_DVLOG(1) << ENDPOINT
                   << "Received STOP_SENDING for a static stream, id: "
                   << stream_id << " Closing connection";
@@ -356,23 +326,15 @@ void QuicSession::OnRstStream(const QuicRstStreamFrame& frame) {
     return;
   }
 
-  if (QuicContainsKey(static_stream_map_, stream_id)) {
-    connection()->CloseConnection(
-        QUIC_INVALID_STREAM_ID, "Attempt to reset a static stream",
-        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return;
-  }
-
   if (visitor_) {
     visitor_->OnRstStreamReceived(frame);
   }
 
-  if (VersionHasStreamType(connection()->transport_version()) &&
-      UsesPendingStreams() &&
+  if (UsesPendingStreams() &&
       QuicUtils::GetStreamType(stream_id, perspective(),
                                IsIncomingStream(stream_id)) ==
           READ_UNIDIRECTIONAL &&
-      dynamic_stream_map_.find(stream_id) == dynamic_stream_map_.end()) {
+      stream_map_.find(stream_id) == stream_map_.end()) {
     PendingStreamOnRstStream(frame);
     return;
   }
@@ -383,8 +345,7 @@ void QuicSession::OnRstStream(const QuicRstStreamFrame& frame) {
     HandleRstOnValidNonexistentStream(frame);
     return;  // Errors are handled by GetOrCreateStream.
   }
-  if (eliminate_static_stream_map_ && stream->is_static()) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 3, 17);
+  if (stream->is_static()) {
     connection()->CloseConnection(
         QUIC_INVALID_STREAM_ID, "Attempt to reset a static stream",
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
@@ -393,7 +354,7 @@ void QuicSession::OnRstStream(const QuicRstStreamFrame& frame) {
   stream->OnStreamReset(frame);
 }
 
-void QuicSession::OnGoAway(const QuicGoAwayFrame& frame) {
+void QuicSession::OnGoAway(const QuicGoAwayFrame& /*frame*/) {
   goaway_received_ = true;
 }
 
@@ -418,47 +379,31 @@ void QuicSession::RecordConnectionCloseAtServer(QuicErrorCode error,
   }
 }
 
-void QuicSession::OnConnectionClosed(QuicErrorCode error,
-                                     const std::string& error_details,
+void QuicSession::OnConnectionClosed(const QuicConnectionCloseFrame& frame,
                                      ConnectionCloseSource source) {
   DCHECK(!connection_->connected());
   if (perspective() == Perspective::IS_SERVER) {
-    RecordConnectionCloseAtServer(error, source);
+    RecordConnectionCloseAtServer(frame.quic_error_code, source);
   }
 
   if (error_ == QUIC_NO_ERROR) {
-    error_ = error;
-  }
-
-  if (!eliminate_static_stream_map_) {
-    while (!dynamic_stream_map_.empty()) {
-      DynamicStreamMap::iterator it = dynamic_stream_map_.begin();
-      QuicStreamId id = it->first;
-      it->second->OnConnectionClosed(error, source);
-      // The stream should call CloseStream as part of OnConnectionClosed.
-      if (dynamic_stream_map_.find(id) != dynamic_stream_map_.end()) {
-        QUIC_BUG << ENDPOINT << "Stream " << id
-                 << " failed to close under OnConnectionClosed";
-        CloseStream(id);
-      }
-    }
-  } else {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 4, 17);
-    // Copy all non static streams in a new map for the ease of deleting.
-    QuicSmallMap<QuicStreamId, QuicStream*, 10> non_static_streams;
-    for (const auto& it : dynamic_stream_map_) {
-      if (!it.second->is_static()) {
-        non_static_streams[it.first] = it.second.get();
-      }
+    error_ = frame.quic_error_code;
+  }
+
+  // Copy all non static streams in a new map for the ease of deleting.
+  QuicSmallMap<QuicStreamId, QuicStream*, 10> non_static_streams;
+  for (const auto& it : stream_map_) {
+    if (!it.second->is_static()) {
+      non_static_streams[it.first] = it.second.get();
     }
-    for (const auto& it : non_static_streams) {
-      QuicStreamId id = it.first;
-      it.second->OnConnectionClosed(error, source);
-      if (dynamic_stream_map_.find(id) != dynamic_stream_map_.end()) {
-        QUIC_BUG << ENDPOINT << "Stream " << id
-                 << " failed to close under OnConnectionClosed";
-        CloseStream(id);
-      }
+  }
+  for (const auto& it : non_static_streams) {
+    QuicStreamId id = it.first;
+    it.second->OnConnectionClosed(frame.quic_error_code, source);
+    if (stream_map_.find(id) != stream_map_.end()) {
+      QUIC_BUG << ENDPOINT << "Stream " << id
+               << " failed to close under OnConnectionClosed";
+      CloseStream(id);
     }
   }
 
@@ -472,8 +417,9 @@ void QuicSession::OnConnectionClosed(QuicErrorCode error,
   closed_streams_clean_up_alarm_->Cancel();
 
   if (visitor_) {
-    visitor_->OnConnectionClosed(connection_->connection_id(), error,
-                                 error_details, source);
+    visitor_->OnConnectionClosed(connection_->connection_id(),
+                                 frame.quic_error_code, frame.error_details,
+                                 source);
   }
 }
 
@@ -492,7 +438,7 @@ void QuicSession::OnSuccessfulVersionNegotiation(
 }
 
 void QuicSession::OnConnectivityProbeReceived(
-    const QuicSocketAddress& self_address,
+    const QuicSocketAddress& /*self_address*/,
     const QuicSocketAddress& peer_address) {
   if (perspective() == Perspective::IS_SERVER) {
     // Server only sends back a connectivity probe after received a
@@ -524,6 +470,18 @@ void QuicSession::OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) {
     flow_controller_.UpdateSendWindowOffset(frame.byte_offset);
     return;
   }
+
+  if (VersionHasIetfQuicFrames(connection_->transport_version()) &&
+      QuicUtils::GetStreamType(stream_id, perspective(),
+                               IsIncomingStream(stream_id)) ==
+          READ_UNIDIRECTIONAL) {
+    connection()->CloseConnection(
+        QUIC_WINDOW_UPDATE_RECEIVED_ON_READ_UNIDIRECTIONAL_STREAM,
+        "WindowUpdateFrame received on READ_UNIDIRECTIONAL stream.",
+        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+    return;
+  }
+
   QuicStream* stream = GetOrCreateStream(stream_id);
   if (stream != nullptr) {
     stream->OnWindowUpdateFrame(frame);
@@ -607,8 +565,7 @@ void QuicSession::OnCanWrite() {
     return;
   }
 
-  QuicConnection::ScopedPacketFlusher flusher(
-      connection_, QuicConnection::SEND_ACK_IF_QUEUED);
+  QuicConnection::ScopedPacketFlusher flusher(connection_);
   if (control_frame_manager_.WillingToWrite()) {
     control_frame_manager_.OnCanWrite();
   }
@@ -679,7 +636,7 @@ bool QuicSession::HasPendingHandshake() const {
 }
 
 uint64_t QuicSession::GetNumOpenDynamicStreams() const {
-  return dynamic_stream_map_.size() - draining_streams_.size() +
+  return stream_map_.size() - draining_streams_.size() +
          locally_closed_streams_highest_offset_.size() -
          num_incoming_static_streams_ - num_outgoing_static_streams_;
 }
@@ -742,16 +699,15 @@ void QuicSession::SendRstStreamInner(QuicStreamId id,
   if (connection()->connected()) {
     // Only send if still connected.
     if (close_write_side_only) {
-      DCHECK_EQ(QUIC_VERSION_99, connection_->transport_version());
+      DCHECK(VersionHasIetfQuicFrames(connection_->transport_version()));
       // Send a RST_STREAM frame.
       control_frame_manager_.WriteOrBufferRstStream(id, error, bytes_written);
     } else {
       // Send a RST_STREAM frame plus, if version 99, an IETF
       // QUIC STOP_SENDING frame. Both sre sent to emulate
       // the two-way close that Google QUIC's RST_STREAM does.
-      if (connection_->transport_version() == QUIC_VERSION_99) {
-        QuicConnection::ScopedPacketFlusher flusher(
-            connection(), QuicConnection::SEND_ACK_IF_QUEUED);
+      if (VersionHasIetfQuicFrames(connection_->transport_version())) {
+        QuicConnection::ScopedPacketFlusher flusher(connection());
         control_frame_manager_.WriteOrBufferRstStream(id, error, bytes_written);
         control_frame_manager_.WriteOrBufferStopSending(error, id);
       } else {
@@ -769,12 +725,11 @@ void QuicSession::SendRstStreamInner(QuicStreamId id,
     CloseStreamInner(id, true);
     return;
   }
-  DCHECK_EQ(QUIC_VERSION_99, connection_->transport_version());
+  DCHECK(VersionHasIetfQuicFrames(connection_->transport_version()));
 
-  DynamicStreamMap::iterator it = dynamic_stream_map_.find(id);
-  if (it != dynamic_stream_map_.end()) {
-    if (eliminate_static_stream_map_ && it->second->is_static()) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 5, 17);
+  StreamMap::iterator it = stream_map_.find(id);
+  if (it != stream_map_.end()) {
+    if (it->second->is_static()) {
       QUIC_DVLOG(1) << ENDPOINT
                     << "Try to send rst for a static stream, id: " << id
                     << " Closing connection";
@@ -794,7 +749,7 @@ void QuicSession::SendRstStreamInner(QuicStreamId id,
 void QuicSession::SendGoAway(QuicErrorCode error_code,
                              const std::string& reason) {
   // GOAWAY frame is not supported in v99.
-  DCHECK_NE(QUIC_VERSION_99, connection_->transport_version());
+  DCHECK(!VersionHasIetfQuicFrames(connection_->transport_version()));
   if (goaway_sent_) {
     return;
   }
@@ -839,8 +794,8 @@ void QuicSession::InsertLocallyClosedStreamsHighestOffset(
 void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
   QUIC_DVLOG(1) << ENDPOINT << "Closing stream " << stream_id;
 
-  DynamicStreamMap::iterator it = dynamic_stream_map_.find(stream_id);
-  if (it == dynamic_stream_map_.end()) {
+  StreamMap::iterator it = stream_map_.find(stream_id);
+  if (it == stream_map_.end()) {
     // When CloseStreamInner has been called recursively (via
     // QuicStream::OnClose), the stream will already have been deleted
     // from stream_map_, so return immediately.
@@ -848,8 +803,7 @@ void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
     return;
   }
   QuicStream* stream = it->second.get();
-  if (eliminate_static_stream_map_ && stream->is_static()) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 6, 17);
+  if (stream->is_static()) {
     QUIC_DVLOG(1) << ENDPOINT
                   << "Try to close a static stream, id: " << stream_id
                   << " Closing connection";
@@ -858,6 +812,7 @@ void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
     return;
   }
+  StreamType type = stream->type();
 
   // Tell the stream that a RST has been sent.
   if (locally_reset) {
@@ -867,6 +822,13 @@ void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
   if (stream->IsWaitingForAcks()) {
     zombie_streams_[stream->id()] = std::move(it->second);
   } else {
+    // Clean up the stream since it is no longer waiting for acks.
+    if (ignore_tlpr_if_no_pending_stream_data() &&
+        session_decides_what_to_write()) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_tlpr_if_no_pending_stream_data,
+                                   2, 5);
+      streams_waiting_for_acks_.erase(stream->id());
+    }
     closed_streams_.push_back(std::move(it->second));
     // Do not retransmit data of a closed stream.
     streams_with_pending_retransmission_.erase(stream_id);
@@ -884,7 +846,7 @@ void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
     InsertLocallyClosedStreamsHighestOffset(
         stream_id, stream->flow_controller()->highest_received_byte_offset());
   }
-  dynamic_stream_map_.erase(it);
+  stream_map_.erase(it);
   if (IsIncomingStream(stream_id)) {
     --num_dynamic_incoming_streams_;
   }
@@ -896,7 +858,7 @@ void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
       --num_draining_incoming_streams_;
     }
     draining_streams_.erase(stream_id);
-  } else if (connection_->transport_version() == QUIC_VERSION_99) {
+  } else if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     // Stream was not draining, but we did have a fin or rst, so we can now
     // free the stream ID if version 99.
     if (had_fin_or_rst) {
@@ -907,10 +869,10 @@ void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
   stream->OnClose();
 
   if (!stream_was_draining && !IsIncomingStream(stream_id) && had_fin_or_rst &&
-      connection_->transport_version() != QUIC_VERSION_99) {
+      !VersionHasIetfQuicFrames(connection_->transport_version())) {
     // Streams that first became draining already called OnCanCreate...
     // This covers the case where the stream went directly to being closed.
-    OnCanCreateNewOutgoingStream();
+    OnCanCreateNewOutgoingStream(type != BIDIRECTIONAL);
   }
 }
 
@@ -930,13 +892,9 @@ void QuicSession::ClosePendingStream(QuicStreamId stream_id) {
     pending_stream_map_.erase(stream_id);
   }
 
-  --num_dynamic_incoming_streams_;
-
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     v99_streamid_manager_.OnStreamClosed(stream_id);
   }
-
-  OnCanCreateNewOutgoingStream();
 }
 
 void QuicSession::OnFinalByteOffsetReceived(
@@ -966,11 +924,11 @@ void QuicSession::OnFinalByteOffsetReceived(
   locally_closed_streams_highest_offset_.erase(it);
   if (IsIncomingStream(stream_id)) {
     --num_locally_closed_incoming_streams_highest_offset_;
-    if (connection_->transport_version() == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(connection_->transport_version())) {
       v99_streamid_manager_.OnStreamClosed(stream_id);
     }
-  } else if (connection_->transport_version() != QUIC_VERSION_99) {
-    OnCanCreateNewOutgoingStream();
+  } else if (!VersionHasIetfQuicFrames(connection_->transport_version())) {
+    OnCanCreateNewOutgoingStream(false);
   }
 }
 
@@ -989,7 +947,7 @@ bool QuicSession::IsCryptoHandshakeConfirmed() const {
 void QuicSession::OnConfigNegotiated() {
   connection_->SetFromConfig(config_);
 
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     uint32_t max_streams = 0;
     if (config_.HasReceivedMaxIncomingBidirectionalStreams()) {
       max_streams = config_.ReceivedMaxIncomingBidirectionalStreams();
@@ -1040,7 +998,7 @@ void QuicSession::OnConfigNegotiated() {
     config_.SetStatelessResetTokenToSend(GetStatelessResetToken());
   }
 
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     v99_streamid_manager_.SetMaxOpenIncomingBidirectionalStreams(
         config_.GetMaxIncomingBidirectionalStreamsToSend());
     v99_streamid_manager_.SetMaxOpenIncomingUnidirectionalStreams(
@@ -1089,15 +1047,10 @@ void QuicSession::AdjustInitialFlowControlWindows(size_t stream_window) {
   config_.SetInitialSessionFlowControlWindowToSend(session_window);
   flow_controller_.UpdateReceiveWindowSize(session_window);
   // Inform all existing streams about the new window.
-  for (auto const& kv : static_stream_map_) {
+  for (auto const& kv : stream_map_) {
     kv.second->flow_controller()->UpdateReceiveWindowSize(stream_window);
   }
-  for (auto const& kv : dynamic_stream_map_) {
-    kv.second->flow_controller()->UpdateReceiveWindowSize(stream_window);
-  }
-  if (eliminate_static_stream_map_ &&
-      !QuicVersionUsesCryptoFrames(connection_->transport_version())) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 11, 17);
+  if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
     GetMutableCryptoStream()->flow_controller()->UpdateReceiveWindowSize(
         stream_window);
   }
@@ -1116,7 +1069,7 @@ void QuicSession::HandleFrameOnNonexistentOutgoingStream(
 void QuicSession::HandleRstOnValidNonexistentStream(
     const QuicRstStreamFrame& frame) {
   // If the stream is neither originally in active streams nor created in
-  // GetOrCreateDynamicStream(), it could be a closed stream in which case its
+  // GetOrCreateStream(), it could be a closed stream in which case its
   // final received byte offset need to be updated.
   if (IsClosedStream(frame.stream_id)) {
     // The RST frame contains the final byte offset for the stream: we can now
@@ -1140,15 +1093,10 @@ void QuicSession::OnNewStreamFlowControlWindow(QuicStreamOffset new_window) {
   }
 
   // Inform all existing streams about the new window.
-  for (auto const& kv : static_stream_map_) {
-    kv.second->UpdateSendWindowOffset(new_window);
-  }
-  for (auto const& kv : dynamic_stream_map_) {
+  for (auto const& kv : stream_map_) {
     kv.second->UpdateSendWindowOffset(new_window);
   }
-  if (eliminate_static_stream_map_ &&
-      !QuicVersionUsesCryptoFrames(connection_->transport_version())) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 12, 17);
+  if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
     GetMutableCryptoStream()->UpdateSendWindowOffset(new_window);
   }
 }
@@ -1229,32 +1177,31 @@ QuicConfig* QuicSession::config() {
 void QuicSession::ActivateStream(std::unique_ptr<QuicStream> stream) {
   DCHECK(!stream->is_static());
   QuicStreamId stream_id = stream->id();
-  QUIC_DVLOG(1) << ENDPOINT << "num_streams: " << dynamic_stream_map_.size()
+  QUIC_DVLOG(1) << ENDPOINT << "num_streams: " << stream_map_.size()
                 << ". activating " << stream_id;
-  DCHECK(!QuicContainsKey(dynamic_stream_map_, stream_id));
-  DCHECK(!QuicContainsKey(static_stream_map_, stream_id));
-  dynamic_stream_map_[stream_id] = std::move(stream);
+  DCHECK(!QuicContainsKey(stream_map_, stream_id));
+  stream_map_[stream_id] = std::move(stream);
   if (IsIncomingStream(stream_id)) {
     ++num_dynamic_incoming_streams_;
   }
 }
 
 QuicStreamId QuicSession::GetNextOutgoingBidirectionalStreamId() {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.GetNextOutgoingBidirectionalStreamId();
   }
   return stream_id_manager_.GetNextOutgoingStreamId();
 }
 
 QuicStreamId QuicSession::GetNextOutgoingUnidirectionalStreamId() {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.GetNextOutgoingUnidirectionalStreamId();
   }
   return stream_id_manager_.GetNextOutgoingStreamId();
 }
 
 bool QuicSession::CanOpenNextOutgoingBidirectionalStream() {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.CanOpenNextOutgoingBidirectionalStream();
   }
   return stream_id_manager_.CanOpenNextOutgoingStream(
@@ -1262,7 +1209,7 @@ bool QuicSession::CanOpenNextOutgoingBidirectionalStream() {
 }
 
 bool QuicSession::CanOpenNextOutgoingUnidirectionalStream() {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.CanOpenNextOutgoingUnidirectionalStream();
   }
   return stream_id_manager_.CanOpenNextOutgoingStream(
@@ -1270,39 +1217,79 @@ bool QuicSession::CanOpenNextOutgoingUnidirectionalStream() {
 }
 
 QuicStream* QuicSession::GetOrCreateStream(const QuicStreamId stream_id) {
-  if (eliminate_static_stream_map_ &&
-      QuicUtils::IsCryptoStreamId(connection_->transport_version(),
+  DCHECK(!QuicContainsKey(pending_stream_map_, stream_id));
+  if (QuicUtils::IsCryptoStreamId(connection_->transport_version(),
                                   stream_id)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 13, 17);
     return GetMutableCryptoStream();
   }
-  StaticStreamMap::iterator it = static_stream_map_.find(stream_id);
-  if (it != static_stream_map_.end()) {
-    return it->second;
+
+  StreamMap::iterator it = stream_map_.find(stream_id);
+  if (it != stream_map_.end()) {
+    return it->second.get();
   }
-  return GetOrCreateDynamicStream(stream_id);
+
+  if (IsClosedStream(stream_id)) {
+    return nullptr;
+  }
+
+  if (!IsIncomingStream(stream_id)) {
+    HandleFrameOnNonexistentOutgoingStream(stream_id);
+    return nullptr;
+  }
+
+  // TODO(fkastenholz): If we are creating a new stream and we have
+  // sent a goaway, we should ignore the stream creation. Need to
+  // add code to A) test if goaway was sent ("if (goaway_sent_)") and
+  // B) reject stream creation ("return nullptr")
+
+  if (!MaybeIncreaseLargestPeerStreamId(stream_id)) {
+    return nullptr;
+  }
+
+  if (!VersionHasIetfQuicFrames(connection_->transport_version())) {
+    // TODO(fayang): Let LegacyQuicStreamIdManager count open streams and make
+    // CanOpenIncomingStream interface consistent with that of v99.
+    if (!stream_id_manager_.CanOpenIncomingStream(
+            GetNumOpenIncomingStreams())) {
+      // Refuse to open the stream.
+      SendRstStream(stream_id, QUIC_REFUSED_STREAM, 0);
+      return nullptr;
+    }
+  }
+
+  return CreateIncomingStream(stream_id);
 }
 
 void QuicSession::StreamDraining(QuicStreamId stream_id) {
-  DCHECK(QuicContainsKey(dynamic_stream_map_, stream_id));
+  DCHECK(QuicContainsKey(stream_map_, stream_id));
   if (!QuicContainsKey(draining_streams_, stream_id)) {
     draining_streams_.insert(stream_id);
     if (IsIncomingStream(stream_id)) {
       ++num_draining_incoming_streams_;
     }
-    if (connection_->transport_version() == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(connection_->transport_version())) {
       v99_streamid_manager_.OnStreamClosed(stream_id);
     }
   }
   if (!IsIncomingStream(stream_id)) {
     // Inform application that a stream is available.
-    OnCanCreateNewOutgoingStream();
+    if (VersionHasIetfQuicFrames(connection_->transport_version())) {
+      OnCanCreateNewOutgoingStream(
+          !QuicUtils::IsBidirectionalStreamId(stream_id));
+    } else {
+      QuicStream* stream = GetStream(stream_id);
+      if (!stream) {
+        QUIC_BUG << "Stream doesn't exist when draining.";
+        return;
+      }
+      OnCanCreateNewOutgoingStream(stream->type() != BIDIRECTIONAL);
+    }
   }
 }
 
 bool QuicSession::MaybeIncreaseLargestPeerStreamId(
     const QuicStreamId stream_id) {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.MaybeIncreaseLargestPeerStreamId(stream_id);
   }
   return stream_id_manager_.MaybeIncreaseLargestPeerStreamId(stream_id);
@@ -1334,11 +1321,9 @@ PendingStream* QuicSession::GetOrCreatePendingStream(QuicStreamId stream_id) {
 
 QuicStream* QuicSession::GetOrCreateDynamicStream(
     const QuicStreamId stream_id) {
-  DCHECK(!QuicContainsKey(static_stream_map_, stream_id))
-      << "Attempt to call GetOrCreateDynamicStream for a static stream";
-
-  DynamicStreamMap::iterator it = dynamic_stream_map_.find(stream_id);
-  if (it != dynamic_stream_map_.end()) {
+  DCHECK(!GetQuicReloadableFlag(quic_inline_getorcreatedynamicstream));
+  StreamMap::iterator it = stream_map_.find(stream_id);
+  if (it != stream_map_.end()) {
     return it->second.get();
   }
 
@@ -1360,7 +1345,7 @@ QuicStream* QuicSession::GetOrCreateDynamicStream(
     return nullptr;
   }
 
-  if (connection_->transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(connection_->transport_version())) {
     // TODO(fayang): Let LegacyQuicStreamIdManager count open streams and make
     // CanOpenIncomingStream interface cosistent with that of v99.
     if (!stream_id_manager_.CanOpenIncomingStream(
@@ -1376,7 +1361,7 @@ QuicStream* QuicSession::GetOrCreateDynamicStream(
 
 void QuicSession::set_largest_peer_created_stream_id(
     QuicStreamId largest_peer_created_stream_id) {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     v99_streamid_manager_.SetLargestPeerCreatedStreamId(
         largest_peer_created_stream_id);
     return;
@@ -1393,7 +1378,7 @@ bool QuicSession::IsClosedStream(QuicStreamId id) {
     return false;
   }
 
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return !v99_streamid_manager_.IsAvailableStream(id);
   }
 
@@ -1403,8 +1388,7 @@ bool QuicSession::IsClosedStream(QuicStreamId id) {
 bool QuicSession::IsOpenStream(QuicStreamId id) {
   DCHECK_NE(QuicUtils::GetInvalidStreamId(connection_->transport_version()),
             id);
-  if (QuicContainsKey(static_stream_map_, id) ||
-      QuicContainsKey(dynamic_stream_map_, id) ||
+  if (QuicContainsKey(stream_map_, id) ||
       QuicContainsKey(pending_stream_map_, id) ||
       QuicUtils::IsCryptoStreamId(connection_->transport_version(), id)) {
     // Stream is active
@@ -1414,15 +1398,11 @@ bool QuicSession::IsOpenStream(QuicStreamId id) {
 }
 
 bool QuicSession::IsStaticStream(QuicStreamId id) const {
-  if (eliminate_static_stream_map()) {
-    auto it = dynamic_stream_map_.find(id);
-    if (it == dynamic_stream_map_.end()) {
-      return false;
-    }
-    return it->second->is_static();
+  auto it = stream_map_.find(id);
+  if (it == stream_map_.end()) {
+    return false;
   }
-
-  return QuicContainsKey(static_streams(), id);
+  return it->second->is_static();
 }
 
 size_t QuicSession::GetNumOpenIncomingStreams() const {
@@ -1440,7 +1420,7 @@ size_t QuicSession::GetNumOpenOutgoingStreams() const {
 }
 
 size_t QuicSession::GetNumActiveStreams() const {
-  return dynamic_stream_map_.size() - draining_streams_.size() -
+  return stream_map_.size() - draining_streams_.size() -
          num_incoming_static_streams_ - num_outgoing_static_streams_;
 }
 
@@ -1474,11 +1454,11 @@ void QuicSession::SendPing() {
 }
 
 size_t QuicSession::GetNumDynamicOutgoingStreams() const {
-  DCHECK_GE(static_cast<size_t>(dynamic_stream_map_.size() +
-                                pending_stream_map_.size()),
-            num_dynamic_incoming_streams_ + num_outgoing_static_streams_ +
-                num_incoming_static_streams_);
-  return dynamic_stream_map_.size() + pending_stream_map_.size() -
+  DCHECK_GE(
+      static_cast<size_t>(stream_map_.size() + pending_stream_map_.size()),
+      num_dynamic_incoming_streams_ + num_outgoing_static_streams_ +
+          num_incoming_static_streams_);
+  return stream_map_.size() + pending_stream_map_.size() -
          num_dynamic_incoming_streams_ - num_outgoing_static_streams_ -
          num_incoming_static_streams_;
 }
@@ -1500,47 +1480,47 @@ bool QuicSession::IsConnectionFlowControlBlocked() const {
 }
 
 bool QuicSession::IsStreamFlowControlBlocked() {
-  for (auto const& kv : static_stream_map_) {
+  for (auto const& kv : stream_map_) {
     if (kv.second->flow_controller()->IsBlocked()) {
       return true;
     }
   }
-  for (auto const& kv : dynamic_stream_map_) {
-    if (kv.second->flow_controller()->IsBlocked()) {
-      return true;
-    }
-  }
-  if (eliminate_static_stream_map_ &&
-      !QuicVersionUsesCryptoFrames(connection_->transport_version()) &&
+  if (!QuicVersionUsesCryptoFrames(connection_->transport_version()) &&
       GetMutableCryptoStream()->flow_controller()->IsBlocked()) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 14, 17);
     return true;
   }
   return false;
 }
 
 size_t QuicSession::MaxAvailableBidirectionalStreams() const {
-  if (connection()->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection()->transport_version())) {
     return v99_streamid_manager_.GetMaxAllowdIncomingBidirectionalStreams();
   }
   return stream_id_manager_.MaxAvailableStreams();
 }
 
 size_t QuicSession::MaxAvailableUnidirectionalStreams() const {
-  if (connection()->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection()->transport_version())) {
     return v99_streamid_manager_.GetMaxAllowdIncomingUnidirectionalStreams();
   }
   return stream_id_manager_.MaxAvailableStreams();
 }
 
 bool QuicSession::IsIncomingStream(QuicStreamId id) const {
-  if (connection()->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection()->transport_version())) {
     return v99_streamid_manager_.IsIncomingStream(id);
   }
   return stream_id_manager_.IsIncomingStream(id);
 }
 
 void QuicSession::OnStreamDoneWaitingForAcks(QuicStreamId id) {
+  if (ignore_tlpr_if_no_pending_stream_data() &&
+      session_decides_what_to_write()) {
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_tlpr_if_no_pending_stream_data, 3,
+                                 5);
+    streams_waiting_for_acks_.erase(id);
+  }
+
   auto it = zombie_streams_.find(id);
   if (it == zombie_streams_.end()) {
     return;
@@ -1555,16 +1535,35 @@ void QuicSession::OnStreamDoneWaitingForAcks(QuicStreamId id) {
   streams_with_pending_retransmission_.erase(id);
 }
 
-QuicStream* QuicSession::GetStream(QuicStreamId id) const {
-  if (id <= largest_static_stream_id_) {
-    auto static_stream = static_stream_map_.find(id);
-    if (static_stream != static_stream_map_.end()) {
-      return static_stream->second;
-    }
+void QuicSession::OnStreamWaitingForAcks(QuicStreamId id) {
+  if (!ignore_tlpr_if_no_pending_stream_data() ||
+      !session_decides_what_to_write())
+    return;
+
+  // Exclude crypto stream's status since it is counted in HasUnackedCryptoData.
+  if (GetCryptoStream() != nullptr && id == GetCryptoStream()->id()) {
+    return;
   }
 
-  auto active_stream = dynamic_stream_map_.find(id);
-  if (active_stream != dynamic_stream_map_.end()) {
+  QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_tlpr_if_no_pending_stream_data, 4,
+                               5);
+  streams_waiting_for_acks_.insert(id);
+
+  // The number of the streams waiting for acks should not be larger than the
+  // number of streams.
+  if (static_cast<size_t>(stream_map_.size() + zombie_streams_.size()) <
+      streams_waiting_for_acks_.size()) {
+    QUIC_BUG << "More streams are waiting for acks than the number of streams. "
+             << "Sizes: streams: " << stream_map_.size()
+             << ", zombie streams: " << zombie_streams_.size()
+             << ", vs streams waiting for acks: "
+             << streams_waiting_for_acks_.size();
+  }
+}
+
+QuicStream* QuicSession::GetStream(QuicStreamId id) const {
+  auto active_stream = stream_map_.find(id);
+  if (active_stream != stream_map_.end()) {
     return active_stream->second.get();
   }
   auto zombie_stream = zombie_streams_.find(id);
@@ -1572,9 +1571,7 @@ QuicStream* QuicSession::GetStream(QuicStreamId id) const {
     return zombie_stream->second.get();
   }
 
-  if (eliminate_static_stream_map_ &&
-      QuicUtils::IsCryptoStreamId(connection_->transport_version(), id)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_eliminate_static_stream_map_3, 15, 17);
+  if (QuicUtils::IsCryptoStreamId(connection_->transport_version(), id)) {
     return const_cast<QuicCryptoStream*>(GetCryptoStream());
   }
 
@@ -1582,9 +1579,10 @@ QuicStream* QuicSession::GetStream(QuicStreamId id) const {
 }
 
 bool QuicSession::OnFrameAcked(const QuicFrame& frame,
-                               QuicTime::Delta ack_delay_time) {
+                               QuicTime::Delta ack_delay_time,
+                               QuicTime receive_timestamp) {
   if (frame.type == MESSAGE_FRAME) {
-    OnMessageAcked(frame.message_frame->message_id);
+    OnMessageAcked(frame.message_frame->message_id, receive_timestamp);
     return true;
   }
   if (frame.type == CRYPTO_FRAME) {
@@ -1653,8 +1651,7 @@ void QuicSession::OnFrameLost(const QuicFrame& frame) {
 
 void QuicSession::RetransmitFrames(const QuicFrames& frames,
                                    TransmissionType type) {
-  QuicConnection::ScopedPacketFlusher retransmission_flusher(
-      connection_, QuicConnection::NO_ACK);
+  QuicConnection::ScopedPacketFlusher retransmission_flusher(connection_);
   SetTransmissionType(type);
   for (const QuicFrame& frame : frames) {
     if (frame.type == MESSAGE_FRAME) {
@@ -1702,15 +1699,18 @@ bool QuicSession::IsFrameOutstanding(const QuicFrame& frame) const {
 
 bool QuicSession::HasUnackedCryptoData() const {
   const QuicCryptoStream* crypto_stream = GetCryptoStream();
-  if (crypto_stream->IsWaitingForAcks()) {
-    return true;
-  }
-  if (GetQuicReloadableFlag(quic_fix_has_pending_crypto_data) &&
-      crypto_stream->HasBufferedData()) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_fix_has_pending_crypto_data);
-    return true;
+  return crypto_stream->IsWaitingForAcks() || crypto_stream->HasBufferedData();
+}
+
+bool QuicSession::HasUnackedStreamData() const {
+  DCHECK(ignore_tlpr_if_no_pending_stream_data());
+  if (ignore_tlpr_if_no_pending_stream_data()) {
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_ignore_tlpr_if_no_pending_stream_data, 5,
+                                 5);
+    return !streams_waiting_for_acks_.empty();
   }
-  return false;
+
+  return true;
 }
 
 WriteStreamDataResult QuicSession::WriteStreamData(QuicStreamId id,
@@ -1744,8 +1744,7 @@ QuicUint128 QuicSession::GetStatelessResetToken() const {
 }
 
 bool QuicSession::RetransmitLostData() {
-  QuicConnection::ScopedPacketFlusher retransmission_flusher(
-      connection_, QuicConnection::SEND_ACK_IF_QUEUED);
+  QuicConnection::ScopedPacketFlusher retransmission_flusher(connection_);
   // Retransmit crypto data first.
   bool uses_crypto_frames =
       QuicVersionUsesCryptoFrames(connection_->transport_version());
@@ -1839,7 +1838,8 @@ MessageResult QuicSession::SendMessage(QuicMemSliceSpan message) {
   return {result, 0};
 }
 
-void QuicSession::OnMessageAcked(QuicMessageId message_id) {
+void QuicSession::OnMessageAcked(QuicMessageId message_id,
+                                 QuicTime /*receive_timestamp*/) {
   QUIC_DVLOG(1) << ENDPOINT << "message " << message_id << " gets acked.";
 }
 
@@ -1868,17 +1868,17 @@ void QuicSession::SendStopSending(uint16_t code, QuicStreamId stream_id) {
   control_frame_manager_.WriteOrBufferStopSending(code, stream_id);
 }
 
-void QuicSession::OnCanCreateNewOutgoingStream() {}
+void QuicSession::OnCanCreateNewOutgoingStream(bool /*unidirectional*/) {}
 
 QuicStreamId QuicSession::next_outgoing_bidirectional_stream_id() const {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.next_outgoing_bidirectional_stream_id();
   }
   return stream_id_manager_.next_outgoing_stream_id();
 }
 
 QuicStreamId QuicSession::next_outgoing_unidirectional_stream_id() const {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.next_outgoing_unidirectional_stream_id();
   }
   return stream_id_manager_.next_outgoing_stream_id();
@@ -1893,14 +1893,14 @@ bool QuicSession::OnStreamsBlockedFrame(const QuicStreamsBlockedFrame& frame) {
 }
 
 size_t QuicSession::max_open_incoming_bidirectional_streams() const {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.GetMaxAllowdIncomingBidirectionalStreams();
   }
   return stream_id_manager_.max_open_incoming_streams();
 }
 
 size_t QuicSession::max_open_incoming_unidirectional_streams() const {
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     return v99_streamid_manager_.GetMaxAllowdIncomingUnidirectionalStreams();
   }
   return stream_id_manager_.max_open_incoming_streams();
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_session.h b/chromium/net/third_party/quiche/src/quic/core/quic_session.h
index 513ed9bf60f..b7c02122f93 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_session.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_session.h
@@ -105,8 +105,7 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   void OnMessageReceived(QuicStringPiece message) override;
   void OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) override;
   void OnBlockedFrame(const QuicBlockedFrame& frame) override;
-  void OnConnectionClosed(QuicErrorCode error,
-                          const std::string& error_details,
+  void OnConnectionClosed(const QuicConnectionCloseFrame& frame,
                           ConnectionCloseSource source) override;
   void OnWriteBlocked() override;
   void OnSuccessfulVersionNegotiation(
@@ -117,7 +116,7 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   void OnCanWrite() override;
   bool SendProbingData() override;
   void OnCongestionWindowChange(QuicTime /*now*/) override {}
-  void OnConnectionMigration(AddressChangeType type) override {}
+  void OnConnectionMigration(AddressChangeType /*type*/) override {}
   // Adds a connection level WINDOW_UPDATE frame.
   void OnAckNeedsRetransmittableFrame() override;
   void SendPing() override;
@@ -142,13 +141,15 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
 
   // SessionNotifierInterface methods:
   bool OnFrameAcked(const QuicFrame& frame,
-                    QuicTime::Delta ack_delay_time) override;
+                    QuicTime::Delta ack_delay_time,
+                    QuicTime receive_timestamp) override;
   void OnStreamFrameRetransmitted(const QuicStreamFrame& frame) override;
   void OnFrameLost(const QuicFrame& frame) override;
   void RetransmitFrames(const QuicFrames& frames,
                         TransmissionType type) override;
   bool IsFrameOutstanding(const QuicFrame& frame) const override;
   bool HasUnackedCryptoData() const override;
+  bool HasUnackedStreamData() const override;
 
   // Called on every incoming packet. Passes |packet| through to |connection_|.
   virtual void ProcessUdpPacket(const QuicSocketAddress& self_address,
@@ -189,7 +190,8 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   MessageResult SendMessage(QuicMemSliceSpan message);
 
   // Called when message with |message_id| gets acked.
-  virtual void OnMessageAcked(QuicMessageId message_id);
+  virtual void OnMessageAcked(QuicMessageId message_id,
+                              QuicTime receive_timestamp);
 
   // Called when message with |message_id| is considered as lost.
   virtual void OnMessageLost(QuicMessageId message_id);
@@ -322,6 +324,9 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // a stream is reset because of an error).
   void OnStreamDoneWaitingForAcks(QuicStreamId id);
 
+  // Called when stream |id| is newly waiting for acks.
+  void OnStreamWaitingForAcks(QuicStreamId id);
+
   // Called to cancel retransmission of unencypted crypto stream data.
   void NeuterUnencryptedData();
 
@@ -361,10 +366,11 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   size_t MaxAvailableBidirectionalStreams() const;
   size_t MaxAvailableUnidirectionalStreams() const;
 
-  // Returns existing static or dynamic stream with id = |stream_id|. If no
-  // such stream exists, and |stream_id| is a peer-created dynamic stream id,
+  // Returns existing stream with id = |stream_id|. If no
+  // such stream exists, and |stream_id| is a peer-created stream id,
   // then a new stream is created and returned. In all other cases, nullptr is
   // returned.
+  // Caller does not own the returned stream.
   QuicStream* GetOrCreateStream(const QuicStreamId stream_id);
 
   // Mark a stream as draining.
@@ -387,8 +393,11 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
 
   // Called when new outgoing streams are available to be opened. This occurs
   // when an extant, open, stream is moved to draining or closed. The default
-  // implementation does nothing.
-  virtual void OnCanCreateNewOutgoingStream();
+  // implementation does nothing. |unidirectional| indicates whether
+  // unidirectional or bidirectional streams are now available. If both become
+  // available at the same time then there will be two calls to this method, one
+  // with unidirectional==true, the other with it ==false.
+  virtual void OnCanCreateNewOutgoingStream(bool unidirectional);
 
   QuicStreamId next_outgoing_bidirectional_stream_id() const;
   QuicStreamId next_outgoing_unidirectional_stream_id() const;
@@ -424,10 +433,7 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   }
 
  protected:
-  using StaticStreamMap = QuicSmallMap<QuicStreamId, QuicStream*, 2>;
-
-  using DynamicStreamMap =
-      QuicSmallMap<QuicStreamId, std::unique_ptr<QuicStream>, 10>;
+  using StreamMap = QuicSmallMap<QuicStreamId, std::unique_ptr<QuicStream>, 10>;
 
   using PendingStreamMap =
       QuicSmallMap<QuicStreamId, std::unique_ptr<PendingStream>, 10>;
@@ -441,7 +447,7 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // Caller does not own the returned stream.
   // Returns nullptr and does error handling if the stream can not be created.
   virtual QuicStream* CreateIncomingStream(QuicStreamId id) = 0;
-  virtual QuicStream* CreateIncomingStream(PendingStream pending) = 0;
+  virtual QuicStream* CreateIncomingStream(PendingStream* pending) = 0;
 
   // Return the reserved crypto stream.
   virtual QuicCryptoStream* GetMutableCryptoStream() = 0;
@@ -449,7 +455,7 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // Return the reserved crypto stream as a constant pointer.
   virtual const QuicCryptoStream* GetCryptoStream() const = 0;
 
-  // Adds |stream| to the dynamic stream map.
+  // Adds |stream| to the stream map.
   virtual void ActivateStream(std::unique_ptr<QuicStream> stream);
 
   // Returns the stream ID for a new outgoing bidirectional/unidirectional
@@ -473,6 +479,8 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // returned. However if |stream_id| is a locally-created id and no such stream
   // exists, the connection is closed.
   // Caller does not own the returned stream.
+  // TODO(renjietang): Remove this method after
+  // quic_inline_getorcreatedynamicstream is deprecated.
   QuicStream* GetOrCreateDynamicStream(QuicStreamId stream_id);
 
   // Performs the work required to close |stream_id|.  If |locally_reset|
@@ -493,18 +501,15 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // ProcessPendingStream().
   virtual bool UsesPendingStreams() const { return false; }
 
-  // Register (|id|, |stream|) with the static stream map. Override previous
-  // registrations with the same id.
-  void RegisterStaticStream(QuicStreamId id, QuicStream* stream);
-  // TODO(renjietang): Replace the original Register method with the new one
-  // once flag is deprecated.
-  void RegisterStaticStreamNew(std::unique_ptr<QuicStream> stream);
-  const StaticStreamMap& static_streams() const { return static_stream_map_; }
-
-  DynamicStreamMap& dynamic_streams() { return dynamic_stream_map_; }
-  const DynamicStreamMap& dynamic_streams() const {
-    return dynamic_stream_map_;
-  }
+  // Transfer ownership of |stream| to stream_map_, and register
+  // |stream| as static in stream id manager. |stream_already_counted| is true
+  // if |stream| is created from pending stream and is already known as an open
+  // stream.
+  void RegisterStaticStream(std::unique_ptr<QuicStream> stream,
+                            bool stream_already_counted);
+
+  StreamMap& stream_map() { return stream_map_; }
+  const StreamMap& stream_map() const { return stream_map_; }
 
   ClosedStreams* closed_streams() { return &closed_streams_; }
 
@@ -560,10 +565,8 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // Processes the stream type information of |pending| depending on
   // different kinds of sessions' own rules. Returns true if the pending stream
   // is converted into a normal stream.
-  virtual bool ProcessPendingStream(PendingStream* pending) { return false; }
-
-  bool eliminate_static_stream_map() const {
-    return eliminate_static_stream_map_;
+  virtual bool ProcessPendingStream(PendingStream* /*pending*/) {
+    return false;
   }
 
  private:
@@ -613,6 +616,11 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // stream.
   void PendingStreamOnRstStream(const QuicRstStreamFrame& frame);
 
+  bool ignore_tlpr_if_no_pending_stream_data() const {
+    return connection_->sent_packet_manager()
+        .ignore_tlpr_if_no_pending_stream_data();
+  }
+
   // Keep track of highest received byte offset of locally closed streams, while
   // waiting for a definitive final highest offset from the peer.
   std::map<QuicStreamId, QuicStreamOffset>
@@ -635,12 +643,8 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
 
   QuicConfig config_;
 
-  // Static streams, such as crypto and header streams. Owned by child classes
-  // that create these streams.
-  StaticStreamMap static_stream_map_;
-
   // Map from StreamId to pointers to streams. Owns the streams.
-  DynamicStreamMap dynamic_stream_map_;
+  StreamMap stream_map_;
 
   // Map from StreamId to PendingStreams for peer-created unidirectional streams
   // which are waiting for the first byte of payload to arrive.
@@ -651,6 +655,9 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // been consumed.
   QuicUnorderedSet<QuicStreamId> draining_streams_;
 
+  // Set of stream ids that are waiting for acks excluding crypto stream id.
+  QuicUnorderedSet<QuicStreamId> streams_waiting_for_acks_;
+
   // TODO(fayang): Consider moving LegacyQuicStreamIdManager into
   // UberQuicStreamIdManager.
   // Manages stream IDs for Google QUIC.
@@ -659,18 +666,18 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // Manages stream IDs for version99/IETF QUIC
   UberQuicStreamIdManager v99_streamid_manager_;
 
-  // A counter for peer initiated streams which are in the dynamic_stream_map_.
+  // A counter for peer initiated dynamic streams which are in the stream_map_.
   size_t num_dynamic_incoming_streams_;
 
   // A counter for peer initiated streams which are in the draining_streams_.
   size_t num_draining_incoming_streams_;
 
   // A counter for self initiated static streams which are in
-  // dynamic_stream_map_.
+  // stream_map_.
   size_t num_outgoing_static_streams_;
 
   // A counter for peer initiated static streams which are in
-  // dynamic_stream_map_.
+  // stream_map_.
   size_t num_incoming_static_streams_;
 
   // A counter for peer initiated streams which are in the
@@ -687,9 +694,6 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // call stack of OnCanWrite.
   QuicStreamId currently_writing_stream_id_;
 
-  // The largest stream id in |static_stream_map_|.
-  QuicStreamId largest_static_stream_id_;
-
   // Cached value of whether the crypto handshake has been confirmed.
   bool is_handshake_confirmed_;
 
@@ -715,9 +719,6 @@ class QUIC_EXPORT_PRIVATE QuicSession : public QuicConnectionVisitorInterface,
   // Supported version list used by the crypto handshake only. Please note, this
   // list may be a superset of the connection framer's supported versions.
   ParsedQuicVersionVector supported_versions_;
-
-  //  Latched value of quic_eliminate_static_stream_map.
-  const bool eliminate_static_stream_map_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_session_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_session_test.cc
index e2996db731c..90577d54483 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_session_test.cc
@@ -117,8 +117,8 @@ class TestStream : public QuicStream {
              StreamType type)
       : QuicStream(id, session, is_static, type) {}
 
-  TestStream(PendingStream pending, StreamType type)
-      : QuicStream(std::move(pending), type, /*is_static=*/false) {}
+  TestStream(PendingStream* pending, StreamType type)
+      : QuicStream(pending, type, /*is_static=*/false) {}
 
   using QuicStream::CloseReadSide;
   using QuicStream::CloseWriteSide;
@@ -185,9 +185,9 @@ class TestSession : public QuicSession {
     // Enforce the limit on the number of open streams.
     if (GetNumOpenIncomingStreams() + 1 >
             max_open_incoming_bidirectional_streams() &&
-        connection()->transport_version() != QUIC_VERSION_99) {
+        !VersionHasIetfQuicFrames(connection()->transport_version())) {
       // No need to do this test for version 99; it's done by
-      // QuicSession::GetOrCreateDynamicStream.
+      // QuicSession::GetOrCreateStream.
       connection()->CloseConnection(
           QUIC_TOO_MANY_OPEN_STREAMS, "Too many streams!",
           ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
@@ -204,13 +204,12 @@ class TestSession : public QuicSession {
     return stream;
   }
 
-  TestStream* CreateIncomingStream(PendingStream pending) override {
-    QuicStreamId id = pending.id();
-    TestStream* stream =
-        new TestStream(std::move(pending),
-                       DetermineStreamType(
-                           id, connection()->transport_version(), perspective(),
-                           /*is_incoming=*/true, BIDIRECTIONAL));
+  TestStream* CreateIncomingStream(PendingStream* pending) override {
+    QuicStreamId id = pending->id();
+    TestStream* stream = new TestStream(
+        pending, DetermineStreamType(id, connection()->transport_version(),
+                                     perspective(),
+                                     /*is_incoming=*/true, BIDIRECTIONAL));
     ActivateStream(QuicWrapUnique(stream));
     ++num_incoming_streams_created_;
     return stream;
@@ -223,7 +222,7 @@ class TestSession : public QuicSession {
     struct iovec iov;
     if (pending->sequencer()->GetReadableRegion(&iov)) {
       // Create TestStream once the first byte is received.
-      CreateIncomingStream(std::move(*pending));
+      CreateIncomingStream(pending);
       return true;
     }
     return false;
@@ -233,8 +232,8 @@ class TestSession : public QuicSession {
     return QuicSession::IsClosedStream(id);
   }
 
-  QuicStream* GetOrCreateDynamicStream(QuicStreamId stream_id) {
-    return QuicSession::GetOrCreateDynamicStream(stream_id);
+  QuicStream* GetOrCreateStream(QuicStreamId stream_id) {
+    return QuicSession::GetOrCreateStream(stream_id);
   }
 
   bool ShouldKeepConnectionAlive() const override {
@@ -260,7 +259,7 @@ class TestSession : public QuicSession {
     return consumed;
   }
 
-  MOCK_METHOD0(OnCanCreateNewOutgoingStream, void());
+  MOCK_METHOD1(OnCanCreateNewOutgoingStream, void(bool unidirectional));
 
   void set_writev_consumes_all_data(bool val) {
     writev_consumes_all_data_ = val;
@@ -281,11 +280,6 @@ class TestSession : public QuicSession {
     return consumed;
   }
 
-  bool ClearControlFrame(const QuicFrame& frame) {
-    DeleteFrame(&const_cast<QuicFrame&>(frame));
-    return true;
-  }
-
   bool SaveFrame(const QuicFrame& frame) {
     save_frame_ = frame;
     DeleteFrame(&const_cast<QuicFrame&>(frame));
@@ -358,7 +352,7 @@ class QuicSessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
   }
 
   void CloseStream(QuicStreamId id) {
-    if (session_.connection()->transport_version() == QUIC_VERSION_99 &&
+    if (VersionHasIetfQuicFrames(session_.connection()->transport_version()) &&
         QuicUtils::GetStreamType(id, session_.perspective(),
                                  session_.IsIncomingStream(id)) ==
             READ_UNIDIRECTIONAL) {
@@ -367,14 +361,15 @@ class QuicSessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
       EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(0);
     } else {
       // Verify reset IS sent for BIDIRECTIONAL streams.
-      if (session_.connection()->transport_version() == QUIC_VERSION_99) {
+      if (VersionHasIetfQuicFrames(
+              session_.connection()->transport_version())) {
         // Once for the RST_STREAM, Once for the STOP_SENDING
         EXPECT_CALL(*connection_, SendControlFrame(_))
             .Times(2)
-            .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+            .WillRepeatedly(Invoke(&ClearControlFrame));
       } else {
         EXPECT_CALL(*connection_, SendControlFrame(_))
-            .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+            .WillOnce(Invoke(&ClearControlFrame));
       }
       EXPECT_CALL(*connection_, OnStreamReset(id, _));
     }
@@ -418,7 +413,7 @@ class QuicSessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
     // needs to do the stream count where #1 is 0/1/2/3, and not
     // take into account that stream 0 is special.
     QuicStreamId id =
-        ((stream_count - 1) * QuicUtils::StreamIdDelta(QUIC_VERSION_99));
+        ((stream_count - 1) * QuicUtils::StreamIdDelta(transport_version()));
     if (!bidirectional) {
       id |= 0x2;
     }
@@ -442,9 +437,9 @@ class QuicSessionTestServer : public QuicSessionTestBase {
   // contains both expected path responses.
   WriteResult CheckMultiPathResponse(const char* buffer,
                                      size_t buf_len,
-                                     const QuicIpAddress& self_address,
-                                     const QuicSocketAddress& peer_address,
-                                     PerPacketOptions* options) {
+                                     const QuicIpAddress& /*self_address*/,
+                                     const QuicSocketAddress& /*peer_address*/,
+                                     PerPacketOptions* /*options*/) {
     QuicEncryptedPacket packet(buffer, buf_len);
     {
       InSequence s;
@@ -536,35 +531,35 @@ TEST_P(QuicSessionTestServer, IsClosedStreamDefault) {
 }
 
 TEST_P(QuicSessionTestServer, AvailableBidirectionalStreams) {
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedBidirectionalId(3)) != nullptr);
   // Smaller bidirectional streams should be available.
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthClientInitiatedBidirectionalId(1)));
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthClientInitiatedBidirectionalId(2)));
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedBidirectionalId(2)) != nullptr);
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedBidirectionalId(1)) != nullptr);
 }
 
 TEST_P(QuicSessionTestServer, AvailableUnidirectionalStreams) {
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedUnidirectionalId(3)) != nullptr);
   // Smaller unidirectional streams should be available.
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthClientInitiatedUnidirectionalId(1)));
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthClientInitiatedUnidirectionalId(2)));
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedUnidirectionalId(2)) != nullptr);
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthClientInitiatedUnidirectionalId(1)) != nullptr);
 }
 
 TEST_P(QuicSessionTestServer, MaxAvailableBidirectionalStreams) {
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_EQ(session_.max_open_incoming_bidirectional_streams(),
               session_.MaxAvailableBidirectionalStreams());
   } else {
@@ -577,7 +572,7 @@ TEST_P(QuicSessionTestServer, MaxAvailableBidirectionalStreams) {
 }
 
 TEST_P(QuicSessionTestServer, MaxAvailableUnidirectionalStreams) {
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_EQ(session_.max_open_incoming_unidirectional_streams(),
               session_.MaxAvailableUnidirectionalStreams());
   } else {
@@ -618,15 +613,15 @@ TEST_P(QuicSessionTestServer, IsClosedUnidirectionalStreamLocallyCreated) {
 TEST_P(QuicSessionTestServer, IsClosedBidirectionalStreamPeerCreated) {
   QuicStreamId stream_id1 = GetNthClientInitiatedBidirectionalId(0);
   QuicStreamId stream_id2 = GetNthClientInitiatedBidirectionalId(1);
-  session_.GetOrCreateDynamicStream(stream_id1);
-  session_.GetOrCreateDynamicStream(stream_id2);
+  session_.GetOrCreateStream(stream_id1);
+  session_.GetOrCreateStream(stream_id2);
 
   CheckClosedStreams();
   CloseStream(stream_id1);
   CheckClosedStreams();
   CloseStream(stream_id2);
   // Create a stream, and make another available.
-  QuicStream* stream3 = session_.GetOrCreateDynamicStream(
+  QuicStream* stream3 = session_.GetOrCreateStream(
       stream_id2 +
       2 * QuicUtils::StreamIdDelta(connection_->transport_version()));
   CheckClosedStreams();
@@ -638,15 +633,15 @@ TEST_P(QuicSessionTestServer, IsClosedBidirectionalStreamPeerCreated) {
 TEST_P(QuicSessionTestServer, IsClosedUnidirectionalStreamPeerCreated) {
   QuicStreamId stream_id1 = GetNthClientInitiatedUnidirectionalId(0);
   QuicStreamId stream_id2 = GetNthClientInitiatedUnidirectionalId(1);
-  session_.GetOrCreateDynamicStream(stream_id1);
-  session_.GetOrCreateDynamicStream(stream_id2);
+  session_.GetOrCreateStream(stream_id1);
+  session_.GetOrCreateStream(stream_id2);
 
   CheckClosedStreams();
   CloseStream(stream_id1);
   CheckClosedStreams();
   CloseStream(stream_id2);
   // Create a stream, and make another available.
-  QuicStream* stream3 = session_.GetOrCreateDynamicStream(
+  QuicStream* stream3 = session_.GetOrCreateStream(
       stream_id2 +
       2 * QuicUtils::StreamIdDelta(connection_->transport_version()));
   CheckClosedStreams();
@@ -657,33 +652,31 @@ TEST_P(QuicSessionTestServer, IsClosedUnidirectionalStreamPeerCreated) {
 
 TEST_P(QuicSessionTestServer, MaximumAvailableOpenedBidirectionalStreams) {
   QuicStreamId stream_id = GetNthClientInitiatedBidirectionalId(0);
-  session_.GetOrCreateDynamicStream(stream_id);
+  session_.GetOrCreateStream(stream_id);
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
-  EXPECT_NE(
-      nullptr,
-      session_.GetOrCreateDynamicStream(GetNthClientInitiatedBidirectionalId(
-          session_.max_open_incoming_bidirectional_streams() - 1)));
+  EXPECT_NE(nullptr,
+            session_.GetOrCreateStream(GetNthClientInitiatedBidirectionalId(
+                session_.max_open_incoming_bidirectional_streams() - 1)));
 }
 
 TEST_P(QuicSessionTestServer, MaximumAvailableOpenedUnidirectionalStreams) {
   QuicStreamId stream_id = GetNthClientInitiatedUnidirectionalId(0);
-  session_.GetOrCreateDynamicStream(stream_id);
+  session_.GetOrCreateStream(stream_id);
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
-  EXPECT_NE(
-      nullptr,
-      session_.GetOrCreateDynamicStream(GetNthClientInitiatedUnidirectionalId(
-          session_.max_open_incoming_unidirectional_streams() - 1)));
+  EXPECT_NE(nullptr,
+            session_.GetOrCreateStream(GetNthClientInitiatedUnidirectionalId(
+                session_.max_open_incoming_unidirectional_streams() - 1)));
 }
 
 TEST_P(QuicSessionTestServer, TooManyAvailableBidirectionalStreams) {
   QuicStreamId stream_id1 = GetNthClientInitiatedBidirectionalId(0);
   QuicStreamId stream_id2;
-  EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id1));
+  EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id1));
   // A stream ID which is too large to create.
   stream_id2 = GetNthClientInitiatedBidirectionalId(
       session_.MaxAvailableBidirectionalStreams() + 2);
-  if (transport_version() == QUIC_VERSION_99) {
-    // V99 terminates the connection with invalid stream id
+  if (VersionHasIetfQuicFrames(transport_version())) {
+    // IETF QUIC terminates the connection with invalid stream id
     EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_STREAM_ID, _, _));
   } else {
     // other versions terminate the connection with
@@ -691,18 +684,18 @@ TEST_P(QuicSessionTestServer, TooManyAvailableBidirectionalStreams) {
     EXPECT_CALL(*connection_,
                 CloseConnection(QUIC_TOO_MANY_AVAILABLE_STREAMS, _, _));
   }
-  EXPECT_EQ(nullptr, session_.GetOrCreateDynamicStream(stream_id2));
+  EXPECT_EQ(nullptr, session_.GetOrCreateStream(stream_id2));
 }
 
 TEST_P(QuicSessionTestServer, TooManyAvailableUnidirectionalStreams) {
   QuicStreamId stream_id1 = GetNthClientInitiatedUnidirectionalId(0);
   QuicStreamId stream_id2;
-  EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id1));
+  EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id1));
   // A stream ID which is too large to create.
   stream_id2 = GetNthClientInitiatedUnidirectionalId(
       session_.MaxAvailableUnidirectionalStreams() + 2);
-  if (transport_version() == QUIC_VERSION_99) {
-    // V99 terminates the connection with invalid stream id
+  if (VersionHasIetfQuicFrames(transport_version())) {
+    // IETF QUIC terminates the connection with invalid stream id
     EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_STREAM_ID, _, _));
   } else {
     // other versions terminate the connection with
@@ -710,13 +703,13 @@ TEST_P(QuicSessionTestServer, TooManyAvailableUnidirectionalStreams) {
     EXPECT_CALL(*connection_,
                 CloseConnection(QUIC_TOO_MANY_AVAILABLE_STREAMS, _, _));
   }
-  EXPECT_EQ(nullptr, session_.GetOrCreateDynamicStream(stream_id2));
+  EXPECT_EQ(nullptr, session_.GetOrCreateStream(stream_id2));
 }
 
 TEST_P(QuicSessionTestServer, ManyAvailableBidirectionalStreams) {
   // When max_open_streams_ is 200, should be able to create 200 streams
   // out-of-order, that is, creating the one with the largest stream ID first.
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(&session_, 200);
     // Smaller limit on unidirectional streams to help detect crossed wires.
     QuicSessionPeer::SetMaxOpenIncomingUnidirectionalStreams(&session_, 50);
@@ -725,21 +718,21 @@ TEST_P(QuicSessionTestServer, ManyAvailableBidirectionalStreams) {
   }
   // Create a stream at the start of the range.
   QuicStreamId stream_id = GetNthClientInitiatedBidirectionalId(0);
-  EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id));
+  EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id));
 
   // Create the largest stream ID of a threatened total of 200 streams.
   // GetNth... starts at 0, so for 200 streams, get the 199th.
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
-  EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(
+  EXPECT_NE(nullptr, session_.GetOrCreateStream(
                          GetNthClientInitiatedBidirectionalId(199)));
 
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // If IETF QUIC, check to make sure that creating bidirectional
     // streams does not mess up the unidirectional streams.
     stream_id = GetNthClientInitiatedUnidirectionalId(0);
-    EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id));
+    EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id));
     // Now try to get the last possible unidirectional stream.
-    EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(
+    EXPECT_NE(nullptr, session_.GetOrCreateStream(
                            GetNthClientInitiatedUnidirectionalId(49)));
     // and this should fail because it exceeds the unidirectional limit
     // (but not the bi-)
@@ -751,7 +744,7 @@ TEST_P(QuicSessionTestServer, ManyAvailableBidirectionalStreams) {
 
                         ))
         .Times(1);
-    EXPECT_EQ(nullptr, session_.GetOrCreateDynamicStream(
+    EXPECT_EQ(nullptr, session_.GetOrCreateStream(
                            GetNthClientInitiatedUnidirectionalId(199)));
   }
 }
@@ -759,7 +752,7 @@ TEST_P(QuicSessionTestServer, ManyAvailableBidirectionalStreams) {
 TEST_P(QuicSessionTestServer, ManyAvailableUnidirectionalStreams) {
   // When max_open_streams_ is 200, should be able to create 200 streams
   // out-of-order, that is, creating the one with the largest stream ID first.
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     QuicSessionPeer::SetMaxOpenIncomingUnidirectionalStreams(&session_, 200);
     // Smaller limit on unidirectional streams to help detect crossed wires.
     QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(&session_, 50);
@@ -768,20 +761,20 @@ TEST_P(QuicSessionTestServer, ManyAvailableUnidirectionalStreams) {
   }
   // Create one stream.
   QuicStreamId stream_id = GetNthClientInitiatedUnidirectionalId(0);
-  EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id));
+  EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id));
 
   // Create the largest stream ID of a threatened total of 200 streams.
   // GetNth... starts at 0, so for 200 streams, get the 199th.
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
-  EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(
+  EXPECT_NE(nullptr, session_.GetOrCreateStream(
                          GetNthClientInitiatedUnidirectionalId(199)));
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // If IETF QUIC, check to make sure that creating unidirectional
     // streams does not mess up the bidirectional streams.
     stream_id = GetNthClientInitiatedBidirectionalId(0);
-    EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(stream_id));
+    EXPECT_NE(nullptr, session_.GetOrCreateStream(stream_id));
     // Now try to get the last possible bidirectional stream.
-    EXPECT_NE(nullptr, session_.GetOrCreateDynamicStream(
+    EXPECT_NE(nullptr, session_.GetOrCreateStream(
                            GetNthClientInitiatedBidirectionalId(49)));
     // and this should fail because it exceeds the bnidirectional limit
     // (but not the uni-)
@@ -796,7 +789,7 @@ TEST_P(QuicSessionTestServer, ManyAvailableUnidirectionalStreams) {
         CloseConnection(QUIC_INVALID_STREAM_ID, error_detail,
                         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET))
         .Times(1);
-    EXPECT_EQ(nullptr, session_.GetOrCreateDynamicStream(
+    EXPECT_EQ(nullptr, session_.GetOrCreateStream(
                            GetNthClientInitiatedBidirectionalId(199)));
   }
 }
@@ -820,6 +813,11 @@ TEST_P(QuicSessionTestServer, DebugDFatalIfMarkingClosedStreamWriteBlocked) {
 }
 
 TEST_P(QuicSessionTestServer, OnCanWrite) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
@@ -849,6 +847,11 @@ TEST_P(QuicSessionTestServer, OnCanWrite) {
 }
 
 TEST_P(QuicSessionTestServer, TestBatchedWrites) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
@@ -958,6 +961,11 @@ TEST_P(QuicSessionTestServer, OnCanWriteBundlesStreams) {
 }
 
 TEST_P(QuicSessionTestServer, OnCanWriteCongestionControlBlocks) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   InSequence s;
 
@@ -1004,6 +1012,11 @@ TEST_P(QuicSessionTestServer, OnCanWriteCongestionControlBlocks) {
 }
 
 TEST_P(QuicSessionTestServer, OnCanWriteWriterBlocks) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Drive congestion control manually in order to ensure that
   // application-limited signaling is handled correctly.
   MockSendAlgorithm* send_algorithm = new StrictMock<MockSendAlgorithm>;
@@ -1081,6 +1094,11 @@ TEST_P(QuicSessionTestServer, BufferedHandshake) {
 }
 
 TEST_P(QuicSessionTestServer, OnCanWriteWithClosedStream) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
@@ -1093,7 +1111,7 @@ TEST_P(QuicSessionTestServer, OnCanWriteWithClosedStream) {
 
   InSequence s;
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*stream2, OnCanWrite()).WillOnce(Invoke([this, stream2]() {
     session_.SendStreamData(stream2);
   }));
@@ -1146,7 +1164,7 @@ TEST_P(QuicSessionTestServer, OnCanWriteLimitsNumWritesIfFlowControlBlocked) {
 }
 
 TEST_P(QuicSessionTestServer, SendGoAway) {
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // GoAway frames are not in version 99
     return;
   }
@@ -1166,24 +1184,24 @@ TEST_P(QuicSessionTestServer, SendGoAway) {
   EXPECT_CALL(*connection_,
               OnStreamReset(kTestStreamId, QUIC_STREAM_PEER_GOING_AWAY))
       .Times(0);
-  EXPECT_TRUE(session_.GetOrCreateDynamicStream(kTestStreamId));
+  EXPECT_TRUE(session_.GetOrCreateStream(kTestStreamId));
 }
 
 TEST_P(QuicSessionTestServer, DoNotSendGoAwayTwice) {
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // TODO(b/118808809): Enable this test for version 99 when GOAWAY is
     // supported.
     return;
   }
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   session_.SendGoAway(QUIC_PEER_GOING_AWAY, "Going Away.");
   EXPECT_TRUE(session_.goaway_sent());
   session_.SendGoAway(QUIC_PEER_GOING_AWAY, "Going Away.");
 }
 
 TEST_P(QuicSessionTestServer, InvalidGoAway) {
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // TODO(b/118808809): Enable this test for version 99 when GOAWAY is
     // supported.
     return;
@@ -1211,7 +1229,7 @@ TEST_P(QuicSessionTestServer, ServerReplyToConnectivityProbe) {
       .WillOnce(Invoke(
           connection_,
           &MockQuicConnection::ReallySendConnectivityProbingResponsePacket));
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // Need to explicitly do this to emulate the reception of a PathChallenge,
     // which stores its payload for use in generating the response.
     connection_->OnPathChallengeFrame(
@@ -1224,9 +1242,14 @@ TEST_P(QuicSessionTestServer, ServerReplyToConnectivityProbe) {
 
 // Same as above, but check that if there are two PATH_CHALLENGE frames in the
 // packet, the response has both of them AND we do not do migration.  This for
-// V99 only.
+// IETF QUIC only.
 TEST_P(QuicSessionTestServer, ServerReplyToConnectivityProbes) {
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    return;
+  }
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
     return;
   }
   QuicSocketAddress old_peer_address =
@@ -1266,17 +1289,15 @@ TEST_P(QuicSessionTestServer, IncreasedTimeoutAfterCryptoHandshake) {
 }
 
 TEST_P(QuicSessionTestServer, OnStreamFrameFinStaticStreamId) {
+  if (connection_->version().DoesNotHaveHeadersStream()) {
+    return;
+  }
   QuicStreamId headers_stream_id =
       QuicUtils::GetHeadersStreamId(connection_->transport_version());
   std::unique_ptr<TestStream> fake_headers_stream = QuicMakeUnique<TestStream>(
       headers_stream_id, &session_, /*is_static*/ true, BIDIRECTIONAL);
-  if (GetQuicReloadableFlag(quic_eliminate_static_stream_map_3)) {
-    QuicSessionPeer::RegisterStaticStreamNew(&session_,
-                                             std::move(fake_headers_stream));
-  } else {
-    QuicSessionPeer::RegisterStaticStream(&session_, headers_stream_id,
-                                          fake_headers_stream.get());
-  }
+  QuicSessionPeer::RegisterStaticStream(&session_,
+                                        std::move(fake_headers_stream));
   // Send two bytes of payload.
   QuicStreamFrame data1(headers_stream_id, true, 0, QuicStringPiece("HT"));
   EXPECT_CALL(*connection_,
@@ -1287,17 +1308,15 @@ TEST_P(QuicSessionTestServer, OnStreamFrameFinStaticStreamId) {
 }
 
 TEST_P(QuicSessionTestServer, OnRstStreamStaticStreamId) {
+  if (connection_->version().DoesNotHaveHeadersStream()) {
+    return;
+  }
   QuicStreamId headers_stream_id =
       QuicUtils::GetHeadersStreamId(connection_->transport_version());
   std::unique_ptr<TestStream> fake_headers_stream = QuicMakeUnique<TestStream>(
       headers_stream_id, &session_, /*is_static*/ true, BIDIRECTIONAL);
-  if (GetQuicReloadableFlag(quic_eliminate_static_stream_map_3)) {
-    QuicSessionPeer::RegisterStaticStreamNew(&session_,
-                                             std::move(fake_headers_stream));
-  } else {
-    QuicSessionPeer::RegisterStaticStream(&session_, headers_stream_id,
-                                          fake_headers_stream.get());
-  }
+  QuicSessionPeer::RegisterStaticStream(&session_,
+                                        std::move(fake_headers_stream));
   // Send two bytes of payload.
   QuicRstStreamFrame rst1(kInvalidControlFrameId, headers_stream_id,
                           QUIC_ERROR_PROCESSING_STREAM, 0);
@@ -1334,6 +1353,11 @@ TEST_P(QuicSessionTestServer, OnRstStreamInvalidStreamId) {
 }
 
 TEST_P(QuicSessionTestServer, HandshakeUnblocksFlowControlBlockedStream) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Test that if a stream is flow control blocked, then on receipt of the SHLO
   // containing a suitable send window offset, the stream becomes unblocked.
 
@@ -1381,7 +1405,7 @@ TEST_P(QuicSessionTestServer, HandshakeUnblocksFlowControlBlockedCryptoStream) {
   EXPECT_FALSE(session_.IsConnectionFlowControlBlocked());
   EXPECT_FALSE(session_.IsStreamFlowControlBlocked());
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   for (QuicStreamId i = 0;
        !crypto_stream->flow_controller()->IsBlocked() && i < 1000u; i++) {
     EXPECT_FALSE(session_.IsConnectionFlowControlBlocked());
@@ -1426,16 +1450,16 @@ TEST_P(QuicSessionTestServer, ConnectionFlowControlAccountingRstOutOfOrder) {
 
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(2)
-      .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_, OnStreamReset(stream->id(), _));
 
   QuicRstStreamFrame rst_frame(kInvalidControlFrameId, stream->id(),
                                QUIC_STREAM_CANCELLED, kByteOffset);
   session_.OnRstStream(rst_frame);
-  if (transport_version() == QUIC_VERSION_99) {
-    // The test is predicated on the stream being fully closed. For V99, the
-    // RST_STREAM only does one side (the read side from the perspective of the
-    // node receiving the RST_STREAM). This is needed to fully close the
+  if (VersionHasIetfQuicFrames(transport_version())) {
+    // The test is predicated on the stream being fully closed. For IETF QUIC,
+    // the RST_STREAM only does one side (the read side from the perspective of
+    // the node receiving the RST_STREAM). This is needed to fully close the
     // stream and therefore fulfill all of the expects.
     QuicStopSendingFrame frame(kInvalidControlFrameId, stream->id(),
                                QUIC_STREAM_CANCELLED);
@@ -1610,10 +1634,10 @@ TEST_P(QuicSessionTestServer, FlowControlWithInvalidFinalOffset) {
 
 TEST_P(QuicSessionTestServer, TooManyUnfinishedStreamsCauseServerRejectStream) {
   // If a buggy/malicious peer creates too many streams that are not ended
-  // with a FIN or RST then we send an RST to refuse streams. For V99 the
+  // with a FIN or RST then we send an RST to refuse streams. For IETF QUIC the
   // connection is closed.
   const QuicStreamId kMaxStreams = 5;
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(&session_,
                                                             kMaxStreams);
   } else {
@@ -1629,15 +1653,15 @@ TEST_P(QuicSessionTestServer, TooManyUnfinishedStreamsCauseServerRejectStream) {
     QuicStreamFrame data1(i, false, 0, QuicStringPiece("HT"));
     session_.OnStreamFrame(data1);
     // EXPECT_EQ(1u, session_.GetNumOpenStreams());
-    if (transport_version() == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(transport_version())) {
       // Expect two control frames, RST STREAM and STOP SENDING
       EXPECT_CALL(*connection_, SendControlFrame(_))
           .Times(2)
-          .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+          .WillRepeatedly(Invoke(&ClearControlFrame));
     } else {
       // Expect one control frame, just RST STREAM
       EXPECT_CALL(*connection_, SendControlFrame(_))
-          .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+          .WillOnce(Invoke(&ClearControlFrame));
     }
     // Close stream. Should not make new streams available since
     // the stream is not finished.
@@ -1645,7 +1669,7 @@ TEST_P(QuicSessionTestServer, TooManyUnfinishedStreamsCauseServerRejectStream) {
     session_.CloseStream(i);
   }
 
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_CALL(
         *connection_,
         CloseConnection(QUIC_INVALID_STREAM_ID,
@@ -1669,7 +1693,7 @@ TEST_P(QuicSessionTestServer, DrainingStreamsDoNotCountAsOpenedOutgoing) {
   QuicStreamId stream_id = stream->id();
   QuicStreamFrame data1(stream_id, true, 0, QuicStringPiece("HT"));
   session_.OnStreamFrame(data1);
-  EXPECT_CALL(session_, OnCanCreateNewOutgoingStream()).Times(1);
+  EXPECT_CALL(session_, OnCanCreateNewOutgoingStream(false)).Times(1);
   session_.StreamDraining(stream_id);
 }
 
@@ -1688,7 +1712,7 @@ TEST_P(QuicSessionTestServer, NoPendingStreams) {
 }
 
 TEST_P(QuicSessionTestServer, PendingStreams) {
-  if (connection_->transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     return;
   }
   session_.set_uses_pending_streams(true);
@@ -1705,7 +1729,7 @@ TEST_P(QuicSessionTestServer, PendingStreams) {
 }
 
 TEST_P(QuicSessionTestServer, RstPendingStreams) {
-  if (connection_->transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     return;
   }
   session_.set_uses_pending_streams(true);
@@ -1715,8 +1739,8 @@ TEST_P(QuicSessionTestServer, RstPendingStreams) {
   QuicStreamFrame data1(stream_id, true, 10, QuicStringPiece("HT"));
   session_.OnStreamFrame(data1);
   EXPECT_EQ(0, session_.num_incoming_streams_created());
+  EXPECT_EQ(0u, session_.GetNumOpenIncomingStreams());
 
-  EXPECT_CALL(session_, OnCanCreateNewOutgoingStream()).Times(1);
   EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
   EXPECT_CALL(*connection_, OnStreamReset(stream_id, QUIC_RST_ACKNOWLEDGEMENT))
       .Times(1);
@@ -1724,26 +1748,49 @@ TEST_P(QuicSessionTestServer, RstPendingStreams) {
                           QUIC_ERROR_PROCESSING_STREAM, 12);
   session_.OnRstStream(rst1);
   EXPECT_EQ(0, session_.num_incoming_streams_created());
+  EXPECT_EQ(0u, session_.GetNumOpenIncomingStreams());
 
   QuicStreamFrame data2(stream_id, false, 0, QuicStringPiece("HT"));
   session_.OnStreamFrame(data2);
   EXPECT_EQ(0, session_.num_incoming_streams_created());
+  EXPECT_EQ(0u, session_.GetNumOpenIncomingStreams());
+}
+
+TEST_P(QuicSessionTestServer, PendingStreamOnWindowUpdate) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    return;
+  }
+
+  session_.set_uses_pending_streams(true);
+  QuicStreamId stream_id = QuicUtils::GetFirstUnidirectionalStreamId(
+      transport_version(), Perspective::IS_CLIENT);
+  QuicStreamFrame data1(stream_id, true, 10, QuicStringPiece("HT"));
+  session_.OnStreamFrame(data1);
+  EXPECT_EQ(0, session_.num_incoming_streams_created());
+  QuicWindowUpdateFrame window_update_frame(kInvalidControlFrameId, stream_id,
+                                            0);
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(
+          QUIC_WINDOW_UPDATE_RECEIVED_ON_READ_UNIDIRECTIONAL_STREAM,
+          "WindowUpdateFrame received on READ_UNIDIRECTIONAL stream.", _));
+  session_.OnWindowUpdateFrame(window_update_frame);
 }
 
 TEST_P(QuicSessionTestServer, DrainingStreamsDoNotCountAsOpened) {
   // Verify that a draining stream (which has received a FIN but not consumed
   // it) does not count against the open quota (because it is closed from the
   // protocol point of view).
-  if (transport_version() == QUIC_VERSION_99) {
-    // On v99, we will expect to see a MAX_STREAMS go out when there are not
-    // enough streams to create the next one.
+  if (VersionHasIetfQuicFrames(transport_version())) {
+    // On IETF QUIC, we will expect to see a MAX_STREAMS go out when there are
+    // not enough streams to create the next one.
     EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
   } else {
     EXPECT_CALL(*connection_, SendControlFrame(_)).Times(0);
   }
   EXPECT_CALL(*connection_, OnStreamReset(_, QUIC_REFUSED_STREAM)).Times(0);
   const QuicStreamId kMaxStreams = 5;
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(&session_,
                                                             kMaxStreams);
   } else {
@@ -1774,16 +1821,16 @@ INSTANTIATE_TEST_SUITE_P(Tests,
                          ::testing::ValuesIn(AllSupportedVersions()));
 
 TEST_P(QuicSessionTestClient, AvailableBidirectionalStreamsClient) {
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedBidirectionalId(2)) != nullptr);
   // Smaller bidirectional streams should be available.
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthServerInitiatedBidirectionalId(0)));
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthServerInitiatedBidirectionalId(1)));
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedBidirectionalId(0)) != nullptr);
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedBidirectionalId(1)) != nullptr);
   // And 5 should be not available.
   EXPECT_FALSE(QuicSessionPeer::IsStreamAvailable(
@@ -1791,16 +1838,16 @@ TEST_P(QuicSessionTestClient, AvailableBidirectionalStreamsClient) {
 }
 
 TEST_P(QuicSessionTestClient, AvailableUnidirectionalStreamsClient) {
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedUnidirectionalId(2)) != nullptr);
   // Smaller unidirectional streams should be available.
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthServerInitiatedUnidirectionalId(0)));
   EXPECT_TRUE(QuicSessionPeer::IsStreamAvailable(
       &session_, GetNthServerInitiatedUnidirectionalId(1)));
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedUnidirectionalId(0)) != nullptr);
-  ASSERT_TRUE(session_.GetOrCreateDynamicStream(
+  ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedUnidirectionalId(1)) != nullptr);
   // And 5 should be not available.
   EXPECT_FALSE(QuicSessionPeer::IsStreamAvailable(
@@ -1863,19 +1910,24 @@ TEST_P(QuicSessionTestServer, RstStreamReceivedAfterRstStreamSent) {
 
   EXPECT_CALL(*connection_, SendControlFrame(_));
   EXPECT_CALL(*connection_, OnStreamReset(stream2->id(), _));
-  EXPECT_CALL(session_, OnCanCreateNewOutgoingStream()).Times(0);
+  EXPECT_CALL(session_, OnCanCreateNewOutgoingStream(false)).Times(0);
   stream2->Reset(quic::QUIC_STREAM_CANCELLED);
 
   QuicRstStreamFrame rst1(kInvalidControlFrameId, stream2->id(),
                           QUIC_ERROR_PROCESSING_STREAM, 0);
-  if (transport_version() != QUIC_VERSION_99) {
-    EXPECT_CALL(session_, OnCanCreateNewOutgoingStream()).Times(1);
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    EXPECT_CALL(session_, OnCanCreateNewOutgoingStream(false)).Times(1);
   }
   session_.OnRstStream(rst1);
 }
 
 // Regression test of b/71548958.
 TEST_P(QuicSessionTestServer, TestZombieStreams) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
 
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
@@ -1888,8 +1940,8 @@ TEST_P(QuicSessionTestServer, TestZombieStreams) {
                                QUIC_STREAM_CANCELLED, 1234);
   // Just for the RST_STREAM
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
-  if (transport_version() == QUIC_VERSION_99) {
+      .WillOnce(Invoke(&ClearControlFrame));
+  if (VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_CALL(*connection_,
                 OnStreamReset(stream2->id(), QUIC_STREAM_CANCELLED));
   } else {
@@ -1898,10 +1950,10 @@ TEST_P(QuicSessionTestServer, TestZombieStreams) {
   }
   stream2->OnStreamReset(rst_frame);
 
-  if (transport_version() == QUIC_VERSION_99) {
-    // The test is predicated on the stream being fully closed. For V99, the
-    // RST_STREAM only does one side (the read side from the perspective of the
-    // node receiving the RST_STREAM). This is needed to fully close the
+  if (VersionHasIetfQuicFrames(transport_version())) {
+    // The test is predicated on the stream being fully closed. For IETF QUIC,
+    // the RST_STREAM only does one side (the read side from the perspective of
+    // the node receiving the RST_STREAM). This is needed to fully close the
     // stream and therefore fulfill all of the expects.
     QuicStopSendingFrame frame(kInvalidControlFrameId, stream2->id(),
                                QUIC_STREAM_CANCELLED);
@@ -1912,11 +1964,11 @@ TEST_P(QuicSessionTestServer, TestZombieStreams) {
   EXPECT_EQ(stream2->id(), session_.closed_streams()->front()->id());
 
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // Once for the RST_STREAM, once for the STOP_SENDING
     EXPECT_CALL(*connection_, SendControlFrame(_))
         .Times(2)
-        .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+        .WillRepeatedly(Invoke(&ClearControlFrame));
   } else {
     // Just for the RST_STREAM
     EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
@@ -1926,7 +1978,7 @@ TEST_P(QuicSessionTestServer, TestZombieStreams) {
   stream4->WriteOrBufferData(body, false, nullptr);
   // Note well: Reset() actually closes the stream in both directions. For
   // GOOGLE QUIC it sends a RST_STREAM (which does a 2-way close), for IETF
-  // QUIC/V99 it sends both a RST_STREAM and a STOP_SENDING (each of which
+  // QUIC it sends both a RST_STREAM and a STOP_SENDING (each of which
   // closes in only one direction).
   stream4->Reset(QUIC_STREAM_CANCELLED);
   EXPECT_FALSE(QuicContainsKey(session_.zombie_streams(), stream4->id()));
@@ -1934,6 +1986,11 @@ TEST_P(QuicSessionTestServer, TestZombieStreams) {
 }
 
 TEST_P(QuicSessionTestServer, OnStreamFrameLost) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   InSequence s;
 
@@ -2011,6 +2068,11 @@ TEST_P(QuicSessionTestServer, OnStreamFrameLost) {
 }
 
 TEST_P(QuicSessionTestServer, DonotRetransmitDataOfClosedStreams) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   InSequence s;
 
@@ -2044,7 +2106,7 @@ TEST_P(QuicSessionTestServer, DonotRetransmitDataOfClosedStreams) {
   EXPECT_CALL(*stream2, OnCanWrite());
   EXPECT_CALL(*stream2, HasPendingRetransmission()).WillOnce(Return(false));
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*stream2, OnCanWrite());
   EXPECT_CALL(*stream6, OnCanWrite());
   session_.OnCanWrite();
@@ -2060,7 +2122,7 @@ TEST_P(QuicSessionTestServer, RetransmitFrames) {
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
   TestStream* stream6 = session_.CreateOutgoingBidirectionalStream();
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   session_.SendWindowUpdate(stream2->id(), 9);
 
   QuicStreamFrame frame1(stream2->id(), false, 0, 9);
@@ -2076,7 +2138,7 @@ TEST_P(QuicSessionTestServer, RetransmitFrames) {
 
   EXPECT_CALL(*stream2, RetransmitStreamData(_, _, _)).WillOnce(Return(true));
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   EXPECT_CALL(*stream4, RetransmitStreamData(_, _, _)).WillOnce(Return(true));
   EXPECT_CALL(*stream6, RetransmitStreamData(_, _, _)).WillOnce(Return(true));
   EXPECT_CALL(*send_algorithm, OnApplicationLimited(_));
@@ -2100,7 +2162,7 @@ TEST_P(QuicSessionTestServer, RetransmitLostDataCausesConnectionClose) {
   // yet, so an RST is sent.
   EXPECT_CALL(*stream, OnCanWrite())
       .WillOnce(Invoke(stream, &QuicStream::OnClose));
-  if (transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // Once for the RST_STREAM, once for the STOP_SENDING
     EXPECT_CALL(*connection_, SendControlFrame(_))
         .Times(2)
@@ -2160,12 +2222,17 @@ TEST_P(QuicSessionTestServer, SendMessage) {
   EXPECT_FALSE(session_.IsFrameOutstanding(QuicFrame(&frame2)));
 
   // message 1 gets acked.
-  session_.OnMessageAcked(1);
+  session_.OnMessageAcked(1, QuicTime::Zero());
   EXPECT_FALSE(session_.IsFrameOutstanding(QuicFrame(&frame)));
 }
 
 // Regression test of b/115323618.
 TEST_P(QuicSessionTestServer, LocallyResetZombieStreams) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
 
   session_.set_writev_consumes_all_data(true);
@@ -2184,7 +2251,7 @@ TEST_P(QuicSessionTestServer, LocallyResetZombieStreams) {
 
   // Reset stream2 locally.
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillRepeatedly(Invoke(&session_, &TestSession::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_, OnStreamReset(stream2->id(), _));
   stream2->Reset(QUIC_STREAM_CANCELLED);
 
@@ -2217,6 +2284,11 @@ TEST_P(QuicSessionTestServer, CleanUpClosedStreamsAlarm) {
 }
 
 TEST_P(QuicSessionTestServer, WriteUnidirectionalStream) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   session_.set_writev_consumes_all_data(true);
   TestStream* stream4 = new TestStream(GetNthServerInitiatedUnidirectionalId(1),
                                        &session_, WRITE_UNIDIRECTIONAL);
@@ -2317,8 +2389,8 @@ TEST_P(QuicSessionTestServer, WriteMemSlicesOnReadUnidirectionalStream) {
 // properly and that nothing in the call path interferes with the check.
 // First test make sure that streams with ids below the limit are accepted.
 TEST_P(QuicSessionTestServer, NewStreamIdBelowLimit) {
-  if (transport_version() != QUIC_VERSION_99) {
-    // Applicable only to V99
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    // Applicable only to IETF QUIC
     return;
   }
   QuicStreamId bidirectional_stream_id = StreamCountToId(
@@ -2347,8 +2419,8 @@ TEST_P(QuicSessionTestServer, NewStreamIdBelowLimit) {
 
 // Accept a stream with an ID that equals the limit.
 TEST_P(QuicSessionTestServer, NewStreamIdAtLimit) {
-  if (transport_version() != QUIC_VERSION_99) {
-    // Applicable only to V99
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    // Applicable only to IETF QUIC
     return;
   }
   QuicStreamId bidirectional_stream_id = StreamCountToId(
@@ -2372,8 +2444,8 @@ TEST_P(QuicSessionTestServer, NewStreamIdAtLimit) {
 
 // Close the connection if the id exceeds the limit.
 TEST_P(QuicSessionTestServer, NewStreamIdAboveLimit) {
-  if (transport_version() != QUIC_VERSION_99) {
-    // Applicable only to V99
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    // Applicable only to IETF QUIC
     return;
   }
   QuicStreamId bidirectional_stream_id = StreamCountToId(
@@ -2406,8 +2478,8 @@ TEST_P(QuicSessionTestServer, NewStreamIdAboveLimit) {
 // Check that the OnStopSendingFrame upcall handles bad input properly
 // First test checks that invalid stream ids are handled.
 TEST_P(QuicSessionTestServer, OnStopSendingInputInvalidStreamId) {
-  if (transport_version() != QUIC_VERSION_99) {
-    // Applicable only to V99
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    // Applicable only to IETF QUIC
     return;
   }
   // Check that "invalid" stream ids are rejected.
@@ -2423,20 +2495,15 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputInvalidStreamId) {
 // Second test, streams in the static stream map are not subject to
 // STOP_SENDING; it's ignored.
 TEST_P(QuicSessionTestServer, OnStopSendingInputStaticStreams) {
-  if (transport_version() != QUIC_VERSION_99) {
-    // Applicable only to V99
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    // Applicable only to IETF QUIC
     return;
   }
   QuicStreamId stream_id = 0;
   std::unique_ptr<TestStream> fake_static_stream = QuicMakeUnique<TestStream>(
       stream_id, &session_, /*is_static*/ true, BIDIRECTIONAL);
-  if (GetQuicReloadableFlag(quic_eliminate_static_stream_map_3)) {
-    QuicSessionPeer::RegisterStaticStreamNew(&session_,
-                                             std::move(fake_static_stream));
-  } else {
-    QuicSessionPeer::RegisterStaticStream(&session_, stream_id,
-                                          fake_static_stream.get());
-  }
+  QuicSessionPeer::RegisterStaticStream(&session_,
+                                        std::move(fake_static_stream));
   // Check that a stream id in the static stream map is ignored.
   // Note that the notion of a static stream is Google-specific.
   QuicStopSendingFrame frame(1, stream_id, 123);
@@ -2449,8 +2516,8 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputStaticStreams) {
 // Third test, if stream id specifies a closed stream:
 // return true and do not close the connection.
 TEST_P(QuicSessionTestServer, OnStopSendingInputClosedStream) {
-  if (transport_version() != QUIC_VERSION_99) {
-    // Applicable only to V99
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    // Applicable only to IETF QUIC
     return;
   }
 
@@ -2469,8 +2536,8 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputClosedStream) {
 // Fourth test, if stream id specifies a nonexistent stream, return false and
 // close the connection
 TEST_P(QuicSessionTestServer, OnStopSendingInputNonExistentStream) {
-  if (transport_version() != QUIC_VERSION_99) {
-    // Applicable only to V99
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    // Applicable only to IETF QUIC
     return;
   }
 
@@ -2486,8 +2553,8 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputNonExistentStream) {
 
 // For a valid stream, ensure that all works
 TEST_P(QuicSessionTestServer, OnStopSendingInputValidStream) {
-  if (transport_version() != QUIC_VERSION_99) {
-    // Applicable only to V99
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    // Applicable only to IETF QUIC
     return;
   }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_socket_address_coder.cc b/chromium/net/third_party/quiche/src/quic/core/quic_socket_address_coder.cc
index 2527fc90291..b26103d9af9 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_socket_address_coder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_socket_address_coder.cc
@@ -2,10 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <string>
-
 #include "net/third_party/quiche/src/quic/core/quic_socket_address_coder.h"
 
+#include <cstring>
+#include <string>
+#include <vector>
+
 namespace quic {
 
 namespace {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream.cc
index 94cffd4030c..8ef4717dc7a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream.cc
@@ -173,16 +173,16 @@ void PendingStream::MarkConsumed(size_t num_bytes) {
   sequencer_.MarkConsumed(num_bytes);
 }
 
-QuicStream::QuicStream(PendingStream pending, StreamType type, bool is_static)
-    : QuicStream(pending.id_,
-                 pending.session_,
-                 std::move(pending.sequencer_),
+QuicStream::QuicStream(PendingStream* pending, StreamType type, bool is_static)
+    : QuicStream(pending->id_,
+                 pending->session_,
+                 std::move(pending->sequencer_),
                  is_static,
                  type,
-                 pending.stream_bytes_read_,
-                 pending.fin_received_,
-                 std::move(pending.flow_controller_),
-                 pending.connection_flow_controller_) {
+                 pending->stream_bytes_read_,
+                 pending->fin_received_,
+                 std::move(pending->flow_controller_),
+                 pending->connection_flow_controller_) {
   sequencer_.set_stream(this);
 }
 
@@ -260,7 +260,8 @@ QuicStream::QuicStream(QuicStreamId id,
       buffered_data_threshold_(GetQuicFlag(FLAGS_quic_buffered_data_threshold)),
       is_static_(is_static),
       deadline_(QuicTime::Zero()),
-      type_(session->connection()->transport_version() == QUIC_VERSION_99 &&
+      type_(VersionHasIetfQuicFrames(
+                session->connection()->transport_version()) &&
                     type != CRYPTO
                 ? QuicUtils::GetStreamType(id_,
                                            perspective_,
@@ -387,7 +388,7 @@ void QuicStream::OnStreamReset(const QuicRstStreamFrame& frame) {
   stream_error_ = frame.error_code;
   // Google QUIC closes both sides of the stream in response to a
   // RESET_STREAM, IETF QUIC closes only the read side.
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     CloseWriteSide();
   }
   CloseReadSide();
@@ -608,7 +609,7 @@ QuicConsumedData QuicStream::WriteMemSlices(QuicMemSliceSpan span, bool fin) {
 
   if (write_side_closed_) {
     QUIC_DLOG(ERROR) << ENDPOINT << "Stream " << id()
-                     << "attempting to write when the write side is closed";
+                     << " attempting to write when the write side is closed";
     if (type_ == READ_UNIDIRECTIONAL) {
       CloseConnectionWithDetails(
           QUIC_TRY_TO_WRITE_DATA_ON_READ_UNIDIRECTIONAL_STREAM,
@@ -656,16 +657,6 @@ bool QuicStream::IsStreamFrameOutstanding(QuicStreamOffset offset,
          (fin && fin_outstanding_);
 }
 
-QuicConsumedData QuicStream::WritevDataInner(size_t write_length,
-                                             QuicStreamOffset offset,
-                                             bool fin) {
-  StreamSendingState state = fin ? FIN : NO_FIN;
-  if (fin && add_random_padding_after_fin_) {
-    state = FIN_AND_PADDING;
-  }
-  return session()->WritevData(this, id(), write_length, offset, state);
-}
-
 void QuicStream::CloseReadSide() {
   if (read_side_closed_) {
     return;
@@ -746,6 +737,15 @@ void QuicStream::OnClose() {
 }
 
 void QuicStream::OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) {
+  if (GetQuicReloadableFlag(quic_no_window_update_on_read_only_stream) &&
+      type_ == READ_UNIDIRECTIONAL) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_no_window_update_on_read_only_stream);
+    CloseConnectionWithDetails(
+        QUIC_WINDOW_UPDATE_RECEIVED_ON_READ_UNIDIRECTIONAL_STREAM,
+        "WindowUpdateFrame received on READ_UNIDIRECTIONAL stream.");
+    return;
+  }
+
   if (flow_controller_->UpdateSendWindowOffset(frame.byte_offset)) {
     // Let session unblock this stream.
     session_->MarkConnectionLevelWriteBlocked(id_);
@@ -809,7 +809,7 @@ void QuicStream::AddRandomPaddingAfterFin() {
 bool QuicStream::OnStreamFrameAcked(QuicStreamOffset offset,
                                     QuicByteCount data_length,
                                     bool fin_acked,
-                                    QuicTime::Delta ack_delay_time,
+                                    QuicTime::Delta /*ack_delay_time*/,
                                     QuicByteCount* newly_acked_length) {
   QUIC_DVLOG(1) << ENDPOINT << "stream " << id_ << " Acking "
                 << "[" << offset << ", " << offset + data_length << "]"
@@ -973,8 +973,13 @@ void QuicStream::WriteBufferedData() {
   if (session_->session_decides_what_to_write()) {
     session_->SetTransmissionType(NOT_RETRANSMISSION);
   }
-  QuicConsumedData consumed_data =
-      WritevDataInner(write_length, stream_bytes_written(), fin);
+
+  StreamSendingState state = fin ? FIN : NO_FIN;
+  if (fin && add_random_padding_after_fin_) {
+    state = FIN_AND_PADDING;
+  }
+  QuicConsumedData consumed_data = session_->WritevData(
+      this, id(), write_length, stream_bytes_written(), state);
 
   OnStreamDataConsumed(consumed_data.bytes_consumed);
 
@@ -1011,6 +1016,10 @@ void QuicStream::WriteBufferedData() {
   if (consumed_data.bytes_consumed > 0 || consumed_data.fin_consumed) {
     busy_counter_ = 0;
   }
+
+  if (IsWaitingForAcks()) {
+    session_->OnStreamWaitingForAcks(id_);
+  }
 }
 
 uint64_t QuicStream::BufferedDataBytes() const {
@@ -1115,7 +1124,7 @@ void QuicStream::OnDeadlinePassed() {
 }
 
 void QuicStream::SendStopSending(uint16_t code) {
-  if (transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // If the connection is not version 99, do nothing.
     // Do not QUIC_BUG or anything; the application really does not need to know
     // what version the connection is in.
@@ -1124,6 +1133,6 @@ void QuicStream::SendStopSending(uint16_t code) {
   session_->SendStopSending(code, id_);
 }
 
-void QuicStream::OnStopSending(uint16_t code) {}
+void QuicStream::OnStopSending(uint16_t /*code*/) {}
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream.h
index 80ee4e4a24a..6f5536d3991 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream.h
@@ -126,7 +126,7 @@ class QUIC_EXPORT_PRIVATE QuicStream
              QuicSession* session,
              bool is_static,
              StreamType type);
-  QuicStream(PendingStream pending, StreamType type, bool is_static);
+  QuicStream(PendingStream* pending, StreamType type, bool is_static);
   QuicStream(const QuicStream&) = delete;
   QuicStream& operator=(const QuicStream&) = delete;
 
@@ -362,12 +362,6 @@ class QUIC_EXPORT_PRIVATE QuicStream
   // TODO(fayang): Let WritevData return boolean.
   QuicConsumedData WritevData(const struct iovec* iov, int iov_count, bool fin);
 
-  // Allows override of the session level writev, for the force HOL
-  // blocking experiment.
-  virtual QuicConsumedData WritevDataInner(size_t write_length,
-                                           QuicStreamOffset offset,
-                                           bool fin);
-
   // Close the read side of the socket.  May cause the stream to be closed.
   // Subclasses and consumers should use StopReading to terminate reading early
   // if expecting a FIN. Can be used directly by subclasses if not expecting a
@@ -377,10 +371,10 @@ class QUIC_EXPORT_PRIVATE QuicStream
   // Called when data of [offset, offset + data_length] is buffered in send
   // buffer.
   virtual void OnDataBuffered(
-      QuicStreamOffset offset,
-      QuicByteCount data_length,
+      QuicStreamOffset /*offset*/,
+      QuicByteCount /*data_length*/,
       const QuicReferenceCountedPointer<QuicAckListenerInterface>&
-          ack_listener) {}
+      /*ack_listener*/) {}
 
   // True if buffered data in send buffer is below buffered_data_threshold_.
   bool CanWriteNewData() const;
@@ -529,7 +523,7 @@ class QUIC_EXPORT_PRIVATE QuicStream
   // or discarded.
   QuicStreamSendBuffer send_buffer_;
 
-  // Latched value of FLAGS_quic_buffered_data_threshold.
+  // Latched value of quic_buffered_data_threshold.
   const QuicByteCount buffered_data_threshold_;
 
   // If true, then this stream has precedence over other streams for write
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.cc
index 2921268b5a2..f38477688e0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.cc
@@ -63,7 +63,7 @@ bool QuicStreamIdManager::OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) {
   // available.
   if (outgoing_stream_count_ == current_outgoing_max_streams &&
       current_outgoing_max_streams < outgoing_max_streams_) {
-    session_->OnCanCreateNewOutgoingStream();
+    session_->OnCanCreateNewOutgoingStream(unidirectional_);
   }
   return true;
 }
@@ -229,7 +229,7 @@ QuicStreamId QuicStreamIdManager::GetNextOutgoingStreamId() {
 }
 
 bool QuicStreamIdManager::CanOpenNextOutgoingStream() {
-  DCHECK_EQ(QUIC_VERSION_99, transport_version());
+  DCHECK(VersionHasIetfQuicFrames(transport_version()));
   if (outgoing_stream_count_ < outgoing_max_streams_) {
     return true;
   }
@@ -239,7 +239,8 @@ bool QuicStreamIdManager::CanOpenNextOutgoingStream() {
   return false;
 }
 
-bool QuicStreamIdManager::RegisterStaticStream(QuicStreamId stream_id) {
+bool QuicStreamIdManager::RegisterStaticStream(QuicStreamId stream_id,
+                                               bool stream_already_counted) {
   DCHECK_NE(QuicUtils::IsBidirectionalStreamId(stream_id), unidirectional_);
   if (IsIncomingStream(stream_id)) {
     // This code is predicated on static stream ids being allocated densely, in
@@ -267,7 +268,10 @@ bool QuicStreamIdManager::RegisterStaticStream(QuicStreamId stream_id) {
         QuicUtils::GetMaxStreamCount(unidirectional_, perspective())) {
       incoming_advertised_max_streams_++;
     }
-    incoming_stream_count_++;
+
+    if (!stream_already_counted) {
+      incoming_stream_count_++;
+    }
     incoming_static_stream_count_++;
     return true;
   }
@@ -398,8 +402,7 @@ Perspective QuicStreamIdManager::perspective() const {
 }
 
 Perspective QuicStreamIdManager::peer_perspective() const {
-  return (perspective() == Perspective::IS_SERVER) ? Perspective::IS_CLIENT
-                                                   : Perspective::IS_SERVER;
+  return QuicUtils::InvertPerspective(perspective());
 }
 
 QuicTransportVersion QuicStreamIdManager::transport_version() const {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.h
index 42c7d1a260d..d0b08246204 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.h
@@ -113,9 +113,12 @@ class QUIC_EXPORT_PRIVATE QuicStreamIdManager {
   // advertised MAX STREAMS can be calculated based on the start of the
   // dynamic stream space. This method will take any stream ID, one that either
   // this node or the peer will initiate.
+  // If |stream_already_counted| is true, the stream is already counted as an
+  // open stream else where, so no need to count it again.
   // Returns false if this fails because the new static stream would cause the
   // stream limit to be exceeded.
-  bool RegisterStaticStream(QuicStreamId stream_id);
+  bool RegisterStaticStream(QuicStreamId stream_id,
+                            bool stream_already_counted);
 
   // Checks if the incoming stream ID exceeds the MAX_STREAMS limit.  If the
   // limit is exceeded, closes the connection and returns false.  Uses the
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager_test.cc
index 79c484525d3..30ff954f236 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager_test.cc
@@ -77,11 +77,6 @@ class TestQuicSession : public MockQuicSession {
 
   const QuicFrame& save_frame() { return save_frame_; }
 
-  bool ClearControlFrame(const QuicFrame& frame) {
-    DeleteFrame(&const_cast<QuicFrame&>(frame));
-    return true;
-  }
-
   TestQuicStream* CreateOutgoingBidirectionalStream() {
     if (!CanOpenNextOutgoingBidirectionalStream()) {
       return nullptr;
@@ -161,7 +156,7 @@ class QuicStreamIdManagerTestBase : public QuicTestWithParam<bool> {
     // needs to do the stream count where #1 is 0/1/2/3, and not
     // take into account that stream 0 is special.
     QuicStreamId id =
-        ((stream_count - 1) * QuicUtils::StreamIdDelta(QUIC_VERSION_99));
+        ((stream_count - 1) * QuicUtils::StreamIdDelta(transport_version()));
     if (IsUnidi()) {
       id |= 0x2;
     }
@@ -640,7 +635,8 @@ TEST_P(QuicStreamIdManagerTestClient, TestStaticStreamAdjustment) {
 
   // First test will register the first dynamic stream id as being for a static
   // stream.
-  stream_id_manager_->RegisterStaticStream(first_dynamic);
+  stream_id_manager_->RegisterStaticStream(first_dynamic,
+                                           /*stream_already_counted = */ false);
   // Should go up by 1 stream/stream id.
   EXPECT_EQ(actual_max + 1u, stream_id_manager_->incoming_actual_max_streams());
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.cc
index 9832fc98ef0..9e47a6f4e34 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.cc
@@ -156,6 +156,12 @@ bool QuicStreamSequencer::GetReadableRegion(iovec* iov) const {
   return buffered_frames_.GetReadableRegion(iov);
 }
 
+bool QuicStreamSequencer::PeekRegion(QuicStreamOffset offset,
+                                     iovec* iov) const {
+  DCHECK(!blocked_);
+  return buffered_frames_.PeekRegion(offset, iov);
+}
+
 bool QuicStreamSequencer::PrefetchNextRegion(iovec* iov) {
   DCHECK(!blocked_);
   return buffered_frames_.PrefetchNextRegion(iov);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.h
index 7cecf4de70a..5888a4a3cd8 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.h
@@ -81,7 +81,12 @@ class QUIC_EXPORT_PRIVATE QuicStreamSequencer {
   // is no readable region available.
   bool GetReadableRegion(iovec* iov) const;
 
-  // Fill in one iovec with the next unread region for the quic spdy stream.
+  // Fills in one iovec with the region starting at |offset| and returns true.
+  // Returns false if no readable region is available, either because data has
+  // not been received yet or has already been consumed.
+  bool PeekRegion(QuicStreamOffset offset, iovec* iov) const;
+
+  // Fills in one iovec with the next unread region.
   // Returns false if no readable region is available.
   bool PrefetchNextRegion(iovec* iov);
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.cc
index 7f0f2cbf22d..e68925b1fc7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.cc
@@ -53,6 +53,7 @@ void QuicStreamSequencerBuffer::Clear() {
   num_bytes_buffered_ = 0;
   bytes_received_.Clear();
   bytes_received_.Add(0, total_bytes_read_);
+  total_bytes_prefetched_ = total_bytes_read_;
 }
 
 bool QuicStreamSequencerBuffer::RetireBlock(size_t idx) {
@@ -334,27 +335,47 @@ bool QuicStreamSequencerBuffer::GetReadableRegion(iovec* iov) const {
   return GetReadableRegions(iov, 1) == 1;
 }
 
-bool QuicStreamSequencerBuffer::PrefetchNextRegion(iovec* iov) {
-  DCHECK(iov != nullptr);
+bool QuicStreamSequencerBuffer::PeekRegion(QuicStreamOffset offset,
+                                           iovec* iov) const {
+  DCHECK(iov);
 
-  if (total_bytes_prefetched_ == FirstMissingByte()) {
+  if (offset < total_bytes_read_) {
+    // Data at |offset| has already been consumed.
     return false;
   }
 
-  size_t start_block_idx = GetBlockIndex(total_bytes_prefetched_);
-  size_t start_block_offset = GetInBlockOffset(total_bytes_prefetched_);
-  QuicStreamOffset readable_offset_end = FirstMissingByte() - 1;
-  size_t end_block_offset = GetInBlockOffset(readable_offset_end);
-  size_t end_block_idx = GetBlockIndex(readable_offset_end);
+  if (offset >= FirstMissingByte()) {
+    // Data at |offset| has not been received yet.
+    return false;
+  }
 
-  if (start_block_idx != end_block_idx) {
-    iov->iov_base = blocks_[start_block_idx]->buffer + start_block_offset;
-    iov->iov_len = GetBlockCapacity(start_block_idx) - start_block_offset;
-    total_bytes_prefetched_ += iov->iov_len;
-    return true;
+  // Beginning of region.
+  size_t block_idx = GetBlockIndex(offset);
+  size_t block_offset = GetInBlockOffset(offset);
+  iov->iov_base = blocks_[block_idx]->buffer + block_offset;
+
+  // Determine if entire block has been received.
+  size_t end_block_idx = GetBlockIndex(FirstMissingByte());
+  if (block_idx == end_block_idx) {
+    // Only read part of block before FirstMissingByte().
+    iov->iov_len = GetInBlockOffset(FirstMissingByte()) - block_offset;
+  } else {
+    // Read entire block.
+    iov->iov_len = GetBlockCapacity(block_idx) - block_offset;
   }
-  iov->iov_base = blocks_[end_block_idx]->buffer + start_block_offset;
-  iov->iov_len = end_block_offset - start_block_offset + 1;
+
+  return true;
+}
+
+bool QuicStreamSequencerBuffer::PrefetchNextRegion(iovec* iov) {
+  DCHECK(iov);
+  DCHECK_LE(total_bytes_read_, total_bytes_prefetched_);
+  DCHECK_LE(total_bytes_prefetched_, FirstMissingByte());
+
+  if (!PeekRegion(total_bytes_prefetched_, iov)) {
+    return false;
+  }
+
   total_bytes_prefetched_ += iov->iov_len;
   return true;
 }
@@ -479,12 +500,12 @@ size_t QuicStreamSequencerBuffer::GetBlockCapacity(size_t block_index) const {
   }
 }
 
-std::string QuicStreamSequencerBuffer::GapsDebugString() {
+std::string QuicStreamSequencerBuffer::GapsDebugString() const {
   // TODO(vasilvv): this should return the complement of |bytes_received_|.
   return bytes_received_.ToString();
 }
 
-std::string QuicStreamSequencerBuffer::ReceivedFramesDebugString() {
+std::string QuicStreamSequencerBuffer::ReceivedFramesDebugString() const {
   return bytes_received_.ToString();
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h
index 08a1ab4a640..b0478c02b70 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h
@@ -131,10 +131,17 @@ class QUIC_EXPORT_PRIVATE QuicStreamSequencerBuffer {
   // Returns false if there is no readable region available.
   bool GetReadableRegion(iovec* iov) const;
 
+  // Returns true and sets |*iov| to point to a region starting at |offset|.
+  // Returns false if no data can be read at |offset|, which can be because data
+  // has not been received yet or it is already consumed.
+  // Does not consume data.
+  bool PeekRegion(QuicStreamOffset offset, iovec* iov) const;
+
+  // DEPRECATED, use PeekRegion() instead.
   // Called to return the next region that has not been returned by this method
-  // previously.
-  // If this method is to be used along with Readv() or MarkConsumed(), make
-  // sure that they are consuming less data than is read by this method.
+  // previously, except if Clear() has been called then prefetch offset is set
+  // to BytesConsumed(), and if Readv() or MarkConsumed() reads further than
+  // prefetch offset, then offset is set to beginning of not yet consumed area.
   // This method only returns reference of underlying data. The caller is
   // responsible for copying and consuming the data.
   // Returns true if the data is read, false otherwise.
@@ -212,10 +219,10 @@ class QUIC_EXPORT_PRIVATE QuicStreamSequencerBuffer {
   QuicStreamOffset NextExpectedByte() const;
 
   // Return |gaps_| as a string: [1024, 1500) [1800, 2048)... for debugging.
-  std::string GapsDebugString();
+  std::string GapsDebugString() const;
 
   // Return all received frames as a string in same format as GapsDebugString();
-  std::string ReceivedFramesDebugString();
+  std::string ReceivedFramesDebugString() const;
 
   // The maximum total capacity of this buffer in byte, as constructed.
   const size_t max_buffer_capacity_bytes_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer_test.cc
index 335aa2dd3d8..20dbe05f0ae 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer_test.cc
@@ -22,6 +22,11 @@ namespace quic {
 
 namespace test {
 
+QuicStringPiece IovecToStringPiece(iovec iov) {
+  return QuicStringPiece(reinterpret_cast<const char*>(iov.iov_base),
+                         iov.iov_len);
+}
+
 char GetCharFromIOVecs(size_t offset, iovec iov[], size_t count) {
   size_t start_offset = 0;
   for (size_t i = 0; i < count; i++) {
@@ -73,6 +78,7 @@ class QuicStreamSequencerBufferTest : public QuicTest {
 
   std::unique_ptr<QuicStreamSequencerBuffer> buffer_;
   std::unique_ptr<QuicStreamSequencerBufferPeer> helper_;
+  size_t written_ = 0;
   std::string error_details_;
 };
 
@@ -102,9 +108,8 @@ TEST_F(QuicStreamSequencerBufferTest, ClearOnEmpty) {
 }
 
 TEST_F(QuicStreamSequencerBufferTest, OnStreamData0length) {
-  size_t written;
   QuicErrorCode error =
-      buffer_->OnStreamData(800, "", &written, &error_details_);
+      buffer_->OnStreamData(800, "", &written_, &error_details_);
   EXPECT_EQ(error, QUIC_EMPTY_STREAM_FRAME_NO_FIN);
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
@@ -112,9 +117,8 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamData0length) {
 TEST_F(QuicStreamSequencerBufferTest, OnStreamDataWithinBlock) {
   EXPECT_FALSE(helper_->IsBufferAllocated());
   std::string source(1024, 'a');
-  size_t written;
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(800, source, &written, &error_details_));
+            buffer_->OnStreamData(800, source, &written_, &error_details_));
   BufferBlock* block_ptr = helper_->GetBlock(0);
   for (size_t i = 0; i < source.size(); ++i) {
     ASSERT_EQ('a', block_ptr->buffer[helper_->GetInBlockOffset(800) + i]);
@@ -131,9 +135,8 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataWithinBlock) {
 TEST_F(QuicStreamSequencerBufferTest, Move) {
   EXPECT_FALSE(helper_->IsBufferAllocated());
   std::string source(1024, 'a');
-  size_t written;
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(800, source, &written, &error_details_));
+            buffer_->OnStreamData(800, source, &written_, &error_details_));
   BufferBlock* block_ptr = helper_->GetBlock(0);
   for (size_t i = 0; i < source.size(); ++i) {
     ASSERT_EQ('a', block_ptr->buffer[helper_->GetInBlockOffset(800) + i]);
@@ -157,9 +160,8 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataInvalidSource) {
   // Pass in an invalid source, expects to return error.
   QuicStringPiece source;
   source = QuicStringPiece(nullptr, 1024);
-  size_t written;
   EXPECT_EQ(QUIC_STREAM_SEQUENCER_INVALID_STATE,
-            buffer_->OnStreamData(800, source, &written, &error_details_));
+            buffer_->OnStreamData(800, source, &written_, &error_details_));
   EXPECT_EQ(0u, error_details_.find(QuicStrCat(
                     "QuicStreamSequencerBuffer error: OnStreamData() "
                     "dest == nullptr: ",
@@ -169,50 +171,47 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataInvalidSource) {
 TEST_F(QuicStreamSequencerBufferTest, OnStreamDataWithOverlap) {
   std::string source(1024, 'a');
   // Write something into [800, 1824)
-  size_t written;
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(800, source, &written, &error_details_));
+            buffer_->OnStreamData(800, source, &written_, &error_details_));
   // Try to write to [0, 1024) and [1024, 2048).
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(0, source, &written, &error_details_));
+            buffer_->OnStreamData(0, source, &written_, &error_details_));
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(1024, source, &written, &error_details_));
+            buffer_->OnStreamData(1024, source, &written_, &error_details_));
 }
 
 TEST_F(QuicStreamSequencerBufferTest,
        OnStreamDataOverlapAndDuplicateCornerCases) {
   std::string source(1024, 'a');
   // Write something into [800, 1824)
-  size_t written;
-  buffer_->OnStreamData(800, source, &written, &error_details_);
+  buffer_->OnStreamData(800, source, &written_, &error_details_);
   source = std::string(800, 'b');
   std::string one_byte = "c";
   // Write [1, 801).
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(1, source, &written, &error_details_));
+            buffer_->OnStreamData(1, source, &written_, &error_details_));
   // Write [0, 800).
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(0, source, &written, &error_details_));
+            buffer_->OnStreamData(0, source, &written_, &error_details_));
   // Write [1823, 1824).
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(1823, one_byte, &written, &error_details_));
-  EXPECT_EQ(0u, written);
+            buffer_->OnStreamData(1823, one_byte, &written_, &error_details_));
+  EXPECT_EQ(0u, written_);
   // write one byte to [1824, 1825)
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(1824, one_byte, &written, &error_details_));
+            buffer_->OnStreamData(1824, one_byte, &written_, &error_details_));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
 
 TEST_F(QuicStreamSequencerBufferTest, OnStreamDataWithoutOverlap) {
   std::string source(1024, 'a');
   // Write something into [800, 1824).
-  size_t written;
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(800, source, &written, &error_details_));
+            buffer_->OnStreamData(800, source, &written_, &error_details_));
   source = std::string(100, 'b');
   // Write something into [kBlockSizeBytes * 2 - 20, kBlockSizeBytes * 2 + 80).
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(kBlockSizeBytes * 2 - 20, source, &written,
+            buffer_->OnStreamData(kBlockSizeBytes * 2 - 20, source, &written_,
                                   &error_details_));
   EXPECT_EQ(3, helper_->IntervalSize());
   EXPECT_EQ(1024u + 100u, buffer_->BytesBuffered());
@@ -228,23 +227,22 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataInLongStreamWithOverlap) {
   // Three new out of order frames arrive.
   const size_t kBytesToWrite = 100;
   std::string source(kBytesToWrite, 'a');
-  size_t written;
   // Frame [2^32 + 500, 2^32 + 600).
   QuicStreamOffset offset = pow(2, 32) + 500;
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(offset, source, &written, &error_details_));
+            buffer_->OnStreamData(offset, source, &written_, &error_details_));
   EXPECT_EQ(2, helper_->IntervalSize());
 
   // Frame [2^32 + 700, 2^32 + 800).
   offset = pow(2, 32) + 700;
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(offset, source, &written, &error_details_));
+            buffer_->OnStreamData(offset, source, &written_, &error_details_));
   EXPECT_EQ(3, helper_->IntervalSize());
 
   // Another frame [2^32 + 300, 2^32 + 400).
   offset = pow(2, 32) + 300;
   EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(offset, source, &written, &error_details_));
+            buffer_->OnStreamData(offset, source, &written_, &error_details_));
   EXPECT_EQ(4, helper_->IntervalSize());
 }
 
@@ -252,10 +250,9 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataTillEnd) {
   // Write 50 bytes to the end.
   const size_t kBytesToWrite = 50;
   std::string source(kBytesToWrite, 'a');
-  size_t written;
   EXPECT_EQ(QUIC_NO_ERROR,
             buffer_->OnStreamData(max_capacity_bytes_ - kBytesToWrite, source,
-                                  &written, &error_details_));
+                                  &written_, &error_details_));
   EXPECT_EQ(50u, buffer_->BytesBuffered());
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
@@ -264,44 +261,42 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataTillEndCorner) {
   // Write 1 byte to the end.
   const size_t kBytesToWrite = 1;
   std::string source(kBytesToWrite, 'a');
-  size_t written;
   EXPECT_EQ(QUIC_NO_ERROR,
             buffer_->OnStreamData(max_capacity_bytes_ - kBytesToWrite, source,
-                                  &written, &error_details_));
+                                  &written_, &error_details_));
   EXPECT_EQ(1u, buffer_->BytesBuffered());
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
 
 TEST_F(QuicStreamSequencerBufferTest, OnStreamDataBeyondCapacity) {
   std::string source(60, 'a');
-  size_t written;
   EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(max_capacity_bytes_ - 50, source, &written,
+            buffer_->OnStreamData(max_capacity_bytes_ - 50, source, &written_,
                                   &error_details_));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
   source = "b";
   EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(max_capacity_bytes_, source, &written,
+            buffer_->OnStreamData(max_capacity_bytes_, source, &written_,
                                   &error_details_));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
   EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(max_capacity_bytes_ * 1000, source, &written,
+            buffer_->OnStreamData(max_capacity_bytes_ * 1000, source, &written_,
                                   &error_details_));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
   // Disallow current_gap != gaps_.end()
   EXPECT_EQ(QUIC_INTERNAL_ERROR,
             buffer_->OnStreamData(static_cast<QuicStreamOffset>(-1), source,
-                                  &written, &error_details_));
+                                  &written_, &error_details_));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
   // Disallow offset + size overflow
   source = "bbb";
   EXPECT_EQ(QUIC_INTERNAL_ERROR,
             buffer_->OnStreamData(static_cast<QuicStreamOffset>(-2), source,
-                                  &written, &error_details_));
+                                  &written_, &error_details_));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
   EXPECT_EQ(0u, buffer_->BytesBuffered());
 }
@@ -309,12 +304,11 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataBeyondCapacity) {
 TEST_F(QuicStreamSequencerBufferTest, Readv100Bytes) {
   std::string source(1024, 'a');
   // Write something into [kBlockSizeBytes, kBlockSizeBytes + 1024).
-  size_t written;
-  buffer_->OnStreamData(kBlockSizeBytes, source, &written, &error_details_);
+  buffer_->OnStreamData(kBlockSizeBytes, source, &written_, &error_details_);
   EXPECT_FALSE(buffer_->HasBytesToRead());
   source = std::string(100, 'b');
   // Write something into [0, 100).
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   EXPECT_TRUE(buffer_->HasBytesToRead());
   // Read into a iovec array with total capacity of 120 bytes.
   char dest[120];
@@ -324,7 +318,7 @@ TEST_F(QuicStreamSequencerBufferTest, Readv100Bytes) {
   QUIC_LOG(ERROR) << error_details_;
   EXPECT_EQ(100u, read);
   EXPECT_EQ(100u, buffer_->BytesConsumed());
-  EXPECT_EQ(source, std::string(dest, read));
+  EXPECT_EQ(source, QuicStringPiece(dest, read));
   // The first block should be released as its data has been read out.
   EXPECT_EQ(nullptr, helper_->GetBlock(0));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
@@ -333,8 +327,7 @@ TEST_F(QuicStreamSequencerBufferTest, Readv100Bytes) {
 TEST_F(QuicStreamSequencerBufferTest, ReadvAcrossBlocks) {
   std::string source(kBlockSizeBytes + 50, 'a');
   // Write 1st block to full and extand 50 bytes to next block.
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   EXPECT_EQ(source.size(), helper_->ReadableBytes());
   // Iteratively read 512 bytes from buffer_-> Overwrite dest[] each time.
   char dest[512];
@@ -355,8 +348,7 @@ TEST_F(QuicStreamSequencerBufferTest, ReadvAcrossBlocks) {
 TEST_F(QuicStreamSequencerBufferTest, ClearAfterRead) {
   std::string source(kBlockSizeBytes + 50, 'a');
   // Write 1st block to full with 'a'.
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   // Read first 512 bytes from buffer to make space at the beginning.
   char dest[512]{0};
   const iovec iov{dest, 512};
@@ -372,21 +364,20 @@ TEST_F(QuicStreamSequencerBufferTest,
        OnStreamDataAcrossLastBlockAndFillCapacity) {
   std::string source(kBlockSizeBytes + 50, 'a');
   // Write 1st block to full with 'a'.
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   // Read first 512 bytes from buffer to make space at the beginning.
   char dest[512]{0};
   const iovec iov{dest, 512};
   size_t read;
   EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(&iov, 1, &read, &error_details_));
-  EXPECT_EQ(source.size(), written);
+  EXPECT_EQ(source.size(), written_);
 
   // Write more than half block size of bytes in the last block with 'b', which
   // will wrap to the beginning and reaches the full capacity.
   source = std::string(0.5 * kBlockSizeBytes + 512, 'b');
   EXPECT_EQ(QUIC_NO_ERROR, buffer_->OnStreamData(2 * kBlockSizeBytes, source,
-                                                 &written, &error_details_));
-  EXPECT_EQ(source.size(), written);
+                                                 &written_, &error_details_));
+  EXPECT_EQ(source.size(), written_);
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
 
@@ -394,8 +385,7 @@ TEST_F(QuicStreamSequencerBufferTest,
        OnStreamDataAcrossLastBlockAndExceedCapacity) {
   std::string source(kBlockSizeBytes + 50, 'a');
   // Write 1st block to full.
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   // Read first 512 bytes from buffer to make space at the beginning.
   char dest[512]{0};
   const iovec iov{dest, 512};
@@ -406,7 +396,7 @@ TEST_F(QuicStreamSequencerBufferTest,
   // max_capacity_bytes_ +  512 + 1). But last bytes exceeds current capacity.
   source = std::string(0.5 * kBlockSizeBytes + 512 + 1, 'b');
   EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(2 * kBlockSizeBytes, source, &written,
+            buffer_->OnStreamData(2 * kBlockSizeBytes, source, &written_,
                                   &error_details_));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
@@ -415,14 +405,14 @@ TEST_F(QuicStreamSequencerBufferTest, ReadvAcrossLastBlock) {
   // Write to full capacity and read out 512 bytes at beginning and continue
   // appending 256 bytes.
   std::string source(max_capacity_bytes_, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[512]{0};
   const iovec iov{dest, 512};
   size_t read;
   EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(&iov, 1, &read, &error_details_));
   source = std::string(256, 'b');
-  buffer_->OnStreamData(max_capacity_bytes_, source, &written, &error_details_);
+  buffer_->OnStreamData(max_capacity_bytes_, source, &written_,
+                        &error_details_);
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
   // Read all data out.
@@ -457,8 +447,7 @@ TEST_F(QuicStreamSequencerBufferTest, ReleaseWholeBuffer) {
   // Tests that buffer is not deallocated unless ReleaseWholeBuffer() is called.
   std::string source(100, 'b');
   // Write something into [0, 100).
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   EXPECT_TRUE(buffer_->HasBytesToRead());
   char dest[120];
   iovec iovecs[3]{iovec{dest, 40}, iovec{dest + 40, 40}, iovec{dest + 80, 40}};
@@ -475,8 +464,7 @@ TEST_F(QuicStreamSequencerBufferTest, ReleaseWholeBuffer) {
 TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionsBlockedByGap) {
   // Write into [1, 1024).
   std::string source(1023, 'a');
-  size_t written;
-  buffer_->OnStreamData(1, source, &written, &error_details_);
+  buffer_->OnStreamData(1, source, &written_, &error_details_);
   // Try to get readable regions, but none is there.
   iovec iovs[2];
   int iov_count = buffer_->GetReadableRegions(iovs, 2);
@@ -487,8 +475,7 @@ TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionsTillEndOfBlock) {
   // Write first block to full with [0, 256) 'a' and the rest 'b' then read out
   // [0, 256)
   std::string source(kBlockSizeBytes, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[256];
   helper_->Read(dest, 256);
   // Get readable region from [256, 1024)
@@ -496,32 +483,27 @@ TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionsTillEndOfBlock) {
   int iov_count = buffer_->GetReadableRegions(iovs, 2);
   EXPECT_EQ(1, iov_count);
   EXPECT_EQ(std::string(kBlockSizeBytes - 256, 'a'),
-            std::string(reinterpret_cast<const char*>(iovs[0].iov_base),
-                        iovs[0].iov_len));
+            IovecToStringPiece(iovs[0]));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionsWithinOneBlock) {
   // Write into [0, 1024) and then read out [0, 256)
   std::string source(1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[256];
   helper_->Read(dest, 256);
   // Get readable region from [256, 1024)
   iovec iovs[2];
   int iov_count = buffer_->GetReadableRegions(iovs, 2);
   EXPECT_EQ(1, iov_count);
-  EXPECT_EQ(std::string(1024 - 256, 'a'),
-            std::string(reinterpret_cast<const char*>(iovs[0].iov_base),
-                        iovs[0].iov_len));
+  EXPECT_EQ(std::string(1024 - 256, 'a'), IovecToStringPiece(iovs[0]));
 }
 
 TEST_F(QuicStreamSequencerBufferTest,
        GetReadableRegionsAcrossBlockWithLongIOV) {
   // Write into [0, 2 * kBlockSizeBytes + 1024) and then read out [0, 1024)
   std::string source(2 * kBlockSizeBytes + 1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[1024];
   helper_->Read(dest, 1024);
 
@@ -538,13 +520,12 @@ TEST_F(QuicStreamSequencerBufferTest,
   // Write into [0, 2 * kBlockSizeBytes + 1024) and then read out [0, 1024)
   // and then append 1024 + 512 bytes.
   std::string source(2.5 * kBlockSizeBytes - 1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[1024];
   helper_->Read(dest, 1024);
   // Write across the end.
   source = std::string(1024 + 512, 'b');
-  buffer_->OnStreamData(2.5 * kBlockSizeBytes - 1024, source, &written,
+  buffer_->OnStreamData(2.5 * kBlockSizeBytes - 1024, source, &written_,
                         &error_details_);
   // Use short iovec's.
   iovec iovs[2];
@@ -557,9 +538,7 @@ TEST_F(QuicStreamSequencerBufferTest,
   EXPECT_EQ(4, buffer_->GetReadableRegions(iovs1, 5));
   EXPECT_EQ(0.5 * kBlockSizeBytes, iovs1[2].iov_len);
   EXPECT_EQ(512u, iovs1[3].iov_len);
-  EXPECT_EQ(std::string(512, 'b'),
-            std::string(reinterpret_cast<const char*>(iovs1[3].iov_base),
-                        iovs1[3].iov_len));
+  EXPECT_EQ(std::string(512, 'b'), IovecToStringPiece(iovs1[3]));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionEmpty) {
@@ -572,8 +551,7 @@ TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionEmpty) {
 TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionBeforeGap) {
   // Write into [1, 1024).
   std::string source(1023, 'a');
-  size_t written;
-  buffer_->OnStreamData(1, source, &written, &error_details_);
+  buffer_->OnStreamData(1, source, &written_, &error_details_);
   // GetReadableRegion should return false because range  [0,1) hasn't been
   // filled yet.
   iovec iov;
@@ -583,31 +561,26 @@ TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionBeforeGap) {
 TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionTillEndOfBlock) {
   // Write into [0, kBlockSizeBytes + 1) and then read out [0, 256)
   std::string source(kBlockSizeBytes + 1, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[256];
   helper_->Read(dest, 256);
   // Get readable region from [256, 1024)
   iovec iov;
   EXPECT_TRUE(buffer_->GetReadableRegion(&iov));
-  EXPECT_EQ(
-      std::string(kBlockSizeBytes - 256, 'a'),
-      std::string(reinterpret_cast<const char*>(iov.iov_base), iov.iov_len));
+  EXPECT_EQ(std::string(kBlockSizeBytes - 256, 'a'), IovecToStringPiece(iov));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, GetReadableRegionTillGap) {
   // Write into [0, kBlockSizeBytes - 1) and then read out [0, 256)
   std::string source(kBlockSizeBytes - 1, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[256];
   helper_->Read(dest, 256);
   // Get readable region from [256, 1023)
   iovec iov;
   EXPECT_TRUE(buffer_->GetReadableRegion(&iov));
-  EXPECT_EQ(
-      std::string(kBlockSizeBytes - 1 - 256, 'a'),
-      std::string(reinterpret_cast<const char*>(iov.iov_base), iov.iov_len));
+  EXPECT_EQ(std::string(kBlockSizeBytes - 1 - 256, 'a'),
+            IovecToStringPiece(iov));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, PrefetchEmptyBuffer) {
@@ -617,123 +590,256 @@ TEST_F(QuicStreamSequencerBufferTest, PrefetchEmptyBuffer) {
 
 TEST_F(QuicStreamSequencerBufferTest, PrefetchInitialBuffer) {
   std::string source(kBlockSizeBytes, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   iovec iov;
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(source, std::string(reinterpret_cast<const char*>(iov.iov_base),
-                                iov.iov_len));
+  EXPECT_EQ(source, IovecToStringPiece(iov));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, PrefetchBufferWithOffset) {
   std::string source(1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   iovec iov;
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(source, std::string(reinterpret_cast<const char*>(iov.iov_base),
-                                iov.iov_len));
-  // The second frame goes into the same bucket.
+  EXPECT_EQ(source, IovecToStringPiece(iov));
+  // The second frame goes into the same block.
   std::string source2(800, 'a');
-  buffer_->OnStreamData(1024, source2, &written, &error_details_);
+  buffer_->OnStreamData(1024, source2, &written_, &error_details_);
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(source2, std::string(reinterpret_cast<const char*>(iov.iov_base),
-                                 iov.iov_len));
+  EXPECT_EQ(source2, IovecToStringPiece(iov));
 }
 
-TEST_F(QuicStreamSequencerBufferTest, PrefetchBufferWithMultipleBucket) {
+TEST_F(QuicStreamSequencerBufferTest, PrefetchBufferWithMultipleBlocks) {
   const size_t data_size = 1024;
   std::string source(data_size, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   iovec iov;
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(source, std::string(reinterpret_cast<const char*>(iov.iov_base),
-                                iov.iov_len));
+  EXPECT_EQ(source, IovecToStringPiece(iov));
   std::string source2(kBlockSizeBytes, 'b');
-  buffer_->OnStreamData(data_size, source2, &written, &error_details_);
+  buffer_->OnStreamData(data_size, source2, &written_, &error_details_);
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(
-      std::string(kBlockSizeBytes - data_size, 'b'),
-      std::string(reinterpret_cast<const char*>(iov.iov_base), iov.iov_len));
+  EXPECT_EQ(std::string(kBlockSizeBytes - data_size, 'b'),
+            IovecToStringPiece(iov));
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(
-      std::string(data_size, 'b'),
-      std::string(reinterpret_cast<const char*>(iov.iov_base), iov.iov_len));
+  EXPECT_EQ(std::string(data_size, 'b'), IovecToStringPiece(iov));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, PrefetchBufferAfterBlockRetired) {
   std::string source(kBlockSizeBytes, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   iovec iov;
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(source, std::string(reinterpret_cast<const char*>(iov.iov_base),
-                                iov.iov_len));
+  EXPECT_EQ(source, IovecToStringPiece(iov));
   // Read the whole block so it's retired.
   char dest[kBlockSizeBytes];
   helper_->Read(dest, kBlockSizeBytes);
 
   std::string source2(300, 'b');
-  buffer_->OnStreamData(kBlockSizeBytes, source2, &written, &error_details_);
+  buffer_->OnStreamData(kBlockSizeBytes, source2, &written_, &error_details_);
 
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(source2, std::string(reinterpret_cast<const char*>(iov.iov_base),
-                                 iov.iov_len));
+  EXPECT_EQ(source2, IovecToStringPiece(iov));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, PrefetchContinously) {
   std::string source(kBlockSizeBytes, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   iovec iov;
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(source, std::string(reinterpret_cast<const char*>(iov.iov_base),
-                                iov.iov_len));
+  EXPECT_EQ(source, IovecToStringPiece(iov));
   std::string source2(kBlockSizeBytes, 'b');
-  buffer_->OnStreamData(kBlockSizeBytes, source2, &written, &error_details_);
+  buffer_->OnStreamData(kBlockSizeBytes, source2, &written_, &error_details_);
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(source2, std::string(reinterpret_cast<const char*>(iov.iov_base),
-                                 iov.iov_len));
+  EXPECT_EQ(source2, IovecToStringPiece(iov));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, ConsumeMoreThanPrefetch) {
   std::string source(100, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[30];
   helper_->Read(dest, 30);
   iovec iov;
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(
-      std::string(70, 'a'),
-      std::string(reinterpret_cast<const char*>(iov.iov_base), iov.iov_len));
+  EXPECT_EQ(std::string(70, 'a'), IovecToStringPiece(iov));
   std::string source2(100, 'b');
-  buffer_->OnStreamData(100, source2, &written, &error_details_);
+  buffer_->OnStreamData(100, source2, &written_, &error_details_);
   buffer_->MarkConsumed(100);
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(
-      std::string(70, 'b'),
-      std::string(reinterpret_cast<const char*>(iov.iov_base), iov.iov_len));
+  EXPECT_EQ(std::string(70, 'b'), IovecToStringPiece(iov));
 }
 
 TEST_F(QuicStreamSequencerBufferTest, PrefetchMoreThanBufferHas) {
   std::string source(100, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   iovec iov;
   EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
-  EXPECT_EQ(
-      std::string(100, 'a'),
-      std::string(reinterpret_cast<const char*>(iov.iov_base), iov.iov_len));
+  EXPECT_EQ(std::string(100, 'a'), IovecToStringPiece(iov));
   EXPECT_FALSE(buffer_->PrefetchNextRegion(&iov));
 }
 
+TEST_F(QuicStreamSequencerBufferTest, PeekEmptyBuffer) {
+  iovec iov;
+  EXPECT_FALSE(buffer_->PeekRegion(0, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(1, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(100, &iov));
+}
+
+TEST_F(QuicStreamSequencerBufferTest, PeekSingleBlock) {
+  std::string source(kBlockSizeBytes, 'a');
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
+
+  iovec iov;
+  EXPECT_TRUE(buffer_->PeekRegion(0, &iov));
+  EXPECT_EQ(source, IovecToStringPiece(iov));
+
+  // Peeking again gives the same result.
+  EXPECT_TRUE(buffer_->PeekRegion(0, &iov));
+  EXPECT_EQ(source, IovecToStringPiece(iov));
+
+  // Peek at a different offset.
+  EXPECT_TRUE(buffer_->PeekRegion(100, &iov));
+  EXPECT_EQ(QuicStringPiece(source).substr(100), IovecToStringPiece(iov));
+
+  // Peeking at or after FirstMissingByte() returns false.
+  EXPECT_FALSE(buffer_->PeekRegion(kBlockSizeBytes, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(kBlockSizeBytes + 1, &iov));
+}
+
+TEST_F(QuicStreamSequencerBufferTest, PeekTwoWritesInSingleBlock) {
+  const size_t length1 = 1024;
+  std::string source1(length1, 'a');
+  buffer_->OnStreamData(0, source1, &written_, &error_details_);
+
+  iovec iov;
+  EXPECT_TRUE(buffer_->PeekRegion(0, &iov));
+  EXPECT_EQ(source1, IovecToStringPiece(iov));
+
+  // The second frame goes into the same block.
+  const size_t length2 = 800;
+  std::string source2(length2, 'b');
+  buffer_->OnStreamData(length1, source2, &written_, &error_details_);
+
+  EXPECT_TRUE(buffer_->PeekRegion(length1, &iov));
+  EXPECT_EQ(source2, IovecToStringPiece(iov));
+
+  // Peek with an offset inside the first write.
+  const QuicStreamOffset offset1 = 500;
+  EXPECT_TRUE(buffer_->PeekRegion(offset1, &iov));
+  EXPECT_EQ(QuicStringPiece(source1).substr(offset1),
+            IovecToStringPiece(iov).substr(0, length1 - offset1));
+  EXPECT_EQ(QuicStringPiece(source2),
+            IovecToStringPiece(iov).substr(length1 - offset1));
+
+  // Peek with an offset inside the second write.
+  const QuicStreamOffset offset2 = 1500;
+  EXPECT_TRUE(buffer_->PeekRegion(offset2, &iov));
+  EXPECT_EQ(QuicStringPiece(source2).substr(offset2 - length1),
+            IovecToStringPiece(iov));
+
+  // Peeking at or after FirstMissingByte() returns false.
+  EXPECT_FALSE(buffer_->PeekRegion(length1 + length2, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(length1 + length2 + 1, &iov));
+}
+
+TEST_F(QuicStreamSequencerBufferTest, PeekBufferWithMultipleBlocks) {
+  const size_t length1 = 1024;
+  std::string source1(length1, 'a');
+  buffer_->OnStreamData(0, source1, &written_, &error_details_);
+
+  iovec iov;
+  EXPECT_TRUE(buffer_->PeekRegion(0, &iov));
+  EXPECT_EQ(source1, IovecToStringPiece(iov));
+
+  const size_t length2 = kBlockSizeBytes + 2;
+  std::string source2(length2, 'b');
+  buffer_->OnStreamData(length1, source2, &written_, &error_details_);
+
+  // Peek with offset 0 returns the entire block.
+  EXPECT_TRUE(buffer_->PeekRegion(0, &iov));
+  EXPECT_EQ(kBlockSizeBytes, iov.iov_len);
+  EXPECT_EQ(source1, IovecToStringPiece(iov).substr(0, length1));
+  EXPECT_EQ(QuicStringPiece(source2).substr(0, kBlockSizeBytes - length1),
+            IovecToStringPiece(iov).substr(length1));
+
+  EXPECT_TRUE(buffer_->PeekRegion(length1, &iov));
+  EXPECT_EQ(QuicStringPiece(source2).substr(0, kBlockSizeBytes - length1),
+            IovecToStringPiece(iov));
+
+  EXPECT_TRUE(buffer_->PeekRegion(kBlockSizeBytes, &iov));
+  EXPECT_EQ(QuicStringPiece(source2).substr(kBlockSizeBytes - length1),
+            IovecToStringPiece(iov));
+
+  // Peeking at or after FirstMissingByte() returns false.
+  EXPECT_FALSE(buffer_->PeekRegion(length1 + length2, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(length1 + length2 + 1, &iov));
+}
+
+TEST_F(QuicStreamSequencerBufferTest, PeekAfterConsumed) {
+  std::string source1(kBlockSizeBytes, 'a');
+  buffer_->OnStreamData(0, source1, &written_, &error_details_);
+
+  iovec iov;
+  EXPECT_TRUE(buffer_->PeekRegion(0, &iov));
+  EXPECT_EQ(source1, IovecToStringPiece(iov));
+
+  // Consume some data.
+  EXPECT_TRUE(buffer_->MarkConsumed(1024));
+
+  // Peeking into consumed data fails.
+  EXPECT_FALSE(buffer_->PeekRegion(0, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(512, &iov));
+
+  EXPECT_TRUE(buffer_->PeekRegion(1024, &iov));
+  EXPECT_EQ(QuicStringPiece(source1).substr(1024), IovecToStringPiece(iov));
+
+  EXPECT_TRUE(buffer_->PeekRegion(1500, &iov));
+  EXPECT_EQ(QuicStringPiece(source1).substr(1500), IovecToStringPiece(iov));
+
+  // Consume rest of block.
+  EXPECT_TRUE(buffer_->MarkConsumed(kBlockSizeBytes - 1024));
+
+  // Read new data.
+  std::string source2(300, 'b');
+  buffer_->OnStreamData(kBlockSizeBytes, source2, &written_, &error_details_);
+
+  // Peek into new data.
+  EXPECT_TRUE(buffer_->PeekRegion(kBlockSizeBytes, &iov));
+  EXPECT_EQ(source2, IovecToStringPiece(iov));
+
+  EXPECT_TRUE(buffer_->PeekRegion(kBlockSizeBytes + 128, &iov));
+  EXPECT_EQ(QuicStringPiece(source2).substr(128), IovecToStringPiece(iov));
+
+  // Peeking into consumed data still fails.
+  EXPECT_FALSE(buffer_->PeekRegion(0, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(512, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(1024, &iov));
+  EXPECT_FALSE(buffer_->PeekRegion(1500, &iov));
+}
+
+TEST_F(QuicStreamSequencerBufferTest, PeekContinously) {
+  std::string source1(kBlockSizeBytes, 'a');
+  buffer_->OnStreamData(0, source1, &written_, &error_details_);
+
+  iovec iov;
+  EXPECT_TRUE(buffer_->PeekRegion(0, &iov));
+  EXPECT_EQ(source1, IovecToStringPiece(iov));
+
+  std::string source2(kBlockSizeBytes, 'b');
+  buffer_->OnStreamData(kBlockSizeBytes, source2, &written_, &error_details_);
+
+  EXPECT_TRUE(buffer_->PeekRegion(kBlockSizeBytes, &iov));
+  EXPECT_EQ(source2, IovecToStringPiece(iov));
+
+  // First block is still there.
+  EXPECT_TRUE(buffer_->PeekRegion(0, &iov));
+  EXPECT_EQ(source1, IovecToStringPiece(iov));
+}
+
 TEST_F(QuicStreamSequencerBufferTest, MarkConsumedInOneBlock) {
   // Write into [0, 1024) and then read out [0, 256)
   std::string source(1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[256];
   helper_->Read(dest, 256);
 
@@ -748,8 +854,7 @@ TEST_F(QuicStreamSequencerBufferTest, MarkConsumedInOneBlock) {
 TEST_F(QuicStreamSequencerBufferTest, MarkConsumedNotEnoughBytes) {
   // Write into [0, 1024) and then read out [0, 256)
   std::string source(1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[256];
   helper_->Read(dest, 256);
 
@@ -768,8 +873,7 @@ TEST_F(QuicStreamSequencerBufferTest, MarkConsumedNotEnoughBytes) {
 TEST_F(QuicStreamSequencerBufferTest, MarkConsumedAcrossBlock) {
   // Write into [0, 2 * kBlockSizeBytes + 1024) and then read out [0, 1024)
   std::string source(2 * kBlockSizeBytes + 1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[1024];
   helper_->Read(dest, 1024);
 
@@ -783,12 +887,11 @@ TEST_F(QuicStreamSequencerBufferTest, MarkConsumedAcrossEnd) {
   // Write into [0, 2.5 * kBlockSizeBytes - 1024) and then read out [0, 1024)
   // and then append 1024 + 512 bytes.
   std::string source(2.5 * kBlockSizeBytes - 1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[1024];
   helper_->Read(dest, 1024);
   source = std::string(1024 + 512, 'b');
-  buffer_->OnStreamData(2.5 * kBlockSizeBytes - 1024, source, &written,
+  buffer_->OnStreamData(2.5 * kBlockSizeBytes - 1024, source, &written_,
                         &error_details_);
   EXPECT_EQ(1024u, buffer_->BytesConsumed());
 
@@ -809,15 +912,15 @@ TEST_F(QuicStreamSequencerBufferTest, MarkConsumedAcrossEnd) {
 TEST_F(QuicStreamSequencerBufferTest, FlushBufferedFrames) {
   // Write into [0, 2.5 * kBlockSizeBytes - 1024) and then read out [0, 1024).
   std::string source(max_capacity_bytes_ - 1024, 'a');
-  size_t written;
-  buffer_->OnStreamData(0, source, &written, &error_details_);
+  buffer_->OnStreamData(0, source, &written_, &error_details_);
   char dest[1024];
   helper_->Read(dest, 1024);
   EXPECT_EQ(1024u, buffer_->BytesConsumed());
   // Write [1024, 512) to the physical beginning.
   source = std::string(512, 'b');
-  buffer_->OnStreamData(max_capacity_bytes_, source, &written, &error_details_);
-  EXPECT_EQ(512u, written);
+  buffer_->OnStreamData(max_capacity_bytes_, source, &written_,
+                        &error_details_);
+  EXPECT_EQ(512u, written_);
   EXPECT_EQ(max_capacity_bytes_ - 1024 + 512, buffer_->FlushBufferedFrames());
   EXPECT_EQ(max_capacity_bytes_ + 512, buffer_->BytesConsumed());
   EXPECT_TRUE(buffer_->Empty());
@@ -834,9 +937,8 @@ TEST_F(QuicStreamSequencerBufferTest, TooManyGaps) {
   max_capacity_bytes_ = 3 * kBlockSizeBytes;
   // Feed buffer with 1-byte discontiguous frames. e.g. [1,2), [3,4), [5,6)...
   for (QuicStreamOffset begin = 1; begin <= max_capacity_bytes_; begin += 2) {
-    size_t written;
     QuicErrorCode rs =
-        buffer_->OnStreamData(begin, "a", &written, &error_details_);
+        buffer_->OnStreamData(begin, "a", &written_, &error_details_);
 
     QuicStreamOffset last_straw = 2 * kMaxNumGapsAllowed - 1;
     if (begin == last_straw) {
@@ -914,8 +1016,7 @@ class QuicStreamSequencerBufferRandomIOTest
       write_buf[i] = (offset + i) % 256;
     }
     QuicStringPiece string_piece_w(write_buf.get(), num_to_write);
-    size_t written;
-    auto result = buffer_->OnStreamData(offset, string_piece_w, &written,
+    auto result = buffer_->OnStreamData(offset, string_piece_w, &written_,
                                         &error_details_);
     if (result == QUIC_NO_ERROR) {
       shuffled_buf_.pop_front();
@@ -1078,6 +1179,29 @@ TEST_F(QuicStreamSequencerBufferRandomIOTest, RandomWriteAndConsumeInPlace) {
   EXPECT_LE(bytes_to_buffer_, total_bytes_written_);
 }
 
+// Regression test for https://crbug.com/969391.
+TEST_F(QuicStreamSequencerBufferTest, PrefetchAfterClear) {
+  // Write a few bytes.
+  const std::string kData("foo");
+  EXPECT_EQ(QUIC_NO_ERROR, buffer_->OnStreamData(/* offset = */ 0, kData,
+                                                 &written_, &error_details_));
+  EXPECT_EQ(kData.size(), written_);
+
+  // Prefetch all buffered data.
+  iovec iov;
+  EXPECT_TRUE(buffer_->PrefetchNextRegion(&iov));
+  EXPECT_EQ(kData, IovecToStringPiece(iov));
+
+  // No more data to prefetch.
+  EXPECT_FALSE(buffer_->PrefetchNextRegion(&iov));
+
+  // Clear all buffered data.
+  buffer_->Clear();
+
+  // Still no data to prefetch.
+  EXPECT_FALSE(buffer_->PrefetchNextRegion(&iov));
+}
+
 }  // anonymous namespace
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_test.cc
index 47b1a5cc9e2..60525f8484b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_test.cc
@@ -107,7 +107,7 @@ class QuicStreamSequencerTest : public QuicTest {
            VerifyIovecs(sequencer, iovecs, num_iovecs, expected);
   }
 
-  bool VerifyIovecs(const QuicStreamSequencer& sequencer,
+  bool VerifyIovecs(const QuicStreamSequencer& /*sequencer*/,
                     iovec* iovecs,
                     size_t num_iovecs,
                     const std::vector<std::string>& expected) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_test.cc
index 9b32012e319..ee9676f03b7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_test.cc
@@ -49,8 +49,8 @@ class TestStream : public QuicStream {
   TestStream(QuicStreamId id, QuicSession* session, StreamType type)
       : QuicStream(id, session, /*is_static=*/false, type) {}
 
-  TestStream(PendingStream pending, StreamType type, bool is_static)
-      : QuicStream(std::move(pending), type, is_static) {}
+  TestStream(PendingStream* pending, StreamType type, bool is_static)
+      : QuicStream(pending, type, is_static) {}
 
   void OnDataAvailable() override {}
 
@@ -121,11 +121,6 @@ class QuicStreamTestBase : public QuicTestWithParam<ParsedQuicVersion> {
     return QuicConsumedData(1, false);
   }
 
-  bool ClearControlFrame(const QuicFrame& frame) {
-    DeleteFrame(&const_cast<QuicFrame&>(frame));
-    return true;
-  }
-
   bool ClearResetStreamFrame(const QuicFrame& frame) {
     EXPECT_EQ(RST_STREAM_FRAME, frame.type);
     DeleteFrame(&const_cast<QuicFrame&>(frame));
@@ -175,11 +170,11 @@ TEST_P(QuicStreamTest, PendingStreamStaticness) {
   Initialize();
 
   PendingStream pending(kTestStreamId + 2, session_.get());
-  TestStream stream(std::move(pending), StreamType::BIDIRECTIONAL, false);
+  TestStream stream(&pending, StreamType::BIDIRECTIONAL, false);
   EXPECT_FALSE(stream.is_static());
 
   PendingStream pending2(kTestStreamId + 3, session_.get());
-  TestStream stream2(std::move(pending2), StreamType::BIDIRECTIONAL, true);
+  TestStream stream2(&pending2, StreamType::BIDIRECTIONAL, true);
   EXPECT_TRUE(stream2.is_static());
 }
 
@@ -240,7 +235,7 @@ TEST_P(QuicStreamTest, FromPendingStream) {
   QuicStreamFrame frame2(kTestStreamId + 2, true, 3, QuicStringPiece("."));
   pending.OnStreamFrame(frame2);
 
-  TestStream stream(std::move(pending), StreamType::READ_UNIDIRECTIONAL, false);
+  TestStream stream(&pending, StreamType::READ_UNIDIRECTIONAL, false);
   EXPECT_EQ(3, stream.num_frames_received());
   EXPECT_EQ(3u, stream.stream_bytes_read());
   EXPECT_EQ(1, stream.num_duplicate_frames_received());
@@ -259,8 +254,8 @@ TEST_P(QuicStreamTest, FromPendingStreamThenData) {
   QuicStreamFrame frame(kTestStreamId + 2, false, 2, QuicStringPiece("."));
   pending.OnStreamFrame(frame);
 
-  auto stream = new TestStream(std::move(pending),
-                               StreamType::READ_UNIDIRECTIONAL, false);
+  auto stream =
+      new TestStream(&pending, StreamType::READ_UNIDIRECTIONAL, false);
   session_->ActivateStream(QuicWrapUnique(stream));
 
   QuicStreamFrame frame2(kTestStreamId + 2, true, 3, QuicStringPiece("."));
@@ -314,6 +309,9 @@ TEST_P(QuicStreamTest, BlockIfOnlySomeDataConsumed) {
                                             NO_FIN);
       }));
   stream_->WriteOrBufferData(QuicStringPiece(kData1, 2), false, nullptr);
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   ASSERT_EQ(1u, write_blocked_list_->NumBlockedStreams());
   EXPECT_EQ(1u, stream_->BufferedDataBytes());
 }
@@ -331,6 +329,9 @@ TEST_P(QuicStreamTest, BlockIfFinNotConsumedWithData) {
                                             NO_FIN);
       }));
   stream_->WriteOrBufferData(QuicStringPiece(kData1, 2), true, nullptr);
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   ASSERT_EQ(1u, write_blocked_list_->NumBlockedStreams());
 }
 
@@ -376,6 +377,10 @@ TEST_P(QuicStreamTest, WriteOrBufferData) {
                                             kDataLen - 1, 0u, NO_FIN);
       }));
   stream_->WriteOrBufferData(kData1, false, nullptr);
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
+
   EXPECT_EQ(1u, stream_->BufferedDataBytes());
   EXPECT_TRUE(HasWriteBlockedStreams());
 
@@ -390,6 +395,9 @@ TEST_P(QuicStreamTest, WriteOrBufferData) {
                                             kDataLen - 1, kDataLen - 1, NO_FIN);
       }));
   stream_->OnCanWrite();
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
 
   // And finally the end of the bytes_consumed.
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
@@ -398,6 +406,9 @@ TEST_P(QuicStreamTest, WriteOrBufferData) {
                                             2 * kDataLen - 2, NO_FIN);
       }));
   stream_->OnCanWrite();
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
 }
 
 TEST_P(QuicStreamTest, WriteOrBufferDataReachStreamLimit) {
@@ -408,6 +419,9 @@ TEST_P(QuicStreamTest, WriteOrBufferDataReachStreamLimit) {
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillOnce(Invoke(&(MockQuicSession::ConsumeData)));
   stream_->WriteOrBufferData(data, false, nullptr);
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_CALL(*connection_, CloseConnection(QUIC_STREAM_LENGTH_OVERFLOW, _, _));
   EXPECT_QUIC_BUG(stream_->WriteOrBufferData("a", false, nullptr),
                   "Write too many data via stream");
@@ -442,12 +456,18 @@ TEST_P(QuicStreamTest, RstAlwaysSentIfNoFinSent) {
                                             NO_FIN);
       }));
   stream_->WriteOrBufferData(QuicStringPiece(kData1, 1), false, nullptr);
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_FALSE(fin_sent());
   EXPECT_FALSE(rst_sent());
 
   // Now close the stream, and expect that we send a RST.
   EXPECT_CALL(*session_, SendRstStream(_, _, _));
   stream_->OnClose();
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
   EXPECT_FALSE(fin_sent());
   EXPECT_TRUE(rst_sent());
 }
@@ -585,7 +605,7 @@ TEST_P(QuicStreamTest, StopReadingSendsFlowControl) {
       .Times(0);
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(AtLeast(1))
-      .WillRepeatedly(Invoke(this, &QuicStreamTest::ClearControlFrame));
+      .WillRepeatedly(Invoke(&ClearControlFrame));
 
   std::string data(1000, 'x');
   for (QuicStreamOffset offset = 0;
@@ -719,6 +739,11 @@ TEST_P(QuicStreamTest, StreamTooLong) {
 }
 
 TEST_P(QuicParameterizedStreamTest, SetDrainingIncomingOutgoing) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Don't have incoming data consumed.
   Initialize();
 
@@ -748,6 +773,11 @@ TEST_P(QuicParameterizedStreamTest, SetDrainingIncomingOutgoing) {
 }
 
 TEST_P(QuicParameterizedStreamTest, SetDrainingOutgoingIncoming) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Don't have incoming data consumed.
   Initialize();
 
@@ -808,9 +838,15 @@ TEST_P(QuicStreamTest, StreamWaitsForAcks) {
   // Stream is not waiting for acks initially.
   EXPECT_FALSE(stream_->IsWaitingForAcks());
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
 
   // Send kData1.
   stream_->WriteOrBufferData(kData1, false, nullptr);
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
   QuicByteCount newly_acked_length = 0;
@@ -819,11 +855,17 @@ TEST_P(QuicStreamTest, StreamWaitsForAcks) {
   EXPECT_EQ(9u, newly_acked_length);
   // Stream is not waiting for acks as all sent data is acked.
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
 
   // Send kData2.
   stream_->WriteOrBufferData(kData2, false, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   // Send FIN.
   stream_->WriteOrBufferData("", true, nullptr);
@@ -839,6 +881,9 @@ TEST_P(QuicStreamTest, StreamWaitsForAcks) {
   EXPECT_EQ(9u, newly_acked_length);
   // Stream is waiting for acks as FIN is not acked.
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
 
   // FIN is acked.
@@ -846,6 +891,9 @@ TEST_P(QuicStreamTest, StreamWaitsForAcks) {
                                           &newly_acked_length));
   EXPECT_EQ(0u, newly_acked_length);
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
 }
 
@@ -860,26 +908,43 @@ TEST_P(QuicStreamTest, StreamDataGetAckedOutOfOrder) {
   stream_->WriteOrBufferData("", true, nullptr);
   EXPECT_EQ(3u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   QuicByteCount newly_acked_length = 0;
   EXPECT_TRUE(stream_->OnStreamFrameAcked(9, 9, false, QuicTime::Delta::Zero(),
                                           &newly_acked_length));
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(9u, newly_acked_length);
   EXPECT_EQ(3u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->OnStreamFrameAcked(18, 9, false, QuicTime::Delta::Zero(),
                                           &newly_acked_length));
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(9u, newly_acked_length);
   EXPECT_EQ(3u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->OnStreamFrameAcked(0, 9, false, QuicTime::Delta::Zero(),
                                           &newly_acked_length));
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(9u, newly_acked_length);
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
   // FIN is not acked yet.
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_TRUE(stream_->OnStreamFrameAcked(27, 0, true, QuicTime::Delta::Zero(),
                                           &newly_acked_length));
   EXPECT_EQ(0u, newly_acked_length);
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
 }
 
 TEST_P(QuicStreamTest, CancelStream) {
@@ -887,22 +952,43 @@ TEST_P(QuicStreamTest, CancelStream) {
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillRepeatedly(Invoke(MockQuicSession::ConsumeData));
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
 
   stream_->WriteOrBufferData(kData1, false, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   // Cancel stream.
   stream_->Reset(QUIC_STREAM_NO_ERROR);
   // stream still waits for acks as the error code is QUIC_STREAM_NO_ERROR, and
   // data is going to be retransmitted.
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  EXPECT_CALL(*session_,
-              SendRstStream(stream_->id(), QUIC_STREAM_CANCELLED, 9));
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
+  EXPECT_CALL(*connection_,
+              OnStreamReset(stream_->id(), QUIC_STREAM_CANCELLED));
+  EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
+  EXPECT_CALL(*session_, SendRstStream(stream_->id(), QUIC_STREAM_CANCELLED, 9))
+      .WillOnce(InvokeWithoutArgs([this]() {
+        return QuicSessionPeer::SendRstStreamInner(
+            session_.get(), stream_->id(), QUIC_STREAM_CANCELLED,
+            stream_->stream_bytes_written(),
+            /*close_write_side_only=*/false);
+      }));
+
   stream_->Reset(QUIC_STREAM_CANCELLED);
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   // Stream stops waiting for acks as data is not going to be retransmitted.
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
 }
 
 TEST_P(QuicStreamTest, RstFrameReceivedStreamNotFinishSending) {
@@ -910,10 +996,16 @@ TEST_P(QuicStreamTest, RstFrameReceivedStreamNotFinishSending) {
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillRepeatedly(Invoke(MockQuicSession::ConsumeData));
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
 
   stream_->WriteOrBufferData(kData1, false, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
 
   // RST_STREAM received.
@@ -926,6 +1018,9 @@ TEST_P(QuicStreamTest, RstFrameReceivedStreamNotFinishSending) {
   // Stream stops waiting for acks as it does not finish sending and rst is
   // sent.
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
 }
 
 TEST_P(QuicStreamTest, RstFrameReceivedStreamFinishSending) {
@@ -933,10 +1028,16 @@ TEST_P(QuicStreamTest, RstFrameReceivedStreamFinishSending) {
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillRepeatedly(Invoke(MockQuicSession::ConsumeData));
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
 
   stream_->WriteOrBufferData(kData1, true, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
 
   // RST_STREAM received.
   EXPECT_CALL(*session_, SendRstStream(_, _, _)).Times(0);
@@ -945,6 +1046,9 @@ TEST_P(QuicStreamTest, RstFrameReceivedStreamFinishSending) {
   stream_->OnStreamReset(rst_frame);
   // Stream still waits for acks as it finishes sending and has unacked data.
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
 }
 
@@ -953,11 +1057,16 @@ TEST_P(QuicStreamTest, ConnectionClosed) {
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillRepeatedly(Invoke(MockQuicSession::ConsumeData));
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
 
   stream_->WriteOrBufferData(kData1, false, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
   EXPECT_CALL(*session_,
               SendRstStream(stream_->id(), QUIC_RST_ACKNOWLEDGEMENT, 9));
   stream_->OnConnectionClosed(QUIC_INTERNAL_ERROR,
@@ -965,6 +1074,9 @@ TEST_P(QuicStreamTest, ConnectionClosed) {
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   // Stream stops waiting for acks as connection is going to close.
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
 }
 
 TEST_P(QuicStreamTest, CanWriteNewDataAfterData) {
@@ -993,6 +1105,8 @@ TEST_P(QuicStreamTest, WriteBufferedData) {
   stream_->WriteOrBufferData(data, false, nullptr);
   stream_->WriteOrBufferData(data, false, nullptr);
   stream_->WriteOrBufferData(data, false, nullptr);
+  EXPECT_TRUE(stream_->IsWaitingForAcks());
+
   // Verify all data is saved.
   EXPECT_EQ(3 * data.length() - 100, stream_->BufferedDataBytes());
 
@@ -1205,12 +1319,20 @@ TEST_P(QuicStreamTest, StreamDataGetAckedMultipleTimes) {
   Initialize();
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillRepeatedly(Invoke(MockQuicSession::ConsumeData));
+  EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
+
   // Send [0, 27) and fin.
   stream_->WriteOrBufferData(kData1, false, nullptr);
   stream_->WriteOrBufferData(kData1, false, nullptr);
   stream_->WriteOrBufferData(kData1, true, nullptr);
   EXPECT_EQ(3u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
 
   // Ack [0, 9), [5, 22) and [18, 26)
   // Verify [0, 9) 9 bytes are acked.
@@ -1230,6 +1352,9 @@ TEST_P(QuicStreamTest, StreamDataGetAckedMultipleTimes) {
   EXPECT_EQ(4u, newly_acked_length);
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
 
   // Ack [0, 27). Verify [26, 27) 1 byte is acked.
   EXPECT_TRUE(stream_->OnStreamFrameAcked(26, 1, false, QuicTime::Delta::Zero(),
@@ -1237,6 +1362,9 @@ TEST_P(QuicStreamTest, StreamDataGetAckedMultipleTimes) {
   EXPECT_EQ(1u, newly_acked_length);
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_TRUE(session_->HasUnackedStreamData());
+  }
 
   // Ack Fin.
   EXPECT_TRUE(stream_->OnStreamFrameAcked(27, 0, true, QuicTime::Delta::Zero(),
@@ -1244,6 +1372,9 @@ TEST_P(QuicStreamTest, StreamDataGetAckedMultipleTimes) {
   EXPECT_EQ(0u, newly_acked_length);
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
 
   // Ack [10, 27) and fin. No new data is acked.
   EXPECT_FALSE(stream_->OnStreamFrameAcked(
@@ -1251,6 +1382,9 @@ TEST_P(QuicStreamTest, StreamDataGetAckedMultipleTimes) {
   EXPECT_EQ(0u, newly_acked_length);
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_FALSE(stream_->IsWaitingForAcks());
+  if (GetQuicReloadableFlag(quic_ignore_tlpr_if_no_pending_stream_data)) {
+    EXPECT_FALSE(session_->HasUnackedStreamData());
+  }
 }
 
 TEST_P(QuicStreamTest, OnStreamFrameLost) {
@@ -1354,7 +1488,7 @@ TEST_P(QuicStreamTest, MarkConnectionLevelWriteBlockedOnWindowUpdateFrame) {
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillRepeatedly(Invoke(MockQuicSession::ConsumeData));
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(this, &QuicStreamTest::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   std::string data(1024, '.');
   stream_->WriteOrBufferData(data, false, nullptr);
   EXPECT_FALSE(HasWriteBlockedStreams());
@@ -1380,7 +1514,7 @@ TEST_P(QuicStreamTest,
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillRepeatedly(Invoke(MockQuicSession::ConsumeData));
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(this, &QuicStreamTest::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   stream_->WriteOrBufferData(data, false, nullptr);
   EXPECT_FALSE(HasWriteBlockedStreams());
 
@@ -1482,7 +1616,7 @@ TEST_P(QuicParameterizedStreamTest, CheckStopSending) {
   EXPECT_FALSE(stream_->write_side_closed());
   EXPECT_FALSE(QuicStreamPeer::read_side_closed(stream_));
   // Expect to actually see a stop sending if and only if we are in version 99.
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     EXPECT_CALL(*session_, SendStopSending(kStopSendingCode, stream_->id()))
         .Times(1);
   } else {
@@ -1506,7 +1640,7 @@ TEST_P(QuicStreamTest, OnStreamResetReadOrReadWrite) {
   QuicRstStreamFrame rst_frame(kInvalidControlFrameId, stream_->id(),
                                QUIC_STREAM_CANCELLED, 1234);
   stream_->OnStreamReset(rst_frame);
-  if (connection_->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     // Version 99/IETF QUIC should close just the read side.
     EXPECT_TRUE(QuicStreamPeer::read_side_closed(stream_));
     EXPECT_FALSE(stream_->write_side_closed());
@@ -1521,7 +1655,7 @@ TEST_P(QuicStreamTest, OnStreamResetReadOrReadWrite) {
 // If not V99, the test is a noop (no STOP_SENDING in Google QUIC).
 TEST_P(QuicStreamTest, OnStopSendingReadOrReadWrite) {
   Initialize();
-  if (connection_->transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(connection_->transport_version())) {
     return;
   }
 
@@ -1539,7 +1673,7 @@ TEST_P(QuicStreamTest, OnStopSendingReadOrReadWrite) {
 // SendOnlyRstStream must only send a RESET_STREAM (no bundled STOP_SENDING).
 TEST_P(QuicStreamTest, SendOnlyRstStream) {
   Initialize();
-  if (connection_->transport_version() != QUIC_VERSION_99) {
+  if (!VersionHasIetfQuicFrames(connection_->transport_version())) {
     return;
   }
 
@@ -1559,6 +1693,23 @@ TEST_P(QuicStreamTest, SendOnlyRstStream) {
   EXPECT_TRUE(stream_->write_side_closed());
 }
 
+TEST_P(QuicStreamTest, WindowUpdateForReadOnlyStream) {
+  SetQuicReloadableFlag(quic_no_window_update_on_read_only_stream, true);
+  Initialize();
+
+  QuicStreamId stream_id = QuicUtils::GetFirstUnidirectionalStreamId(
+      connection_->transport_version(), Perspective::IS_CLIENT);
+  TestStream stream(stream_id, session_.get(), READ_UNIDIRECTIONAL);
+  QuicWindowUpdateFrame window_update_frame(kInvalidControlFrameId, stream_id,
+                                            0);
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(
+          QUIC_WINDOW_UPDATE_RECEIVED_ON_READ_UNIDIRECTIONAL_STREAM,
+          "WindowUpdateFrame received on READ_UNIDIRECTIONAL stream.", _));
+  stream.OnWindowUpdateFrame(window_update_frame);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_tag.cc b/chromium/net/third_party/quiche/src/quic/core/quic_tag.cc
index 109803da105..3b6ba0d4ab2 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_tag.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_tag.cc
@@ -36,7 +36,7 @@ bool FindMutualQuicTag(const QuicTagVector& our_tags,
 }
 
 std::string QuicTagToString(QuicTag tag) {
-  if (GetQuicReloadableFlag(quic_print_tag_hex) && tag == 0) {
+  if (tag == 0) {
     return "0";
   }
   char chars[sizeof tag];
@@ -60,12 +60,6 @@ std::string QuicTagToString(QuicTag tag) {
     return std::string(chars, sizeof(chars));
   }
 
-  if (!GetQuicReloadableFlag(quic_print_tag_hex)) {
-    return QuicTextUtils::Uint64ToString(orig_tag);
-  }
-
-  QUIC_RELOADABLE_FLAG_COUNT(quic_print_tag_hex);
-
   return QuicTextUtils::HexEncode(reinterpret_cast<const char*>(&orig_tag),
                                   sizeof(orig_tag));
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_tag_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_tag_test.cc
index 20af4eeeb3a..3d58133eeb7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_tag_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_tag_test.cc
@@ -19,10 +19,6 @@ TEST_F(QuicTagTest, TagToString) {
   EXPECT_EQ("SNO ", QuicTagToString(kServerNonceTag));
   EXPECT_EQ("CRT ", QuicTagToString(kCertificateTag));
   EXPECT_EQ("CHLO", QuicTagToString(MakeQuicTag('C', 'H', 'L', 'O')));
-  if (!GetQuicReloadableFlag(quic_print_tag_hex)) {
-    EXPECT_EQ("525092931", QuicTagToString(MakeQuicTag('C', 'H', 'L', '\x1f')));
-    return;
-  }
   // A tag that contains a non-printing character will be printed as hex.
   EXPECT_EQ("43484c1f", QuicTagToString(MakeQuicTag('C', 'H', 'L', '\x1f')));
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.cc
index f1f6dcf2678..cb29a40fbfe 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.cc
@@ -51,8 +51,8 @@ QuicTimeWaitListManager::QuicTimeWaitListManager(
     Visitor* visitor,
     const QuicClock* clock,
     QuicAlarmFactory* alarm_factory)
-    : time_wait_period_(
-          QuicTime::Delta::FromSeconds(FLAGS_quic_time_wait_list_seconds)),
+    : time_wait_period_(QuicTime::Delta::FromSeconds(
+          GetQuicFlag(FLAGS_quic_time_wait_list_seconds))),
       connection_id_clean_up_alarm_(
           alarm_factory->CreateAlarm(new ConnectionIdCleanUpAlarm(this))),
       clock_(clock),
@@ -81,8 +81,10 @@ void QuicTimeWaitListManager::AddConnectionIdToTimeWait(
     connection_id_map_.erase(it);
   }
   TrimTimeWaitListIfNeeded();
-  DCHECK_LT(num_connections(),
-            static_cast<size_t>(FLAGS_quic_time_wait_list_max_connections));
+  int64_t max_connections =
+      GetQuicFlag(FLAGS_quic_time_wait_list_max_connections);
+  DCHECK(connection_id_map_.empty() ||
+         num_connections() < static_cast<size_t>(max_connections));
   ConnectionIdData data(num_packets, ietf_quic, clock_->ApproximateNow(),
                         action);
   if (termination_packets != nullptr) {
@@ -371,11 +373,13 @@ void QuicTimeWaitListManager::CleanUpOldConnectionIds() {
 }
 
 void QuicTimeWaitListManager::TrimTimeWaitListIfNeeded() {
-  if (FLAGS_quic_time_wait_list_max_connections < 0) {
+  const int64_t kMaxConnections =
+      GetQuicFlag(FLAGS_quic_time_wait_list_max_connections);
+  if (kMaxConnections < 0) {
     return;
   }
-  while (num_connections() >=
-         static_cast<size_t>(FLAGS_quic_time_wait_list_max_connections)) {
+  while (!connection_id_map_.empty() &&
+         num_connections() >= static_cast<size_t>(kMaxConnections)) {
     MaybeExpireOldestConnection(QuicTime::Infinite());
   }
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h
index ba0c76336aa..c53632c8e35 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h
@@ -130,13 +130,6 @@ class QuicTimeWaitListManager : public QuicBlockedWriterInterface {
       const QuicSocketAddress& peer_address,
       std::unique_ptr<QuicPerPacketContext> packet_context);
 
-  // Return a non-owning pointer to the packet writer.
-  QuicPacketWriter* writer() { return writer_; }
-
- protected:
-  virtual std::unique_ptr<QuicEncryptedPacket> BuildPublicReset(
-      const QuicPublicResetPacket& packet);
-
   // Creates a public reset packet and sends it or queues it to be sent later.
   virtual void SendPublicReset(
       const QuicSocketAddress& self_address,
@@ -145,7 +138,14 @@ class QuicTimeWaitListManager : public QuicBlockedWriterInterface {
       bool ietf_quic,
       std::unique_ptr<QuicPerPacketContext> packet_context);
 
-  virtual void GetEndpointId(std::string* endpoint_id) {}
+  // Return a non-owning pointer to the packet writer.
+  QuicPacketWriter* writer() { return writer_; }
+
+ protected:
+  virtual std::unique_ptr<QuicEncryptedPacket> BuildPublicReset(
+      const QuicPublicResetPacket& packet);
+
+  virtual void GetEndpointId(std::string* /*endpoint_id*/) {}
 
   // Returns a stateless reset token which will be included in the public reset
   // packet.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager_test.cc
index 4624a236503..0d9e32ac62c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager_test.cc
@@ -163,8 +163,8 @@ class QuicTimeWaitListManagerTest : public QuicTest {
       QuicTimeWaitListManager::TimeWaitAction action,
       std::vector<std::unique_ptr<QuicEncryptedPacket>>* packets) {
     time_wait_list_manager_.AddConnectionIdToTimeWait(
-        connection_id, version.transport_version > QUIC_VERSION_43, action,
-        ENCRYPTION_INITIAL, packets);
+        connection_id, VersionHasIetfInvariantHeader(version.transport_version),
+        action, ENCRYPTION_INITIAL, packets);
   }
 
   bool IsConnectionIdInTimeWait(QuicConnectionId connection_id) {
@@ -542,12 +542,14 @@ TEST_F(QuicTimeWaitListManagerTest, ConnectionIdsOrderedByTime) {
 
 TEST_F(QuicTimeWaitListManagerTest, MaxConnectionsTest) {
   // Basically, shut off time-based eviction.
-  FLAGS_quic_time_wait_list_seconds = 10000000000;
-  FLAGS_quic_time_wait_list_max_connections = 5;
+  SetQuicFlag(FLAGS_quic_time_wait_list_seconds, 10000000000);
+  SetQuicFlag(FLAGS_quic_time_wait_list_max_connections, 5);
 
   uint64_t current_conn_id = 0;
+  const int64_t kMaxConnections =
+      GetQuicFlag(FLAGS_quic_time_wait_list_max_connections);
   // Add exactly the maximum number of connections
-  for (int64_t i = 0; i < FLAGS_quic_time_wait_list_max_connections; ++i) {
+  for (int64_t i = 0; i < kMaxConnections; ++i) {
     ++current_conn_id;
     QuicConnectionId current_connection_id = TestConnectionId(current_conn_id);
     EXPECT_FALSE(IsConnectionIdInTimeWait(current_connection_id));
@@ -560,23 +562,44 @@ TEST_F(QuicTimeWaitListManagerTest, MaxConnectionsTest) {
 
   // Now keep adding.  Since we're already at the max, every new connection-id
   // will evict the oldest one.
-  for (int64_t i = 0; i < FLAGS_quic_time_wait_list_max_connections; ++i) {
+  for (int64_t i = 0; i < kMaxConnections; ++i) {
     ++current_conn_id;
     QuicConnectionId current_connection_id = TestConnectionId(current_conn_id);
-    const QuicConnectionId id_to_evict = TestConnectionId(
-        current_conn_id - FLAGS_quic_time_wait_list_max_connections);
+    const QuicConnectionId id_to_evict =
+        TestConnectionId(current_conn_id - kMaxConnections);
     EXPECT_TRUE(IsConnectionIdInTimeWait(id_to_evict));
     EXPECT_FALSE(IsConnectionIdInTimeWait(current_connection_id));
     EXPECT_CALL(visitor_,
                 OnConnectionAddedToTimeWaitList(current_connection_id));
     AddConnectionId(current_connection_id, QuicTimeWaitListManager::DO_NOTHING);
-    EXPECT_EQ(static_cast<size_t>(FLAGS_quic_time_wait_list_max_connections),
+    EXPECT_EQ(static_cast<size_t>(kMaxConnections),
               time_wait_list_manager_.num_connections());
     EXPECT_FALSE(IsConnectionIdInTimeWait(id_to_evict));
     EXPECT_TRUE(IsConnectionIdInTimeWait(current_connection_id));
   }
 }
 
+TEST_F(QuicTimeWaitListManagerTest, ZeroMaxConnections) {
+  // Basically, shut off time-based eviction.
+  SetQuicFlag(FLAGS_quic_time_wait_list_seconds, 10000000000);
+  // Keep time wait list empty.
+  SetQuicFlag(FLAGS_quic_time_wait_list_max_connections, 0);
+
+  uint64_t current_conn_id = 0;
+  // Add exactly the maximum number of connections
+  for (int64_t i = 0; i < 10; ++i) {
+    ++current_conn_id;
+    QuicConnectionId current_connection_id = TestConnectionId(current_conn_id);
+    EXPECT_FALSE(IsConnectionIdInTimeWait(current_connection_id));
+    EXPECT_CALL(visitor_,
+                OnConnectionAddedToTimeWaitList(current_connection_id));
+    AddConnectionId(current_connection_id, QuicTimeWaitListManager::DO_NOTHING);
+    // Verify time wait list always has 1 connection.
+    EXPECT_EQ(1u, time_wait_list_manager_.num_connections());
+    EXPECT_TRUE(IsConnectionIdInTimeWait(current_connection_id));
+  }
+}
+
 // Regression test for b/116200989.
 TEST_F(QuicTimeWaitListManagerTest,
        SendStatelessResetInResponseToShortHeaders) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.cc b/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.cc
index 8b1b62a6278..42ee003966d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.cc
@@ -225,6 +225,7 @@ void QuicTraceVisitor::PopulateFrameInfo(const QuicFrame& frame,
 }
 
 void QuicTraceVisitor::OnIncomingAck(
+    QuicPacketNumber /*ack_packet_number*/,
     const QuicAckFrame& ack_frame,
     QuicTime ack_receive_time,
     QuicPacketNumber /*largest_observed*/,
@@ -242,7 +243,7 @@ void QuicTraceVisitor::OnIncomingAck(
 }
 
 void QuicTraceVisitor::OnPacketLoss(QuicPacketNumber lost_packet_number,
-                                    TransmissionType transmission_type,
+                                    TransmissionType /*transmission_type*/,
                                     QuicTime detection_time) {
   quic_trace::Event* event = trace_.add_events();
   event->set_time_us(ConvertTimestampToRecordedFormat(detection_time));
@@ -279,8 +280,8 @@ void QuicTraceVisitor::OnApplicationLimited() {
 
 void QuicTraceVisitor::OnAdjustNetworkParameters(QuicBandwidth bandwidth,
                                                  QuicTime::Delta rtt,
-                                                 QuicByteCount old_cwnd,
-                                                 QuicByteCount new_cwnd) {
+                                                 QuicByteCount /*old_cwnd*/,
+                                                 QuicByteCount /*new_cwnd*/) {
   quic_trace::Event* event = trace_.add_events();
   event->set_time_us(
       ConvertTimestampToRecordedFormat(connection_->clock()->ApproximateNow()));
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.h b/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.h
index 8021865f852..0494d874331 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.h
@@ -23,7 +23,8 @@ class QuicTraceVisitor : public QuicConnectionDebugVisitor {
                     TransmissionType transmission_type,
                     QuicTime sent_time) override;
 
-  void OnIncomingAck(const QuicAckFrame& ack_frame,
+  void OnIncomingAck(QuicPacketNumber ack_packet_number,
+                     const QuicAckFrame& ack_frame,
                      QuicTime ack_receive_time,
                      QuicPacketNumber largest_observed,
                      bool rtt_updated,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_types.h b/chromium/net/third_party/quiche/src/quic/core/quic_types.h
index 66a90c16562..c3f70e739d4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_types.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_types.h
@@ -146,7 +146,8 @@ struct QUIC_EXPORT_PRIVATE WriteResult {
 enum TransmissionType : int8_t {
   NOT_RETRANSMISSION,
   FIRST_TRANSMISSION_TYPE = NOT_RETRANSMISSION,
-  HANDSHAKE_RETRANSMISSION,    // Retransmits due to handshake timeouts.
+  HANDSHAKE_RETRANSMISSION,  // Retransmits due to handshake timeouts.
+  // TODO(fayang): remove ALL_UNACKED_RETRANSMISSION.
   ALL_UNACKED_RETRANSMISSION,  // Retransmits all unacked packets.
   ALL_INITIAL_RETRANSMISSION,  // Retransmits all initially encrypted packets.
   LOSS_RETRANSMISSION,         // Retransmits due to loss detection.
@@ -368,7 +369,14 @@ enum QuicPacketPrivateFlags {
 // QUIC. Note that this is separate from the congestion feedback type -
 // some congestion control algorithms may use the same feedback type
 // (Reno and Cubic are the classic example for that).
-enum CongestionControlType { kCubicBytes, kRenoBytes, kBBR, kPCC, kGoogCC };
+enum CongestionControlType {
+  kCubicBytes,
+  kRenoBytes,
+  kBBR,
+  kPCC,
+  kGoogCC,
+  kBBRv2,
+};
 
 enum LossDetectionType : uint8_t {
   kNack,          // Used to mimic TCP's loss detection.
@@ -496,6 +504,7 @@ struct LostPacket {
 // A vector of lost packets.
 typedef std::vector<LostPacket> LostPacketVector;
 
+// TODO(fkastenholz): Change this to uint64_t to reflect -22 of the ID.
 enum QuicIetfTransportErrorCodes : uint16_t {
   NO_IETF_QUIC_ERROR = 0x0,
   INTERNAL_ERROR = 0x1,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.cc b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.cc
index 1a0b1af24c4..f07fd315c95 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.cc
@@ -32,13 +32,7 @@ QuicUnackedPacketMap::QuicUnackedPacketMap(Perspective perspective)
       last_crypto_packet_sent_time_(QuicTime::Zero()),
       session_notifier_(nullptr),
       session_decides_what_to_write_(false),
-      use_uber_loss_algorithm_(
-          GetQuicReloadableFlag(quic_use_uber_loss_algorithm)),
-      supports_multiple_packet_number_spaces_(false) {
-  if (use_uber_loss_algorithm_) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_use_uber_loss_algorithm);
-  }
-}
+      supports_multiple_packet_number_spaces_(false) {}
 
 QuicUnackedPacketMap::~QuicUnackedPacketMap() {
   for (QuicTransmissionInfo& transmission_info : unacked_packets_) {
@@ -83,12 +77,8 @@ void QuicUnackedPacketMap::AddSentPacket(SerializedPacket* packet,
   if (set_in_flight) {
     bytes_in_flight_ += bytes_sent;
     info.in_flight = true;
-    if (use_uber_loss_algorithm_) {
-      largest_sent_retransmittable_packets_[GetPacketNumberSpace(
-          info.encryption_level)] = packet_number;
-    } else {
-      largest_sent_retransmittable_packet_ = packet_number;
-    }
+    largest_sent_retransmittable_packets_[GetPacketNumberSpace(
+        info.encryption_level)] = packet_number;
   }
   unacked_packets_.push_back(info);
   // Swap the retransmittable frames to avoid allocations.
@@ -231,7 +221,6 @@ void QuicUnackedPacketMap::IncreaseLargestAcked(
 void QuicUnackedPacketMap::MaybeUpdateLargestAckedOfPacketNumberSpace(
     PacketNumberSpace packet_number_space,
     QuicPacketNumber packet_number) {
-  DCHECK(use_uber_loss_algorithm_);
   largest_acked_packets_[packet_number_space].UpdateMax(packet_number);
 }
 
@@ -387,7 +376,6 @@ bool QuicUnackedPacketMap::HasPendingCryptoPackets() const {
 }
 
 bool QuicUnackedPacketMap::HasUnackedRetransmittableFrames() const {
-  DCHECK(!GetQuicReloadableFlag(quic_optimize_inflight_check));
   for (auto it = unacked_packets_.rbegin(); it != unacked_packets_.rend();
        ++it) {
     if (it->in_flight && HasRetransmittableFrames(*it)) {
@@ -407,13 +395,14 @@ void QuicUnackedPacketMap::SetSessionNotifier(
 }
 
 bool QuicUnackedPacketMap::NotifyFramesAcked(const QuicTransmissionInfo& info,
-                                             QuicTime::Delta ack_delay) {
+                                             QuicTime::Delta ack_delay,
+                                             QuicTime receive_timestamp) {
   if (session_notifier_ == nullptr) {
     return false;
   }
   bool new_data_acked = false;
   for (const QuicFrame& frame : info.retransmittable_frames) {
-    if (session_notifier_->OnFrameAcked(frame, ack_delay)) {
+    if (session_notifier_->OnFrameAcked(frame, ack_delay, receive_timestamp)) {
       new_data_acked = true;
     }
   }
@@ -421,7 +410,7 @@ bool QuicUnackedPacketMap::NotifyFramesAcked(const QuicTransmissionInfo& info,
 }
 
 void QuicUnackedPacketMap::NotifyFramesLost(const QuicTransmissionInfo& info,
-                                            TransmissionType type) {
+                                            TransmissionType /*type*/) {
   DCHECK(session_decides_what_to_write_);
   for (const QuicFrame& frame : info.retransmittable_frames) {
     session_notifier_->OnFrameLost(frame);
@@ -436,7 +425,8 @@ void QuicUnackedPacketMap::RetransmitFrames(const QuicTransmissionInfo& info,
 
 void QuicUnackedPacketMap::MaybeAggregateAckedStreamFrame(
     const QuicTransmissionInfo& info,
-    QuicTime::Delta ack_delay) {
+    QuicTime::Delta ack_delay,
+    QuicTime receive_timestamp) {
   if (session_notifier_ == nullptr) {
     return;
   }
@@ -468,7 +458,7 @@ void QuicUnackedPacketMap::MaybeAggregateAckedStreamFrame(
 
     NotifyAggregatedStreamFrameAcked(ack_delay);
     if (frame.type != STREAM_FRAME || frame.stream_frame.fin) {
-      session_notifier_->OnFrameAcked(frame, ack_delay);
+      session_notifier_->OnFrameAcked(frame, ack_delay, receive_timestamp);
       continue;
     }
 
@@ -488,22 +478,23 @@ void QuicUnackedPacketMap::NotifyAggregatedStreamFrameAcked(
     // Aggregated stream frame is empty.
     return;
   }
+  // Note: there is no receive_timestamp for an aggregated stream frame.  The
+  // frames that are aggregated may not have been received at the same time.
   session_notifier_->OnFrameAcked(QuicFrame(aggregated_stream_frame_),
-                                  ack_delay);
+                                  ack_delay,
+                                  /*receive_timestamp=*/QuicTime::Zero());
   // Clear aggregated stream frame.
   aggregated_stream_frame_.stream_id = -1;
 }
 
 PacketNumberSpace QuicUnackedPacketMap::GetPacketNumberSpace(
     QuicPacketNumber packet_number) const {
-  DCHECK(use_uber_loss_algorithm_);
   return GetPacketNumberSpace(
       GetTransmissionInfo(packet_number).encryption_level);
 }
 
 PacketNumberSpace QuicUnackedPacketMap::GetPacketNumberSpace(
     EncryptionLevel encryption_level) const {
-  DCHECK(use_uber_loss_algorithm_);
   if (supports_multiple_packet_number_spaces_) {
     return QuicUtils::GetPacketNumberSpace(encryption_level);
   }
@@ -517,7 +508,6 @@ PacketNumberSpace QuicUnackedPacketMap::GetPacketNumberSpace(
 
 QuicPacketNumber QuicUnackedPacketMap::GetLargestAckedOfPacketNumberSpace(
     PacketNumberSpace packet_number_space) const {
-  DCHECK(use_uber_loss_algorithm_);
   if (packet_number_space >= NUM_PACKET_NUMBER_SPACES) {
     QUIC_BUG << "Invalid packet number space: " << packet_number_space;
     return QuicPacketNumber();
@@ -528,7 +518,6 @@ QuicPacketNumber QuicUnackedPacketMap::GetLargestAckedOfPacketNumberSpace(
 QuicPacketNumber
 QuicUnackedPacketMap::GetLargestSentRetransmittableOfPacketNumberSpace(
     PacketNumberSpace packet_number_space) const {
-  DCHECK(use_uber_loss_algorithm_);
   if (packet_number_space >= NUM_PACKET_NUMBER_SPACES) {
     QUIC_BUG << "Invalid packet number space: " << packet_number_space;
     return QuicPacketNumber();
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.h b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.h
index 1a37a1fb5d9..64d1da83a7e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.h
@@ -50,7 +50,8 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // Notifies session_notifier that frames have been acked. Returns true if any
   // new data gets acked, returns false otherwise.
   bool NotifyFramesAcked(const QuicTransmissionInfo& info,
-                         QuicTime::Delta ack_delay);
+                         QuicTime::Delta ack_delay,
+                         QuicTime receive_timestamp);
 
   // Notifies session_notifier that frames in |info| are considered as lost.
   void NotifyFramesLost(const QuicTransmissionInfo& info,
@@ -90,12 +91,6 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // Returns the largest packet number that has been sent.
   QuicPacketNumber largest_sent_packet() const { return largest_sent_packet_; }
 
-  // Returns the largest retransmittable packet number that has been sent.
-  QuicPacketNumber largest_sent_retransmittable_packet() const {
-    DCHECK(!use_uber_loss_algorithm_);
-    return largest_sent_retransmittable_packet_;
-  }
-
   QuicPacketNumber largest_sent_largest_acked() const {
     return largest_sent_largest_acked_;
   }
@@ -152,6 +147,12 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // HasUnackedCryptoData() when session_decides_what_to_write_ is default true.
   bool HasPendingCryptoPackets() const;
 
+  // Returns true if there is any unacked non-crypto stream data.
+  bool HasUnackedStreamData() const {
+    DCHECK(session_decides_what_to_write());
+    return session_notifier_->HasUnackedStreamData();
+  }
+
   // Removes any retransmittable frames from this transmission or an associated
   // transmission.  It removes now useless transmissions, and disconnects any
   // other packets from other transmissions.
@@ -179,7 +180,8 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // frames or control frames, notify the session notifier they get acked
   // immediately.
   void MaybeAggregateAckedStreamFrame(const QuicTransmissionInfo& info,
-                                      QuicTime::Delta ack_delay);
+                                      QuicTime::Delta ack_delay,
+                                      QuicTime receive_timestamp);
 
   // Notify the session notifier of any stream data aggregated in
   // aggregated_stream_frame_.  No effect if the stream frame has an invalid
@@ -219,8 +221,6 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
     return session_decides_what_to_write_;
   }
 
-  bool use_uber_loss_algorithm() const { return use_uber_loss_algorithm_; }
-
   Perspective perspective() const { return perspective_; }
 
   bool supports_multiple_packet_number_spaces() const {
@@ -261,12 +261,8 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   QuicPacketNumber largest_sent_packet_;
   // Only used when supports_multiple_packet_number_spaces_ is true.
   QuicPacketNumber largest_sent_packets_[NUM_PACKET_NUMBER_SPACES];
-  // The largest sent packet we expect to receive an ack for.
-  // TODO(fayang): Remove largest_sent_retransmittable_packet_ when deprecating
-  // quic_use_uber_loss_algorithm.
-  QuicPacketNumber largest_sent_retransmittable_packet_;
   // The largest sent packet we expect to receive an ack for per packet number
-  // space. Only used if use_uber_loss_algorithm_ is true.
+  // space.
   QuicPacketNumber
       largest_sent_retransmittable_packets_[NUM_PACKET_NUMBER_SPACES];
   // The largest sent largest_acked in an ACK frame.
@@ -274,7 +270,6 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // The largest received largest_acked from an ACK frame.
   QuicPacketNumber largest_acked_;
   // The largest received largest_acked from ACK frame per packet number space.
-  // Only used if use_uber_loss_algorithm_ is true.
   QuicPacketNumber largest_acked_packets_[NUM_PACKET_NUMBER_SPACES];
 
   // Newly serialized retransmittable packets are added to this map, which
@@ -306,9 +301,6 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // If true, let session decides what to write.
   bool session_decides_what_to_write_;
 
-  // Latched value of quic_use_uber_loss_algorithm.
-  const bool use_uber_loss_algorithm_;
-
   // If true, supports multiple packet number spaces.
   bool supports_multiple_packet_number_spaces_;
 };
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc
index 331a0e8842e..807a95918ab 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc
@@ -125,9 +125,7 @@ class QuicUnackedPacketMapTest : public QuicTestWithParam<TestParams> {
     unacked_packets_.RemoveObsoletePackets();
     if (num_packets == 0) {
       EXPECT_TRUE(unacked_packets_.empty());
-      if (!GetQuicReloadableFlag(quic_optimize_inflight_check)) {
-        EXPECT_FALSE(unacked_packets_.HasUnackedRetransmittableFrames());
-      }
+      EXPECT_FALSE(unacked_packets_.HasUnackedRetransmittableFrames());
       return;
     }
     EXPECT_FALSE(unacked_packets_.empty());
@@ -551,7 +549,7 @@ TEST_P(QuicUnackedPacketMapTest, SendWithGap) {
 
 TEST_P(QuicUnackedPacketMapTest, AggregateContiguousAckedStreamFrames) {
   testing::InSequence s;
-  EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(0);
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(0);
   unacked_packets_.NotifyAggregatedStreamFrameAcked(QuicTime::Delta::Zero());
 
   QuicTransmissionInfo info1;
@@ -571,20 +569,20 @@ TEST_P(QuicUnackedPacketMapTest, AggregateContiguousAckedStreamFrames) {
   info4.retransmittable_frames.push_back(QuicFrame(stream_frame4));
 
   // Verify stream frames are aggregated.
-  EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(0);
-  unacked_packets_.MaybeAggregateAckedStreamFrame(info1,
-                                                  QuicTime::Delta::Zero());
-  EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(0);
-  unacked_packets_.MaybeAggregateAckedStreamFrame(info2,
-                                                  QuicTime::Delta::Zero());
-  EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(0);
-  unacked_packets_.MaybeAggregateAckedStreamFrame(info3,
-                                                  QuicTime::Delta::Zero());
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(0);
+  unacked_packets_.MaybeAggregateAckedStreamFrame(
+      info1, QuicTime::Delta::Zero(), QuicTime::Zero());
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(0);
+  unacked_packets_.MaybeAggregateAckedStreamFrame(
+      info2, QuicTime::Delta::Zero(), QuicTime::Zero());
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(0);
+  unacked_packets_.MaybeAggregateAckedStreamFrame(
+      info3, QuicTime::Delta::Zero(), QuicTime::Zero());
 
   // Verify aggregated stream frame gets acked since fin is acked.
-  EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(1);
-  unacked_packets_.MaybeAggregateAckedStreamFrame(info4,
-                                                  QuicTime::Delta::Zero());
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(1);
+  unacked_packets_.MaybeAggregateAckedStreamFrame(
+      info4, QuicTime::Delta::Zero(), QuicTime::Zero());
 }
 
 // Regression test for b/112930090.
@@ -614,17 +612,17 @@ TEST_P(QuicUnackedPacketMapTest, CannotAggregateIfDataLengthOverflow) {
       if (aggregated_stream_frame.data_length + acked_stream_length <=
           kMaxAggregatedDataLength) {
         // Verify the acked stream frame can be aggregated.
-        EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(0);
+        EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(0);
         unacked_packets_.MaybeAggregateAckedStreamFrame(
-            info, QuicTime::Delta::Zero());
+            info, QuicTime::Delta::Zero(), QuicTime::Zero());
         aggregated_data_length += acked_stream_length;
         testing::Mock::VerifyAndClearExpectations(&notifier_);
       } else {
         // Verify the acked stream frame cannot be aggregated because
         // data_length is overflow.
-        EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(1);
+        EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(1);
         unacked_packets_.MaybeAggregateAckedStreamFrame(
-            info, QuicTime::Delta::Zero());
+            info, QuicTime::Delta::Zero(), QuicTime::Zero());
         aggregated_data_length = acked_stream_length;
         testing::Mock::VerifyAndClearExpectations(&notifier_);
       }
@@ -637,9 +635,9 @@ TEST_P(QuicUnackedPacketMapTest, CannotAggregateIfDataLengthOverflow) {
     QuicTransmissionInfo info;
     QuicStreamFrame stream_frame(stream_id, true, offset, acked_stream_length);
     info.retransmittable_frames.push_back(QuicFrame(stream_frame));
-    EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(1);
-    unacked_packets_.MaybeAggregateAckedStreamFrame(info,
-                                                    QuicTime::Delta::Zero());
+    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(1);
+    unacked_packets_.MaybeAggregateAckedStreamFrame(
+        info, QuicTime::Delta::Zero(), QuicTime::Zero());
     testing::Mock::VerifyAndClearExpectations(&notifier_);
   }
 }
@@ -662,22 +660,19 @@ TEST_P(QuicUnackedPacketMapTest, CannotAggregateAckedControlFrames) {
   info2.retransmittable_frames.push_back(QuicFrame(&go_away));
 
   // Verify 2 contiguous stream frames are aggregated.
-  EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(1);
-  unacked_packets_.MaybeAggregateAckedStreamFrame(info1,
-                                                  QuicTime::Delta::Zero());
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(1);
+  unacked_packets_.MaybeAggregateAckedStreamFrame(
+      info1, QuicTime::Delta::Zero(), QuicTime::Zero());
   // Verify aggregated stream frame gets acked.
-  EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(3);
-  unacked_packets_.MaybeAggregateAckedStreamFrame(info2,
-                                                  QuicTime::Delta::Zero());
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(3);
+  unacked_packets_.MaybeAggregateAckedStreamFrame(
+      info2, QuicTime::Delta::Zero(), QuicTime::Zero());
 
-  EXPECT_CALL(notifier_, OnFrameAcked(_, _)).Times(0);
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(0);
   unacked_packets_.NotifyAggregatedStreamFrameAcked(QuicTime::Delta::Zero());
 }
 
 TEST_P(QuicUnackedPacketMapTest, LargestSentPacketMultiplePacketNumberSpaces) {
-  if (!GetQuicReloadableFlag(quic_use_uber_loss_algorithm)) {
-    return;
-  }
   unacked_packets_.EnableMultiplePacketNumberSpacesSupport();
   EXPECT_FALSE(unacked_packets_
                    .GetLargestSentPacketOfPacketNumberSpace(ENCRYPTION_INITIAL)
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_utils.cc b/chromium/net/third_party/quiche/src/quic/core/quic_utils.cc
index a7fe40f6730..40c50afc524 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_utils.cc
@@ -377,8 +377,9 @@ bool QuicUtils::IsIetfPacketShortHeader(uint8_t first_byte) {
 
 // static
 QuicStreamId QuicUtils::GetInvalidStreamId(QuicTransportVersion version) {
-  return version == QUIC_VERSION_99 ? std::numeric_limits<QuicStreamId>::max()
-                                    : 0;
+  return VersionHasIetfQuicFrames(version)
+             ? std::numeric_limits<QuicStreamId>::max()
+             : 0;
 }
 
 // static
@@ -399,6 +400,11 @@ bool QuicUtils::IsCryptoStreamId(QuicTransportVersion version,
 
 // static
 QuicStreamId QuicUtils::GetHeadersStreamId(QuicTransportVersion version) {
+  if (version == QUIC_VERSION_99) {
+    // TODO(b/130659182) Turn this into a QUIC_BUG once we've fully removed
+    // the headers stream in those versions.
+    return GetQuicFlag(FLAGS_quic_headers_stream_id_in_v99);
+  }
   return GetFirstBidirectionalStreamId(version, Perspective::IS_CLIENT);
 }
 
@@ -408,7 +414,7 @@ bool QuicUtils::IsClientInitiatedStreamId(QuicTransportVersion version,
   if (id == GetInvalidStreamId(version)) {
     return false;
   }
-  return version == QUIC_VERSION_99 ? id % 2 == 0 : id % 2 != 0;
+  return VersionHasIetfQuicFrames(version) ? id % 2 == 0 : id % 2 != 0;
 }
 
 // static
@@ -417,7 +423,7 @@ bool QuicUtils::IsServerInitiatedStreamId(QuicTransportVersion version,
   if (id == GetInvalidStreamId(version)) {
     return false;
   }
-  return version == QUIC_VERSION_99 ? id % 2 != 0 : id % 2 == 0;
+  return VersionHasIetfQuicFrames(version) ? id % 2 != 0 : id % 2 == 0;
 }
 
 // static
@@ -454,14 +460,14 @@ StreamType QuicUtils::GetStreamType(QuicStreamId id,
 
 // static
 QuicStreamId QuicUtils::StreamIdDelta(QuicTransportVersion version) {
-  return version == QUIC_VERSION_99 ? 4 : 2;
+  return VersionHasIetfQuicFrames(version) ? 4 : 2;
 }
 
 // static
 QuicStreamId QuicUtils::GetFirstBidirectionalStreamId(
     QuicTransportVersion version,
     Perspective perspective) {
-  if (version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version)) {
     return perspective == Perspective::IS_CLIENT ? 0 : 1;
   } else if (QuicVersionUsesCryptoFrames(version)) {
     return perspective == Perspective::IS_CLIENT ? 1 : 2;
@@ -473,16 +479,12 @@ QuicStreamId QuicUtils::GetFirstBidirectionalStreamId(
 QuicStreamId QuicUtils::GetFirstUnidirectionalStreamId(
     QuicTransportVersion version,
     Perspective perspective) {
-  if (version == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(version)) {
     return perspective == Perspective::IS_CLIENT ? 2 : 3;
   } else if (QuicVersionUsesCryptoFrames(version)) {
     return perspective == Perspective::IS_CLIENT ? 1 : 2;
   }
   return perspective == Perspective::IS_CLIENT ? 3 : 2;
-  if (perspective == Perspective::IS_CLIENT) {
-    return version == QUIC_VERSION_99 ? 2 : 1;
-  }
-  return version == QUIC_VERSION_99 ? 3 : 2;
 }
 
 // static
@@ -523,12 +525,6 @@ QuicConnectionId QuicUtils::CreateRandomConnectionId(
 // static
 bool QuicUtils::VariableLengthConnectionIdAllowedForVersion(
     QuicTransportVersion version) {
-  if (!GetQuicRestartFlag(
-          quic_allow_variable_length_connection_id_for_negotiation)) {
-    return version >= QUIC_VERSION_47;
-  }
-  QUIC_RESTART_FLAG_COUNT(
-      quic_allow_variable_length_connection_id_for_negotiation);
   // We allow variable length connection IDs for unsupported versions to
   // ensure that IETF version negotiation works when other implementations
   // trigger version negotiation with custom connection ID lengths.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_utils.h b/chromium/net/third_party/quiche/src/quic/core/quic_utils.h
index bac025e79a0..294f52fa846 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_utils.h
@@ -85,6 +85,12 @@ class QUIC_EXPORT_PRIVATE QuicUtils {
   // Creates an iovec pointing to the same data as |data|.
   static struct iovec MakeIovec(QuicStringPiece data);
 
+  // Returns the opposite Perspective of the |perspective| passed in.
+  static constexpr Perspective InvertPerspective(Perspective perspective) {
+    return perspective == Perspective::IS_CLIENT ? Perspective::IS_SERVER
+                                                 : Perspective::IS_CLIENT;
+  }
+
   // Returns true if a packet is ackable. A packet is unackable if it can never
   // be acked. Occurs when a packet is never sent, after it is acknowledged
   // once, or if it's a crypto packet we never expect to receive an ack for.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.cc
index 5874f92abb7..49aee67764b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.cc
@@ -15,10 +15,11 @@ namespace quic {
 QuicVersionManager::QuicVersionManager(
     ParsedQuicVersionVector supported_versions)
     : enable_version_99_(GetQuicReloadableFlag(quic_enable_version_99)),
+      enable_version_48_(GetQuicReloadableFlag(quic_enable_version_48)),
       enable_version_47_(GetQuicReloadableFlag(quic_enable_version_47)),
-      enable_version_46_(GetQuicReloadableFlag(quic_enable_version_46)),
-      enable_version_44_(GetQuicReloadableFlag(quic_enable_version_44)),
+      disable_version_44_(GetQuicReloadableFlag(quic_disable_version_44)),
       disable_version_39_(GetQuicReloadableFlag(quic_disable_version_39)),
+      enable_tls_(GetQuicFlag(FLAGS_quic_supports_tls_handshake)),
       allowed_supported_versions_(std::move(supported_versions)) {
   RefilterSupportedVersions();
 }
@@ -38,15 +39,17 @@ const ParsedQuicVersionVector& QuicVersionManager::GetSupportedVersions() {
 
 void QuicVersionManager::MaybeRefilterSupportedVersions() {
   if (enable_version_99_ != GetQuicReloadableFlag(quic_enable_version_99) ||
+      enable_version_48_ != GetQuicReloadableFlag(quic_enable_version_48) ||
       enable_version_47_ != GetQuicReloadableFlag(quic_enable_version_47) ||
-      enable_version_46_ != GetQuicReloadableFlag(quic_enable_version_46) ||
-      enable_version_44_ != GetQuicReloadableFlag(quic_enable_version_44) ||
-      disable_version_39_ != GetQuicReloadableFlag(quic_disable_version_39)) {
+      disable_version_44_ != GetQuicReloadableFlag(quic_disable_version_44) ||
+      disable_version_39_ != GetQuicReloadableFlag(quic_disable_version_39) ||
+      enable_tls_ != GetQuicFlag(FLAGS_quic_supports_tls_handshake)) {
     enable_version_99_ = GetQuicReloadableFlag(quic_enable_version_99);
+    enable_version_48_ = GetQuicReloadableFlag(quic_enable_version_48);
     enable_version_47_ = GetQuicReloadableFlag(quic_enable_version_47);
-    enable_version_46_ = GetQuicReloadableFlag(quic_enable_version_46);
-    enable_version_44_ = GetQuicReloadableFlag(quic_enable_version_44);
+    disable_version_44_ = GetQuicReloadableFlag(quic_disable_version_44);
     disable_version_39_ = GetQuicReloadableFlag(quic_disable_version_39);
+    enable_tls_ = GetQuicFlag(FLAGS_quic_supports_tls_handshake);
     RefilterSupportedVersions();
   }
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.h
index db9f2c5880e..a6b7bcbdd93 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.h
@@ -40,14 +40,16 @@ class QUIC_EXPORT_PRIVATE QuicVersionManager {
  private:
   // quic_enable_version_99 flag
   bool enable_version_99_;
+  // quic_enable_version_48 flag
+  bool enable_version_48_;
   // quic_enable_version_47 flag
   bool enable_version_47_;
-  // quic_enable_version_46 flag
-  bool enable_version_46_;
-  // quic_enable_version_44 flag
-  bool enable_version_44_;
+  // quic_disable_version_44 flag
+  bool disable_version_44_;
   // quic_disable_version_39 flag
   bool disable_version_39_;
+  // quic_supports_tls_handshake flag
+  bool enable_tls_;
   // The list of versions that may be supported.
   ParsedQuicVersionVector allowed_supported_versions_;
   // This vector contains QUIC versions which are currently supported based on
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager_test.cc
index 9a7b2a328be..886c0d3d4ef 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager_test.cc
@@ -16,31 +16,27 @@ namespace {
 class QuicVersionManagerTest : public QuicTest {};
 
 TEST_F(QuicVersionManagerTest, QuicVersionManager) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 7u,
                 "Supported versions out of sync");
   SetQuicReloadableFlag(quic_enable_version_99, false);
+  SetQuicReloadableFlag(quic_enable_version_48, false);
   SetQuicReloadableFlag(quic_enable_version_47, false);
-  SetQuicReloadableFlag(quic_enable_version_46, false);
-  SetQuicReloadableFlag(quic_enable_version_44, false);
+  SetQuicReloadableFlag(quic_disable_version_44, true);
   SetQuicReloadableFlag(quic_disable_version_39, true);
   QuicVersionManager manager(AllSupportedVersions());
 
   EXPECT_EQ(FilterSupportedTransportVersions(AllSupportedTransportVersions()),
             manager.GetSupportedTransportVersions());
 
-  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_43}),
+  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_46, QUIC_VERSION_43}),
             manager.GetSupportedTransportVersions());
 
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_43, QUIC_VERSION_39}),
-            manager.GetSupportedTransportVersions());
-
-  SetQuicReloadableFlag(quic_enable_version_44, true);
   EXPECT_EQ(QuicTransportVersionVector(
-                {QUIC_VERSION_44, QUIC_VERSION_43, QUIC_VERSION_39}),
+                {QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39}),
             manager.GetSupportedTransportVersions());
 
-  SetQuicReloadableFlag(quic_enable_version_46, true);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
   EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_46, QUIC_VERSION_44,
                                         QUIC_VERSION_43, QUIC_VERSION_39}),
             manager.GetSupportedTransportVersions());
@@ -51,12 +47,19 @@ TEST_F(QuicVersionManagerTest, QuicVersionManager) {
                                         QUIC_VERSION_39}),
             manager.GetSupportedTransportVersions());
 
-  SetQuicReloadableFlag(quic_enable_version_99, true);
-  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_99, QUIC_VERSION_47,
+  SetQuicReloadableFlag(quic_enable_version_48, true);
+  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_48, QUIC_VERSION_47,
                                         QUIC_VERSION_46, QUIC_VERSION_44,
                                         QUIC_VERSION_43, QUIC_VERSION_39}),
             manager.GetSupportedTransportVersions());
 
+  SetQuicReloadableFlag(quic_enable_version_99, true);
+  EXPECT_EQ(
+      QuicTransportVersionVector(
+          {QUIC_VERSION_99, QUIC_VERSION_48, QUIC_VERSION_47, QUIC_VERSION_46,
+           QUIC_VERSION_44, QUIC_VERSION_43, QUIC_VERSION_39}),
+      manager.GetSupportedTransportVersions());
+
   // Ensure that all versions are now supported.
   EXPECT_EQ(FilterSupportedTransportVersions(AllSupportedTransportVersions()),
             manager.GetSupportedTransportVersions());
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_versions.cc b/chromium/net/third_party/quiche/src/quic/core/quic_versions.cc
index 6873eddfe12..950dd1d1cd0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_versions.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_versions.cc
@@ -6,6 +6,7 @@
 
 #include <string>
 
+#include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
 #include "net/third_party/quiche/src/quic/core/quic_tag.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
@@ -25,17 +26,28 @@ QuicVersionLabel MakeVersionLabel(char a, char b, char c, char d) {
   return MakeQuicTag(d, c, b, a);
 }
 
+QuicVersionLabel CreateRandomVersionLabelForNegotiation() {
+  if (!GetQuicReloadableFlag(quic_version_negotiation_grease)) {
+    return MakeVersionLabel(0xda, 0x5a, 0x3a, 0x3a);
+  }
+  QUIC_RELOADABLE_FLAG_COUNT_N(quic_version_negotiation_grease, 2, 2);
+  QuicVersionLabel result;
+  if (!GetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness)) {
+    QuicRandom::GetInstance()->RandBytes(&result, sizeof(result));
+  } else {
+    result = MakeVersionLabel(0xd1, 0x57, 0x38, 0x3f);
+  }
+  result &= 0xf0f0f0f0;
+  result |= 0x0a0a0a0a;
+  return result;
+}
+
 }  // namespace
 
 ParsedQuicVersion::ParsedQuicVersion(HandshakeProtocol handshake_protocol,
                                      QuicTransportVersion transport_version)
     : handshake_protocol(handshake_protocol),
-      transport_version(transport_version) {
-  if (handshake_protocol == PROTOCOL_TLS1_3 &&
-      !GetQuicFlag(FLAGS_quic_supports_tls_handshake)) {
-    QUIC_BUG << "TLS use attempted when not enabled";
-  }
-}
+      transport_version(transport_version) {}
 
 bool ParsedQuicVersion::KnowsWhichDecrypterToUse() const {
   return transport_version >= QUIC_VERSION_47 ||
@@ -55,10 +67,28 @@ bool ParsedQuicVersion::SupportsRetry() const {
   return transport_version > QUIC_VERSION_46;
 }
 
+bool ParsedQuicVersion::SendsVariableLengthPacketNumberInLongHeader() const {
+  return transport_version > QUIC_VERSION_46;
+}
+
 bool ParsedQuicVersion::SupportsClientConnectionIds() const {
-  // This will be enabled in v99 after the rest of the client connection ID
-  // code lands.
-  return false;
+  if (!GetQuicRestartFlag(quic_do_not_override_connection_id)) {
+    // Do not enable this feature in a production version until this flag has
+    // been deprecated.
+    return false;
+  }
+  return transport_version >= QUIC_VERSION_99;
+}
+
+bool ParsedQuicVersion::DoesNotHaveHeadersStream() const {
+  return VersionLacksHeadersStream(transport_version);
+}
+
+bool VersionLacksHeadersStream(QuicTransportVersion transport_version) {
+  if (GetQuicFlag(FLAGS_quic_headers_stream_id_in_v99) == 0) {
+    return false;
+  }
+  return transport_version == QUIC_VERSION_99;
 }
 
 std::ostream& operator<<(std::ostream& os, const ParsedQuicVersion& version) {
@@ -76,8 +106,8 @@ QuicVersionLabel CreateQuicVersionLabel(ParsedQuicVersion parsed_version) {
       proto = 'T';
       break;
     default:
-      QUIC_LOG(ERROR) << "Invalid HandshakeProtocol: "
-                      << parsed_version.handshake_protocol;
+      QUIC_BUG << "Invalid HandshakeProtocol: "
+               << parsed_version.handshake_protocol;
       return 0;
   }
   switch (parsed_version.transport_version) {
@@ -91,6 +121,8 @@ QuicVersionLabel CreateQuicVersionLabel(ParsedQuicVersion parsed_version) {
       return MakeVersionLabel(proto, '0', '4', '6');
     case QUIC_VERSION_47:
       return MakeVersionLabel(proto, '0', '4', '7');
+    case QUIC_VERSION_48:
+      return MakeVersionLabel(proto, '0', '4', '8');
     case QUIC_VERSION_99:
       if (parsed_version.handshake_protocol == PROTOCOL_TLS1_3 &&
           GetQuicFlag(FLAGS_quic_ietf_draft_version) != 0) {
@@ -99,12 +131,12 @@ QuicVersionLabel CreateQuicVersionLabel(ParsedQuicVersion parsed_version) {
       }
       return MakeVersionLabel(proto, '0', '9', '9');
     case QUIC_VERSION_RESERVED_FOR_NEGOTIATION:
-      return MakeVersionLabel(0xda, 0x5a, 0x3a, 0x3a);
+      return CreateRandomVersionLabelForNegotiation();
     default:
-      // This shold be an ERROR because we should never attempt to convert an
-      // invalid QuicTransportVersion to be written to the wire.
-      QUIC_LOG(ERROR) << "Unsupported QuicTransportVersion: "
-                      << parsed_version.transport_version;
+      // This is a bug because we should never attempt to convert an invalid
+      // QuicTransportVersion to be written to the wire.
+      QUIC_BUG << "Unsupported QuicTransportVersion: "
+               << parsed_version.transport_version;
       return 0;
   }
 }
@@ -120,10 +152,8 @@ QuicVersionLabelVector CreateQuicVersionLabelVector(
 }
 
 ParsedQuicVersion ParseQuicVersionLabel(QuicVersionLabel version_label) {
-  std::vector<HandshakeProtocol> protocols = {PROTOCOL_QUIC_CRYPTO};
-  if (GetQuicFlag(FLAGS_quic_supports_tls_handshake)) {
-    protocols.push_back(PROTOCOL_TLS1_3);
-  }
+  std::vector<HandshakeProtocol> protocols = {PROTOCOL_QUIC_CRYPTO,
+                                              PROTOCOL_TLS1_3};
   for (QuicTransportVersion version : kSupportedTransportVersions) {
     for (HandshakeProtocol handshake : protocols) {
       if (version_label ==
@@ -185,15 +215,10 @@ QuicTransportVersionVector AllSupportedTransportVersions() {
 ParsedQuicVersionVector AllSupportedVersions() {
   ParsedQuicVersionVector supported_versions;
   for (HandshakeProtocol protocol : kSupportedHandshakeProtocols) {
-    if (protocol == PROTOCOL_TLS1_3 &&
-        !GetQuicFlag(FLAGS_quic_supports_tls_handshake)) {
-      continue;
-    }
     for (QuicTransportVersion version : kSupportedTransportVersions) {
       if (protocol == PROTOCOL_TLS1_3 &&
           !QuicVersionUsesCryptoFrames(version)) {
-        // The TLS handshake is only deployable if CRYPTO frames are also used,
-        // which are added in v47.
+        // The TLS handshake is only deployable if CRYPTO frames are also used.
         continue;
       }
       supported_versions.push_back(ParsedQuicVersion(protocol, version));
@@ -232,26 +257,24 @@ ParsedQuicVersionVector FilterSupportedVersions(
   ParsedQuicVersionVector filtered_versions;
   filtered_versions.reserve(versions.size());
   for (ParsedQuicVersion version : versions) {
+    if (version.handshake_protocol == PROTOCOL_TLS1_3 &&
+        !GetQuicFlag(FLAGS_quic_supports_tls_handshake)) {
+      continue;
+    }
     if (version.transport_version == QUIC_VERSION_99) {
-      if (GetQuicReloadableFlag(quic_enable_version_99) &&
-          GetQuicReloadableFlag(quic_enable_version_47) &&
-          GetQuicReloadableFlag(quic_enable_version_46) &&
-          GetQuicReloadableFlag(quic_enable_version_44)) {
+      if (GetQuicReloadableFlag(quic_enable_version_99)) {
         filtered_versions.push_back(version);
       }
-    } else if (version.transport_version == QUIC_VERSION_47) {
-      if (GetQuicReloadableFlag(quic_enable_version_47) &&
-          GetQuicReloadableFlag(quic_enable_version_46) &&
-          GetQuicReloadableFlag(quic_enable_version_44)) {
+    } else if (version.transport_version == QUIC_VERSION_48) {
+      if (GetQuicReloadableFlag(quic_enable_version_48)) {
         filtered_versions.push_back(version);
       }
-    } else if (version.transport_version == QUIC_VERSION_46) {
-      if (GetQuicReloadableFlag(quic_enable_version_46) &&
-          GetQuicReloadableFlag(quic_enable_version_44)) {
+    } else if (version.transport_version == QUIC_VERSION_47) {
+      if (GetQuicReloadableFlag(quic_enable_version_47)) {
         filtered_versions.push_back(version);
       }
     } else if (version.transport_version == QUIC_VERSION_44) {
-      if (GetQuicReloadableFlag(quic_enable_version_44)) {
+      if (!GetQuicReloadableFlag(quic_disable_version_44)) {
         filtered_versions.push_back(version);
       }
     } else if (version.transport_version == QUIC_VERSION_39) {
@@ -351,6 +374,7 @@ std::string QuicVersionToString(QuicTransportVersion transport_version) {
     RETURN_STRING_LITERAL(QUIC_VERSION_44);
     RETURN_STRING_LITERAL(QUIC_VERSION_46);
     RETURN_STRING_LITERAL(QUIC_VERSION_47);
+    RETURN_STRING_LITERAL(QUIC_VERSION_48);
     RETURN_STRING_LITERAL(QUIC_VERSION_99);
     default:
       return "QUIC_VERSION_UNSUPPORTED";
@@ -358,6 +382,9 @@ std::string QuicVersionToString(QuicTransportVersion transport_version) {
 }
 
 std::string ParsedQuicVersionToString(ParsedQuicVersion version) {
+  if (version == UnsupportedQuicVersion()) {
+    return "0";
+  }
   return QuicVersionLabelToString(CreateQuicVersionLabel(version));
 }
 
@@ -424,43 +451,27 @@ void QuicVersionInitializeSupportForIetfDraft(int32_t draft_version) {
 
   // Enable necessary flags.
   SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
-  SetQuicReloadableFlag(quic_deprecate_ack_bundling_mode, true);
-  SetQuicReloadableFlag(quic_rpm_decides_when_to_send_acks, true);
-  SetQuicReloadableFlag(quic_use_uber_loss_algorithm, true);
-  SetQuicReloadableFlag(quic_use_uber_received_packet_manager, true);
-  SetQuicReloadableFlag(quic_validate_packet_number_post_decryption, true);
-  SetQuicReloadableFlag(quic_print_tag_hex, true);
-  SetQuicReloadableFlag(quic_send_version_negotiation_fixed_bit, true);
-  SetQuicReloadableFlag(quic_no_client_conn_ver_negotiation, true);
-  SetQuicReloadableFlag(quic_eliminate_static_stream_map_3, true);
-  SetQuicReloadableFlag(quic_tolerate_reneging, true);
+  SetQuicFlag(FLAGS_quic_headers_stream_id_in_v99, 60);
   SetQuicReloadableFlag(quic_simplify_stop_waiting, true);
-  SetQuicRestartFlag(quic_no_server_conn_ver_negotiation2, true);
-  SetQuicRestartFlag(quic_server_drop_version_negotiation, true);
-  SetQuicRestartFlag(quic_enable_accept_random_ipn, true);
-  SetQuicRestartFlag(quic_allow_variable_length_connection_id_for_negotiation,
-                     true);
   SetQuicRestartFlag(quic_do_not_override_connection_id, true);
-  SetQuicRestartFlag(quic_no_framer_object_in_dispatcher, true);
+  SetQuicRestartFlag(quic_use_allocated_connection_ids, true);
+  SetQuicRestartFlag(quic_dispatcher_hands_chlo_extractor_one_version, true);
 }
 
 void QuicEnableVersion(ParsedQuicVersion parsed_version) {
   if (parsed_version.handshake_protocol == PROTOCOL_TLS1_3) {
     SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
   }
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 7u,
                 "Supported versions out of sync");
-  if (parsed_version.transport_version >= QUIC_VERSION_99) {
+  if (parsed_version.transport_version == QUIC_VERSION_99) {
     SetQuicReloadableFlag(quic_enable_version_99, true);
   }
-  if (parsed_version.transport_version >= QUIC_VERSION_47) {
-    SetQuicReloadableFlag(quic_enable_version_47, true);
-  }
-  if (parsed_version.transport_version >= QUIC_VERSION_46) {
-    SetQuicReloadableFlag(quic_enable_version_46, true);
+  if (parsed_version.transport_version == QUIC_VERSION_48) {
+    SetQuicReloadableFlag(quic_enable_version_48, true);
   }
-  if (parsed_version.transport_version >= QUIC_VERSION_44) {
-    SetQuicReloadableFlag(quic_enable_version_44, true);
+  if (parsed_version.transport_version == QUIC_VERSION_47) {
+    SetQuicReloadableFlag(quic_enable_version_47, true);
   }
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_versions.h b/chromium/net/third_party/quiche/src/quic/core/quic_versions.h
index 0a368dfc0bb..72bb32ca4ba 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_versions.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_versions.h
@@ -104,12 +104,15 @@ enum QuicTransportVersion {
   QUIC_VERSION_46 = 46,  // Use IETF draft-17 header format with demultiplexing
                          // bit.
   QUIC_VERSION_47 = 47,  // Allow variable-length QUIC connection IDs.
+  QUIC_VERSION_48 = 48,  // Use CRYPTO frames for the handshake.
   QUIC_VERSION_99 = 99,  // Dumping ground for IETF QUIC changes which are not
                          // yet ready for production.
-  // QUIC_VERSION_RESERVED_FOR_NEGOTIATION is sent over the wire as da5a3a3a
+  // QUIC_VERSION_RESERVED_FOR_NEGOTIATION is sent over the wire as ?a?a?a?a
   // which is part of a range reserved by the IETF for version negotiation
-  // testing. It is intentionally meant to never be supported by servers to
-  // trigger version negotiation when proposed by clients.
+  // testing (see the "Versions" section of draft-ietf-quic-transport).
+  // This version is intentionally meant to never be supported to trigger
+  // version negotiation when proposed by clients and to prevent client
+  // ossification when sent by servers.
   QUIC_VERSION_RESERVED_FOR_NEGOTIATION = 999,
 };
 
@@ -163,8 +166,15 @@ struct QUIC_EXPORT_PRIVATE ParsedQuicVersion {
   // Returns whether this version supports IETF RETRY packets.
   bool SupportsRetry() const;
 
+  // Returns true if this version sends variable length packet number in long
+  // header.
+  bool SendsVariableLengthPacketNumberInLongHeader() const;
+
   // Returns whether this version supports client connection ID.
   bool SupportsClientConnectionIds() const;
+
+  // Returns whether this version does not have the Google QUIC headers stream.
+  bool DoesNotHaveHeadersStream() const;
 };
 
 QUIC_EXPORT_PRIVATE ParsedQuicVersion UnsupportedQuicVersion();
@@ -188,7 +198,7 @@ using QuicVersionLabelVector = std::vector<QuicVersionLabel>;
 //
 // See go/new-quic-version for more details on how to roll out new versions.
 static const QuicTransportVersion kSupportedTransportVersions[] = {
-    QUIC_VERSION_99, QUIC_VERSION_47, QUIC_VERSION_46,
+    QUIC_VERSION_99, QUIC_VERSION_48, QUIC_VERSION_47, QUIC_VERSION_46,
     QUIC_VERSION_44, QUIC_VERSION_43, QUIC_VERSION_39,
 };
 
@@ -336,6 +346,18 @@ QUIC_EXPORT_PRIVATE inline std::string ParsedQuicVersionVectorToString(
                                          std::numeric_limits<size_t>::max());
 }
 
+// Returns true if |transport_version| uses IETF invariant headers.
+QUIC_EXPORT_PRIVATE inline bool VersionHasIetfInvariantHeader(
+    QuicTransportVersion transport_version) {
+  return transport_version > QUIC_VERSION_43;
+}
+
+// Returns true if |transport_version| supports MESSAGE frames.
+QUIC_EXPORT_PRIVATE inline bool VersionSupportsMessageFrames(
+    QuicTransportVersion transport_version) {
+  return transport_version > QUIC_VERSION_44;
+}
+
 // Returns true if QuicSpdyStream encodes body using HTTP/3 specification and
 // sends data frame header along with body.
 QUIC_EXPORT_PRIVATE inline bool VersionHasDataFrameHeader(
@@ -343,6 +365,12 @@ QUIC_EXPORT_PRIVATE inline bool VersionHasDataFrameHeader(
   return transport_version == QUIC_VERSION_99;
 }
 
+// Returns whether |transport_version| has HTTP/3 unidirectional stream type.
+QUIC_EXPORT_PRIVATE inline bool VersionHasStreamType(
+    QuicTransportVersion transport_version) {
+  return transport_version == QUIC_VERSION_99;
+}
+
 // If true:
 // * QuicSpdySession instantiates a QPACK encoder and decoder;
 // * HEADERS frames (containing headers or trailers) are sent on
@@ -365,6 +393,7 @@ QUIC_EXPORT_PRIVATE inline bool VersionUsesQpack(
   const bool uses_qpack = (transport_version == QUIC_VERSION_99);
   if (uses_qpack) {
     DCHECK(VersionHasDataFrameHeader(transport_version));
+    DCHECK(VersionHasStreamType(transport_version));
   }
   return uses_qpack;
 }
@@ -382,13 +411,19 @@ QUIC_EXPORT_PRIVATE inline bool QuicVersionHasLongHeaderLengths(
 // instead of stream 1.
 QUIC_EXPORT_PRIVATE inline bool QuicVersionUsesCryptoFrames(
     QuicTransportVersion transport_version) {
-  return transport_version == QUIC_VERSION_99;
+  return transport_version >= QUIC_VERSION_48;
 }
 
-// Returns whether |transport_version| has HTTP/3 stream type.
-QUIC_EXPORT_PRIVATE inline bool VersionHasStreamType(
+// Returns whether |transport_version| does not have the
+// Google QUIC headers stream.
+QUIC_EXPORT_PRIVATE bool VersionLacksHeadersStream(
+    QuicTransportVersion transport_version);
+
+// Returns whether |transport_version| makes use of IETF QUIC
+// frames or not.
+QUIC_EXPORT_PRIVATE inline bool VersionHasIetfQuicFrames(
     QuicTransportVersion transport_version) {
-  return transport_version == QUIC_VERSION_99;
+  return transport_version >= QUIC_VERSION_99;
 }
 
 // Returns the ALPN string to use in TLS for this version of QUIC.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_versions_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_versions_test.cc
index c19e621fd0a..016ae5f5ca6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_versions_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_versions_test.cc
@@ -5,6 +5,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_versions.h"
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_mock_log.h"
@@ -47,18 +48,8 @@ TEST_F(QuicVersionsTest, QuicVersionToQuicVersionLabel) {
 }
 
 TEST_F(QuicVersionsTest, QuicVersionToQuicVersionLabelUnsupported) {
-  // TODO(rjshade): Change to DFATAL once we actually support multiple versions,
-  // and QuicConnectionTest::SendVersionNegotiationPacket can be changed to use
-  // mis-matched versions rather than relying on QUIC_VERSION_UNSUPPORTED.
-  CREATE_QUIC_MOCK_LOG(log);
-  log.StartCapturingLogs();
-
-  if (QUIC_LOG_ERROR_IS_ON()) {
-    EXPECT_QUIC_LOG_CALL_CONTAINS(log, ERROR,
-                                  "Unsupported QuicTransportVersion: 0");
-  }
-
-  EXPECT_EQ(0u, QuicVersionToQuicVersionLabel(QUIC_VERSION_UNSUPPORTED));
+  EXPECT_QUIC_BUG(QuicVersionToQuicVersionLabel(QUIC_VERSION_UNSUPPORTED),
+                  "Unsupported QuicTransportVersion: 0");
 }
 
 TEST_F(QuicVersionsTest, QuicVersionLabelToQuicTransportVersion) {
@@ -116,17 +107,8 @@ TEST_F(QuicVersionsTest, QuicVersionLabelToHandshakeProtocol) {
   }
 
   // Test a TLS version:
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
   QuicTag tls_tag = MakeQuicTag('3', '4', '0', 'T');
   EXPECT_EQ(PROTOCOL_TLS1_3, QuicVersionLabelToHandshakeProtocol(tls_tag));
-
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, false);
-  if (QUIC_DLOG_INFO_IS_ON()) {
-    EXPECT_QUIC_LOG_CALL_CONTAINS(log, INFO,
-                                  "Unsupported QuicVersionLabel version: T043")
-        .Times(1);
-  }
-  EXPECT_EQ(PROTOCOL_UNSUPPORTED, QuicVersionLabelToHandshakeProtocol(tls_tag));
 }
 
 TEST_F(QuicVersionsTest, ParseQuicVersionLabel) {
@@ -140,9 +122,10 @@ TEST_F(QuicVersionsTest, ParseQuicVersionLabel) {
             ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '4', '6')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47),
             ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '4', '7')));
+  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48),
+            ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '4', '8')));
 
-  // Test a TLS version:
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
+  // Test TLS versions:
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_39),
             ParseQuicVersionLabel(MakeVersionLabel('T', '0', '3', '9')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_43),
@@ -153,22 +136,8 @@ TEST_F(QuicVersionsTest, ParseQuicVersionLabel) {
             ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '6')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47),
             ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '7')));
-
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, false);
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '3', '5')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '3', '9')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '3')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '4')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '5')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '6')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '7')));
+  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48),
+            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '8')));
 }
 
 TEST_F(QuicVersionsTest, ParseQuicVersionString) {
@@ -182,6 +151,8 @@ TEST_F(QuicVersionsTest, ParseQuicVersionString) {
             ParseQuicVersionString("Q046"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47),
             ParseQuicVersionString("Q047"));
+  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48),
+            ParseQuicVersionString("Q048"));
 
   EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString(""));
   EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("Q 47"));
@@ -199,15 +170,8 @@ TEST_F(QuicVersionsTest, ParseQuicVersionString) {
             ParseQuicVersionString("T046"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47),
             ParseQuicVersionString("T047"));
-
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, false);
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("T035"));
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("T039"));
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("T043"));
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("T044"));
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("T045"));
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("T046"));
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("T047"));
+  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48),
+            ParseQuicVersionString("T048"));
 }
 
 TEST_F(QuicVersionsTest, CreateQuicVersionLabel) {
@@ -226,9 +190,11 @@ TEST_F(QuicVersionsTest, CreateQuicVersionLabel) {
   EXPECT_EQ(MakeVersionLabel('Q', '0', '4', '7'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47)));
+  EXPECT_EQ(MakeVersionLabel('Q', '0', '4', '8'),
+            CreateQuicVersionLabel(
+                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48)));
 
   // Test a TLS version:
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
   EXPECT_EQ(MakeVersionLabel('T', '0', '3', '9'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_39)));
@@ -244,20 +210,21 @@ TEST_F(QuicVersionsTest, CreateQuicVersionLabel) {
   EXPECT_EQ(MakeVersionLabel('T', '0', '4', '7'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47)));
-
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, false);
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '3', '5')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '3', '9')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '3')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '4')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '6')));
-  EXPECT_EQ(UnsupportedQuicVersion(),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '7')));
+  EXPECT_EQ(MakeVersionLabel('T', '0', '4', '8'),
+            CreateQuicVersionLabel(
+                ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48)));
+
+  // Make sure the negotiation reserved version is in the IETF reserved space.
+  EXPECT_EQ(MakeVersionLabel(0xda, 0x5a, 0x3a, 0x3a) & 0x0f0f0f0f,
+            CreateQuicVersionLabel(ParsedQuicVersion(
+                PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_RESERVED_FOR_NEGOTIATION)) &
+                0x0f0f0f0f);
+
+  // Make sure that disabling randomness works.
+  SetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness, true);
+  EXPECT_EQ(MakeVersionLabel(0xda, 0x5a, 0x3a, 0x3a),
+            CreateQuicVersionLabel(ParsedQuicVersion(
+                PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_RESERVED_FOR_NEGOTIATION)));
 }
 
 TEST_F(QuicVersionsTest, QuicVersionLabelToString) {
@@ -323,7 +290,6 @@ TEST_F(QuicVersionsTest, ParsedQuicVersionToString) {
 
   // Make sure that all supported versions are present in
   // ParsedQuicVersionToString.
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
   for (QuicTransportVersion transport_version : kSupportedTransportVersions) {
     for (HandshakeProtocol protocol : kSupportedHandshakeProtocols) {
       EXPECT_NE("0", ParsedQuicVersionToString(
@@ -342,16 +308,16 @@ TEST_F(QuicVersionsTest, AllSupportedTransportVersions) {
 TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsAllVersions) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_44, true);
-  SetQuicReloadableFlag(quic_enable_version_46, true);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
   SetQuicReloadableFlag(quic_enable_version_47, true);
+  SetQuicReloadableFlag(quic_enable_version_48, true);
   SetQuicReloadableFlag(quic_enable_version_99, true);
   ParsedQuicVersionVector parsed_versions;
   for (QuicTransportVersion version : all_versions) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
   QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_99, QUIC_VERSION_47, QUIC_VERSION_46,
+      QUIC_VERSION_99, QUIC_VERSION_48, QUIC_VERSION_47, QUIC_VERSION_46,
       QUIC_VERSION_44, QUIC_VERSION_43, QUIC_VERSION_39};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
@@ -366,17 +332,17 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsAllVersions) {
 TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo99) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_44, true);
-  SetQuicReloadableFlag(quic_enable_version_46, true);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
   SetQuicReloadableFlag(quic_enable_version_47, true);
+  SetQuicReloadableFlag(quic_enable_version_48, true);
   SetQuicReloadableFlag(quic_enable_version_99, false);
   ParsedQuicVersionVector parsed_versions;
   for (QuicTransportVersion version : all_versions) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
   QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_47, QUIC_VERSION_46, QUIC_VERSION_44, QUIC_VERSION_43,
-      QUIC_VERSION_39};
+      QUIC_VERSION_48, QUIC_VERSION_47, QUIC_VERSION_46,
+      QUIC_VERSION_44, QUIC_VERSION_43, QUIC_VERSION_39};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -387,19 +353,20 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo99) {
   ASSERT_EQ(expected_parsed_versions, FilterSupportedVersions(parsed_versions));
 }
 
-TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo47) {
+TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo48) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_44, true);
-  SetQuicReloadableFlag(quic_enable_version_46, true);
-  SetQuicReloadableFlag(quic_enable_version_47, false);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
+  SetQuicReloadableFlag(quic_enable_version_47, true);
+  SetQuicReloadableFlag(quic_enable_version_48, false);
   SetQuicReloadableFlag(quic_enable_version_99, false);
   ParsedQuicVersionVector parsed_versions;
   for (QuicTransportVersion version : all_versions) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
   QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_46, QUIC_VERSION_44, QUIC_VERSION_43, QUIC_VERSION_39};
+      QUIC_VERSION_47, QUIC_VERSION_46, QUIC_VERSION_44, QUIC_VERSION_43,
+      QUIC_VERSION_39};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -410,19 +377,19 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo47) {
   ASSERT_EQ(expected_parsed_versions, FilterSupportedVersions(parsed_versions));
 }
 
-TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo46) {
+TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo47) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_44, true);
-  SetQuicReloadableFlag(quic_enable_version_46, false);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
   SetQuicReloadableFlag(quic_enable_version_47, false);
+  SetQuicReloadableFlag(quic_enable_version_48, false);
   SetQuicReloadableFlag(quic_enable_version_99, false);
   ParsedQuicVersionVector parsed_versions;
   for (QuicTransportVersion version : all_versions) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
   QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_44, QUIC_VERSION_43, QUIC_VERSION_39};
+      QUIC_VERSION_46, QUIC_VERSION_44, QUIC_VERSION_43, QUIC_VERSION_39};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -436,16 +403,16 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo46) {
 TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo44) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_44, false);
-  SetQuicReloadableFlag(quic_enable_version_46, false);
+  SetQuicReloadableFlag(quic_disable_version_44, true);
   SetQuicReloadableFlag(quic_enable_version_47, false);
+  SetQuicReloadableFlag(quic_enable_version_48, false);
   SetQuicReloadableFlag(quic_enable_version_99, false);
   ParsedQuicVersionVector parsed_versions;
   for (QuicTransportVersion version : all_versions) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
-  QuicTransportVersionVector expected_versions = {QUIC_VERSION_43,
-                                                  QUIC_VERSION_39};
+  QuicTransportVersionVector expected_versions = {
+      QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -459,15 +426,16 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo44) {
 TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo39) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
   SetQuicReloadableFlag(quic_disable_version_39, true);
-  SetQuicReloadableFlag(quic_enable_version_44, false);
-  SetQuicReloadableFlag(quic_enable_version_46, false);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
   SetQuicReloadableFlag(quic_enable_version_47, false);
+  SetQuicReloadableFlag(quic_enable_version_48, false);
   SetQuicReloadableFlag(quic_enable_version_99, false);
   ParsedQuicVersionVector parsed_versions;
   for (QuicTransportVersion version : all_versions) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
-  QuicTransportVersionVector expected_versions = {QUIC_VERSION_43};
+  QuicTransportVersionVector expected_versions = {
+      QUIC_VERSION_46, QUIC_VERSION_44, QUIC_VERSION_43};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -517,36 +485,39 @@ TEST_F(QuicVersionsTest, ParsedVersionsToTransportVersions) {
 // yet a typo was made in doing the #defines and it was caught
 // only in some test far removed from here... Better safe than sorry.
 TEST_F(QuicVersionsTest, CheckVersionNumbersForTypos) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 7u,
                 "Supported versions out of sync");
   EXPECT_EQ(QUIC_VERSION_39, 39);
   EXPECT_EQ(QUIC_VERSION_43, 43);
   EXPECT_EQ(QUIC_VERSION_44, 44);
   EXPECT_EQ(QUIC_VERSION_46, 46);
   EXPECT_EQ(QUIC_VERSION_47, 47);
+  EXPECT_EQ(QUIC_VERSION_48, 48);
   EXPECT_EQ(QUIC_VERSION_99, 99);
 }
 
 TEST_F(QuicVersionsTest, AlpnForVersion) {
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
   ParsedQuicVersion parsed_version_q047 =
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47);
   ParsedQuicVersion parsed_version_t047 =
       ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47);
+  ParsedQuicVersion parsed_version_q048 =
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48);
+  ParsedQuicVersion parsed_version_t048 =
+      ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48);
   ParsedQuicVersion parsed_version_t099 =
       ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99);
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, false);
 
   EXPECT_EQ("h3-google-Q047", AlpnForVersion(parsed_version_q047));
   EXPECT_EQ("h3-google-T047", AlpnForVersion(parsed_version_t047));
+  EXPECT_EQ("h3-google-Q048", AlpnForVersion(parsed_version_q048));
+  EXPECT_EQ("h3-google-T048", AlpnForVersion(parsed_version_t048));
   EXPECT_EQ("h3-google-T099", AlpnForVersion(parsed_version_t099));
 }
 
 TEST_F(QuicVersionsTest, InitializeSupportForIetfDraft) {
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
   ParsedQuicVersion parsed_version_t099 =
       ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99);
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, false);
   EXPECT_EQ(MakeVersionLabel('T', '0', '9', '9'),
             CreateQuicVersionLabel(parsed_version_t099));
   EXPECT_EQ("h3-google-T099", AlpnForVersion(parsed_version_t099));
@@ -575,29 +546,63 @@ TEST_F(QuicVersionsTest, QuicEnableVersion) {
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47);
   ParsedQuicVersion parsed_version_t047 =
       ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47);
+  ParsedQuicVersion parsed_version_q048 =
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48);
+  ParsedQuicVersion parsed_version_t048 =
+      ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48);
   ParsedQuicVersion parsed_version_t099 =
       ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99);
   SetQuicFlag(FLAGS_quic_supports_tls_handshake, false);
   SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_44, true);
-  SetQuicReloadableFlag(quic_enable_version_46, true);
+  SetQuicReloadableFlag(quic_disable_version_44, false);
   SetQuicReloadableFlag(quic_enable_version_47, false);
+  SetQuicReloadableFlag(quic_enable_version_48, false);
   SetQuicReloadableFlag(quic_enable_version_99, false);
 
-  QuicEnableVersion(parsed_version_q047);
-  EXPECT_FALSE(GetQuicFlag(FLAGS_quic_supports_tls_handshake));
-  EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_47));
-  EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
+  {
+    QuicFlagSaver flag_saver;
+    QuicEnableVersion(parsed_version_q047);
+    EXPECT_FALSE(GetQuicFlag(FLAGS_quic_supports_tls_handshake));
+    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_47));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
+  }
 
-  QuicEnableVersion(parsed_version_t047);
-  EXPECT_TRUE(GetQuicFlag(FLAGS_quic_supports_tls_handshake));
-  EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_47));
-  EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
+  {
+    QuicFlagSaver flag_saver;
+    QuicEnableVersion(parsed_version_t047);
+    EXPECT_TRUE(GetQuicFlag(FLAGS_quic_supports_tls_handshake));
+    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_47));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
+  }
 
-  QuicEnableVersion(parsed_version_t099);
-  EXPECT_TRUE(GetQuicFlag(FLAGS_quic_supports_tls_handshake));
-  EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_47));
-  EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_99));
+  {
+    QuicFlagSaver flag_saver;
+    QuicEnableVersion(parsed_version_q048);
+    EXPECT_FALSE(GetQuicFlag(FLAGS_quic_supports_tls_handshake));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
+    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_48));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
+  }
+
+  {
+    QuicFlagSaver flag_saver;
+    QuicEnableVersion(parsed_version_t048);
+    EXPECT_TRUE(GetQuicFlag(FLAGS_quic_supports_tls_handshake));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
+    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_48));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
+  }
+
+  {
+    QuicFlagSaver flag_saver;
+    QuicEnableVersion(parsed_version_t099);
+    EXPECT_TRUE(GetQuicFlag(FLAGS_quic_supports_tls_handshake));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
+    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48));
+    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_99));
+  }
 }
 
 TEST_F(QuicVersionsTest, ReservedForNegotiation) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/session_notifier_interface.h b/chromium/net/third_party/quiche/src/quic/core/session_notifier_interface.h
index 83fc0f1985e..89b4a9c28f1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/session_notifier_interface.h
+++ b/chromium/net/third_party/quiche/src/quic/core/session_notifier_interface.h
@@ -19,7 +19,8 @@ class QUIC_EXPORT_PRIVATE SessionNotifierInterface {
   // Called when |frame| is acked. Returns true if any new data gets acked,
   // returns false otherwise.
   virtual bool OnFrameAcked(const QuicFrame& frame,
-                            QuicTime::Delta ack_delay_time) = 0;
+                            QuicTime::Delta ack_delay_time,
+                            QuicTime receive_timestamp) = 0;
 
   // Called when |frame| is retransmitted.
   virtual void OnStreamFrameRetransmitted(const QuicStreamFrame& frame) = 0;
@@ -36,6 +37,9 @@ class QUIC_EXPORT_PRIVATE SessionNotifierInterface {
 
   // Returns true if crypto stream is waiting for acks.
   virtual bool HasUnackedCryptoData() const = 0;
+
+  // Returns true if any stream is waiting for acks.
+  virtual bool HasUnackedStreamData() const = 0;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.cc
index db1f6b480d6..d6fc038639e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.cc
@@ -23,7 +23,7 @@ TlsClientHandshaker::ProofVerifierCallbackImpl::~ProofVerifierCallbackImpl() {}
 
 void TlsClientHandshaker::ProofVerifierCallbackImpl::Run(
     bool ok,
-    const std::string& error_details,
+    const std::string& /*error_details*/,
     std::unique_ptr<ProofVerifyDetails>* details) {
   if (parent_ == nullptr) {
     return;
@@ -53,7 +53,8 @@ TlsClientHandshaker::TlsClientHandshaker(
       proof_verifier_(proof_verifier),
       verify_context_(std::move(verify_context)),
       user_agent_id_(user_agent_id),
-      crypto_negotiated_params_(new QuicCryptoNegotiatedParameters) {}
+      crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
+      tls_connection_(ssl_ctx, this) {}
 
 TlsClientHandshaker::~TlsClientHandshaker() {
   if (proof_verify_callback_) {
@@ -63,25 +64,11 @@ TlsClientHandshaker::~TlsClientHandshaker() {
 
 // static
 bssl::UniquePtr<SSL_CTX> TlsClientHandshaker::CreateSslCtx() {
-  return TlsHandshaker::CreateSslCtx();
+  return TlsClientConnection::CreateSslCtx();
 }
 
 bool TlsClientHandshaker::CryptoConnect() {
-  CrypterPair crypters;
-  CryptoUtils::CreateTlsInitialCrypters(
-      Perspective::IS_CLIENT, session()->connection()->transport_version(),
-      session()->connection_id(), &crypters);
-  session()->connection()->SetEncrypter(ENCRYPTION_INITIAL,
-                                        std::move(crypters.encrypter));
-  session()->connection()->InstallDecrypter(ENCRYPTION_INITIAL,
-                                            std::move(crypters.decrypter));
   state_ = STATE_HANDSHAKE_RUNNING;
-  // Configure certificate verification.
-  // TODO(nharper): This only verifies certs on initial connection, not on
-  // resumption. Chromium has this callback be a no-op and verifies the
-  // certificate after the connection is complete. We need to re-verify on
-  // resumption in case of expiration or revocation/distrust.
-  SSL_set_custom_verify(ssl(), SSL_VERIFY_PEER, &VerifyCallback);
 
   // Configure the SSL to be a client.
   SSL_set_connect_state(ssl());
@@ -89,8 +76,7 @@ bool TlsClientHandshaker::CryptoConnect() {
     return false;
   }
 
-  std::string alpn_string =
-      AlpnForVersion(session()->supported_versions().front());
+  std::string alpn_string = AlpnForVersion(session()->connection()->version());
   if (alpn_string.length() > std::numeric_limits<uint8_t>::max()) {
     QUIC_BUG << "ALPN too long: '" << alpn_string << "'";
     CloseConnection(QUIC_HANDSHAKE_FAILED, "ALPN too long");
@@ -278,7 +264,7 @@ void TlsClientHandshaker::FinishHandshake() {
     std::string received_alpn_string(reinterpret_cast<const char*>(alpn_data),
                                      alpn_length);
     std::string sent_alpn_string =
-        AlpnForVersion(session()->supported_versions().front());
+        AlpnForVersion(session()->connection()->version());
     if (received_alpn_string != sent_alpn_string) {
       QUIC_LOG(ERROR) << "Client: received mismatched ALPN '"
                       << received_alpn_string << "', expected '"
@@ -298,19 +284,6 @@ void TlsClientHandshaker::FinishHandshake() {
   handshake_confirmed_ = true;
 }
 
-// static
-TlsClientHandshaker* TlsClientHandshaker::HandshakerFromSsl(SSL* ssl) {
-  return static_cast<TlsClientHandshaker*>(
-      TlsHandshaker::HandshakerFromSsl(ssl));
-}
-
-// static
-enum ssl_verify_result_t TlsClientHandshaker::VerifyCallback(
-    SSL* ssl,
-    uint8_t* out_alert) {
-  return HandshakerFromSsl(ssl)->VerifyCert(out_alert);
-}
-
 enum ssl_verify_result_t TlsClientHandshaker::VerifyCert(uint8_t* out_alert) {
   if (verify_result_ != ssl_verify_retry ||
       state_ == STATE_CERT_VERIFY_PENDING) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.h
index 3647e10f084..c22fbe9e8cc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.h
@@ -9,6 +9,7 @@
 
 #include "third_party/boringssl/src/include/openssl/ssl.h"
 #include "net/third_party/quiche/src/quic/core/crypto/proof_verifier.h"
+#include "net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_client_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quic/core/tls_handshaker.h"
@@ -19,8 +20,9 @@ namespace quic {
 // An implementation of QuicCryptoClientStream::HandshakerDelegate which uses
 // TLS 1.3 for the crypto handshake protocol.
 class QUIC_EXPORT_PRIVATE TlsClientHandshaker
-    : public QuicCryptoClientStream::HandshakerDelegate,
-      public TlsHandshaker {
+    : public TlsHandshaker,
+      public QuicCryptoClientStream::HandshakerDelegate,
+      public TlsClientConnection::Delegate {
  public:
   TlsClientHandshaker(QuicCryptoStream* stream,
                       QuicSession* session,
@@ -51,6 +53,17 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
       const override;
   CryptoMessageParser* crypto_message_parser() override;
 
+ protected:
+  TlsConnection* tls_connection() override { return &tls_connection_; }
+
+  void AdvanceHandshake() override;
+  void CloseConnection(QuicErrorCode error,
+                       const std::string& reason_phrase) override;
+
+  // TlsClientConnection::Delegate implementation:
+  enum ssl_verify_result_t VerifyCert(uint8_t* out_alert) override;
+  TlsConnection::Delegate* ConnectionDelegate() override { return this; }
+
  private:
   // ProofVerifierCallbackImpl handles the result of an asynchronous certificate
   // verification operation.
@@ -83,21 +96,6 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
   bool ProcessTransportParameters(std::string* error_details);
   void FinishHandshake();
 
-  void AdvanceHandshake() override;
-  void CloseConnection(QuicErrorCode error,
-                       const std::string& reason_phrase) override;
-
-  // Certificate verification functions:
-
-  enum ssl_verify_result_t VerifyCert(uint8_t* out_alert);
-  // Static method to supply to SSL_set_custom_verify.
-  static enum ssl_verify_result_t VerifyCallback(SSL* ssl, uint8_t* out_alert);
-
-  // Takes an SSL* |ssl| and returns a pointer to the TlsClientHandshaker that
-  // it belongs to. This is a specialization of
-  // TlsHandshaker::HandshakerFromSsl.
-  static TlsClientHandshaker* HandshakerFromSsl(SSL* ssl);
-
   QuicServerId server_id_;
 
   // Objects used for verifying the server's certificate chain.
@@ -119,6 +117,8 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
   bool handshake_confirmed_ = false;
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters>
       crypto_negotiated_params_;
+
+  TlsClientConnection tls_connection_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.cc
index 51602b42daa..db50f5abf2e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.cc
@@ -13,40 +13,12 @@
 
 namespace quic {
 
-namespace {
-
-class SslIndexSingleton {
- public:
-  static SslIndexSingleton* GetInstance() {
-    static SslIndexSingleton* instance = new SslIndexSingleton();
-    return instance;
-  }
-
-  int HandshakerIndex() const { return ssl_ex_data_index_handshaker_; }
-
- private:
-  SslIndexSingleton() {
-    CRYPTO_library_init();
-    ssl_ex_data_index_handshaker_ =
-        SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
-    CHECK_LE(0, ssl_ex_data_index_handshaker_);
-  }
-
-  SslIndexSingleton(const SslIndexSingleton&) = delete;
-  SslIndexSingleton& operator=(const SslIndexSingleton&) = delete;
-
-  int ssl_ex_data_index_handshaker_;
-};
-
-}  // namespace
-
 TlsHandshaker::TlsHandshaker(QuicCryptoStream* stream,
                              QuicSession* session,
-                             SSL_CTX* ssl_ctx)
+                             SSL_CTX* /*ssl_ctx*/)
     : stream_(stream), session_(session) {
-  ssl_.reset(SSL_new(ssl_ctx));
-  SSL_set_ex_data(ssl(), SslIndexSingleton::GetInstance()->HandshakerIndex(),
-                  this);
+  QUIC_BUG_IF(!GetQuicFlag(FLAGS_quic_supports_tls_handshake))
+      << "Attempted to create TLS handshaker when TLS is disabled";
 }
 
 TlsHandshaker::~TlsHandshaker() {}
@@ -60,7 +32,7 @@ bool TlsHandshaker::ProcessInput(QuicStringPiece input, EncryptionLevel level) {
   // just received input at. If they mismatch, should ProcessInput return true
   // or false? If data is for a future encryption level, it should be queued for
   // later?
-  if (SSL_provide_quic_data(ssl(), BoringEncryptionLevel(level),
+  if (SSL_provide_quic_data(ssl(), TlsConnection::BoringEncryptionLevel(level),
                             reinterpret_cast<const uint8_t*>(input.data()),
                             input.size()) != 1) {
     // SSL_provide_quic_data can fail for 3 reasons:
@@ -82,55 +54,6 @@ bool TlsHandshaker::ProcessInput(QuicStringPiece input, EncryptionLevel level) {
   return true;
 }
 
-// static
-bssl::UniquePtr<SSL_CTX> TlsHandshaker::CreateSslCtx() {
-  CRYPTO_library_init();
-  bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_with_buffers_method()));
-  SSL_CTX_set_min_proto_version(ssl_ctx.get(), TLS1_3_VERSION);
-  SSL_CTX_set_max_proto_version(ssl_ctx.get(), TLS1_3_VERSION);
-  SSL_CTX_set_quic_method(ssl_ctx.get(), &kSslQuicMethod);
-  return ssl_ctx;
-}
-
-// static
-TlsHandshaker* TlsHandshaker::HandshakerFromSsl(const SSL* ssl) {
-  return reinterpret_cast<TlsHandshaker*>(SSL_get_ex_data(
-      ssl, SslIndexSingleton::GetInstance()->HandshakerIndex()));
-}
-
-// static
-EncryptionLevel TlsHandshaker::QuicEncryptionLevel(
-    enum ssl_encryption_level_t level) {
-  switch (level) {
-    case ssl_encryption_initial:
-      return ENCRYPTION_INITIAL;
-    case ssl_encryption_early_data:
-      return ENCRYPTION_ZERO_RTT;
-    case ssl_encryption_handshake:
-      return ENCRYPTION_HANDSHAKE;
-    case ssl_encryption_application:
-      return ENCRYPTION_FORWARD_SECURE;
-  }
-}
-
-// static
-enum ssl_encryption_level_t TlsHandshaker::BoringEncryptionLevel(
-    EncryptionLevel level) {
-  switch (level) {
-    case ENCRYPTION_INITIAL:
-      return ssl_encryption_initial;
-    case ENCRYPTION_HANDSHAKE:
-      return ssl_encryption_handshake;
-    case ENCRYPTION_ZERO_RTT:
-      return ssl_encryption_early_data;
-    case ENCRYPTION_FORWARD_SECURE:
-      return ssl_encryption_application;
-    default:
-      QUIC_BUG << "Invalid encryption level " << level;
-      return ssl_encryption_initial;
-  }
-}
-
 const EVP_MD* TlsHandshaker::Prf() {
   return EVP_get_digestbynid(
       SSL_CIPHER_get_prf_nid(SSL_get_pending_cipher(ssl())));
@@ -154,53 +77,6 @@ std::unique_ptr<QuicDecrypter> TlsHandshaker::CreateDecrypter(
   return decrypter;
 }
 
-const SSL_QUIC_METHOD TlsHandshaker::kSslQuicMethod{
-    TlsHandshaker::SetEncryptionSecretCallback,
-    TlsHandshaker::WriteMessageCallback, TlsHandshaker::FlushFlightCallback,
-    TlsHandshaker::SendAlertCallback};
-
-// static
-int TlsHandshaker::SetEncryptionSecretCallback(
-    SSL* ssl,
-    enum ssl_encryption_level_t level,
-    const uint8_t* read_key,
-    const uint8_t* write_key,
-    size_t secret_len) {
-  // TODO(nharper): replace these vectors and memcpys with spans (which
-  // unfortunately doesn't yet exist in quic/platform/api).
-  std::vector<uint8_t> read_secret(secret_len), write_secret(secret_len);
-  memcpy(read_secret.data(), read_key, secret_len);
-  memcpy(write_secret.data(), write_key, secret_len);
-  HandshakerFromSsl(ssl)->SetEncryptionSecret(QuicEncryptionLevel(level),
-                                              read_secret, write_secret);
-  return 1;
-}
-
-// static
-int TlsHandshaker::WriteMessageCallback(SSL* ssl,
-                                        enum ssl_encryption_level_t level,
-                                        const uint8_t* data,
-                                        size_t len) {
-  HandshakerFromSsl(ssl)->WriteMessage(
-      QuicEncryptionLevel(level),
-      QuicStringPiece(reinterpret_cast<const char*>(data), len));
-  return 1;
-}
-
-// static
-int TlsHandshaker::FlushFlightCallback(SSL* ssl) {
-  HandshakerFromSsl(ssl)->FlushFlight();
-  return 1;
-}
-
-// static
-int TlsHandshaker::SendAlertCallback(SSL* ssl,
-                                     enum ssl_encryption_level_t level,
-                                     uint8_t desc) {
-  HandshakerFromSsl(ssl)->SendAlert(QuicEncryptionLevel(level), desc);
-  return 1;
-}
-
 void TlsHandshaker::SetEncryptionSecret(
     EncryptionLevel level,
     const std::vector<uint8_t>& read_secret,
@@ -217,7 +93,7 @@ void TlsHandshaker::WriteMessage(EncryptionLevel level, QuicStringPiece data) {
 
 void TlsHandshaker::FlushFlight() {}
 
-void TlsHandshaker::SendAlert(EncryptionLevel level, uint8_t desc) {
+void TlsHandshaker::SendAlert(EncryptionLevel /*level*/, uint8_t desc) {
   // TODO(nharper): Alerts should be sent on the wire as a 16-bit QUIC error
   // code computed to be 0x100 | desc (draft-ietf-quic-tls-14, section 4.8).
   // This puts it in the range reserved for CRYPTO_ERROR
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.h
index 96589237c92..b4f16e8a3d1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.h
@@ -11,6 +11,7 @@
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_message_parser.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
+#include "net/third_party/quiche/src/quic/core/crypto/tls_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 
@@ -22,7 +23,8 @@ class QuicCryptoStream;
 // provides functionality common to both the client and server, such as moving
 // messages between the TLS stack and the QUIC crypto stream, and handling
 // derivation of secrets.
-class QUIC_EXPORT_PRIVATE TlsHandshaker : public CryptoMessageParser {
+class QUIC_EXPORT_PRIVATE TlsHandshaker : public TlsConnection::Delegate,
+                                          public CryptoMessageParser {
  public:
   // TlsHandshaker does not take ownership of any of its arguments; they must
   // outlive the TlsHandshaker.
@@ -55,21 +57,6 @@ class QUIC_EXPORT_PRIVATE TlsHandshaker : public CryptoMessageParser {
   virtual void CloseConnection(QuicErrorCode error,
                                const std::string& reason_phrase) = 0;
 
-  // Creates an SSL_CTX and configures it with the options that are appropriate
-  // for both client and server. The caller is responsible for ownership of the
-  // newly created struct.
-  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
-
-  // From a given SSL* |ssl|, returns a pointer to the TlsHandshaker that it
-  // belongs to. This is a helper method for implementing callbacks set on an
-  // SSL, as it allows the callback function to find the TlsHandshaker instance
-  // and call an instance method.
-  static TlsHandshaker* HandshakerFromSsl(const SSL* ssl);
-
-  static EncryptionLevel QuicEncryptionLevel(enum ssl_encryption_level_t level);
-  static enum ssl_encryption_level_t BoringEncryptionLevel(
-      EncryptionLevel level);
-
   // Returns the PRF used by the cipher suite negotiated in the TLS handshake.
   const EVP_MD* Prf();
 
@@ -78,35 +65,13 @@ class QUIC_EXPORT_PRIVATE TlsHandshaker : public CryptoMessageParser {
   std::unique_ptr<QuicDecrypter> CreateDecrypter(
       const std::vector<uint8_t>& pp_secret);
 
-  SSL* ssl() { return ssl_.get(); }
+  virtual TlsConnection* tls_connection() = 0;
+
+  SSL* ssl() { return tls_connection()->ssl(); }
+
   QuicCryptoStream* stream() { return stream_; }
   QuicSession* session() { return session_; }
 
- private:
-  // TlsHandshaker implements SSL_QUIC_METHOD, which provides the interface
-  // between BoringSSL's TLS stack and a QUIC implementation.
-  static const SSL_QUIC_METHOD kSslQuicMethod;
-
-  // Pointers to the following 4 functions form |kSslQuicMethod|. Each one
-  // is a wrapper around the corresponding instance method below. The |ssl|
-  // argument is used to look up correct TlsHandshaker instance on which to call
-  // the method. According to the BoringSSL documentation, these functions
-  // return 0 on error and 1 otherwise; here they never error and thus always
-  // return 1.
-  static int SetEncryptionSecretCallback(SSL* ssl,
-                                         enum ssl_encryption_level_t level,
-                                         const uint8_t* read_key,
-                                         const uint8_t* write_key,
-                                         size_t secret_len);
-  static int WriteMessageCallback(SSL* ssl,
-                                  enum ssl_encryption_level_t level,
-                                  const uint8_t* data,
-                                  size_t len);
-  static int FlushFlightCallback(SSL* ssl);
-  static int SendAlertCallback(SSL* ssl,
-                               enum ssl_encryption_level_t level,
-                               uint8_t alert);
-
   // SetEncryptionSecret provides the encryption secret to use at a particular
   // encryption level. The secrets provided here are the ones from the TLS 1.3
   // key schedule (RFC 8446 section 7.1), in particular the handshake traffic
@@ -115,29 +80,28 @@ class QUIC_EXPORT_PRIVATE TlsHandshaker : public CryptoMessageParser {
   // indicates whether it is used for encryption or decryption.
   void SetEncryptionSecret(EncryptionLevel level,
                            const std::vector<uint8_t>& read_secret,
-                           const std::vector<uint8_t>& write_secret);
+                           const std::vector<uint8_t>& write_secret) override;
 
   // WriteMessage is called when there is |data| from the TLS stack ready for
   // the QUIC stack to write in a crypto frame. The data must be transmitted at
   // encryption level |level|.
-  void WriteMessage(EncryptionLevel level, QuicStringPiece data);
+  void WriteMessage(EncryptionLevel level, QuicStringPiece data) override;
 
   // FlushFlight is called to signal that the current flight of
   // messages have all been written (via calls to WriteMessage) and can be
   // flushed to the underlying transport.
-  void FlushFlight();
+  void FlushFlight() override;
 
   // SendAlert causes this TlsHandshaker to close the QUIC connection with an
   // error code corresponding to the TLS alert description |desc|.
-  void SendAlert(EncryptionLevel level, uint8_t desc);
+  void SendAlert(EncryptionLevel level, uint8_t desc) override;
 
+ private:
   QuicCryptoStream* stream_;
   QuicSession* session_;
 
   QuicErrorCode parser_error_ = QUIC_NO_ERROR;
   std::string parser_error_detail_;
-
-  bssl::UniquePtr<SSL> ssl_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker_test.cc b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker_test.cc
index e710d7b166b..f15a2667210 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker_test.cc
@@ -4,6 +4,8 @@
 
 #include <string>
 
+#include "net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h"
+#include "net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
@@ -84,9 +86,9 @@ class FakeProofVerifier : public ProofVerifier {
   // run.
   class FailingProofVerifierCallback : public ProofVerifierCallback {
    public:
-    void Run(bool ok,
-             const std::string& error_details,
-             std::unique_ptr<ProofVerifyDetails>* details) override {
+    void Run(bool /*ok*/,
+             const std::string& /*error_details*/,
+             std::unique_ptr<ProofVerifyDetails>* /*details*/) override {
       FAIL();
     }
   };
@@ -210,7 +212,7 @@ class TestQuicCryptoClientStream : public TestQuicCryptoStream {
   explicit TestQuicCryptoClientStream(QuicSession* session)
       : TestQuicCryptoStream(session),
         proof_verifier_(new FakeProofVerifier),
-        ssl_ctx_(TlsClientHandshaker::CreateSslCtx()),
+        ssl_ctx_(TlsClientConnection::CreateSslCtx()),
         handshaker_(new TlsClientHandshaker(
             this,
             session,
@@ -242,7 +244,7 @@ class TestQuicCryptoServerStream : public TestQuicCryptoStream {
                              FakeProofSource* proof_source)
       : TestQuicCryptoStream(session),
         proof_source_(proof_source),
-        ssl_ctx_(TlsServerHandshaker::CreateSslCtx()),
+        ssl_ctx_(TlsServerConnection::CreateSslCtx()),
         handshaker_(new TlsServerHandshaker(this,
                                             session,
                                             ssl_ctx_.get(),
@@ -273,33 +275,22 @@ void ExchangeHandshakeMessages(TestQuicCryptoStream* client,
   }
 }
 
-ParsedQuicVersionVector AllTlsSupportedVersions() {
-  SetQuicReloadableFlag(quic_enable_version_99, true);
-  SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
-  ParsedQuicVersionVector supported_versions;
-  for (QuicTransportVersion version : kSupportedTransportVersions) {
-    if (!QuicVersionUsesCryptoFrames(version)) {
-      // The TLS handshake is only deployable if CRYPTO frames are also used.
-      continue;
-    }
-    supported_versions.push_back(ParsedQuicVersion(PROTOCOL_TLS1_3, version));
-  }
-  return supported_versions;
-}
-
 class TlsHandshakerTest : public QuicTest {
  public:
   TlsHandshakerTest()
-      : client_conn_(new MockQuicConnection(&conn_helper_,
-                                            &alarm_factory_,
-                                            Perspective::IS_CLIENT,
-                                            AllTlsSupportedVersions())),
-        server_conn_(new MockQuicConnection(&conn_helper_,
-                                            &alarm_factory_,
-                                            Perspective::IS_SERVER,
-                                            AllTlsSupportedVersions())),
+      : client_conn_(new MockQuicConnection(
+            &conn_helper_,
+            &alarm_factory_,
+            Perspective::IS_CLIENT,
+            {ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99)})),
+        server_conn_(new MockQuicConnection(
+            &conn_helper_,
+            &alarm_factory_,
+            Perspective::IS_SERVER,
+            {ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99)})),
         client_session_(client_conn_, /*create_mock_crypto_stream=*/false),
         server_session_(server_conn_, /*create_mock_crypto_stream=*/false) {
+    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     client_stream_ = new TestQuicCryptoClientStream(&client_session_);
     client_session_.SetCryptoStream(client_stream_);
     server_stream_ =
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.cc
index ca56e4dd3d2..81721041847 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.cc
@@ -40,20 +40,9 @@ void TlsServerHandshaker::SignatureCallback::Cancel() {
   handshaker_ = nullptr;
 }
 
-const SSL_PRIVATE_KEY_METHOD TlsServerHandshaker::kPrivateKeyMethod{
-    &TlsServerHandshaker::PrivateKeySign,
-    nullptr,  // decrypt
-    &TlsServerHandshaker::PrivateKeyComplete,
-};
-
 // static
 bssl::UniquePtr<SSL_CTX> TlsServerHandshaker::CreateSslCtx() {
-  bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsHandshaker::CreateSslCtx();
-  SSL_CTX_set_tlsext_servername_callback(
-      ssl_ctx.get(), TlsServerHandshaker::SelectCertificateCallback);
-  SSL_CTX_set_alpn_select_cb(ssl_ctx.get(),
-                             TlsServerHandshaker::SelectAlpnCallback, nullptr);
-  return ssl_ctx;
+  return TlsServerConnection::CreateSslCtx();
 }
 
 TlsServerHandshaker::TlsServerHandshaker(QuicCryptoStream* stream,
@@ -62,17 +51,10 @@ TlsServerHandshaker::TlsServerHandshaker(QuicCryptoStream* stream,
                                          ProofSource* proof_source)
     : TlsHandshaker(stream, session, ssl_ctx),
       proof_source_(proof_source),
-      crypto_negotiated_params_(new QuicCryptoNegotiatedParameters) {
+      crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
+      tls_connection_(ssl_ctx, this) {
   DCHECK_EQ(PROTOCOL_TLS1_3,
             session->connection()->version().handshake_protocol);
-  CrypterPair crypters;
-  CryptoUtils::CreateTlsInitialCrypters(
-      Perspective::IS_SERVER, session->connection()->transport_version(),
-      session->connection_id(), &crypters);
-  session->connection()->SetEncrypter(ENCRYPTION_INITIAL,
-                                      std::move(crypters.encrypter));
-  session->connection()->InstallDecrypter(ENCRYPTION_INITIAL,
-                                          std::move(crypters.decrypter));
 
   // Configure the SSL to be a server.
   SSL_set_accept_state(ssl());
@@ -95,13 +77,13 @@ void TlsServerHandshaker::CancelOutstandingCallbacks() {
 }
 
 bool TlsServerHandshaker::GetBase64SHA256ClientChannelID(
-    std::string* output) const {
+    std::string* /*output*/) const {
   // Channel ID is not supported when TLS is used in QUIC.
   return false;
 }
 
 void TlsServerHandshaker::SendServerConfigUpdate(
-    const CachedNetworkParameters* cached_network_params) {
+    const CachedNetworkParameters* /*cached_network_params*/) {
   // SCUP messages aren't supported when using the TLS handshake.
 }
 
@@ -131,7 +113,7 @@ bool TlsServerHandshaker::ZeroRttAttempted() const {
 }
 
 void TlsServerHandshaker::SetPreviousCachedNetworkParams(
-    CachedNetworkParameters cached_network_params) {}
+    CachedNetworkParameters /*cached_network_params*/) {}
 
 bool TlsServerHandshaker::ShouldSendExpectCTHeader() const {
   return false;
@@ -264,25 +246,6 @@ void TlsServerHandshaker::FinishHandshake() {
   handshake_confirmed_ = true;
 }
 
-// static
-TlsServerHandshaker* TlsServerHandshaker::HandshakerFromSsl(SSL* ssl) {
-  return static_cast<TlsServerHandshaker*>(
-      TlsHandshaker::HandshakerFromSsl(ssl));
-}
-
-// static
-ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(SSL* ssl,
-                                                             uint8_t* out,
-                                                             size_t* out_len,
-                                                             size_t max_out,
-                                                             uint16_t sig_alg,
-                                                             const uint8_t* in,
-                                                             size_t in_len) {
-  return HandshakerFromSsl(ssl)->PrivateKeySign(
-      out, out_len, max_out, sig_alg,
-      QuicStringPiece(reinterpret_cast<const char*>(in), in_len));
-}
-
 ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
     uint8_t* out,
     size_t* out_len,
@@ -300,15 +263,6 @@ ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
   return ssl_private_key_retry;
 }
 
-// static
-ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete(
-    SSL* ssl,
-    uint8_t* out,
-    size_t* out_len,
-    size_t max_out) {
-  return HandshakerFromSsl(ssl)->PrivateKeyComplete(out, out_len, max_out);
-}
-
 ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete(
     uint8_t* out,
     size_t* out_len,
@@ -326,13 +280,6 @@ ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete(
   return ssl_private_key_success;
 }
 
-// static
-int TlsServerHandshaker::SelectCertificateCallback(SSL* ssl,
-                                                   int* out_alert,
-                                                   void* arg) {
-  return HandshakerFromSsl(ssl)->SelectCertificate(out_alert);
-}
-
 int TlsServerHandshaker::SelectCertificate(int* out_alert) {
   const char* hostname = SSL_get_servername(ssl(), TLSEXT_NAMETYPE_host_name);
   if (hostname) {
@@ -357,8 +304,7 @@ int TlsServerHandshaker::SelectCertificate(int* out_alert) {
         chain->certs[i].length(), nullptr);
   }
 
-  SSL_set_chain_and_key(ssl(), certs.data(), certs.size(), nullptr,
-                        &kPrivateKeyMethod);
+  tls_connection_.SetCertChain(certs);
 
   for (size_t i = 0; i < certs.size(); i++) {
     CRYPTO_BUFFER_free(certs[i]);
@@ -375,16 +321,6 @@ int TlsServerHandshaker::SelectCertificate(int* out_alert) {
   return SSL_TLSEXT_ERR_OK;
 }
 
-// static
-int TlsServerHandshaker::SelectAlpnCallback(SSL* ssl,
-                                            const uint8_t** out,
-                                            uint8_t* out_len,
-                                            const uint8_t* in,
-                                            unsigned in_len,
-                                            void* arg) {
-  return HandshakerFromSsl(ssl)->SelectAlpn(out, out_len, in, in_len);
-}
-
 int TlsServerHandshaker::SelectAlpn(const uint8_t** out,
                                     uint8_t* out_len,
                                     const uint8_t* in,
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.h
index e27d8967314..71fe6dd0276 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.h
@@ -9,7 +9,8 @@
 
 #include "third_party/boringssl/src/include/openssl/pool.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quic/core/tls_handshaker.h"
@@ -20,8 +21,9 @@ namespace quic {
 // An implementation of QuicCryptoServerStream::HandshakerDelegate which uses
 // TLS 1.3 for the crypto handshake protocol.
 class QUIC_EXPORT_PRIVATE TlsServerHandshaker
-    : public QuicCryptoServerStream::HandshakerDelegate,
-      public TlsHandshaker {
+    : public TlsHandshaker,
+      public TlsServerConnection::Delegate,
+      public QuicCryptoServerStream::HandshakerDelegate {
  public:
   TlsServerHandshaker(QuicCryptoStream* stream,
                       QuicSession* session,
@@ -57,17 +59,30 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
       const override;
   CryptoMessageParser* crypto_message_parser() override;
 
-  // Calls SelectCertificate after looking up the TlsServerHandshaker from
-  // |ssl|.
-  static int SelectCertificateCallback(SSL* ssl, int* out_alert, void* arg);
+ protected:
+  TlsConnection* tls_connection() override { return &tls_connection_; }
 
-  // Calls SelectAlpn after looking up the TlsServerHandshaker from |ssl|.
-  static int SelectAlpnCallback(SSL* ssl,
-                                const uint8_t** out,
-                                uint8_t* out_len,
-                                const uint8_t* in,
-                                unsigned in_len,
-                                void* arg);
+  // Called when a new message is received on the crypto stream and is available
+  // for the TLS stack to read.
+  void AdvanceHandshake() override;
+  void CloseConnection(QuicErrorCode error,
+                       const std::string& reason_phrase) override;
+
+  // TlsServerConnection::Delegate implementation:
+  int SelectCertificate(int* out_alert) override;
+  int SelectAlpn(const uint8_t** out,
+                 uint8_t* out_len,
+                 const uint8_t* in,
+                 unsigned in_len) override;
+  ssl_private_key_result_t PrivateKeySign(uint8_t* out,
+                                          size_t* out_len,
+                                          size_t max_out,
+                                          uint16_t sig_alg,
+                                          QuicStringPiece in) override;
+  ssl_private_key_result_t PrivateKeyComplete(uint8_t* out,
+                                              size_t* out_len,
+                                              size_t max_out) override;
+  TlsConnection::Delegate* ConnectionDelegate() override { return this; }
 
  private:
   class SignatureCallback : public ProofSource::SignatureCallback {
@@ -90,17 +105,6 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
     STATE_CONNECTION_CLOSED,
   };
 
-  // |kPrivateKeyMethod| is a vtable pointing to PrivateKeySign and
-  // PrivateKeyComplete used by the TLS stack to compute the signature for the
-  // CertificateVerify message (using the server's private key).
-  static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod;
-
-  // Called when a new message is received on the crypto stream and is available
-  // for the TLS stack to read.
-  void AdvanceHandshake() override;
-  void CloseConnection(QuicErrorCode error,
-                       const std::string& reason_phrase) override;
-
   // Called when the TLS handshake is complete.
   void FinishHandshake();
 
@@ -109,61 +113,6 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
   bool SetTransportParameters();
   bool ProcessTransportParameters(std::string* error_details);
 
-  // Calls the instance method PrivateKeySign after looking up the
-  // TlsServerHandshaker from |ssl|.
-  static ssl_private_key_result_t PrivateKeySign(SSL* ssl,
-                                                 uint8_t* out,
-                                                 size_t* out_len,
-                                                 size_t max_out,
-                                                 uint16_t sig_alg,
-                                                 const uint8_t* in,
-                                                 size_t in_len);
-
-  // Signs |in| using the signature algorithm specified by |sig_alg| (an
-  // SSL_SIGN_* value). If the signing operation cannot be completed
-  // synchronously, ssl_private_key_retry is returned. If there is an error
-  // signing, or if the signature is longer than |max_out|, then
-  // ssl_private_key_failure is returned. Otherwise, ssl_private_key_success is
-  // returned with the signature put in |*out| and the length in |*out_len|.
-  ssl_private_key_result_t PrivateKeySign(uint8_t* out,
-                                          size_t* out_len,
-                                          size_t max_out,
-                                          uint16_t sig_alg,
-                                          QuicStringPiece in);
-
-  // Calls the instance method PrivateKeyComplete after looking up the
-  // TlsServerHandshaker from |ssl|.
-  static ssl_private_key_result_t PrivateKeyComplete(SSL* ssl,
-                                                     uint8_t* out,
-                                                     size_t* out_len,
-                                                     size_t max_out);
-
-  // When PrivateKeySign returns ssl_private_key_retry, PrivateKeyComplete will
-  // be called after the async sign operation has completed. PrivateKeyComplete
-  // puts the resulting signature in |*out| and length in |*out_len|. If the
-  // length is greater than |max_out| or if there was an error in signing, then
-  // ssl_private_key_failure is returned. Otherwise, ssl_private_key_success is
-  // returned.
-  ssl_private_key_result_t PrivateKeyComplete(uint8_t* out,
-                                              size_t* out_len,
-                                              size_t max_out);
-
-  // Configures the certificate to use on |ssl_| based on the SNI sent by the
-  // client. Returns an SSL_TLSEXT_ERR_* value (see
-  // https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_tlsext_servername_callback).
-  //
-  // If SelectCertificate returns SSL_TLSEXT_ERR_ALERT_FATAL, then it puts in
-  // |*out_alert| the TLS alert value that the server will send.
-  int SelectCertificate(int* out_alert);
-
-  // Selects which ALPN to use based on the list sent by the client.
-  int SelectAlpn(const uint8_t** out,
-                 uint8_t* out_len,
-                 const uint8_t* in,
-                 unsigned in_len);
-
-  static TlsServerHandshaker* HandshakerFromSsl(SSL* ssl);
-
   State state_ = STATE_LISTENING;
 
   ProofSource* proof_source_;
@@ -176,6 +125,7 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
   bool handshake_confirmed_ = false;
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters>
       crypto_negotiated_params_;
+  TlsServerConnection tls_connection_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.cc b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.cc
index 75f7c6ac71a..24c3b7cc62f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.cc
@@ -24,12 +24,16 @@ UberQuicStreamIdManager::UberQuicStreamIdManager(
           /*unidirectional=*/true,
           max_open_outgoing_unidirectional_streams,
           max_open_incoming_unidirectional_streams) {}
-void UberQuicStreamIdManager::RegisterStaticStream(QuicStreamId id) {
+void UberQuicStreamIdManager::RegisterStaticStream(
+    QuicStreamId id,
+    bool stream_already_counted) {
   if (QuicUtils::IsBidirectionalStreamId(id)) {
-    bidirectional_stream_id_manager_.RegisterStaticStream(id);
+    bidirectional_stream_id_manager_.RegisterStaticStream(
+        id, stream_already_counted);
     return;
   }
-  unidirectional_stream_id_manager_.RegisterStaticStream(id);
+  unidirectional_stream_id_manager_.RegisterStaticStream(
+      id, stream_already_counted);
 }
 
 void UberQuicStreamIdManager::AdjustMaxOpenOutgoingUnidirectionalStreams(
diff --git a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h
index 288f0c0a092..45b0d33ff46 100644
--- a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h
@@ -28,7 +28,9 @@ class QUIC_EXPORT_PRIVATE UberQuicStreamIdManager {
       QuicStreamCount max_open_incoming_unidirectional_streams);
 
   // Called when a stream with |stream_id| is registered as a static stream.
-  void RegisterStaticStream(QuicStreamId id);
+  // If |stream_already_counted| is true, the static stream is already counted
+  // as an open stream earlier, so no need to count it again.
+  void RegisterStaticStream(QuicStreamId id, bool stream_already_counted);
 
   // Sets the maximum outgoing stream count as a result of doing the transport
   // configuration negotiation. Forces the limit to max_streams, regardless of
diff --git a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager_test.cc
index 8b1bacea54f..203dbb801f5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager_test.cc
@@ -37,26 +37,26 @@ class UberQuicStreamIdManagerTest : public QuicTestWithParam<Perspective> {
   }
 
   QuicStreamId GetNthClientInitiatedBidirectionalId(int n) {
-    return QuicUtils::GetFirstBidirectionalStreamId(
-               connection_->transport_version(), Perspective::IS_CLIENT) +
+    return QuicUtils::GetFirstBidirectionalStreamId(transport_version(),
+                                                    Perspective::IS_CLIENT) +
            kV99StreamIdIncrement * n;
   }
 
   QuicStreamId GetNthClientInitiatedUnidirectionalId(int n) {
-    return QuicUtils::GetFirstUnidirectionalStreamId(
-               connection_->transport_version(), Perspective::IS_CLIENT) +
+    return QuicUtils::GetFirstUnidirectionalStreamId(transport_version(),
+                                                     Perspective::IS_CLIENT) +
            kV99StreamIdIncrement * n;
   }
 
   QuicStreamId GetNthServerInitiatedBidirectionalId(int n) {
-    return QuicUtils::GetFirstBidirectionalStreamId(
-               connection_->transport_version(), Perspective::IS_SERVER) +
+    return QuicUtils::GetFirstBidirectionalStreamId(transport_version(),
+                                                    Perspective::IS_SERVER) +
            kV99StreamIdIncrement * n;
   }
 
   QuicStreamId GetNthServerInitiatedUnidirectionalId(int n) {
-    return QuicUtils::GetFirstUnidirectionalStreamId(
-               connection_->transport_version(), Perspective::IS_SERVER) +
+    return QuicUtils::GetFirstUnidirectionalStreamId(transport_version(),
+                                                     Perspective::IS_SERVER) +
            kV99StreamIdIncrement * n;
   }
 
@@ -86,10 +86,14 @@ class UberQuicStreamIdManagerTest : public QuicTestWithParam<Perspective> {
                                Perspective perspective,
                                bool bidirectional) {
     return ((bidirectional) ? QuicUtils::GetFirstBidirectionalStreamId(
-                                  QUIC_VERSION_99, perspective)
+                                  transport_version(), perspective)
                             : QuicUtils::GetFirstUnidirectionalStreamId(
-                                  QUIC_VERSION_99, perspective)) +
-           ((stream_count - 1) * QuicUtils::StreamIdDelta(QUIC_VERSION_99));
+                                  transport_version(), perspective)) +
+           ((stream_count - 1) * QuicUtils::StreamIdDelta(transport_version()));
+  }
+
+  QuicTransportVersion transport_version() {
+    return connection_->transport_version();
   }
 
   MockQuicConnectionHelper helper_;
@@ -133,7 +137,8 @@ TEST_P(UberQuicStreamIdManagerTest, RegisterStaticStream) {
       manager_->actual_max_allowed_incoming_bidirectional_streams();
   QuicStreamCount actual_max_allowed_incoming_unidirectional_streams =
       manager_->actual_max_allowed_incoming_unidirectional_streams();
-  manager_->RegisterStaticStream(first_incoming_bidirectional_stream_id);
+  manager_->RegisterStaticStream(first_incoming_bidirectional_stream_id,
+                                 /*stream_already_counted = */ false);
   // Verify actual_max_allowed_incoming_bidirectional_streams increases.
   EXPECT_EQ(actual_max_allowed_incoming_bidirectional_streams + 1u,
             manager_->actual_max_allowed_incoming_bidirectional_streams());
@@ -142,7 +147,8 @@ TEST_P(UberQuicStreamIdManagerTest, RegisterStaticStream) {
   EXPECT_EQ(actual_max_allowed_incoming_unidirectional_streams,
             manager_->actual_max_allowed_incoming_unidirectional_streams());
 
-  manager_->RegisterStaticStream(first_incoming_unidirectional_stream_id);
+  manager_->RegisterStaticStream(first_incoming_unidirectional_stream_id,
+                                 /*stream_already_counted = */ false);
   EXPECT_EQ(actual_max_allowed_incoming_bidirectional_streams + 1u,
             manager_->actual_max_allowed_incoming_bidirectional_streams());
   EXPECT_EQ(actual_max_allowed_incoming_unidirectional_streams + 1u,
@@ -269,16 +275,10 @@ TEST_P(UberQuicStreamIdManagerTest, MaybeIncreaseLargestPeerStreamId) {
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
   EXPECT_TRUE(manager_->MaybeIncreaseLargestPeerStreamId(StreamCountToId(
       manager_->actual_max_allowed_incoming_bidirectional_streams(),
-      /* Perspective=*/GetParam() == Perspective::IS_SERVER
-          ? Perspective::IS_CLIENT
-          : Perspective::IS_SERVER,
-      /* bidirectional=*/true)));
+      QuicUtils::InvertPerspective(GetParam()), /* bidirectional=*/true)));
   EXPECT_TRUE(manager_->MaybeIncreaseLargestPeerStreamId(StreamCountToId(
       manager_->actual_max_allowed_incoming_bidirectional_streams(),
-      /* Perspective=*/GetParam() == Perspective::IS_SERVER
-          ? Perspective::IS_CLIENT
-          : Perspective::IS_SERVER,
-      /* bidirectional=*/false)));
+      QuicUtils::InvertPerspective(GetParam()), /* bidirectional=*/false)));
 
   std::string error_details =
       GetParam() == Perspective::IS_SERVER
@@ -289,10 +289,7 @@ TEST_P(UberQuicStreamIdManagerTest, MaybeIncreaseLargestPeerStreamId) {
               CloseConnection(QUIC_INVALID_STREAM_ID, error_details, _));
   EXPECT_FALSE(manager_->MaybeIncreaseLargestPeerStreamId(StreamCountToId(
       manager_->actual_max_allowed_incoming_bidirectional_streams() + 1,
-      /* Perspective=*/GetParam() == Perspective::IS_SERVER
-          ? Perspective::IS_CLIENT
-          : Perspective::IS_SERVER,
-      /* bidirectional=*/true)));
+      QuicUtils::InvertPerspective(GetParam()), /* bidirectional=*/true)));
   error_details = GetParam() == Perspective::IS_SERVER
                       ? "Stream id 402 would exceed stream count limit 100"
                       : "Stream id 403 would exceed stream count limit 100";
@@ -300,10 +297,7 @@ TEST_P(UberQuicStreamIdManagerTest, MaybeIncreaseLargestPeerStreamId) {
               CloseConnection(QUIC_INVALID_STREAM_ID, error_details, _));
   EXPECT_FALSE(manager_->MaybeIncreaseLargestPeerStreamId(StreamCountToId(
       manager_->actual_max_allowed_incoming_bidirectional_streams() + 1,
-      /* Perspective=*/GetParam() == Perspective::IS_SERVER
-          ? Perspective::IS_CLIENT
-          : Perspective::IS_SERVER,
-      /* bidirectional=*/false)));
+      QuicUtils::InvertPerspective(GetParam()), /* bidirectional=*/false)));
 }
 
 TEST_P(UberQuicStreamIdManagerTest, OnMaxStreamsFrame) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager.cc b/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager.cc
index a3c79d34428..6df7490a85a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager.cc
@@ -78,18 +78,18 @@ void UberReceivedPacketManager::MaybeUpdateAckTimeout(
     QuicTime time_of_last_received_packet,
     QuicTime now,
     const RttStats* rtt_stats,
-    QuicTime::Delta delayed_ack_time) {
+    QuicTime::Delta local_max_ack_delay) {
   if (!supports_multiple_packet_number_spaces_) {
     received_packet_managers_[0].MaybeUpdateAckTimeout(
         should_last_packet_instigate_acks, last_received_packet_number,
-        time_of_last_received_packet, now, rtt_stats, delayed_ack_time);
+        time_of_last_received_packet, now, rtt_stats, local_max_ack_delay);
     return;
   }
   received_packet_managers_[QuicUtils::GetPacketNumberSpace(
                                 decrypted_packet_level)]
       .MaybeUpdateAckTimeout(
           should_last_packet_instigate_acks, last_received_packet_number,
-          time_of_last_received_packet, now, rtt_stats, delayed_ack_time);
+          time_of_last_received_packet, now, rtt_stats, local_max_ack_delay);
 }
 
 void UberReceivedPacketManager::ResetAckStates(
diff --git a/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager.h b/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager.h
index 21c2c0c7240..c4428041465 100644
--- a/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager.h
@@ -49,7 +49,7 @@ class QUIC_EXPORT_PRIVATE UberReceivedPacketManager {
                              QuicTime time_of_last_received_packet,
                              QuicTime now,
                              const RttStats* rtt_stats,
-                             QuicTime::Delta delayed_ack_time);
+                             QuicTime::Delta local_max_ack_delay);
 
   // Resets ACK related states, called after an ACK is successfully sent.
   void ResetAckStates(EncryptionLevel encryption_level);
diff --git a/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager_test.cc
index b717178248a..64dbb177362 100644
--- a/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/uber_received_packet_manager_test.cc
@@ -49,8 +49,6 @@ const QuicTime::Delta kDelayedAckTime =
 class UberReceivedPacketManagerTest : public QuicTest {
  protected:
   UberReceivedPacketManagerTest() {
-    SetQuicReloadableFlag(quic_deprecate_ack_bundling_mode, true);
-    SetQuicReloadableFlag(quic_rpm_decides_when_to_send_acks, true);
     manager_ = QuicMakeUnique<UberReceivedPacketManager>(&stats_);
     clock_.AdvanceTime(QuicTime::Delta::FromSeconds(1));
     rtt_stats_.UpdateRtt(kMinRttMs, QuicTime::Delta::Zero(), QuicTime::Zero());
@@ -239,13 +237,8 @@ TEST_F(UberReceivedPacketManagerTest, OutOfOrderReceiptCausesAckSent) {
 
   RecordPacketReceipt(3, clock_.ApproximateNow());
   MaybeUpdateAckTimeout(kInstigateAck, 3);
-  if (GetQuicRestartFlag(quic_enable_accept_random_ipn)) {
-    // Delayed ack is scheduled.
-    CheckAckTimeout(clock_.ApproximateNow() + kDelayedAckTime);
-  } else {
-    // Should ack immediately since we have missing packets.
-    CheckAckTimeout(clock_.ApproximateNow());
-  }
+  // Delayed ack is scheduled.
+  CheckAckTimeout(clock_.ApproximateNow() + kDelayedAckTime);
 
   RecordPacketReceipt(2, clock_.ApproximateNow());
   MaybeUpdateAckTimeout(kInstigateAck, 2);
@@ -764,7 +757,6 @@ TEST_F(UberReceivedPacketManagerTest,
 
 TEST_F(UberReceivedPacketManagerTest, AckSendingDifferentPacketNumberSpaces) {
   manager_->EnableMultiplePacketNumberSpacesSupport();
-  SetQuicRestartFlag(quic_enable_accept_random_ipn, true);
   EXPECT_FALSE(HasPendingAck());
   EXPECT_FALSE(manager_->IsAckFrameUpdated());
 
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/README.md b/chromium/net/third_party/quiche/src/quic/platform/api/README.md
index d3de2e14073..117e424d00c 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/README.md
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/README.md
@@ -13,43 +13,48 @@ QUIC data types, such as QuicClock and QuicSleep.
 
     Most APIs are used by QUIC core to interact with platform infrastructure
     (i.e. QUIC_LOG) or to wrap around platform dependent data types (i.e.
-    QuicIntervalSet), the dependency is:
+    QuicThread), the dependency is:
 
-    ```dot
-    digraph {
-    application -> quic_core -> quic_platform_api -> quic_platform_impl -> platform_infrastructure
-    application -> platform_infrastructure
-    }
-    ```
+```
+application -> quic_core -> quic_platform_api
+      |                             |
+      v                             v
+platform_infrastructure <- quic_platform_impl
+```
 
 -   APIs used by applications:
 
     Some APIs are used by applications to interact with QUIC core (i.e.
     QuicMemSlice). For such APIs, their dependency model is:
 
-    ```dot
-    digraph {
-    application -> quic_platform_impl -> platform_infrastructure
-    application -> quic_core -> quic_platform_api
-    quic_platform_impl -> quic_platform_api
-    application -> platform_infrastructure
-    }
-    ```
+```
+application -> quic_core -> quic_platform_api
+    |                            ^
+    |                            |
+     -------------------> quic_platform_impl
+    |                            |
+    |                            v
+     -------------------> platform_infrastructure
+```
 
-    An example for such dependency is QuicClock.
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;An example for such dependency
+is QuicClock.
 
-    Or
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Or
 
-    ```dot
-    digraph {
-    application -> quic_platform_impl -> platform_infrastructure
-    application -> quic_core -> quic_platform_api -> quic_platform_impl
-    quic_platform_impl -> quic_platform_api
-    application -> platform_infrastructure
-    }
-    ```
+```
+application -> quic_core -> quic_platform_api
+    |                            ^
+    |                            |
+    |                            v
+     -------------------> quic_platform_impl
+    |                            |
+    |                            v
+     -------------------> platform_infrastructure
+```
 
-    An example for such dependency is QuicMemSlice.
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;An example for such dependency
+is QuicMemSlice.
 
 # Documentation of each API and its usage.
 
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_bbr2_sender.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_bbr2_sender.h
new file mode 100644
index 00000000000..48bc86a1983
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_bbr2_sender.h
@@ -0,0 +1,16 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_PLATFORM_API_QUIC_BBR2_SENDER_H_
+#define QUICHE_QUIC_PLATFORM_API_QUIC_BBR2_SENDER_H_
+
+#include "net/quic/platform/impl/quic_bbr2_sender_impl.h"
+
+namespace quic {
+
+using QuicBbr2Sender = QuicBbr2SenderImpl;
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_PLATFORM_API_QUIC_BBR2_SENDER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address.cc b/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address.cc
index 3b48c475f67..6db0838dfd4 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address.cc
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address.cc
@@ -4,35 +4,88 @@
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_ip_address.h"
 
+#include <algorithm>
+#include <cstdint>
+#include <cstring>
 #include <string>
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+
 namespace quic {
 
+static int ToPlatformAddressFamily(IpAddressFamily family) {
+  switch (family) {
+    case IpAddressFamily::IP_V4:
+      return AF_INET;
+    case IpAddressFamily::IP_V6:
+      return AF_INET6;
+    case IpAddressFamily::IP_UNSPEC:
+      return AF_UNSPEC;
+  }
+  QUIC_BUG << "Invalid IpAddressFamily " << static_cast<int32_t>(family);
+  return AF_UNSPEC;
+}
+
 QuicIpAddress QuicIpAddress::Loopback4() {
-  return QuicIpAddress(QuicIpAddressImpl::Loopback4());
+  QuicIpAddress result;
+  result.family_ = IpAddressFamily::IP_V4;
+  result.address_.bytes[0] = 127;
+  result.address_.bytes[1] = 0;
+  result.address_.bytes[2] = 0;
+  result.address_.bytes[3] = 1;
+  return result;
 }
 
 QuicIpAddress QuicIpAddress::Loopback6() {
-  return QuicIpAddress(QuicIpAddressImpl::Loopback6());
+  QuicIpAddress result;
+  result.family_ = IpAddressFamily::IP_V6;
+  uint8_t* bytes = result.address_.bytes;
+  memset(bytes, 0, 15);
+  bytes[15] = 1;
+  return result;
 }
 
 QuicIpAddress QuicIpAddress::Any4() {
-  return QuicIpAddress(QuicIpAddressImpl::Any4());
+  in_addr address;
+  memset(&address, 0, sizeof(address));
+  return QuicIpAddress(address);
 }
 
 QuicIpAddress QuicIpAddress::Any6() {
-  return QuicIpAddress(QuicIpAddressImpl::Any6());
+  in6_addr address;
+  memset(&address, 0, sizeof(address));
+  return QuicIpAddress(address);
 }
 
-QuicIpAddress::QuicIpAddress(const QuicIpAddressImpl& impl) : impl_(impl) {}
+QuicIpAddress::QuicIpAddress() : family_(IpAddressFamily::IP_UNSPEC) {}
 
 QuicIpAddress::QuicIpAddress(const in_addr& ipv4_address)
-    : impl_(ipv4_address) {}
+    : family_(IpAddressFamily::IP_V4) {
+  address_.v4 = ipv4_address;
+}
 QuicIpAddress::QuicIpAddress(const in6_addr& ipv6_address)
-    : impl_(ipv6_address) {}
+    : family_(IpAddressFamily::IP_V6) {
+  address_.v6 = ipv6_address;
+}
 
 bool operator==(QuicIpAddress lhs, QuicIpAddress rhs) {
-  return lhs.impl_ == rhs.impl_;
+  if (lhs.family_ != rhs.family_) {
+    return false;
+  }
+  switch (lhs.family_) {
+    case IpAddressFamily::IP_V4:
+      return std::equal(lhs.address_.bytes,
+                        lhs.address_.bytes + QuicIpAddress::kIPv4AddressSize,
+                        rhs.address_.bytes);
+    case IpAddressFamily::IP_V6:
+      return std::equal(lhs.address_.bytes,
+                        lhs.address_.bytes + QuicIpAddress::kIPv6AddressSize,
+                        rhs.address_.bytes);
+    case IpAddressFamily::IP_UNSPEC:
+      return true;
+  }
+  QUIC_BUG << "Invalid IpAddressFamily " << static_cast<int32_t>(lhs.family_);
+  return false;
 }
 
 bool operator!=(QuicIpAddress lhs, QuicIpAddress rhs) {
@@ -40,60 +93,143 @@ bool operator!=(QuicIpAddress lhs, QuicIpAddress rhs) {
 }
 
 bool QuicIpAddress::IsInitialized() const {
-  return impl_.IsInitialized();
+  return family_ != IpAddressFamily::IP_UNSPEC;
 }
 
 IpAddressFamily QuicIpAddress::address_family() const {
-  return impl_.address_family();
+  return family_;
 }
 
 int QuicIpAddress::AddressFamilyToInt() const {
-  return impl_.AddressFamilyToInt();
+  return ToPlatformAddressFamily(family_);
 }
 
 std::string QuicIpAddress::ToPackedString() const {
-  return impl_.ToPackedString();
+  switch (family_) {
+    case IpAddressFamily::IP_V4:
+      return std::string(address_.chars, sizeof(address_.v4));
+    case IpAddressFamily::IP_V6:
+      return std::string(address_.chars, sizeof(address_.v6));
+    case IpAddressFamily::IP_UNSPEC:
+      return "";
+  }
+  QUIC_BUG << "Invalid IpAddressFamily " << static_cast<int32_t>(family_);
+  return "";
 }
 
 std::string QuicIpAddress::ToString() const {
-  return impl_.ToString();
+  if (!IsInitialized()) {
+    return "";
+  }
+
+  char buffer[INET6_ADDRSTRLEN] = {0};
+  const char* result =
+      inet_ntop(AddressFamilyToInt(), address_.bytes, buffer, sizeof(buffer));
+  QUIC_BUG_IF(result == nullptr) << "Failed to convert an IP address to string";
+  return buffer;
 }
 
+static const uint8_t kMappedAddressPrefix[] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
+};
+
 QuicIpAddress QuicIpAddress::Normalized() const {
-  return QuicIpAddress(impl_.Normalized());
+  if (!IsIPv6()) {
+    return *this;
+  }
+  if (!std::equal(std::begin(kMappedAddressPrefix),
+                  std::end(kMappedAddressPrefix), address_.bytes)) {
+    return *this;
+  }
+
+  in_addr result;
+  memcpy(&result, &address_.bytes[12], sizeof(result));
+  return QuicIpAddress(result);
 }
 
 QuicIpAddress QuicIpAddress::DualStacked() const {
-  return QuicIpAddress(impl_.DualStacked());
+  if (!IsIPv4()) {
+    return *this;
+  }
+
+  QuicIpAddress result;
+  result.family_ = IpAddressFamily::IP_V6;
+  memcpy(result.address_.bytes, kMappedAddressPrefix,
+         sizeof(kMappedAddressPrefix));
+  memcpy(result.address_.bytes + 12, address_.bytes, kIPv4AddressSize);
+  return result;
 }
 
 bool QuicIpAddress::FromPackedString(const char* data, size_t length) {
-  return impl_.FromPackedString(data, length);
+  switch (length) {
+    case kIPv4AddressSize:
+      family_ = IpAddressFamily::IP_V4;
+      break;
+    case kIPv6AddressSize:
+      family_ = IpAddressFamily::IP_V6;
+      break;
+    default:
+      return false;
+  }
+  memcpy(address_.chars, data, length);
+  return true;
 }
 
 bool QuicIpAddress::FromString(std::string str) {
-  return impl_.FromString(str);
+  for (IpAddressFamily family :
+       {IpAddressFamily::IP_V6, IpAddressFamily::IP_V4}) {
+    int result =
+        inet_pton(ToPlatformAddressFamily(family), str.c_str(), address_.bytes);
+    if (result > 0) {
+      family_ = family;
+      return true;
+    }
+  }
+  return false;
 }
 
 bool QuicIpAddress::IsIPv4() const {
-  return impl_.IsIPv4();
+  return family_ == IpAddressFamily::IP_V4;
 }
 
 bool QuicIpAddress::IsIPv6() const {
-  return impl_.IsIPv6();
+  return family_ == IpAddressFamily::IP_V6;
 }
 
 bool QuicIpAddress::InSameSubnet(const QuicIpAddress& other,
                                  int subnet_length) {
-  return impl_.InSameSubnet(other.impl_, subnet_length);
+  if (!IsInitialized()) {
+    QUIC_BUG << "Attempting to do subnet matching on undefined address";
+    return false;
+  }
+  if ((IsIPv4() && subnet_length > 32) || (IsIPv6() && subnet_length > 128)) {
+    QUIC_BUG << "Subnet mask is out of bounds";
+    return false;
+  }
+
+  int bytes_to_check = subnet_length / 8;
+  int bits_to_check = subnet_length % 8;
+  const uint8_t* const lhs = address_.bytes;
+  const uint8_t* const rhs = other.address_.bytes;
+  if (!std::equal(lhs, lhs + bytes_to_check, rhs)) {
+    return false;
+  }
+  if (bits_to_check == 0) {
+    return true;
+  }
+  DCHECK_LT(static_cast<size_t>(bytes_to_check), sizeof(address_.bytes));
+  int mask = (~0u) << (8u - bits_to_check);
+  return (lhs[bytes_to_check] & mask) == (rhs[bytes_to_check] & mask);
 }
 
 in_addr QuicIpAddress::GetIPv4() const {
-  return impl_.GetIPv4();
+  DCHECK(IsIPv4());
+  return address_.v4;
 }
 
 in6_addr QuicIpAddress::GetIPv6() const {
-  return impl_.GetIPv6();
+  DCHECK(IsIPv6());
+  return address_.v6;
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address.h
index 6d507b4d843..e1a1076cbcb 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address.h
@@ -9,6 +9,7 @@
 #include <winsock2.h>
 #include <ws2tcpip.h>
 #else
+#include <arpa/inet.h>
 #include <netinet/in.h>
 #include <sys/socket.h>
 #include <sys/types.h>
@@ -17,18 +18,18 @@
 #include <string>
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
-#include "net/quic/platform/impl/quic_ip_address_impl.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ip_address_family.h"
 
 namespace quic {
 
+// Represents an IP address.
 class QUIC_EXPORT_PRIVATE QuicIpAddress {
-  // A class representing an IPv4 or IPv6 address in QUIC. The actual
-  // implementation (platform dependent) of an IP address is in
-  // QuicIpAddressImpl.
  public:
+  // Sizes of IP addresses of different types, in bytes.
   enum : size_t {
-    kIPv4AddressSize = QuicIpAddressImpl::kIPv4AddressSize,
-    kIPv6AddressSize = QuicIpAddressImpl::kIPv6AddressSize
+    kIPv4AddressSize = 32 / 8,
+    kIPv6AddressSize = 128 / 8,
+    kMaxAddressSize = kIPv6AddressSize,
   };
 
   // TODO(fayang): Remove Loopback*() and use TestLoopback*() in tests.
@@ -37,9 +38,8 @@ class QUIC_EXPORT_PRIVATE QuicIpAddress {
   static QuicIpAddress Any4();
   static QuicIpAddress Any6();
 
-  QuicIpAddress() = default;
+  QuicIpAddress();
   QuicIpAddress(const QuicIpAddress& other) = default;
-  explicit QuicIpAddress(const QuicIpAddressImpl& impl);
   explicit QuicIpAddress(const in_addr& ipv4_address);
   explicit QuicIpAddress(const in6_addr& ipv6_address);
   QuicIpAddress& operator=(const QuicIpAddress& other) = default;
@@ -77,9 +77,20 @@ class QUIC_EXPORT_PRIVATE QuicIpAddress {
   in6_addr GetIPv6() const;
 
  private:
-  QuicIpAddressImpl impl_;
+  union {
+    in_addr v4;
+    in6_addr v6;
+    uint8_t bytes[kMaxAddressSize];
+    char chars[kMaxAddressSize];
+  } address_;
+  IpAddressFamily family_;
 };
 
+inline std::ostream& operator<<(std::ostream& os, const QuicIpAddress address) {
+  os << address.ToString();
+  return os;
+}
+
 }  // namespace quic
 
 #endif  // QUICHE_QUIC_PLATFORM_API_QUIC_IP_ADDRESS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address_test.cc b/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address_test.cc
index 69424272146..7dfe243068c 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_ip_address_test.cc
@@ -56,6 +56,84 @@ TEST(QuicIpAddressTest, IPv6) {
   EXPECT_EQ(0xff01u, *(v6_address_ptr + 5));
   EXPECT_EQ(0x23feu, *(v6_address_ptr + 6));
   EXPECT_EQ(0x6745u, *(v6_address_ptr + 7));
+
+  EXPECT_EQ(ip_address, ip_address.Normalized());
+  EXPECT_EQ(ip_address, ip_address.DualStacked());
+}
+
+TEST(QuicIpAddressTest, FromPackedString) {
+  QuicIpAddress loopback4, loopback6;
+  const char loopback4_packed[] = "\x7f\0\0\x01";
+  const char loopback6_packed[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01";
+  EXPECT_TRUE(loopback4.FromPackedString(loopback4_packed, 4));
+  EXPECT_TRUE(loopback6.FromPackedString(loopback6_packed, 16));
+  EXPECT_EQ(loopback4, QuicIpAddress::Loopback4());
+  EXPECT_EQ(loopback6, QuicIpAddress::Loopback6());
+}
+
+TEST(QuicIpAddressTest, MappedAddress) {
+  QuicIpAddress ipv4_address;
+  QuicIpAddress mapped_address;
+
+  EXPECT_TRUE(ipv4_address.FromString("127.0.0.1"));
+  EXPECT_TRUE(mapped_address.FromString("::ffff:7f00:1"));
+
+  EXPECT_EQ(mapped_address, ipv4_address.DualStacked());
+  EXPECT_EQ(ipv4_address, mapped_address.Normalized());
+}
+
+TEST(QuicIpAddressTest, Subnets) {
+  struct {
+    const char* address1;
+    const char* address2;
+    int subnet_size;
+    bool same_subnet;
+  } test_cases[] = {
+      {"127.0.0.1", "127.0.0.2", 24, true},
+      {"8.8.8.8", "127.0.0.1", 24, false},
+      {"8.8.8.8", "127.0.0.1", 16, false},
+      {"8.8.8.8", "127.0.0.1", 8, false},
+      {"8.8.8.8", "127.0.0.1", 2, false},
+      {"8.8.8.8", "127.0.0.1", 1, true},
+
+      {"127.0.0.1", "127.0.0.128", 24, true},
+      {"127.0.0.1", "127.0.0.128", 25, false},
+      {"127.0.0.1", "127.0.0.127", 25, true},
+
+      {"127.0.0.1", "127.0.0.0", 30, true},
+      {"127.0.0.1", "127.0.0.1", 30, true},
+      {"127.0.0.1", "127.0.0.2", 30, true},
+      {"127.0.0.1", "127.0.0.3", 30, true},
+      {"127.0.0.1", "127.0.0.4", 30, false},
+
+      {"127.0.0.1", "127.0.0.2", 31, false},
+      {"127.0.0.1", "127.0.0.0", 31, true},
+
+      {"::1", "fe80::1", 8, false},
+      {"::1", "fe80::1", 1, false},
+      {"::1", "fe80::1", 0, true},
+      {"fe80::1", "fe80::2", 126, true},
+      {"fe80::1", "fe80::2", 127, false},
+  };
+
+  for (const auto& test_case : test_cases) {
+    QuicIpAddress address1, address2;
+    ASSERT_TRUE(address1.FromString(test_case.address1));
+    ASSERT_TRUE(address2.FromString(test_case.address2));
+    EXPECT_EQ(test_case.same_subnet,
+              address1.InSameSubnet(address2, test_case.subnet_size))
+        << "Addresses: " << test_case.address1 << ", " << test_case.address2
+        << "; subnet: /" << test_case.subnet_size;
+  }
+}
+
+TEST(QuicIpAddress, LoopbackAddresses) {
+  QuicIpAddress loopback4;
+  QuicIpAddress loopback6;
+  ASSERT_TRUE(loopback4.FromString("127.0.0.1"));
+  ASSERT_TRUE(loopback6.FromString("::1"));
+  EXPECT_EQ(loopback4, QuicIpAddress::Loopback4());
+  EXPECT_EQ(loopback6, QuicIpAddress::Loopback6());
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage.h
index dc48a43d177..9164e9af74b 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage.h
@@ -30,6 +30,8 @@ class QUIC_EXPORT_PRIVATE QuicMemSliceStorage {
   // Return a QuicMemSliceSpan form of the storage.
   QuicMemSliceSpan ToSpan() { return impl_.ToSpan(); }
 
+  void Append(QuicMemSlice slice) { impl_.Append(std::move(*slice.impl())); }
+
  private:
   QuicMemSliceStorageImpl impl_;
 };
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage_test.cc b/chromium/net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage_test.cc
index d0c25885e9f..a13899d443e 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage_test.cc
@@ -3,8 +3,10 @@
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage.h"
+
 #include "net/third_party/quiche/src/quic/core/quic_simple_buffer_allocator.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test_mem_slice_vector.h"
 
 namespace quic {
 namespace test {
@@ -55,6 +57,24 @@ TEST_F(QuicMemSliceStorageImplTest, MultipleIovInMultipleSlice) {
   EXPECT_EQ("bbbb", span.GetData(1));
 }
 
+TEST_F(QuicMemSliceStorageImplTest, AppendMemSlices) {
+  std::string body1(3, 'a');
+  std::string body2(4, 'b');
+  std::vector<std::pair<char*, size_t>> buffers;
+  buffers.push_back(
+      std::make_pair(const_cast<char*>(body1.data()), body1.length()));
+  buffers.push_back(
+      std::make_pair(const_cast<char*>(body2.data()), body2.length()));
+  QuicTestMemSliceVector mem_slices(buffers);
+
+  QuicMemSliceStorage storage(nullptr, 0, nullptr, 0);
+  mem_slices.span().ConsumeAll(
+      [&storage](QuicMemSlice slice) { storage.Append(std::move(slice)); });
+
+  EXPECT_EQ("aaa", storage.ToSpan().GetData(0));
+  EXPECT_EQ("bbbb", storage.ToSpan().GetData(1));
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address.cc b/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address.cc
index e0bb35c4f7d..c53b7463601 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address.cc
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address.cc
@@ -2,58 +2,131 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
+
+#include <limits>
 #include <string>
 
-#include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ip_address.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ip_address_family.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 
 namespace quic {
 
 QuicSocketAddress::QuicSocketAddress(QuicIpAddress address, uint16_t port)
-    : impl_(address, port) {}
-
-QuicSocketAddress::QuicSocketAddress(const struct sockaddr_storage& saddr)
-    : impl_(saddr) {}
-
-QuicSocketAddress::QuicSocketAddress(const struct sockaddr& saddr)
-    : impl_(saddr) {}
+    : host_(address), port_(port) {}
+
+QuicSocketAddress::QuicSocketAddress(const struct sockaddr_storage& saddr) {
+  switch (saddr.ss_family) {
+    case AF_INET: {
+      const sockaddr_in* v4 = reinterpret_cast<const sockaddr_in*>(&saddr);
+      host_ = QuicIpAddress(v4->sin_addr);
+      port_ = ntohs(v4->sin_port);
+      break;
+    }
+    case AF_INET6: {
+      const sockaddr_in6* v6 = reinterpret_cast<const sockaddr_in6*>(&saddr);
+      host_ = QuicIpAddress(v6->sin6_addr);
+      port_ = ntohs(v6->sin6_port);
+      break;
+    }
+    default:
+      QUIC_BUG << "Unknown address family passed: " << saddr.ss_family;
+      break;
+  }
+}
 
-QuicSocketAddress::QuicSocketAddress(const QuicSocketAddressImpl& impl)
-    : impl_(impl) {}
+QuicSocketAddress::QuicSocketAddress(const sockaddr* saddr, socklen_t len) {
+  sockaddr_storage storage;
+  static_assert(std::numeric_limits<socklen_t>::max() >= sizeof(storage),
+                "Cannot cast sizeof(storage) to socklen_t as it does not fit");
+  if (len < static_cast<socklen_t>(sizeof(sockaddr)) ||
+      (saddr->sa_family == AF_INET &&
+       len < static_cast<socklen_t>(sizeof(sockaddr_in))) ||
+      (saddr->sa_family == AF_INET6 &&
+       len < static_cast<socklen_t>(sizeof(sockaddr_in6))) ||
+      len > static_cast<socklen_t>(sizeof(storage))) {
+    QUIC_BUG << "Socket address of invalid length provided";
+    return;
+  }
+  memcpy(&storage, saddr, len);
+  *this = QuicSocketAddress(storage);
+}
 
 bool operator==(const QuicSocketAddress& lhs, const QuicSocketAddress& rhs) {
-  return lhs.impl_ == rhs.impl_;
+  return lhs.host_ == rhs.host_ && lhs.port_ == rhs.port_;
 }
 
 bool operator!=(const QuicSocketAddress& lhs, const QuicSocketAddress& rhs) {
-  return lhs.impl_ != rhs.impl_;
+  return !(lhs == rhs);
 }
 
 bool QuicSocketAddress::IsInitialized() const {
-  return impl_.IsInitialized();
+  return host_.IsInitialized();
 }
 
 std::string QuicSocketAddress::ToString() const {
-  return impl_.ToString();
+  switch (host_.address_family()) {
+    case IpAddressFamily::IP_V4:
+      return QuicStrCat(host_.ToString(), ":", port_);
+    case IpAddressFamily::IP_V6:
+      return QuicStrCat("[", host_.ToString(), "]:", port_);
+    default:
+      return "";
+  }
 }
 
 int QuicSocketAddress::FromSocket(int fd) {
-  return impl_.FromSocket(fd);
+  sockaddr_storage addr;
+  socklen_t addr_len = sizeof(addr);
+  int result = getsockname(fd, reinterpret_cast<sockaddr*>(&addr), &addr_len);
+
+  bool success = result == 0 && addr_len > 0 &&
+                 static_cast<size_t>(addr_len) <= sizeof(addr);
+  if (success) {
+    *this = QuicSocketAddress(addr);
+    return 0;
+  }
+  return -1;
 }
 
 QuicSocketAddress QuicSocketAddress::Normalized() const {
-  return QuicSocketAddress(impl_.Normalized());
+  return QuicSocketAddress(host_.Normalized(), port_);
 }
 
 QuicIpAddress QuicSocketAddress::host() const {
-  return QuicIpAddress(impl_.host());
+  return host_;
 }
 
 uint16_t QuicSocketAddress::port() const {
-  return impl_.port();
+  return port_;
 }
 
 sockaddr_storage QuicSocketAddress::generic_address() const {
-  return impl_.generic_address();
+  union {
+    sockaddr_storage storage;
+    sockaddr_in v4;
+    sockaddr_in6 v6;
+  } result;
+  memset(&result.storage, 0, sizeof(result.storage));
+
+  switch (host_.address_family()) {
+    case IpAddressFamily::IP_V4:
+      result.v4.sin_family = AF_INET;
+      result.v4.sin_addr = host_.GetIPv4();
+      result.v4.sin_port = htons(port_);
+      break;
+    case IpAddressFamily::IP_V6:
+      result.v6.sin6_family = AF_INET6;
+      result.v6.sin6_addr = host_.GetIPv6();
+      result.v6.sin6_port = htons(port_);
+      break;
+    default:
+      result.storage.ss_family = AF_UNSPEC;
+      break;
+  }
+  return result.storage;
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address.h
index 85e61d5a235..c91b1f205ea 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address.h
@@ -9,20 +9,17 @@
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ip_address.h"
-#include "net/quic/platform/impl/quic_socket_address_impl.h"
 
 namespace quic {
 
+// A class representing a socket endpoint address (i.e., IP address plus a
+// port) in QUIC.
 class QUIC_EXPORT_PRIVATE QuicSocketAddress {
-  // A class representing a socket endpoint address (i.e., IP address plus a
-  // port) in QUIC. The actual implementation (platform dependent) of a socket
-  // address is in QuicSocketAddressImpl.
  public:
-  QuicSocketAddress() = default;
+  QuicSocketAddress() {}
   QuicSocketAddress(QuicIpAddress address, uint16_t port);
   explicit QuicSocketAddress(const struct sockaddr_storage& saddr);
-  explicit QuicSocketAddress(const struct sockaddr& saddr);
-  explicit QuicSocketAddress(const QuicSocketAddressImpl& impl);
+  explicit QuicSocketAddress(const sockaddr* saddr, socklen_t len);
   QuicSocketAddress(const QuicSocketAddress& other) = default;
   QuicSocketAddress& operator=(const QuicSocketAddress& other) = default;
   QuicSocketAddress& operator=(QuicSocketAddress&& other) = default;
@@ -41,9 +38,16 @@ class QUIC_EXPORT_PRIVATE QuicSocketAddress {
   sockaddr_storage generic_address() const;
 
  private:
-  QuicSocketAddressImpl impl_;
+  QuicIpAddress host_;
+  uint16_t port_ = 0;
 };
 
+inline std::ostream& operator<<(std::ostream& os,
+                                const QuicSocketAddress address) {
+  os << address.ToString();
+  return os;
+}
+
 }  // namespace quic
 
 #endif  // QUICHE_QUIC_PLATFORM_API_QUIC_SOCKET_ADDRESS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address_test.cc b/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address_test.cc
new file mode 100644
index 00000000000..3c7010d89a5
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_socket_address_test.cc
@@ -0,0 +1,133 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
+
+#include <memory>
+#include <sstream>
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+
+namespace quic {
+namespace {
+
+TEST(QuicSocketAddress, Uninitialized) {
+  QuicSocketAddress uninitialized;
+  EXPECT_FALSE(uninitialized.IsInitialized());
+}
+
+TEST(QuicSocketAddress, ExplicitConstruction) {
+  QuicSocketAddress ipv4_address(QuicIpAddress::Loopback4(), 443);
+  QuicSocketAddress ipv6_address(QuicIpAddress::Loopback6(), 443);
+  EXPECT_TRUE(ipv4_address.IsInitialized());
+  EXPECT_EQ("127.0.0.1:443", ipv4_address.ToString());
+  EXPECT_EQ("[::1]:443", ipv6_address.ToString());
+  EXPECT_EQ(QuicIpAddress::Loopback4(), ipv4_address.host());
+  EXPECT_EQ(QuicIpAddress::Loopback6(), ipv6_address.host());
+  EXPECT_EQ(443, ipv4_address.port());
+}
+
+TEST(QuicSocketAddress, OutputToStream) {
+  QuicSocketAddress ipv4_address(QuicIpAddress::Loopback4(), 443);
+  std::stringstream stream;
+  stream << ipv4_address;
+  EXPECT_EQ("127.0.0.1:443", stream.str());
+}
+
+TEST(QuicSocketAddress, FromSockaddrIPv4) {
+  union {
+    sockaddr_storage storage;
+    sockaddr addr;
+    sockaddr_in v4;
+  } address;
+
+  memset(&address, 0, sizeof(address));
+  address.v4.sin_family = AF_INET;
+  address.v4.sin_addr = QuicIpAddress::Loopback4().GetIPv4();
+  address.v4.sin_port = htons(443);
+  EXPECT_EQ("127.0.0.1:443",
+            QuicSocketAddress(&address.addr, sizeof(address.v4)).ToString());
+  EXPECT_EQ("127.0.0.1:443", QuicSocketAddress(address.storage).ToString());
+}
+
+TEST(QuicSocketAddress, FromSockaddrIPv6) {
+  union {
+    sockaddr_storage storage;
+    sockaddr addr;
+    sockaddr_in6 v6;
+  } address;
+
+  memset(&address, 0, sizeof(address));
+  address.v6.sin6_family = AF_INET6;
+  address.v6.sin6_addr = QuicIpAddress::Loopback6().GetIPv6();
+  address.v6.sin6_port = htons(443);
+  EXPECT_EQ("[::1]:443",
+            QuicSocketAddress(&address.addr, sizeof(address.v6)).ToString());
+  EXPECT_EQ("[::1]:443", QuicSocketAddress(address.storage).ToString());
+}
+
+TEST(QuicSocketAddres, ToSockaddrIPv4) {
+  union {
+    sockaddr_storage storage;
+    sockaddr_in v4;
+  } address;
+
+  address.storage =
+      QuicSocketAddress(QuicIpAddress::Loopback4(), 443).generic_address();
+  ASSERT_EQ(AF_INET, address.v4.sin_family);
+  EXPECT_EQ(QuicIpAddress::Loopback4(), QuicIpAddress(address.v4.sin_addr));
+  EXPECT_EQ(htons(443), address.v4.sin_port);
+}
+
+TEST(QuicSocketAddress, Normalize) {
+  QuicIpAddress dual_stacked;
+  ASSERT_TRUE(dual_stacked.FromString("::ffff:127.0.0.1"));
+  ASSERT_TRUE(dual_stacked.IsIPv6());
+  QuicSocketAddress not_normalized(dual_stacked, 443);
+  QuicSocketAddress normalized = not_normalized.Normalized();
+  EXPECT_EQ("[::ffff:127.0.0.1]:443", not_normalized.ToString());
+  EXPECT_EQ("127.0.0.1:443", normalized.ToString());
+}
+
+// TODO(vasilvv): either ensure this works on all platforms, or deprecate and
+// remove this API.
+#if defined(__linux__) && !defined(ANDROID)
+#include <errno.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+TEST(QuicSocketAddress, FromSocket) {
+  int fd;
+  QuicSocketAddress address;
+  bool bound = false;
+  for (int port = 50000; port < 50400; port++) {
+    fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+    ASSERT_GT(fd, 0);
+
+    address = QuicSocketAddress(QuicIpAddress::Loopback6(), port);
+    sockaddr_storage raw_address = address.generic_address();
+    int bind_result = bind(fd, reinterpret_cast<const sockaddr*>(&raw_address),
+                           sizeof(sockaddr_in6));
+
+    if (bind_result < 0 && errno == EADDRINUSE) {
+      close(fd);
+      continue;
+    }
+
+    ASSERT_EQ(0, bind_result);
+    bound = true;
+    break;
+  }
+  ASSERT_TRUE(bound);
+
+  QuicSocketAddress real_address;
+  ASSERT_EQ(0, real_address.FromSocket(fd));
+  ASSERT_TRUE(real_address.IsInitialized());
+  EXPECT_EQ(real_address, address);
+  close(fd);
+}
+#endif
+
+}  // namespace
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/counting_packet_filter.h b/chromium/net/third_party/quiche/src/quic/quartc/counting_packet_filter.h
index 32feffc7497..4c7c27041ba 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/counting_packet_filter.h
+++ b/chromium/net/third_party/quiche/src/quic/quartc/counting_packet_filter.h
@@ -25,7 +25,7 @@ class CountingPacketFilter : public simulator::PacketFilter {
   void set_packets_to_drop(int count) { packets_to_drop_ = count; }
 
  protected:
-  bool FilterPacket(const simulator::Packet& packet) override {
+  bool FilterPacket(const simulator::Packet& /*packet*/) override {
     if (packets_to_drop_ > 0) {
       --packets_to_drop_;
       return false;
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_crypto_helpers.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_crypto_helpers.cc
index 4653000138b..1446ab352d5 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_crypto_helpers.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_crypto_helpers.cc
@@ -4,16 +4,14 @@
 
 #include "net/third_party/quiche/src/quic/quartc/quartc_crypto_helpers.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 
 namespace quic {
 
 void DummyProofSource::GetProof(const QuicSocketAddress& server_address,
                                 const std::string& hostname,
-                                const std::string& server_config,
-                                QuicTransportVersion transport_version,
-                                QuicStringPiece chlo_hash,
+                                const std::string& /*server_config*/,
+                                QuicTransportVersion /*transport_version*/,
+                                QuicStringPiece /*chlo_hash*/,
                                 std::unique_ptr<Callback> callback) {
   QuicReferenceCountedPointer<ProofSource::Chain> chain =
       GetCertChain(server_address, hostname);
@@ -24,8 +22,8 @@ void DummyProofSource::GetProof(const QuicSocketAddress& server_address,
 }
 
 QuicReferenceCountedPointer<DummyProofSource::Chain>
-DummyProofSource::GetCertChain(const QuicSocketAddress& server_address,
-                               const std::string& hostname) {
+DummyProofSource::GetCertChain(const QuicSocketAddress& /*server_address*/,
+                               const std::string& /*hostname*/) {
   std::vector<std::string> certs;
   certs.push_back(kDummyCertName);
   return QuicReferenceCountedPointer<ProofSource::Chain>(
@@ -33,39 +31,39 @@ DummyProofSource::GetCertChain(const QuicSocketAddress& server_address,
 }
 
 void DummyProofSource::ComputeTlsSignature(
-    const QuicSocketAddress& server_address,
-    const std::string& hostname,
-    uint16_t signature_algorithm,
-    QuicStringPiece in,
+    const QuicSocketAddress& /*server_address*/,
+    const std::string& /*hostname*/,
+    uint16_t /*signature_algorithm*/,
+    QuicStringPiece /*in*/,
     std::unique_ptr<SignatureCallback> callback) {
   callback->Run(true, "Dummy signature");
 }
 
 QuicAsyncStatus InsecureProofVerifier::VerifyProof(
-    const std::string& hostname,
-    const uint16_t port,
-    const std::string& server_config,
-    QuicTransportVersion transport_version,
-    QuicStringPiece chlo_hash,
-    const std::vector<std::string>& certs,
-    const std::string& cert_sct,
-    const std::string& signature,
-    const ProofVerifyContext* context,
-    std::string* error_details,
-    std::unique_ptr<ProofVerifyDetails>* verify_details,
-    std::unique_ptr<ProofVerifierCallback> callback) {
+    const std::string& /*hostname*/,
+    const uint16_t /*port*/,
+    const std::string& /*server_config*/,
+    QuicTransportVersion /*transport_version*/,
+    QuicStringPiece /*chlo_hash*/,
+    const std::vector<std::string>& /*certs*/,
+    const std::string& /*cert_sct*/,
+    const std::string& /*signature*/,
+    const ProofVerifyContext* /*context*/,
+    std::string* /*error_details*/,
+    std::unique_ptr<ProofVerifyDetails>* /*verify_details*/,
+    std::unique_ptr<ProofVerifierCallback> /*callback*/) {
   return QUIC_SUCCESS;
 }
 
 QuicAsyncStatus InsecureProofVerifier::VerifyCertChain(
-    const std::string& hostname,
-    const std::vector<std::string>& certs,
-    const std::string& ocsp_response,
-    const std::string& cert_sct,
-    const ProofVerifyContext* context,
-    std::string* error_details,
-    std::unique_ptr<ProofVerifyDetails>* details,
-    std::unique_ptr<ProofVerifierCallback> callback) {
+    const std::string& /*hostname*/,
+    const std::vector<std::string>& /*certs*/,
+    const std::string& /*ocsp_response*/,
+    const std::string& /*cert_sct*/,
+    const ProofVerifyContext* /*context*/,
+    std::string* /*error_details*/,
+    std::unique_ptr<ProofVerifyDetails>* /*details*/,
+    std::unique_ptr<ProofVerifierCallback> /*callback*/) {
   return QUIC_SUCCESS;
 }
 
@@ -75,28 +73,26 @@ InsecureProofVerifier::CreateDefaultContext() {
 }
 
 QuicConnectionId QuartcCryptoServerStreamHelper::GenerateConnectionIdForReject(
-    QuicTransportVersion version,
-    QuicConnectionId connection_id) const {
+    QuicTransportVersion /*version*/,
+    QuicConnectionId /*connection_id*/) const {
   // TODO(b/124399417):  Request a zero-length connection id here when the QUIC
-  // server perspective supports it.  Right now, the stateless rejector requires
-  // a connection id that is not the same as the client-chosen connection id.
+  // server perspective supports it.
   return QuicUtils::CreateRandomConnectionId();
 }
 
 bool QuartcCryptoServerStreamHelper::CanAcceptClientHello(
-    const CryptoHandshakeMessage& message,
-    const QuicSocketAddress& client_address,
-    const QuicSocketAddress& peer_address,
-    const QuicSocketAddress& self_address,
-    std::string* error_details) const {
+    const CryptoHandshakeMessage& /*message*/,
+    const QuicSocketAddress& /*client_address*/,
+    const QuicSocketAddress& /*peer_address*/,
+    const QuicSocketAddress& /*self_address*/,
+    std::string* /*error_details*/) const {
   return true;
 }
 
 std::unique_ptr<QuicCryptoClientConfig> CreateCryptoClientConfig(
     QuicStringPiece pre_shared_key) {
   auto config = QuicMakeUnique<QuicCryptoClientConfig>(
-      QuicMakeUnique<InsecureProofVerifier>(),
-      TlsClientHandshaker::CreateSslCtx());
+      QuicMakeUnique<InsecureProofVerifier>());
   config->set_pad_inchoate_hello(false);
   config->set_pad_full_hello(false);
   if (!pre_shared_key.empty()) {
@@ -117,8 +113,7 @@ CryptoServerConfig CreateCryptoServerConfig(QuicRandom* random,
   random->RandBytes(source_address_token_secret, kInputKeyingMaterialLength);
   auto config = QuicMakeUnique<QuicCryptoServerConfig>(
       std::string(source_address_token_secret, kInputKeyingMaterialLength),
-      random, QuicMakeUnique<DummyProofSource>(), KeyExchangeSource::Default(),
-      TlsServerHandshaker::CreateSslCtx());
+      random, QuicMakeUnique<DummyProofSource>(), KeyExchangeSource::Default());
 
   // We run QUIC over ICE, and ICE is verifying remote side with STUN pings.
   // We disable source address token validation in order to allow for 0-rtt
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_dispatcher.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_dispatcher.cc
index e6e9c2b0a89..a9d55107539 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_dispatcher.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_dispatcher.cc
@@ -14,7 +14,6 @@ namespace quic {
 QuartcDispatcher::QuartcDispatcher(
     std::unique_ptr<QuicConfig> config,
     std::unique_ptr<QuicCryptoServerConfig> crypto_config,
-    QuicStringPiece crypto_config_serialized,
     QuicVersionManager* version_manager,
     std::unique_ptr<QuicConnectionHelperInterface> helper,
     std::unique_ptr<QuicCryptoServerStream::Helper> session_helper,
@@ -33,7 +32,6 @@ QuartcDispatcher::QuartcDispatcher(
               .length()),
       owned_quic_config_(std::move(config)),
       owned_crypto_config_(std::move(crypto_config)),
-      crypto_config_(crypto_config_serialized),
       delegate_(delegate),
       packet_writer_(packet_writer.get()) {
   // Allow incoming packets to set our expected connection ID length.
@@ -55,7 +53,7 @@ QuartcDispatcher::~QuartcDispatcher() {
 QuartcSession* QuartcDispatcher::CreateQuicSession(
     QuicConnectionId connection_id,
     const QuicSocketAddress& client_address,
-    QuicStringPiece alpn,
+    QuicStringPiece /*alpn*/,
     const ParsedQuicVersion& version) {
   // Make our expected connection ID non-mutable since we have a connection.
   SetShouldUpdateExpectedServerConnectionIdLength(false);
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_dispatcher.h b/chromium/net/third_party/quiche/src/quic/quartc/quartc_dispatcher.h
index 239b6ef0c22..d1128d61afe 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_dispatcher.h
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_dispatcher.h
@@ -32,7 +32,6 @@ class QuartcDispatcher : public QuicDispatcher,
   QuartcDispatcher(
       std::unique_ptr<QuicConfig> config,
       std::unique_ptr<QuicCryptoServerConfig> crypto_config,
-      QuicStringPiece crypto_config_serialized,
       QuicVersionManager* version_manager,
       std::unique_ptr<QuicConnectionHelperInterface> helper,
       std::unique_ptr<QuicCryptoServerStream::Helper> session_helper,
@@ -50,14 +49,10 @@ class QuartcDispatcher : public QuicDispatcher,
   void OnTransportCanWrite() override;
   void OnTransportReceived(const char* data, size_t data_len) override;
 
-  // A serialized server config in quic wire format.
-  QuicStringPiece server_crypto_config() const { return crypto_config_; }
-
  private:
   // Members owned by QuartcDispatcher but not QuicDispatcher.
   std::unique_ptr<QuicConfig> owned_quic_config_;
   std::unique_ptr<QuicCryptoServerConfig> owned_crypto_config_;
-  std::string crypto_config_;
 
   // Delegate invoked when the dispatcher creates a new session.
   Delegate* delegate_;
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint.cc
index 7676c591062..7d01ce85a41 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint.cc
@@ -100,11 +100,11 @@ void QuartcClientEndpoint::OnCongestionControlChange(
                                        latest_rtt);
 }
 
-void QuartcClientEndpoint::OnConnectionClosed(QuicErrorCode error_code,
-                                              const std::string& error_details,
-                                              ConnectionCloseSource source) {
+void QuartcClientEndpoint::OnConnectionClosed(
+    const QuicConnectionCloseFrame& frame,
+    ConnectionCloseSource source) {
   // First, see if we can restart the session with a mutually-supported version.
-  if (error_code == QUIC_INVALID_VERSION && session_ &&
+  if (frame.quic_error_code == QUIC_INVALID_VERSION && session_ &&
       session_->connection() &&
       !session_->connection()->server_supported_versions().empty()) {
     for (const auto& client_version :
@@ -122,7 +122,7 @@ void QuartcClientEndpoint::OnConnectionClosed(QuicErrorCode error_code,
 
   // Permanent version negotiation errors are forwarded to the |delegate_|,
   // along with all other errors.
-  delegate_->OnConnectionClosed(error_code, error_details, source);
+  delegate_->OnConnectionClosed(frame, source);
 }
 
 void QuartcClientEndpoint::OnMessageReceived(QuicStringPiece message) {
@@ -133,6 +133,15 @@ void QuartcClientEndpoint::OnMessageSent(int64_t datagram_id) {
   delegate_->OnMessageSent(datagram_id);
 }
 
+void QuartcClientEndpoint::OnMessageAcked(int64_t datagram_id,
+                                          QuicTime receive_timestamp) {
+  delegate_->OnMessageAcked(datagram_id, receive_timestamp);
+}
+
+void QuartcClientEndpoint::OnMessageLost(int64_t datagram_id) {
+  delegate_->OnMessageLost(datagram_id);
+}
+
 QuartcServerEndpoint::QuartcServerEndpoint(
     QuicAlarmFactory* alarm_factory,
     const QuicClock* clock,
@@ -157,8 +166,8 @@ void QuartcServerEndpoint::Connect(QuartcPacketTransport* packet_transport) {
   DCHECK(pre_connection_helper_ != nullptr);
   dispatcher_ = QuicMakeUnique<QuartcDispatcher>(
       QuicMakeUnique<QuicConfig>(CreateQuicConfig(config_)),
-      std::move(crypto_config_.config), crypto_config_.serialized_crypto_config,
-      version_manager_.get(), std::move(pre_connection_helper_),
+      std::move(crypto_config_.config), version_manager_.get(),
+      std::move(pre_connection_helper_),
       QuicMakeUnique<QuartcCryptoServerStreamHelper>(),
       QuicMakeUnique<QuartcAlarmFactoryWrapper>(alarm_factory_),
       QuicMakeUnique<QuartcPacketWriter>(packet_transport,
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint.h b/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint.h
index 6c7644c9519..0f557a2c18c 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint.h
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint.h
@@ -18,15 +18,6 @@
 
 namespace quic {
 
-// Private implementation of QuartcEndpoint.  Enables different implementations
-// for client and server endpoints.
-class QuartcEndpointImpl {
- public:
-  virtual ~QuartcEndpointImpl() = default;
-
-  virtual QuicStringPiece server_crypto_config() const = 0;
-};
-
 // Endpoint (client or server) in a peer-to-peer Quartc connection.
 class QuartcEndpoint {
  public:
@@ -83,11 +74,12 @@ class QuartcClientEndpoint : public QuartcEndpoint,
   void OnCongestionControlChange(QuicBandwidth bandwidth_estimate,
                                  QuicBandwidth pacing_rate,
                                  QuicTime::Delta latest_rtt) override;
-  void OnConnectionClosed(QuicErrorCode error_code,
-                          const std::string& error_details,
+  void OnConnectionClosed(const QuicConnectionCloseFrame& frame,
                           ConnectionCloseSource source) override;
   void OnMessageReceived(QuicStringPiece message) override;
   void OnMessageSent(int64_t datagram_id) override;
+  void OnMessageAcked(int64_t datagram_id, QuicTime receive_timestamp) override;
+  void OnMessageLost(int64_t datagram_id) override;
 
  private:
   friend class CreateSessionDelegate;
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint_test.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint_test.cc
index 5f8c25d6416..eedbf6a712a 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint_test.cc
@@ -80,11 +80,6 @@ TEST_F(QuartcEndpointTest, ClientCreatesSessionAsynchronously) {
 // attempts to connect using a newer version.
 TEST_F(QuartcEndpointTest,
        QUIC_TEST_DISABLED_IN_CHROME(ServerNegotiatesForOldVersion)) {
-  // Note: for this test, we need support for two versions.  Which two shouldn't
-  // matter, but they must be enabled so that the version manager doesn't filter
-  // them out.
-  SetQuicReloadableFlag(quic_enable_version_46, true);
-
   // Reset the client endpoint to prefer version 46 but also be capable of
   // speaking version 43.
   ParsedQuicVersionVector client_versions;
@@ -126,11 +121,6 @@ TEST_F(QuartcEndpointTest,
 // QUIC versions.
 TEST_F(QuartcEndpointTest,
        QUIC_TEST_DISABLED_IN_CHROME(ServerAcceptsOldVersion)) {
-  // Note: for this test, we need support for two versions.  Which two shouldn't
-  // matter, but they must be enabled so that the version manager doesn't filter
-  // them out.
-  SetQuicReloadableFlag(quic_enable_version_46, true);
-
   // Reset the client endpoint to only speak version 43.
   ParsedQuicVersionVector client_versions;
   client_versions.push_back({PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_43});
@@ -172,11 +162,6 @@ TEST_F(QuartcEndpointTest,
 // completely disjoint sets of versions.
 TEST_F(QuartcEndpointTest,
        QUIC_TEST_DISABLED_IN_CHROME(VersionNegotiationWithDisjointVersions)) {
-  // Note: for this test, we need support for two versions.  Which two shouldn't
-  // matter, but they must be enabled so that the version manager doesn't filter
-  // them out.
-  SetQuicReloadableFlag(quic_enable_version_46, true);
-
   // Reset the client endpoint to only speak version 43.
   ParsedQuicVersionVector client_versions;
   client_versions.push_back({PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_43});
@@ -215,15 +200,6 @@ TEST_F(QuartcEndpointTest,
 // version negotiation.
 TEST_F(QuartcEndpointTest,
        QUIC_TEST_DISABLED_IN_CHROME(CreatesNewSessionWhenRequired)) {
-  // Setting this flag to true requires the client to create a new session when
-  // version negotiation fails.
-  SetQuicReloadableFlag(quic_no_client_conn_ver_negotiation, true);
-
-  // Note: for this test, we need support for two versions.  Which two shouldn't
-  // matter, but they must be enabled so that the version manager doesn't filter
-  // them out.
-  SetQuicReloadableFlag(quic_enable_version_46, true);
-
   // Reset the client endpoint to prefer version 46 but also be capable of
   // speaking version 43.
   ParsedQuicVersionVector client_versions;
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_factory.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_factory.cc
index 06871a2fe97..0c11bd0d85f 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_factory.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_factory.cc
@@ -54,18 +54,9 @@ void ConfigureGlobalQuicSettings() {
   // Fixes behavior of StopReading() with level-triggered stream sequencers.
   SetQuicReloadableFlag(quic_stop_reading_when_level_triggered, true);
 
-  // Fix b/110259444.
-  SetQuicReloadableFlag(quic_fix_spurious_ack_alarm, true);
-
-  // Enable version 46 to enable SendMessage API and 'quic bit' per draft 17.
-  SetQuicReloadableFlag(quic_enable_version_46, true);
-
   // Enable version 47 to enable variable-length connection ids.
   SetQuicReloadableFlag(quic_enable_version_47, true);
 
-  // Fix for inconsistent reporting of crypto handshake.
-  SetQuicReloadableFlag(quic_fix_has_pending_crypto_data, true);
-
   // Ensure that we don't drop data because QUIC streams refuse to buffer it.
   // TODO(b/120099046):  Replace this with correct handling of WriteMemSlices().
   SetQuicFlag(FLAGS_quic_buffered_data_threshold,
@@ -82,8 +73,10 @@ void ConfigureGlobalQuicSettings() {
   // SetQuicReloadableFlag() gets stubbed out.
   SetQuicReloadableFlag(quic_bbr_less_probe_rtt, true);   // Enable BBR6,7,8.
   SetQuicReloadableFlag(quic_unified_iw_options, true);   // Enable IWXX opts.
-  SetQuicReloadableFlag(quic_bbr_slower_startup3, true);  // Enable BBQX opts.
   SetQuicReloadableFlag(quic_bbr_flexible_app_limited, true);  // Enable BBR9.
+
+  // Fix GetPacketHeaderSize
+  SetQuicReloadableFlag(quic_fix_get_packet_header_size, true);
 }
 
 QuicConfig CreateQuicConfig(const QuartcSessionConfig& quartc_session_config) {
@@ -96,7 +89,7 @@ QuicConfig CreateQuicConfig(const QuartcSessionConfig& quartc_session_config) {
 
   // In exoblaze this may return false. DCHECK to avoid problems caused by
   // incorrect flags configuration.
-  DCHECK(GetQuicReloadableFlag(quic_enable_version_46))
+  DCHECK(GetQuicReloadableFlag(quic_enable_version_47))
       << "Your build does not support quic reloadable flags and shouldn't "
          "place Quartc calls";
 
@@ -213,7 +206,9 @@ std::unique_ptr<QuicConnection> CreateQuicConnection(
   // The p-time can go up to as high as 120ms, and when it does, it's
   // when the low overhead is the most important thing. Ideally it should be
   // above 120ms, but it cannot be higher than 0.5*RTO, which equals to 100ms.
-  sent_packet_manager.set_delayed_ack_time(
+  sent_packet_manager.set_local_max_ack_delay(
+      QuicTime::Delta::FromMilliseconds(100));
+  sent_packet_manager.set_peer_max_ack_delay(
       QuicTime::Delta::FromMilliseconds(100));
 
   quic_connection->set_fill_up_link_during_probing(true);
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_fakes.h b/chromium/net/third_party/quiche/src/quic/quartc/quartc_fakes.h
index 13b65b1b532..91ea9a91b58 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_fakes.h
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_fakes.h
@@ -43,9 +43,8 @@ class FakeQuartcEndpointDelegate : public QuartcEndpoint::Delegate {
   }
 
   // Called when connection closes locally, or remotely by peer.
-  void OnConnectionClosed(QuicErrorCode error_code,
-                          const std::string& error_details,
-                          ConnectionCloseSource source) override {
+  void OnConnectionClosed(const QuicConnectionCloseFrame& /*frame*/,
+                          ConnectionCloseSource /*source*/) override {
     connected_ = false;
   }
 
@@ -63,9 +62,19 @@ class FakeQuartcEndpointDelegate : public QuartcEndpoint::Delegate {
     sent_datagram_ids_.push_back(datagram_id);
   }
 
-  void OnCongestionControlChange(QuicBandwidth bandwidth_estimate,
-                                 QuicBandwidth pacing_rate,
-                                 QuicTime::Delta latest_rtt) override {}
+  void OnMessageAcked(int64_t datagram_id,
+                      QuicTime receive_timestamp) override {
+    acked_datagram_id_to_receive_timestamp_.emplace(datagram_id,
+                                                    receive_timestamp);
+  }
+
+  void OnMessageLost(int64_t datagram_id) override {
+    lost_datagram_ids_.push_back(datagram_id);
+  }
+
+  void OnCongestionControlChange(QuicBandwidth /*bandwidth_estimate*/,
+                                 QuicBandwidth /*pacing_rate*/,
+                                 QuicTime::Delta /*latest_rtt*/) override {}
 
   QuartcSession* session() { return session_; }
 
@@ -83,6 +92,16 @@ class FakeQuartcEndpointDelegate : public QuartcEndpoint::Delegate {
     return sent_datagram_ids_;
   }
 
+  // Returns all ACKEd datagram ids in the order ACKs were received.
+  const std::map<int64_t, QuicTime>& acked_datagram_id_to_receive_timestamp()
+      const {
+    return acked_datagram_id_to_receive_timestamp_;
+  }
+
+  const std::vector<int64_t>& lost_datagram_ids() const {
+    return lost_datagram_ids_;
+  }
+
   bool connected() const { return connected_; }
   QuicTime writable_time() const { return writable_time_; }
   QuicTime crypto_handshake_time() const { return crypto_handshake_time_; }
@@ -97,6 +116,8 @@ class FakeQuartcEndpointDelegate : public QuartcEndpoint::Delegate {
   QuartcStream* last_incoming_stream_;
   std::vector<std::string> incoming_messages_;
   std::vector<int64_t> sent_datagram_ids_;
+  std::map<int64_t, QuicTime> acked_datagram_id_to_receive_timestamp_;
+  std::vector<int64_t> lost_datagram_ids_;
   bool connected_ = true;
   QuartcStream::Delegate* stream_delegate_;
   QuicTime writable_time_ = QuicTime::Zero();
@@ -109,7 +130,7 @@ class FakeQuartcStreamDelegate : public QuartcStream::Delegate {
   size_t OnReceived(QuartcStream* stream,
                     iovec* iov,
                     size_t iov_length,
-                    bool fin) override {
+                    bool /*fin*/) override {
     size_t bytes_consumed = 0;
     for (size_t i = 0; i < iov_length; ++i) {
       received_data_[stream->id()] += std::string(
@@ -123,7 +144,7 @@ class FakeQuartcStreamDelegate : public QuartcStream::Delegate {
     errors_[stream->id()] = stream->stream_error();
   }
 
-  void OnBufferChanged(QuartcStream* stream) override {}
+  void OnBufferChanged(QuartcStream* /*stream*/) override {}
 
   bool has_data() { return !received_data_.empty(); }
   std::map<QuicStreamId, std::string> data() { return received_data_; }
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_packet_writer.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_packet_writer.cc
index 64a72a89410..223ad3dcc3f 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_packet_writer.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_packet_writer.cc
@@ -17,8 +17,8 @@ QuartcPacketWriter::QuartcPacketWriter(QuartcPacketTransport* packet_transport,
 WriteResult QuartcPacketWriter::WritePacket(
     const char* buffer,
     size_t buf_len,
-    const QuicIpAddress& self_address,
-    const QuicSocketAddress& peer_address,
+    const QuicIpAddress& /*self_address*/,
+    const QuicSocketAddress& /*peer_address*/,
     PerPacketOptions* options) {
   DCHECK(packet_transport_);
 
@@ -42,7 +42,7 @@ bool QuartcPacketWriter::IsWriteBlocked() const {
 }
 
 QuicByteCount QuartcPacketWriter::GetMaxPacketSize(
-    const QuicSocketAddress& peer_address) const {
+    const QuicSocketAddress& /*peer_address*/) const {
   return max_packet_size_;
 }
 
@@ -59,8 +59,8 @@ bool QuartcPacketWriter::IsBatchMode() const {
 }
 
 char* QuartcPacketWriter::GetNextWriteLocation(
-    const QuicIpAddress& self_address,
-    const QuicSocketAddress& peer_address) {
+    const QuicIpAddress& /*self_address*/,
+    const QuicSocketAddress& /*peer_address*/) {
   return nullptr;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.cc
index 96156896af6..8a918caac56 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.cc
@@ -58,9 +58,12 @@ bool QuartcSession::SendOrQueueMessage(QuicMemSliceSpan message,
 
   // There may be other messages in send queue, so we have to add message
   // to the queue and call queue processing helper.
-  message.ConsumeAll([this, datagram_id](QuicMemSlice slice) {
-    send_message_queue_.emplace_back(std::move(slice), datagram_id);
+  QueuedMessage queued_message;
+  queued_message.datagram_id = datagram_id;
+  message.ConsumeAll([&queued_message](QuicMemSlice slice) {
+    queued_message.message.Append(std::move(slice));
   });
+  send_message_queue_.push_back(std::move(queued_message));
 
   ProcessSendMessageQueue();
 
@@ -68,23 +71,30 @@ bool QuartcSession::SendOrQueueMessage(QuicMemSliceSpan message,
 }
 
 void QuartcSession::ProcessSendMessageQueue() {
-  QuicConnection::ScopedPacketFlusher flusher(
-      connection(), QuicConnection::AckBundling::NO_ACK);
+  QuicConnection::ScopedPacketFlusher flusher(connection());
   while (!send_message_queue_.empty()) {
     QueuedMessage& it = send_message_queue_.front();
-    const size_t message_size = it.message.length();
-    MessageResult result = SendMessage(QuicMemSliceSpan(&it.message));
+    QuicMemSliceSpan span = it.message.ToSpan();
+    const size_t message_size = span.total_length();
+    MessageResult result = SendMessage(span);
 
     // Handle errors.
     switch (result.status) {
-      case MESSAGE_STATUS_SUCCESS:
+      case MESSAGE_STATUS_SUCCESS: {
         QUIC_VLOG(1) << "Quartc message sent, message_id=" << result.message_id
                      << ", message_size=" << message_size;
 
+        auto element = message_to_datagram_id_.find(result.message_id);
+
+        DCHECK(element == message_to_datagram_id_.end())
+            << "Mapped message_id already exists, message_id="
+            << result.message_id << ", datagram_id=" << element->second;
+
+        message_to_datagram_id_[result.message_id] = it.datagram_id;
+
         // Notify that datagram was sent.
         session_delegate_->OnMessageSent(it.datagram_id);
-
-        break;
+      } break;
 
       // If connection is congestion controlled or not writable yet, stop
       // send loop and we'll retry again when we get OnCanWrite notification.
@@ -178,7 +188,7 @@ void QuartcSession::ResetStream(QuicStreamId stream_id,
   }
 }
 
-void QuartcSession::OnCongestionWindowChange(QuicTime now) {
+void QuartcSession::OnCongestionWindowChange(QuicTime /*now*/) {
   DCHECK(session_delegate_);
   const RttStats* rtt_stats = connection_->sent_packet_manager().GetRttStats();
 
@@ -200,12 +210,11 @@ bool QuartcSession::ShouldKeepConnectionAlive() const {
   return GetNumOpenDynamicStreams() > 0;
 }
 
-void QuartcSession::OnConnectionClosed(QuicErrorCode error,
-                                       const std::string& error_details,
+void QuartcSession::OnConnectionClosed(const QuicConnectionCloseFrame& frame,
                                        ConnectionCloseSource source) {
-  QuicSession::OnConnectionClosed(error, error_details, source);
+  QuicSession::OnConnectionClosed(frame, source);
   DCHECK(session_delegate_);
-  session_delegate_->OnConnectionClosed(error, error_details, source);
+  session_delegate_->OnConnectionClosed(frame, source);
 }
 
 void QuartcSession::CloseConnection(const std::string& details) {
@@ -239,13 +248,40 @@ void QuartcSession::OnMessageReceived(QuicStringPiece message) {
   session_delegate_->OnMessageReceived(message);
 }
 
+void QuartcSession::OnMessageAcked(QuicMessageId message_id,
+                                   QuicTime receive_timestamp) {
+  auto element = message_to_datagram_id_.find(message_id);
+
+  if (element == message_to_datagram_id_.end()) {
+    return;
+  }
+
+  session_delegate_->OnMessageAcked(/*datagram_id=*/element->second,
+                                    receive_timestamp);
+
+  // Free up space -- we should never see message_id again.
+  message_to_datagram_id_.erase(element);
+}
+
+void QuartcSession::OnMessageLost(QuicMessageId message_id) {
+  auto it = message_to_datagram_id_.find(message_id);
+  if (it == message_to_datagram_id_.end()) {
+    return;
+  }
+
+  session_delegate_->OnMessageLost(/*datagram_id=*/it->second);
+
+  // Free up space.
+  message_to_datagram_id_.erase(it);
+}
+
 QuicStream* QuartcSession::CreateIncomingStream(QuicStreamId id) {
   return ActivateDataStream(CreateDataStream(id, QuicStream::kDefaultPriority));
 }
 
-QuicStream* QuartcSession::CreateIncomingStream(PendingStream pending) {
-  return ActivateDataStream(
-      CreateDataStream(std::move(pending), QuicStream::kDefaultPriority));
+QuicStream* QuartcSession::CreateIncomingStream(PendingStream* /*pending*/) {
+  QUIC_NOTREACHED();
+  return nullptr;
 }
 
 std::unique_ptr<QuartcStream> QuartcSession::CreateDataStream(
@@ -259,13 +295,6 @@ std::unique_ptr<QuartcStream> QuartcSession::CreateDataStream(
   return InitializeDataStream(QuicMakeUnique<QuartcStream>(id, this), priority);
 }
 
-std::unique_ptr<QuartcStream> QuartcSession::CreateDataStream(
-    PendingStream pending,
-    spdy::SpdyPriority priority) {
-  return InitializeDataStream(QuicMakeUnique<QuartcStream>(std::move(pending)),
-                              priority);
-}
-
 std::unique_ptr<QuartcStream> QuartcSession::InitializeDataStream(
     std::unique_ptr<QuartcStream> stream,
     spdy::SpdyPriority priority) {
@@ -369,12 +398,12 @@ void QuartcClientSession::StartCryptoHandshake() {
 }
 
 void QuartcClientSession::OnProofValid(
-    const QuicCryptoClientConfig::CachedState& cached) {
+    const QuicCryptoClientConfig::CachedState& /*cached*/) {
   // TODO(zhihuang): Handle the proof verification.
 }
 
 void QuartcClientSession::OnProofVerifyDetailsAvailable(
-    const ProofVerifyDetails& verify_details) {
+    const ProofVerifyDetails& /*verify_details*/) {
   // TODO(zhihuang): Handle the proof verification.
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.h b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.h
index 840f69d084b..638333e7389 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.h
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.h
@@ -14,6 +14,8 @@
 #include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage.h"
 #include "net/third_party/quiche/src/quic/quartc/quartc_packet_writer.h"
 #include "net/third_party/quiche/src/quic/quartc/quartc_stream.h"
 
@@ -68,7 +70,7 @@ class QuartcSession : public QuicSession,
 
   // Return true if transport support message frame.
   bool CanSendMessage() const {
-    return connection()->transport_version() > QUIC_VERSION_44;
+    return VersionSupportsMessageFrames(connection()->transport_version());
   }
 
   void OnCryptoHandshakeEvent(CryptoHandshakeEvent event) override;
@@ -80,8 +82,7 @@ class QuartcSession : public QuicSession,
   void OnCanWrite() override;
   bool SendProbingData() override;
 
-  void OnConnectionClosed(QuicErrorCode error,
-                          const std::string& error_details,
+  void OnConnectionClosed(const QuicConnectionCloseFrame& frame,
                           ConnectionCloseSource source) override;
 
   // QuartcSession methods.
@@ -133,8 +134,7 @@ class QuartcSession : public QuicSession,
 
     // Called when the connection is closed. This means all of the streams will
     // be closed and no new streams can be created.
-    virtual void OnConnectionClosed(QuicErrorCode error_code,
-                                    const std::string& error_details,
+    virtual void OnConnectionClosed(const QuicConnectionCloseFrame& frame,
                                     ConnectionCloseSource source) = 0;
 
     // Called when message (sent as SendMessage) is received.
@@ -156,6 +156,15 @@ class QuartcSession : public QuicSession,
     // plumb that signal up to RTP's congestion control.
     virtual void OnMessageSent(int64_t datagram_id) = 0;
 
+    // Called when message with |datagram_id| gets acked.  |receive_timestamp|
+    // indicates when the peer received this message, according to its own
+    // clock.
+    virtual void OnMessageAcked(int64_t datagram_id,
+                                QuicTime receive_timestamp) = 0;
+
+    // Called when message with |datagram_id| is lost.
+    virtual void OnMessageLost(int64_t datagram_id) = 0;
+
     // TODO(zhihuang): Add proof verification.
   };
 
@@ -171,6 +180,12 @@ class QuartcSession : public QuicSession,
 
   void OnMessageReceived(QuicStringPiece message) override;
 
+  // Called when message with |message_id| gets acked.
+  void OnMessageAcked(QuicMessageId message_id,
+                      QuicTime receive_timestamp) override;
+
+  void OnMessageLost(QuicMessageId message_id) override;
+
   // Returns number of queued (not sent) messages submitted by
   // SendOrQueueMessage. Messages are queued if connection is congestion
   // controlled.
@@ -179,12 +194,10 @@ class QuartcSession : public QuicSession,
  protected:
   // QuicSession override.
   QuicStream* CreateIncomingStream(QuicStreamId id) override;
-  QuicStream* CreateIncomingStream(PendingStream pending) override;
+  QuicStream* CreateIncomingStream(PendingStream* pending) override;
 
   std::unique_ptr<QuartcStream> CreateDataStream(QuicStreamId id,
                                                  spdy::SpdyPriority priority);
-  std::unique_ptr<QuartcStream> CreateDataStream(PendingStream pending,
-                                                 spdy::SpdyPriority priority);
   // Activates a QuartcStream.  The session takes ownership of the stream, but
   // returns an unowned pointer to the stream for convenience.
   QuartcStream* ActivateDataStream(std::unique_ptr<QuartcStream> stream);
@@ -200,9 +213,9 @@ class QuartcSession : public QuicSession,
 
   // Holds message until it's sent.
   struct QueuedMessage {
-    QueuedMessage(QuicMemSlice the_message, int64_t the_datagram_id)
-        : message(std::move(the_message)), datagram_id(the_datagram_id) {}
-    QuicMemSlice message;
+    QueuedMessage() : message(nullptr, 0, nullptr, 0), datagram_id(0) {}
+
+    QuicMemSliceStorage message;
     int64_t datagram_id;
   };
 
@@ -226,6 +239,10 @@ class QuartcSession : public QuicSession,
   // yet or blocked by congestion control. Messages are queued in the order
   // of sent by SendOrQueueMessage().
   QuicDeque<QueuedMessage> send_message_queue_;
+
+  // Maps message ids to datagram ids, so we could translate message ACKs
+  // received from QUIC to datagram ACKs that are propagated up the stack.
+  QuicUnorderedMap<QuicMessageId, int64_t> message_to_datagram_id_;
 };
 
 class QuartcClientSession : public QuartcSession,
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session_test.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session_test.cc
index 87174dcc4a6..3b55314fcd7 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session_test.cc
@@ -26,6 +26,11 @@ namespace quic {
 
 namespace {
 
+using ::testing::ElementsAre;
+using ::testing::ElementsAreArray;
+using ::testing::Gt;
+using ::testing::Pair;
+
 constexpr QuicTime::Delta kPropagationDelay =
     QuicTime::Delta::FromMilliseconds(10);
 // Propagation delay and a bit, but no more than full RTT.
@@ -85,8 +90,9 @@ class QuartcSessionTest : public QuicTest {
 
   // Note that input session config will apply to both server and client.
   // Perspective and packet_transport will be overwritten.
-  void CreateClientAndServerSessions(const QuartcSessionConfig& session_config,
-                                     bool init = true) {
+  void CreateClientAndServerSessions(
+      const QuartcSessionConfig& /*session_config*/,
+      bool init = true) {
     if (init) {
       Init();
     }
@@ -180,6 +186,10 @@ class QuartcSessionTest : public QuicTest {
     EXPECT_THAT(server_session_delegate_->sent_datagram_ids(),
                 testing::ElementsAre(server_datagram_id));
 
+    EXPECT_THAT(
+        server_session_delegate_->acked_datagram_id_to_receive_timestamp(),
+        ElementsAre(Pair(server_datagram_id, Gt(QuicTime::Zero()))));
+
     // Send message from peer 2 to peer 1.
     message = CreateMemSliceVector("Message from client");
     ASSERT_TRUE(
@@ -196,6 +206,10 @@ class QuartcSessionTest : public QuicTest {
 
     EXPECT_THAT(client_session_delegate_->sent_datagram_ids(),
                 testing::ElementsAre(client_datagram_id));
+
+    EXPECT_THAT(
+        client_session_delegate_->acked_datagram_id_to_receive_timestamp(),
+        ElementsAre(Pair(client_datagram_id, Gt(QuicTime::Zero()))));
   }
 
   // Test for sending multiple messages that also result in queueing.
@@ -240,8 +254,14 @@ class QuartcSessionTest : public QuicTest {
     // Wait for peer 2 to receive all messages.
     RunTasks();
 
+    std::vector<testing::Matcher<std::pair<int64_t, QuicTime>>> ack_matchers;
+    for (int64_t id : sent_datagram_ids) {
+      ack_matchers.push_back(Pair(id, Gt(QuicTime::Zero())));
+    }
     EXPECT_EQ(delegate_receiving->incoming_messages(), sent_messages);
     EXPECT_EQ(delegate_sending->sent_datagram_ids(), sent_datagram_ids);
+    EXPECT_THAT(delegate_sending->acked_datagram_id_to_receive_timestamp(),
+                ElementsAreArray(ack_matchers));
   }
 
   // Test sending long messages:
@@ -313,18 +333,46 @@ TEST_F(QuartcSessionTest, SendReceiveStreams) {
 }
 
 TEST_F(QuartcSessionTest, SendReceiveMessages) {
+  // TODO(b/134175506): Remove when IETF QUIC supports receive timestamps.
+  SetQuicReloadableFlag(quic_enable_version_99, false);
+
   CreateClientAndServerSessions(QuartcSessionConfig());
   AwaitHandshake();
   TestSendReceiveMessage();
 }
 
 TEST_F(QuartcSessionTest, SendReceiveQueuedMessages) {
+  // TODO(b/134175506): Remove when IETF QUIC supports receive timestamps.
+  SetQuicReloadableFlag(quic_enable_version_99, false);
+
   CreateClientAndServerSessions(QuartcSessionConfig());
   AwaitHandshake();
   TestSendReceiveQueuedMessages(/*direction_from_server=*/true);
   TestSendReceiveQueuedMessages(/*direction_from_server=*/false);
 }
 
+TEST_F(QuartcSessionTest, SendMultiMemSliceMessage) {
+  CreateClientAndServerSessions(QuartcSessionConfig());
+  AwaitHandshake();
+  ASSERT_TRUE(server_peer_->CanSendMessage());
+
+  std::vector<std::pair<char*, size_t>> buffers;
+  char first_piece[] = "Hello, ";
+  char second_piece[] = "world!";
+  buffers.emplace_back(first_piece, 7);
+  buffers.emplace_back(second_piece, 6);
+  test::QuicTestMemSliceVector message(buffers);
+  ASSERT_TRUE(
+      server_peer_->SendOrQueueMessage(message.span(), /*datagram_id=*/1));
+
+  // Wait for the client to receive the message.
+  RunTasks();
+
+  // The message is not fragmented along MemSlice boundaries.
+  EXPECT_THAT(client_session_delegate_->incoming_messages(),
+              testing::ElementsAre("Hello, world!"));
+}
+
 TEST_F(QuartcSessionTest, SendMessageFails) {
   CreateClientAndServerSessions(QuartcSessionConfig());
   AwaitHandshake();
@@ -355,6 +403,9 @@ TEST_F(QuartcSessionTest, TestCryptoHandshakeCanWriteTriggers) {
 }
 
 TEST_F(QuartcSessionTest, PreSharedKeyHandshake) {
+  // TODO(b/134175506): Remove when IETF QUIC supports receive timestamps.
+  SetQuicReloadableFlag(quic_enable_version_99, false);
+
   QuartcSessionConfig config;
   config.pre_shared_key = "foo";
   CreateClientAndServerSessions(config);
@@ -497,6 +548,54 @@ TEST_F(QuartcSessionTest, StreamRetransmissionDisabled) {
             QUIC_STREAM_CANCELLED);
 }
 
+TEST_F(QuartcSessionTest, LostDatagramNotifications) {
+  // TODO(b/134175506): Remove when IETF QUIC supports receive timestamps.
+  SetQuicReloadableFlag(quic_enable_version_99, false);
+
+  // Disable tail loss probe, otherwise test maybe flaky because dropped
+  // message will be retransmitted to detect tail loss.
+  QuartcSessionConfig session_config;
+  session_config.enable_tail_loss_probe = false;
+  CreateClientAndServerSessions(session_config);
+
+  // Disable probing retransmissions, otherwise test maybe flaky because dropped
+  // message will be retransmitted to to probe for more bandwidth.
+  client_peer_->connection()->set_fill_up_link_during_probing(false);
+  server_peer_->connection()->set_fill_up_link_during_probing(false);
+
+  AwaitHandshake();
+  ASSERT_TRUE(client_peer_->IsCryptoHandshakeConfirmed());
+  ASSERT_TRUE(server_peer_->IsCryptoHandshakeConfirmed());
+
+  // The client sends an ACK for the crypto handshake next.  This must be
+  // flushed before we set the filter to drop the next packet, in order to
+  // ensure that the filter drops a data-bearing packet instead of just an ack.
+  RunTasks();
+
+  // Drop the next packet.
+  client_filter_->set_packets_to_drop(1);
+
+  test::QuicTestMemSliceVector message =
+      CreateMemSliceVector("This message will be lost");
+  ASSERT_TRUE(client_peer_->SendOrQueueMessage(message.span(), 1));
+
+  RunTasks();
+
+  // Send another packet to elicit an ack and trigger loss detection.
+  message = CreateMemSliceVector("This message will arrive");
+  ASSERT_TRUE(client_peer_->SendOrQueueMessage(message.span(), 2));
+
+  RunTasks();
+
+  EXPECT_THAT(server_session_delegate_->incoming_messages(),
+              ElementsAre("This message will arrive"));
+  EXPECT_THAT(client_session_delegate_->sent_datagram_ids(), ElementsAre(1, 2));
+  EXPECT_THAT(
+      client_session_delegate_->acked_datagram_id_to_receive_timestamp(),
+      ElementsAre(Pair(2, Gt(QuicTime::Zero()))));
+  EXPECT_THAT(client_session_delegate_->lost_datagram_ids(), ElementsAre(1));
+}
+
 TEST_F(QuartcSessionTest, ServerRegistersAsWriteBlocked) {
   // Initialize client and server session, but with the server write-blocked.
   Init();
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream.cc
index 5fc10749951..607fa432723 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream.cc
@@ -24,11 +24,6 @@ QuartcStream::QuartcStream(QuicStreamId id, QuicSession* session)
   sequencer()->set_level_triggered(true);
 }
 
-QuartcStream::QuartcStream(PendingStream pending)
-    : QuicStream(std::move(pending), BIDIRECTIONAL, /*is_static=*/false) {
-  sequencer()->set_level_triggered(true);
-}
-
 QuartcStream::~QuartcStream() {}
 
 void QuartcStream::OnDataAvailable() {
@@ -66,9 +61,10 @@ void QuartcStream::OnStreamDataConsumed(size_t bytes_consumed) {
 }
 
 void QuartcStream::OnDataBuffered(
-    QuicStreamOffset offset,
-    QuicByteCount data_length,
-    const QuicReferenceCountedPointer<QuicAckListenerInterface>& ack_listener) {
+    QuicStreamOffset /*offset*/,
+    QuicByteCount /*data_length*/,
+    const QuicReferenceCountedPointer<
+        QuicAckListenerInterface>& /*ack_listener*/) {
   DCHECK(delegate_);
   delegate_->OnBufferChanged(this);
 }
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream.h b/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream.h
index bf15a684732..403ce6d73fe 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream.h
@@ -26,7 +26,6 @@ namespace quic {
 class QuartcStream : public QuicStream {
  public:
   QuartcStream(QuicStreamId id, QuicSession* session);
-  explicit QuartcStream(PendingStream pending);
 
   ~QuartcStream() override;
 
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream_test.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream_test.cc
index d7599e8d9d1..be23b75d5e9 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream_test.cc
@@ -62,7 +62,7 @@ class MockQuicSession : public QuicSession {
 
   // Writes outgoing data from QuicStream to a string.
   QuicConsumedData WritevData(QuicStream* stream,
-                              QuicStreamId id,
+                              QuicStreamId /*id*/,
                               size_t write_length,
                               QuicStreamOffset offset,
                               StreamSendingState state) override {
@@ -82,11 +82,11 @@ class MockQuicSession : public QuicSession {
     return QuicConsumedData(write_length, state != StreamSendingState::NO_FIN);
   }
 
-  QuartcStream* CreateIncomingStream(QuicStreamId id) override {
+  QuartcStream* CreateIncomingStream(QuicStreamId /*id*/) override {
     return nullptr;
   }
 
-  QuartcStream* CreateIncomingStream(PendingStream pending) override {
+  QuartcStream* CreateIncomingStream(PendingStream* /*pending*/) override {
     return nullptr;
   }
 
@@ -97,9 +97,9 @@ class MockQuicSession : public QuicSession {
   }
 
   // Called by QuicStream when they want to close stream.
-  void SendRstStream(QuicStreamId id,
-                     QuicRstStreamErrorCode error,
-                     QuicStreamOffset bytes_written) override {}
+  void SendRstStream(QuicStreamId /*id*/,
+                     QuicRstStreamErrorCode /*error*/,
+                     QuicStreamOffset /*bytes_written*/) override {}
 
   // Sets whether data is written to buffer, or else if this is write blocked.
   void set_writable(bool writable) { writable_ = writable; }
@@ -131,11 +131,11 @@ class DummyPacketWriter : public QuicPacketWriter {
   DummyPacketWriter() {}
 
   // QuicPacketWriter overrides.
-  WriteResult WritePacket(const char* buffer,
-                          size_t buf_len,
-                          const QuicIpAddress& self_address,
-                          const QuicSocketAddress& peer_address,
-                          PerPacketOptions* options) override {
+  WriteResult WritePacket(const char* /*buffer*/,
+                          size_t /*buf_len*/,
+                          const QuicIpAddress& /*self_address*/,
+                          const QuicSocketAddress& /*peer_address*/,
+                          PerPacketOptions* /*options*/) override {
     return WriteResult(WRITE_STATUS_ERROR, 0);
   }
 
@@ -144,7 +144,7 @@ class DummyPacketWriter : public QuicPacketWriter {
   void SetWritable() override {}
 
   QuicByteCount GetMaxPacketSize(
-      const QuicSocketAddress& peer_address) const override {
+      const QuicSocketAddress& /*peer_address*/) const override {
     return 0;
   }
 
@@ -152,8 +152,9 @@ class DummyPacketWriter : public QuicPacketWriter {
 
   bool IsBatchMode() const override { return false; }
 
-  char* GetNextWriteLocation(const QuicIpAddress& self_address,
-                             const QuicSocketAddress& peer_address) override {
+  char* GetNextWriteLocation(
+      const QuicIpAddress& /*self_address*/,
+      const QuicSocketAddress& /*peer_address*/) override {
     return nullptr;
   }
 
@@ -173,7 +174,7 @@ class MockQuartcStreamDelegate : public QuartcStream::Delegate {
   size_t OnReceived(QuartcStream* stream,
                     iovec* iov,
                     size_t iov_length,
-                    bool fin) override {
+                    bool /*fin*/) override {
     EXPECT_EQ(id_, stream->id());
     EXPECT_EQ(stream->ReadOffset(), read_buffer_->size());
     size_t bytes_consumed = 0;
@@ -185,7 +186,7 @@ class MockQuartcStreamDelegate : public QuartcStream::Delegate {
     return bytes_consumed;
   }
 
-  void OnClose(QuartcStream* stream) override { closed_ = true; }
+  void OnClose(QuartcStream* /*stream*/) override { closed_ = true; }
 
   bool closed() { return closed_; }
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.cc b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.cc
index 11cfefc8c5d..095472a7b99 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.cc
@@ -19,14 +19,12 @@
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_client_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_server_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_clock.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
@@ -52,7 +50,7 @@ class CryptoFramerVisitor : public CryptoFramerVisitorInterface {
  public:
   CryptoFramerVisitor() : error_(false) {}
 
-  void OnError(CryptoFramer* framer) override { error_ = true; }
+  void OnError(CryptoFramer* /*framer*/) override { error_ = true; }
 
   void OnHandshakeMessage(const CryptoHandshakeMessage& message) override {
     messages_.push_back(message);
@@ -143,9 +141,7 @@ class FullChloGenerator {
     crypto_config_->ProcessClientHello(
         result_, /*reject_only=*/false, TestConnectionId(1), server_addr_,
         client_addr_, AllSupportedVersions().front(), AllSupportedVersions(),
-        /*use_stateless_rejects=*/true,
-        /*server_designated_connection_id=*/TestConnectionId(2), clock_,
-        QuicRandom::GetInstance(), compressed_certs_cache_, params_,
+        clock_, QuicRandom::GetInstance(), compressed_certs_cache_, params_,
         signed_config_, /*total_framing_overhead=*/50, kDefaultMaxPacketSize,
         GetProcessClientHelloCallback());
   }
@@ -154,12 +150,12 @@ class FullChloGenerator {
    public:
     explicit ProcessClientHelloCallback(FullChloGenerator* generator)
         : generator_(generator) {}
-    void Run(
-        QuicErrorCode error,
-        const std::string& error_details,
-        std::unique_ptr<CryptoHandshakeMessage> message,
-        std::unique_ptr<DiversificationNonce> diversification_nonce,
-        std::unique_ptr<ProofSource::Details> proof_source_details) override {
+    void Run(QuicErrorCode /*error*/,
+             const std::string& /*error_details*/,
+             std::unique_ptr<CryptoHandshakeMessage> message,
+             std::unique_ptr<DiversificationNonce> /*diversification_nonce*/,
+             std::unique_ptr<ProofSource::Details> /*proof_source_details*/)
+        override {
       generator_->ProcessClientHelloDone(std::move(message));
     }
 
@@ -221,8 +217,7 @@ int HandshakeWithFakeServer(QuicConfig* server_quic_config,
 
   QuicCryptoServerConfig crypto_config(
       QuicCryptoServerConfig::TESTING, QuicRandom::GetInstance(),
-      ProofSourceForTesting(), KeyExchangeSource::Default(),
-      TlsServerHandshaker::CreateSslCtx());
+      ProofSourceForTesting(), KeyExchangeSource::Default());
   QuicCompressedCertsCache compressed_certs_cache(
       QuicCompressedCertsCache::kQuicCompressedCertsCacheSize);
   SetupCryptoServerConfigForTest(
@@ -273,8 +268,7 @@ int HandshakeWithFakeClient(MockQuicConnectionHelper* helper,
   // Advance the time, because timers do not like uninitialized times.
   client_conn->AdvanceTime(QuicTime::Delta::FromSeconds(1));
 
-  QuicCryptoClientConfig crypto_config(ProofVerifierForTesting(),
-                                       TlsClientHandshaker::CreateSslCtx());
+  QuicCryptoClientConfig crypto_config(ProofVerifierForTesting());
   TestQuicSpdyClientSession client_session(client_conn, DefaultQuicConfig(),
                                            supported_versions, server_id,
                                            &crypto_config);
@@ -309,7 +303,7 @@ void SetupCryptoServerConfigForTest(const QuicClock* clock,
 
 void SendHandshakeMessageToStream(QuicCryptoStream* stream,
                                   const CryptoHandshakeMessage& message,
-                                  Perspective perspective) {
+                                  Perspective /*perspective*/) {
   const QuicData& data = message.GetSerialized();
   QuicSession* session = QuicStreamPeer::session(stream);
   if (!QuicVersionUsesCryptoFrames(
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc
index a62cb969a79..62eafb9d422 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc
@@ -4,9 +4,8 @@
 
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 
-#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
@@ -59,9 +58,7 @@ class ShloVerifier {
     crypto_config_->ProcessClientHello(
         result_, /*reject_only=*/false,
         /*connection_id=*/TestConnectionId(1), server_addr_, client_addr_,
-        AllSupportedVersions().front(), AllSupportedVersions(),
-        /*use_stateless_rejects=*/true,
-        /*server_designated_connection_id=*/TestConnectionId(2), clock_,
+        AllSupportedVersions().front(), AllSupportedVersions(), clock_,
         QuicRandom::GetInstance(), compressed_certs_cache_, params_,
         signed_config_, /*total_framing_overhead=*/50, kDefaultMaxPacketSize,
         GetProcessClientHelloCallback());
@@ -71,12 +68,12 @@ class ShloVerifier {
    public:
     explicit ProcessClientHelloCallback(ShloVerifier* shlo_verifier)
         : shlo_verifier_(shlo_verifier) {}
-    void Run(
-        QuicErrorCode error,
-        const std::string& error_details,
-        std::unique_ptr<CryptoHandshakeMessage> message,
-        std::unique_ptr<DiversificationNonce> diversification_nonce,
-        std::unique_ptr<ProofSource::Details> proof_source_details) override {
+    void Run(QuicErrorCode /*error*/,
+             const std::string& /*error_details*/,
+             std::unique_ptr<CryptoHandshakeMessage> message,
+             std::unique_ptr<DiversificationNonce> /*diversification_nonce*/,
+             std::unique_ptr<ProofSource::Details> /*proof_source_details*/)
+        override {
       shlo_verifier_->ProcessClientHelloDone(std::move(message));
     }
 
@@ -112,8 +109,7 @@ TEST_F(CryptoTestUtilsTest, TestGenerateFullCHLO) {
   MockClock clock;
   QuicCryptoServerConfig crypto_config(
       QuicCryptoServerConfig::TESTING, QuicRandom::GetInstance(),
-      crypto_test_utils::ProofSourceForTesting(), KeyExchangeSource::Default(),
-      TlsServerHandshaker::CreateSslCtx());
+      crypto_test_utils::ProofSourceForTesting(), KeyExchangeSource::Default());
   QuicSocketAddress server_addr(QuicIpAddress::Any4(), 5);
   QuicSocketAddress client_addr(QuicIpAddress::Loopback4(), 1);
   QuicReferenceCountedPointer<QuicSignedServerConfig> signed_config(
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/failing_proof_source.cc b/chromium/net/third_party/quiche/src/quic/test_tools/failing_proof_source.cc
index 339b793eae8..60b6a95fd11 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/failing_proof_source.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/failing_proof_source.cc
@@ -7,26 +7,26 @@
 namespace quic {
 namespace test {
 
-void FailingProofSource::GetProof(const QuicSocketAddress& server_address,
-                                  const std::string& hostname,
-                                  const std::string& server_config,
-                                  QuicTransportVersion transport_version,
-                                  QuicStringPiece chlo_hash,
+void FailingProofSource::GetProof(const QuicSocketAddress& /*server_address*/,
+                                  const std::string& /*hostname*/,
+                                  const std::string& /*server_config*/,
+                                  QuicTransportVersion /*transport_version*/,
+                                  QuicStringPiece /*chlo_hash*/,
                                   std::unique_ptr<Callback> callback) {
   callback->Run(false, nullptr, QuicCryptoProof(), nullptr);
 }
 
 QuicReferenceCountedPointer<ProofSource::Chain>
-FailingProofSource::GetCertChain(const QuicSocketAddress& server_address,
-                                 const std::string& hostname) {
+FailingProofSource::GetCertChain(const QuicSocketAddress& /*server_address*/,
+                                 const std::string& /*hostname*/) {
   return QuicReferenceCountedPointer<Chain>();
 }
 
 void FailingProofSource::ComputeTlsSignature(
-    const QuicSocketAddress& server_address,
-    const std::string& hostname,
-    uint16_t signature_algorithm,
-    QuicStringPiece in,
+    const QuicSocketAddress& /*server_address*/,
+    const std::string& /*hostname*/,
+    uint16_t /*signature_algorithm*/,
+    QuicStringPiece /*in*/,
     std::unique_ptr<SignatureCallback> callback) {
   callback->Run(false, "");
 }
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/mock_quic_time_wait_list_manager.h b/chromium/net/third_party/quiche/src/quic/test_tools/mock_quic_time_wait_list_manager.h
index 8a394424a73..b46e68b1d49 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/mock_quic_time_wait_list_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/mock_quic_time_wait_list_manager.h
@@ -53,6 +53,13 @@ class MockTimeWaitListManager : public QuicTimeWaitListManager {
                     const QuicSocketAddress& server_address,
                     const QuicSocketAddress& client_address,
                     std::unique_ptr<QuicPerPacketContext> packet_context));
+
+  MOCK_METHOD5(SendPublicReset,
+               void(const QuicSocketAddress&,
+                    const QuicSocketAddress&,
+                    QuicConnectionId,
+                    bool,
+                    std::unique_ptr<QuicPerPacketContext>));
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/packet_dropping_test_writer.h b/chromium/net/third_party/quiche/src/quic/test_tools/packet_dropping_test_writer.h
index eb4ad1cf717..92c895627ff 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/packet_dropping_test_writer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/packet_dropping_test_writer.h
@@ -54,8 +54,9 @@ class PacketDroppingTestWriter : public QuicPacketWriterWrapper {
 
   void SetWritable() override;
 
-  char* GetNextWriteLocation(const QuicIpAddress& self_address,
-                             const QuicSocketAddress& peer_address) override {
+  char* GetNextWriteLocation(
+      const QuicIpAddress& /*self_address*/,
+      const QuicSocketAddress& /*peer_address*/) override {
     // If the wrapped writer supports zero-copy, disable it, because it is not
     // compatible with delayed writes in this class.
     return nullptr;
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.cc
index 4e344a85864..66d1a51434e 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.cc
@@ -16,11 +16,6 @@ namespace quic {
 namespace test {
 
 // static
-void QuicConnectionPeer::SendAck(QuicConnection* connection) {
-  connection->SendAck();
-}
-
-// static
 void QuicConnectionPeer::SetSendAlgorithm(
     QuicConnection* connection,
     SendAlgorithmInterface* send_algorithm) {
@@ -35,22 +30,6 @@ void QuicConnectionPeer::SetLossAlgorithm(
 }
 
 // static
-const QuicFrame QuicConnectionPeer::GetUpdatedAckFrame(
-    QuicConnection* connection) {
-  const bool ack_frame_updated = connection->ack_frame_updated();
-  const QuicFrame ack_frame = connection->GetUpdatedAckFrame();
-  if (connection->use_uber_received_packet_manager_) {
-    DCHECK(!connection->uber_received_packet_manager_
-                .supports_multiple_packet_number_spaces());
-    connection->uber_received_packet_manager_.received_packet_managers_[0]
-        .ack_frame_updated_ = ack_frame_updated;
-  } else {
-    connection->received_packet_manager_.ack_frame_updated_ = ack_frame_updated;
-  }
-  return ack_frame;
-}
-
-// static
 void QuicConnectionPeer::PopulateStopWaitingFrame(
     QuicConnection* connection,
     QuicStopWaitingFrame* stop_waiting) {
@@ -265,18 +244,9 @@ void QuicConnectionPeer::SetNextMtuProbeAt(QuicConnection* connection,
 // static
 void QuicConnectionPeer::SetAckMode(QuicConnection* connection,
                                     AckMode ack_mode) {
-  if (connection->received_packet_manager_.decide_when_to_send_acks()) {
-    if (connection->use_uber_received_packet_manager_) {
-      for (auto& received_packet_manager :
-           connection->uber_received_packet_manager_
-               .received_packet_managers_) {
-        received_packet_manager.ack_mode_ = ack_mode;
-      }
-    } else {
-      connection->received_packet_manager_.ack_mode_ = ack_mode;
-    }
-  } else {
-    connection->ack_mode_ = ack_mode;
+  for (auto& received_packet_manager :
+       connection->uber_received_packet_manager_.received_packet_managers_) {
+    received_packet_manager.ack_mode_ = ack_mode;
   }
 }
 
@@ -284,39 +254,19 @@ void QuicConnectionPeer::SetAckMode(QuicConnection* connection,
 void QuicConnectionPeer::SetFastAckAfterQuiescence(
     QuicConnection* connection,
     bool fast_ack_after_quiescence) {
-  if (connection->received_packet_manager_.decide_when_to_send_acks()) {
-    if (connection->use_uber_received_packet_manager_) {
-      for (auto& received_packet_manager :
-           connection->uber_received_packet_manager_
-               .received_packet_managers_) {
-        received_packet_manager.fast_ack_after_quiescence_ =
-            fast_ack_after_quiescence;
-      }
-    } else {
-      connection->received_packet_manager_.fast_ack_after_quiescence_ =
-          fast_ack_after_quiescence;
-    }
-  } else {
-    connection->fast_ack_after_quiescence_ = fast_ack_after_quiescence;
+  for (auto& received_packet_manager :
+       connection->uber_received_packet_manager_.received_packet_managers_) {
+    received_packet_manager.fast_ack_after_quiescence_ =
+        fast_ack_after_quiescence;
   }
 }
 
 // static
 void QuicConnectionPeer::SetAckDecimationDelay(QuicConnection* connection,
                                                float ack_decimation_delay) {
-  if (connection->received_packet_manager_.decide_when_to_send_acks()) {
-    if (connection->use_uber_received_packet_manager_) {
-      for (auto& received_packet_manager :
-           connection->uber_received_packet_manager_
-               .received_packet_managers_) {
-        received_packet_manager.ack_decimation_delay_ = ack_decimation_delay;
-      }
-    } else {
-      connection->received_packet_manager_.ack_decimation_delay_ =
-          ack_decimation_delay;
-    }
-  } else {
-    connection->ack_decimation_delay_ = ack_decimation_delay;
+  for (auto& received_packet_manager :
+       connection->uber_received_packet_manager_.received_packet_managers_) {
+    received_packet_manager.ack_decimation_delay_ = ack_decimation_delay;
   }
 }
 
@@ -354,7 +304,7 @@ void QuicConnectionPeer::SetSessionDecidesWhatToWrite(
 
 // static
 void QuicConnectionPeer::SetNegotiatedVersion(QuicConnection* connection) {
-  connection->version_negotiation_state_ = QuicConnection::NEGOTIATED_VERSION;
+  connection->version_negotiated_ = true;
 }
 
 // static
@@ -366,13 +316,6 @@ void QuicConnectionPeer::SetMaxConsecutiveNumPacketsWithNoRetransmittableFrames(
 }
 
 // static
-void QuicConnectionPeer::SetNoVersionNegotiation(QuicConnection* connection,
-                                                 bool no_version_negotiation) {
-  *const_cast<bool*>(&connection->no_version_negotiation_) =
-      no_version_negotiation;
-}
-
-// static
 bool QuicConnectionPeer::SupportsReleaseTime(QuicConnection* connection) {
   return connection->supports_release_time_;
 }
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h
index 5df9cd59438..d0797f52adf 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h
@@ -32,16 +32,12 @@ class QuicConnectionPeer {
  public:
   QuicConnectionPeer() = delete;
 
-  static void SendAck(QuicConnection* connection);
-
   static void SetSendAlgorithm(QuicConnection* connection,
                                SendAlgorithmInterface* send_algorithm);
 
   static void SetLossAlgorithm(QuicConnection* connection,
                                LossDetectionInterface* loss_algorithm);
 
-  static const QuicFrame GetUpdatedAckFrame(QuicConnection* connection);
-
   static void PopulateStopWaitingFrame(QuicConnection* connection,
                                        QuicStopWaitingFrame* stop_waiting);
 
@@ -132,8 +128,6 @@ class QuicConnectionPeer {
   static void SetMaxConsecutiveNumPacketsWithNoRetransmittableFrames(
       QuicConnection* connection,
       size_t new_value);
-  static void SetNoVersionNegotiation(QuicConnection* connection,
-                                      bool no_version_negotiation);
   static bool SupportsReleaseTime(QuicConnection* connection);
   static QuicConnection::PacketContent GetCurrentPacketContent(
       QuicConnection* connection);
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.cc
index 6eedd601bf3..eea4fd64c4e 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.cc
@@ -29,6 +29,13 @@ void QuicFramerPeer::SetLastSerializedServerConnectionId(
 }
 
 // static
+void QuicFramerPeer::SetLastSerializedClientConnectionId(
+    QuicFramer* framer,
+    QuicConnectionId client_connection_id) {
+  framer->last_serialized_client_connection_id_ = client_connection_id;
+}
+
+// static
 void QuicFramerPeer::SetLargestPacketNumber(QuicFramer* framer,
                                             QuicPacketNumber packet_number) {
   framer->largest_packet_number_ = packet_number;
@@ -351,5 +358,22 @@ QuicPacketNumber QuicFramerPeer::GetLargestDecryptedPacketNumber(
   return framer->largest_decrypted_packet_numbers_[packet_number_space];
 }
 
+// static
+bool QuicFramerPeer::ProcessAndValidateIetfConnectionIdLength(
+    QuicDataReader* reader,
+    ParsedQuicVersion version,
+    Perspective perspective,
+    bool should_update_expected_server_connection_id_length,
+    uint8_t* expected_server_connection_id_length,
+    uint8_t* destination_connection_id_length,
+    uint8_t* source_connection_id_length,
+    std::string* detailed_error) {
+  return QuicFramer::ProcessAndValidateIetfConnectionIdLength(
+      reader, version, perspective,
+      should_update_expected_server_connection_id_length,
+      expected_server_connection_id_length, destination_connection_id_length,
+      source_connection_id_length, detailed_error);
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h
index 0b17c1958d0..8496718fc29 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h
@@ -25,6 +25,9 @@ class QuicFramerPeer {
   static void SetLastSerializedServerConnectionId(
       QuicFramer* framer,
       QuicConnectionId server_connection_id);
+  static void SetLastSerializedClientConnectionId(
+      QuicFramer* framer,
+      QuicConnectionId client_connection_id);
   static void SetLargestPacketNumber(QuicFramer* framer,
                                      QuicPacketNumber packet_number);
   static void SetPerspective(QuicFramer* framer, Perspective perspective);
@@ -166,6 +169,16 @@ class QuicFramerPeer {
   static QuicPacketNumber GetLargestDecryptedPacketNumber(
       QuicFramer* framer,
       PacketNumberSpace packet_number_space);
+
+  static bool ProcessAndValidateIetfConnectionIdLength(
+      QuicDataReader* reader,
+      ParsedQuicVersion version,
+      Perspective perspective,
+      bool should_update_expected_server_connection_id_length,
+      uint8_t* expected_server_connection_id_length,
+      uint8_t* destination_connection_id_length,
+      uint8_t* source_connection_id_length,
+      std::string* detailed_error);
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc
index c5dd747d0db..d4dc008790f 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc
@@ -19,7 +19,9 @@ bool QuicPacketCreatorPeer::SendVersionInPacket(QuicPacketCreator* creator) {
 void QuicPacketCreatorPeer::SetSendVersionInPacket(
     QuicPacketCreator* creator,
     bool send_version_in_packet) {
-  if (creator->framer_->transport_version() != QUIC_VERSION_99) {
+  ParsedQuicVersion version = creator->framer_->version();
+  if (!VersionHasIetfQuicFrames(version.transport_version) &&
+      version.handshake_protocol != PROTOCOL_TLS1_3) {
     creator->send_version_in_packet_ = send_version_in_packet;
     return;
   }
@@ -137,5 +139,11 @@ QuicFramer* QuicPacketCreatorPeer::framer(QuicPacketCreator* creator) {
   return creator->framer_;
 }
 
+// static
+void QuicPacketCreatorPeer::EnableGetPacketHeaderSizeBugFix(
+    QuicPacketCreator* creator) {
+  creator->fix_get_packet_header_size_ = true;
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h
index e040090f6dd..f8f3d5987ad 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h
@@ -57,6 +57,7 @@ class QuicPacketCreatorPeer {
 
   static EncryptionLevel GetEncryptionLevel(QuicPacketCreator* creator);
   static QuicFramer* framer(QuicPacketCreator* creator);
+  static void EnableGetPacketHeaderSizeBugFix(QuicPacketCreator* creator);
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_server_session_base_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_server_session_base_peer.h
index d2a21a6c9eb..ab5b1f00f7f 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_server_session_base_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_server_session_base_peer.h
@@ -14,18 +14,13 @@ namespace test {
 
 class QuicServerSessionBasePeer {
  public:
-  static QuicStream* GetOrCreateDynamicStream(QuicServerSessionBase* s,
-                                              QuicStreamId id) {
-    return s->GetOrCreateDynamicStream(id);
+  static QuicStream* GetOrCreateStream(QuicServerSessionBase* s,
+                                       QuicStreamId id) {
+    return s->GetOrCreateStream(id);
   }
   static void SetCryptoStream(QuicServerSessionBase* s,
                               QuicCryptoServerStream* crypto_stream) {
     s->crypto_stream_.reset(crypto_stream);
-    if (!QuicVersionUsesCryptoFrames(s->connection()->transport_version())) {
-      s->RegisterStaticStream(
-          QuicUtils::GetCryptoStreamId(s->connection()->transport_version()),
-          crypto_stream);
-    }
   }
   static bool IsBandwidthResumptionEnabled(QuicServerSessionBase* s) {
     return s->bandwidth_resumption_enabled_;
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.cc
index 9eee4944773..e78b0597284 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.cc
@@ -27,7 +27,7 @@ QuicStreamId QuicSessionPeer::GetNextOutgoingUnidirectionalStreamId(
 // static
 void QuicSessionPeer::SetNextOutgoingBidirectionalStreamId(QuicSession* session,
                                                            QuicStreamId id) {
-  if (session->connection()->transport_version() == QUIC_VERSION_99) {
+  if (VersionHasIetfQuicFrames(session->connection()->transport_version())) {
     session->v99_streamid_manager_.bidirectional_stream_id_manager_
         .next_outgoing_stream_id_ = id;
     return;
@@ -38,8 +38,8 @@ void QuicSessionPeer::SetNextOutgoingBidirectionalStreamId(QuicSession* session,
 // static
 void QuicSessionPeer::SetMaxOpenIncomingStreams(QuicSession* session,
                                                 uint32_t max_streams) {
-  if (session->connection()->transport_version() == QUIC_VERSION_99) {
-    QUIC_BUG << "SetmaxOpenIncomingStreams deprecated for IETF QUIC/V99";
+  if (VersionHasIetfQuicFrames(session->connection()->transport_version())) {
+    QUIC_BUG << "SetmaxOpenIncomingStreams deprecated for IETF QUIC";
     session->v99_streamid_manager_.SetMaxOpenIncomingUnidirectionalStreams(
         max_streams);
     session->v99_streamid_manager_.SetMaxOpenIncomingBidirectionalStreams(
@@ -53,9 +53,9 @@ void QuicSessionPeer::SetMaxOpenIncomingStreams(QuicSession* session,
 void QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(
     QuicSession* session,
     uint32_t max_streams) {
-  DCHECK_EQ(QUIC_VERSION_99, session->connection()->transport_version())
+  DCHECK(VersionHasIetfQuicFrames(session->connection()->transport_version()))
       << "SetmaxOpenIncomingBidirectionalStreams not supported for Google "
-         "QUIC/not-V99";
+         "QUIC";
   session->v99_streamid_manager_.SetMaxOpenIncomingBidirectionalStreams(
       max_streams);
 }
@@ -63,9 +63,9 @@ void QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(
 void QuicSessionPeer::SetMaxOpenIncomingUnidirectionalStreams(
     QuicSession* session,
     uint32_t max_streams) {
-  DCHECK_EQ(QUIC_VERSION_99, session->connection()->transport_version())
+  DCHECK(VersionHasIetfQuicFrames(session->connection()->transport_version()))
       << "SetmaxOpenIncomingUnidirectionalStreams not supported for Google "
-         "QUIC/not-V99";
+         "QUIC";
   session->v99_streamid_manager_.SetMaxOpenIncomingUnidirectionalStreams(
       max_streams);
 }
@@ -73,8 +73,8 @@ void QuicSessionPeer::SetMaxOpenIncomingUnidirectionalStreams(
 // static
 void QuicSessionPeer::SetMaxOpenOutgoingStreams(QuicSession* session,
                                                 uint32_t max_streams) {
-  if (session->connection()->transport_version() == QUIC_VERSION_99) {
-    QUIC_BUG << "SetmaxOpenOutgoingStreams deprecated for IETF QUIC/V99";
+  if (VersionHasIetfQuicFrames(session->connection()->transport_version())) {
+    QUIC_BUG << "SetmaxOpenOutgoingStreams deprecated for IETF QUIC";
     session->v99_streamid_manager_.SetMaxOpenOutgoingUnidirectionalStreams(
         max_streams);
     session->v99_streamid_manager_.SetMaxOpenOutgoingBidirectionalStreams(
@@ -88,9 +88,9 @@ void QuicSessionPeer::SetMaxOpenOutgoingStreams(QuicSession* session,
 void QuicSessionPeer::SetMaxOpenOutgoingBidirectionalStreams(
     QuicSession* session,
     uint32_t max_streams) {
-  DCHECK_EQ(QUIC_VERSION_99, session->connection()->transport_version())
+  DCHECK(VersionHasIetfQuicFrames(session->connection()->transport_version()))
       << "SetmaxOpenOutgoingBidirectionalStreams not supported for Google "
-         "QUIC/not-V99";
+         "QUIC";
   session->v99_streamid_manager_.SetMaxOpenOutgoingBidirectionalStreams(
       max_streams);
 }
@@ -98,9 +98,9 @@ void QuicSessionPeer::SetMaxOpenOutgoingBidirectionalStreams(
 void QuicSessionPeer::SetMaxOpenOutgoingUnidirectionalStreams(
     QuicSession* session,
     uint32_t max_streams) {
-  DCHECK_EQ(QUIC_VERSION_99, session->connection()->transport_version())
+  DCHECK(VersionHasIetfQuicFrames(session->connection()->transport_version()))
       << "SetmaxOpenOutgoingUnidirectionalStreams not supported for Google "
-         "QUIC/not-V99";
+         "QUIC";
   session->v99_streamid_manager_.SetMaxOpenOutgoingUnidirectionalStreams(
       max_streams);
 }
@@ -118,9 +118,9 @@ QuicWriteBlockedList* QuicSessionPeer::GetWriteBlockedStreams(
 }
 
 // static
-QuicStream* QuicSessionPeer::GetOrCreateDynamicStream(QuicSession* session,
-                                                      QuicStreamId stream_id) {
-  return session->GetOrCreateDynamicStream(stream_id);
+QuicStream* QuicSessionPeer::GetOrCreateStream(QuicSession* session,
+                                               QuicStreamId stream_id) {
+  return session->GetOrCreateStream(stream_id);
 }
 
 // static
@@ -130,15 +130,8 @@ QuicSessionPeer::GetLocallyClosedStreamsHighestOffset(QuicSession* session) {
 }
 
 // static
-QuicSession::StaticStreamMap& QuicSessionPeer::static_streams(
-    QuicSession* session) {
-  return session->static_stream_map_;
-}
-
-// static
-QuicSession::DynamicStreamMap& QuicSessionPeer::dynamic_streams(
-    QuicSession* session) {
-  return session->dynamic_streams();
+QuicSession::StreamMap& QuicSessionPeer::stream_map(QuicSession* session) {
+  return session->stream_map();
 }
 
 // static
@@ -167,16 +160,9 @@ void QuicSessionPeer::ActivateStream(QuicSession* session,
 
 // static
 void QuicSessionPeer::RegisterStaticStream(QuicSession* session,
-                                           QuicStreamId id,
-                                           QuicStream* stream) {
-  return session->RegisterStaticStream(id, stream);
-}
-
-// static
-void QuicSessionPeer::RegisterStaticStreamNew(
-    QuicSession* session,
-    std::unique_ptr<QuicStream> stream) {
-  return session->RegisterStaticStreamNew(std::move(stream));
+                                           std::unique_ptr<QuicStream> stream) {
+  return session->RegisterStaticStream(std::move(stream),
+                                       /*stream_already_counted = */ false);
 }
 
 // static
@@ -186,13 +172,15 @@ bool QuicSessionPeer::IsStreamClosed(QuicSession* session, QuicStreamId id) {
 
 // static
 bool QuicSessionPeer::IsStreamCreated(QuicSession* session, QuicStreamId id) {
-  return QuicContainsKey(session->dynamic_streams(), id);
+  return QuicContainsKey(session->stream_map(), id);
 }
 
 // static
 bool QuicSessionPeer::IsStreamAvailable(QuicSession* session, QuicStreamId id) {
-  if (session->connection()->transport_version() == QUIC_VERSION_99) {
-    if (id % QuicUtils::StreamIdDelta(QUIC_VERSION_99) < 2) {
+  if (VersionHasIetfQuicFrames(session->connection()->transport_version())) {
+    if (id % QuicUtils::StreamIdDelta(
+                 session->connection()->transport_version()) <
+        2) {
       return QuicContainsKey(
           session->v99_streamid_manager_.bidirectional_stream_id_manager_
               .available_streams_,
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.h
index 3828981ed94..f027eb564a6 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.h
@@ -52,12 +52,11 @@ class QuicSessionPeer {
 
   static QuicCryptoStream* GetMutableCryptoStream(QuicSession* session);
   static QuicWriteBlockedList* GetWriteBlockedStreams(QuicSession* session);
-  static QuicStream* GetOrCreateDynamicStream(QuicSession* session,
-                                              QuicStreamId stream_id);
+  static QuicStream* GetOrCreateStream(QuicSession* session,
+                                       QuicStreamId stream_id);
   static std::map<QuicStreamId, QuicStreamOffset>&
   GetLocallyClosedStreamsHighestOffset(QuicSession* session);
-  static QuicSession::StaticStreamMap& static_streams(QuicSession* session);
-  static QuicSession::DynamicStreamMap& dynamic_streams(QuicSession* session);
+  static QuicSession::StreamMap& stream_map(QuicSession* session);
   static const QuicSession::ClosedStreams& closed_streams(QuicSession* session);
   static QuicSession::ZombieStreamMap& zombie_streams(QuicSession* session);
   static QuicUnorderedSet<QuicStreamId>* GetDrainingStreams(
@@ -65,9 +64,6 @@ class QuicSessionPeer {
   static void ActivateStream(QuicSession* session,
                              std::unique_ptr<QuicStream> stream);
   static void RegisterStaticStream(QuicSession* session,
-                                   QuicStreamId stream_id,
-                                   QuicStream* stream);
-  static void RegisterStaticStreamNew(QuicSession* session,
                                       std::unique_ptr<QuicStream> stream);
 
   // Discern the state of a stream.  Exactly one of these should be true at a
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.cc
index 956cd88034f..68552a83a0f 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.cc
@@ -16,24 +16,13 @@ QuicHeadersStream* QuicSpdySessionPeer::GetHeadersStream(
   return session->headers_stream();
 }
 
-// static
 void QuicSpdySessionPeer::SetHeadersStream(QuicSpdySession* session,
                                            QuicHeadersStream* headers_stream) {
-  session->headers_stream_.reset(headers_stream);
-  if (headers_stream != nullptr) {
-    session->RegisterStaticStream(headers_stream->id(), headers_stream);
-  }
-}
-
-void QuicSpdySessionPeer::SetUnownedHeadersStream(
-    QuicSpdySession* session,
-    QuicHeadersStream* headers_stream) {
-  for (auto& it : session->dynamic_streams()) {
+  for (auto& it : session->stream_map()) {
     if (it.first == QuicUtils::GetHeadersStreamId(
                         session->connection()->transport_version())) {
       it.second.reset(headers_stream);
-      session->unowned_headers_stream_ =
-          static_cast<QuicHeadersStream*>(it.second.get());
+      session->headers_stream_ = static_cast<QuicHeadersStream*>(it.second.get());
       break;
     }
   }
@@ -57,10 +46,10 @@ void QuicSpdySessionPeer::SetHpackDecoderDebugVisitor(
   session->SetHpackDecoderDebugVisitor(std::move(visitor));
 }
 
-void QuicSpdySessionPeer::SetMaxUncompressedHeaderBytes(
+void QuicSpdySessionPeer::SetMaxInboundHeaderListSize(
     QuicSpdySession* session,
-    size_t set_max_uncompressed_header_bytes) {
-  session->set_max_uncompressed_header_bytes(set_max_uncompressed_header_bytes);
+    size_t max_inbound_header_size) {
+  session->set_max_inbound_header_list_size(max_inbound_header_size);
 }
 
 // static
@@ -81,5 +70,17 @@ QuicStreamId QuicSpdySessionPeer::GetNextOutgoingUnidirectionalStreamId(
   return session->GetNextOutgoingUnidirectionalStreamId();
 }
 
+// static
+QuicReceiveControlStream* QuicSpdySessionPeer::GetReceiveControlStream(
+    QuicSpdySession* session) {
+  return session->receive_control_stream_;
+}
+
+// static
+QuicSendControlStream* QuicSpdySessionPeer::GetSendControlStream(
+    QuicSpdySession* session) {
+  return session->send_control_stream_;
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h
index 47b55e1c7c0..aacf712ae2f 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h
@@ -5,6 +5,8 @@
 #ifndef QUICHE_QUIC_TEST_TOOLS_QUIC_SPDY_SESSION_PEER_H_
 #define QUICHE_QUIC_TEST_TOOLS_QUIC_SPDY_SESSION_PEER_H_
 
+#include "net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h"
+#include "net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_write_blocked_list.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_framer.h"
@@ -24,8 +26,6 @@ class QuicSpdySessionPeer {
   static QuicHeadersStream* GetHeadersStream(QuicSpdySession* session);
   static void SetHeadersStream(QuicSpdySession* session,
                                QuicHeadersStream* headers_stream);
-  static void SetUnownedHeadersStream(QuicSpdySession* session,
-                                      QuicHeadersStream* headers_stream);
   static const spdy::SpdyFramer& GetSpdyFramer(QuicSpdySession* session);
   static void SetHpackEncoderDebugVisitor(
       QuicSpdySession* session,
@@ -33,9 +33,9 @@ class QuicSpdySessionPeer {
   static void SetHpackDecoderDebugVisitor(
       QuicSpdySession* session,
       std::unique_ptr<QuicHpackDebugVisitor> visitor);
-  static void SetMaxUncompressedHeaderBytes(
-      QuicSpdySession* session,
-      size_t set_max_uncompressed_header_bytes);
+  // Must be called before Initialize().
+  static void SetMaxInboundHeaderListSize(QuicSpdySession* session,
+                                          size_t max_inbound_header_size);
   static size_t WriteHeadersOnHeadersStream(
       QuicSpdySession* session,
       QuicStreamId id,
@@ -46,6 +46,9 @@ class QuicSpdySessionPeer {
   // |session| can't be nullptr.
   static QuicStreamId GetNextOutgoingUnidirectionalStreamId(
       QuicSpdySession* session);
+  static QuicReceiveControlStream* GetReceiveControlStream(
+      QuicSpdySession* session);
+  static QuicSendControlStream* GetSendControlStream(QuicSpdySession* session);
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.cc
index 4d23434e1b7..d7926bb6853 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.cc
@@ -5,6 +5,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.h"
 
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
 namespace quic {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.h
index 7b3fe7c0a68..6656df0acbb 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_spdy_stream_peer.h
@@ -8,9 +8,11 @@
 #include "net/third_party/quiche/src/quic/core/quic_ack_listener_interface.h"
 #include "net/third_party/quiche/src/quic/core/quic_interval_set.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
 namespace quic {
 
+class QpackDecodedHeadersAccumulator;
 class QuicSpdyStream;
 
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.cc
index d4608ed8686..e2e33c7a3bf 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.cc
@@ -90,14 +90,14 @@ class RecordingProofVerifier : public ProofVerifier {
   }
 
   QuicAsyncStatus VerifyCertChain(
-      const std::string& hostname,
-      const std::vector<std::string>& certs,
-      const std::string& ocsp_response,
-      const std::string& cert_sct,
-      const ProofVerifyContext* context,
-      std::string* error_details,
-      std::unique_ptr<ProofVerifyDetails>* details,
-      std::unique_ptr<ProofVerifierCallback> callback) override {
+      const std::string& /*hostname*/,
+      const std::vector<std::string>& /*certs*/,
+      const std::string& /*ocsp_response*/,
+      const std::string& /*cert_sct*/,
+      const ProofVerifyContext* /*context*/,
+      std::string* /*error_details*/,
+      std::unique_ptr<ProofVerifyDetails>* /*details*/,
+      std::unique_ptr<ProofVerifierCallback> /*callback*/) override {
     return QUIC_SUCCESS;
   }
 
@@ -210,7 +210,9 @@ MockableQuicClient::MockableQuicClient(
           QuicWrapUnique(
               new RecordingProofVerifier(std::move(proof_verifier)))),
       override_server_connection_id_(EmptyQuicConnectionId()),
-      server_connection_id_overridden_(false) {}
+      server_connection_id_overridden_(false),
+      override_client_connection_id_(EmptyQuicConnectionId()),
+      client_connection_id_overridden_(false) {}
 
 MockableQuicClient::~MockableQuicClient() {
   if (connected()) {
@@ -242,6 +244,17 @@ void MockableQuicClient::UseConnectionId(
   override_server_connection_id_ = server_connection_id;
 }
 
+QuicConnectionId MockableQuicClient::GetClientConnectionId() {
+  return client_connection_id_overridden_ ? override_client_connection_id_
+                                          : QuicClient::GetClientConnectionId();
+}
+
+void MockableQuicClient::UseClientConnectionId(
+    QuicConnectionId client_connection_id) {
+  client_connection_id_overridden_ = true;
+  override_client_connection_id_ = client_connection_id;
+}
+
 void MockableQuicClient::UseWriter(QuicPacketWriterWrapper* writer) {
   mockable_network_helper()->UseWriter(writer);
 }
@@ -339,8 +352,7 @@ ssize_t QuicTestClient::SendRequestAndRstTogether(const std::string& uri) {
   }
 
   QuicSpdyClientSession* session = client()->client_session();
-  QuicConnection::ScopedPacketFlusher flusher(
-      session->connection(), QuicConnection::SEND_ACK_IF_PENDING);
+  QuicConnection::ScopedPacketFlusher flusher(session->connection());
   ssize_t ret = SendMessage(headers, "", /*fin=*/true, /*flush=*/false);
 
   QuicStreamId stream_id = GetNthClientInitiatedBidirectionalStreamId(
@@ -730,9 +742,10 @@ void QuicTestClient::OnClose(QuicSpdyStream* stream) {
   open_streams_.erase(id);
 }
 
-bool QuicTestClient::CheckVary(const spdy::SpdyHeaderBlock& client_request,
-                               const spdy::SpdyHeaderBlock& promise_request,
-                               const spdy::SpdyHeaderBlock& promise_response) {
+bool QuicTestClient::CheckVary(
+    const spdy::SpdyHeaderBlock& /*client_request*/,
+    const spdy::SpdyHeaderBlock& /*promise_request*/,
+    const spdy::SpdyHeaderBlock& /*promise_response*/) {
   return true;
 }
 
@@ -756,6 +769,12 @@ void QuicTestClient::UseConnectionId(QuicConnectionId server_connection_id) {
   client_->UseConnectionId(server_connection_id);
 }
 
+void QuicTestClient::UseClientConnectionId(
+    QuicConnectionId client_connection_id) {
+  DCHECK(!connected());
+  client_->UseClientConnectionId(client_connection_id);
+}
+
 bool QuicTestClient::MigrateSocket(const QuicIpAddress& new_host) {
   return client_->MigrateSocket(new_host);
 }
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.h
index a4ee0d5cb80..7b835620557 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.h
@@ -9,7 +9,7 @@
 #include <memory>
 #include <string>
 
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_framer.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_creator.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
@@ -56,6 +56,8 @@ class MockableQuicClient : public QuicClient {
 
   QuicConnectionId GenerateNewConnectionId() override;
   void UseConnectionId(QuicConnectionId server_connection_id);
+  QuicConnectionId GetClientConnectionId() override;
+  void UseClientConnectionId(QuicConnectionId client_connection_id);
 
   void UseWriter(QuicPacketWriterWrapper* writer);
   void set_peer_address(const QuicSocketAddress& address);
@@ -72,6 +74,9 @@ class MockableQuicClient : public QuicClient {
   // Server connection ID to use, if server_connection_id_overridden_
   QuicConnectionId override_server_connection_id_;
   bool server_connection_id_overridden_;
+  // Client connection ID to use, if client_connection_id_overridden_
+  QuicConnectionId override_client_connection_id_;
+  bool client_connection_id_overridden_;
   CachedNetworkParameters cached_network_paramaters_;
 };
 
@@ -222,6 +227,9 @@ class QuicTestClient : public QuicSpdyStream::Visitor,
   // Configures client_ to use a specific server connection ID instead of a
   // random one.
   void UseConnectionId(QuicConnectionId server_connection_id);
+  // Configures client_ to use a specific client connection ID instead of an
+  // empty one.
+  void UseClientConnectionId(QuicConnectionId client_connection_id);
 
   // Returns nullptr if the maximum number of streams have already been created.
   QuicSpdyClientStream* GetOrCreateStream();
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.cc
index e1f036d3bcd..99c7511daee 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.cc
@@ -153,6 +153,11 @@ std::string Sha1Hash(QuicStringPiece data) {
   return std::string(buffer, QUIC_ARRAYSIZE(buffer));
 }
 
+bool ClearControlFrame(const QuicFrame& frame) {
+  DeleteFrame(&const_cast<QuicFrame&>(frame));
+  return true;
+}
+
 uint64_t SimpleRandom::RandUint64() {
   uint64_t result;
   RandBytes(&result, sizeof(result));
@@ -192,7 +197,7 @@ void SimpleRandom::set_seed(uint64_t seed) {
 
 MockFramerVisitor::MockFramerVisitor() {
   // By default, we want to accept packets.
-  ON_CALL(*this, OnProtocolVersionMismatch(_, _))
+  ON_CALL(*this, OnProtocolVersionMismatch(_))
       .WillByDefault(testing::Return(false));
 
   // By default, we want to accept packets.
@@ -232,130 +237,135 @@ MockFramerVisitor::MockFramerVisitor() {
 
 MockFramerVisitor::~MockFramerVisitor() {}
 
-bool NoOpFramerVisitor::OnProtocolVersionMismatch(ParsedQuicVersion version,
-                                                  PacketHeaderFormat form) {
+bool NoOpFramerVisitor::OnProtocolVersionMismatch(
+    ParsedQuicVersion /*version*/) {
   return false;
 }
 
 bool NoOpFramerVisitor::OnUnauthenticatedPublicHeader(
-    const QuicPacketHeader& header) {
+    const QuicPacketHeader& /*header*/) {
   return true;
 }
 
 bool NoOpFramerVisitor::OnUnauthenticatedHeader(
-    const QuicPacketHeader& header) {
+    const QuicPacketHeader& /*header*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnPacketHeader(const QuicPacketHeader& header) {
+bool NoOpFramerVisitor::OnPacketHeader(const QuicPacketHeader& /*header*/) {
   return true;
 }
 
-void NoOpFramerVisitor::OnCoalescedPacket(const QuicEncryptedPacket& packet) {}
+void NoOpFramerVisitor::OnCoalescedPacket(
+    const QuicEncryptedPacket& /*packet*/) {}
 
-bool NoOpFramerVisitor::OnStreamFrame(const QuicStreamFrame& frame) {
+bool NoOpFramerVisitor::OnStreamFrame(const QuicStreamFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnCryptoFrame(const QuicCryptoFrame& frame) {
+bool NoOpFramerVisitor::OnCryptoFrame(const QuicCryptoFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnAckFrameStart(QuicPacketNumber largest_acked,
-                                        QuicTime::Delta ack_delay_time) {
+bool NoOpFramerVisitor::OnAckFrameStart(QuicPacketNumber /*largest_acked*/,
+                                        QuicTime::Delta /*ack_delay_time*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnAckRange(QuicPacketNumber start,
-                                   QuicPacketNumber end) {
+bool NoOpFramerVisitor::OnAckRange(QuicPacketNumber /*start*/,
+                                   QuicPacketNumber /*end*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnAckTimestamp(QuicPacketNumber packet_number,
-                                       QuicTime timestamp) {
+bool NoOpFramerVisitor::OnAckTimestamp(QuicPacketNumber /*packet_number*/,
+                                       QuicTime /*timestamp*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnAckFrameEnd(QuicPacketNumber start) {
+bool NoOpFramerVisitor::OnAckFrameEnd(QuicPacketNumber /*start*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnStopWaitingFrame(const QuicStopWaitingFrame& frame) {
+bool NoOpFramerVisitor::OnStopWaitingFrame(
+    const QuicStopWaitingFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnPaddingFrame(const QuicPaddingFrame& frame) {
+bool NoOpFramerVisitor::OnPaddingFrame(const QuicPaddingFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnPingFrame(const QuicPingFrame& frame) {
+bool NoOpFramerVisitor::OnPingFrame(const QuicPingFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnRstStreamFrame(const QuicRstStreamFrame& frame) {
+bool NoOpFramerVisitor::OnRstStreamFrame(const QuicRstStreamFrame& /*frame*/) {
   return true;
 }
 
 bool NoOpFramerVisitor::OnConnectionCloseFrame(
-    const QuicConnectionCloseFrame& frame) {
+    const QuicConnectionCloseFrame& /*frame*/) {
   return true;
 }
 
 bool NoOpFramerVisitor::OnNewConnectionIdFrame(
-    const QuicNewConnectionIdFrame& frame) {
+    const QuicNewConnectionIdFrame& /*frame*/) {
   return true;
 }
 
 bool NoOpFramerVisitor::OnRetireConnectionIdFrame(
-    const QuicRetireConnectionIdFrame& frame) {
+    const QuicRetireConnectionIdFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnNewTokenFrame(const QuicNewTokenFrame& frame) {
+bool NoOpFramerVisitor::OnNewTokenFrame(const QuicNewTokenFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
+bool NoOpFramerVisitor::OnStopSendingFrame(
+    const QuicStopSendingFrame& /*frame*/) {
   return true;
 }
 
 bool NoOpFramerVisitor::OnPathChallengeFrame(
-    const QuicPathChallengeFrame& frame) {
+    const QuicPathChallengeFrame& /*frame*/) {
   return true;
 }
 
 bool NoOpFramerVisitor::OnPathResponseFrame(
-    const QuicPathResponseFrame& frame) {
+    const QuicPathResponseFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnGoAwayFrame(const QuicGoAwayFrame& frame) {
+bool NoOpFramerVisitor::OnGoAwayFrame(const QuicGoAwayFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) {
+bool NoOpFramerVisitor::OnMaxStreamsFrame(
+    const QuicMaxStreamsFrame& /*frame*/) {
   return true;
 }
 
 bool NoOpFramerVisitor::OnStreamsBlockedFrame(
-    const QuicStreamsBlockedFrame& frame) {
+    const QuicStreamsBlockedFrame& /*frame*/) {
   return true;
 }
 
 bool NoOpFramerVisitor::OnWindowUpdateFrame(
-    const QuicWindowUpdateFrame& frame) {
+    const QuicWindowUpdateFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnBlockedFrame(const QuicBlockedFrame& frame) {
+bool NoOpFramerVisitor::OnBlockedFrame(const QuicBlockedFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::OnMessageFrame(const QuicMessageFrame& frame) {
+bool NoOpFramerVisitor::OnMessageFrame(const QuicMessageFrame& /*frame*/) {
   return true;
 }
 
-bool NoOpFramerVisitor::IsValidStatelessResetToken(QuicUint128 token) const {
+bool NoOpFramerVisitor::IsValidStatelessResetToken(
+    QuicUint128 /*token*/) const {
   return false;
 }
 
@@ -473,8 +483,8 @@ void MockQuicConnection::AdvanceTime(QuicTime::Delta delta) {
   static_cast<MockQuicConnectionHelper*>(helper())->AdvanceTime(delta);
 }
 
-bool MockQuicConnection::OnProtocolVersionMismatch(ParsedQuicVersion version,
-                                                   PacketHeaderFormat form) {
+bool MockQuicConnection::OnProtocolVersionMismatch(
+    ParsedQuicVersion /*version*/) {
   return false;
 }
 
@@ -676,7 +686,7 @@ TestQuicSpdyClientSession::TestQuicSpdyClientSession(
 
 TestQuicSpdyClientSession::~TestQuicSpdyClientSession() {}
 
-bool TestQuicSpdyClientSession::IsAuthorized(const std::string& authority) {
+bool TestQuicSpdyClientSession::IsAuthorized(const std::string& /*authority*/) {
   return true;
 }
 
@@ -698,9 +708,9 @@ TestPushPromiseDelegate::TestPushPromiseDelegate(bool match)
     : match_(match), rendezvous_fired_(false), rendezvous_stream_(nullptr) {}
 
 bool TestPushPromiseDelegate::CheckVary(
-    const spdy::SpdyHeaderBlock& client_request,
-    const spdy::SpdyHeaderBlock& promise_request,
-    const spdy::SpdyHeaderBlock& promise_response) {
+    const spdy::SpdyHeaderBlock& /*client_request*/,
+    const spdy::SpdyHeaderBlock& /*promise_request*/,
+    const spdy::SpdyHeaderBlock& /*promise_response*/) {
   QUIC_DVLOG(1) << "match " << match_;
   return match_;
 }
@@ -981,7 +991,7 @@ QuicEncryptedPacket* ConstructMisFramedEncryptedPacket(
                                           version.transport_version,
                                           destination_connection_id, &crypters);
     framer.SetEncrypter(ENCRYPTION_INITIAL, std::move(crypters.encrypter));
-    framer.SetDecrypter(ENCRYPTION_INITIAL, std::move(crypters.decrypter));
+    framer.InstallDecrypter(ENCRYPTION_INITIAL, std::move(crypters.decrypter));
   }
   // We need a minimum of 7 bytes of encrypted payload. This will guarantee that
   // we have at least that much. (It ignores the overhead of the stream/crypto
@@ -1116,7 +1126,7 @@ void CreateClientSessionForTest(
 }
 
 void CreateServerSessionForTest(
-    QuicServerId server_id,
+    QuicServerId /*server_id*/,
     QuicTime::Delta connection_start_time,
     ParsedQuicVersionVector supported_versions,
     MockQuicConnectionHelper* helper,
@@ -1147,10 +1157,13 @@ void CreateServerSessionForTest(
 QuicStreamId GetNthClientInitiatedBidirectionalStreamId(
     QuicTransportVersion version,
     int n) {
+  int num = n;
+  if (!VersionLacksHeadersStream(version)) {
+    num++;  // + 1 because spdy_session contains headers stream.
+  }
   return QuicUtils::GetFirstBidirectionalStreamId(version,
                                                   Perspective::IS_CLIENT) +
-         // + 1 because spdy_session contains headers stream.
-         QuicUtils::StreamIdDelta(version) * (n + 1);
+         QuicUtils::StreamIdDelta(version) * num;
 }
 
 QuicStreamId GetNthServerInitiatedBidirectionalStreamId(
@@ -1169,12 +1182,20 @@ QuicStreamId GetNthServerInitiatedUnidirectionalStreamId(
          QuicUtils::StreamIdDelta(version) * n;
 }
 
+QuicStreamId GetNthClientInitiatedUnidirectionalStreamId(
+    QuicTransportVersion version,
+    int n) {
+  return QuicUtils::GetFirstUnidirectionalStreamId(version,
+                                                   Perspective::IS_CLIENT) +
+         QuicUtils::StreamIdDelta(version) * n;
+}
+
 StreamType DetermineStreamType(QuicStreamId id,
                                QuicTransportVersion version,
                                Perspective perspective,
                                bool is_incoming,
                                StreamType default_type) {
-  return version == QUIC_VERSION_99
+  return VersionHasIetfQuicFrames(version)
              ? QuicUtils::GetStreamType(id, perspective, is_incoming)
              : default_type;
 }
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.h
index 4f6a30a17c0..20494d7f3f0 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.h
@@ -208,6 +208,9 @@ std::unique_ptr<QuicPacket> BuildUnsizedDataPacket(
 // Compute SHA-1 hash of the supplied std::string.
 std::string Sha1Hash(QuicStringPiece data);
 
+// Delete |frame| and return true.
+bool ClearControlFrame(const QuicFrame& frame);
+
 // Simple random number generator used to compute random numbers suitable
 // for pseudo-randomly dropping packets in tests.
 class SimpleRandom : public QuicRandom {
@@ -241,8 +244,7 @@ class MockFramerVisitor : public QuicFramerVisitorInterface {
 
   MOCK_METHOD1(OnError, void(QuicFramer* framer));
   // The constructor sets this up to return false by default.
-  MOCK_METHOD2(OnProtocolVersionMismatch,
-               bool(ParsedQuicVersion version, PacketHeaderFormat form));
+  MOCK_METHOD1(OnProtocolVersionMismatch, bool(ParsedQuicVersion version));
   MOCK_METHOD0(OnPacket, void());
   MOCK_METHOD1(OnPublicResetPacket, void(const QuicPublicResetPacket& header));
   MOCK_METHOD1(OnVersionNegotiationPacket,
@@ -298,19 +300,18 @@ class NoOpFramerVisitor : public QuicFramerVisitorInterface {
   NoOpFramerVisitor(const NoOpFramerVisitor&) = delete;
   NoOpFramerVisitor& operator=(const NoOpFramerVisitor&) = delete;
 
-  void OnError(QuicFramer* framer) override {}
+  void OnError(QuicFramer* /*framer*/) override {}
   void OnPacket() override {}
-  void OnPublicResetPacket(const QuicPublicResetPacket& packet) override {}
+  void OnPublicResetPacket(const QuicPublicResetPacket& /*packet*/) override {}
   void OnVersionNegotiationPacket(
-      const QuicVersionNegotiationPacket& packet) override {}
-  void OnRetryPacket(QuicConnectionId original_connection_id,
-                     QuicConnectionId new_connection_id,
-                     QuicStringPiece retry_token) override {}
-  bool OnProtocolVersionMismatch(ParsedQuicVersion version,
-                                 PacketHeaderFormat form) override;
+      const QuicVersionNegotiationPacket& /*packet*/) override {}
+  void OnRetryPacket(QuicConnectionId /*original_connection_id*/,
+                     QuicConnectionId /*new_connection_id*/,
+                     QuicStringPiece /*retry_token*/) override {}
+  bool OnProtocolVersionMismatch(ParsedQuicVersion version) override;
   bool OnUnauthenticatedHeader(const QuicPacketHeader& header) override;
   bool OnUnauthenticatedPublicHeader(const QuicPacketHeader& header) override;
-  void OnDecryptedPacket(EncryptionLevel level) override {}
+  void OnDecryptedPacket(EncryptionLevel /*level*/) override {}
   bool OnPacketHeader(const QuicPacketHeader& header) override;
   void OnCoalescedPacket(const QuicEncryptedPacket& packet) override;
   bool OnStreamFrame(const QuicStreamFrame& frame) override;
@@ -342,7 +343,7 @@ class NoOpFramerVisitor : public QuicFramerVisitorInterface {
   void OnPacketComplete() override {}
   bool IsValidStatelessResetToken(QuicUint128 token) const override;
   void OnAuthenticatedIetfStatelessResetPacket(
-      const QuicIetfStatelessResetPacket& packet) override {}
+      const QuicIetfStatelessResetPacket& /*packet*/) override {}
 };
 
 class MockQuicConnectionVisitor : public QuicConnectionVisitorInterface {
@@ -360,9 +361,8 @@ class MockQuicConnectionVisitor : public QuicConnectionVisitorInterface {
   MOCK_METHOD1(OnRstStream, void(const QuicRstStreamFrame& frame));
   MOCK_METHOD1(OnGoAway, void(const QuicGoAwayFrame& frame));
   MOCK_METHOD1(OnMessageReceived, void(QuicStringPiece message));
-  MOCK_METHOD3(OnConnectionClosed,
-               void(QuicErrorCode error,
-                    const std::string& error_details,
+  MOCK_METHOD2(OnConnectionClosed,
+               void(const QuicConnectionCloseFrame& frame,
                     ConnectionCloseSource source));
   MOCK_METHOD0(OnWriteBlocked, void());
   MOCK_METHOD0(OnCanWrite, void());
@@ -531,8 +531,7 @@ class MockQuicConnection : public QuicConnection {
     QuicConnection::ProcessUdpPacket(self_address, peer_address, packet);
   }
 
-  bool OnProtocolVersionMismatch(ParsedQuicVersion version,
-                                 PacketHeaderFormat form) override;
+  bool OnProtocolVersionMismatch(ParsedQuicVersion version) override;
 
   bool ReallySendControlFrame(const QuicFrame& frame) {
     return QuicConnection::SendControlFrame(frame);
@@ -596,12 +595,11 @@ class MockQuicSession : public QuicSession {
   const QuicCryptoStream* GetCryptoStream() const override;
   void SetCryptoStream(QuicCryptoStream* crypto_stream);
 
-  MOCK_METHOD3(OnConnectionClosed,
-               void(QuicErrorCode error,
-                    const std::string& error_details,
+  MOCK_METHOD2(OnConnectionClosed,
+               void(const QuicConnectionCloseFrame& frame,
                     ConnectionCloseSource source));
   MOCK_METHOD1(CreateIncomingStream, QuicStream*(QuicStreamId id));
-  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream stream));
+  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream* stream));
   MOCK_METHOD1(ShouldCreateIncomingStream2, bool(QuicStreamId id));
   MOCK_METHOD0(ShouldCreateOutgoingBidirectionalStream, bool());
   MOCK_METHOD0(ShouldCreateOutgoingUnidirectionalStream, bool());
@@ -673,19 +671,17 @@ class MockQuicSpdySession : public QuicSpdySession {
   const QuicCryptoStream* GetCryptoStream() const override;
   void SetCryptoStream(QuicCryptoStream* crypto_stream);
 
-  void ReallyOnConnectionClosed(QuicErrorCode error,
-                                const std::string& error_details,
+  void ReallyOnConnectionClosed(const QuicConnectionCloseFrame& frame,
                                 ConnectionCloseSource source) {
-    QuicSession::OnConnectionClosed(error, error_details, source);
+    QuicSession::OnConnectionClosed(frame, source);
   }
 
   // From QuicSession.
-  MOCK_METHOD3(OnConnectionClosed,
-               void(QuicErrorCode error,
-                    const std::string& error_details,
+  MOCK_METHOD2(OnConnectionClosed,
+               void(const QuicConnectionCloseFrame& frame,
                     ConnectionCloseSource source));
   MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(QuicStreamId id));
-  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream stream));
+  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream* stream));
   MOCK_METHOD0(CreateOutgoingBidirectionalStream, QuicSpdyStream*());
   MOCK_METHOD0(CreateOutgoingUnidirectionalStream, QuicSpdyStream*());
   MOCK_METHOD1(ShouldCreateIncomingStream, bool(QuicStreamId id));
@@ -754,7 +750,7 @@ class TestQuicSpdyServerSession : public QuicServerSessionBase {
   ~TestQuicSpdyServerSession() override;
 
   MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(QuicStreamId id));
-  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream stream));
+  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream* stream));
   MOCK_METHOD0(CreateOutgoingBidirectionalStream, QuicSpdyStream*());
   MOCK_METHOD0(CreateOutgoingUnidirectionalStream, QuicSpdyStream*());
   QuicCryptoServerStreamBase* CreateQuicCryptoServerStream(
@@ -819,7 +815,7 @@ class TestQuicSpdyClientSession : public QuicSpdyClientSessionBase {
 
   // TestQuicSpdyClientSession
   MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(QuicStreamId id));
-  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream stream));
+  MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(PendingStream* stream));
   MOCK_METHOD0(CreateOutgoingBidirectionalStream, QuicSpdyStream*());
   MOCK_METHOD0(CreateOutgoingUnidirectionalStream, QuicSpdyStream*());
   MOCK_METHOD1(ShouldCreateIncomingStream, bool(QuicStreamId id));
@@ -882,7 +878,6 @@ class MockSendAlgorithm : public SendAlgorithmInterface {
 
   MOCK_METHOD2(SetFromConfig,
                void(const QuicConfig& config, Perspective perspective));
-  MOCK_METHOD1(SetNumEmulatedConnections, void(int num_connections));
   MOCK_METHOD1(SetInitialCongestionWindowInPackets,
                void(QuicPacketCount packets));
   MOCK_METHOD1(SetMaxCongestionWindow,
@@ -1054,13 +1049,14 @@ class MockSessionNotifier : public SessionNotifierInterface {
   MockSessionNotifier();
   ~MockSessionNotifier() override;
 
-  MOCK_METHOD2(OnFrameAcked, bool(const QuicFrame&, QuicTime::Delta));
+  MOCK_METHOD3(OnFrameAcked, bool(const QuicFrame&, QuicTime::Delta, QuicTime));
   MOCK_METHOD1(OnStreamFrameRetransmitted, void(const QuicStreamFrame&));
   MOCK_METHOD1(OnFrameLost, void(const QuicFrame&));
   MOCK_METHOD2(RetransmitFrames,
                void(const QuicFrames&, TransmissionType type));
   MOCK_CONST_METHOD1(IsFrameOutstanding, bool(const QuicFrame&));
   MOCK_CONST_METHOD0(HasUnackedCryptoData, bool());
+  MOCK_CONST_METHOD0(HasUnackedStreamData, bool());
 };
 
 // Creates a client session for testing.
@@ -1170,6 +1166,9 @@ QuicStreamId GetNthServerInitiatedBidirectionalStreamId(
 QuicStreamId GetNthServerInitiatedUnidirectionalStreamId(
     QuicTransportVersion version,
     int n);
+QuicStreamId GetNthClientInitiatedUnidirectionalStreamId(
+    QuicTransportVersion version,
+    int n);
 
 StreamType DetermineStreamType(QuicStreamId id,
                                QuicTransportVersion version,
@@ -1183,6 +1182,15 @@ QuicMemSliceSpan MakeSpan(QuicBufferAllocator* allocator,
                           QuicStringPiece message_data,
                           QuicMemSliceStorage* storage);
 
+// Used to compare ReceivedPacketInfo.
+MATCHER_P(ReceivedPacketInfoEquals, info, "") {
+  return info.ToString() == arg.ToString();
+}
+
+MATCHER_P(ReceivedPacketInfoConnectionIdEquals, destination_connection_id, "") {
+  return arg.destination_connection_id == destination_connection_id;
+}
+
 }  // namespace test
 }  // namespace quic
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.cc
index 06a6718439b..547f6d26c8d 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.cc
@@ -24,8 +24,7 @@ class SimpleFramerVisitor : public QuicFramerVisitorInterface {
 
   void OnError(QuicFramer* framer) override { error_ = framer->error(); }
 
-  bool OnProtocolVersionMismatch(ParsedQuicVersion version,
-                                 PacketHeaderFormat form) override {
+  bool OnProtocolVersionMismatch(ParsedQuicVersion /*version*/) override {
     return false;
   }
 
@@ -39,14 +38,15 @@ class SimpleFramerVisitor : public QuicFramerVisitorInterface {
         QuicMakeUnique<QuicVersionNegotiationPacket>((packet));
   }
 
-  void OnRetryPacket(QuicConnectionId original_connection_id,
-                     QuicConnectionId new_connection_id,
-                     QuicStringPiece retry_token) override {}
+  void OnRetryPacket(QuicConnectionId /*original_connection_id*/,
+                     QuicConnectionId /*new_connection_id*/,
+                     QuicStringPiece /*retry_token*/) override {}
 
-  bool OnUnauthenticatedPublicHeader(const QuicPacketHeader& header) override {
+  bool OnUnauthenticatedPublicHeader(
+      const QuicPacketHeader& /*header*/) override {
     return true;
   }
-  bool OnUnauthenticatedHeader(const QuicPacketHeader& header) override {
+  bool OnUnauthenticatedHeader(const QuicPacketHeader& /*header*/) override {
     return true;
   }
   void OnDecryptedPacket(EncryptionLevel level) override {
@@ -58,7 +58,7 @@ class SimpleFramerVisitor : public QuicFramerVisitorInterface {
     return true;
   }
 
-  void OnCoalescedPacket(const QuicEncryptedPacket& packet) override {}
+  void OnCoalescedPacket(const QuicEncryptedPacket& /*packet*/) override {}
 
   bool OnStreamFrame(const QuicStreamFrame& frame) override {
     // Save a copy of the data so it is valid after the packet is processed.
@@ -97,8 +97,8 @@ class SimpleFramerVisitor : public QuicFramerVisitorInterface {
     return true;
   }
 
-  bool OnAckTimestamp(QuicPacketNumber packet_number,
-                      QuicTime timestamp) override {
+  bool OnAckTimestamp(QuicPacketNumber /*packet_number*/,
+                      QuicTime /*timestamp*/) override {
     return true;
   }
 
@@ -191,7 +191,7 @@ class SimpleFramerVisitor : public QuicFramerVisitorInterface {
 
   void OnPacketComplete() override {}
 
-  bool IsValidStatelessResetToken(QuicUint128 token) const override {
+  bool IsValidStatelessResetToken(QuicUint128 /*token*/) const override {
     return false;
   }
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.cc
index e72e0e1b811..16c441c8c32 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.cc
@@ -135,7 +135,8 @@ void SimpleSessionNotifier::NeuterUnencryptedData() {
     QuicStreamFrame stream_frame(
         QuicUtils::GetCryptoStreamId(connection_->transport_version()), false,
         interval.min(), interval.max() - interval.min());
-    OnFrameAcked(QuicFrame(stream_frame), QuicTime::Delta::Zero());
+    OnFrameAcked(QuicFrame(stream_frame), QuicTime::Delta::Zero(),
+                 QuicTime::Zero());
   }
 }
 
@@ -202,7 +203,8 @@ QuicByteCount SimpleSessionNotifier::StreamBytesToSend() const {
 }
 
 bool SimpleSessionNotifier::OnFrameAcked(const QuicFrame& frame,
-                                         QuicTime::Delta /*ack_delay_time*/) {
+                                         QuicTime::Delta /*ack_delay_time*/,
+                                         QuicTime /*receive_timestamp*/) {
   QUIC_DVLOG(1) << "Acking " << frame;
   if (frame.type == CRYPTO_FRAME) {
     StreamState* state = &crypto_state_[frame.crypto_frame->level];
@@ -281,8 +283,7 @@ void SimpleSessionNotifier::OnFrameLost(const QuicFrame& frame) {
 
 void SimpleSessionNotifier::RetransmitFrames(const QuicFrames& frames,
                                              TransmissionType type) {
-  QuicConnection::ScopedPacketFlusher retransmission_flusher(
-      connection_, QuicConnection::SEND_ACK_IF_QUEUED);
+  QuicConnection::ScopedPacketFlusher retransmission_flusher(connection_);
   connection_->SetTransmissionType(type);
   for (const QuicFrame& frame : frames) {
     if (frame.type == CRYPTO_FRAME) {
@@ -432,6 +433,14 @@ bool SimpleSessionNotifier::HasUnackedCryptoData() const {
   return !bytes_to_ack.Empty();
 }
 
+bool SimpleSessionNotifier::HasUnackedStreamData() const {
+  for (auto it : stream_map_) {
+    if (StreamIsWaitingForAcks(it.first))
+      return true;
+  }
+  return false;
+}
+
 bool SimpleSessionNotifier::OnControlFrameAcked(const QuicFrame& frame) {
   QuicControlFrameId id = GetControlFrameId(frame);
   if (id == kInvalidControlFrameId) {
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.h b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.h
index e7d4fdc9b50..74240539ae7 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.h
@@ -65,13 +65,15 @@ class SimpleSessionNotifier : public SessionNotifierInterface {
 
   // SessionNotifierInterface methods:
   bool OnFrameAcked(const QuicFrame& frame,
-                    QuicTime::Delta ack_delay_time) override;
-  void OnStreamFrameRetransmitted(const QuicStreamFrame& frame) override {}
+                    QuicTime::Delta ack_delay_time,
+                    QuicTime receive_timestamp) override;
+  void OnStreamFrameRetransmitted(const QuicStreamFrame& /*frame*/) override {}
   void OnFrameLost(const QuicFrame& frame) override;
   void RetransmitFrames(const QuicFrames& frames,
                         TransmissionType type) override;
   bool IsFrameOutstanding(const QuicFrame& frame) const override;
   bool HasUnackedCryptoData() const override;
+  bool HasUnackedStreamData() const override;
 
  private:
   struct StreamState {
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier_test.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier_test.cc
index d2aad9f087e..8b931fed34d 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier_test.cc
@@ -88,6 +88,8 @@ TEST_F(SimpleSessionNotifierTest, WriteOrBufferRstStream) {
   EXPECT_CALL(connection_, SendStreamData(5, 1024, 0, FIN))
       .WillOnce(Return(QuicConsumedData(1024, true)));
   notifier_.WriteOrBufferData(5, 1024, FIN);
+  EXPECT_TRUE(notifier_.StreamIsWaitingForAcks(5));
+  EXPECT_TRUE(notifier_.HasUnackedStreamData());
 
   // Reset stream 5 with no error.
   EXPECT_CALL(connection_, SendControlFrame(_))
@@ -96,10 +98,12 @@ TEST_F(SimpleSessionNotifierTest, WriteOrBufferRstStream) {
   notifier_.WriteOrBufferRstStream(5, QUIC_STREAM_NO_ERROR, 1024);
   // Verify stream 5 is waiting for acks.
   EXPECT_TRUE(notifier_.StreamIsWaitingForAcks(5));
+  EXPECT_TRUE(notifier_.HasUnackedStreamData());
 
   // Reset stream 5 with error.
   notifier_.WriteOrBufferRstStream(5, QUIC_ERROR_PROCESSING_STREAM, 1024);
   EXPECT_FALSE(notifier_.StreamIsWaitingForAcks(5));
+  EXPECT_FALSE(notifier_.HasUnackedStreamData());
 }
 
 TEST_F(SimpleSessionNotifierTest, WriteOrBufferPing) {
@@ -154,13 +158,17 @@ TEST_F(SimpleSessionNotifierTest, NeuterUnencryptedData) {
   QuicStreamFrame stream_frame(
       QuicUtils::GetCryptoStreamId(connection_.transport_version()), false,
       1024, 1024);
-  notifier_.OnFrameAcked(QuicFrame(stream_frame), QuicTime::Delta::Zero());
+  notifier_.OnFrameAcked(QuicFrame(stream_frame), QuicTime::Delta::Zero(),
+                         QuicTime::Zero());
   EXPECT_TRUE(notifier_.StreamIsWaitingForAcks(
       QuicUtils::GetCryptoStreamId(connection_.transport_version())));
+  EXPECT_TRUE(notifier_.HasUnackedStreamData());
+
   // Neuters unencrypted data.
   notifier_.NeuterUnencryptedData();
   EXPECT_FALSE(notifier_.StreamIsWaitingForAcks(
       QuicUtils::GetCryptoStreamId(connection_.transport_version())));
+  EXPECT_FALSE(notifier_.HasUnackedStreamData());
 }
 
 TEST_F(SimpleSessionNotifierTest, OnCanWrite) {
@@ -177,6 +185,7 @@ TEST_F(SimpleSessionNotifierTest, OnCanWrite) {
   notifier_.WriteOrBufferData(
       QuicUtils::GetCryptoStreamId(connection_.transport_version()), 1024,
       NO_FIN);
+
   // Send crypto data [1024, 2048) in ENCRYPTION_ZERO_RTT.
   connection_.SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
   EXPECT_CALL(connection_, SendStreamData(QuicUtils::GetCryptoStreamId(
@@ -315,8 +324,10 @@ TEST_F(SimpleSessionNotifierTest, RetransmitFrames) {
   // Ack stream 3 [3, 7), and stream 5 [8, 10).
   QuicStreamFrame ack_frame1(3, false, 3, 4);
   QuicStreamFrame ack_frame2(5, false, 8, 2);
-  notifier_.OnFrameAcked(QuicFrame(ack_frame1), QuicTime::Delta::Zero());
-  notifier_.OnFrameAcked(QuicFrame(ack_frame2), QuicTime::Delta::Zero());
+  notifier_.OnFrameAcked(QuicFrame(ack_frame1), QuicTime::Delta::Zero(),
+                         QuicTime::Zero());
+  notifier_.OnFrameAcked(QuicFrame(ack_frame2), QuicTime::Delta::Zero(),
+                         QuicTime::Zero());
   EXPECT_FALSE(notifier_.WillingToWrite());
 
   // Force to send.
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/link.h b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/link.h
index 531eff67cf4..5621e1b259f 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/link.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/link.h
@@ -8,6 +8,7 @@
 #include <utility>
 
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
+#include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/actor.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/port.h"
 
@@ -33,6 +34,9 @@ class OneWayLink : public Actor, public ConstrainedPortInterface {
   void Act() override;
 
   inline QuicBandwidth bandwidth() const { return bandwidth_; }
+  inline void set_bandwidth(QuicBandwidth new_bandwidth) {
+    bandwidth_ = new_bandwidth;
+  }
 
  protected:
   // Get the value of a random delay imposed on each packet.  By default, this
@@ -58,7 +62,7 @@ class OneWayLink : public Actor, public ConstrainedPortInterface {
   UnconstrainedPortInterface* sink_;
   QuicDeque<QueuedPacket> packets_in_transit_;
 
-  const QuicBandwidth bandwidth_;
+  QuicBandwidth bandwidth_;
   const QuicTime::Delta propagation_delay_;
 
   QuicTime next_write_at_;
@@ -82,6 +86,10 @@ class SymmetricLink {
   SymmetricLink& operator=(const SymmetricLink&) = delete;
 
   inline QuicBandwidth bandwidth() { return a_to_b_link_.bandwidth(); }
+  inline void set_bandwidth(QuicBandwidth new_bandwidth) {
+    a_to_b_link_.set_bandwidth(new_bandwidth);
+    b_to_a_link_.set_bandwidth(new_bandwidth);
+  }
 
  private:
   OneWayLink a_to_b_link_;
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc
index 043eae99e21..28df15f0593 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc
@@ -229,7 +229,7 @@ void QuicEndpoint::OnStreamFrame(const QuicStreamFrame& frame) {
   DCHECK_LE(offsets_received_.Size(), 1000u);
 }
 
-void QuicEndpoint::OnCryptoFrame(const QuicCryptoFrame& frame) {}
+void QuicEndpoint::OnCryptoFrame(const QuicCryptoFrame& /*frame*/) {}
 
 void QuicEndpoint::OnCanWrite() {
   if (notifier_ != nullptr) {
@@ -265,9 +265,10 @@ bool QuicEndpoint::AllowSelfAddressChange() const {
 }
 
 bool QuicEndpoint::OnFrameAcked(const QuicFrame& frame,
-                                QuicTime::Delta ack_delay_time) {
+                                QuicTime::Delta ack_delay_time,
+                                QuicTime receive_timestamp) {
   if (notifier_ != nullptr) {
-    return notifier_->OnFrameAcked(frame, ack_delay_time);
+    return notifier_->OnFrameAcked(frame, ack_delay_time, receive_timestamp);
   }
   return false;
 }
@@ -292,6 +293,13 @@ bool QuicEndpoint::HasUnackedCryptoData() const {
   return false;
 }
 
+bool QuicEndpoint::HasUnackedStreamData() const {
+  if (notifier_ != nullptr) {
+    return notifier_->HasUnackedStreamData();
+  }
+  return false;
+}
+
 QuicEndpoint::Writer::Writer(QuicEndpoint* endpoint)
     : endpoint_(endpoint), is_blocked_(false) {}
 
@@ -300,8 +308,8 @@ QuicEndpoint::Writer::~Writer() {}
 WriteResult QuicEndpoint::Writer::WritePacket(
     const char* buffer,
     size_t buf_len,
-    const QuicIpAddress& self_address,
-    const QuicSocketAddress& peer_address,
+    const QuicIpAddress& /*self_address*/,
+    const QuicSocketAddress& /*peer_address*/,
     PerPacketOptions* options) {
   DCHECK(!IsWriteBlocked());
   DCHECK(options == nullptr);
@@ -350,8 +358,8 @@ bool QuicEndpoint::Writer::IsBatchMode() const {
 }
 
 char* QuicEndpoint::Writer::GetNextWriteLocation(
-    const QuicIpAddress& self_address,
-    const QuicSocketAddress& peer_address) {
+    const QuicIpAddress& /*self_address*/,
+    const QuicSocketAddress& /*peer_address*/) {
   return nullptr;
 }
 
@@ -360,26 +368,25 @@ WriteResult QuicEndpoint::Writer::Flush() {
 }
 
 WriteStreamDataResult QuicEndpoint::DataProducer::WriteStreamData(
-    QuicStreamId id,
-    QuicStreamOffset offset,
+    QuicStreamId /*id*/,
+    QuicStreamOffset /*offset*/,
     QuicByteCount data_length,
     QuicDataWriter* writer) {
   writer->WriteRepeatedByte(kStreamDataContents, data_length);
   return WRITE_SUCCESS;
 }
 
-bool QuicEndpoint::DataProducer::WriteCryptoData(EncryptionLevel leve,
-                                                 QuicStreamOffset offset,
-                                                 QuicByteCount data_length,
-                                                 QuicDataWriter* writer) {
+bool QuicEndpoint::DataProducer::WriteCryptoData(EncryptionLevel /*level*/,
+                                                 QuicStreamOffset /*offset*/,
+                                                 QuicByteCount /*data_length*/,
+                                                 QuicDataWriter* /*writer*/) {
   QUIC_BUG << "QuicEndpoint::DataProducer::WriteCryptoData is unimplemented";
   return false;
 }
 
 void QuicEndpoint::WriteStreamData() {
   // Instantiate a flusher which would normally be here due to QuicSession.
-  QuicConnection::ScopedPacketFlusher flusher(
-      &connection_, QuicConnection::SEND_ACK_IF_QUEUED);
+  QuicConnection::ScopedPacketFlusher flusher(&connection_);
 
   while (bytes_to_transfer_ > 0) {
     // Transfer data in chunks of size at most |kWriteChunkSize|.
@@ -400,7 +407,7 @@ void QuicEndpoint::WriteStreamData() {
 
 QuicEndpointMultiplexer::QuicEndpointMultiplexer(
     std::string name,
-    std::initializer_list<QuicEndpoint*> endpoints)
+    const std::vector<QuicEndpoint*>& endpoints)
     : Endpoint((*endpoints.begin())->simulator(), name) {
   for (QuicEndpoint* endpoint : endpoints) {
     mapping_.insert(std::make_pair(endpoint->name(), endpoint));
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h
index 8bbdbd7c5e2..7481ddc6b1f 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h
@@ -87,34 +87,34 @@ class QuicEndpoint : public Endpoint,
   bool HasPendingHandshake() const override;
   bool ShouldKeepConnectionAlive() const override;
 
-  void OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) override {}
-  void OnBlockedFrame(const QuicBlockedFrame& frame) override {}
-  void OnRstStream(const QuicRstStreamFrame& frame) override {}
-  void OnGoAway(const QuicGoAwayFrame& frame) override {}
-  void OnMessageReceived(QuicStringPiece message) override {}
-  void OnConnectionClosed(QuicErrorCode error,
-                          const std::string& error_details,
-                          ConnectionCloseSource source) override {}
+  void OnWindowUpdateFrame(const QuicWindowUpdateFrame& /*frame*/) override {}
+  void OnBlockedFrame(const QuicBlockedFrame& /*frame*/) override {}
+  void OnRstStream(const QuicRstStreamFrame& /*frame*/) override {}
+  void OnGoAway(const QuicGoAwayFrame& /*frame*/) override {}
+  void OnMessageReceived(QuicStringPiece /*message*/) override {}
+  void OnConnectionClosed(const QuicConnectionCloseFrame& /*frame*/,
+                          ConnectionCloseSource /*source*/) override {}
   void OnWriteBlocked() override {}
   void OnSuccessfulVersionNegotiation(
-      const ParsedQuicVersion& version) override {}
+      const ParsedQuicVersion& /*version*/) override {}
   void OnConnectivityProbeReceived(
-      const QuicSocketAddress& self_address,
-      const QuicSocketAddress& peer_address) override {}
-  void OnCongestionWindowChange(QuicTime now) override {}
-  void OnConnectionMigration(AddressChangeType type) override {}
+      const QuicSocketAddress& /*self_address*/,
+      const QuicSocketAddress& /*peer_address*/) override {}
+  void OnCongestionWindowChange(QuicTime /*now*/) override {}
+  void OnConnectionMigration(AddressChangeType /*type*/) override {}
   void OnPathDegrading() override {}
   void OnAckNeedsRetransmittableFrame() override {}
   void SendPing() override {}
   bool AllowSelfAddressChange() const override;
   void OnForwardProgressConfirmed() override {}
-  bool OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) override {
+  bool OnMaxStreamsFrame(const QuicMaxStreamsFrame& /*frame*/) override {
     return true;
   }
-  bool OnStreamsBlockedFrame(const QuicStreamsBlockedFrame& frame) override {
+  bool OnStreamsBlockedFrame(
+      const QuicStreamsBlockedFrame& /*frame*/) override {
     return true;
   }
-  bool OnStopSendingFrame(const QuicStopSendingFrame& frame) override {
+  bool OnStopSendingFrame(const QuicStopSendingFrame& /*frame*/) override {
     return true;
   }
 
@@ -122,13 +122,15 @@ class QuicEndpoint : public Endpoint,
 
   // Begin SessionNotifierInterface methods:
   bool OnFrameAcked(const QuicFrame& frame,
-                    QuicTime::Delta ack_delay_time) override;
-  void OnStreamFrameRetransmitted(const QuicStreamFrame& frame) override {}
+                    QuicTime::Delta ack_delay_time,
+                    QuicTime receive_timestamp) override;
+  void OnStreamFrameRetransmitted(const QuicStreamFrame& /*frame*/) override {}
   void OnFrameLost(const QuicFrame& frame) override;
   void RetransmitFrames(const QuicFrames& frames,
                         TransmissionType type) override;
   bool IsFrameOutstanding(const QuicFrame& frame) const override;
   bool HasUnackedCryptoData() const override;
+  bool HasUnackedStreamData() const override;
   // End SessionNotifierInterface implementation.
 
  private:
@@ -212,7 +214,7 @@ class QuicEndpointMultiplexer : public Endpoint,
                                 public UnconstrainedPortInterface {
  public:
   QuicEndpointMultiplexer(std::string name,
-                          std::initializer_list<QuicEndpoint*> endpoints);
+                          const std::vector<QuicEndpoint*>& endpoints);
   ~QuicEndpointMultiplexer() override;
 
   // Receives a packet and passes it to the specified endpoint if that endpoint
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_test.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_test.cc
index 5382eb56b1e..74b48ba16ea 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_test.cc
@@ -189,7 +189,7 @@ TEST_F(QuicEndpointTest, Competition) {
   endpoint_b->AddBytesToTransfer(2 * 1024 * 1024);
   endpoint_c->AddBytesToTransfer(2 * 1024 * 1024);
   QuicTime end_time =
-      simulator_.GetClock()->Now() + QuicTime::Delta::FromSeconds(10);
+      simulator_.GetClock()->Now() + QuicTime::Delta::FromSeconds(12);
   simulator_.RunUntil(
       [this, end_time]() { return simulator_.GetClock()->Now() >= end_time; });
 
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_backend_response.h b/chromium/net/third_party/quiche/src/quic/tools/quic_backend_response.h
index 4ef0fdc1bad..b5789151b2f 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_backend_response.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_backend_response.h
@@ -5,8 +5,8 @@
 #ifndef QUICHE_QUIC_TOOLS_QUIC_BACKEND_RESPONSE_H_
 #define QUICHE_QUIC_TOOLS_QUIC_BACKEND_RESPONSE_H_
 
-#include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
 #include "net/third_party/quiche/src/quic/tools/quic_url.h"
+#include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 
 namespace quic {
 
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client.h b/chromium/net/third_party/quiche/src/quic/tools/quic_client.h
index 0e708ec2835..e5d21700418 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client.h
@@ -16,7 +16,6 @@
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h"
 #include "net/third_party/quiche/src/quic/core/quic_config.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_reader.h"
-#include "net/third_party/quiche/src/quic/core/quic_process_packet_interface.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_epoll.h"
 #include "net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.h"
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.cc
index b746ba5f6dc..b03f7cc342d 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.cc
@@ -8,7 +8,6 @@
 #include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_server_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
@@ -29,13 +28,11 @@ QuicClientBase::QuicClientBase(
       initialized_(false),
       local_port_(0),
       config_(config),
-      crypto_config_(std::move(proof_verifier),
-                     TlsClientHandshaker::CreateSslCtx()),
+      crypto_config_(std::move(proof_verifier)),
       helper_(helper),
       alarm_factory_(alarm_factory),
       supported_versions_(supported_versions),
       initial_max_packet_length_(0),
-      num_stateless_rejects_received_(0),
       num_sent_client_hellos_(0),
       connection_error_(QUIC_NO_ERROR),
       connected_or_attempting_connect_(false),
@@ -45,7 +42,6 @@ QuicClientBase::~QuicClientBase() = default;
 
 bool QuicClientBase::Initialize() {
   num_sent_client_hellos_ = 0;
-  num_stateless_rejects_received_ = 0;
   connection_error_ = QUIC_NO_ERROR;
   connected_or_attempting_connect_ = false;
 
@@ -83,21 +79,12 @@ bool QuicClientBase::Connect() {
     }
     ParsedQuicVersion version = UnsupportedQuicVersion();
     if (session() != nullptr &&
-        session()->error() != QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT &&
         !CanReconnectWithDifferentVersion(&version)) {
-      // We've successfully created a session but we're not connected, and there
-      // is no stateless reject to recover from and cannot try to reconnect with
-      // different version.  Give up trying.
+      // We've successfully created a session but we're not connected, and we
+      // cannot reconnect with a different version.  Give up trying.
       break;
     }
   }
-  if (!connected() &&
-      GetNumSentClientHellos() > QuicCryptoClientStream::kMaxClientHellos &&
-      session() != nullptr &&
-      session()->error() == QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT) {
-    // The overall connection failed due too many stateless rejects.
-    set_connection_error(QUIC_CRYPTO_TOO_MANY_REJECTS);
-  }
   return session()->connection()->connected();
 }
 
@@ -109,12 +96,9 @@ void QuicClientBase::StartConnect() {
   const bool can_reconnect_with_different_version =
       CanReconnectWithDifferentVersion(&mutual_version);
   if (connected_or_attempting_connect()) {
-    // If the last error was not a stateless reject, then the queued up data
-    // does not need to be resent.
-    // Keep queued up data if client can try to connect with a different
+    // Clear queued up data if client can not try to connect with a different
     // version.
-    if (session()->error() != QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT &&
-        !can_reconnect_with_different_version) {
+    if (!can_reconnect_with_different_version) {
       ClearDataToResend();
     }
     // Before we destroy the last session and create a new one, gather its stats
@@ -130,6 +114,7 @@ void QuicClientBase::StartConnect() {
                          can_reconnect_with_different_version
                              ? ParsedQuicVersionVector{mutual_version}
                              : supported_versions()));
+  session()->connection()->set_client_connection_id(GetClientConnectionId());
   if (initial_max_packet_length_ != 0) {
     session()->connection()->SetMaxPacketLength(initial_max_packet_length_);
   }
@@ -175,11 +160,7 @@ bool QuicClientBase::WaitForEvents() {
 
   DCHECK(session() != nullptr);
   ParsedQuicVersion version = UnsupportedQuicVersion();
-  if (!connected() &&
-
-      CanReconnectWithDifferentVersion(&version)) {
-    DCHECK_NE(session()->error(), QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT);
-
+  if (!connected() && CanReconnectWithDifferentVersion(&version)) {
     QUIC_DLOG(INFO) << "Can reconnect with version: " << version
                     << ", attempting to reconnect.";
 
@@ -275,17 +256,11 @@ int QuicClientBase::GetNumSentClientHellos() {
 
 void QuicClientBase::UpdateStats() {
   num_sent_client_hellos_ += GetNumSentClientHellosFromSession();
-  if (session()->error() == QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT) {
-    ++num_stateless_rejects_received_;
-  }
 }
 
 int QuicClientBase::GetNumReceivedServerConfigUpdates() {
   // If we are not actively attempting to connect, the session object
   // corresponds to the previous connection and should not be used.
-  // We do not need to take stateless rejects into account, since we
-  // don't expect any scup messages to be sent during a
-  // statelessly-rejected connection.
   return !connected_or_attempting_connect_
              ? 0
              : GetNumReceivedServerConfigUpdatesFromSession();
@@ -325,6 +300,10 @@ QuicConnectionId QuicClientBase::GenerateNewConnectionId() {
   return QuicUtils::CreateRandomConnectionId();
 }
 
+QuicConnectionId QuicClientBase::GetClientConnectionId() {
+  return EmptyQuicConnectionId();
+}
+
 bool QuicClientBase::CanReconnectWithDifferentVersion(
     ParsedQuicVersion* version) const {
   if (session_ == nullptr || session_->connection() == nullptr ||
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.h b/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.h
index 0cc4d71ff78..fb15b862b08 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.h
@@ -149,31 +149,17 @@ class QuicClientBase {
     initial_max_packet_length_ = initial_max_packet_length;
   }
 
-  int num_stateless_rejects_received() const {
-    return num_stateless_rejects_received_;
-  }
-
-  // The number of client hellos sent, taking stateless rejects into
-  // account.  In the case of a stateless reject, the initial
-  // connection object may be torn down and a new one created.  The
-  // user cannot rely upon the latest connection object to get the
-  // total number of client hellos sent, and should use this function
-  // instead.
+  // The number of client hellos sent.
   int GetNumSentClientHellos();
 
   // Gather the stats for the last session and update the stats for the overall
   // connection.
   void UpdateStats();
 
-  // The number of server config updates received.  We assume no
-  // updates can be sent during a previously, statelessly rejected
-  // connection, so only the latest session is taken into account.
+  // The number of server config updates received.
   int GetNumReceivedServerConfigUpdates();
 
-  // Returns any errors that occurred at the connection-level (as
-  // opposed to the session-level).  When a stateless reject occurs,
-  // the error of the last session may not reflect the overall state
-  // of the connection.
+  // Returns any errors that occurred at the connection-level.
   QuicErrorCode connection_error() const;
   void set_connection_error(QuicErrorCode connection_error) {
     connection_error_ = connection_error;
@@ -236,9 +222,7 @@ class QuicClientBase {
   // Extract the number of sent client hellos from the session.
   virtual int GetNumSentClientHellosFromSession() = 0;
 
-  // The number of server config updates received.  We assume no
-  // updates can be sent during a previously, statelessly rejected
-  // connection, so only the latest session is taken into account.
+  // The number of server config updates received.
   virtual int GetNumReceivedServerConfigUpdatesFromSession() = 0;
 
   // If this client supports buffering data, resend it.
@@ -268,6 +252,9 @@ class QuicClientBase {
   // connection ID).
   virtual QuicConnectionId GenerateNewConnectionId();
 
+  // Returns the client connection ID to use.
+  virtual QuicConnectionId GetClientConnectionId();
+
   QuicAlarmFactory* alarm_factory() { return alarm_factory_.get(); }
 
   // Subclasses may need to explicitly clear the session on destruction
@@ -326,13 +313,6 @@ class QuicClientBase {
   // zero, the default is used.
   QuicByteCount initial_max_packet_length_;
 
-  // The number of stateless rejects received during the current/latest
-  // connection.
-  // TODO(jokulik): Consider some consistent naming scheme (or other) for member
-  // variables that are kept per-request, per-connection, and over the client's
-  // lifetime.
-  int num_stateless_rejects_received_;
-
   // The number of hellos sent during the current/latest connection.
   int num_sent_client_hellos_;
 
@@ -340,9 +320,8 @@ class QuicClientBase {
   // opposed to that associated with the last session object).
   QuicErrorCode connection_error_;
 
-  // True when the client is attempting to connect or re-connect the session (in
-  // the case of a stateless reject).  Set to false  between a call to
-  // Disconnect() and the subsequent call to StartConnect().  When
+  // True when the client is attempting to connect.  Set to false between a call
+  // to Disconnect() and the subsequent call to StartConnect().  When
   // connected_or_attempting_connect_ is false, the session object corresponds
   // to the previous client-level connection.
   bool connected_or_attempting_connect_;
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client_bin.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_client_bin.cc
index 06760ce4a70..226e647351a 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client_bin.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client_bin.cc
@@ -20,7 +20,7 @@
 //   quic_client www.google.com --body="this is a POST body"
 //
 // Append additional headers to the request:
-//   quic_client www.google.com --headers="Header-A: 1234; Header-B: 5678"
+//   quic_client www.google.com --headers="header-a: 1234; header-b: 5678"
 //
 // Connect to a host different to the URL being requested:
 //   quic_client mail.google.com --host=www.google.com
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.cc
index 117521111f5..d16a128d903 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.cc
@@ -122,12 +122,15 @@ void QuicClientEpollNetworkHelper::RunEventLoop() {
   epoll_server_->WaitForEventsAndExecuteCallbacks();
 }
 
-void QuicClientEpollNetworkHelper::OnRegistration(QuicEpollServer* eps,
-                                                  int fd,
-                                                  int event_mask) {}
-void QuicClientEpollNetworkHelper::OnModification(int fd, int event_mask) {}
-void QuicClientEpollNetworkHelper::OnUnregistration(int fd, bool replaced) {}
-void QuicClientEpollNetworkHelper::OnShutdown(QuicEpollServer* eps, int fd) {}
+void QuicClientEpollNetworkHelper::OnRegistration(QuicEpollServer* /*eps*/,
+                                                  int /*fd*/,
+                                                  int /*event_mask*/) {}
+void QuicClientEpollNetworkHelper::OnModification(int /*fd*/,
+                                                  int /*event_mask*/) {}
+void QuicClientEpollNetworkHelper::OnUnregistration(int /*fd*/,
+                                                    bool /*replaced*/) {}
+void QuicClientEpollNetworkHelper::OnShutdown(QuicEpollServer* /*eps*/,
+                                              int /*fd*/) {}
 
 void QuicClientEpollNetworkHelper::OnEvent(int fd, QuicEpollEvent* event) {
   DCHECK_EQ(fd, GetLatestFD());
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.h b/chromium/net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.h
index 89d12946c7b..1ca4280fabe 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client_epoll_network_helper.h
@@ -15,7 +15,6 @@
 #include "net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index.h"
 #include "net/third_party/quiche/src/quic/core/quic_config.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_reader.h"
-#include "net/third_party/quiche/src/quic/core/quic_process_packet_interface.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_epoll.h"
 #include "net/third_party/quiche/src/quic/tools/quic_client_base.h"
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_epoll_client_factory.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_epoll_client_factory.cc
index 3b6b2eed714..a74fba36397 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_epoll_client_factory.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_epoll_client_factory.cc
@@ -32,22 +32,23 @@ QuicSocketAddress LookupAddress(std::string host, std::string port) {
   CHECK(info_list != nullptr);
   std::unique_ptr<addrinfo, void (*)(addrinfo*)> info_list_owned(info_list,
                                                                  freeaddrinfo);
-  return QuicSocketAddress(*info_list->ai_addr);
+  return QuicSocketAddress(info_list->ai_addr, info_list->ai_addrlen);
 }
 
 }  // namespace
 
 std::unique_ptr<QuicSpdyClientBase> QuicEpollClientFactory::CreateClient(
-    std::string host,
+    std::string host_for_handshake,
+    std::string host_for_lookup,
     uint16_t port,
     ParsedQuicVersionVector versions,
     std::unique_ptr<ProofVerifier> verifier) {
-  QuicSocketAddress addr = LookupAddress(host, QuicStrCat(port));
+  QuicSocketAddress addr = LookupAddress(host_for_lookup, QuicStrCat(port));
   if (!addr.IsInitialized()) {
-    QUIC_LOG(ERROR) << "Unable to resolve address: " << host;
+    QUIC_LOG(ERROR) << "Unable to resolve address: " << host_for_lookup;
     return nullptr;
   }
-  QuicServerId server_id(host, port, false);
+  QuicServerId server_id(host_for_handshake, port, false);
   return QuicMakeUnique<QuicClient>(addr, server_id, versions, &epoll_server_,
                                     std::move(verifier));
 }
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_epoll_client_factory.h b/chromium/net/third_party/quiche/src/quic/tools/quic_epoll_client_factory.h
index a083643ec3e..2ee26d9703c 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_epoll_client_factory.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_epoll_client_factory.h
@@ -14,7 +14,8 @@ namespace quic {
 class QuicEpollClientFactory : public QuicToyClient::ClientFactory {
  public:
   std::unique_ptr<QuicSpdyClientBase> CreateClient(
-      std::string host,
+      std::string host_for_handshake,
+      std::string host_for_lookup,
       uint16_t port,
       ParsedQuicVersionVector versions,
       std::unique_ptr<ProofVerifier> verifier) override;
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.cc
index 96faacb6914..5943380abfe 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.cc
@@ -282,7 +282,7 @@ bool QuicMemoryCacheBackend::IsBackendInitialized() const {
 
 void QuicMemoryCacheBackend::FetchResponseFromBackend(
     const SpdyHeaderBlock& request_headers,
-    const std::string& request_body,
+    const std::string& /*request_body*/,
     QuicSimpleServerBackend::RequestHandler* quic_stream) {
   const QuicBackendResponse* quic_response = nullptr;
   // Find response in cache. If not found, send error response.
@@ -303,7 +303,7 @@ void QuicMemoryCacheBackend::FetchResponseFromBackend(
 
 // The memory cache does not have a per-stream handler
 void QuicMemoryCacheBackend::CloseBackendResponseStream(
-    QuicSimpleServerBackend::RequestHandler* quic_stream) {}
+    QuicSimpleServerBackend::RequestHandler* /*quic_stream*/) {}
 
 std::list<ServerPushInfo> QuicMemoryCacheBackend::GetServerPushResources(
     std::string request_url) {
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_packet_printer_bin.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_packet_printer_bin.cc
index 80ffd4eeb9a..a87f10eadf1 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_packet_printer_bin.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_packet_printer_bin.cc
@@ -48,27 +48,27 @@ class QuicPacketPrinter : public QuicFramerVisitorInterface {
     std::cerr << "OnError: " << QuicErrorCodeToString(framer->error())
               << " detail: " << framer->detailed_error() << "\n";
   }
-  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version,
-                                 PacketHeaderFormat form) override {
+  bool OnProtocolVersionMismatch(ParsedQuicVersion received_version) override {
     framer_->set_version(received_version);
     std::cerr << "OnProtocolVersionMismatch: "
               << ParsedQuicVersionToString(received_version) << "\n";
     return true;
   }
   void OnPacket() override { std::cerr << "OnPacket\n"; }
-  void OnPublicResetPacket(const QuicPublicResetPacket& packet) override {
+  void OnPublicResetPacket(const QuicPublicResetPacket& /*packet*/) override {
     std::cerr << "OnPublicResetPacket\n";
   }
   void OnVersionNegotiationPacket(
-      const QuicVersionNegotiationPacket& packet) override {
+      const QuicVersionNegotiationPacket& /*packet*/) override {
     std::cerr << "OnVersionNegotiationPacket\n";
   }
-  void OnRetryPacket(QuicConnectionId original_connection_id,
-                     QuicConnectionId new_connection_id,
-                     QuicStringPiece retry_token) override {
+  void OnRetryPacket(QuicConnectionId /*original_connection_id*/,
+                     QuicConnectionId /*new_connection_id*/,
+                     QuicStringPiece /*retry_token*/) override {
     std::cerr << "OnRetryPacket\n";
   }
-  bool OnUnauthenticatedPublicHeader(const QuicPacketHeader& header) override {
+  bool OnUnauthenticatedPublicHeader(
+      const QuicPacketHeader& /*header*/) override {
     std::cerr << "OnUnauthenticatedPublicHeader\n";
     return true;
   }
@@ -81,11 +81,11 @@ class QuicPacketPrinter : public QuicFramerVisitorInterface {
     DCHECK_EQ(ENCRYPTION_INITIAL, level);
     std::cerr << "OnDecryptedPacket\n";
   }
-  bool OnPacketHeader(const QuicPacketHeader& header) override {
+  bool OnPacketHeader(const QuicPacketHeader& /*header*/) override {
     std::cerr << "OnPacketHeader\n";
     return true;
   }
-  void OnCoalescedPacket(const QuicEncryptedPacket& packet) override {
+  void OnCoalescedPacket(const QuicEncryptedPacket& /*packet*/) override {
     std::cerr << "OnCoalescedPacket\n";
   }
   bool OnStreamFrame(const QuicStreamFrame& frame) override {
@@ -130,7 +130,7 @@ class QuicPacketPrinter : public QuicFramerVisitorInterface {
     return true;
   }
   bool OnPingFrame(const QuicPingFrame& frame) override {
-    std::cerr << "OnPingFrame\n";
+    std::cerr << "OnPingFrame: " << frame;
     return true;
   }
   bool OnRstStreamFrame(const QuicRstStreamFrame& frame) override {
@@ -194,12 +194,12 @@ class QuicPacketPrinter : public QuicFramerVisitorInterface {
     return true;
   }
   void OnPacketComplete() override { std::cerr << "OnPacketComplete\n"; }
-  bool IsValidStatelessResetToken(QuicUint128 token) const override {
+  bool IsValidStatelessResetToken(QuicUint128 /*token*/) const override {
     std::cerr << "IsValidStatelessResetToken\n";
     return false;
   }
   void OnAuthenticatedIetfStatelessResetPacket(
-      const QuicIetfStatelessResetPacket& packet) override {
+      const QuicIetfStatelessResetPacket& /*packet*/) override {
     std::cerr << "OnAuthenticatedIetfStatelessResetPacket\n";
   }
 
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_server.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_server.cc
index 3696b7cd06b..8820040e565 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_server.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_server.cc
@@ -24,7 +24,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_epoll_connection_helper.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_reader.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_clock.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
@@ -74,8 +73,7 @@ QuicServer::QuicServer(
       crypto_config_(kSourceAddressTokenSecret,
                      QuicRandom::GetInstance(),
                      std::move(proof_source),
-                     KeyExchangeSource::Default(),
-                     TlsServerHandshaker::CreateSslCtx()),
+                     KeyExchangeSource::Default()),
       crypto_config_options_(crypto_config_options),
       version_manager_(supported_versions),
       packet_reader_(new QuicPacketReader()),
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_server.h b/chromium/net/third_party/quiche/src/quic/tools/quic_server.h
index 1f9c225a2d3..755e5e3fc96 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_server.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_server.h
@@ -63,12 +63,14 @@ class QuicServer : public QuicSpdyServerBase,
   virtual void Shutdown();
 
   // From EpollCallbackInterface
-  void OnRegistration(QuicEpollServer* eps, int fd, int event_mask) override {}
-  void OnModification(int fd, int event_mask) override {}
-  void OnEvent(int fd, QuicEpollEvent* event) override;
-  void OnUnregistration(int fd, bool replaced) override {}
-
-  void OnShutdown(QuicEpollServer* eps, int fd) override {}
+  void OnRegistration(QuicEpollServer* /*eps*/,
+                      int /*fd*/,
+                      int /*event_mask*/) override {}
+  void OnModification(int /*fd*/, int /*event_mask*/) override {}
+  void OnEvent(int /*fd*/, QuicEpollEvent* /*event*/) override;
+  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
+
+  void OnShutdown(QuicEpollServer* /*eps*/, int /*fd*/) override {}
 
   void SetChloMultiplier(size_t multiplier) {
     crypto_config_.set_chlo_multiplier(multiplier);
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_server_test.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_server_test.cc
index bb007cbb49a..b1a88a6f13f 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_server_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_server_test.cc
@@ -8,7 +8,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_epoll_alarm_factory.h"
 #include "net/third_party/quiche/src/quic/core/quic_epoll_connection_helper.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
@@ -154,8 +153,7 @@ class QuicServerDispatchPacketTest : public QuicTest {
       : crypto_config_("blah",
                        QuicRandom::GetInstance(),
                        crypto_test_utils::ProofSourceForTesting(),
-                       KeyExchangeSource::Default(),
-                       TlsServerHandshaker::CreateSslCtx()),
+                       KeyExchangeSource::Default()),
         version_manager_(AllSupportedVersions()),
         dispatcher_(
             &config_,
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_crypto_server_stream_helper.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_crypto_server_stream_helper.cc
index 2bb9656cb2f..9d556008eb3 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_crypto_server_stream_helper.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_crypto_server_stream_helper.cc
@@ -23,11 +23,11 @@ QuicSimpleCryptoServerStreamHelper::GenerateConnectionIdForReject(
 }
 
 bool QuicSimpleCryptoServerStreamHelper::CanAcceptClientHello(
-    const CryptoHandshakeMessage& message,
-    const QuicSocketAddress& client_address,
-    const QuicSocketAddress& peer_address,
-    const QuicSocketAddress& self_address,
-    std::string* error_details) const {
+    const CryptoHandshakeMessage& /*message*/,
+    const QuicSocketAddress& /*client_address*/,
+    const QuicSocketAddress& /*peer_address*/,
+    const QuicSocketAddress& /*self_address*/,
+    std::string* /*error_details*/) const {
   return true;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_crypto_server_stream_helper.h b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_crypto_server_stream_helper.h
index f8a58f6f4d0..3480776ff1a 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_crypto_server_stream_helper.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_crypto_server_stream_helper.h
@@ -11,7 +11,7 @@
 namespace quic {
 
 // Simple helper for server crypto streams which generates a new random
-// connection ID for stateless rejects.
+// connection ID for rejects.
 class QuicSimpleCryptoServerStreamHelper
     : public QuicCryptoServerStream::Helper {
  public:
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_backend.h b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_backend.h
index 74afb60c2d2..968ec66dd09 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_backend.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_backend.h
@@ -5,6 +5,7 @@
 #ifndef QUICHE_QUIC_TOOLS_QUIC_SIMPLE_SERVER_BACKEND_H_
 #define QUICHE_QUIC_TOOLS_QUIC_SIMPLE_SERVER_BACKEND_H_
 
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/tools/quic_backend_response.h"
 
 namespace spdy {
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session.cc
index 2b4cae71fc3..2e98cdd3e01 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session.cc
@@ -32,7 +32,11 @@ QuicSimpleServerSession::QuicSimpleServerSession(
                             crypto_config,
                             compressed_certs_cache),
       highest_promised_stream_id_(
-          QuicUtils::GetInvalidStreamId(connection->transport_version())),
+          VersionHasStreamType(connection->transport_version())
+              ? QuicUtils::GetFirstUnidirectionalStreamId(
+                    connection->transport_version(),
+                    Perspective::IS_SERVER)
+              : QuicUtils::GetInvalidStreamId(connection->transport_version())),
       quic_simple_server_backend_(quic_simple_server_backend) {
   DCHECK(quic_simple_server_backend_);
 }
@@ -96,9 +100,9 @@ QuicSpdyStream* QuicSimpleServerSession::CreateIncomingStream(QuicStreamId id) {
 }
 
 QuicSpdyStream* QuicSimpleServerSession::CreateIncomingStream(
-    PendingStream pending) {
+    PendingStream* pending) {
   QuicSpdyStream* stream = new QuicSimpleServerStream(
-      std::move(pending), this, BIDIRECTIONAL, quic_simple_server_backend_);
+      pending, this, BIDIRECTIONAL, quic_simple_server_backend_);
   ActivateStream(QuicWrapUnique(stream));
   return stream;
 }
@@ -145,7 +149,7 @@ void QuicSimpleServerSession::HandleRstOnValidNonexistentStream(
     // Since PromisedStreamInfo are queued in sequence, the corresponding
     // index for it in promised_streams_ can be calculated.
     QuicStreamId next_stream_id = next_outgoing_unidirectional_stream_id();
-    if (connection()->transport_version() == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(connection()->transport_version())) {
       DCHECK(!QuicUtils::IsBidirectionalStreamId(frame.stream_id));
     }
     DCHECK_GE(frame.stream_id, next_stream_id);
@@ -222,7 +226,10 @@ void QuicSimpleServerSession::HandlePromisedPushRequests() {
   }
 }
 
-void QuicSimpleServerSession::OnCanCreateNewOutgoingStream() {
-  HandlePromisedPushRequests();
+void QuicSimpleServerSession::OnCanCreateNewOutgoingStream(
+    bool unidirectional) {
+  if (unidirectional) {
+    HandlePromisedPushRequests();
+  }
 }
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session.h b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session.h
index c3705342359..d8cd6b5c539 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session.h
@@ -78,12 +78,12 @@ class QuicSimpleServerSession : public QuicServerSessionBase {
       QuicStreamId original_stream_id,
       const spdy::SpdyHeaderBlock& original_request_headers);
 
-  void OnCanCreateNewOutgoingStream() override;
+  void OnCanCreateNewOutgoingStream(bool unidirectional) override;
 
  protected:
   // QuicSession methods:
   QuicSpdyStream* CreateIncomingStream(QuicStreamId id) override;
-  QuicSpdyStream* CreateIncomingStream(PendingStream pending) override;
+  QuicSpdyStream* CreateIncomingStream(PendingStream* pending) override;
   QuicSimpleServerStream* CreateOutgoingBidirectionalStream() override;
   QuicSimpleServerStream* CreateOutgoingUnidirectionalStream() override;
   // Override to return true for locally preserved server push stream.
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session_test.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session_test.cc
index 58c98dd39f8..cef24b79a31 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session_test.cc
@@ -9,11 +9,10 @@
 
 #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters.pb.h"
+#include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
@@ -59,11 +58,6 @@ class QuicSimpleServerSessionPeer {
   static void SetCryptoStream(QuicSimpleServerSession* s,
                               QuicCryptoServerStream* crypto_stream) {
     s->crypto_stream_.reset(crypto_stream);
-    if (!QuicVersionUsesCryptoFrames(s->connection()->transport_version())) {
-      s->RegisterStaticStream(
-          QuicUtils::GetCryptoStreamId(s->connection()->transport_version()),
-          crypto_stream);
-    }
   }
 
   static QuicSpdyStream* CreateIncomingStream(QuicSimpleServerSession* s,
@@ -125,8 +119,8 @@ class MockQuicConnectionWithSendStreamData : public MockQuicConnection {
                            alarm_factory,
                            perspective,
                            supported_versions) {
-    auto consume_all_data = [](QuicStreamId id, size_t write_length,
-                               QuicStreamOffset offset,
+    auto consume_all_data = [](QuicStreamId /*id*/, size_t write_length,
+                               QuicStreamOffset /*offset*/,
                                StreamSendingState state) {
       return QuicConsumedData(write_length, state != NO_FIN);
     };
@@ -161,16 +155,16 @@ class MockQuicSimpleServerSession : public QuicSimpleServerSession {
                                 quic_simple_server_backend) {}
   // Methods taking non-copyable types like SpdyHeaderBlock by value cannot be
   // mocked directly.
-  size_t WritePushPromise(QuicStreamId original_stream_id,
-                          QuicStreamId promised_stream_id,
-                          spdy::SpdyHeaderBlock headers) override {
+  void WritePushPromise(QuicStreamId original_stream_id,
+                        QuicStreamId promised_stream_id,
+                        spdy::SpdyHeaderBlock headers) override {
     return WritePushPromiseMock(original_stream_id, promised_stream_id,
                                 headers);
   }
   MOCK_METHOD3(WritePushPromiseMock,
-               size_t(QuicStreamId original_stream_id,
-                      QuicStreamId promised_stream_id,
-                      const spdy::SpdyHeaderBlock& headers));
+               void(QuicStreamId original_stream_id,
+                    QuicStreamId promised_stream_id,
+                    const spdy::SpdyHeaderBlock& headers));
 
   MOCK_METHOD1(SendBlocked, void(QuicStreamId));
 };
@@ -178,11 +172,6 @@ class MockQuicSimpleServerSession : public QuicSimpleServerSession {
 class QuicSimpleServerSessionTest
     : public QuicTestWithParam<ParsedQuicVersion> {
  public:
-  bool ClearControlFrame(const QuicFrame& frame) {
-    DeleteFrame(&const_cast<QuicFrame&>(frame));
-    return true;
-  }
-
   // The function ensures that A) the MAX_STREAMS frames get properly deleted
   // (since the test uses a 'did we leak memory' check ... if we just lose the
   // frame, the test fails) and B) returns true (instead of the default, false)
@@ -201,10 +190,10 @@ class QuicSimpleServerSessionTest
       : crypto_config_(QuicCryptoServerConfig::TESTING,
                        QuicRandom::GetInstance(),
                        crypto_test_utils::ProofSourceForTesting(),
-                       KeyExchangeSource::Default(),
-                       TlsServerHandshaker::CreateSslCtx()),
+                       KeyExchangeSource::Default()),
         compressed_certs_cache_(
             QuicCompressedCertsCache::kQuicCompressedCertsCacheSize) {
+    SetQuicFlag(FLAGS_quic_supports_tls_handshake, true);
     config_.SetMaxIncomingBidirectionalStreamsToSend(kMaxStreamsForTest);
     QuicConfigPeer::SetReceivedMaxIncomingBidirectionalStreams(
         &config_, kMaxStreamsForTest);
@@ -233,7 +222,7 @@ class QuicSimpleServerSessionTest
         ->OnSuccessfulVersionNegotiation(supported_versions.front());
     visitor_ = QuicConnectionPeer::GetVisitor(connection_);
 
-    if (IsVersion99()) {
+    if (VersionHasIetfQuicFrames(transport_version())) {
       EXPECT_CALL(*connection_, SendControlFrame(_))
           .WillRepeatedly(Invoke(
               this, &QuicSimpleServerSessionTest::ClearMaxStreamsControlFrame));
@@ -251,8 +240,8 @@ class QuicSimpleServerSessionTest
         connection_->transport_version(), n);
   }
 
-  bool IsVersion99() const {
-    return connection_->transport_version() == QUIC_VERSION_99;
+  QuicTransportVersion transport_version() const {
+    return connection_->transport_version();
   }
 
   void InjectStopSending(QuicStreamId stream_id,
@@ -260,7 +249,7 @@ class QuicSimpleServerSessionTest
     // Create and inject a STOP_SENDING frame. In GOOGLE QUIC, receiving a
     // RST_STREAM frame causes a two-way close. For IETF QUIC, RST_STREAM causes
     // a one-way close.
-    if (!IsVersion99()) {
+    if (!VersionHasIetfQuicFrames(transport_version())) {
       // Only needed for version 99/IETF QUIC.
       return;
     }
@@ -306,7 +295,7 @@ TEST_P(QuicSimpleServerSessionTest, CloseStreamDueToReset) {
                           QUIC_ERROR_PROCESSING_STREAM, 0);
   EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
   EXPECT_CALL(*connection_, SendControlFrame(_));
-  if (!IsVersion99()) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // For version 99, this is covered in InjectStopSending()
     EXPECT_CALL(*connection_,
                 OnStreamReset(GetNthClientInitiatedBidirectionalId(0),
@@ -334,7 +323,7 @@ TEST_P(QuicSimpleServerSessionTest, NeverOpenStreamDueToReset) {
                           GetNthClientInitiatedBidirectionalId(0),
                           QUIC_ERROR_PROCESSING_STREAM, 0);
   EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
-  if (!IsVersion99()) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_CALL(*connection_, SendControlFrame(_));
     // For version 99, this is covered in InjectStopSending()
     EXPECT_CALL(*connection_,
@@ -375,7 +364,7 @@ TEST_P(QuicSimpleServerSessionTest, AcceptClosedStream) {
                          GetNthClientInitiatedBidirectionalId(0),
                          QUIC_ERROR_PROCESSING_STREAM, 0);
   EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
-  if (!IsVersion99()) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     EXPECT_CALL(*connection_, SendControlFrame(_));
     // For version 99, this is covered in InjectStopSending()
     EXPECT_CALL(*connection_,
@@ -501,7 +490,12 @@ TEST_P(QuicSimpleServerSessionTest, CreateOutgoingDynamicStreamUptoLimit) {
     QuicSpdyStream* created_stream =
         QuicSimpleServerSessionPeer::CreateOutgoingUnidirectionalStream(
             session_.get());
-    EXPECT_EQ(GetNthServerInitiatedUnidirectionalId(i), created_stream->id());
+    if (VersionHasStreamType(connection_->transport_version())) {
+      EXPECT_EQ(GetNthServerInitiatedUnidirectionalId(i + 1),
+                created_stream->id());
+    } else {
+      EXPECT_EQ(GetNthServerInitiatedUnidirectionalId(i), created_stream->id());
+    }
     EXPECT_EQ(i + 1, session_->GetNumOpenOutgoingStreams());
   }
 
@@ -528,12 +522,12 @@ TEST_P(QuicSimpleServerSessionTest, OnStreamFrameWithEvenStreamId) {
 }
 
 TEST_P(QuicSimpleServerSessionTest, GetEvenIncomingError) {
-  // Tests that calling GetOrCreateDynamicStream() on an outgoing stream not
+  // Tests that calling GetOrCreateStream() on an outgoing stream not
   // promised yet should result close connection.
   EXPECT_CALL(*connection_, CloseConnection(QUIC_INVALID_STREAM_ID,
                                             "Data for nonexistent stream", _));
   EXPECT_EQ(nullptr,
-            QuicSessionPeer::GetOrCreateDynamicStream(
+            QuicSessionPeer::GetOrCreateStream(
                 session_.get(), GetNthServerInitiatedUnidirectionalId(1)));
 }
 
@@ -571,7 +565,7 @@ class QuicSimpleServerSessionServerPushTest
         ->OnSuccessfulVersionNegotiation(supported_versions.front());
     // Needed to make new session flow control window and server push work.
 
-    if (IsVersion99()) {
+    if (VersionHasIetfQuicFrames(transport_version())) {
       EXPECT_CALL(*connection_, SendControlFrame(_))
           .WillRepeatedly(Invoke(this, &QuicSimpleServerSessionServerPushTest::
                                            ClearMaxStreamsControlFrame));
@@ -616,7 +610,12 @@ class QuicSimpleServerSessionServerPushTest
     std::string scheme = "http";
     QuicByteCount data_frame_header_length = 0;
     for (unsigned int i = 1; i <= num_resources; ++i) {
-      QuicStreamId stream_id = GetNthServerInitiatedUnidirectionalId(i - 1);
+      QuicStreamId stream_id;
+      if (VersionHasStreamType(connection_->transport_version())) {
+        stream_id = GetNthServerInitiatedUnidirectionalId(i);
+      } else {
+        stream_id = GetNthServerInitiatedUnidirectionalId(i - 1);
+      }
       std::string path =
           partial_push_resource_path + QuicTextUtils::Uint64ToString(i);
       std::string url = scheme + "://" + resource_host + path;
@@ -713,8 +712,14 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
   MaybeConsumeHeadersStreamData();
   size_t num_resources = kMaxStreamsForTest + 1;
   QuicByteCount data_frame_header_length = PromisePushResources(num_resources);
-  QuicStreamId next_out_going_stream_id =
-      GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest);
+  QuicStreamId next_out_going_stream_id;
+  if (VersionHasStreamType(connection_->transport_version())) {
+    next_out_going_stream_id =
+        GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest + 1);
+  } else {
+    next_out_going_stream_id =
+        GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest);
+  }
 
   // After an open stream is marked draining, a new stream is expected to be
   // created and a response sent on the stream.
@@ -746,17 +751,23 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
           QuicConsumedData(kStreamFlowControlWindowSize - offset, false)));
   EXPECT_CALL(*session_, SendBlocked(next_out_going_stream_id));
 
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // The PromisePushedResources call, above, will have used all available
     // stream ids.  For version 99, stream ids are not made available until
     // a MAX_STREAMS frame is received. This emulates the reception of one.
     // For pre-v-99, the node monitors its own stream usage and makes streams
     // available as it closes/etc them.
+    // Version 99 also has unidirectional static streams, so we need to send
+    // MaxStreamFrame of the number of resources + number of static streams.
     session_->OnMaxStreamsFrame(
-        QuicMaxStreamsFrame(0, num_resources, /*unidirectional=*/true));
+        QuicMaxStreamsFrame(0, num_resources + 1, /*unidirectional=*/true));
   }
 
-  session_->StreamDraining(GetNthServerInitiatedUnidirectionalId(0));
+  if (VersionHasStreamType(connection_->transport_version())) {
+    session_->StreamDraining(GetNthServerInitiatedUnidirectionalId(1));
+  } else {
+    session_->StreamDraining(GetNthServerInitiatedUnidirectionalId(0));
+  }
   // Number of open outgoing streams should still be the same, because a new
   // stream is opened. And the queue should be empty.
   EXPECT_EQ(kMaxStreamsForTest, session_->GetNumOpenOutgoingStreams());
@@ -771,25 +782,29 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
   // Having two extra resources to be send later. One of them will be reset, so
   // when opened stream become close, only one will become open.
   size_t num_resources = kMaxStreamsForTest + 2;
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // V99 will send out a STREAMS_BLOCKED frame when it tries to exceed the
     // limit. This will clear the frames so that they do not block the later
     // rst-stream frame.
     EXPECT_CALL(*connection_, SendControlFrame(_))
-        .WillOnce(Invoke(
-            this, &QuicSimpleServerSessionServerPushTest::ClearControlFrame));
+        .WillOnce(Invoke(&ClearControlFrame));
   }
   QuicByteCount data_frame_header_length = PromisePushResources(num_resources);
 
   // Reset the last stream in the queue. It should be marked cancelled.
-  QuicStreamId stream_got_reset =
-      GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest + 1);
+  QuicStreamId stream_got_reset;
+  if (VersionHasStreamType(connection_->transport_version())) {
+    stream_got_reset =
+        GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest + 2);
+  } else {
+    stream_got_reset =
+        GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest + 1);
+  }
   QuicRstStreamFrame rst(kInvalidControlFrameId, stream_got_reset,
                          QUIC_STREAM_CANCELLED, 0);
   EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
   EXPECT_CALL(*connection_, SendControlFrame(_))
-      .WillOnce(Invoke(
-          this, &QuicSimpleServerSessionServerPushTest::ClearControlFrame));
+      .WillOnce(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_,
               OnStreamReset(stream_got_reset, QUIC_RST_ACKNOWLEDGEMENT));
   visitor_->OnRstStream(rst);
@@ -797,8 +812,14 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
   // When the first 2 streams becomes draining, the two queued up stream could
   // be created. But since one of them was marked cancelled due to RST frame,
   // only one queued resource will be sent out.
-  QuicStreamId stream_not_reset =
-      GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest);
+  QuicStreamId stream_not_reset;
+  if (VersionHasStreamType(connection_->transport_version())) {
+    stream_not_reset =
+        GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest + 1);
+  } else {
+    stream_not_reset =
+        GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest);
+  }
   InSequence s;
   QuicStreamOffset offset = 0;
   if (VersionHasStreamType(connection_->transport_version())) {
@@ -827,17 +848,17 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
           QuicConsumedData(kStreamFlowControlWindowSize - offset, false)));
   EXPECT_CALL(*session_, SendBlocked(stream_not_reset));
 
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // The PromisePushedResources call, above, will have used all available
     // stream ids.  For version 99, stream ids are not made available until
     // a MAX_STREAMS frame is received. This emulates the reception of one.
     // For pre-v-99, the node monitors its own stream usage and makes streams
     // available as it closes/etc them.
     session_->OnMaxStreamsFrame(
-        QuicMaxStreamsFrame(0, num_resources, /*unidirectional=*/true));
+        QuicMaxStreamsFrame(0, num_resources + 1, /*unidirectional=*/true));
   }
-  session_->StreamDraining(GetNthServerInitiatedUnidirectionalId(0));
   session_->StreamDraining(GetNthServerInitiatedUnidirectionalId(1));
+  session_->StreamDraining(GetNthServerInitiatedUnidirectionalId(2));
 }
 
 // Tests that closing a open outgoing stream can trigger a promised resource in
@@ -846,24 +867,28 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
        CloseStreamToHandleMorePromisedStream) {
   MaybeConsumeHeadersStreamData();
   size_t num_resources = kMaxStreamsForTest + 1;
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // V99 will send out a stream-id-blocked frame when the we desired to exceed
     // the limit. This will clear the frames so that they do not block the later
     // rst-stream frame.
     EXPECT_CALL(*connection_, SendControlFrame(_))
-        .WillOnce(Invoke(
-            this, &QuicSimpleServerSessionServerPushTest::ClearControlFrame));
+        .WillOnce(Invoke(&ClearControlFrame));
   }
   QuicByteCount data_frame_header_length = PromisePushResources(num_resources);
-  QuicStreamId stream_to_open =
-      GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest);
+  QuicStreamId stream_to_open;
+  if (VersionHasStreamType(connection_->transport_version())) {
+    stream_to_open =
+        GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest + 1);
+  } else {
+    stream_to_open = GetNthServerInitiatedUnidirectionalId(kMaxStreamsForTest);
+  }
 
-  // Resetting 1st open stream will close the stream and give space for extra
+  // Resetting an open stream will close the stream and give space for extra
   // stream to be opened.
-  QuicStreamId stream_got_reset = GetNthServerInitiatedUnidirectionalId(0);
+  QuicStreamId stream_got_reset = GetNthServerInitiatedUnidirectionalId(1);
   EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
   EXPECT_CALL(*connection_, SendControlFrame(_));
-  if (!IsVersion99()) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
     // For version 99, this is covered in InjectStopSending()
     EXPECT_CALL(*connection_,
                 OnStreamReset(stream_got_reset, QUIC_RST_ACKNOWLEDGEMENT));
@@ -897,14 +922,14 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
   EXPECT_CALL(*session_, SendBlocked(stream_to_open));
   QuicRstStreamFrame rst(kInvalidControlFrameId, stream_got_reset,
                          QUIC_STREAM_CANCELLED, 0);
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
     // The PromisePushedResources call, above, will have used all available
     // stream ids.  For version 99, stream ids are not made available until
     // a MAX_STREAMS frame is received. This emulates the reception of one.
     // For pre-v-99, the node monitors its own stream usage and makes streams
     // available as it closes/etc them.
     session_->OnMaxStreamsFrame(
-        QuicMaxStreamsFrame(0, num_resources, /*unidirectional=*/true));
+        QuicMaxStreamsFrame(0, num_resources + 1, /*unidirectional=*/true));
   }
   visitor_->OnRstStream(rst);
   // Create and inject a STOP_SENDING frame. In GOOGLE QUIC, receiving a
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream.cc
index 55d93dcd54d..f8522060af2 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream.cc
@@ -34,11 +34,11 @@ QuicSimpleServerStream::QuicSimpleServerStream(
 }
 
 QuicSimpleServerStream::QuicSimpleServerStream(
-    PendingStream pending,
+    PendingStream* pending,
     QuicSpdySession* session,
     StreamType type,
     QuicSimpleServerBackend* quic_simple_server_backend)
-    : QuicSpdyServerStreamBase(std::move(pending), session, type),
+    : QuicSpdyServerStreamBase(pending, session, type),
       content_length_(-1),
       quic_simple_server_backend_(quic_simple_server_backend) {
   DCHECK(quic_simple_server_backend_);
@@ -62,9 +62,9 @@ void QuicSimpleServerStream::OnInitialHeadersComplete(
 }
 
 void QuicSimpleServerStream::OnTrailingHeadersComplete(
-    bool fin,
-    size_t frame_len,
-    const QuicHeaderList& header_list) {
+    bool /*fin*/,
+    size_t /*frame_len*/,
+    const QuicHeaderList& /*header_list*/) {
   QUIC_BUG << "Server does not support receiving Trailers.";
   SendErrorResponse();
 }
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream.h b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream.h
index e3eaa12c967..ace15713a0d 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream.h
@@ -23,7 +23,7 @@ class QuicSimpleServerStream : public QuicSpdyServerStreamBase,
                          QuicSpdySession* session,
                          StreamType type,
                          QuicSimpleServerBackend* quic_simple_server_backend);
-  QuicSimpleServerStream(PendingStream pending,
+  QuicSimpleServerStream(PendingStream* pending,
                          QuicSpdySession* session,
                          StreamType type,
                          QuicSimpleServerBackend* quic_simple_server_backend);
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream_test.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream_test.cc
index 8aaaf6b73db..7bac18ec95b 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream_test.cc
@@ -10,7 +10,6 @@
 
 #include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
@@ -55,10 +54,10 @@ class TestStream : public QuicSimpleServerStream {
 
   MOCK_METHOD1(WriteHeadersMock, void(bool fin));
 
-  size_t WriteHeaders(spdy::SpdyHeaderBlock header_block,
+  size_t WriteHeaders(spdy::SpdyHeaderBlock /*header_block*/,
                       bool fin,
                       QuicReferenceCountedPointer<QuicAckListenerInterface>
-                          ack_listener) override {
+                      /*ack_listener*/) override {
     WriteHeadersMock(fin);
     return 0;
   }
@@ -100,7 +99,7 @@ class MockQuicSimpleServerSession : public QuicSimpleServerSession {
                                 crypto_config,
                                 compressed_certs_cache,
                                 quic_simple_server_backend) {
-    if (connection->transport_version() == QUIC_VERSION_99) {
+    if (VersionHasIetfQuicFrames(connection->transport_version())) {
       QuicSessionPeer::SetMaxOpenIncomingUnidirectionalStreams(
           this, kMaxStreamsForTest);
       QuicSessionPeer::SetMaxOpenIncomingBidirectionalStreams(
@@ -118,9 +117,8 @@ class MockQuicSimpleServerSession : public QuicSimpleServerSession {
       delete;
   ~MockQuicSimpleServerSession() override = default;
 
-  MOCK_METHOD3(OnConnectionClosed,
-               void(QuicErrorCode error,
-                    const std::string& error_details,
+  MOCK_METHOD2(OnConnectionClosed,
+               void(const QuicConnectionCloseFrame& frame,
                     ConnectionCloseSource source));
   MOCK_METHOD1(CreateIncomingStream, QuicSpdyStream*(QuicStreamId id));
   MOCK_METHOD5(WritevData,
@@ -176,8 +174,7 @@ class QuicSimpleServerStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
             QuicCryptoServerConfig::TESTING,
             QuicRandom::GetInstance(),
             crypto_test_utils::ProofSourceForTesting(),
-            KeyExchangeSource::Default(),
-            TlsServerHandshaker::CreateSslCtx())),
+            KeyExchangeSource::Default())),
         compressed_certs_cache_(
             QuicCompressedCertsCache::kQuicCompressedCertsCacheSize),
         session_(connection_,
@@ -219,10 +216,6 @@ class QuicSimpleServerStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
     return (*stream_->mutable_headers())[key].as_string();
   }
 
-  bool IsVersion99() const {
-    return connection_->transport_version() == QUIC_VERSION_99;
-  }
-
   bool HasFrameHeader() const {
     return VersionHasDataFrameHeader(connection_->transport_version());
   }
@@ -298,6 +291,11 @@ TEST_P(QuicSimpleServerStreamTest, SendQuicRstStreamNoErrorInStopReading) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, TestFramingExtraData) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   InSequence seq;
   std::string large_body = "hello world!!!!!!";
 
@@ -333,6 +331,11 @@ TEST_P(QuicSimpleServerStreamTest, TestFramingExtraData) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, SendResponseWithIllegalResponseStatus) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Send an illegal response with response status not supported by HTTP/2.
   spdy::SpdyHeaderBlock* request_headers = stream_->mutable_headers();
   (*request_headers)[":path"] = "/bar";
@@ -367,6 +370,11 @@ TEST_P(QuicSimpleServerStreamTest, SendResponseWithIllegalResponseStatus) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, SendResponseWithIllegalResponseStatus2) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Send an illegal response with response status not supported by HTTP/2.
   spdy::SpdyHeaderBlock* request_headers = stream_->mutable_headers();
   (*request_headers)[":path"] = "/bar";
@@ -433,6 +441,11 @@ TEST_P(QuicSimpleServerStreamTest, SendPushResponseWith404Response) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, SendResponseWithValidHeaders) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Add a request and response with valid headers.
   spdy::SpdyHeaderBlock* request_headers = stream_->mutable_headers();
   (*request_headers)[":path"] = "/bar";
@@ -466,6 +479,11 @@ TEST_P(QuicSimpleServerStreamTest, SendResponseWithValidHeaders) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, SendResponseWithPushResources) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Tests that if a response has push resources to be send, SendResponse() will
   // call PromisePushResources() to handle these resources.
 
@@ -520,6 +538,11 @@ TEST_P(QuicSimpleServerStreamTest, PushResponseOnClientInitiatedStream) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, PushResponseOnServerInitiatedStream) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   // Tests that PushResponse() should take the given headers as request headers
   // and fetch response from cache, and send it out.
 
@@ -568,6 +591,11 @@ TEST_P(QuicSimpleServerStreamTest, PushResponseOnServerInitiatedStream) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, TestSendErrorResponse) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   EXPECT_CALL(session_, SendRstStream(_, QUIC_STREAM_NO_ERROR, _)).Times(0);
 
   stream_->set_fin_received(true);
@@ -585,6 +613,11 @@ TEST_P(QuicSimpleServerStreamTest, TestSendErrorResponse) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, InvalidMultipleContentLength) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   EXPECT_CALL(session_, SendRstStream(_, QUIC_STREAM_NO_ERROR, _)).Times(0);
 
   spdy::SpdyHeaderBlock request_headers;
@@ -602,6 +635,11 @@ TEST_P(QuicSimpleServerStreamTest, InvalidMultipleContentLength) {
 }
 
 TEST_P(QuicSimpleServerStreamTest, InvalidLeadingNullContentLength) {
+  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+    // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
+    // enabled and fix it.
+    return;
+  }
   EXPECT_CALL(session_, SendRstStream(_, QUIC_STREAM_NO_ERROR, _)).Times(0);
 
   spdy::SpdyHeaderBlock request_headers;
@@ -641,7 +679,7 @@ TEST_P(QuicSimpleServerStreamTest,
   QuicRstStreamFrame rst_frame(kInvalidControlFrameId, stream_->id(),
                                QUIC_STREAM_CANCELLED, 1234);
   stream_->OnStreamReset(rst_frame);
-  if (IsVersion99()) {
+  if (VersionHasIetfQuicFrames(connection_->transport_version())) {
     // For V99 receiving a RST_STREAM causes a 1-way close; the test requires
     // a full close. A CloseWriteSide closes the other half of the stream.
     // Everything should then work properly.
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.cc
index e9e08fd548b..3a3bafe2f3e 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.cc
@@ -45,7 +45,8 @@ QuicSpdyClientBase::QuicSpdyClientBase(
                      std::move(network_helper),
                      std::move(proof_verifier)),
       store_response_(false),
-      latest_response_code_(-1) {}
+      latest_response_code_(-1),
+      max_allowed_push_id_(0) {}
 
 QuicSpdyClientBase::~QuicSpdyClientBase() {
   // We own the push promise index. We need to explicitly kill
@@ -60,6 +61,9 @@ QuicSpdyClientSession* QuicSpdyClientBase::client_session() {
 void QuicSpdyClientBase::InitializeSession() {
   client_session()->Initialize();
   client_session()->CryptoConnect();
+  if (max_allowed_push_id_ > 0) {
+    client_session()->set_max_allowed_push_id(max_allowed_push_id_);
+  }
 }
 
 void QuicSpdyClientBase::OnClose(QuicSpdyStream* stream) {
@@ -103,14 +107,31 @@ std::unique_ptr<QuicSession> QuicSpdyClientBase::CreateQuicClientSession(
 void QuicSpdyClientBase::SendRequest(const SpdyHeaderBlock& headers,
                                      QuicStringPiece body,
                                      bool fin) {
+  if (GetQuicFlag(FLAGS_quic_client_convert_http_header_name_to_lowercase)) {
+    QUIC_CODE_COUNT(quic_client_convert_http_header_name_to_lowercase);
+    SpdyHeaderBlock sanitized_headers;
+    for (const auto& p : headers) {
+      sanitized_headers[QuicTextUtils::ToLower(p.first)] = p.second;
+    }
+
+    SendRequestInternal(std::move(sanitized_headers), body, fin);
+  } else {
+    SendRequestInternal(headers.Clone(), body, fin);
+  }
+}
+
+void QuicSpdyClientBase::SendRequestInternal(SpdyHeaderBlock sanitized_headers,
+                                             QuicStringPiece body,
+                                             bool fin) {
   QuicClientPushPromiseIndex::TryHandle* handle;
-  QuicAsyncStatus rv = push_promise_index()->Try(headers, this, &handle);
+  QuicAsyncStatus rv =
+      push_promise_index()->Try(sanitized_headers, this, &handle);
   if (rv == QUIC_SUCCESS)
     return;
 
   if (rv == QUIC_PENDING) {
     // May need to retry request if asynchronous rendezvous fails.
-    AddPromiseDataToResend(headers, body, fin);
+    AddPromiseDataToResend(sanitized_headers, body, fin);
     return;
   }
 
@@ -119,7 +140,7 @@ void QuicSpdyClientBase::SendRequest(const SpdyHeaderBlock& headers,
     QUIC_BUG << "stream creation failed!";
     return;
   }
-  stream->SendRequest(headers.Clone(), body, fin);
+  stream->SendRequest(std::move(sanitized_headers), body, fin);
 }
 
 void QuicSpdyClientBase::SendRequestAndWaitForResponse(
@@ -195,9 +216,10 @@ void QuicSpdyClientBase::AddPromiseDataToResend(const SpdyHeaderBlock& headers,
       new ClientQuicDataToResend(std::move(new_headers), body, fin, this));
 }
 
-bool QuicSpdyClientBase::CheckVary(const SpdyHeaderBlock& client_request,
-                                   const SpdyHeaderBlock& promise_request,
-                                   const SpdyHeaderBlock& promise_response) {
+bool QuicSpdyClientBase::CheckVary(
+    const SpdyHeaderBlock& /*client_request*/,
+    const SpdyHeaderBlock& /*promise_request*/,
+    const SpdyHeaderBlock& /*promise_response*/) {
   return true;
 }
 
@@ -212,7 +234,7 @@ void QuicSpdyClientBase::OnRendezvousResult(QuicSpdyStream* stream) {
   }
 }
 
-size_t QuicSpdyClientBase::latest_response_code() const {
+int QuicSpdyClientBase::latest_response_code() const {
   QUIC_BUG_IF(!store_response_) << "Response not stored!";
   return latest_response_code_;
 }
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.h b/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.h
index 7481bfaa7f8..b04ba662122 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.h
@@ -39,13 +39,9 @@ class QuicSpdyClientBase : public QuicClientBase,
         const std::string& response_body) = 0;
   };
 
-  // The client uses these objects to keep track of any data to resend upon
-  // receipt of a stateless reject.  Recall that the client API allows callers
-  // to optimistically send data to the server prior to handshake-confirmation.
-  // If the client subsequently receives a stateless reject, it must tear down
-  // its existing session, create a new session, and resend all previously sent
-  // data.  It uses these objects to keep track of all the sent data, and to
-  // resend the data upon a subsequent connection.
+  // A piece of data that can be sent multiple times. For example, it can be a
+  // HTTP request that is resent after a connect=>version negotiation=>reconnect
+  // sequence.
   class QuicDataToResend {
    public:
     // |headers| may be null, since it's possible to send data without headers.
@@ -124,7 +120,7 @@ class QuicSpdyClientBase : public QuicClientBase,
 
   void set_store_response(bool val) { store_response_ = val; }
 
-  size_t latest_response_code() const;
+  int latest_response_code() const;
   const std::string& latest_response_headers() const;
   const std::string& preliminary_response_headers() const;
   const spdy::SpdyHeaderBlock& latest_response_header_block() const;
@@ -140,6 +136,9 @@ class QuicSpdyClientBase : public QuicClientBase,
   }
   bool drop_response_body() const { return drop_response_body_; }
 
+  // Set the max promise id for the client session.
+  void set_max_allowed_push_id(QuicStreamId max) { max_allowed_push_id_ = max; }
+
  protected:
   int GetNumSentClientHellosFromSession() override;
   int GetNumReceivedServerConfigUpdatesFromSession() override;
@@ -181,6 +180,10 @@ class QuicSpdyClientBase : public QuicClientBase,
     QuicSpdyClientBase* client_;
   };
 
+  void SendRequestInternal(spdy::SpdyHeaderBlock sanitized_headers,
+                           QuicStringPiece body,
+                           bool fin);
+
   // Index of pending promised streams. Must outlive |session_|.
   QuicClientPushPromiseIndex push_promise_index_;
 
@@ -209,6 +212,9 @@ class QuicSpdyClientBase : public QuicClientBase,
   std::unique_ptr<ClientQuicDataToResend> push_promise_data_to_resend_;
 
   bool drop_response_body_ = false;
+
+  // The max promise id to set on the client session when created.
+  QuicStreamId max_allowed_push_id_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.cc
index f6e2e155e86..319d3a2d2ec 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.cc
@@ -221,7 +221,7 @@ int QuicToyClient::SendRequestsAndPrintResponses(
 
   // Build the client, and try to connect.
   std::unique_ptr<QuicSpdyClientBase> client = client_factory_->CreateClient(
-      host, port, versions, std::move(proof_verifier));
+      url.host(), host, port, versions, std::move(proof_verifier));
 
   int32_t initial_mtu = GetQuicFlag(FLAGS_initial_mtu);
   client->set_initial_max_packet_length(
@@ -325,7 +325,7 @@ int QuicToyClient::SendRequestsAndPrintResponses(
       return 1;
     }
 
-    size_t response_code = client->latest_response_code();
+    int response_code = client->latest_response_code();
     if (response_code >= 200 && response_code < 300) {
       std::cout << "Request succeeded (" << response_code << ")." << std::endl;
     } else if (response_code >= 300 && response_code < 400) {
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.h b/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.h
index e832ac76697..1a201225a58 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.h
@@ -18,10 +18,12 @@ class QuicToyClient {
    public:
     virtual ~ClientFactory() = default;
 
-    // Creates a new client configured to connect to |host:port| supporting
-    // |versions|, and using |verifier| to verify proofs.
+    // Creates a new client configured to connect to |host_for_lookup:port|
+    // supporting |versions|, using |host_for_handshake| for handshake and
+    // |verifier| to verify proofs.
     virtual std::unique_ptr<QuicSpdyClientBase> CreateClient(
-        std::string host,
+        std::string host_for_handshake,
+        std::string host_for_lookup,
         uint16_t port,
         ParsedQuicVersionVector versions,
         std::unique_ptr<ProofVerifier> verifier) = 0;
diff --git a/chromium/net/third_party/quiche/src/spdy/core/array_output_buffer_test.cc b/chromium/net/third_party/quiche/src/spdy/core/array_output_buffer_test.cc
index 369778d8537..aac657a1fee 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/array_output_buffer_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/array_output_buffer_test.cc
@@ -4,8 +4,7 @@
 
 #include "net/third_party/quiche/src/spdy/core/array_output_buffer.h"
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.cc
index ad05b1fdb62..278eaab3c97 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.cc
@@ -21,6 +21,7 @@ const size_t kMaxDecodeBufferSizeBytes = 32 * 1024;  // 32 KB
 HpackDecoderAdapter::HpackDecoderAdapter()
     : hpack_decoder_(&listener_adapter_, kMaxDecodeBufferSizeBytes),
       max_decode_buffer_size_bytes_(kMaxDecodeBufferSizeBytes),
+      max_header_block_bytes_(0),
       header_block_started_(false) {}
 
 HpackDecoderAdapter::~HpackDecoderAdapter() = default;
@@ -64,6 +65,10 @@ bool HpackDecoderAdapter::HandleControlFrameHeadersData(
       return false;
     }
     listener_adapter_.AddToTotalHpackBytes(headers_data_length);
+    if (max_header_block_bytes_ != 0 &&
+        listener_adapter_.total_hpack_bytes() > max_header_block_bytes_) {
+      return false;
+    }
     http2::DecodeBuffer db(headers_data, headers_data_length);
     bool ok = hpack_decoder_.DecodeFragment(&db);
     DCHECK(!ok || db.Empty()) << "Remaining=" << db.Remaining();
@@ -109,6 +114,11 @@ void HpackDecoderAdapter::set_max_decode_buffer_size_bytes(
   hpack_decoder_.set_max_string_size_bytes(max_decode_buffer_size_bytes);
 }
 
+void HpackDecoderAdapter::set_max_header_block_bytes(
+    size_t max_header_block_bytes) {
+  max_header_block_bytes_ = max_header_block_bytes;
+}
+
 size_t HpackDecoderAdapter::EstimateMemoryUsage() const {
   return SpdyEstimateMemoryUsage(hpack_decoder_);
 }
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.h b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.h
index d54cf1e4755..17c4461ba7b 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.h
@@ -79,6 +79,10 @@ class SPDY_EXPORT_PRIVATE HpackDecoderAdapter {
   // of individual transport buffers.
   void set_max_decode_buffer_size_bytes(size_t max_decode_buffer_size_bytes);
 
+  // Specifies the maximum size of an on-the-wire header block that will be
+  // accepted.
+  void set_max_header_block_bytes(size_t max_header_block_bytes);
+
   size_t EstimateMemoryUsage() const;
 
  private:
@@ -147,6 +151,9 @@ class SPDY_EXPORT_PRIVATE HpackDecoderAdapter {
   // How much encoded data this decoder is willing to buffer.
   size_t max_decode_buffer_size_bytes_;
 
+  // How much encoded data this decoder is willing to process.
+  size_t max_header_block_bytes_;
+
   // Flag to keep track of having seen the header block start. Needed at the
   // moment because HandleControlFrameHeadersStart won't be called if a handler
   // is not being provided by the caller.
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter_test.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter_test.cc
index 0d952d1ad8c..d016841f077 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter_test.cc
@@ -12,8 +12,6 @@
 #include <utility>
 #include <vector>
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/http2/hpack/decoder/hpack_decoder_state.h"
 #include "net/third_party/quiche/src/http2/hpack/decoder/hpack_decoder_tables.h"
 #include "net/third_party/quiche/src/http2/hpack/tools/hpack_block_builder.h"
@@ -26,6 +24,7 @@
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_logging.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string_utils.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 using ::http2::HpackEntryType;
 using ::http2::HpackString;
@@ -332,6 +331,33 @@ TEST_P(HpackDecoderAdapterTest, HeaderTooLongToBuffer) {
   EXPECT_FALSE(HandleControlFrameHeadersData(fragment));
 }
 
+// Verify that a header block that exceeds the maximum length is rejected.
+TEST_P(HpackDecoderAdapterTest, HeaderBlockTooLong) {
+  const SpdyString name = "some-key";
+  const SpdyString value = "some-value";
+  const size_t kMaxBufferSizeBytes = 1024;
+
+  HpackBlockBuilder hbb;
+  hbb.AppendLiteralNameAndValue(HpackEntryType::kIndexedLiteralHeader, false,
+                                name, false, value);
+  while (hbb.size() < kMaxBufferSizeBytes) {
+    hbb.AppendLiteralNameAndValue(HpackEntryType::kIndexedLiteralHeader, false,
+                                  "", false, "");
+  }
+  // With no limit on the maximum header block size, the decoder handles the
+  // entire block successfully.
+  HandleControlFrameHeadersStart();
+  EXPECT_TRUE(HandleControlFrameHeadersData(hbb.buffer()));
+  size_t total_bytes;
+  EXPECT_TRUE(HandleControlFrameHeadersComplete(&total_bytes));
+
+  // When a total byte limit is imposed, the decoder bails before the end of the
+  // block.
+  decoder_.set_max_header_block_bytes(kMaxBufferSizeBytes);
+  HandleControlFrameHeadersStart();
+  EXPECT_FALSE(HandleControlFrameHeadersData(hbb.buffer()));
+}
+
 // Decode with incomplete data in buffer.
 TEST_P(HpackDecoderAdapterTest, DecodeWithIncompleteData) {
   HandleControlFrameHeadersStart();
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_encoder_test.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_encoder_test.cc
index a4f763cd5d7..4a70dc06a05 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_encoder_test.cc
@@ -7,10 +7,9 @@
 #include <cstdint>
 #include <map>
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/http2/test_tools/http2_random.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_huffman_table.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_unsafe_arena.h"
 
 namespace spdy {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_entry_test.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_entry_test.cc
index 507c851d136..224ac187013 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_entry_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_entry_test.cc
@@ -4,7 +4,7 @@
 
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_entry.h"
 
-#include "testing/gtest/include/gtest/gtest.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_header_table_test.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_header_table_test.cc
index 6649cc2d4f6..4001174dd1e 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_header_table_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_header_table_test.cc
@@ -9,10 +9,10 @@
 #include <set>
 #include <vector>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_constants.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_entry.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_huffman_table_test.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_huffman_table_test.cc
index 2febbd82286..efade416d8a 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_huffman_table_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_huffman_table_test.cc
@@ -6,13 +6,12 @@
 
 #include <utility>
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/http2/hpack/huffman/hpack_huffman_decoder.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_constants.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_output_stream.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_arraysize.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string_utils.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_output_stream_test.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_output_stream_test.cc
index 823c41bf0c3..9e1988d1bbb 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_output_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_output_stream_test.cc
@@ -6,7 +6,7 @@
 
 #include <cstddef>
 
-#include "testing/gtest/include/gtest/gtest.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_round_trip_test.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_round_trip_test.cc
index 17477a7974d..c035812bcf5 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_round_trip_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_round_trip_test.cc
@@ -7,13 +7,13 @@
 #include <ctime>
 #include <vector>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/http2/test_tools/http2_random.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_constants.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_decoder_adapter.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_encoder.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_test_utils.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_static_table_test.cc b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_static_table_test.cc
index 4550be018a6..3f519550876 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_static_table_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/hpack/hpack_static_table_test.cc
@@ -7,9 +7,9 @@
 #include <set>
 #include <vector>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_constants.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string_piece.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.cc b/chromium/net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.cc
index e5e3e9ad411..ac534965536 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.cc
@@ -6,8 +6,8 @@
 
 // Logging policy: If an error in the input is detected, SPDY_VLOG(n) is used so
 // that the option exists to debug the situation. Otherwise, this code mostly
-// uses DVLOG so that the logging does not slow down production code when things
-// are working OK.
+// uses SPDY_DVLOG so that the logging does not slow down production code when
+// things are working OK.
 
 #include <stddef.h>
 
@@ -76,8 +76,9 @@ uint64_t ToSpdyPingId(const Http2PingFields& ping) {
 // Overwrites the fields of the header with invalid values, for the purpose
 // of identifying reading of unset fields. Only takes effect for debug builds.
 // In Address Sanatizer builds, it also marks the fields as un-readable.
-void CorruptFrameHeader(Http2FrameHeader* header) {
+void CorruptFrameHeader(Http2FrameHeader*
 #ifndef NDEBUG
+                            header) {
   // Beyond a valid payload length, which is 2^24 - 1.
   header->payload_length = 0x1010dead;
   // An unsupported frame type.
@@ -88,6 +89,8 @@ void CorruptFrameHeader(Http2FrameHeader* header) {
   // A stream id with the reserved high-bit (R in the RFC) set.
   // 2129510127 when the high-bit is cleared.
   header->stream_id = 0xfeedbeef;
+#else
+                        /*header*/) {
 #endif
 }
 
@@ -395,6 +398,11 @@ void Http2DecoderAdapter::OnHeadersPriority(
   DCHECK(!on_headers_called_);
   on_headers_called_ = true;
   ReportReceiveCompressedFrame(frame_header_);
+  if (!visitor()) {
+    SPDY_BUG << "Visitor is nullptr, handling priority in headers failed."
+             << " priority:" << priority << " frame_header:" << frame_header_;
+    return;
+  }
   visitor()->OnHeaders(frame_header_.stream_id, kHasPriorityFields,
                        priority.weight, priority.stream_dependency,
                        priority.is_exclusive, frame_header_.IsEndStream(),
@@ -455,7 +463,7 @@ void Http2DecoderAdapter::OnPadLength(size_t trailing_length) {
   }
 }
 
-void Http2DecoderAdapter::OnPadding(const char* padding,
+void Http2DecoderAdapter::OnPadding(const char* /*padding*/,
                                     size_t skipped_length) {
   SPDY_DVLOG(1) << "OnPadding: " << skipped_length;
   if (frame_header_.type == Http2FrameType::DATA) {
@@ -614,7 +622,7 @@ void Http2DecoderAdapter::OnAltSvcEnd() {
   SpdyAltSvcWireFormat::AlternativeServiceVector altsvc_vector;
   if (!SpdyAltSvcWireFormat::ParseHeaderFieldValue(alt_svc_value_,
                                                    &altsvc_vector)) {
-    DLOG(ERROR) << "SpdyAltSvcWireFormat::ParseHeaderFieldValue failed.";
+    SPDY_DLOG(ERROR) << "SpdyAltSvcWireFormat::ParseHeaderFieldValue failed.";
     SetSpdyErrorAndNotify(SpdyFramerError::SPDY_INVALID_CONTROL_FRAME);
     return;
   }
@@ -1015,8 +1023,8 @@ void Http2DecoderAdapter::CommonHpackFragmentEnd() {
 
 namespace spdy {
 
-bool SpdyFramerVisitorInterface::OnGoAwayFrameData(const char* goaway_data,
-                                                   size_t len) {
+bool SpdyFramerVisitorInterface::OnGoAwayFrameData(const char* /*goaway_data*/,
+                                                   size_t /*len*/) {
   return true;
 }
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.h b/chromium/net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.h
index 02deafdf909..3c05858672f 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.h
@@ -94,6 +94,9 @@ class SPDY_EXPORT_PRIVATE Http2DecoderAdapter
   // Set extension callbacks to be called from the framer or decoder. Optional.
   // If called multiple times, only the last visitor will be used.
   void set_extension_visitor(spdy::ExtensionVisitorInterface* visitor);
+  spdy::ExtensionVisitorInterface* extension_visitor() const {
+    return extension_;
+  }
 
   // Set debug callbacks to be called from the framer. The debug visitor is
   // completely optional and need not be set in order for normal operation.
@@ -376,7 +379,8 @@ class SPDY_EXPORT_PRIVATE SpdyFramerVisitorInterface {
   // Called when padding length field is received on a DATA frame.
   // |stream_id| The stream receiving data.
   // |value| The value of the padding length field.
-  virtual void OnStreamPadLength(SpdyStreamId stream_id, size_t value) {}
+  virtual void OnStreamPadLength(SpdyStreamId /*stream_id*/, size_t /*value*/) {
+  }
 
   // Called when padding is received (the trailing octets, not pad_len field) on
   // a DATA frame.
diff --git a/chromium/net/third_party/quiche/src/spdy/core/http2_priority_write_scheduler.h b/chromium/net/third_party/quiche/src/spdy/core/http2_priority_write_scheduler.h
new file mode 100644
index 00000000000..d08d125f933
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/spdy/core/http2_priority_write_scheduler.h
@@ -0,0 +1,773 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_SPDY_CORE_HTTP2_PRIORITY_WRITE_SCHEDULER_H_
+#define QUICHE_SPDY_CORE_HTTP2_PRIORITY_WRITE_SCHEDULER_H_
+
+#include <cstdint>
+#include <deque>
+#include <map>
+#include <memory>
+#include <queue>
+#include <set>
+#include <tuple>
+#include <unordered_map>
+#include <utility>
+#include <vector>
+
+#include "net/third_party/quiche/src/spdy/core/spdy_intrusive_list.h"
+#include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
+#include "net/third_party/quiche/src/spdy/core/write_scheduler.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_bug_tracker.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_containers.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_logging.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_map_util.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_ptr_util.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_string_utils.h"
+
+namespace spdy {
+
+namespace test {
+template <typename StreamIdType>
+class Http2PriorityWriteSchedulerPeer;
+}
+
+// This data structure implements the HTTP/2 stream priority tree defined in
+// section 5.3 of RFC 7540:
+// http://tools.ietf.org/html/rfc7540#section-5.3
+//
+// Streams can be added and removed, and dependencies between them defined.
+// Streams constitute a tree rooted at stream ID 0: each stream has a single
+// parent stream, and 0 or more child streams.  Individual streams can be
+// marked as ready to read/write, and then the whole structure can be queried
+// to pick the next stream to read/write out of those that are ready.
+template <typename StreamIdType>
+class Http2PriorityWriteScheduler : public WriteScheduler<StreamIdType> {
+ public:
+  using typename WriteScheduler<StreamIdType>::StreamPrecedenceType;
+
+  Http2PriorityWriteScheduler();
+  Http2PriorityWriteScheduler(const Http2PriorityWriteScheduler&) = delete;
+  Http2PriorityWriteScheduler& operator=(const Http2PriorityWriteScheduler&) =
+      delete;
+
+  // WriteScheduler methods
+  void RegisterStream(StreamIdType stream_id,
+                      const StreamPrecedenceType& precedence) override;
+  void UnregisterStream(StreamIdType stream_id) override;
+  bool StreamRegistered(StreamIdType stream_id) const override;
+  StreamPrecedenceType GetStreamPrecedence(
+      StreamIdType stream_id) const override;
+  void UpdateStreamPrecedence(StreamIdType stream_id,
+                              const StreamPrecedenceType& precedence) override;
+  std::vector<StreamIdType> GetStreamChildren(
+      StreamIdType stream_id) const override;
+  void RecordStreamEventTime(StreamIdType stream_id,
+                             int64_t now_in_usec) override;
+  int64_t GetLatestEventWithPrecedence(StreamIdType stream_id) const override;
+  bool ShouldYield(StreamIdType stream_id) const override;
+  void MarkStreamReady(StreamIdType stream_id, bool add_to_front) override;
+  void MarkStreamNotReady(StreamIdType stream_id) override;
+  bool HasReadyStreams() const override;
+  StreamIdType PopNextReadyStream() override;
+  std::tuple<StreamIdType, StreamPrecedenceType>
+  PopNextReadyStreamAndPrecedence() override;
+  size_t NumReadyStreams() const override;
+  bool IsStreamReady(StreamIdType stream_id) const override;
+  size_t NumRegisteredStreams() const override;
+  SpdyString DebugString() const override;
+
+ private:
+  friend class test::Http2PriorityWriteSchedulerPeer<StreamIdType>;
+
+  struct StreamInfo;
+  typedef SpdyInlinedVector<StreamInfo*, 4> StreamInfoVector;
+
+  struct StreamInfo : public SpdyIntrusiveLink<StreamInfo> {
+    // ID for this stream.
+    StreamIdType id;
+    // StreamInfo for parent stream.
+    StreamInfo* parent = nullptr;
+    // Weights can range between 1 and 256 (inclusive).
+    int weight = kHttp2DefaultStreamWeight;
+    // The total weight of this stream's direct descendants.
+    int total_child_weights = 0;
+    // Pointers to StreamInfos for children, if any.
+    StreamInfoVector children;
+    // Whether the stream is ready for writing. The stream is present in
+    // scheduling_queue_ iff true.
+    bool ready = false;
+    // The scheduling priority of this stream. Streams with higher priority
+    // values are scheduled first.
+    // TODO(mpw): rename to avoid confusion with SPDY priorities,
+    //   which this is not.
+    float priority = 0;
+    // Ordinal value for this stream, used to ensure round-robin scheduling:
+    // among streams with the same scheduling priority, streams with lower
+    // ordinal are scheduled first.
+    int64_t ordinal = 0;
+    // Time of latest write event for stream of this priority, in microseconds.
+    int64_t last_event_time_usec = 0;
+
+    // Whether this stream should be scheduled ahead of another stream.
+    bool SchedulesBefore(const StreamInfo& other) const {
+      return (priority != other.priority) ? priority > other.priority
+                                          : ordinal < other.ordinal;
+    }
+
+    // Returns the StreamPrecedenceType for this StreamInfo.
+    StreamPrecedenceType ToStreamPrecedence() const {
+      StreamIdType parent_id =
+          parent == nullptr ? kHttp2RootStreamId : parent->id;
+      bool exclusive = parent != nullptr && parent->children.size() == 1;
+      return StreamPrecedenceType(parent_id, weight, exclusive);
+    }
+  };
+
+  static bool Remove(StreamInfoVector* stream_infos,
+                     const StreamInfo* stream_info);
+
+  // Returns true iff any direct or transitive parent of the given stream is
+  // currently ready.
+  static bool HasReadyAncestor(const StreamInfo& stream_info);
+
+  // Returns StreamInfo for the given stream, or nullptr if it isn't
+  // registered.
+  const StreamInfo* FindStream(StreamIdType stream_id) const;
+  StreamInfo* FindStream(StreamIdType stream_id);
+
+  // Helpers for UpdateStreamPrecedence().
+  void UpdateStreamParent(StreamInfo* stream_info,
+                          StreamIdType parent_id,
+                          bool exclusive);
+  void UpdateStreamWeight(StreamInfo* stream_info, int weight);
+
+  // Update all priority values in the subtree rooted at the given stream, not
+  // including the stream itself. If this results in priority value changes for
+  // scheduled streams, those streams are rescheduled to ensure proper ordering
+  // of scheduling_queue_.
+  // TODO(mpw): rename to avoid confusion with SPDY priorities.
+  void UpdatePrioritiesUnder(StreamInfo* stream_info);
+
+  // Inserts stream into scheduling_queue_ at the appropriate location given
+  // its priority and ordinal. Time complexity is O(scheduling_queue.size()).
+  void Schedule(StreamInfo* stream_info);
+
+  // Removes stream from scheduling_queue_.
+  void Unschedule(StreamInfo* stream_info);
+
+  // Return true if all internal invariants hold (useful for unit tests).
+  // Unless there are bugs, this should always return true.
+  bool ValidateInvariantsForTests() const;
+
+  // Returns true if the parent stream has the given stream in its children.
+  bool StreamHasChild(const StreamInfo& parent_info,
+                      const StreamInfo* child_info) const;
+
+  // Pointee owned by all_stream_infos_.
+  StreamInfo* root_stream_info_;
+  // Maps from stream IDs to StreamInfo objects.
+  SpdySmallMap<StreamIdType, std::unique_ptr<StreamInfo>, 10> all_stream_infos_;
+  // Queue containing all ready streams, ordered with streams of higher
+  // priority before streams of lower priority, and, among streams of equal
+  // priority, streams with lower ordinal before those with higher
+  // ordinal. Note that not all streams in scheduling_queue_ are eligible to be
+  // picked as the next stream: some may have ancestor stream(s) that are ready
+  // and unblocked. In these situations the occluded child streams are left in
+  // the queue, to reduce churn.
+  SpdyIntrusiveList<StreamInfo> scheduling_queue_;
+  // Ordinal value to assign to next node inserted into scheduling_queue_ when
+  // |add_to_front == true|. Decremented after each assignment.
+  int64_t head_ordinal_ = -1;
+  // Ordinal value to assign to next node inserted into scheduling_queue_ when
+  // |add_to_front == false|. Incremented after each assignment.
+  int64_t tail_ordinal_ = 0;
+};
+
+template <typename StreamIdType>
+Http2PriorityWriteScheduler<StreamIdType>::Http2PriorityWriteScheduler() {
+  auto root_stream_info = SpdyMakeUnique<StreamInfo>();
+  root_stream_info_ = root_stream_info.get();
+  root_stream_info->id = kHttp2RootStreamId;
+  root_stream_info->weight = kHttp2DefaultStreamWeight;
+  root_stream_info->parent = nullptr;
+  root_stream_info->priority = 1.0;
+  root_stream_info->ready = false;
+  all_stream_infos_[kHttp2RootStreamId] = std::move(root_stream_info);
+}
+
+template <typename StreamIdType>
+bool Http2PriorityWriteScheduler<StreamIdType>::StreamRegistered(
+    StreamIdType stream_id) const {
+  return SpdyContainsKey(all_stream_infos_, stream_id);
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::RegisterStream(
+    StreamIdType stream_id,
+    const StreamPrecedenceType& precedence) {
+  // TODO(mpw): uncomment the SPDY_BUG_IF below once all tests
+  //   (e.g. SpdyClientDispatcher) modified to pass StreamPrecedence instances
+  //   appropriate for protocol version under test.
+  //
+  // SPDY_BUG_IF(precedence.is_spdy3_priority())
+  //     << "Expected HTTP/2 stream dependency";
+
+  if (StreamRegistered(stream_id)) {
+    SPDY_BUG << "Stream " << stream_id << " already registered";
+    return;
+  }
+
+  StreamInfo* parent = FindStream(precedence.parent_id());
+  if (parent == nullptr) {
+    // parent_id may legitimately not be registered yet--see b/15676312.
+    SPDY_VLOG(1) << "Parent stream " << precedence.parent_id()
+                 << " not registered";
+    parent = root_stream_info_;
+  }
+
+  auto new_stream_info = SpdyMakeUnique<StreamInfo>();
+  StreamInfo* new_stream_info_ptr = new_stream_info.get();
+  new_stream_info_ptr->id = stream_id;
+  new_stream_info_ptr->weight = precedence.weight();
+  new_stream_info_ptr->parent = parent;
+  all_stream_infos_[stream_id] = std::move(new_stream_info);
+  if (precedence.is_exclusive()) {
+    // Move the parent's current children below the new stream.
+    using std::swap;
+    swap(new_stream_info_ptr->children, parent->children);
+    new_stream_info_ptr->total_child_weights = parent->total_child_weights;
+    // Update each child's parent.
+    for (StreamInfo* child : new_stream_info_ptr->children) {
+      child->parent = new_stream_info_ptr;
+    }
+    // Clear parent's old child data.
+    DCHECK(parent->children.empty());
+    parent->total_child_weights = 0;
+  }
+  // Add new stream to parent.
+  parent->children.push_back(new_stream_info_ptr);
+  parent->total_child_weights += precedence.weight();
+
+  // Update all priorities under parent, since addition of a stream affects
+  // sibling priorities as well.
+  UpdatePrioritiesUnder(parent);
+
+  // Stream starts with ready == false, so no need to schedule it yet.
+  DCHECK(!new_stream_info_ptr->ready);
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::UnregisterStream(
+    StreamIdType stream_id) {
+  if (stream_id == kHttp2RootStreamId) {
+    SPDY_BUG << "Cannot unregister root stream";
+    return;
+  }
+  // Remove the stream from table.
+  auto it = all_stream_infos_.find(stream_id);
+  if (it == all_stream_infos_.end()) {
+    SPDY_BUG << "Stream " << stream_id << " not registered";
+    return;
+  }
+  std::unique_ptr<StreamInfo> stream_info(std::move(it->second));
+  all_stream_infos_.erase(it);
+  // If ready (and hence scheduled), unschedule.
+  if (stream_info->ready) {
+    Unschedule(stream_info.get());
+  }
+
+  StreamInfo* parent = stream_info->parent;
+  // Remove the stream from parent's child list.
+  Remove(&parent->children, stream_info.get());
+  parent->total_child_weights -= stream_info->weight;
+
+  // Move the stream's children to the parent's child list.
+  // Update each child's parent and weight.
+  for (StreamInfo* child : stream_info->children) {
+    child->parent = parent;
+    parent->children.push_back(child);
+    // Divide the removed stream's weight among its children, rounding to the
+    // nearest valid weight.
+    float float_weight = stream_info->weight *
+                         static_cast<float>(child->weight) /
+                         static_cast<float>(stream_info->total_child_weights);
+    int new_weight = floor(float_weight + 0.5);
+    if (new_weight == 0) {
+      new_weight = 1;
+    }
+    child->weight = new_weight;
+    parent->total_child_weights += child->weight;
+  }
+  UpdatePrioritiesUnder(parent);
+}
+
+template <typename StreamIdType>
+typename Http2PriorityWriteScheduler<StreamIdType>::StreamPrecedenceType
+Http2PriorityWriteScheduler<StreamIdType>::GetStreamPrecedence(
+    StreamIdType stream_id) const {
+  const StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    // Unknown streams tolerated due to b/15676312. However, return lowest
+    // weight.
+    SPDY_VLOG(1) << "Stream " << stream_id << " not registered";
+    return StreamPrecedenceType(kHttp2RootStreamId, kHttp2MinStreamWeight,
+                                false);
+  }
+  return stream_info->ToStreamPrecedence();
+}
+
+template <typename StreamIdType>
+std::vector<StreamIdType>
+Http2PriorityWriteScheduler<StreamIdType>::GetStreamChildren(
+    StreamIdType stream_id) const {
+  std::vector<StreamIdType> child_vec;
+  const StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    SPDY_BUG << "Stream " << stream_id << " not registered";
+  } else {
+    child_vec.reserve(stream_info->children.size());
+    for (StreamInfo* child : stream_info->children) {
+      child_vec.push_back(child->id);
+    }
+  }
+  return child_vec;
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::UpdateStreamPrecedence(
+    StreamIdType stream_id,
+    const StreamPrecedenceType& precedence) {
+  // TODO(mpw): uncomment the SPDY_BUG_IF below once all tests
+  //   (e.g. SpdyClientDispatcher) modified to pass StreamPrecedence instances
+  //   appropriate for protocol version under test.
+  //
+  // SPDY_BUG_IF(precedence.is_spdy3_priority())
+  //     << "Expected HTTP/2 stream dependency";
+  if (stream_id == kHttp2RootStreamId) {
+    SPDY_BUG << "Cannot set precedence of root stream";
+    return;
+  }
+
+  StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    // TODO(mpw): add to all_stream_infos_ on demand--see b/15676312.
+    SPDY_VLOG(1) << "Stream " << stream_id << " not registered";
+    return;
+  }
+  UpdateStreamParent(stream_info, precedence.parent_id(),
+                     precedence.is_exclusive());
+  UpdateStreamWeight(stream_info, precedence.weight());
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::UpdateStreamWeight(
+    StreamInfo* stream_info,
+    int weight) {
+  if (weight == stream_info->weight) {
+    return;
+  }
+  if (stream_info->parent != nullptr) {
+    stream_info->parent->total_child_weights += (weight - stream_info->weight);
+  }
+  stream_info->weight = weight;
+
+  // Change in weight also affects sibling priorities.
+  UpdatePrioritiesUnder(stream_info->parent);
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::UpdateStreamParent(
+    StreamInfo* stream_info,
+    StreamIdType parent_id,
+    bool exclusive) {
+  if (stream_info->id == parent_id) {
+    SPDY_BUG << "Cannot set stream to be its own parent";
+    return;
+  }
+  StreamInfo* new_parent = FindStream(parent_id);
+  if (new_parent == nullptr) {
+    // parent_id may legitimately not be registered yet--see b/15676312.
+    SPDY_VLOG(1) << "Parent stream " << parent_id << " not registered";
+    return;
+  }
+
+  // If the new parent is already the stream's parent, we're done.
+  if (stream_info->parent == new_parent) {
+    return;
+  }
+
+  // Next, check to see if the new parent is currently a descendant
+  // of the stream.
+  StreamInfo* last = new_parent->parent;
+  bool cycle_exists = false;
+  while (last != nullptr) {
+    if (last == stream_info) {
+      cycle_exists = true;
+      break;
+    }
+    last = last->parent;
+  }
+
+  if (cycle_exists) {
+    // The new parent moves to the level of the current stream.
+    UpdateStreamParent(new_parent, stream_info->parent->id, false);
+  }
+
+  // Remove stream from old parent's child list.
+  StreamInfo* old_parent = stream_info->parent;
+  Remove(&old_parent->children, stream_info);
+  old_parent->total_child_weights -= stream_info->weight;
+  UpdatePrioritiesUnder(old_parent);
+
+  if (exclusive) {
+    // Move the new parent's current children below the current stream.
+    for (StreamInfo* child : new_parent->children) {
+      child->parent = stream_info;
+      stream_info->children.push_back(child);
+    }
+    stream_info->total_child_weights += new_parent->total_child_weights;
+    // Clear new parent's old child data.
+    new_parent->children.clear();
+    new_parent->total_child_weights = 0;
+  }
+
+  // Make the change.
+  stream_info->parent = new_parent;
+  new_parent->children.push_back(stream_info);
+  new_parent->total_child_weights += stream_info->weight;
+  UpdatePrioritiesUnder(new_parent);
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::RecordStreamEventTime(
+    StreamIdType stream_id,
+    int64_t now_in_usec) {
+  if (stream_id == kHttp2RootStreamId) {
+    SPDY_BUG << "Cannot record event time for root stream";
+    return;
+  }
+  StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    SPDY_BUG << "Stream " << stream_id << " not registered";
+    return;
+  }
+  stream_info->last_event_time_usec = now_in_usec;
+}
+
+// O(n) in the number of streams, which isn't great. However, this method will
+// soon be superseded by
+// Http2WeightedWriteScheduler::GetLatestEventWithPrecedence(), for which an
+// efficient implementation is straightforward. Also, this method is only
+// called when calculating idle timeouts, so performance isn't key.
+template <typename StreamIdType>
+int64_t Http2PriorityWriteScheduler<StreamIdType>::GetLatestEventWithPrecedence(
+    StreamIdType stream_id) const {
+  if (stream_id == kHttp2RootStreamId) {
+    SPDY_BUG << "Invalid argument: root stream";
+    return 0;
+  }
+  const StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    SPDY_BUG << "Stream " << stream_id << " not registered";
+    return 0;
+  }
+  int64_t last_event_time_usec = 0;
+  for (const auto& kv : all_stream_infos_) {
+    const StreamInfo& other = *kv.second;
+    if (other.priority > stream_info->priority) {
+      last_event_time_usec =
+          std::max(last_event_time_usec, other.last_event_time_usec);
+    }
+  }
+  return last_event_time_usec;
+}
+
+// Worst-case time complexity of O(n*d), where n is scheduling queue length and
+// d is tree depth. In practice, should be much shorter, since loop terminates
+// at first writable stream or |stream_id| (whichever is first).
+template <typename StreamIdType>
+bool Http2PriorityWriteScheduler<StreamIdType>::ShouldYield(
+    StreamIdType stream_id) const {
+  if (stream_id == kHttp2RootStreamId) {
+    SPDY_BUG << "Invalid argument: root stream";
+    return false;
+  }
+  const StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    SPDY_BUG << "Stream " << stream_id << " not registered";
+    return false;
+  }
+  for (const StreamInfo& scheduled : scheduling_queue_) {
+    if (stream_info == &scheduled) {
+      return false;
+    }
+    if (!HasReadyAncestor(scheduled)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::MarkStreamReady(
+    StreamIdType stream_id,
+    bool add_to_front) {
+  if (stream_id == kHttp2RootStreamId) {
+    SPDY_BUG << "Cannot mark root stream ready";
+    return;
+  }
+  StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    SPDY_BUG << "Stream " << stream_id << " not registered";
+    return;
+  }
+  if (stream_info->ready) {
+    return;
+  }
+  stream_info->ordinal = add_to_front ? head_ordinal_-- : tail_ordinal_++;
+  Schedule(stream_info);
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::MarkStreamNotReady(
+    StreamIdType stream_id) {
+  if (stream_id == kHttp2RootStreamId) {
+    SPDY_BUG << "Cannot mark root stream unready";
+    return;
+  }
+  StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    SPDY_BUG << "Stream " << stream_id << " not registered";
+    return;
+  }
+  if (!stream_info->ready) {
+    return;
+  }
+  Unschedule(stream_info);
+}
+
+template <typename StreamIdType>
+bool Http2PriorityWriteScheduler<StreamIdType>::Remove(
+    StreamInfoVector* stream_infos,
+    const StreamInfo* stream_info) {
+  for (typename StreamInfoVector::iterator it = stream_infos->begin();
+       it != stream_infos->end(); ++it) {
+    if (*it == stream_info) {
+      stream_infos->erase(it);
+      return true;
+    }
+  }
+  return false;
+}
+
+template <typename StreamIdType>
+bool Http2PriorityWriteScheduler<StreamIdType>::HasReadyAncestor(
+    const StreamInfo& stream_info) {
+  for (const StreamInfo* parent = stream_info.parent; parent != nullptr;
+       parent = parent->parent) {
+    if (parent->ready) {
+      return true;
+    }
+  }
+  return false;
+}
+
+template <typename StreamIdType>
+const typename Http2PriorityWriteScheduler<StreamIdType>::StreamInfo*
+Http2PriorityWriteScheduler<StreamIdType>::FindStream(
+    StreamIdType stream_id) const {
+  auto it = all_stream_infos_.find(stream_id);
+  return it == all_stream_infos_.end() ? nullptr : it->second.get();
+}
+
+template <typename StreamIdType>
+typename Http2PriorityWriteScheduler<StreamIdType>::StreamInfo*
+Http2PriorityWriteScheduler<StreamIdType>::FindStream(StreamIdType stream_id) {
+  auto it = all_stream_infos_.find(stream_id);
+  return it == all_stream_infos_.end() ? nullptr : it->second.get();
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::UpdatePrioritiesUnder(
+    StreamInfo* stream_info) {
+  for (StreamInfo* child : stream_info->children) {
+    child->priority = stream_info->priority *
+                      (static_cast<float>(child->weight) /
+                       static_cast<float>(stream_info->total_child_weights));
+    if (child->ready) {
+      // Reposition in scheduling_queue_. Use post-order for scheduling, to
+      // benefit from the fact that children have priority <= parent priority.
+      Unschedule(child);
+      UpdatePrioritiesUnder(child);
+      Schedule(child);
+    } else {
+      UpdatePrioritiesUnder(child);
+    }
+  }
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::Schedule(
+    StreamInfo* stream_info) {
+  DCHECK(!stream_info->ready);
+  for (StreamInfo& s : scheduling_queue_) {
+    if (stream_info->SchedulesBefore(s)) {
+      scheduling_queue_.insert(&s, stream_info);
+      stream_info->ready = true;
+      return;
+    }
+  }
+  scheduling_queue_.push_back(stream_info);
+  stream_info->ready = true;
+}
+
+template <typename StreamIdType>
+void Http2PriorityWriteScheduler<StreamIdType>::Unschedule(
+    StreamInfo* stream_info) {
+  DCHECK(stream_info->ready);
+  scheduling_queue_.erase(stream_info);
+  stream_info->ready = false;
+}
+
+template <typename StreamIdType>
+bool Http2PriorityWriteScheduler<StreamIdType>::StreamHasChild(
+    const StreamInfo& parent_info,
+    const StreamInfo* child_info) const {
+  auto found = std::find(parent_info.children.begin(),
+                         parent_info.children.end(), child_info);
+  return found != parent_info.children.end();
+}
+
+template <typename StreamIdType>
+bool Http2PriorityWriteScheduler<StreamIdType>::HasReadyStreams() const {
+  return !scheduling_queue_.empty();
+}
+
+template <typename StreamIdType>
+StreamIdType Http2PriorityWriteScheduler<StreamIdType>::PopNextReadyStream() {
+  return std::get<0>(PopNextReadyStreamAndPrecedence());
+}
+
+template <typename StreamIdType>
+std::tuple<
+    StreamIdType,
+    typename Http2PriorityWriteScheduler<StreamIdType>::StreamPrecedenceType>
+Http2PriorityWriteScheduler<StreamIdType>::PopNextReadyStreamAndPrecedence() {
+  for (StreamInfo& stream_info : scheduling_queue_) {
+    if (!HasReadyAncestor(stream_info)) {
+      Unschedule(&stream_info);
+      return std::make_tuple(stream_info.id, stream_info.ToStreamPrecedence());
+    }
+  }
+  SPDY_BUG << "No ready streams";
+  return std::make_tuple(
+      kHttp2RootStreamId,
+      StreamPrecedenceType(kHttp2RootStreamId, kHttp2MinStreamWeight, false));
+}
+
+template <typename StreamIdType>
+size_t Http2PriorityWriteScheduler<StreamIdType>::NumReadyStreams() const {
+  return scheduling_queue_.size();
+}
+
+template <typename StreamIdType>
+bool Http2PriorityWriteScheduler<StreamIdType>::IsStreamReady(
+    StreamIdType stream_id) const {
+  if (stream_id == kHttp2RootStreamId) {
+    SPDY_BUG << "Try to check whether root stream is ready";
+    return false;
+  }
+  const StreamInfo* stream_info = FindStream(stream_id);
+  if (stream_info == nullptr) {
+    SPDY_BUG << "Stream " << stream_id << " not registered";
+    return false;
+  }
+  return stream_info->ready;
+}
+
+template <typename StreamIdType>
+size_t Http2PriorityWriteScheduler<StreamIdType>::NumRegisteredStreams() const {
+  return all_stream_infos_.size();
+}
+
+template <typename StreamIdType>
+SpdyString Http2PriorityWriteScheduler<StreamIdType>::DebugString() const {
+  return SpdyStrCat("Http2PriorityWriteScheduler {num_registered_streams=",
+                    NumRegisteredStreams(),
+                    " num_ready_streams=", NumReadyStreams(), "}");
+}
+
+template <typename StreamIdType>
+bool Http2PriorityWriteScheduler<StreamIdType>::ValidateInvariantsForTests()
+    const {
+  int total_streams = 0;
+  int streams_visited = 0;
+  // Iterate through all streams in the map.
+  for (const auto& kv : all_stream_infos_) {
+    ++total_streams;
+    ++streams_visited;
+    StreamIdType stream_id = kv.first;
+    const StreamInfo& stream_info = *kv.second;
+
+    // Verify each StreamInfo mapped under the proper stream ID.
+    if (stream_id != stream_info.id) {
+      SPDY_DLOG(INFO) << "Stream ID " << stream_id
+                      << " maps to StreamInfo with ID " << stream_info.id;
+      return false;
+    }
+
+    // All streams except the root should have a parent, and should appear in
+    // the children of that parent.
+    if (stream_info.id != kHttp2RootStreamId &&
+        !StreamHasChild(*stream_info.parent, &stream_info)) {
+      SPDY_DLOG(INFO) << "Parent stream " << stream_info.parent->id
+                      << " is not registered, or does not list stream "
+                      << stream_info.id << " as its child.";
+      return false;
+    }
+
+    if (!stream_info.children.empty()) {
+      int total_child_weights = 0;
+      // Iterate through the stream's children.
+      for (StreamInfo* child : stream_info.children) {
+        ++streams_visited;
+        // Each stream in the list should exist and should have this stream
+        // set as its parent.
+        if (!StreamRegistered(child->id) || child->parent != &stream_info) {
+          SPDY_DLOG(INFO) << "Child stream " << child->id
+                          << " is not registered, "
+                          << "or does not list " << stream_info.id
+                          << " as its parent.";
+          return false;
+        }
+        total_child_weights += child->weight;
+      }
+      // Verify that total_child_weights is correct.
+      if (total_child_weights != stream_info.total_child_weights) {
+        SPDY_DLOG(INFO) << "Child weight totals do not agree. For stream "
+                        << stream_info.id << " total_child_weights has value "
+                        << stream_info.total_child_weights << ", expected "
+                        << total_child_weights;
+        return false;
+      }
+    }
+  }
+
+  // Make sure NumRegisteredStreams() reflects the total number of streams the
+  // map contains.
+  if (total_streams != NumRegisteredStreams()) {
+    SPDY_DLOG(INFO) << "Map contains incorrect number of streams.";
+    return false;
+  }
+  // Validate the validation function; we should have visited each stream twice
+  // (except for the root)
+  DCHECK(streams_visited == 2 * NumRegisteredStreams() - 1);
+  return true;
+}
+
+}  // namespace spdy
+
+#endif  // QUICHE_SPDY_CORE_HTTP2_PRIORITY_WRITE_SCHEDULER_H_
diff --git a/chromium/net/third_party/quiche/src/spdy/core/http2_priority_write_scheduler_test.cc b/chromium/net/third_party/quiche/src/spdy/core/http2_priority_write_scheduler_test.cc
new file mode 100644
index 00000000000..484e59a3a74
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/spdy/core/http2_priority_write_scheduler_test.cc
@@ -0,0 +1,799 @@
+#include "net/third_party/quiche/src/spdy/core/http2_priority_write_scheduler.h"
+
+#include <initializer_list>
+
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test_helpers.h"
+
+using ::testing::AssertionFailure;
+using ::testing::AssertionResult;
+using ::testing::AssertionSuccess;
+using ::testing::ElementsAre;
+using ::testing::IsEmpty;
+using ::testing::UnorderedElementsAre;
+
+namespace spdy {
+
+namespace test {
+
+template <typename StreamIdType>
+class Http2PriorityWriteSchedulerPeer {
+ public:
+  explicit Http2PriorityWriteSchedulerPeer(
+      Http2PriorityWriteScheduler<StreamIdType>* scheduler)
+      : scheduler_(scheduler) {}
+
+  int TotalChildWeights(StreamIdType stream_id) const {
+    return scheduler_->FindStream(stream_id)->total_child_weights;
+  }
+
+  bool ValidateInvariants() const {
+    return scheduler_->ValidateInvariantsForTests();
+  }
+
+ private:
+  Http2PriorityWriteScheduler<StreamIdType>* scheduler_;
+};
+
+class Http2PriorityWriteSchedulerTest : public ::testing::Test {
+ protected:
+  typedef uint32_t SpdyStreamId;
+
+  Http2PriorityWriteSchedulerTest() : peer_(&scheduler_) {}
+
+  Http2PriorityWriteScheduler<SpdyStreamId> scheduler_;
+  Http2PriorityWriteSchedulerPeer<SpdyStreamId> peer_;
+};
+
+TEST_F(Http2PriorityWriteSchedulerTest, RegisterAndUnregisterStreams) {
+  EXPECT_EQ(1u, scheduler_.NumRegisteredStreams());
+  EXPECT_TRUE(scheduler_.StreamRegistered(0));
+  EXPECT_FALSE(scheduler_.StreamRegistered(1));
+
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  EXPECT_EQ(2u, scheduler_.NumRegisteredStreams());
+  ASSERT_TRUE(scheduler_.StreamRegistered(1));
+  EXPECT_EQ(100, scheduler_.GetStreamPrecedence(1).weight());
+  EXPECT_FALSE(scheduler_.StreamRegistered(5));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(1));
+
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(0, 50, false));
+  // Should not be able to add a stream with an id that already exists.
+  EXPECT_SPDY_BUG(
+      scheduler_.RegisterStream(5, SpdyStreamPrecedence(1, 50, false)),
+      "Stream 5 already registered");
+  EXPECT_EQ(3u, scheduler_.NumRegisteredStreams());
+  EXPECT_TRUE(scheduler_.StreamRegistered(1));
+  ASSERT_TRUE(scheduler_.StreamRegistered(5));
+  EXPECT_EQ(50, scheduler_.GetStreamPrecedence(5).weight());
+  EXPECT_FALSE(scheduler_.StreamRegistered(13));
+
+  scheduler_.RegisterStream(13, SpdyStreamPrecedence(5, 130, true));
+  EXPECT_EQ(4u, scheduler_.NumRegisteredStreams());
+  EXPECT_TRUE(scheduler_.StreamRegistered(1));
+  EXPECT_TRUE(scheduler_.StreamRegistered(5));
+  ASSERT_TRUE(scheduler_.StreamRegistered(13));
+  EXPECT_EQ(130, scheduler_.GetStreamPrecedence(13).weight());
+  EXPECT_EQ(5, scheduler_.GetStreamPrecedence(13).parent_id());
+
+  scheduler_.UnregisterStream(5);
+  // Cannot remove a stream that has already been removed.
+  EXPECT_SPDY_BUG(scheduler_.UnregisterStream(5), "Stream 5 not registered");
+  EXPECT_EQ(3u, scheduler_.NumRegisteredStreams());
+  EXPECT_TRUE(scheduler_.StreamRegistered(1));
+  EXPECT_FALSE(scheduler_.StreamRegistered(5));
+  EXPECT_TRUE(scheduler_.StreamRegistered(13));
+  EXPECT_EQ(kHttp2RootStreamId, scheduler_.GetStreamPrecedence(13).parent_id());
+
+  // The parent stream 19 doesn't exist, so this should use 0 as parent stream:
+  scheduler_.RegisterStream(7, SpdyStreamPrecedence(19, 70, false));
+  EXPECT_TRUE(scheduler_.StreamRegistered(7));
+  EXPECT_EQ(0, scheduler_.GetStreamPrecedence(7).parent_id());
+  // Now stream 7 already exists, so this should fail:
+  EXPECT_SPDY_BUG(
+      scheduler_.RegisterStream(7, SpdyStreamPrecedence(1, 70, false)),
+      "Stream 7 already registered");
+  // Try adding a second child to stream 13:
+  scheduler_.RegisterStream(17, SpdyStreamPrecedence(13, 170, false));
+
+  scheduler_.UpdateStreamPrecedence(17, SpdyStreamPrecedence(13, 150, false));
+  EXPECT_EQ(150, scheduler_.GetStreamPrecedence(17).weight());
+
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, RegisterStreamWithSpdy3Priority) {
+  EXPECT_FALSE(scheduler_.StreamRegistered(1));
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(3));
+  EXPECT_EQ(0, scheduler_.NumReadyStreams());
+  EXPECT_TRUE(scheduler_.StreamRegistered(1));
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(1).spdy3_priority());
+  EXPECT_EQ(147, scheduler_.GetStreamPrecedence(1).weight());
+  EXPECT_EQ(kHttp2RootStreamId, scheduler_.GetStreamPrecedence(1).parent_id());
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), IsEmpty());
+
+  EXPECT_SPDY_BUG(scheduler_.RegisterStream(1, SpdyStreamPrecedence(4)),
+                  "Expected HTTP/2 stream dependency|"
+                  "Stream 1 already registered");
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(1).spdy3_priority());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, GetStreamWeight) {
+  // Unknown streams tolerated due to b/15676312.
+  EXPECT_EQ(kHttp2MinStreamWeight, scheduler_.GetStreamPrecedence(3).weight());
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(0, 130, true));
+  EXPECT_EQ(130, scheduler_.GetStreamPrecedence(3).weight());
+  scheduler_.UpdateStreamPrecedence(3, SpdyStreamPrecedence(0, 50, true));
+  EXPECT_EQ(50, scheduler_.GetStreamPrecedence(3).weight());
+  scheduler_.UnregisterStream(3);
+  EXPECT_EQ(kHttp2MinStreamWeight, scheduler_.GetStreamPrecedence(3).weight());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, GetStreamPriority) {
+  // Unknown streams tolerated due to b/15676312.
+  EXPECT_EQ(kV3LowestPriority,
+            scheduler_.GetStreamPrecedence(3).spdy3_priority());
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(0, 130, true));
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(3).spdy3_priority());
+  scheduler_.UpdateStreamPrecedence(3, SpdyStreamPrecedence(0, 50, true));
+  EXPECT_EQ(5, scheduler_.GetStreamPrecedence(3).spdy3_priority());
+  scheduler_.UnregisterStream(3);
+  EXPECT_EQ(kV3LowestPriority,
+            scheduler_.GetStreamPrecedence(3).spdy3_priority());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, GetStreamParent) {
+  // Unknown streams tolerated due to b/15676312.
+  EXPECT_EQ(kHttp2RootStreamId, scheduler_.GetStreamPrecedence(3).parent_id());
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 20, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(2, 30, false));
+  EXPECT_EQ(2, scheduler_.GetStreamPrecedence(3).parent_id());
+  scheduler_.UnregisterStream(3);
+  EXPECT_EQ(kHttp2RootStreamId, scheduler_.GetStreamPrecedence(3).parent_id());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, GetStreamChildren) {
+  EXPECT_SPDY_BUG(EXPECT_THAT(scheduler_.GetStreamChildren(7), IsEmpty()),
+                  "Stream 7 not registered");
+  scheduler_.RegisterStream(7, SpdyStreamPrecedence(0, 70, false));
+  EXPECT_THAT(scheduler_.GetStreamChildren(7), IsEmpty());
+  scheduler_.RegisterStream(9, SpdyStreamPrecedence(7, 90, false));
+  scheduler_.RegisterStream(15, SpdyStreamPrecedence(7, 150, false));
+  EXPECT_THAT(scheduler_.GetStreamChildren(7), UnorderedElementsAre(9, 15));
+  scheduler_.UnregisterStream(7);
+  EXPECT_SPDY_BUG(EXPECT_THAT(scheduler_.GetStreamChildren(7), IsEmpty()),
+                  "Stream 7 not registered");
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, UpdateStreamWeight) {
+  EXPECT_SPDY_BUG(
+      scheduler_.UpdateStreamPrecedence(0, SpdyStreamPrecedence(0, 10, false)),
+      "Cannot set precedence of root stream");
+
+  // For the moment, updating stream precedence on a non-registered stream
+  // should have no effect. In the future, it will lazily cause the stream to
+  // be registered (b/15676312).
+  scheduler_.UpdateStreamPrecedence(3, SpdyStreamPrecedence(0, 10, false));
+  EXPECT_FALSE(scheduler_.StreamRegistered(3));
+
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(0, 10, false));
+  scheduler_.UpdateStreamPrecedence(3, SpdyStreamPrecedence(0, 20, false));
+  EXPECT_EQ(20, scheduler_.GetStreamPrecedence(3).weight());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+
+  EXPECT_SPDY_BUG(
+      scheduler_.UpdateStreamPrecedence(3, SpdyStreamPrecedence(0, 500, false)),
+      "Invalid weight: 500");
+  EXPECT_EQ(kHttp2MaxStreamWeight, scheduler_.GetStreamPrecedence(3).weight());
+  EXPECT_SPDY_BUG(
+      scheduler_.UpdateStreamPrecedence(3, SpdyStreamPrecedence(0, 0, false)),
+      "Invalid weight: 0");
+  EXPECT_EQ(kHttp2MinStreamWeight, scheduler_.GetStreamPrecedence(3).weight());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+
+  scheduler_.UnregisterStream(3);
+}
+
+// Basic case of reparenting a subtree.
+TEST_F(Http2PriorityWriteSchedulerTest, UpdateStreamParentBasicNonExclusive) {
+  /* Tree:
+        0
+       / \
+      1   2
+     / \
+    3   4
+   */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(2, 100, false));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(2));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), UnorderedElementsAre(3, 4));
+  EXPECT_THAT(scheduler_.GetStreamChildren(2), ElementsAre(1));
+  EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(4), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+// Basic case of reparenting a subtree.  Result here is the same as the
+// non-exclusive case.
+TEST_F(Http2PriorityWriteSchedulerTest, UpdateStreamParentBasicExclusive) {
+  /* Tree:
+        0
+       / \
+      1   2
+     / \
+    3   4
+   */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(2, 100, true));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(2));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), UnorderedElementsAre(3, 4));
+  EXPECT_THAT(scheduler_.GetStreamChildren(2), ElementsAre(1));
+  EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(4), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+// We can't set the parent of a nonexistent stream, or set the parent to a
+// nonexistent stream.
+TEST_F(Http2PriorityWriteSchedulerTest, UpdateStreamParentNonexistent) {
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 100, false));
+  for (bool exclusive : {true, false}) {
+    // For the moment, updating stream precedence on a non-registered stream or
+    // attempting to set parent to a nonexistent stream should have no
+    // effect. In the future, it will lazily cause the stream(s) to be
+    // registered (b/15676312).
+
+    // No-op: parent stream 3 not registered
+    scheduler_.UpdateStreamPrecedence(1,
+                                      SpdyStreamPrecedence(3, 100, exclusive));
+
+    // No-op: stream 4 not registered
+    scheduler_.UpdateStreamPrecedence(4,
+                                      SpdyStreamPrecedence(2, 100, exclusive));
+
+    // No-op: stream 3 not registered
+    scheduler_.UpdateStreamPrecedence(3,
+                                      SpdyStreamPrecedence(4, 100, exclusive));
+
+    EXPECT_THAT(scheduler_.GetStreamChildren(0), UnorderedElementsAre(1, 2));
+    EXPECT_THAT(scheduler_.GetStreamChildren(1), IsEmpty());
+    EXPECT_THAT(scheduler_.GetStreamChildren(2), IsEmpty());
+    EXPECT_FALSE(scheduler_.StreamRegistered(3));
+    EXPECT_FALSE(scheduler_.StreamRegistered(4));
+  }
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+// We should be able to add multiple children to streams.
+TEST_F(Http2PriorityWriteSchedulerTest,
+       UpdateStreamParentMultipleChildrenNonExclusive) {
+  /* Tree:
+        0
+       / \
+      1   2
+     / \   \
+    3   4   5
+   */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.UpdateStreamPrecedence(2, SpdyStreamPrecedence(1, 100, false));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(1));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), UnorderedElementsAre(2, 3, 4));
+  EXPECT_THAT(scheduler_.GetStreamChildren(2), ElementsAre(5));
+  EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(4), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(5), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest,
+       UpdateStreamParentMultipleChildrenExclusive) {
+  /* Tree:
+        0
+       / \
+      1   2
+     / \   \
+    3   4   5
+   */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.UpdateStreamPrecedence(2, SpdyStreamPrecedence(1, 100, true));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(1));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), ElementsAre(2));
+  EXPECT_THAT(scheduler_.GetStreamChildren(2), UnorderedElementsAre(3, 4, 5));
+  EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(4), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(5), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, UpdateStreamParentToChildNonExclusive) {
+  /* Tree:
+        0
+        |
+        1
+       / \
+      2   3
+      |
+      4
+   */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(2, 100, false));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(2));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), ElementsAre(3));
+  EXPECT_THAT(scheduler_.GetStreamChildren(2), UnorderedElementsAre(1, 4));
+  EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(4), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, UpdateStreamParentToChildExclusive) {
+  /* Tree:
+        0
+        |
+        1
+       / \
+      2   3
+      |
+      4
+   */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(2, 100, true));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(2));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), UnorderedElementsAre(3, 4));
+  EXPECT_THAT(scheduler_.GetStreamChildren(2), ElementsAre(1));
+  EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(4), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest,
+       UpdateStreamParentToGrandchildNonExclusive) {
+  /* Tree:
+        0
+        |
+        1
+       / \
+      2   3
+     / \
+    4   5
+    |
+    6
+   */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.RegisterStream(6, SpdyStreamPrecedence(4, 100, false));
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(4, 100, false));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(4));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), UnorderedElementsAre(2, 3));
+  EXPECT_THAT(scheduler_.GetStreamChildren(2), ElementsAre(5));
+  EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(4), UnorderedElementsAre(1, 6));
+  EXPECT_THAT(scheduler_.GetStreamChildren(5), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(6), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest,
+       UpdateStreamParentToGrandchildExclusive) {
+  /* Tree:
+        0
+        |
+        1
+       / \
+      2   3
+     / \
+    4   5
+    |
+    6
+   */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.RegisterStream(6, SpdyStreamPrecedence(4, 100, false));
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(4, 100, true));
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(4));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), UnorderedElementsAre(2, 3, 6));
+  EXPECT_THAT(scheduler_.GetStreamChildren(2), ElementsAre(5));
+  EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(4), ElementsAre(1));
+  EXPECT_THAT(scheduler_.GetStreamChildren(5), IsEmpty());
+  EXPECT_THAT(scheduler_.GetStreamChildren(6), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, UpdateStreamParentToParent) {
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(1, 100, false));
+  for (bool exclusive : {true, false}) {
+    scheduler_.UpdateStreamPrecedence(2,
+                                      SpdyStreamPrecedence(1, 100, exclusive));
+    EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(1));
+    EXPECT_THAT(scheduler_.GetStreamChildren(1), UnorderedElementsAre(2, 3));
+    EXPECT_THAT(scheduler_.GetStreamChildren(2), IsEmpty());
+    EXPECT_THAT(scheduler_.GetStreamChildren(3), IsEmpty());
+  }
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, UpdateStreamParentToSelf) {
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  EXPECT_SPDY_BUG(
+      scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(1, 100, false)),
+      "Cannot set stream to be its own parent");
+  EXPECT_SPDY_BUG(
+      scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(1, 100, true)),
+      "Cannot set stream to be its own parent");
+  EXPECT_THAT(scheduler_.GetStreamChildren(0), ElementsAre(1));
+  EXPECT_THAT(scheduler_.GetStreamChildren(1), IsEmpty());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, BlockAndUnblock) {
+  /* Create the tree.
+
+             0
+           / | \
+          /  |  \
+         1   2   3
+        / \   \   \
+       4   5   6   7
+      /|  / \  |   |\
+     8 9 10 11 12 13 14
+    / \
+   15 16
+
+  */
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(1, 100, false));
+  scheduler_.RegisterStream(8, SpdyStreamPrecedence(4, 100, false));
+  scheduler_.RegisterStream(9, SpdyStreamPrecedence(4, 100, false));
+  scheduler_.RegisterStream(10, SpdyStreamPrecedence(5, 100, false));
+  scheduler_.RegisterStream(11, SpdyStreamPrecedence(5, 100, false));
+  scheduler_.RegisterStream(15, SpdyStreamPrecedence(8, 100, false));
+  scheduler_.RegisterStream(16, SpdyStreamPrecedence(8, 100, false));
+  scheduler_.RegisterStream(12, SpdyStreamPrecedence(2, 100, false));
+  scheduler_.RegisterStream(6, SpdyStreamPrecedence(2, 100, true));
+  scheduler_.RegisterStream(7, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(13, SpdyStreamPrecedence(7, 100, true));
+  scheduler_.RegisterStream(14, SpdyStreamPrecedence(7, 100, false));
+  scheduler_.UpdateStreamPrecedence(7, SpdyStreamPrecedence(3, 100, false));
+  EXPECT_EQ(0, scheduler_.GetStreamPrecedence(1).parent_id());
+  EXPECT_EQ(0, scheduler_.GetStreamPrecedence(2).parent_id());
+  EXPECT_EQ(0, scheduler_.GetStreamPrecedence(3).parent_id());
+  EXPECT_EQ(1, scheduler_.GetStreamPrecedence(4).parent_id());
+  EXPECT_EQ(1, scheduler_.GetStreamPrecedence(5).parent_id());
+  EXPECT_EQ(2, scheduler_.GetStreamPrecedence(6).parent_id());
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(7).parent_id());
+  EXPECT_EQ(4, scheduler_.GetStreamPrecedence(8).parent_id());
+  EXPECT_EQ(4, scheduler_.GetStreamPrecedence(9).parent_id());
+  EXPECT_EQ(5, scheduler_.GetStreamPrecedence(10).parent_id());
+  EXPECT_EQ(5, scheduler_.GetStreamPrecedence(11).parent_id());
+  EXPECT_EQ(6, scheduler_.GetStreamPrecedence(12).parent_id());
+  EXPECT_EQ(7, scheduler_.GetStreamPrecedence(13).parent_id());
+  EXPECT_EQ(7, scheduler_.GetStreamPrecedence(14).parent_id());
+  EXPECT_EQ(8, scheduler_.GetStreamPrecedence(15).parent_id());
+  EXPECT_EQ(8, scheduler_.GetStreamPrecedence(16).parent_id());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+
+  EXPECT_EQ(peer_.TotalChildWeights(0),
+            scheduler_.GetStreamPrecedence(1).weight() +
+                scheduler_.GetStreamPrecedence(2).weight() +
+                scheduler_.GetStreamPrecedence(3).weight());
+  EXPECT_EQ(peer_.TotalChildWeights(3),
+            scheduler_.GetStreamPrecedence(7).weight());
+  EXPECT_EQ(peer_.TotalChildWeights(7),
+            scheduler_.GetStreamPrecedence(13).weight() +
+                scheduler_.GetStreamPrecedence(14).weight());
+  EXPECT_EQ(peer_.TotalChildWeights(13), 0);
+  EXPECT_EQ(peer_.TotalChildWeights(14), 0);
+
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, HasReadyStreams) {
+  EXPECT_FALSE(scheduler_.HasReadyStreams());
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 10, false));
+  EXPECT_FALSE(scheduler_.HasReadyStreams());
+  scheduler_.MarkStreamReady(1, false);
+  EXPECT_TRUE(scheduler_.HasReadyStreams());
+  EXPECT_TRUE(scheduler_.IsStreamReady(1));
+  scheduler_.MarkStreamNotReady(1);
+  EXPECT_FALSE(scheduler_.HasReadyStreams());
+  EXPECT_FALSE(scheduler_.IsStreamReady(1));
+  scheduler_.MarkStreamReady(1, true);
+  EXPECT_TRUE(scheduler_.HasReadyStreams());
+  EXPECT_TRUE(scheduler_.IsStreamReady(1));
+  scheduler_.UnregisterStream(1);
+  EXPECT_FALSE(scheduler_.HasReadyStreams());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+  EXPECT_SPDY_BUG(scheduler_.IsStreamReady(1), "Stream 1 not registered");
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, CalculateRoundedWeights) {
+  /* Create the tree.
+
+           0
+          / \
+         1   2
+       /| |\  |\
+      8 3 4 5 6 7
+  */
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 10, true));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 5, false));
+  scheduler_.RegisterStream(6, SpdyStreamPrecedence(2, 1, false));
+  scheduler_.RegisterStream(7, SpdyStreamPrecedence(2, 1, false));
+  scheduler_.RegisterStream(8, SpdyStreamPrecedence(1, 1, false));
+
+  // Remove higher-level streams.
+  scheduler_.UnregisterStream(1);
+  scheduler_.UnregisterStream(2);
+
+  // 3.3 rounded down = 3.
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(3).weight());
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(4).weight());
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(5).weight());
+  // 2.5 rounded up = 3.
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(6).weight());
+  EXPECT_EQ(3, scheduler_.GetStreamPrecedence(7).weight());
+  // 0 is not a valid weight, so round up to 1.
+  EXPECT_EQ(1, scheduler_.GetStreamPrecedence(8).weight());
+  ASSERT_TRUE(peer_.ValidateInvariants());
+}
+
+TEST_F(Http2PriorityWriteSchedulerTest, GetLatestEventWithPrecedence) {
+  EXPECT_SPDY_BUG(scheduler_.RecordStreamEventTime(3, 5),
+                  "Stream 3 not registered");
+  EXPECT_SPDY_BUG(EXPECT_EQ(0, scheduler_.GetLatestEventWithPrecedence(4)),
+                  "Stream 4 not registered");
+
+  for (int i = 1; i < 5; ++i) {
+    int weight = SpdyStreamPrecedence(i).weight();
+    scheduler_.RegisterStream(i, SpdyStreamPrecedence(0, weight, false));
+  }
+  for (int i = 1; i < 5; ++i) {
+    EXPECT_EQ(0, scheduler_.GetLatestEventWithPrecedence(i));
+  }
+  for (int i = 1; i < 5; ++i) {
+    scheduler_.RecordStreamEventTime(i, i * 100);
+  }
+  for (int i = 1; i < 5; ++i) {
+    EXPECT_EQ((i - 1) * 100, scheduler_.GetLatestEventWithPrecedence(i));
+  }
+}
+
+// Add ready streams at front and back.
+TEST_F(Http2PriorityWriteSchedulerTest, MarkReadyFrontAndBack) {
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 10, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 20, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(0, 20, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(0, 20, false));
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(0, 30, false));
+
+  for (int i = 1; i < 6; ++i) {
+    scheduler_.MarkStreamReady(i, false);
+  }
+  EXPECT_EQ(5, scheduler_.PopNextReadyStream());
+  EXPECT_EQ(2, scheduler_.PopNextReadyStream());
+  scheduler_.MarkStreamReady(2, false);
+  EXPECT_EQ(3, scheduler_.PopNextReadyStream());
+  scheduler_.MarkStreamReady(3, false);
+  EXPECT_EQ(4, scheduler_.PopNextReadyStream());
+  scheduler_.MarkStreamReady(4, false);
+  EXPECT_EQ(2, scheduler_.PopNextReadyStream());
+  scheduler_.MarkStreamReady(2, true);
+  EXPECT_EQ(2, scheduler_.PopNextReadyStream());
+  scheduler_.MarkStreamReady(5, false);
+  scheduler_.MarkStreamReady(2, true);
+  EXPECT_EQ(5, scheduler_.PopNextReadyStream());
+}
+
+// Add ready streams at front and back and pop them with
+// PopNextReadyStreamAndPrecedence.
+TEST_F(Http2PriorityWriteSchedulerTest, PopNextReadyStreamAndPrecedence) {
+  scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 10, false));
+  scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 20, false));
+  scheduler_.RegisterStream(3, SpdyStreamPrecedence(0, 20, false));
+  scheduler_.RegisterStream(4, SpdyStreamPrecedence(0, 20, false));
+  scheduler_.RegisterStream(5, SpdyStreamPrecedence(0, 30, false));
+
+  for (int i = 1; i < 6; ++i) {
+    scheduler_.MarkStreamReady(i, false);
+  }
+  EXPECT_EQ(std::make_tuple(5, SpdyStreamPrecedence(0, 30, false)),
+            scheduler_.PopNextReadyStreamAndPrecedence());
+  EXPECT_EQ(std::make_tuple(2, SpdyStreamPrecedence(0, 20, false)),
+            scheduler_.PopNextReadyStreamAndPrecedence());
+  scheduler_.MarkStreamReady(2, false);
+  EXPECT_EQ(std::make_tuple(3, SpdyStreamPrecedence(0, 20, false)),
+            scheduler_.PopNextReadyStreamAndPrecedence());
+  scheduler_.MarkStreamReady(3, false);
+  EXPECT_EQ(std::make_tuple(4, SpdyStreamPrecedence(0, 20, false)),
+            scheduler_.PopNextReadyStreamAndPrecedence());
+  scheduler_.MarkStreamReady(4, false);
+  EXPECT_EQ(std::make_tuple(2, SpdyStreamPrecedence(0, 20, false)),
+            scheduler_.PopNextReadyStreamAndPrecedence());
+  scheduler_.MarkStreamReady(2, true);
+  EXPECT_EQ(std::make_tuple(2, SpdyStreamPrecedence(0, 20, false)),
+            scheduler_.PopNextReadyStreamAndPrecedence());
+  scheduler_.MarkStreamReady(5, false);
+  scheduler_.MarkStreamReady(2, true);
+  EXPECT_EQ(std::make_tuple(5, SpdyStreamPrecedence(0, 30, false)),
+            scheduler_.PopNextReadyStreamAndPrecedence());
+}
+
+class PopNextReadyStreamTest : public Http2PriorityWriteSchedulerTest {
+ protected:
+  void SetUp() override {
+    /* Create the tree.
+
+             0
+            /|\
+           1 2 3
+          /| |\
+         4 5 6 7
+        /
+       8
+
+    */
+    scheduler_.RegisterStream(1, SpdyStreamPrecedence(0, 100, false));
+    scheduler_.RegisterStream(2, SpdyStreamPrecedence(0, 100, false));
+    scheduler_.RegisterStream(3, SpdyStreamPrecedence(0, 100, false));
+    scheduler_.RegisterStream(4, SpdyStreamPrecedence(1, 100, false));
+    scheduler_.RegisterStream(5, SpdyStreamPrecedence(1, 100, false));
+    scheduler_.RegisterStream(6, SpdyStreamPrecedence(2, 100, false));
+    scheduler_.RegisterStream(7, SpdyStreamPrecedence(2, 100, false));
+    scheduler_.RegisterStream(8, SpdyStreamPrecedence(4, 100, false));
+
+    // Set all nodes ready to write.
+    for (SpdyStreamId id = 1; id <= 8; ++id) {
+      scheduler_.MarkStreamReady(id, false);
+    }
+  }
+
+  AssertionResult PopNextReturnsCycle(
+      std::initializer_list<SpdyStreamId> stream_ids) {
+    int count = 0;
+    const int kNumCyclesToCheck = 2;
+    for (int i = 0; i < kNumCyclesToCheck; i++) {
+      for (SpdyStreamId expected_id : stream_ids) {
+        SpdyStreamId next_id = scheduler_.PopNextReadyStream();
+        scheduler_.MarkStreamReady(next_id, false);
+        if (next_id != expected_id) {
+          return AssertionFailure() << "Pick " << count << ": expected stream "
+                                    << expected_id << " instead of " << next_id;
+        }
+        if (!peer_.ValidateInvariants()) {
+          return AssertionFailure() << "ValidateInvariants failed";
+        }
+        ++count;
+      }
+    }
+    return AssertionSuccess();
+  }
+};
+
+// When all streams are schedulable, only top-level streams should be returned.
+TEST_F(PopNextReadyStreamTest, NoneBlocked) {
+  EXPECT_TRUE(PopNextReturnsCycle({1, 2, 3}));
+}
+
+// When a parent stream is blocked, its children should be scheduled, if
+// priorities allow.
+TEST_F(PopNextReadyStreamTest, SingleStreamBlocked) {
+  scheduler_.MarkStreamNotReady(1);
+
+  // Round-robin only across 2 and 3, since children of 1 have lower priority.
+  EXPECT_TRUE(PopNextReturnsCycle({2, 3}));
+
+  // Make children of 1 have equal priority as 2 and 3, after which they should
+  // be returned as well.
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(0, 200, false));
+  EXPECT_TRUE(PopNextReturnsCycle({4, 5, 2, 3}));
+}
+
+// Block multiple levels of streams.
+TEST_F(PopNextReadyStreamTest, MultiLevelBlocked) {
+  for (SpdyStreamId stream_id : {1, 4, 5}) {
+    scheduler_.MarkStreamNotReady(stream_id);
+  }
+  // Round-robin only across 2 and 3, since children of 1 have lower priority.
+  EXPECT_TRUE(PopNextReturnsCycle({2, 3}));
+
+  // Make 8 have equal priority as 2 and 3.
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(0, 200, false));
+  EXPECT_TRUE(PopNextReturnsCycle({8, 2, 3}));
+}
+
+// A removed stream shouldn't be scheduled.
+TEST_F(PopNextReadyStreamTest, RemoveStream) {
+  scheduler_.UnregisterStream(1);
+
+  // Round-robin only across 2 and 3, since previous children of 1 have lower
+  // priority (the weight of 4 and 5 is scaled down when they are elevated to
+  // siblings of 2 and 3).
+  EXPECT_TRUE(PopNextReturnsCycle({2, 3}));
+
+  // Make previous children of 1 have equal priority as 2 and 3.
+  scheduler_.UpdateStreamPrecedence(4, SpdyStreamPrecedence(0, 100, false));
+  scheduler_.UpdateStreamPrecedence(5, SpdyStreamPrecedence(0, 100, false));
+  EXPECT_TRUE(PopNextReturnsCycle({4, 5, 2, 3}));
+}
+
+// Block an entire subtree.
+TEST_F(PopNextReadyStreamTest, SubtreeBlocked) {
+  for (SpdyStreamId stream_id : {1, 4, 5, 8}) {
+    scheduler_.MarkStreamNotReady(stream_id);
+  }
+  EXPECT_TRUE(PopNextReturnsCycle({2, 3}));
+}
+
+// If all parent streams are blocked, children should be returned.
+TEST_F(PopNextReadyStreamTest, ParentsBlocked) {
+  for (SpdyStreamId stream_id : {1, 2, 3}) {
+    scheduler_.MarkStreamNotReady(stream_id);
+  }
+  EXPECT_TRUE(PopNextReturnsCycle({4, 5, 6, 7}));
+}
+
+// Unblocking streams should make them schedulable.
+TEST_F(PopNextReadyStreamTest, BlockAndUnblock) {
+  EXPECT_TRUE(PopNextReturnsCycle({1, 2, 3}));
+  scheduler_.MarkStreamNotReady(2);
+  EXPECT_TRUE(PopNextReturnsCycle({1, 3}));
+  scheduler_.MarkStreamReady(2, false);
+  // Cycle order permuted since 2 effectively appended at tail.
+  EXPECT_TRUE(PopNextReturnsCycle({1, 3, 2}));
+}
+
+// Block nodes in multiple subtrees.
+TEST_F(PopNextReadyStreamTest, ScatteredBlocked) {
+  for (SpdyStreamId stream_id : {1, 2, 6, 7}) {
+    scheduler_.MarkStreamNotReady(stream_id);
+  }
+  // Only 3 returned, since of remaining streams it has highest priority.
+  EXPECT_TRUE(PopNextReturnsCycle({3}));
+
+  // Make children of 1 have priority equal to 3.
+  scheduler_.UpdateStreamPrecedence(1, SpdyStreamPrecedence(0, 200, false));
+  EXPECT_TRUE(PopNextReturnsCycle({4, 5, 3}));
+
+  // When 4 is blocked, its child 8 should take its place, since it has same
+  // priority.
+  scheduler_.MarkStreamNotReady(4);
+  EXPECT_TRUE(PopNextReturnsCycle({8, 5, 3}));
+}
+
+}  // namespace test
+}  // namespace spdy
diff --git a/chromium/net/third_party/quiche/src/spdy/core/mock_spdy_framer_visitor.h b/chromium/net/third_party/quiche/src/spdy/core/mock_spdy_framer_visitor.h
index 124efe584f4..9dd709c4c39 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/mock_spdy_framer_visitor.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/mock_spdy_framer_visitor.h
@@ -8,11 +8,11 @@
 #include <cstdint>
 #include <memory>
 
-#include "testing/gmock/include/gmock/gmock.h"
 #include "net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_test_utils.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_ptr_util.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string_piece.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/priority_write_scheduler.h b/chromium/net/third_party/quiche/src/spdy/core/priority_write_scheduler.h
index 067153ba8bc..e4385835315 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/priority_write_scheduler.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/priority_write_scheduler.h
@@ -134,7 +134,7 @@ class PriorityWriteScheduler : public WriteScheduler<StreamIdType> {
   }
 
   std::vector<StreamIdType> GetStreamChildren(
-      StreamIdType stream_id) const override {
+      StreamIdType /*stream_id*/) const override {
     return std::vector<StreamIdType>();
   }
 
@@ -258,6 +258,8 @@ class PriorityWriteScheduler : public WriteScheduler<StreamIdType> {
   // Returns the number of ready streams.
   size_t NumReadyStreams() const override { return num_ready_streams_; }
 
+  size_t NumRegisteredStreams() const override { return stream_infos_.size(); }
+
   SpdyString DebugString() const override {
     return SpdyStrCat(
         "PriorityWriteScheduler {num_streams=", stream_infos_.size(),
@@ -265,7 +267,7 @@ class PriorityWriteScheduler : public WriteScheduler<StreamIdType> {
   }
 
   // Returns true if a stream is ready.
-  bool IsStreamReady(StreamIdType stream_id) const {
+  bool IsStreamReady(StreamIdType stream_id) const override {
     auto it = stream_infos_.find(stream_id);
     if (it == stream_infos_.end()) {
       SPDY_DLOG(INFO) << "Stream " << stream_id << " not registered";
diff --git a/chromium/net/third_party/quiche/src/spdy/core/priority_write_scheduler_test.cc b/chromium/net/third_party/quiche/src/spdy/core/priority_write_scheduler_test.cc
index 08a4ff69281..7488820d06d 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/priority_write_scheduler_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/priority_write_scheduler_test.cc
@@ -4,9 +4,9 @@
 
 #include "net/third_party/quiche/src/spdy/core/priority_write_scheduler.h"
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_test_utils.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_test_helpers.h"
 
 namespace spdy {
@@ -40,8 +40,10 @@ class PriorityWriteSchedulerTest : public ::testing::Test {
 TEST_F(PriorityWriteSchedulerTest, RegisterUnregisterStreams) {
   EXPECT_FALSE(scheduler_.HasReadyStreams());
   EXPECT_FALSE(scheduler_.StreamRegistered(1));
+  EXPECT_EQ(0u, scheduler_.NumRegisteredStreams());
   scheduler_.RegisterStream(1, SpdyStreamPrecedence(1));
   EXPECT_TRUE(scheduler_.StreamRegistered(1));
+  EXPECT_EQ(1u, scheduler_.NumRegisteredStreams());
 
   // Root stream counts as already registered.
   EXPECT_SPDY_BUG(
@@ -55,12 +57,15 @@ TEST_F(PriorityWriteSchedulerTest, RegisterUnregisterStreams) {
                   "Stream 1 already registered");
 
   scheduler_.RegisterStream(2, SpdyStreamPrecedence(3));
+  EXPECT_EQ(2u, scheduler_.NumRegisteredStreams());
 
   // Verify registration != ready.
   EXPECT_FALSE(scheduler_.HasReadyStreams());
 
   scheduler_.UnregisterStream(1);
+  EXPECT_EQ(1u, scheduler_.NumRegisteredStreams());
   scheduler_.UnregisterStream(2);
+  EXPECT_EQ(0u, scheduler_.NumRegisteredStreams());
 
   // Try redundant unregistration.
   EXPECT_SPDY_BUG(scheduler_.UnregisterStream(1), "Stream 1 not registered");
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_alt_svc_wire_format_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_alt_svc_wire_format_test.cc
index c30edf298a5..bda5bc519d4 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_alt_svc_wire_format_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_alt_svc_wire_format_test.cc
@@ -4,9 +4,8 @@
 
 #include "net/third_party/quiche/src/spdy/core/spdy_alt_svc_wire_format.h"
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_logging.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor.cc
index ac93de41f11..39a2e51b3ef 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor.cc
@@ -11,7 +11,6 @@
 #include <limits>
 #include <memory>
 
-#include "testing/gmock/include/gmock/gmock.h"
 #include "net/third_party/quiche/src/http2/platform/api/http2_macros.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_constants.h"
 #include "net/third_party/quiche/src/spdy/core/mock_spdy_framer_visitor.h"
@@ -498,7 +497,7 @@ bool SpdyTestDeframerImpl::OnGoAwayFrameData(const char* goaway_data,
 }
 
 SpdyHeadersHandlerInterface* SpdyTestDeframerImpl::OnHeaderFrameStart(
-    SpdyStreamId stream_id) {
+    SpdyStreamId /*stream_id*/) {
   return this;
 }
 
@@ -736,7 +735,7 @@ void SpdyTestDeframerImpl::OnWindowUpdate(SpdyStreamId stream_id,
 // of the set of currently open streams. For now we'll assume that unknown
 // frame types are unsupported.
 bool SpdyTestDeframerImpl::OnUnknownFrame(SpdyStreamId stream_id,
-                                          uint8_t frame_type) {
+                                          uint8_t /*frame_type*/) {
   SPDY_DVLOG(1) << "OnAltSvc stream_id: " << stream_id;
   CHECK_EQ(frame_type_, UNSET)
       << "   frame_type_=" << Http2FrameTypeToString(frame_type_);
@@ -1018,8 +1017,8 @@ void DeframerCallbackCollector::OnWindowUpdate(
 
 // The SpdyFramer will not process any more data at this point.
 void DeframerCallbackCollector::OnError(
-    http2::Http2DecoderAdapter::SpdyFramerError error,
-    SpdyTestDeframer* deframer) {
+    http2::Http2DecoderAdapter::SpdyFramerError /*error*/,
+    SpdyTestDeframer* /*deframer*/) {
   CollectedFrame cf;
   cf.error_reported = true;
   collected_frames_->push_back(std::move(cf));
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor.h b/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor.h
index e3d01b2de99..272a4f6200a 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor.h
@@ -74,7 +74,6 @@
 #include <utility>
 #include <vector>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.h"
@@ -115,43 +114,43 @@ class SpdyDeframerVisitorInterface {
   static std::unique_ptr<SpdyDeframerVisitorInterface> LogBeforeVisiting(
       std::unique_ptr<SpdyDeframerVisitorInterface> wrapped_visitor);
 
-  virtual void OnAltSvc(std::unique_ptr<SpdyAltSvcIR> frame) {}
-  virtual void OnData(std::unique_ptr<SpdyDataIR> frame) {}
-  virtual void OnGoAway(std::unique_ptr<SpdyGoAwayIR> frame) {}
+  virtual void OnAltSvc(std::unique_ptr<SpdyAltSvcIR> /*frame*/) {}
+  virtual void OnData(std::unique_ptr<SpdyDataIR> /*frame*/) {}
+  virtual void OnGoAway(std::unique_ptr<SpdyGoAwayIR> /*frame*/) {}
 
   // SpdyHeadersIR and SpdyPushPromiseIR each has a SpdyHeaderBlock which
   // significantly modifies the headers, so the actual header entries (name
   // and value strings) are provided in a vector.
-  virtual void OnHeaders(std::unique_ptr<SpdyHeadersIR> frame,
-                         std::unique_ptr<StringPairVector> headers) {}
+  virtual void OnHeaders(std::unique_ptr<SpdyHeadersIR> /*frame*/,
+                         std::unique_ptr<StringPairVector> /*headers*/) {}
 
-  virtual void OnPing(std::unique_ptr<SpdyPingIR> frame) {}
-  virtual void OnPingAck(std::unique_ptr<SpdyPingIR> frame);
-  virtual void OnPriority(std::unique_ptr<SpdyPriorityIR> frame) {}
+  virtual void OnPing(std::unique_ptr<SpdyPingIR> /*frame*/) {}
+  virtual void OnPingAck(std::unique_ptr<SpdyPingIR> /*frame*/);
+  virtual void OnPriority(std::unique_ptr<SpdyPriorityIR> /*frame*/) {}
 
   // SpdyHeadersIR and SpdyPushPromiseIR each has a SpdyHeaderBlock which
   // significantly modifies the headers, so the actual header entries (name
   // and value strings) are provided in a vector.
-  virtual void OnPushPromise(std::unique_ptr<SpdyPushPromiseIR> frame,
-                             std::unique_ptr<StringPairVector> headers) {}
+  virtual void OnPushPromise(std::unique_ptr<SpdyPushPromiseIR> /*frame*/,
+                             std::unique_ptr<StringPairVector> /*headers*/) {}
 
-  virtual void OnRstStream(std::unique_ptr<SpdyRstStreamIR> frame) {}
+  virtual void OnRstStream(std::unique_ptr<SpdyRstStreamIR> /*frame*/) {}
 
   // SpdySettingsIR has a map for settings, so loses info about the order of
   // settings, and whether the same setting appeared more than once, so the
   // the actual settings (parameter and value) are provided in a vector.
-  virtual void OnSettings(std::unique_ptr<SpdySettingsIR> frame,
-                          std::unique_ptr<SettingVector> settings) {}
+  virtual void OnSettings(std::unique_ptr<SpdySettingsIR> /*frame*/,
+                          std::unique_ptr<SettingVector> /*settings*/) {}
 
   // A settings frame with an ACK has no content, but for uniformity passing
   // a frame with the ACK flag set.
-  virtual void OnSettingsAck(std::unique_ptr<SpdySettingsIR> frame);
+  virtual void OnSettingsAck(std::unique_ptr<SpdySettingsIR> /*frame*/);
 
-  virtual void OnWindowUpdate(std::unique_ptr<SpdyWindowUpdateIR> frame) {}
+  virtual void OnWindowUpdate(std::unique_ptr<SpdyWindowUpdateIR> /*frame*/) {}
 
   // The SpdyFramer will not process any more data at this point.
-  virtual void OnError(http2::Http2DecoderAdapter::SpdyFramerError error,
-                       SpdyTestDeframer* deframer) {}
+  virtual void OnError(http2::Http2DecoderAdapter::SpdyFramerError /*error*/,
+                       SpdyTestDeframer* /*deframer*/) {}
 };
 
 class SpdyTestDeframer : public SpdyFramerVisitorInterface {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor_test.cc
index e4f7218f740..82a85be2af4 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_deframer_visitor_test.cc
@@ -9,7 +9,6 @@
 #include <algorithm>
 #include <limits>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/http2/test_tools/http2_random.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_constants.h"
 #include "net/third_party/quiche/src/spdy/core/mock_spdy_framer_visitor.h"
@@ -21,6 +20,7 @@
 #include "net/third_party/quiche/src/spdy/core/spdy_test_utils.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_logging.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_ptr_util.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_frame_builder_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_frame_builder_test.cc
index 11d3c7b1925..c5f234ede1a 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_frame_builder_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_frame_builder_test.cc
@@ -6,11 +6,11 @@
 
 #include <memory>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/array_output_buffer.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_framer.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_export.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_frame_reader_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_frame_reader_test.cc
index 8caf60f552e..92c8e9bc5b9 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_frame_reader_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_frame_reader_test.cc
@@ -6,9 +6,9 @@
 
 #include <cstdint>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_arraysize.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_endianness_util.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_framer.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_framer.cc
index 4e3ad1bb570..7891d72e1f6 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_framer.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_framer.cc
@@ -840,7 +840,7 @@ class FlagsSerializationVisitor : public SpdyFrameVisitor {
     }
   }
 
-  void VisitRstStream(const SpdyRstStreamIR& rst_stream) override {
+  void VisitRstStream(const SpdyRstStreamIR& /*rst_stream*/) override {
     flags_ = kNoFlags;
   }
 
@@ -858,7 +858,9 @@ class FlagsSerializationVisitor : public SpdyFrameVisitor {
     }
   }
 
-  void VisitGoAway(const SpdyGoAwayIR& goaway) override { flags_ = kNoFlags; }
+  void VisitGoAway(const SpdyGoAwayIR& /*goaway*/) override {
+    flags_ = kNoFlags;
+  }
 
   // TODO(diannahu): The END_HEADERS flag is incorrect for HEADERS that require
   //     CONTINUATION frames.
@@ -875,7 +877,7 @@ class FlagsSerializationVisitor : public SpdyFrameVisitor {
     }
   }
 
-  void VisitWindowUpdate(const SpdyWindowUpdateIR& window_update) override {
+  void VisitWindowUpdate(const SpdyWindowUpdateIR& /*window_update*/) override {
     flags_ = kNoFlags;
   }
 
@@ -890,13 +892,15 @@ class FlagsSerializationVisitor : public SpdyFrameVisitor {
 
   // TODO(diannahu): The END_HEADERS flag is incorrect for CONTINUATIONs that
   //     require CONTINUATION frames.
-  void VisitContinuation(const SpdyContinuationIR& continuation) override {
+  void VisitContinuation(const SpdyContinuationIR& /*continuation*/) override {
     flags_ = HEADERS_FLAG_END_HEADERS;
   }
 
-  void VisitAltSvc(const SpdyAltSvcIR& altsvc) override { flags_ = kNoFlags; }
+  void VisitAltSvc(const SpdyAltSvcIR& /*altsvc*/) override {
+    flags_ = kNoFlags;
+  }
 
-  void VisitPriority(const SpdyPriorityIR& priority) override {
+  void VisitPriority(const SpdyPriorityIR& /*priority*/) override {
     flags_ = kNoFlags;
   }
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_framer_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_framer_test.cc
index 0caa160adc8..abca5a790d3 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_framer_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_framer_test.cc
@@ -12,8 +12,6 @@
 #include <tuple>
 #include <vector>
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/array_output_buffer.h"
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_constants.h"
 #include "net/third_party/quiche/src/spdy/core/mock_spdy_framer_visitor.h"
@@ -28,6 +26,7 @@
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_ptr_util.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string_utils.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 using ::http2::Http2DecoderAdapter;
 using ::testing::_;
@@ -315,14 +314,14 @@ class TestSpdyVisitor : public SpdyFramerVisitorInterface,
   }
 
   SpdyHeadersHandlerInterface* OnHeaderFrameStart(
-      SpdyStreamId stream_id) override {
+      SpdyStreamId /*stream_id*/) override {
     if (headers_handler_ == nullptr) {
       headers_handler_ = SpdyMakeUnique<TestHeadersHandler>();
     }
     return headers_handler_.get();
   }
 
-  void OnHeaderFrameEnd(SpdyStreamId stream_id) override {
+  void OnHeaderFrameEnd(SpdyStreamId /*stream_id*/) override {
     CHECK(headers_handler_ != nullptr);
     headers_ = headers_handler_->decoded_block().Clone();
     header_bytes_received_ = headers_handler_->header_bytes_parsed();
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_header_block_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_header_block_test.cc
index 3511a213918..f8694319d7c 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_header_block_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_header_block_test.cc
@@ -7,9 +7,8 @@
 #include <memory>
 #include <utility>
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_test_utils.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 using ::testing::ElementsAre;
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_intrusive_list.h b/chromium/net/third_party/quiche/src/spdy/core/spdy_intrusive_list.h
new file mode 100644
index 00000000000..16917f99ef3
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_intrusive_list.h
@@ -0,0 +1,326 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_SPDY_CORE_SPDY_INTRUSIVE_LIST_H_
+#define QUICHE_SPDY_CORE_SPDY_INTRUSIVE_LIST_H_
+
+// A SpdyIntrusiveList<> is a doubly-linked list where the link pointers are
+// embedded in the elements. They are circularly linked making insertion and
+// removal into a known position constant time and branch-free operations.
+//
+// Usage is similar to an STL list<> where feasible, but there are important
+// differences. First and foremost, the elements must derive from the
+// SpdyIntrusiveLink<> base class:
+//
+//   struct Foo : public SpdyIntrusiveLink<Foo> {
+//     // ...
+//   }
+//
+//   SpdyIntrusiveList<Foo> l;
+//   l.push_back(new Foo);
+//   l.push_front(new Foo);
+//   l.erase(&l.front());
+//   l.erase(&l.back());
+//
+// Intrusive lists are primarily useful when you would have considered embedding
+// link pointers in your class directly for space or performance reasons. An
+// SpdyIntrusiveLink<> is the size of 2 pointers, usually 16 bytes on 64-bit
+// systems. Intrusive lists do not perform memory allocation (unlike the STL
+// list<> class) and thus may use less memory than list<>. In particular, if the
+// list elements are pointers to objects, using a list<> would perform an extra
+// memory allocation for each list node structure, while an SpdyIntrusiveList<>
+// would not.
+//
+// Note that SpdyIntrusiveLink is exempt from the C++ style guide's limitations
+// on multiple inheritance, so it's fine to inherit from both SpdyIntrusiveLink
+// and a base class, even if the base class is not a pure interface.
+//
+// Because the list pointers are embedded in the objects stored in an
+// SpdyIntrusiveList<>, erasing an item from a list is constant time. Consider
+// the following:
+//
+//   map<string,Foo> foo_map;
+//   list<Foo*> foo_list;
+//
+//   foo_list.push_back(&foo_map["bar"]);
+//   foo_list.erase(&foo_map["bar"]); // Compile error!
+//
+// The problem here is that a Foo* doesn't know where on foo_list it resides,
+// so removal requires iteration over the list. Various tricks can be performed
+// to overcome this. For example, a foo_list::iterator can be stored inside of
+// the Foo object. But at that point you'd be better off using an
+// SpdyIntrusiveList<>:
+//
+//   map<string,Foo> foo_map;
+//   SpdyIntrusiveList<Foo> foo_list;
+//
+//   foo_list.push_back(&foo_map["bar"]);
+//   foo_list.erase(&foo_map["bar"]); // Yeah!
+//
+// Note that SpdyIntrusiveLists come with a few limitations. The primary
+// limitation is that the SpdyIntrusiveLink<> base class is not copyable or
+// assignable. The result is that STL algorithms which mutate the order of
+// iterators, such as reverse() and unique(), will not work by default with
+// SpdyIntrusiveLists. In order to allow these algorithms to work you'll need to
+// define swap() and/or operator= for your class.
+//
+// Another limitation is that the SpdyIntrusiveList<> structure itself is not
+// copyable or assignable since an item/link combination can only exist on one
+// SpdyIntrusiveList<> at a time. This limitation is a result of the link
+// pointers for an item being intrusive in the item itself. For example, the
+// following will not compile:
+//
+//   FooList a;
+//   FooList b(a); // no copy constructor
+//   b = a;        // no assignment operator
+//
+// The similar STL code does work since the link pointers are external to the
+// item:
+//
+//   list<int*> a;
+//   a.push_back(new int);
+//   list<int*> b(a);
+//   CHECK(a.front() == b.front());
+//
+// Note that SpdyIntrusiveList::size() runs in O(N) time.
+
+#include <stddef.h>
+#include <iterator>
+
+
+namespace spdy {
+
+template <typename T, typename ListID> class SpdyIntrusiveList;
+
+template <typename T, typename ListID = void> class SpdyIntrusiveLink {
+ protected:
+  // We declare the constructor protected so that only derived types and the
+  // befriended list can construct this.
+  SpdyIntrusiveLink() : next_(nullptr), prev_(nullptr) {}
+
+#ifndef SWIG
+  SpdyIntrusiveLink(const SpdyIntrusiveLink&) = delete;
+  SpdyIntrusiveLink& operator=(const SpdyIntrusiveLink&) = delete;
+#endif  // SWIG
+
+ private:
+  // We befriend the matching list type so that it can manipulate the links
+  // while they are kept private from others.
+  friend class SpdyIntrusiveList<T, ListID>;
+
+  // Encapsulates the logic to convert from a link to its derived type.
+  T* cast_to_derived() { return static_cast<T*>(this); }
+  const T* cast_to_derived() const { return static_cast<const T*>(this); }
+
+  SpdyIntrusiveLink* next_;
+  SpdyIntrusiveLink* prev_;
+};
+
+template <typename T, typename ListID = void> class SpdyIntrusiveList {
+  template <typename QualifiedT, typename QualifiedLinkT> class iterator_impl;
+
+ public:
+  typedef T value_type;
+  typedef value_type *pointer;
+  typedef const value_type *const_pointer;
+  typedef value_type &reference;
+  typedef const value_type &const_reference;
+  typedef size_t size_type;
+  typedef ptrdiff_t difference_type;
+
+  typedef SpdyIntrusiveLink<T, ListID> link_type;
+  typedef iterator_impl<T, link_type> iterator;
+  typedef iterator_impl<const T, const link_type> const_iterator;
+  typedef std::reverse_iterator<const_iterator> const_reverse_iterator;
+  typedef std::reverse_iterator<iterator> reverse_iterator;
+
+  SpdyIntrusiveList() { clear(); }
+  // After the move constructor the moved-from list will be empty.
+  //
+  // NOTE: There is no move assign operator (for now).
+  // The reason is that at the moment 'clear()' does not unlink the nodes.
+  // It makes is_linked() return true when it should return false.
+  // If such node is removed from the list (e.g. from its destructor), or is
+  // added to another list - a memory corruption will occur.
+  // Admitedly the destructor does not unlink the nodes either, but move-assign
+  // will likely make the problem more prominent.
+#ifndef SWIG
+  SpdyIntrusiveList(SpdyIntrusiveList&& src) noexcept {
+    clear();
+    if (src.empty()) return;
+    sentinel_link_.next_ = src.sentinel_link_.next_;
+    sentinel_link_.prev_ = src.sentinel_link_.prev_;
+    // Fix head and tail nodes of the list.
+    sentinel_link_.prev_->next_ = &sentinel_link_;
+    sentinel_link_.next_->prev_ = &sentinel_link_;
+    src.clear();
+  }
+#endif  // SWIG
+
+  iterator begin() { return iterator(sentinel_link_.next_); }
+  const_iterator begin() const { return const_iterator(sentinel_link_.next_); }
+  iterator end() { return iterator(&sentinel_link_); }
+  const_iterator end() const { return const_iterator(&sentinel_link_); }
+  reverse_iterator rbegin() { return reverse_iterator(end()); }
+  const_reverse_iterator rbegin() const {
+    return const_reverse_iterator(end());
+  }
+  reverse_iterator rend() { return reverse_iterator(begin()); }
+  const_reverse_iterator rend() const {
+    return const_reverse_iterator(begin());
+  }
+
+  bool empty() const { return (sentinel_link_.next_ == &sentinel_link_); }
+  // This runs in O(N) time.
+  size_type size() const { return std::distance(begin(), end()); }
+  size_type max_size() const { return size_type(-1); }
+
+  reference front() { return *begin(); }
+  const_reference front() const { return *begin(); }
+  reference back() { return *(--end()); }
+  const_reference back() const { return *(--end()); }
+
+  static iterator insert(iterator position, T *obj) {
+    return insert_link(position.link(), obj);
+  }
+  void push_front(T* obj) { insert(begin(), obj); }
+  void push_back(T* obj) { insert(end(), obj); }
+
+  static iterator erase(T* obj) {
+    link_type* obj_link = obj;
+    // Fix up the next and previous links for the previous and next objects.
+    obj_link->next_->prev_ = obj_link->prev_;
+    obj_link->prev_->next_ = obj_link->next_;
+    // Zero out the next and previous links for the removed item. This will
+    // cause any future attempt to remove the item from the list to cause a
+    // crash instead of possibly corrupting the list structure.
+    link_type* next_link = obj_link->next_;
+    obj_link->next_ = nullptr;
+    obj_link->prev_ = nullptr;
+    return iterator(next_link);
+  }
+
+  static iterator erase(iterator position) {
+    return erase(position.operator->());
+  }
+  void pop_front() { erase(begin()); }
+  void pop_back() { erase(--end()); }
+
+  // Check whether the given element is linked into some list. Note that this
+  // does *not* check whether it is linked into a particular list.
+  // Also, if clear() is used to clear the containing list, is_linked() will
+  // still return true even though obj is no longer in any list.
+  static bool is_linked(const T* obj) {
+    return obj->link_type::next_ != nullptr;
+  }
+
+  void clear() {
+    sentinel_link_.next_ = sentinel_link_.prev_ = &sentinel_link_;
+  }
+  void swap(SpdyIntrusiveList& x) {
+    SpdyIntrusiveList tmp;
+    tmp.splice(tmp.begin(), *this);
+    this->splice(this->begin(), x);
+    x.splice(x.begin(), tmp);
+  }
+
+  void splice(iterator pos, SpdyIntrusiveList& src) {
+    splice(pos, src.begin(), src.end());
+  }
+
+  void splice(iterator pos, iterator i) { splice(pos, i, std::next(i)); }
+
+  void splice(iterator pos, iterator first, iterator last) {
+    if (first == last) return;
+
+    link_type* const last_prev = last.link()->prev_;
+
+    // Remove from the source.
+    first.link()->prev_->next_ = last.operator->();
+    last.link()->prev_ = first.link()->prev_;
+
+    // Attach to the destination.
+    first.link()->prev_ = pos.link()->prev_;
+    pos.link()->prev_->next_ = first.operator->();
+    last_prev->next_ = pos.operator->();
+    pos.link()->prev_ = last_prev;
+  }
+
+ private:
+  static iterator insert_link(link_type* next_link, T* obj) {
+    link_type* obj_link = obj;
+    obj_link->next_ = next_link;
+    link_type* const initial_next_prev = next_link->prev_;
+    obj_link->prev_ = initial_next_prev;
+    initial_next_prev->next_ = obj_link;
+    next_link->prev_ = obj_link;
+    return iterator(obj_link);
+  }
+
+  // The iterator implementation is parameterized on a potentially qualified
+  // variant of T and the matching qualified link type. Essentially, QualifiedT
+  // will either be 'T' or 'const T', the latter for a const_iterator.
+  template <typename QualifiedT, typename QualifiedLinkT>
+  class iterator_impl : public std::iterator<std::bidirectional_iterator_tag,
+                                             QualifiedT> {
+   public:
+    typedef std::iterator<std::bidirectional_iterator_tag, QualifiedT> base;
+
+    iterator_impl() : link_(nullptr) {}
+    iterator_impl(QualifiedLinkT* link) : link_(link) {}
+    iterator_impl(const iterator_impl& x) : link_(x.link_) {}
+
+    // Allow converting and comparing across iterators where the pointer
+    // assignment and comparisons (respectively) are allowed.
+    template <typename U, typename V>
+    iterator_impl(const iterator_impl<U, V>& x) : link_(x.link_) {}
+    template <typename U, typename V>
+    bool operator==(const iterator_impl<U, V>& x) const {
+      return link_ == x.link_;
+    }
+    template <typename U, typename V>
+    bool operator!=(const iterator_impl<U, V>& x) const {
+      return link_ != x.link_;
+    }
+
+    typename base::reference operator*() const { return *operator->(); }
+    typename base::pointer operator->() const {
+      return link_->cast_to_derived();
+    }
+
+    QualifiedLinkT *link() const { return link_; }
+
+#ifndef SWIG  // SWIG can't wrap these operator overloads.
+    iterator_impl& operator++() { link_ = link_->next_; return *this; }
+    iterator_impl operator++(int /*unused*/) {
+      iterator_impl tmp = *this;
+      ++*this;
+      return tmp;
+    }
+    iterator_impl& operator--() { link_ = link_->prev_; return *this; }
+    iterator_impl operator--(int /*unused*/) {
+      iterator_impl tmp = *this;
+      --*this;
+      return tmp;
+    }
+#endif  // SWIG
+
+   private:
+    // Ensure iterators can access other iterators node directly.
+    template <typename U, typename V> friend class iterator_impl;
+
+    QualifiedLinkT* link_;
+  };
+
+  // This bare link acts as the sentinel node.
+  link_type sentinel_link_;
+
+  // These are private and undefined to prevent copying and assigning.
+  SpdyIntrusiveList(const SpdyIntrusiveList&);
+  void operator=(const SpdyIntrusiveList&);
+};
+
+}  // namespace spdy
+
+#endif  // QUICHE_SPDY_CORE_SPDY_INTRUSIVE_LIST_H_
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_intrusive_list_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_intrusive_list_test.cc
new file mode 100644
index 00000000000..eee65e34c29
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_intrusive_list_test.cc
@@ -0,0 +1,427 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/spdy/core/spdy_intrusive_list.h"
+
+#include <algorithm>
+#include <cstddef>
+#include <list>
+#include <utility>
+
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
+
+namespace spdy {
+namespace test {
+
+struct ListId2 {};
+
+struct TestItem : public SpdyIntrusiveLink<TestItem>,
+                  public SpdyIntrusiveLink<TestItem, ListId2> {
+  int n;
+};
+typedef SpdyIntrusiveList<TestItem> TestList;
+typedef std::list<TestItem*> CanonicalList;
+
+void swap(TestItem &a, TestItem &b) {
+  using std::swap;
+  swap(a.n, b.n);
+}
+
+class IntrusiveListTest : public ::testing::Test {
+ protected:
+  void CheckLists() {
+    CheckLists(l1, ll1);
+    if (::testing::Test::HasFailure()) return;
+    CheckLists(l2, ll2);
+  }
+
+  void CheckLists(const TestList &list_a, const CanonicalList &list_b) {
+    ASSERT_EQ(list_a.size(), list_b.size());
+    TestList::const_iterator it_a = list_a.begin();
+    CanonicalList::const_iterator it_b = list_b.begin();
+    while (it_a != list_a.end()) {
+      EXPECT_EQ(&*it_a++, *it_b++);
+    }
+    EXPECT_EQ(list_a.end(), it_a);
+    EXPECT_EQ(list_b.end(), it_b);
+  }
+
+  void PrepareLists(int num_elems_1, int num_elems_2 = 0) {
+    FillLists(&l1, &ll1, e, num_elems_1);
+    FillLists(&l2, &ll2, e + num_elems_1, num_elems_2);
+  }
+
+  void FillLists(TestList *list_a, CanonicalList *list_b, TestItem *elems,
+                 int num_elems) {
+    list_a->clear();
+    list_b->clear();
+    for (int i = 0; i < num_elems; ++i) {
+      list_a->push_back(elems + i);
+      list_b->push_back(elems + i);
+    }
+    CheckLists(*list_a, *list_b);
+  }
+
+  TestItem e[10];
+  TestList l1, l2;
+  CanonicalList ll1, ll2;
+};
+
+TEST(NewIntrusiveListTest, Basic) {
+  TestList list1;
+
+  CHECK_EQ(sizeof(SpdyIntrusiveLink<TestItem>), sizeof(void *) * 2);
+
+  for (int i = 0; i < 10; ++i) {
+    TestItem *e = new TestItem;
+    e->n = i;
+    list1.push_front(e);
+  }
+  CHECK_EQ(list1.size(), 10);
+
+  // Verify we can reverse a list because we defined swap for TestItem.
+  std::reverse(list1.begin(), list1.end());
+  CHECK_EQ(list1.size(), 10);
+
+  // Check both const and non-const forward iteration.
+  const TestList& clist1 = list1;
+  int i = 0;
+  TestList::iterator iter = list1.begin();
+  for (;
+       iter != list1.end();
+       ++iter, ++i) {
+    CHECK_EQ(iter->n, i);
+  }
+  CHECK(iter == clist1.end());
+  CHECK(iter != clist1.begin());
+  i = 0;
+  iter = list1.begin();
+  for (;
+       iter != list1.end();
+       ++iter, ++i) {
+    CHECK_EQ(iter->n, i);
+  }
+  CHECK(iter == clist1.end());
+  CHECK(iter != clist1.begin());
+
+  CHECK_EQ(list1.front().n, 0);
+  CHECK_EQ(list1.back().n, 9);
+
+  // Verify we can swap 2 lists.
+  TestList list2;
+  list2.swap(list1);
+  CHECK_EQ(list1.size(), 0);
+  CHECK_EQ(list2.size(), 10);
+
+  // Check both const and non-const reverse iteration.
+  const TestList& clist2 = list2;
+  TestList::reverse_iterator riter = list2.rbegin();
+  i = 9;
+  for (;
+       riter != list2.rend();
+       ++riter, --i) {
+    CHECK_EQ(riter->n, i);
+  }
+  CHECK(riter == clist2.rend());
+  CHECK(riter != clist2.rbegin());
+
+  riter = list2.rbegin();
+  i = 9;
+  for (;
+       riter != list2.rend();
+       ++riter, --i) {
+    CHECK_EQ(riter->n, i);
+  }
+  CHECK(riter == clist2.rend());
+  CHECK(riter != clist2.rbegin());
+
+  while (!list2.empty()) {
+    TestItem *e = &list2.front();
+    list2.pop_front();
+    delete e;
+  }
+}
+
+TEST(NewIntrusiveListTest, Erase) {
+  TestList l;
+  TestItem *e[10];
+
+  // Create a list with 10 items.
+  for (int i = 0; i < 10; ++i) {
+    e[i] = new TestItem;
+    l.push_front(e[i]);
+  }
+
+  // Test that erase works.
+  for (int i = 0; i < 10; ++i) {
+    CHECK_EQ(l.size(), (10 - i));
+
+    TestList::iterator iter = l.erase(e[i]);
+    CHECK(iter != TestList::iterator(e[i]));
+
+    CHECK_EQ(l.size(), (10 - i - 1));
+    delete e[i];
+  }
+}
+
+TEST(NewIntrusiveListTest, Insert) {
+  TestList l;
+  TestList::iterator iter = l.end();
+  TestItem *e[10];
+
+  // Create a list with 10 items.
+  for (int i = 9; i >= 0; --i) {
+    e[i] = new TestItem;
+    iter = l.insert(iter, e[i]);
+    CHECK_EQ(&(*iter), e[i]);
+  }
+
+  CHECK_EQ(l.size(), 10);
+
+  // Verify insertion order.
+  iter = l.begin();
+  for (TestItem *item : e) {
+    CHECK_EQ(&(*iter), item);
+    iter = l.erase(item);
+    delete item;
+  }
+}
+
+TEST(NewIntrusiveListTest, Move) {
+  // Move contructible.
+
+  {  // Move-construct from an empty list.
+    TestList src;
+    TestList dest(std::move(src));
+    EXPECT_TRUE(dest.empty());
+  }
+
+  {  // Move-construct from a single item list.
+    TestItem e;
+    TestList src;
+    src.push_front(&e);
+
+    TestList dest(std::move(src));
+    EXPECT_TRUE(src.empty());  // NOLINT bugprone-use-after-move
+    ASSERT_THAT(dest.size(), 1);
+    EXPECT_THAT(&dest.front(), &e);
+    EXPECT_THAT(&dest.back(), &e);
+  }
+
+  {  // Move-construct from a list with multiple items.
+    TestItem items[10];
+    TestList src;
+    for (TestItem &e : items) src.push_back(&e);
+
+    TestList dest(std::move(src));
+    EXPECT_TRUE(src.empty());  // NOLINT bugprone-use-after-move
+    // Verify the items on the destination list.
+    ASSERT_THAT(dest.size(), 10);
+    int i = 0;
+    for (TestItem &e : dest) {
+      EXPECT_THAT(&e, &items[i++]) << " for index " << i;
+    }
+  }
+}
+
+TEST(NewIntrusiveListTest, StaticInsertErase) {
+  TestList l;
+  TestItem e[2];
+  TestList::iterator i = l.begin();
+  TestList::insert(i, &e[0]);
+  TestList::insert(&e[0], &e[1]);
+  TestList::erase(&e[0]);
+  TestList::erase(TestList::iterator(&e[1]));
+  EXPECT_TRUE(l.empty());
+}
+
+TEST_F(IntrusiveListTest, Splice) {
+  // We verify that the contents of this secondary list aren't affected by any
+  // of the splices.
+  SpdyIntrusiveList<TestItem, ListId2> secondary_list;
+  for (int i  = 0; i < 3; ++i) {
+    secondary_list.push_back(&e[i]);
+  }
+
+  // Test the basic cases:
+  // - The lists range from 0 to 2 elements.
+  // - The insertion point ranges from begin() to end()
+  // - The transfered range has multiple sizes and locations in the source.
+  for (int l1_count = 0; l1_count < 3; ++l1_count) {
+    for (int l2_count = 0; l2_count < 3; ++l2_count) {
+      for (int pos = 0; pos <= l1_count; ++pos) {
+        for (int first = 0; first <= l2_count; ++first) {
+          for (int last = first; last <= l2_count; ++last) {
+            PrepareLists(l1_count, l2_count);
+
+            l1.splice(std::next(l1.begin(), pos), std::next(l2.begin(), first),
+                      std::next(l2.begin(), last));
+            ll1.splice(std::next(ll1.begin(), pos), ll2,
+                       std::next(ll2.begin(), first),
+                       std::next(ll2.begin(), last));
+
+            CheckLists();
+
+            ASSERT_EQ(3, secondary_list.size());
+            for (int i = 0; i < 3; ++i) {
+              EXPECT_EQ(&e[i], &*std::next(secondary_list.begin(), i));
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
+// Build up a set of classes which form "challenging" type hierarchies to use
+// with an SpdyIntrusiveList.
+struct BaseLinkId {};
+struct DerivedLinkId {};
+
+struct AbstractBase : public SpdyIntrusiveLink<AbstractBase, BaseLinkId> {
+  virtual ~AbstractBase() = 0;
+  virtual SpdyString name() { return "AbstractBase"; }
+};
+AbstractBase::~AbstractBase() {}
+struct DerivedClass : public SpdyIntrusiveLink<DerivedClass, DerivedLinkId>,
+                      public AbstractBase {
+  virtual ~DerivedClass() {}
+  virtual SpdyString name() { return "DerivedClass"; }
+};
+struct VirtuallyDerivedBaseClass : public virtual AbstractBase {
+  virtual ~VirtuallyDerivedBaseClass() = 0;
+  virtual SpdyString name() { return "VirtuallyDerivedBaseClass"; }
+};
+VirtuallyDerivedBaseClass::~VirtuallyDerivedBaseClass() {}
+struct VirtuallyDerivedClassA
+    : public SpdyIntrusiveLink<VirtuallyDerivedClassA, DerivedLinkId>,
+      public virtual VirtuallyDerivedBaseClass {
+  virtual ~VirtuallyDerivedClassA() {}
+  virtual SpdyString name() { return "VirtuallyDerivedClassA"; }
+};
+struct NonceClass {
+  virtual ~NonceClass() {}
+  int data_;
+};
+struct VirtuallyDerivedClassB
+    : public SpdyIntrusiveLink<VirtuallyDerivedClassB, DerivedLinkId>,
+      public virtual NonceClass,
+      public virtual VirtuallyDerivedBaseClass {
+  virtual ~VirtuallyDerivedClassB() {}
+  virtual SpdyString name() { return "VirtuallyDerivedClassB"; }
+};
+struct VirtuallyDerivedClassC
+    : public SpdyIntrusiveLink<VirtuallyDerivedClassC, DerivedLinkId>,
+      public virtual AbstractBase,
+      public virtual NonceClass,
+      public virtual VirtuallyDerivedBaseClass {
+  virtual ~VirtuallyDerivedClassC() {}
+  virtual SpdyString name() { return "VirtuallyDerivedClassC"; }
+};
+
+// Test for multiple layers between the element type and the link.
+namespace templated_base_link {
+template <typename T> struct AbstractBase : public SpdyIntrusiveLink<T> {
+  virtual ~AbstractBase() = 0;
+};
+template <typename T> AbstractBase<T>::~AbstractBase() {}
+struct DerivedClass : public AbstractBase<DerivedClass> {
+  int n;
+};
+}
+
+TEST(NewIntrusiveListTest, HandleInheritanceHierarchies) {
+  {
+    SpdyIntrusiveList<DerivedClass, DerivedLinkId> list;
+    DerivedClass elements[2];
+    EXPECT_TRUE(list.empty());
+    list.push_back(&elements[0]);
+    EXPECT_EQ(1, list.size());
+    list.push_back(&elements[1]);
+    EXPECT_EQ(2, list.size());
+    list.pop_back();
+    EXPECT_EQ(1, list.size());
+    list.pop_back();
+    EXPECT_TRUE(list.empty());
+  }
+  {
+    SpdyIntrusiveList<VirtuallyDerivedClassA, DerivedLinkId> list;
+    VirtuallyDerivedClassA elements[2];
+    EXPECT_TRUE(list.empty());
+    list.push_back(&elements[0]);
+    EXPECT_EQ(1, list.size());
+    list.push_back(&elements[1]);
+    EXPECT_EQ(2, list.size());
+    list.pop_back();
+    EXPECT_EQ(1, list.size());
+    list.pop_back();
+    EXPECT_TRUE(list.empty());
+  }
+  {
+    SpdyIntrusiveList<VirtuallyDerivedClassC, DerivedLinkId> list;
+    VirtuallyDerivedClassC elements[2];
+    EXPECT_TRUE(list.empty());
+    list.push_back(&elements[0]);
+    EXPECT_EQ(1, list.size());
+    list.push_back(&elements[1]);
+    EXPECT_EQ(2, list.size());
+    list.pop_back();
+    EXPECT_EQ(1, list.size());
+    list.pop_back();
+    EXPECT_TRUE(list.empty());
+  }
+  {
+    SpdyIntrusiveList<AbstractBase, BaseLinkId> list;
+    DerivedClass d1;
+    VirtuallyDerivedClassA d2;
+    VirtuallyDerivedClassB d3;
+    VirtuallyDerivedClassC d4;
+    EXPECT_TRUE(list.empty());
+    list.push_back(&d1);
+    EXPECT_EQ(1, list.size());
+    list.push_back(&d2);
+    EXPECT_EQ(2, list.size());
+    list.push_back(&d3);
+    EXPECT_EQ(3, list.size());
+    list.push_back(&d4);
+    EXPECT_EQ(4, list.size());
+    SpdyIntrusiveList<AbstractBase, BaseLinkId>::iterator it = list.begin();
+    EXPECT_EQ("DerivedClass",           (it++)->name());
+    EXPECT_EQ("VirtuallyDerivedClassA", (it++)->name());
+    EXPECT_EQ("VirtuallyDerivedClassB", (it++)->name());
+    EXPECT_EQ("VirtuallyDerivedClassC", (it++)->name());
+  }
+  {
+    SpdyIntrusiveList<templated_base_link::DerivedClass> list;
+    templated_base_link::DerivedClass elements[2];
+    EXPECT_TRUE(list.empty());
+    list.push_back(&elements[0]);
+    EXPECT_EQ(1, list.size());
+    list.push_back(&elements[1]);
+    EXPECT_EQ(2, list.size());
+    list.pop_back();
+    EXPECT_EQ(1, list.size());
+    list.pop_back();
+    EXPECT_TRUE(list.empty());
+  }
+}
+
+
+class IntrusiveListTagTypeTest : public testing::Test {
+ protected:
+  struct Tag {};
+  class Element : public SpdyIntrusiveLink<Element, Tag> {};
+};
+
+TEST_F(IntrusiveListTagTypeTest, TagTypeListID) {
+  SpdyIntrusiveList<Element, Tag> list;
+  {
+    Element e;
+    list.push_back(&e);
+  }
+}
+
+}  // namespace test
+}  // namespace spdy
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_no_op_visitor.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_no_op_visitor.cc
index 5dcc15c70fa..20a19f72fcc 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_no_op_visitor.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_no_op_visitor.cc
@@ -16,12 +16,12 @@ SpdyNoOpVisitor::SpdyNoOpVisitor() {
 SpdyNoOpVisitor::~SpdyNoOpVisitor() = default;
 
 SpdyHeadersHandlerInterface* SpdyNoOpVisitor::OnHeaderFrameStart(
-    SpdyStreamId stream_id) {
+    SpdyStreamId /*stream_id*/) {
   return this;
 }
 
-bool SpdyNoOpVisitor::OnUnknownFrame(SpdyStreamId stream_id,
-                                     uint8_t frame_type) {
+bool SpdyNoOpVisitor::OnUnknownFrame(SpdyStreamId /*stream_id*/,
+                                     uint8_t /*frame_type*/) {
   return true;
 }
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_no_op_visitor.h b/chromium/net/third_party/quiche/src/spdy/core/spdy_no_op_visitor.h
index 80e1535514c..6e4a48a9cd2 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_no_op_visitor.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_no_op_visitor.h
@@ -26,59 +26,63 @@ class SpdyNoOpVisitor : public SpdyFramerVisitorInterface,
   ~SpdyNoOpVisitor() override;
 
   // SpdyFramerVisitorInterface methods:
-  void OnError(http2::Http2DecoderAdapter::SpdyFramerError error) override {}
+  void OnError(http2::Http2DecoderAdapter::SpdyFramerError /*error*/) override {
+  }
   SpdyHeadersHandlerInterface* OnHeaderFrameStart(
       SpdyStreamId stream_id) override;
-  void OnHeaderFrameEnd(SpdyStreamId stream_id) override {}
-  void OnDataFrameHeader(SpdyStreamId stream_id,
-                         size_t length,
-                         bool fin) override {}
-  void OnStreamFrameData(SpdyStreamId stream_id,
-                         const char* data,
-                         size_t len) override {}
-  void OnStreamEnd(SpdyStreamId stream_id) override {}
-  void OnStreamPadding(SpdyStreamId stream_id, size_t len) override {}
-  void OnRstStream(SpdyStreamId stream_id, SpdyErrorCode error_code) override {}
-  void OnSetting(SpdySettingsId id, uint32_t value) override {}
-  void OnPing(SpdyPingId unique_id, bool is_ack) override {}
+  void OnHeaderFrameEnd(SpdyStreamId /*stream_id*/) override {}
+  void OnDataFrameHeader(SpdyStreamId /*stream_id*/,
+                         size_t /*length*/,
+                         bool /*fin*/) override {}
+  void OnStreamFrameData(SpdyStreamId /*stream_id*/,
+                         const char* /*data*/,
+                         size_t /*len*/) override {}
+  void OnStreamEnd(SpdyStreamId /*stream_id*/) override {}
+  void OnStreamPadding(SpdyStreamId /*stream_id*/, size_t /*len*/) override {}
+  void OnRstStream(SpdyStreamId /*stream_id*/,
+                   SpdyErrorCode /*error_code*/) override {}
+  void OnSetting(SpdySettingsId /*id*/, uint32_t /*value*/) override {}
+  void OnPing(SpdyPingId /*unique_id*/, bool /*is_ack*/) override {}
   void OnSettingsEnd() override {}
   void OnSettingsAck() override {}
-  void OnGoAway(SpdyStreamId last_accepted_stream_id,
-                SpdyErrorCode error_code) override {}
-  void OnHeaders(SpdyStreamId stream_id,
-                 bool has_priority,
-                 int weight,
-                 SpdyStreamId parent_stream_id,
-                 bool exclusive,
-                 bool fin,
-                 bool end) override {}
-  void OnWindowUpdate(SpdyStreamId stream_id, int delta_window_size) override {}
-  void OnPushPromise(SpdyStreamId stream_id,
-                     SpdyStreamId promised_stream_id,
-                     bool end) override {}
-  void OnContinuation(SpdyStreamId stream_id, bool end) override {}
-  void OnAltSvc(SpdyStreamId stream_id,
-                SpdyStringPiece origin,
+  void OnGoAway(SpdyStreamId /*last_accepted_stream_id*/,
+                SpdyErrorCode /*error_code*/) override {}
+  void OnHeaders(SpdyStreamId /*stream_id*/,
+                 bool /*has_priority*/,
+                 int /*weight*/,
+                 SpdyStreamId /*parent_stream_id*/,
+                 bool /*exclusive*/,
+                 bool /*fin*/,
+                 bool /*end*/) override {}
+  void OnWindowUpdate(SpdyStreamId /*stream_id*/,
+                      int /*delta_window_size*/) override {}
+  void OnPushPromise(SpdyStreamId /*stream_id*/,
+                     SpdyStreamId /*promised_stream_id*/,
+                     bool /*end*/) override {}
+  void OnContinuation(SpdyStreamId /*stream_id*/, bool /*end*/) override {}
+  void OnAltSvc(SpdyStreamId /*stream_id*/,
+                SpdyStringPiece /*origin*/,
                 const SpdyAltSvcWireFormat::AlternativeServiceVector&
-                    altsvc_vector) override {}
-  void OnPriority(SpdyStreamId stream_id,
-                  SpdyStreamId parent_stream_id,
-                  int weight,
-                  bool exclusive) override {}
-  bool OnUnknownFrame(SpdyStreamId stream_id, uint8_t frame_type) override;
+                /*altsvc_vector*/) override {}
+  void OnPriority(SpdyStreamId /*stream_id*/,
+                  SpdyStreamId /*parent_stream_id*/,
+                  int /*weight*/,
+                  bool /*exclusive*/) override {}
+  bool OnUnknownFrame(SpdyStreamId /*stream_id*/,
+                      uint8_t /*frame_type*/) override;
 
   // SpdyFramerDebugVisitorInterface methods:
-  void OnSendCompressedFrame(SpdyStreamId stream_id,
-                             SpdyFrameType type,
-                             size_t payload_len,
-                             size_t frame_len) override {}
-  void OnReceiveCompressedFrame(SpdyStreamId stream_id,
-                                SpdyFrameType type,
-                                size_t frame_len) override {}
+  void OnSendCompressedFrame(SpdyStreamId /*stream_id*/,
+                             SpdyFrameType /*type*/,
+                             size_t /*payload_len*/,
+                             size_t /*frame_len*/) override {}
+  void OnReceiveCompressedFrame(SpdyStreamId /*stream_id*/,
+                                SpdyFrameType /*type*/,
+                                size_t /*frame_len*/) override {}
 
   // SpdyHeadersHandlerInterface methods:
   void OnHeaderBlockStart() override {}
-  void OnHeader(SpdyStringPiece key, SpdyStringPiece value) override {}
+  void OnHeader(SpdyStringPiece /*key*/, SpdyStringPiece /*value*/) override {}
   void OnHeaderBlockEnd(size_t /* uncompressed_header_bytes */,
                         size_t /* compressed_header_bytes */) override {}
 };
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_pinnable_buffer_piece_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_pinnable_buffer_piece_test.cc
index d5a6c33f6f5..d62af5bf37a 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_pinnable_buffer_piece_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_pinnable_buffer_piece_test.cc
@@ -4,10 +4,9 @@
 
 #include "net/third_party/quiche/src/spdy/core/spdy_pinnable_buffer_piece.h"
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_prefixed_buffer_reader.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_prefixed_buffer_reader_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_prefixed_buffer_reader_test.cc
index 1d052c7f21c..f570dfc411d 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_prefixed_buffer_reader_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_prefixed_buffer_reader_test.cc
@@ -4,10 +4,9 @@
 
 #include "net/third_party/quiche/src/spdy/core/spdy_prefixed_buffer_reader.h"
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string_piece.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol.cc
index e454e081389..d9b642f4649 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol.cc
@@ -4,6 +4,7 @@
 
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 
+#include <limits>
 #include <ostream>
 
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_bug_tracker.h"
@@ -24,10 +25,9 @@ std::ostream& operator<<(std::ostream& out, SpdyFrameType frame_type) {
 }
 
 SpdyPriority ClampSpdy3Priority(SpdyPriority priority) {
-  if (priority < kV3HighestPriority) {
-    SPDY_BUG << "Invalid priority: " << static_cast<int>(priority);
-    return kV3HighestPriority;
-  }
+  static_assert(std::numeric_limits<SpdyPriority>::min() == kV3HighestPriority,
+                "The value of given priority shouldn't be smaller than highest "
+                "priority. Check this invariant explicitly.");
   if (priority > kV3LowestPriority) {
     SPDY_BUG << "Invalid priority: " << static_cast<int>(priority);
     return kV3LowestPriority;
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol.h b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol.h
index 0454d73ff86..2d2ce967e6c 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol.h
@@ -196,6 +196,15 @@ enum SpdyErrorCode : uint32_t {
   ERROR_CODE_MAX = ERROR_CODE_HTTP_1_1_REQUIRED
 };
 
+// Type of priority write scheduler.
+enum class WriteSchedulerType {
+  LIFO,  // Last added stream has the highest priority.
+  SPDY,  // Uses SPDY priorities described in
+         // https://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3-1#TOC-2.3.3-Stream-priority.
+  HTTP2,  // Uses HTTP2 (tree-style) priority described in
+          // https://tools.ietf.org/html/rfc7540#section-5.3.
+};
+
 // A SPDY priority is a number between 0 and 7 (inclusive).
 typedef uint8_t SpdyPriority;
 
@@ -1013,7 +1022,7 @@ class SPDY_EXPORT_PRIVATE SpdyFrameVisitor {
   virtual void VisitAltSvc(const SpdyAltSvcIR& altsvc) = 0;
   virtual void VisitPriority(const SpdyPriorityIR& priority) = 0;
   virtual void VisitData(const SpdyDataIR& data) = 0;
-  virtual void VisitUnknown(const SpdyUnknownIR& unknown) {
+  virtual void VisitUnknown(const SpdyUnknownIR& /*unknown*/) {
     // TODO(birenroy): make abstract.
   }
 
@@ -1038,17 +1047,17 @@ class SPDY_EXPORT_PRIVATE SpdyFramerDebugVisitorInterface {
   // a list of name-value pairs.
   // |payload_len| is the uncompressed payload size.
   // |frame_len| is the compressed frame size.
-  virtual void OnSendCompressedFrame(SpdyStreamId stream_id,
-                                     SpdyFrameType type,
-                                     size_t payload_len,
-                                     size_t frame_len) {}
+  virtual void OnSendCompressedFrame(SpdyStreamId /*stream_id*/,
+                                     SpdyFrameType /*type*/,
+                                     size_t /*payload_len*/,
+                                     size_t /*frame_len*/) {}
 
   // Called when a frame containing a compressed payload of
   // name-value pairs is received.
   // |frame_len| is the compressed frame size.
-  virtual void OnReceiveCompressedFrame(SpdyStreamId stream_id,
-                                        SpdyFrameType type,
-                                        size_t frame_len) {}
+  virtual void OnReceiveCompressedFrame(SpdyStreamId /*stream_id*/,
+                                        SpdyFrameType /*type*/,
+                                        size_t /*frame_len*/) {}
 };
 
 // Calculates the number of bytes required to serialize a SpdyHeadersIR, not
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test.cc
index fc595a23f06..e10d2d6c202 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test.cc
@@ -8,9 +8,9 @@
 #include <limits>
 #include <memory>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_bitmasks.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_test_utils.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_test_helpers.h"
 
 namespace spdy {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.cc
index 5714aa9b377..b8ffb4a39da 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.cc
@@ -32,8 +32,8 @@ namespace test {
 }
 
 ::testing::AssertionResult VerifySpdyFrameIREquals(
-    const SpdyContinuationIR& expected,
-    const SpdyContinuationIR& actual) {
+    const SpdyContinuationIR& /*expected*/,
+    const SpdyContinuationIR& /*actual*/) {
   return ::testing::AssertionFailure()
          << "VerifySpdyFrameIREquals SpdyContinuationIR not yet implemented";
 }
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.h b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.h
index bb8bea31268..8012db1240e 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_protocol_test_utils.h
@@ -19,12 +19,11 @@
 
 #include <typeinfo>
 
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/http2/platform/api/http2_test_helpers.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_test_utils.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_logging.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_simple_arena_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_simple_arena_test.cc
index fc4b13033b9..217e2d798e2 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_simple_arena_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_simple_arena_test.cc
@@ -6,9 +6,9 @@
 
 #include <vector>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string_piece.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 namespace {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_test_utils.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_test_utils.cc
index 622a5a696a1..bf54a1a8361 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_test_utils.cc
@@ -11,9 +11,9 @@
 #include <utility>
 #include <vector>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_endianness_util.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_logging.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/spdy/core/write_scheduler.h b/chromium/net/third_party/quiche/src/spdy/core/write_scheduler.h
index 07e5fb32c60..98db442437e 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/write_scheduler.h
+++ b/chromium/net/third_party/quiche/src/spdy/core/write_scheduler.h
@@ -147,6 +147,12 @@ class SPDY_EXPORT_PRIVATE WriteScheduler {
   // Returns the number of streams currently marked ready.
   virtual size_t NumReadyStreams() const = 0;
 
+  // Returns true if stream with |stream_id| is ready.
+  virtual bool IsStreamReady(StreamIdType stream_id) const = 0;
+
+  // Returns the number of registered streams.
+  virtual size_t NumRegisteredStreams() const = 0;
+
   // Returns summary of internal state, for logging/debugging.
   virtual SpdyString DebugString() const = 0;
 };
diff --git a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_containers.h b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_containers.h
index e4f4c494eb4..9a90556173c 100644
--- a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_containers.h
+++ b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_containers.h
@@ -37,6 +37,12 @@ inline size_t SpdyHashStringPair(SpdyStringPiece a, SpdyStringPiece b) {
   return SpdyHashStringPairImpl(a, b);
 }
 
+// Used for maps that are typically small, then it is faster than (for example)
+// hash_map which is optimized for large data sets. SpdySmallMap upgrades itself
+// automatically to a SpdySmallMapImpl-specified map when it runs out of space.
+template <typename Key, typename Value, int Size>
+using SpdySmallMap = SpdySmallMapImpl<Key, Value, Size>;
+
 }  // namespace spdy
 
 #endif  // QUICHE_SPDY_PLATFORM_API_SPDY_CONTAINERS_H_
diff --git a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_map_util.h b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_map_util.h
new file mode 100644
index 00000000000..e9b5f857b8c
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_map_util.h
@@ -0,0 +1,19 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_SPDY_PLATFORM_API_SPDY_MAP_UTIL_H_
+#define QUICHE_SPDY_PLATFORM_API_SPDY_MAP_UTIL_H_
+
+#include "net/spdy/platform/impl/spdy_map_util_impl.h"
+
+namespace spdy {
+
+template <class Collection, class Key>
+bool SpdyContainsKey(const Collection& collection, const Key& key) {
+  return SpdyContainsKeyImpl(collection, key);
+}
+
+}  // namespace spdy
+
+#endif  // QUICHE_SPDY_PLATFORM_API_SPDY_MAP_UTIL_H_
diff --git a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_mem_slice_test.cc b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_mem_slice_test.cc
index af323f6767d..84313b0a7b2 100644
--- a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_mem_slice_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_mem_slice_test.cc
@@ -6,7 +6,11 @@
 
 #include <utility>
 
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Weverything"
+
 #include "testing/gtest/include/gtest/gtest.h"
+#pragma clang diagnostic pop
 
 namespace spdy {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_string_utils_test.cc b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_string_utils_test.cc
index 3f7e6a1882f..91656ae165c 100644
--- a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_string_utils_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_string_utils_test.cc
@@ -6,8 +6,8 @@
 
 #include <cstdint>
 
-#include "testing/gtest/include/gtest/gtest.h"
 #include "net/third_party/quiche/src/spdy/platform/api/spdy_string_piece.h"
+#include "net/third_party/quiche/src/spdy/platform/api/spdy_test.h"
 
 namespace spdy {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_test.h b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_test.h
new file mode 100644
index 00000000000..3b00cc0f6cd
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_test.h
@@ -0,0 +1,10 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_SPDY_PLATFORM_API_SPDY_TEST_H_
+#define QUICHE_SPDY_PLATFORM_API_SPDY_TEST_H_
+
+#include "net/spdy/platform/impl/spdy_test_impl.h"
+
+#endif  // QUICHE_SPDY_PLATFORM_API_SPDY_TEST_H_
diff --git a/chromium/net/third_party/uri_template/uri_template_fuzzer.cc b/chromium/net/third_party/uri_template/uri_template_fuzzer.cc
index e444a0fdf27..148dbbad8d3 100644
--- a/chromium/net/third_party/uri_template/uri_template_fuzzer.cc
+++ b/chromium/net/third_party/uri_template/uri_template_fuzzer.cc
@@ -4,11 +4,11 @@
 
 #include "net/third_party/uri_template/uri_template.h"
 
-#include "base/test/fuzzed_data_provider.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider fuzzed_data(data, size);
+  FuzzedDataProvider fuzzed_data(data, size);
   std::string uri_template = fuzzed_data.ConsumeRandomLengthString(256);
   // Construct a map containing variable names and corresponding values.
   std::unordered_map<std::string, std::string> parameters;
diff --git a/chromium/net/tools/cachetool/cachetool.cc b/chromium/net/tools/cachetool/cachetool.cc
index 2e57733aabd..7592203f450 100644
--- a/chromium/net/tools/cachetool/cachetool.cc
+++ b/chromium/net/tools/cachetool/cachetool.cc
@@ -12,12 +12,12 @@
 #include "base/format_macros.h"
 #include "base/hash/md5.h"
 #include "base/logging.h"
-#include "base/message_loop/message_loop.h"
 #include "base/run_loop.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/stringprintf.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/task/thread_pool/thread_pool.h"
 #include "net/base/io_buffer.h"
 #include "net/base/test_completion_callback.h"
@@ -667,7 +667,7 @@ bool ExecuteCommands(CommandMarshal* command_marshal) {
 
 int main(int argc, char* argv[]) {
   base::AtExitManager at_exit_manager;
-  base::MessageLoopForIO message_loop;
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
   base::CommandLine::Init(argc, argv);
   const base::CommandLine& command_line =
       *base::CommandLine::ForCurrentProcess();
diff --git a/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc b/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
index 75600e71ab3..ef089bdd9b9 100644
--- a/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
+++ b/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
@@ -188,7 +188,9 @@ std::unique_ptr<CertVerifyImpl> CreateCertVerifyImplFromName(
   if (impl_name == "builtin") {
     return std::make_unique<CertVerifyImplUsingProc>(
         "CertVerifyProcBuiltin",
-        net::CreateCertVerifyProcBuiltin(std::move(cert_net_fetcher)));
+        net::CreateCertVerifyProcBuiltin(
+            std::move(cert_net_fetcher),
+            nullptr /* system_trust_store_provider */));
   }
 
   if (impl_name == "pathbuilder")
diff --git a/chromium/net/tools/crash_cache/crash_cache.cc b/chromium/net/tools/crash_cache/crash_cache.cc
index e90f6c5945c..4b01e3b3a31 100644
--- a/chromium/net/tools/crash_cache/crash_cache.cc
+++ b/chromium/net/tools/crash_cache/crash_cache.cc
@@ -13,7 +13,6 @@
 #include "base/command_line.h"
 #include "base/files/file_util.h"
 #include "base/logging.h"
-#include "base/message_loop/message_loop.h"
 #include "base/path_service.h"
 #include "base/process/kill.h"
 #include "base/process/launch.h"
@@ -21,6 +20,7 @@
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/threading/thread.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_export.h"
@@ -327,7 +327,7 @@ int LoadOperations(const base::FilePath& path, RankCrashes action,
 
 // Main function on the child process.
 int SlaveCode(const base::FilePath& path, RankCrashes action) {
-  base::MessageLoopForIO message_loop;
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
 
   base::FilePath full_path;
   if (!CreateTargetFolder(path, action, &full_path)) {
@@ -337,7 +337,7 @@ int SlaveCode(const base::FilePath& path, RankCrashes action) {
 
   base::Thread cache_thread("CacheThread");
   if (!cache_thread.StartWithOptions(
-          base::Thread::Options(base::MessageLoop::TYPE_IO, 0)))
+          base::Thread::Options(base::MessagePump::Type::IO, 0)))
     return GENERIC;
 
   if (action <= disk_cache::INSERT_ONE_3)
diff --git a/chromium/net/tools/dump_cache/dump_files.cc b/chromium/net/tools/dump_cache/dump_files.cc
index 6ff0c87cc51..6f68ee1d5bd 100644
--- a/chromium/net/tools/dump_cache/dump_files.cc
+++ b/chromium/net/tools/dump_cache/dump_files.cc
@@ -20,9 +20,9 @@
 #include "base/files/file_util.h"
 #include "base/format_macros.h"
 #include "base/macros.h"
-#include "base/message_loop/message_loop.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
+#include "base/task/single_thread_task_executor.h"
 #include "net/disk_cache/blockfile/block_files.h"
 #include "net/disk_cache/blockfile/disk_format.h"
 #include "net/disk_cache/blockfile/mapped_file.h"
@@ -61,8 +61,8 @@ int GetMajorVersionFromFile(const base::FilePath& name) {
 
 // Dumps the contents of the Stats record.
 void DumpStats(const base::FilePath& path, disk_cache::CacheAddr addr) {
-  // We need a message loop, although we really don't run any task.
-  base::MessageLoopForIO loop;
+  // We need a task executor, although we really don't run any task.
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
 
   disk_cache::BlockFiles block_files(path);
   if (!block_files.Init(false)) {
@@ -445,8 +445,8 @@ int DumpContents(const base::FilePath& input_path) {
   if (!print_csv)
     DumpIndexHeader(input_path.Append(kIndexName), nullptr);
 
-  // We need a message loop, although we really don't run any task.
-  base::MessageLoopForIO loop;
+  // We need a task executor, although we really don't run any task.
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
   CacheDumper dumper(input_path);
   if (!dumper.Init())
     return -1;
@@ -481,8 +481,8 @@ int DumpLists(const base::FilePath& input_path) {
   if (!ReadHeader(index_name, reinterpret_cast<char*>(&header), sizeof(header)))
     return -1;
 
-  // We need a message loop, although we really don't run any task.
-  base::MessageLoopForIO loop;
+  // We need a task executor, although we really don't run any task.
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
   CacheDumper dumper(input_path);
   if (!dumper.Init())
     return -1;
@@ -534,8 +534,8 @@ int DumpEntryAt(const base::FilePath& input_path, const std::string& at) {
   if (!ReadHeader(index_name, reinterpret_cast<char*>(&header), sizeof(header)))
     return -1;
 
-  // We need a message loop, although we really don't run any task.
-  base::MessageLoopForIO loop;
+  // We need a task executor, although we really don't run any task.
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
   CacheDumper dumper(input_path);
   if (!dumper.Init())
     return -1;
diff --git a/chromium/net/tools/gssapi/README.md b/chromium/net/tools/gssapi/README.md
new file mode 100644
index 00000000000..23c70750c2b
--- /dev/null
+++ b/chromium/net/tools/gssapi/README.md
@@ -0,0 +1,5 @@
+# Fake GSSAPI Library
+
+This directory has the pieces necessary to build a fake GSSAPI library that
+looks like the real thing to `//net`'s GSSAPI support. It's used for smoke
+testing the library loading logic.
diff --git a/chromium/net/tools/gssapi/gss_import_name.cc b/chromium/net/tools/gssapi/gss_import_name.cc
new file mode 100644
index 00000000000..fd5a8ec4cc8
--- /dev/null
+++ b/chromium/net/tools/gssapi/gss_import_name.cc
@@ -0,0 +1,25 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/tools/gssapi/gss_types.h"
+
+// These two imports follow the same pattern as those in gss_methods.cc but are
+// separated out so that we can build a GSSAPI library that's missing a couple
+// of imports.
+
+extern "C" GSS_EXPORT OM_uint32
+gss_import_name(OM_uint32* minor_status,
+                const gss_buffer_t input_name_buffer,
+                const gss_OID input_name_type,
+                gss_name_t* output_name) {
+  return 0;
+}
+
+extern "C" GSS_EXPORT OM_uint32 gss_release_name(OM_uint32* minor_status,
+                                                 gss_name_t* input_name) {
+  *minor_status = 0;
+  delete *input_name;
+  *input_name = nullptr;
+  return 0;
+}
diff --git a/chromium/net/tools/gssapi/gss_methods.cc b/chromium/net/tools/gssapi/gss_methods.cc
new file mode 100644
index 00000000000..6a1647ea879
--- /dev/null
+++ b/chromium/net/tools/gssapi/gss_methods.cc
@@ -0,0 +1,80 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <cstring>
+
+#include "net/tools/gssapi/gss_types.h"
+
+// Only the GSSAPI exports used by //net are defined here and in
+// gss_import_name.cc.
+
+extern "C" GSS_EXPORT OM_uint32 gss_release_buffer(OM_uint32* minor_status,
+                                                   gss_buffer_t buffer) {
+  *minor_status = 0;
+  return 0;
+}
+
+extern "C" GSS_EXPORT OM_uint32
+gss_display_name(OM_uint32* minor_status,
+                 const gss_name_t input_name,
+                 gss_buffer_t output_name_buffer,
+                 gss_OID* output_name_type) {
+  return 0;
+}
+
+extern "C" GSS_EXPORT OM_uint32 gss_display_status(OM_uint32* minor_status,
+                                                   OM_uint32 status_value,
+                                                   int status_type,
+                                                   const gss_OID mech_type,
+                                                   OM_uint32* message_contex,
+                                                   gss_buffer_t status_string) {
+  return 0;
+}
+
+extern "C" GSS_EXPORT OM_uint32
+gss_init_sec_context(OM_uint32* minor_status,
+                     const gss_cred_id_t initiator_cred_handle,
+                     gss_ctx_id_t* context_handle,
+                     const gss_name_t target_name,
+                     const gss_OID mech_type,
+                     OM_uint32 req_flags,
+                     OM_uint32 time_req,
+                     const gss_channel_bindings_t input_chan_bindings,
+                     const gss_buffer_t input_token,
+                     gss_OID* actual_mech_type,
+                     gss_buffer_t output_token,
+                     OM_uint32* ret_flags,
+                     OM_uint32* time_rec) {
+  return 0;
+}
+
+extern "C" GSS_EXPORT OM_uint32
+gss_wrap_size_limit(OM_uint32* minor_status,
+                    const gss_ctx_id_t context_handle,
+                    int conf_req_flag,
+                    gss_qop_t qop_req,
+                    OM_uint32 req_output_size,
+                    OM_uint32* max_input_size) {
+  return 0;
+}
+
+extern "C" GSS_EXPORT OM_uint32
+gss_delete_sec_context(OM_uint32* minor_status,
+                       gss_ctx_id_t* context_handle,
+                       gss_buffer_t output_token) {
+  return 0;
+}
+
+extern "C" GSS_EXPORT OM_uint32
+gss_inquire_context(OM_uint32* minor_status,
+                    const gss_ctx_id_t context_handle,
+                    gss_name_t* src_name,
+                    gss_name_t* targ_name,
+                    OM_uint32* lifetime_rec,
+                    gss_OID* mech_type,
+                    OM_uint32* ctx_flags,
+                    int* locally_initiated,
+                    int* open) {
+  return 0;
+}
diff --git a/chromium/net/tools/gssapi/gss_types.h b/chromium/net/tools/gssapi/gss_types.h
new file mode 100644
index 00000000000..5774b49c952
--- /dev/null
+++ b/chromium/net/tools/gssapi/gss_types.h
@@ -0,0 +1,67 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_TOOLS_GSSAPI_GSS_TYPES_H_
+#define NET_TOOLS_GSSAPI_GSS_TYPES_H_
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+// Define a minimal subset of the definitions needed to build a loadable fake
+// GSSAPI library. The bindings follow RFC 2744. The code follows the RFC
+// faithfully with the possible exception of `const` qualifiers for some
+// function arguments.
+//
+// Note that //net/http/http_auth_gssapi_posix* functions depend on the gssapi.h
+// as found on the host platform. For test purposes file does not depend on the
+// system gssapi.h in order to reduce sensitivity to the host environment.
+//
+// These declarations follow RFC 2744 Appendix A with the exception of using
+// C++isms in some places.
+
+using OM_uint32 = uint32_t;
+using gss_qop_t = uint32_t;
+
+struct gss_buffer_desc_struct {
+  size_t length;
+  void* value;
+};
+using gss_buffer_desc = gss_buffer_desc_struct;
+using gss_buffer_t = gss_buffer_desc_struct*;
+
+struct gss_OID_desc_struct {
+  OM_uint32 length;
+  void* elements;
+};
+using gss_OID_desc = gss_OID_desc_struct;
+using gss_OID = gss_OID_desc_struct*;
+
+struct gss_channel_bindings_struct {
+  OM_uint32 initiator_addrtype;
+  gss_buffer_desc initiator_address;
+  OM_uint32 acceptor_addrtype;
+  gss_buffer_desc acceptor_address;
+  gss_buffer_desc application_data;
+};
+using gss_channel_bindings_t = gss_channel_bindings_struct*;
+
+// Following structures are defined as <implementation-specific>.
+
+struct FakeGssName {};
+using gss_name_t = FakeGssName*;
+
+struct FakeGssCredId {};
+using gss_cred_id_t = FakeGssCredId*;
+
+struct FakeGssCtxId {};
+using gss_ctx_id_t = FakeGssCtxId*;
+
+#if defined(WIN32)
+#define GSS_EXPORT __declspec(dllexport)
+#else
+#define GSS_EXPORT __attribute__((visibility("default")))
+#endif
+
+#endif  // NET_TOOLS_GSSAPI_GSS_TYPES_H_
diff --git a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.cc b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.cc
index b8ebd28028f..3e3ef70985c 100644
--- a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.cc
+++ b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.cc
@@ -83,6 +83,30 @@ void TrieBitBuffer::WriteChar(uint8_t byte,
   WriteBits(item->second.bits, item->second.number_of_bits);
 }
 
+void TrieBitBuffer::WriteSize(size_t size) {
+  switch (size) {
+    case 0:
+      WriteBits(0b00, 2);
+      break;
+    case 1:
+      WriteBits(0b100, 3);
+      break;
+    case 2:
+      WriteBits(0b101, 3);
+      break;
+    case 3:
+      WriteBits(0b110, 3);
+      break;
+    default: {
+      WriteBit(size % 2);
+      for (size_t len = (size + 1) / 2; len > 0; --len) {
+        WriteBit(1);
+      }
+      WriteBit(0);
+    }
+  }
+}
+
 void TrieBitBuffer::AppendBitsElement(uint8_t bits, uint8_t number_of_bits) {
   BitsOrPosition element;
   element.bits = current_byte_;
diff --git a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.h b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.h
index afdc698bbcf..434f7d8fc44 100644
--- a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.h
+++ b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.h
@@ -46,6 +46,10 @@ class TrieBitBuffer {
                  const HuffmanRepresentationTable& table,
                  HuffmanBuilder* huffman_builder);
 
+  // Writes a size_t |size| in a format that provides a compact representation
+  // for small values. This function's inverse is PreloadDecoder::DecodeSize.
+  void WriteSize(size_t size);
+
   // Writes the entire buffer to |*writer|. Returns the position |*writer| was
   // at before the buffer was written to it.
   uint32_t WriteToBitWriter(BitWriter* writer);
diff --git a/chromium/net/tools/huffman_trie/trie/trie_writer.cc b/chromium/net/tools/huffman_trie/trie/trie_writer.cc
index e510646ee61..54021663e1c 100644
--- a/chromium/net/tools/huffman_trie/trie/trie_writer.cc
+++ b/chromium/net/tools/huffman_trie/trie/trie_writer.cc
@@ -126,10 +126,7 @@ bool TrieWriter::WriteDispatchTables(ReversedEntries::iterator start,
   TrieBitBuffer writer;
 
   std::vector<uint8_t> prefix = LongestCommonPrefix(start, end);
-  for (size_t i = 0; i < prefix.size(); ++i) {
-    writer.WriteBit(1);
-  }
-  writer.WriteBit(0);
+  writer.WriteSize(prefix.size());
 
   if (prefix.size()) {
     for (size_t i = 0; i < prefix.size(); ++i) {
diff --git a/chromium/net/tools/net_watcher/net_watcher.cc b/chromium/net/tools/net_watcher/net_watcher.cc
index 024085ee328..09c55c5d6c5 100644
--- a/chromium/net/tools/net_watcher/net_watcher.cc
+++ b/chromium/net/tools/net_watcher/net_watcher.cc
@@ -20,9 +20,9 @@
 #include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/macros.h"
-#include "base/message_loop/message_loop.h"
 #include "base/run_loop.h"
 #include "base/strings/string_split.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/task/thread_pool/thread_pool.h"
 #include "base/values.h"
 #include "build/build_config.h"
@@ -154,8 +154,8 @@ int main(int argc, char* argv[]) {
       logging::LOG_TO_SYSTEM_DEBUG_LOG | logging::LOG_TO_STDERR;
   logging::InitLogging(settings);
 
-  // Just make the main message loop the network loop.
-  base::MessageLoopForIO network_loop;
+  // Just make the main task executor the network loop.
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
 
   base::ThreadPoolInstance::CreateAndStartWithDefaultParams("NetWatcher");
 
@@ -184,7 +184,7 @@ int main(int argc, char* argv[]) {
   // Use the network loop as the file loop also.
   std::unique_ptr<net::ProxyConfigService> proxy_config_service(
       net::ProxyResolutionService::CreateSystemProxyConfigService(
-          network_loop.task_runner()));
+          io_task_executor.task_runner()));
 
   // Uses |network_change_notifier|.
   net::NetworkChangeNotifier::AddIPAddressObserver(&net_watcher);
diff --git a/chromium/net/tools/print_certificates.py b/chromium/net/tools/print_certificates.py
index a60bfd7f0cf..5a0518764bd 100755
--- a/chromium/net/tools/print_certificates.py
+++ b/chromium/net/tools/print_certificates.py
@@ -13,6 +13,7 @@ import os
 import re
 import subprocess
 import sys
+import traceback
 
 
 def read_file_to_string(path):
@@ -155,6 +156,9 @@ class ByteReader:
     self.pos += 1
     return i
 
+  def consume_int16(self):
+    return ((self.consume_byte() << 8) + self.consume_byte())
+
   def consume_int24(self):
     return ((self.consume_byte() << 16) + (self.consume_byte() << 8) +
             self.consume_byte())
@@ -170,34 +174,90 @@ class ByteReader:
     return len(self.data) - self.pos
 
 
-def decode_tls_certificate_message(certificate_message):
-  reader = ByteReader(certificate_message)
-  if reader.consume_byte() != 11:
-    sys.stderr.write('HandshakeType != 11. Not a Certificate Message.\n')
-    return []
+def decode_tls10_certificate_message(reader):
+  message_length = reader.consume_int24()
+  if reader.remaining_byte_count() != message_length:
+    raise RuntimeError(
+        'message_length(%d) != remaining_byte_count(%d)\n' % (
+            message_length, reader.remaining_byte_count()))
+
+  certificate_list_length = reader.consume_int24()
+  if reader.remaining_byte_count() != certificate_list_length:
+    raise RuntimeError(
+        'certificate_list_length(%d) != remaining_byte_count(%d)\n' % (
+            certificate_list_length, reader.remaining_byte_count()))
+
+  certificates_der = []
+  while reader.remaining_byte_count():
+    cert_len = reader.consume_int24()
+    certificates_der.append(reader.consume_bytes(cert_len))
+
+  return certificates_der
+
 
+def decode_tls13_certificate_message(reader):
   message_length = reader.consume_int24()
   if reader.remaining_byte_count() != message_length:
-    sys.stderr.write(
+    raise RuntimeError(
         'message_length(%d) != remaining_byte_count(%d)\n' % (
             message_length, reader.remaining_byte_count()))
-    return []
+
+  # Ignore certificate_request_context.
+  certificate_request_context_length = reader.consume_byte()
+  reader.consume_bytes(certificate_request_context_length)
 
   certificate_list_length = reader.consume_int24()
   if reader.remaining_byte_count() != certificate_list_length:
-    sys.stderr.write(
+    raise RuntimeError(
         'certificate_list_length(%d) != remaining_byte_count(%d)\n' % (
             certificate_list_length, reader.remaining_byte_count()))
-    return []
 
   certificates_der = []
   while reader.remaining_byte_count():
+    # Assume certificate_type is X.509.
     cert_len = reader.consume_int24()
     certificates_der.append(reader.consume_bytes(cert_len))
+    # Ignore extensions.
+    extension_len = reader.consume_int16()
+    reader.consume_bytes(extension_len)
 
   return certificates_der
 
 
+def decode_tls_certificate_message(certificate_message):
+  reader = ByteReader(certificate_message)
+  if reader.consume_byte() != 11:
+    sys.stderr.write('HandshakeType != 11. Not a Certificate Message.\n')
+    return []
+
+  # The TLS certificate message encoding changed in TLS 1.3. Rather than
+  # require pasting in and parsing the whole handshake to discover the TLS
+  # version, just try parsing the message with both the old and new encodings.
+
+  # First try the old style certificate message:
+  try:
+    return decode_tls10_certificate_message(reader)
+  except (IndexError, RuntimeError):
+    tls10_traceback = traceback.format_exc()
+
+  # Restart the ByteReader and consume the HandshakeType byte again.
+  reader = ByteReader(certificate_message)
+  reader.consume_byte()
+  # Try the new style certificate message:
+  try:
+    return decode_tls13_certificate_message(reader)
+  except (IndexError, RuntimeError):
+    tls13_traceback = traceback.format_exc()
+
+  # Neither attempt succeeded, just dump some error info:
+  sys.stderr.write("Couldn't parse TLS certificate message\n")
+  sys.stderr.write("TLS1.0 parse attempt:\n%s\n" % tls10_traceback)
+  sys.stderr.write("TLS1.3 parse attempt:\n%s\n" % tls13_traceback)
+  sys.stderr.write("\n")
+
+  return []
+
+
 def extract_tls_certificate_message(netlog_text):
   raw_certificate_message = decode_netlog_hexdump(netlog_text)
   if not raw_certificate_message:
diff --git a/chromium/net/tools/quic/quic_client_message_loop_network_helper.cc b/chromium/net/tools/quic/quic_client_message_loop_network_helper.cc
index 486aab92423..17925dfb6e4 100644
--- a/chromium/net/tools/quic/quic_client_message_loop_network_helper.cc
+++ b/chromium/net/tools/quic/quic_client_message_loop_network_helper.cc
@@ -47,7 +47,7 @@ bool QuicClientMessageLooplNetworkHelper::CreateUDPSocketAndBind(
     quic::QuicIpAddress bind_to_address,
     int bind_to_port) {
   auto socket = std::make_unique<UDPClientSocket>(DatagramSocket::DEFAULT_BIND,
-                                                  &net_log_, NetLogSource());
+                                                  nullptr, NetLogSource());
 
   if (bind_to_address.IsInitialized()) {
     client_address_ =
@@ -85,8 +85,7 @@ bool QuicClientMessageLooplNetworkHelper::CreateUDPSocketAndBind(
     LOG(ERROR) << "GetLocalAddress failed: " << ErrorToShortString(rc);
     return false;
   }
-  client_address_ =
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(address));
+  client_address_ = ToQuicSocketAddress(address);
 
   socket_.swap(socket);
   packet_reader_.reset(new QuicChromiumPacketReader(
diff --git a/chromium/net/tools/quic/quic_client_message_loop_network_helper.h b/chromium/net/tools/quic/quic_client_message_loop_network_helper.h
index 3468263ec8d..fa257ad8137 100644
--- a/chromium/net/tools/quic/quic_client_message_loop_network_helper.h
+++ b/chromium/net/tools/quic/quic_client_message_loop_network_helper.h
@@ -18,7 +18,6 @@
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/http/http_response_headers.h"
-#include "net/log/net_log.h"
 #include "net/quic/platform/impl/quic_chromium_clock.h"
 #include "net/quic/quic_chromium_packet_reader.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h"
@@ -66,9 +65,6 @@ class QuicClientMessageLooplNetworkHelper
   // UDP socket connected to the server.
   std::unique_ptr<UDPClientSocket> socket_;
 
-  // The log used for the sockets.
-  NetLog net_log_;
-
   std::unique_ptr<QuicChromiumPacketReader> packet_reader_;
 
   bool packet_reader_started_;
diff --git a/chromium/net/tools/quic/quic_http_proxy_backend_stream.cc b/chromium/net/tools/quic/quic_http_proxy_backend_stream.cc
index b247cf61073..9c051233938 100644
--- a/chromium/net/tools/quic/quic_http_proxy_backend_stream.cc
+++ b/chromium/net/tools/quic/quic_http_proxy_backend_stream.cc
@@ -12,6 +12,7 @@
 #include "net/http/http_status_code.h"
 #include "net/http/http_util.h"
 #include "net/ssl/ssl_info.h"
+#include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/redirect_info.h"
 #include "net/url_request/url_request_context.h"
 
@@ -52,8 +53,7 @@ QuicHttpProxyBackendStream::QuicHttpProxyBackendStream(
       buf_(base::MakeRefCounted<IOBuffer>(kBufferSize)),
       response_completed_(false),
       headers_set_(false),
-      quic_response_(new quic::QuicBackendResponse()),
-      weak_factory_(this) {}
+      quic_response_(new quic::QuicBackendResponse()) {}
 
 QuicHttpProxyBackendStream::~QuicHttpProxyBackendStream() {}
 
@@ -147,7 +147,7 @@ void QuicHttpProxyBackendStream::CopyHeaders(
     // Ignore the spdy headers
     if (!key.empty() && key[0] != ':') {
       // Remove hop-by-hop headers
-      if (base::ContainsKey(kHopHeaders, key)) {
+      if (base::Contains(kHopHeaders, key)) {
         LOG(INFO) << "QUIC Proxy Ignoring Hop-by-hop Request Header: " << key
                   << ":" << value;
       } else {
@@ -188,7 +188,7 @@ void QuicHttpProxyBackendStream::SetUpload(
 void QuicHttpProxyBackendStream::SendRequestOnBackendThread() {
   DCHECK(quic_proxy_task_runner_->BelongsToCurrentThread());
   url_request_ = proxy_context_->GetURLRequestContext()->CreateRequest(
-      url_, net::DEFAULT_PRIORITY, this);
+      url_, net::DEFAULT_PRIORITY, this, MISSING_TRAFFIC_ANNOTATION);
   url_request_->set_method(method_type_);
   url_request_->SetExtraRequestHeaders(request_headers_);
   if (upload_) {
@@ -371,7 +371,7 @@ spdy::SpdyHeaderBlock QuicHttpProxyBackendStream::getAsQuicHeaders(
       if (header_name.compare("status") != 0) {
         if (header_name.compare("content-encoding") != 0) {
           // Remove hop-by-hop headers
-          if (base::ContainsKey(kHopHeaders, header_name)) {
+          if (base::Contains(kHopHeaders, header_name)) {
             LOG(INFO) << "Quic Proxy Ignoring Hop-by-hop Response Header: "
                       << header_name << ":" << header_value;
           } else {
diff --git a/chromium/net/tools/quic/quic_http_proxy_backend_stream.h b/chromium/net/tools/quic/quic_http_proxy_backend_stream.h
index e578c1aaf61..6d87391eb8a 100644
--- a/chromium/net/tools/quic/quic_http_proxy_backend_stream.h
+++ b/chromium/net/tools/quic/quic_http_proxy_backend_stream.h
@@ -156,7 +156,7 @@ class QuicHttpProxyBackendStream : public net::URLRequest::Delegate {
   bool headers_set_;
   std::unique_ptr<quic::QuicBackendResponse> quic_response_;
 
-  base::WeakPtrFactory<QuicHttpProxyBackendStream> weak_factory_;
+  base::WeakPtrFactory<QuicHttpProxyBackendStream> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicHttpProxyBackendStream);
 };
diff --git a/chromium/net/tools/quic/quic_simple_client.cc b/chromium/net/tools/quic/quic_simple_client.cc
index f3a25e8d92f..fb8651d1ffa 100644
--- a/chromium/net/tools/quic/quic_simple_client.cc
+++ b/chromium/net/tools/quic/quic_simple_client.cc
@@ -47,8 +47,7 @@ QuicSimpleClient::QuicSimpleClient(
           quic::QuicWrapUnique(
               new QuicClientMessageLooplNetworkHelper(&clock_, this)),
           std::move(proof_verifier)),
-      initialized_(false),
-      weak_factory_(this) {
+      initialized_(false) {
   set_server_address(server_address);
 }
 
diff --git a/chromium/net/tools/quic/quic_simple_client.h b/chromium/net/tools/quic/quic_simple_client.h
index 2c682a5c7ec..add25ad7f0c 100644
--- a/chromium/net/tools/quic/quic_simple_client.h
+++ b/chromium/net/tools/quic/quic_simple_client.h
@@ -57,7 +57,7 @@ class QuicSimpleClient : public quic::QuicSpdyClientBase {
   // Tracks if the client is initialized to connect.
   bool initialized_;
 
-  base::WeakPtrFactory<QuicSimpleClient> weak_factory_;
+  base::WeakPtrFactory<QuicSimpleClient> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicSimpleClient);
 };
diff --git a/chromium/net/tools/quic/quic_simple_client_bin.cc b/chromium/net/tools/quic/quic_simple_client_bin.cc
index 125ccc0dfff..e8c7a3c0653 100644
--- a/chromium/net/tools/quic/quic_simple_client_bin.cc
+++ b/chromium/net/tools/quic/quic_simple_client_bin.cc
@@ -33,22 +33,9 @@
 // Try to connect to a host which does not speak QUIC:
 //   quic_client http://www.example.com
 
-#include <iostream>
-
-#include "base/at_exit.h"
-#include "base/command_line.h"
 #include "base/logging.h"
-#include "base/message_loop/message_loop.h"
-#include "base/task/thread_pool/thread_pool.h"
 #include "net/base/net_errors.h"
-#include "net/base/privacy_mode.h"
-#include "net/cert/cert_verifier.h"
-#include "net/cert/ct_log_verifier.h"
-#include "net/cert/ct_policy_enforcer.h"
-#include "net/cert/multi_log_ct_verifier.h"
-#include "net/http/transport_security_state.h"
-#include "net/quic/crypto/proof_verifier_chromium.h"
-#include "net/spdy/spdy_http_utils.h"
+#include "net/quic/address_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_server_id.h"
@@ -62,52 +49,41 @@
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 #include "net/tools/quic/quic_simple_client.h"
 #include "net/tools/quic/synchronous_host_resolver.h"
-#include "url/gurl.h"
 
-using net::CertVerifier;
-using net::CTVerifier;
-using net::MultiLogCTVerifier;
 using quic::ProofVerifier;
-using net::ProofVerifierChromium;
-using quic::QuicStringPiece;
-using quic::QuicTextUtils;
-using net::TransportSecurityState;
-using spdy::SpdyHeaderBlock;
-using std::cout;
-using std::cerr;
-using std::endl;
 
 namespace {
 
 class QuicSimpleClientFactory : public quic::QuicToyClient::ClientFactory {
  public:
   std::unique_ptr<quic::QuicSpdyClientBase> CreateClient(
-      std::string host,
+      std::string host_for_handshake,
+      std::string host_for_lookup,
       uint16_t port,
       quic::ParsedQuicVersionVector versions,
       std::unique_ptr<quic::ProofVerifier> verifier) override {
     net::AddressList addresses;
-    int rv = net::SynchronousHostResolver::Resolve(host, &addresses);
+    int rv = net::SynchronousHostResolver::Resolve(host_for_lookup, &addresses);
     if (rv != net::OK) {
-      LOG(ERROR) << "Unable to resolve '" << host
+      LOG(ERROR) << "Unable to resolve '" << host_for_lookup
                  << "' : " << net::ErrorToShortString(rv);
       return nullptr;
     }
     // Determine IP address to connect to from supplied hostname.
     quic::QuicIpAddress ip_addr;
-    if (!ip_addr.FromString(host)) {
+    if (!ip_addr.FromString(host_for_lookup)) {
       net::AddressList addresses;
-      int rv = net::SynchronousHostResolver::Resolve(host, &addresses);
+      int rv =
+          net::SynchronousHostResolver::Resolve(host_for_lookup, &addresses);
       if (rv != net::OK) {
-        LOG(ERROR) << "Unable to resolve '" << host
+        LOG(ERROR) << "Unable to resolve '" << host_for_lookup
                    << "' : " << net::ErrorToShortString(rv);
         return nullptr;
       }
-      ip_addr =
-          quic::QuicIpAddress(quic::QuicIpAddressImpl(addresses[0].address()));
+      ip_addr = net::ToQuicIpAddress(addresses[0].address());
     }
 
-    quic::QuicServerId server_id(host, port, false);
+    quic::QuicServerId server_id(host_for_handshake, port, false);
     return quic::QuicMakeUnique<net::QuicSimpleClient>(
         quic::QuicSocketAddress(ip_addr, port), server_id, versions,
         std::move(verifier));
diff --git a/chromium/net/tools/quic/quic_simple_server.cc b/chromium/net/tools/quic/quic_simple_server.cc
index 159c413f109..3fb37f67912 100644
--- a/chromium/net/tools/quic/quic_simple_server.cc
+++ b/chromium/net/tools/quic/quic_simple_server.cc
@@ -13,13 +13,13 @@
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
 #include "net/log/net_log_source.h"
+#include "net/quic/address_utils.h"
 #include "net/socket/udp_server_socket.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_data_reader.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/tools/quic_simple_dispatcher.h"
 #include "net/tools/quic/quic_simple_server_packet_writer.h"
 #include "net/tools/quic/quic_simple_server_session_helper.h"
@@ -55,13 +55,11 @@ QuicSimpleServer::QuicSimpleServer(
       crypto_config_(kSourceAddressTokenSecret,
                      quic::QuicRandom::GetInstance(),
                      std::move(proof_source),
-                     quic::KeyExchangeSource::Default(),
-                     quic::TlsServerHandshaker::CreateSslCtx()),
+                     quic::KeyExchangeSource::Default()),
       read_pending_(false),
       synchronous_read_count_(0),
       read_buffer_(base::MakeRefCounted<IOBufferWithSize>(kReadBufferSize)),
-      quic_simple_server_backend_(quic_simple_server_backend),
-      weak_factory_(this) {
+      quic_simple_server_backend_(quic_simple_server_backend) {
   DCHECK(quic_simple_server_backend);
   Initialize();
 }
@@ -96,7 +94,7 @@ QuicSimpleServer::~QuicSimpleServer() = default;
 
 int QuicSimpleServer::Listen(const IPEndPoint& address) {
   std::unique_ptr<UDPServerSocket> socket(
-      new UDPServerSocket(&net_log_, NetLogSource()));
+      new UDPServerSocket(nullptr, NetLogSource()));
 
   socket->AllowAddressReuse();
 
@@ -211,10 +209,8 @@ void QuicSimpleServer::OnReadComplete(int result) {
 
   quic::QuicReceivedPacket packet(read_buffer_->data(), result,
                                   helper_->GetClock()->Now(), false);
-  dispatcher_->ProcessPacket(
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(server_address_)),
-      quic::QuicSocketAddress(quic::QuicSocketAddressImpl(client_address_)),
-      packet);
+  dispatcher_->ProcessPacket(ToQuicSocketAddress(server_address_),
+                             ToQuicSocketAddress(client_address_), packet);
 
   StartReading();
 }
diff --git a/chromium/net/tools/quic/quic_simple_server.h b/chromium/net/tools/quic/quic_simple_server.h
index 743b8838afd..6c8c6e99d5a 100644
--- a/chromium/net/tools/quic/quic_simple_server.h
+++ b/chromium/net/tools/quic/quic_simple_server.h
@@ -13,7 +13,6 @@
 #include "base/macros.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_endpoint.h"
-#include "net/log/net_log.h"
 #include "net/quic/platform/impl/quic_chromium_clock.h"
 #include "net/quic/quic_chromium_alarm_factory.h"
 #include "net/quic/quic_chromium_connection_helper.h"
@@ -114,12 +113,9 @@ class QuicSimpleServer {
   // The source address of the current read.
   IPEndPoint client_address_;
 
-  // The log to use for the socket.
-  NetLog net_log_;
-
   quic::QuicSimpleServerBackend* quic_simple_server_backend_;
 
-  base::WeakPtrFactory<QuicSimpleServer> weak_factory_;
+  base::WeakPtrFactory<QuicSimpleServer> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicSimpleServer);
 };
diff --git a/chromium/net/tools/quic/quic_simple_server_bin.cc b/chromium/net/tools/quic/quic_simple_server_bin.cc
index c166e3b736a..8d371ba4973 100644
--- a/chromium/net/tools/quic/quic_simple_server_bin.cc
+++ b/chromium/net/tools/quic/quic_simple_server_bin.cc
@@ -10,9 +10,9 @@
 #include "base/at_exit.h"
 #include "base/command_line.h"
 #include "base/logging.h"
-#include "base/message_loop/message_loop.h"
 #include "base/run_loop.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/task/thread_pool/thread_pool.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
@@ -50,7 +50,7 @@ std::unique_ptr<quic::ProofSource> CreateProofSource(
 int main(int argc, char* argv[]) {
   base::ThreadPoolInstance::CreateAndStartWithDefaultParams("quic_server");
   base::AtExitManager exit_manager;
-  base::MessageLoopForIO message_loop;
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
 
   base::CommandLine::Init(argc, argv);
   base::CommandLine* line = base::CommandLine::ForCurrentProcess();
diff --git a/chromium/net/tools/quic/quic_simple_server_packet_writer.cc b/chromium/net/tools/quic/quic_simple_server_packet_writer.cc
index 6e71a9d8cce..10730abc6d1 100644
--- a/chromium/net/tools/quic/quic_simple_server_packet_writer.cc
+++ b/chromium/net/tools/quic/quic_simple_server_packet_writer.cc
@@ -21,10 +21,7 @@ namespace net {
 QuicSimpleServerPacketWriter::QuicSimpleServerPacketWriter(
     UDPServerSocket* socket,
     quic::QuicDispatcher* dispatcher)
-    : socket_(socket),
-      dispatcher_(dispatcher),
-      write_blocked_(false),
-      weak_factory_(this) {}
+    : socket_(socket), dispatcher_(dispatcher), write_blocked_(false) {}
 
 QuicSimpleServerPacketWriter::~QuicSimpleServerPacketWriter() = default;
 
diff --git a/chromium/net/tools/quic/quic_simple_server_packet_writer.h b/chromium/net/tools/quic/quic_simple_server_packet_writer.h
index 967eda87ce4..76f8b8e82f9 100644
--- a/chromium/net/tools/quic/quic_simple_server_packet_writer.h
+++ b/chromium/net/tools/quic/quic_simple_server_packet_writer.h
@@ -67,7 +67,7 @@ class QuicSimpleServerPacketWriter : public quic::QuicPacketWriter {
   // Whether a write is currently in flight.
   bool write_blocked_;
 
-  base::WeakPtrFactory<QuicSimpleServerPacketWriter> weak_factory_;
+  base::WeakPtrFactory<QuicSimpleServerPacketWriter> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicSimpleServerPacketWriter);
 };
diff --git a/chromium/net/tools/quic/quic_simple_server_test.cc b/chromium/net/tools/quic/quic_simple_server_test.cc
index 6f2fcabe4db..a3410776052 100644
--- a/chromium/net/tools/quic/quic_simple_server_test.cc
+++ b/chromium/net/tools/quic/quic_simple_server_test.cc
@@ -5,10 +5,10 @@
 #include "net/tools/quic/quic_simple_server.h"
 
 #include "base/stl_util.h"
+#include "net/quic/address_utils.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_quic_dispatcher.h"
@@ -29,8 +29,7 @@ class QuicChromeServerDispatchPacketTest : public QuicTest {
       : crypto_config_("blah",
                        quic::QuicRandom::GetInstance(),
                        quic::test::crypto_test_utils::ProofSourceForTesting(),
-                       quic::KeyExchangeSource::Default(),
-                       quic::TlsServerHandshaker::CreateSslCtx()),
+                       quic::KeyExchangeSource::Default()),
         version_manager_(quic::AllSupportedVersions()),
         dispatcher_(&config_,
                     &crypto_config_,
@@ -48,10 +47,8 @@ class QuicChromeServerDispatchPacketTest : public QuicTest {
 
   void DispatchPacket(const quic::QuicReceivedPacket& packet) {
     IPEndPoint client_addr, server_addr;
-    dispatcher_.ProcessPacket(
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(server_addr)),
-        quic::QuicSocketAddress(quic::QuicSocketAddressImpl(client_addr)),
-        packet);
+    dispatcher_.ProcessPacket(ToQuicSocketAddress(server_addr),
+                              ToQuicSocketAddress(client_addr), packet);
   }
 
  protected:
diff --git a/chromium/net/tools/quic/synchronous_host_resolver.cc b/chromium/net/tools/quic/synchronous_host_resolver.cc
index 9428d70753d..1f8a16fd7b9 100644
--- a/chromium/net/tools/quic/synchronous_host_resolver.cc
+++ b/chromium/net/tools/quic/synchronous_host_resolver.cc
@@ -12,10 +12,10 @@
 #include "base/location.h"
 #include "base/macros.h"
 #include "base/memory/weak_ptr.h"
-#include "base/message_loop/message_loop.h"
 #include "base/optional.h"
 #include "base/run_loop.h"
 #include "base/single_thread_task_runner.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/threading/simple_thread.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/host_port_pair.h"
@@ -57,7 +57,7 @@ ResolverThread::ResolverThread()
 ResolverThread::~ResolverThread() = default;
 
 void ResolverThread::Run() {
-  base::MessageLoopForIO loop;
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
 
   net::NetLog net_log;
   net::HostResolver::ManagerOptions options;
diff --git a/chromium/net/tools/stress_cache/stress_cache.cc b/chromium/net/tools/stress_cache/stress_cache.cc
index e385777f229..ff485cf4820 100644
--- a/chromium/net/tools/stress_cache/stress_cache.cc
+++ b/chromium/net/tools/stress_cache/stress_cache.cc
@@ -25,7 +25,6 @@
 #include "base/files/file_path.h"
 #include "base/location.h"
 #include "base/logging.h"
-#include "base/message_loop/message_loop.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/process/process.h"
@@ -34,6 +33,7 @@
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/threading/platform_thread.h"
 #include "base/threading/thread.h"
 #include "base/threading/thread_task_runner_handle.h"
@@ -306,7 +306,7 @@ void StressTheCache(int iteration) {
 
   base::Thread cache_thread("CacheThread");
   if (!cache_thread.StartWithOptions(
-          base::Thread::Options(base::MessageLoop::TYPE_IO, 0)))
+          base::Thread::Options(base::MessagePump::Type::IO, 0)))
     return;
 
   g_data = new Data();
@@ -429,7 +429,7 @@ int main(int argc, const char* argv[]) {
 
   // Some time for the memory manager to flush stuff.
   base::PlatformThread::Sleep(base::TimeDelta::FromSeconds(3));
-  base::MessageLoopForIO message_loop;
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
 
   char* end;
   long int iteration = strtol(argv[1], &end, 0);
diff --git a/chromium/net/tools/testserver/run_testserver.cc b/chromium/net/tools/testserver/run_testserver.cc
index 10ea873cbea..0a997386328 100644
--- a/chromium/net/tools/testserver/run_testserver.cc
+++ b/chromium/net/tools/testserver/run_testserver.cc
@@ -9,9 +9,9 @@
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/logging.h"
-#include "base/message_loop/message_loop.h"
 #include "base/run_loop.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/task/single_thread_task_executor.h"
 #include "base/test/test_timeouts.h"
 #include "net/test/spawned_test_server/spawned_test_server.h"
 
@@ -24,7 +24,7 @@ static void PrintUsage() {
 
 int main(int argc, const char* argv[]) {
   base::AtExitManager at_exit_manager;
-  base::MessageLoopForIO message_loop;
+  base::SingleThreadTaskExecutor io_task_executor(base::MessagePump::Type::IO);
 
   // Process command line
   base::CommandLine::Init(argc, argv);
diff --git a/chromium/net/tools/transport_security_state_generator/README.md b/chromium/net/tools/transport_security_state_generator/README.md
index b26e4629898..7aa06f4d5f6 100644
--- a/chromium/net/tools/transport_security_state_generator/README.md
+++ b/chromium/net/tools/transport_security_state_generator/README.md
@@ -129,9 +129,10 @@ dispatch-table     = prefix-part         ; a common prefix for the node and its
                      1*value-part        ; 1 or more values or pointers to children
                      end-of-table-value  ; signals the end of the table
 
-prefix-part        = *%b1               ; 0 or more 1 bits indicating the prefix length
-                     %b0                ; 0 bit to indicate the end of the length encoding
+prefix-part        = prefix-length      ; a prefix code encoding of the number
+of characters in the prefix
                      prefix-characters  ; the actual prefix characters
+prefix-length      = 1*BIT  ; See net::extras::PreloadDecoder::DecodeSize for the format
 value-part         = huffman-character node-value
                      ; table with the node value and pointers to children
 
diff --git a/chromium/net/tools/update_ios_bundle_data.py b/chromium/net/tools/update_ios_bundle_data.py
index 144655c3005..02a5505b327 100755
--- a/chromium/net/tools/update_ios_bundle_data.py
+++ b/chromium/net/tools/update_ios_bundle_data.py
@@ -43,6 +43,7 @@ net_unittest_bundle_data_globs = [
     "data/cert_issuer_source_aia_unittest/*.pem",
     "data/cert_issuer_source_static_unittest/*.pem",
     "data/certificate_policies_unittest/*.pem",
+    "data/crl_unittest/*.pem",
     "data/embedded_test_server/*",
     "data/filter_unittests/*",
     "data/name_constraints_unittest/*.pem",
diff --git a/chromium/net/traffic_annotation/network_traffic_annotation.h b/chromium/net/traffic_annotation/network_traffic_annotation.h
index a4f0b8fbd47..6319a81fd10 100644
--- a/chromium/net/traffic_annotation/network_traffic_annotation.h
+++ b/chromium/net/traffic_annotation/network_traffic_annotation.h
@@ -361,12 +361,20 @@ struct MutablePartialNetworkTrafficAnnotationTag {
   net::DefineNetworkTrafficAnnotation(ANNOTATION_ID, "No proto yet.")
 #endif
 
+// These annotations are unavailable on desktop Linux + Windows. They are
+// available on other platforms, since we only audit network annotations on
+// Linux & Windows.
+//
+// On Linux and Windows, use MISSING_TRAFFIC_ANNOTATION or
+// TRAFFIC_ANNOTATION_FOR_TESTS.
+#if (!defined(OS_WIN) && !defined(OS_LINUX)) || defined(OS_CHROMEOS)
 #define NO_TRAFFIC_ANNOTATION_YET \
   net::DefineNetworkTrafficAnnotation("undefined", "Nothing here yet.")
 
 #define NO_PARTIAL_TRAFFIC_ANNOTATION_YET                              \
   net::DefinePartialNetworkTrafficAnnotation("undefined", "undefined", \
                                              "Nothing here yet.")
+#endif
 
 #define MISSING_TRAFFIC_ANNOTATION     \
   net::DefineNetworkTrafficAnnotation( \
diff --git a/chromium/net/url_request/ftp_protocol_handler.cc b/chromium/net/url_request/ftp_protocol_handler.cc
index 9334ca7f637..4b96c5aae73 100644
--- a/chromium/net/url_request/ftp_protocol_handler.cc
+++ b/chromium/net/url_request/ftp_protocol_handler.cc
@@ -18,15 +18,18 @@
 namespace net {
 
 std::unique_ptr<FtpProtocolHandler> FtpProtocolHandler::Create(
-    HostResolver* host_resolver) {
+    HostResolver* host_resolver,
+    FtpAuthCache* auth_cache) {
+  DCHECK(auth_cache);
   return base::WrapUnique(new FtpProtocolHandler(
-      base::WrapUnique(new FtpNetworkLayer(host_resolver))));
+      base::WrapUnique(new FtpNetworkLayer(host_resolver)), auth_cache));
 }
 
 std::unique_ptr<FtpProtocolHandler> FtpProtocolHandler::CreateForTesting(
-    std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory) {
+    std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory,
+    FtpAuthCache* auth_cache) {
   return base::WrapUnique(
-      new FtpProtocolHandler(std::move(ftp_transaction_factory)));
+      new FtpProtocolHandler(std::move(ftp_transaction_factory), auth_cache));
 }
 
 FtpProtocolHandler::~FtpProtocolHandler() = default;
@@ -41,14 +44,14 @@ URLRequestJob* FtpProtocolHandler::MaybeCreateJob(
   }
 
   return new URLRequestFtpJob(request, network_delegate,
-                              ftp_transaction_factory_.get(),
-                              ftp_auth_cache_.get());
+                              ftp_transaction_factory_.get(), ftp_auth_cache_);
 }
 
 FtpProtocolHandler::FtpProtocolHandler(
-    std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory)
+    std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory,
+    FtpAuthCache* auth_cache)
     : ftp_transaction_factory_(std::move(ftp_transaction_factory)),
-      ftp_auth_cache_(new FtpAuthCache) {
+      ftp_auth_cache_(auth_cache) {
   DCHECK(ftp_transaction_factory_);
 }
 
diff --git a/chromium/net/url_request/ftp_protocol_handler.h b/chromium/net/url_request/ftp_protocol_handler.h
index e06aa1ad7dc..e8843be3b54 100644
--- a/chromium/net/url_request/ftp_protocol_handler.h
+++ b/chromium/net/url_request/ftp_protocol_handler.h
@@ -26,15 +26,16 @@ class NET_EXPORT FtpProtocolHandler :
  public:
   ~FtpProtocolHandler() override;
 
-  // Creates an FtpProtocolHandler using an FtpTransactionFactoryImpl and the
-  // specified HostResolver.
-  static std::unique_ptr<FtpProtocolHandler> Create(
-      HostResolver* host_resolver);
+  // Creates an FtpProtocolHandler using the specified HostResolver and
+  // FtpAuthCache. |auth_cache| cannot be null.
+  static std::unique_ptr<FtpProtocolHandler> Create(HostResolver* host_resolver,
+                                                    FtpAuthCache* auth_cache);
 
   // Creates an FtpProtocolHandler using the specified FtpTransactionFactory, to
   // allow a mock to be used for testing.
   static std::unique_ptr<FtpProtocolHandler> CreateForTesting(
-      std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory);
+      std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory,
+      FtpAuthCache* auth_cache);
 
   URLRequestJob* MaybeCreateJob(
       URLRequest* request,
@@ -44,10 +45,11 @@ class NET_EXPORT FtpProtocolHandler :
   friend class FtpTestURLRequestContext;
 
   explicit FtpProtocolHandler(
-      std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory);
+      std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory,
+      FtpAuthCache* auth_cache);
 
   std::unique_ptr<FtpTransactionFactory> ftp_transaction_factory_;
-  std::unique_ptr<FtpAuthCache> ftp_auth_cache_;
+  FtpAuthCache* ftp_auth_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(FtpProtocolHandler);
 };
diff --git a/chromium/net/url_request/http_with_dns_over_https_unittest.cc b/chromium/net/url_request/http_with_dns_over_https_unittest.cc
index 3afa2951821..c91c9ac5667 100644
--- a/chromium/net/url_request/http_with_dns_over_https_unittest.cc
+++ b/chromium/net/url_request/http_with_dns_over_https_unittest.cc
@@ -2,12 +2,16 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/big_endian.h"
 #include "base/bind.h"
+#include "base/logging.h"
+#include "base/memory/scoped_refptr.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/proxy_server.h"
 #include "net/dns/context_host_resolver.h"
 #include "net/dns/dns_client.h"
 #include "net/dns/dns_config.h"
+#include "net/dns/dns_query.h"
 #include "net/dns/dns_transaction.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_manager.h"
@@ -70,6 +74,7 @@ class HttpWithDnsOverHttpsTest : public TestWithScopedTaskEnvironment {
     DnsConfig config;
     config.nameservers.push_back(IPEndPoint());
     config.dns_over_https_servers.emplace_back(url.spec(), true /* use_post */);
+    config.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
     dns_client->SetConfig(config);
     resolver_->SetRequestContext(&request_context_);
     resolver_->SetProcParamsForTesting(
@@ -86,19 +91,24 @@ class HttpWithDnsOverHttpsTest : public TestWithScopedTaskEnvironment {
       const test_server::HttpRequest& request) {
     if (request.relative_url.compare("/dns_query") == 0) {
       doh_queries_served_++;
-      uint8_t id1 = request.content[0];
-      uint8_t id2 = request.content[1];
-      std::unique_ptr<test_server::BasicHttpResponse> http_response(
-          new test_server::BasicHttpResponse);
-      const uint8_t header_data[] = {
-          id1,  id2,   // - Same ID as before
-          0x81, 0x80,  // - Different flags, we'll look at this below
-          0x00, 0x01,  // - 1 question
-          0x00, 0x01,  // - 1 answer
-          0x00, 0x00,  // - No authority records
-          0x00, 0x00,  // - No additional records
-      };
-      std::string question = request.content.substr(kHeaderSize);
+
+      // Parse request content as a DnsQuery to access the question.
+      auto request_buffer =
+          base::MakeRefCounted<IOBufferWithSize>(request.content.size());
+      memcpy(request_buffer->data(), request.content.data(),
+             request.content.size());
+      DnsQuery query(std::move(request_buffer));
+      EXPECT_TRUE(query.Parse(request.content.size()));
+
+      char header_data[kHeaderSize];
+      base::BigEndianWriter header_writer(header_data, kHeaderSize);
+      header_writer.WriteU16(query.id());  // Same ID as before
+      char flags[] = {0x81, 0x80};
+      header_writer.WriteBytes(flags, 2);
+      header_writer.WriteU16(1);  // 1 question
+      header_writer.WriteU16(1);  // 1 answer
+      header_writer.WriteU16(0);  // No authority records
+      header_writer.WriteU16(0);  // No additional records
 
       const uint8_t answer_data[]{0xC0, 0x0C,  // - NAME
                                   0x00, 0x01,  // - TYPE
@@ -108,8 +118,12 @@ class HttpWithDnsOverHttpsTest : public TestWithScopedTaskEnvironment {
                                   0x00, 0x04,  // - RDLENGTH = 4 bytes
                                   0x7f, 0x00,  // - RDDATA, IP is 127.0.0.1
                                   0x00, 0x01};
+
+      std::unique_ptr<test_server::BasicHttpResponse> http_response(
+          new test_server::BasicHttpResponse);
       http_response->set_content(
-          std::string((char*)header_data, sizeof(header_data)) + question +
+          std::string(header_data, sizeof(header_data)) +
+          query.question().as_string() +
           std::string((char*)answer_data, sizeof(answer_data)));
       http_response->set_content_type("application/dns-message");
       return std::move(http_response);
diff --git a/chromium/net/url_request/redirect_info.h b/chromium/net/url_request/redirect_info.h
index 524adf95dbf..0984bd09def 100644
--- a/chromium/net/url_request/redirect_info.h
+++ b/chromium/net/url_request/redirect_info.h
@@ -63,6 +63,8 @@ struct NET_EXPORT RedirectInfo {
   // The new first-party URL for cookies.
   GURL new_site_for_cookies;
 
+  // DEPRECATED TODO: Remove this as it was introduced for the cache key and can
+  // be removed now that |network_isolation_key| is set for the redirect cases.
   base::Optional<url::Origin> new_top_frame_origin;
 
   // The new HTTP referrer header.
diff --git a/chromium/net/url_request/test_url_fetcher_factory.cc b/chromium/net/url_request/test_url_fetcher_factory.cc
index 7528b22cea8..5a776242355 100644
--- a/chromium/net/url_request/test_url_fetcher_factory.cc
+++ b/chromium/net/url_request/test_url_fetcher_factory.cc
@@ -359,8 +359,7 @@ FakeURLFetcher::FakeURLFetcher(const GURL& url,
                                const std::string& response_data,
                                HttpStatusCode response_code,
                                URLRequestStatus::Status status)
-    : TestURLFetcher(0, url, d),
-      weak_factory_(this) {
+    : TestURLFetcher(0, url, d) {
   Error error = OK;
   switch(status) {
     case URLRequestStatus::SUCCESS:
diff --git a/chromium/net/url_request/test_url_fetcher_factory.h b/chromium/net/url_request/test_url_fetcher_factory.h
index cbd0cde8a88..2bf8b6f3947 100644
--- a/chromium/net/url_request/test_url_fetcher_factory.h
+++ b/chromium/net/url_request/test_url_fetcher_factory.h
@@ -326,7 +326,7 @@ class FakeURLFetcher : public TestURLFetcher {
   void RunDelegate();
 
   int64_t response_bytes_;
-  base::WeakPtrFactory<FakeURLFetcher> weak_factory_;
+  base::WeakPtrFactory<FakeURLFetcher> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(FakeURLFetcher);
 };
diff --git a/chromium/net/url_request/url_fetcher.cc b/chromium/net/url_request/url_fetcher.cc
index e815b57e7a9..331420fad2e 100644
--- a/chromium/net/url_request/url_fetcher.cc
+++ b/chromium/net/url_request/url_fetcher.cc
@@ -11,6 +11,7 @@ namespace net {
 
 URLFetcher::~URLFetcher() = default;
 
+#if (!defined(OS_WIN) && !defined(OS_LINUX)) || defined(OS_CHROMEOS)
 // static
 std::unique_ptr<URLFetcher> URLFetcher::Create(
     const GURL& url,
@@ -27,6 +28,7 @@ std::unique_ptr<URLFetcher> URLFetcher::Create(
     URLFetcherDelegate* d) {
   return Create(id, url, request_type, d, MISSING_TRAFFIC_ANNOTATION);
 }
+#endif
 
 // static
 std::unique_ptr<URLFetcher> URLFetcher::Create(
diff --git a/chromium/net/url_request/url_fetcher.h b/chromium/net/url_request/url_fetcher.h
index fc8d1d170a9..65799242ac6 100644
--- a/chromium/net/url_request/url_fetcher.h
+++ b/chromium/net/url_request/url_fetcher.h
@@ -14,6 +14,7 @@
 #include "base/callback_forward.h"
 #include "base/memory/ref_counted.h"
 #include "base/supports_user_data.h"
+#include "build/build_config.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_export.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
@@ -109,6 +110,10 @@ class NET_EXPORT URLFetcher {
 
   virtual ~URLFetcher();
 
+  // The unannotated Create() methods are not available on desktop Linux +
+  // Windows. They are available on other platforms, since we only audit network
+  // annotations on Linux & Windows.
+#if (!defined(OS_WIN) && !defined(OS_LINUX)) || defined(OS_CHROMEOS)
   // |url| is the URL to send the request to. It must be valid.
   // |request_type| is the type of request to make.
   // |d| the object that will receive the callback on fetch completion.
@@ -129,6 +134,7 @@ class NET_EXPORT URLFetcher {
       const GURL& url,
       URLFetcher::RequestType request_type,
       URLFetcherDelegate* d);
+#endif
 
   // |url| is the URL to send the request to. It must be valid.
   // |request_type| is the type of request to make.
diff --git a/chromium/net/url_request/url_fetcher_core.cc b/chromium/net/url_request/url_fetcher_core.cc
index f805da8fa56..a6c1740efb0 100644
--- a/chromium/net/url_request/url_fetcher_core.cc
+++ b/chromium/net/url_request/url_fetcher_core.cc
@@ -47,12 +47,12 @@ URLFetcherCore::Registry::Registry() = default;
 URLFetcherCore::Registry::~Registry() = default;
 
 void URLFetcherCore::Registry::AddURLFetcherCore(URLFetcherCore* core) {
-  DCHECK(!base::ContainsKey(fetchers_, core));
+  DCHECK(!base::Contains(fetchers_, core));
   fetchers_.insert(core);
 }
 
 void URLFetcherCore::Registry::RemoveURLFetcherCore(URLFetcherCore* core) {
-  DCHECK(base::ContainsKey(fetchers_, core));
+  DCHECK(base::Contains(fetchers_, core));
   fetchers_.erase(core);
 }
 
diff --git a/chromium/net/url_request/url_fetcher_response_writer.cc b/chromium/net/url_request/url_fetcher_response_writer.cc
index e4237b9a3e2..acc75639ed7 100644
--- a/chromium/net/url_request/url_fetcher_response_writer.cc
+++ b/chromium/net/url_request/url_fetcher_response_writer.cc
@@ -56,8 +56,7 @@ URLFetcherFileWriter::URLFetcherFileWriter(
     const base::FilePath& file_path)
     : file_task_runner_(file_task_runner),
       file_path_(file_path),
-      owns_file_(false),
-      weak_factory_(this) {
+      owns_file_(false) {
   DCHECK(file_task_runner_.get());
 }
 
diff --git a/chromium/net/url_request/url_fetcher_response_writer.h b/chromium/net/url_request/url_fetcher_response_writer.h
index 1415ba60b06..202cf637ed8 100644
--- a/chromium/net/url_request/url_fetcher_response_writer.h
+++ b/chromium/net/url_request/url_fetcher_response_writer.h
@@ -141,7 +141,7 @@ class NET_EXPORT URLFetcherFileWriter : public URLFetcherResponseWriter {
 
   CompletionOnceCallback callback_;
 
-  base::WeakPtrFactory<URLFetcherFileWriter> weak_factory_;
+  base::WeakPtrFactory<URLFetcherFileWriter> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLFetcherFileWriter);
 };
diff --git a/chromium/net/url_request/url_request.cc b/chromium/net/url_request/url_request.cc
index d11742cbf44..736dddbe7d6 100644
--- a/chromium/net/url_request/url_request.cc
+++ b/chromium/net/url_request/url_request.cc
@@ -342,9 +342,8 @@ void URLRequest::LogBlockedBy(const char* blocked_by) {
   blocked_by_ = blocked_by;
   use_blocked_by_as_load_param_ = false;
 
-  net_log_.BeginEvent(
-      NetLogEventType::DELEGATE_INFO,
-      NetLog::StringCallback("delegate_blocked_by", &blocked_by_));
+  net_log_.BeginEventWithStringParams(NetLogEventType::DELEGATE_INFO,
+                                      "delegate_blocked_by", blocked_by_);
 }
 
 void URLRequest::LogAndReportBlockedBy(const char* source) {
@@ -435,13 +434,12 @@ int URLRequest::GetResponseCode() const {
   return job_->GetResponseCode();
 }
 
-void URLRequest::set_not_sent_cookies(CookieStatusList excluded_cookies) {
-  not_sent_cookies_ = std::move(excluded_cookies);
+void URLRequest::set_maybe_sent_cookies(CookieStatusList cookies) {
+  maybe_sent_cookies_ = std::move(cookies);
 }
 
-void URLRequest::set_not_stored_cookies(
-    CookieAndLineStatusList excluded_cookies) {
-  not_stored_cookies_ = std::move(excluded_cookies);
+void URLRequest::set_maybe_stored_cookies(CookieAndLineStatusList cookies) {
+  maybe_stored_cookies_ = std::move(cookies);
 }
 
 void URLRequest::SetLoadFlags(int flags) {
@@ -617,16 +615,15 @@ URLRequest::URLRequest(const GURL& url,
       raw_header_size_(0),
       is_pac_request_(false),
       traffic_annotation_(traffic_annotation),
-      upgrade_if_insecure_(false),
-      weak_factory_(this) {
+      upgrade_if_insecure_(false) {
   // Sanity check out environment.
   DCHECK(base::ThreadTaskRunnerHandle::IsSet());
 
   context->url_requests()->insert(this);
-  net_log_.BeginEvent(
-      NetLogEventType::REQUEST_ALIVE,
-      base::BindRepeating(&NetLogURLRequestConstructorCallback, &url, priority_,
-                          traffic_annotation_));
+  net_log_.BeginEvent(NetLogEventType::REQUEST_ALIVE, [&] {
+    return NetLogURLRequestConstructorParams(url, priority_,
+                                             traffic_annotation_);
+  });
 }
 
 void URLRequest::BeforeRequestComplete(int error) {
@@ -639,9 +636,8 @@ void URLRequest::BeforeRequestComplete(int error) {
   OnCallToDelegateComplete();
 
   if (error != OK) {
-    std::string source("delegate");
-    net_log_.AddEvent(NetLogEventType::CANCELLED,
-                      NetLog::StringCallback("source", &source));
+    net_log_.AddEventWithStringParams(NetLogEventType::CANCELLED, "source",
+                                      "delegate");
     StartJob(new URLRequestErrorJob(this, network_delegate_, error));
   } else if (!delegate_redirect_url_.is_empty()) {
     GURL new_url;
@@ -664,12 +660,11 @@ void URLRequest::StartJob(URLRequestJob* job) {
 
   privacy_mode_ = DeterminePrivacyMode();
 
-  net_log_.BeginEvent(
-      NetLogEventType::URL_REQUEST_START_JOB,
-      base::BindRepeating(
-          &NetLogURLRequestStartCallback, &url(), &method_, load_flags_,
-          privacy_mode_,
-          upload_data_stream_ ? upload_data_stream_->identifier() : -1));
+  net_log_.BeginEvent(NetLogEventType::URL_REQUEST_START_JOB, [&] {
+    return NetLogURLRequestStartParams(
+        url(), method_, load_flags_, privacy_mode_,
+        upload_data_stream_ ? upload_data_stream_->identifier() : -1);
+  });
 
   job_.reset(job);
   job_->SetExtraRequestHeaders(extra_request_headers_);
@@ -685,8 +680,8 @@ void URLRequest::StartJob(URLRequestJob* job) {
 
   response_info_.was_cached = false;
 
-  not_sent_cookies_.clear();
-  not_stored_cookies_.clear();
+  maybe_sent_cookies_.clear();
+  maybe_stored_cookies_.clear();
 
   GURL referrer_url(referrer_);
   if (referrer_url != URLRequestJob::ComputeReferrerForPolicy(
@@ -699,9 +694,8 @@ void URLRequest::StartJob(URLRequestJob* job) {
       // We need to clear the referrer anyway to avoid an infinite recursion
       // when starting the error job.
       referrer_.clear();
-      std::string source("delegate");
-      net_log_.AddEvent(NetLogEventType::CANCELLED,
-                        NetLog::StringCallback("source", &source));
+      net_log_.AddEventWithStringParams(NetLogEventType::CANCELLED, "source",
+                                        "delegate");
       RestartWithJob(new URLRequestErrorJob(this, network_delegate_,
                                             ERR_BLOCKED_BY_CLIENT));
       return;
@@ -862,6 +856,10 @@ void URLRequest::NotifyResponseStarted(const URLRequestStatus& status) {
   if (status.status() != URLRequestStatus::SUCCESS)
     set_status(status);
 
+  // |status_| should not be ERR_IO_PENDING when calling into the
+  // URLRequest::Delegate().
+  DCHECK(!status_.is_io_pending());
+
   int net_error = OK;
   if (!status_.is_success())
     net_error = status_.error();
@@ -898,8 +896,8 @@ void URLRequest::FollowDeferredRedirect(
   DCHECK(job_.get());
   DCHECK(status_.is_success());
 
-  not_sent_cookies_.clear();
-  not_stored_cookies_.clear();
+  maybe_sent_cookies_.clear();
+  maybe_stored_cookies_.clear();
 
   status_ = URLRequestStatus::FromError(ERR_IO_PENDING);
   job_->FollowDeferredRedirect(removed_headers, modified_headers);
@@ -909,8 +907,8 @@ void URLRequest::SetAuth(const AuthCredentials& credentials) {
   DCHECK(job_.get());
   DCHECK(job_->NeedsAuth());
 
-  not_sent_cookies_.clear();
-  not_stored_cookies_.clear();
+  maybe_sent_cookies_.clear();
+  maybe_stored_cookies_.clear();
 
   status_ = URLRequestStatus::FromError(ERR_IO_PENDING);
   job_->SetAuth(credentials);
@@ -979,10 +977,9 @@ void URLRequest::Redirect(
   // |redirect_info.new_url|.
   OnCallToDelegateComplete();
   if (net_log_.IsCapturing()) {
-    net_log_.AddEvent(
-        NetLogEventType::URL_REQUEST_REDIRECTED,
-        NetLog::StringCallback("location",
-                               &redirect_info.new_url.possibly_invalid_spec()));
+    net_log_.AddEventWithStringParams(
+        NetLogEventType::URL_REQUEST_REDIRECTED, "location",
+        redirect_info.new_url.possibly_invalid_spec());
   }
 
   if (network_delegate_)
@@ -1038,9 +1035,9 @@ void URLRequest::SetPriority(RequestPriority priority) {
     return;
 
   priority_ = priority;
-  net_log_.AddEvent(
-      NetLogEventType::URL_REQUEST_SET_PRIORITY,
-      NetLog::StringCallback("priority", RequestPriorityToString(priority_)));
+  net_log_.AddEventWithStringParams(NetLogEventType::URL_REQUEST_SET_PRIORITY,
+                                    "priority",
+                                    RequestPriorityToString(priority_));
   if (job_.get())
     job_->SetPriority(priority_);
 }
diff --git a/chromium/net/url_request/url_request.h b/chromium/net/url_request/url_request.h
index f6043de481f..2a0950079cb 100644
--- a/chromium/net/url_request/url_request.h
+++ b/chromium/net/url_request/url_request.h
@@ -578,23 +578,26 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   // the request is redirected.
   PrivacyMode privacy_mode() { return privacy_mode_; }
 
-  void set_not_sent_cookies(CookieStatusList excluded_cookies);
-  void set_not_stored_cookies(CookieAndLineStatusList excluded_cookies);
+  void set_maybe_sent_cookies(CookieStatusList cookies);
+  void set_maybe_stored_cookies(CookieAndLineStatusList cookies);
 
   // These lists contain a list of cookies that are associated with the given
-  // request but are removed or flagged from the request before use, along with
-  // the reason they were removed or flagged. They are cleared on redirects and
-  // other request restarts that cause sent cookies to be recomputed / new
-  // cookies to potentially be received (such as calling SetAuth() to send HTTP
-  // auth credentials, but not calling ContinueWithCertification() to respond to
-  // client cert challenges), and only contain the cookies relevant to the most
-  // recent roundtrip.
+  // request, both those that were sent and accepted, and those that were
+  // removed or flagged from the request before use. The status indicates
+  // whether they were actually used (INCLUDE), or the reason they were removed
+  // or flagged. They are cleared on redirects and other request restarts that
+  // cause sent cookies to be recomputed / new cookies to potentially be
+  // received (such as calling SetAuth() to send HTTP auth credentials, but not
+  // calling ContinueWithCertification() to respond to client cert challenges),
+  // and only contain the cookies relevant to the most recent roundtrip.
 
   // Populated while the http request is being built.
-  const CookieStatusList& not_sent_cookies() const { return not_sent_cookies_; }
+  const CookieStatusList& maybe_sent_cookies() const {
+    return maybe_sent_cookies_;
+  }
   // Populated after the response headers are received.
-  const CookieAndLineStatusList& not_stored_cookies() const {
-    return not_stored_cookies_;
+  const CookieAndLineStatusList& maybe_stored_cookies() const {
+    return maybe_stored_cookies_;
   }
 
   // The new flags may change the IGNORE_LIMITS flag only when called
@@ -915,8 +918,8 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
                     // expected values are LOAD_* enums above.
   PrivacyMode privacy_mode_;
 
-  CookieStatusList not_sent_cookies_;
-  CookieAndLineStatusList not_stored_cookies_;
+  CookieStatusList maybe_sent_cookies_;
+  CookieAndLineStatusList maybe_stored_cookies_;
 
 #if BUILDFLAG(ENABLE_REPORTING)
   int reporting_upload_depth_;
@@ -1022,7 +1025,7 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
 
   THREAD_CHECKER(thread_checker_);
 
-  base::WeakPtrFactory<URLRequest> weak_factory_;
+  base::WeakPtrFactory<URLRequest> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequest);
 };
diff --git a/chromium/net/url_request/url_request_context.cc b/chromium/net/url_request/url_request_context.cc
index 8f7623f2632..4b7b5547750 100644
--- a/chromium/net/url_request/url_request_context.cc
+++ b/chromium/net/url_request/url_request_context.cc
@@ -89,12 +89,14 @@ const HttpNetworkSession::Context* URLRequestContext::GetNetworkSessionContext()
   return &network_session->context();
 }
 
+#if (!defined(OS_WIN) && !defined(OS_LINUX)) || defined(OS_CHROMEOS)
 std::unique_ptr<URLRequest> URLRequestContext::CreateRequest(
     const GURL& url,
     RequestPriority priority,
     URLRequest::Delegate* delegate) const {
   return CreateRequest(url, priority, delegate, MISSING_TRAFFIC_ANNOTATION);
 }
+#endif
 
 std::unique_ptr<URLRequest> URLRequestContext::CreateRequest(
     const GURL& url,
@@ -180,6 +182,9 @@ void URLRequestContext::CopyFrom(const URLRequestContext* other) {
 #endif  // BUILDFLAG(ENABLE_REPORTING)
   set_enable_brotli(other->enable_brotli_);
   set_check_cleartext_permitted(other->check_cleartext_permitted_);
+#if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+  set_ftp_auth_cache(other->ftp_auth_cache_);
+#endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
 }
 
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_context.h b/chromium/net/url_request/url_request_context.h
index d2a989cea17..41663f7e84f 100644
--- a/chromium/net/url_request/url_request_context.h
+++ b/chromium/net/url_request/url_request_context.h
@@ -17,6 +17,7 @@
 #include "base/memory/weak_ptr.h"
 #include "base/threading/thread_checker.h"
 #include "base/trace_event/memory_dump_provider.h"
+#include "build/build_config.h"
 #include "net/base/net_export.h"
 #include "net/base/request_priority.h"
 #include "net/http/http_network_session.h"
@@ -58,6 +59,10 @@ class URLRequest;
 class URLRequestJobFactory;
 class URLRequestThrottlerManager;
 
+#if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+class FtpAuthCache;
+#endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
+
 #if BUILDFLAG(ENABLE_REPORTING)
 class NetworkErrorLoggingService;
 class ReportingService;
@@ -85,12 +90,18 @@ class NET_EXPORT URLRequestContext
   // session.
   const HttpNetworkSession::Context* GetNetworkSessionContext() const;
 
+#if (!defined(OS_WIN) && !defined(OS_LINUX)) || defined(OS_CHROMEOS)
   // This function should not be used in Chromium, please use the version with
   // NetworkTrafficAnnotationTag in the future.
+  //
+  // The unannotated method is not available on desktop Linux + Windows. It's
+  // available on other platforms, since we only audit network annotations on
+  // Linux & Windows.
   std::unique_ptr<URLRequest> CreateRequest(
       const GURL& url,
       RequestPriority priority,
       URLRequest::Delegate* delegate) const;
+#endif
 
   // |traffic_annotation| is metadata about the network traffic send via this
   // URLRequest, see net::DefineNetworkTrafficAnnotation. Note that:
@@ -275,6 +286,13 @@ class NET_EXPORT URLRequestContext
   // Returns current value of the |check_cleartext_permitted| flag.
   bool check_cleartext_permitted() const { return check_cleartext_permitted_; }
 
+#if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+  void set_ftp_auth_cache(FtpAuthCache* auth_cache) {
+    ftp_auth_cache_ = auth_cache;
+  }
+  FtpAuthCache* ftp_auth_cache() { return ftp_auth_cache_; }
+#endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
+
   // Sets a name for this URLRequestContext. Currently the name is used in
   // MemoryDumpProvier to annotate memory usage. The name does not need to be
   // unique.
@@ -335,6 +353,9 @@ class NET_EXPORT URLRequestContext
   ReportingService* reporting_service_;
   NetworkErrorLoggingService* network_error_logging_service_;
 #endif  // BUILDFLAG(ENABLE_REPORTING)
+#if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+  FtpAuthCache* ftp_auth_cache_;
+#endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
 
   // ---------------------------------------------------------------------------
   // Important: When adding any new members below, consider whether they need to
diff --git a/chromium/net/url_request/url_request_context_builder.cc b/chromium/net/url_request/url_request_context_builder.cc
index 9994043f1da..b65346d9a3c 100644
--- a/chromium/net/url_request/url_request_context_builder.cc
+++ b/chromium/net/url_request/url_request_context_builder.cc
@@ -53,6 +53,7 @@
 #endif
 
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+#include "net/ftp/ftp_auth_cache.h"                // nogncheck
 #include "net/ftp/ftp_network_layer.h"             // nogncheck
 #include "net/url_request/ftp_protocol_handler.h"  // nogncheck
 #endif
@@ -359,16 +360,9 @@ void URLRequestContextBuilder::SetCreateLayeredNetworkDelegateCallback(
 
 void URLRequestContextBuilder::set_proxy_delegate(
     std::unique_ptr<ProxyDelegate> proxy_delegate) {
-  DCHECK(!shared_proxy_delegate_);
   proxy_delegate_ = std::move(proxy_delegate);
 }
 
-void URLRequestContextBuilder::set_shared_proxy_delegate(
-    ProxyDelegate* shared_proxy_delegate) {
-  DCHECK(!proxy_delegate_);
-  shared_proxy_delegate_ = shared_proxy_delegate;
-}
-
 void URLRequestContextBuilder::SetHttpAuthHandlerFactory(
     std::unique_ptr<HttpAuthHandlerFactory> factory) {
   DCHECK(!shared_http_auth_handler_factory_);
@@ -584,14 +578,9 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
 #endif  // BUILDFLAG(ENABLE_REPORTING)
 
   if (proxy_delegate_) {
-    DCHECK(!shared_proxy_delegate_);
     proxy_resolution_service->AssertNoProxyDelegate();
     proxy_resolution_service->SetProxyDelegate(proxy_delegate_.get());
     storage->set_proxy_delegate(std::move(proxy_delegate_));
-  } else if (shared_proxy_delegate_) {
-    proxy_resolution_service->AssertNoProxyDelegate();
-    proxy_resolution_service->SetProxyDelegate(shared_proxy_delegate_);
-    context->set_proxy_delegate(shared_proxy_delegate_);
   }
 
   HttpNetworkSession::Context network_session_context;
@@ -673,8 +662,10 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
 
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
   if (ftp_enabled_) {
+    storage->set_ftp_auth_cache(std::make_unique<FtpAuthCache>());
     job_factory->SetProtocolHandler(
-        url::kFtpScheme, FtpProtocolHandler::Create(context->host_resolver()));
+        url::kFtpScheme, FtpProtocolHandler::Create(context->host_resolver(),
+                                                    context->ftp_auth_cache()));
   }
 #endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
 
diff --git a/chromium/net/url_request/url_request_context_builder.h b/chromium/net/url_request/url_request_context_builder.h
index 39243580a9b..25147e0c97c 100644
--- a/chromium/net/url_request/url_request_context_builder.h
+++ b/chromium/net/url_request/url_request_context_builder.h
@@ -267,13 +267,6 @@ class NET_EXPORT URLRequestContextBuilder {
 
   // Sets the ProxyDelegate.
   void set_proxy_delegate(std::unique_ptr<ProxyDelegate> proxy_delegate);
-  // Allows sharing the PreoxyDelegates with other URLRequestContexts. Should
-  // not be used if set_proxy_delegate() is used. The consumer must ensure the
-  // ProxyDelegate outlives the URLRequestContext returned by the builder.
-  //
-  // TODO(mmenke): Remove this (And update consumers). See:
-  // https://crbug.com/743251.
-  void set_shared_proxy_delegate(ProxyDelegate* shared_proxy_delegate);
 
   // Sets a specific HttpAuthHandlerFactory to be used by the URLRequestContext
   // rather than the default |HttpAuthHandlerRegistryFactory|. The builder
@@ -416,7 +409,6 @@ class NET_EXPORT URLRequestContextBuilder {
   std::unique_ptr<NetworkDelegate> network_delegate_;
   CreateLayeredNetworkDelegate create_layered_network_delegate_callback_;
   std::unique_ptr<ProxyDelegate> proxy_delegate_;
-  ProxyDelegate* shared_proxy_delegate_ = nullptr;
   std::unique_ptr<CookieStore> cookie_store_;
   std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;
   HttpAuthHandlerFactory* shared_http_auth_handler_factory_ = nullptr;
diff --git a/chromium/net/url_request/url_request_context_storage.cc b/chromium/net/url_request/url_request_context_storage.cc
index 21da47e66a1..e47b3123dcd 100644
--- a/chromium/net/url_request/url_request_context_storage.cc
+++ b/chromium/net/url_request/url_request_context_storage.cc
@@ -24,6 +24,10 @@
 #include "net/url_request/url_request_job_factory.h"
 #include "net/url_request/url_request_throttler_manager.h"
 
+#if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+#include "net/ftp/ftp_auth_cache.h"
+#endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
+
 #if BUILDFLAG(ENABLE_REPORTING)
 #include "net/network_error_logging/network_error_logging_service.h"
 #include "net/reporting/reporting_service.h"
@@ -144,6 +148,14 @@ void URLRequestContextStorage::set_http_user_agent_settings(
   http_user_agent_settings_ = std::move(http_user_agent_settings);
 }
 
+#if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+void URLRequestContextStorage::set_ftp_auth_cache(
+    std::unique_ptr<FtpAuthCache> ftp_auth_cache) {
+  context_->set_ftp_auth_cache(ftp_auth_cache.get());
+  ftp_auth_cache_ = std::move(ftp_auth_cache);
+}
+#endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
+
 #if BUILDFLAG(ENABLE_REPORTING)
 void URLRequestContextStorage::set_reporting_service(
     std::unique_ptr<ReportingService> reporting_service) {
diff --git a/chromium/net/url_request/url_request_context_storage.h b/chromium/net/url_request/url_request_context_storage.h
index 44cae84889c..eaca2bf7d49 100644
--- a/chromium/net/url_request/url_request_context_storage.h
+++ b/chromium/net/url_request/url_request_context_storage.h
@@ -19,6 +19,7 @@ class CertVerifier;
 class CookieStore;
 class CTPolicyEnforcer;
 class CTVerifier;
+class FtpAuthCache;
 class HostResolver;
 class HttpAuthHandlerFactory;
 class HttpNetworkSession;
@@ -82,6 +83,9 @@ class NET_EXPORT URLRequestContextStorage {
       std::unique_ptr<URLRequestThrottlerManager> throttler_manager);
   void set_http_user_agent_settings(
       std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings);
+#if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+  void set_ftp_auth_cache(std::unique_ptr<FtpAuthCache> ftp_auth_cache);
+#endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
 
 #if BUILDFLAG(ENABLE_REPORTING)
   void set_reporting_service(
@@ -117,6 +121,9 @@ class NET_EXPORT URLRequestContextStorage {
   std::unique_ptr<TransportSecurityState> transport_security_state_;
   std::unique_ptr<CTVerifier> cert_transparency_verifier_;
   std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
+#if !BUILDFLAG(DISABLE_FTP_SUPPORT)
+  std::unique_ptr<FtpAuthCache> ftp_auth_cache_;
+#endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
 
   // Not actually pointed at by the URLRequestContext, but may be used (but not
   // owned) by the HttpTransactionFactory.
diff --git a/chromium/net/url_request/url_request_data_job_fuzzer.cc b/chromium/net/url_request/url_request_data_job_fuzzer.cc
index 1d119c9fa27..0bf92f811aa 100644
--- a/chromium/net/url_request/url_request_data_job_fuzzer.cc
+++ b/chromium/net/url_request/url_request_data_job_fuzzer.cc
@@ -9,7 +9,6 @@
 
 #include "base/memory/singleton.h"
 #include "base/run_loop.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/http/http_request_headers.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
@@ -17,6 +16,7 @@
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_job_factory_impl.h"
 #include "net/url_request/url_request_test_util.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace {
 
@@ -43,7 +43,7 @@ class URLRequestDataJobFuzzerHarness : public net::URLRequest::Delegate {
   }
 
   int CreateAndReadFromDataURLRequest(const uint8_t* data, size_t size) {
-    base::FuzzedDataProvider provider(data, size);
+    FuzzedDataProvider provider(data, size);
     read_lengths_.clear();
 
     // Allocate an IOBuffer with fuzzed size.
diff --git a/chromium/net/url_request/url_request_error_job.cc b/chromium/net/url_request/url_request_error_job.cc
index 0eda199ab0c..aba7e5783bd 100644
--- a/chromium/net/url_request/url_request_error_job.cc
+++ b/chromium/net/url_request/url_request_error_job.cc
@@ -14,11 +14,10 @@
 
 namespace net {
 
-URLRequestErrorJob::URLRequestErrorJob(
-    URLRequest* request, NetworkDelegate* network_delegate, int error)
-    : URLRequestJob(request, network_delegate),
-      error_(error),
-      weak_factory_(this) {}
+URLRequestErrorJob::URLRequestErrorJob(URLRequest* request,
+                                       NetworkDelegate* network_delegate,
+                                       int error)
+    : URLRequestJob(request, network_delegate), error_(error) {}
 
 URLRequestErrorJob::~URLRequestErrorJob() = default;
 
diff --git a/chromium/net/url_request/url_request_error_job.h b/chromium/net/url_request/url_request_error_job.h
index efd6b6696e8..2ce3f8df885 100644
--- a/chromium/net/url_request/url_request_error_job.h
+++ b/chromium/net/url_request/url_request_error_job.h
@@ -30,7 +30,7 @@ class NET_EXPORT URLRequestErrorJob : public URLRequestJob {
 
   int error_;
 
-  base::WeakPtrFactory<URLRequestErrorJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestErrorJob> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_file_dir_job.cc b/chromium/net/url_request/url_request_file_dir_job.cc
index ca05b6c3f43..97d9384b0e2 100644
--- a/chromium/net/url_request/url_request_file_dir_job.cc
+++ b/chromium/net/url_request/url_request_file_dir_job.cc
@@ -36,8 +36,7 @@ URLRequestFileDirJob::URLRequestFileDirJob(URLRequest* request,
       list_complete_(false),
       wrote_header_(false),
       read_pending_(false),
-      read_buffer_length_(0),
-      weak_factory_(this) {}
+      read_buffer_length_(0) {}
 
 void URLRequestFileDirJob::StartAsync() {
   base::PostTaskWithTraitsAndReplyWithResult(
diff --git a/chromium/net/url_request/url_request_file_dir_job.h b/chromium/net/url_request/url_request_file_dir_job.h
index b0858ac976e..4184f3c5b65 100644
--- a/chromium/net/url_request/url_request_file_dir_job.h
+++ b/chromium/net/url_request/url_request_file_dir_job.h
@@ -75,7 +75,7 @@ class NET_EXPORT_PRIVATE URLRequestFileDirJob
   scoped_refptr<IOBuffer> read_buffer_;
   int read_buffer_length_;
 
-  base::WeakPtrFactory<URLRequestFileDirJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestFileDirJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestFileDirJob);
 };
diff --git a/chromium/net/url_request/url_request_file_job.cc b/chromium/net/url_request/url_request_file_job.cc
index 78968032cbb..955816bd263 100644
--- a/chromium/net/url_request/url_request_file_job.cc
+++ b/chromium/net/url_request/url_request_file_job.cc
@@ -64,8 +64,7 @@ URLRequestFileJob::URLRequestFileJob(
       stream_(new FileStream(file_task_runner)),
       file_task_runner_(file_task_runner),
       remaining_bytes_(0),
-      range_parse_result_(OK),
-      weak_ptr_factory_(this) {}
+      range_parse_result_(OK) {}
 
 void URLRequestFileJob::Start() {
   FileMetaInfo* meta_info = new FileMetaInfo();
diff --git a/chromium/net/url_request/url_request_file_job.h b/chromium/net/url_request/url_request_file_job.h
index d074eb5f490..b41eda0c460 100644
--- a/chromium/net/url_request/url_request_file_job.h
+++ b/chromium/net/url_request/url_request_file_job.h
@@ -132,7 +132,7 @@ class NET_EXPORT URLRequestFileJob : public URLRequestJob {
 
   Error range_parse_result_;
 
-  base::WeakPtrFactory<URLRequestFileJob> weak_ptr_factory_;
+  base::WeakPtrFactory<URLRequestFileJob> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestFileJob);
 };
diff --git a/chromium/net/url_request/url_request_ftp_fuzzer.cc b/chromium/net/url_request/url_request_ftp_fuzzer.cc
index 699e060ac74..f2a9e8cf47b 100644
--- a/chromium/net/url_request/url_request_ftp_fuzzer.cc
+++ b/chromium/net/url_request/url_request_ftp_fuzzer.cc
@@ -7,10 +7,10 @@
 
 #include "base/macros.h"
 #include "base/run_loop.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/request_priority.h"
 #include "net/dns/context_host_resolver.h"
 #include "net/dns/fuzzed_host_resolver_util.h"
+#include "net/ftp/ftp_auth_cache.h"
 #include "net/ftp/ftp_network_transaction.h"
 #include "net/ftp/ftp_transaction_factory.h"
 #include "net/socket/client_socket_factory.h"
@@ -21,6 +21,7 @@
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_job_factory_impl.h"
 #include "net/url_request/url_request_test_util.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 #include "url/gurl.h"
 
 namespace {
@@ -53,7 +54,7 @@ class FuzzedFtpTransactionFactory : public net::FtpTransactionFactory {
 
 // Integration fuzzer for URLRequestFtpJob.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
   net::TestURLRequestContext url_request_context(true);
   net::FuzzedSocketFactory fuzzed_socket_factory(&data_provider);
   url_request_context.set_client_socket_factory(&fuzzed_socket_factory);
@@ -66,10 +67,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   url_request_context.set_host_resolver(host_resolver.get());
 
   net::URLRequestJobFactoryImpl job_factory;
+  net::FtpAuthCache auth_cache;
   job_factory.SetProtocolHandler(
       "ftp", net::FtpProtocolHandler::CreateForTesting(
                  std::make_unique<FuzzedFtpTransactionFactory>(
-                     host_resolver.get(), &fuzzed_socket_factory)));
+                     host_resolver.get(), &fuzzed_socket_factory),
+                 &auth_cache));
   url_request_context.set_job_factory(&job_factory);
 
   url_request_context.Init();
diff --git a/chromium/net/url_request/url_request_ftp_job.cc b/chromium/net/url_request/url_request_ftp_job.cc
index ece3f29289b..85b36e22733 100644
--- a/chromium/net/url_request/url_request_ftp_job.cc
+++ b/chromium/net/url_request/url_request_ftp_job.cc
@@ -7,6 +7,7 @@
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/location.h"
+#include "base/metrics/histogram_macros.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_task_runner_handle.h"
@@ -15,6 +16,7 @@
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
 #include "net/ftp/ftp_auth_cache.h"
+#include "net/ftp/ftp_network_transaction.h"
 #include "net/ftp/ftp_response_info.h"
 #include "net/ftp/ftp_transaction_factory.h"
 #include "net/http/http_response_headers.h"
@@ -48,8 +50,7 @@ URLRequestFtpJob::URLRequestFtpJob(
           request_->context()->proxy_resolution_service()),
       read_in_progress_(false),
       ftp_transaction_factory_(ftp_transaction_factory),
-      ftp_auth_cache_(ftp_auth_cache),
-      weak_factory_(this) {
+      ftp_auth_cache_(ftp_auth_cache) {
   DCHECK(proxy_resolution_service_);
   DCHECK(ftp_transaction_factory);
   DCHECK(ftp_auth_cache);
@@ -65,6 +66,13 @@ bool URLRequestFtpJob::IsSafeRedirect(const GURL& location) {
 }
 
 bool URLRequestFtpJob::GetMimeType(std::string* mime_type) const {
+  // When auth has been cancelled, return a blank text/plain page instead of
+  // triggering a download.
+  if (auth_data_ && auth_data_->state == AUTH_STATE_CANCELED) {
+    *mime_type = "text/plain";
+    return true;
+  }
+
   if (ftp_transaction_->GetResponseInfo()->is_directory_listing) {
     *mime_type = "text/vnd.chromium.ftp-dir";
     return true;
@@ -114,6 +122,17 @@ void URLRequestFtpJob::Kill() {
   weak_factory_.InvalidateWeakPtrs();
 }
 
+void URLRequestFtpJob::GetResponseInfo(HttpResponseInfo* info) {
+  // Don't expose the challenge if it has already been successfully
+  // authenticated.
+  if (!auth_data_ || auth_data_->state == AUTH_STATE_HAVE_AUTH)
+    return;
+
+  std::unique_ptr<AuthChallengeInfo> challenge = GetAuthChallengeInfo();
+  if (challenge)
+    info->auth_challenge = *challenge;
+}
+
 void URLRequestFtpJob::OnResolveProxyComplete(int result) {
   proxy_resolve_request_ = nullptr;
 
@@ -164,11 +183,18 @@ void URLRequestFtpJob::OnStartCompleted(int result) {
     set_expected_content_size(
         ftp_transaction_->GetResponseInfo()->expected_content_size);
 
+    if (auth_data_ && auth_data_->state == AUTH_STATE_HAVE_AUTH) {
+      LogFtpStartResult(FTPStartResult::kSuccessAuth);
+    } else {
+      LogFtpStartResult(FTPStartResult::kSuccessNoAuth);
+    }
+
     NotifyHeadersComplete();
   } else if (ftp_transaction_ /* May be null if creation fails. */ &&
              ftp_transaction_->GetResponseInfo()->needs_auth) {
     HandleAuthNeededResponse();
   } else {
+    LogFtpStartResult(FTPStartResult::kFailed);
     NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result));
   }
 }
@@ -208,8 +234,6 @@ bool URLRequestFtpJob::NeedsAuth() {
 }
 
 std::unique_ptr<AuthChallengeInfo> URLRequestFtpJob::GetAuthChallengeInfo() {
-  DCHECK(NeedsAuth());
-
   std::unique_ptr<AuthChallengeInfo> result =
       std::make_unique<AuthChallengeInfo>();
   result->is_proxy = false;
@@ -240,16 +264,17 @@ void URLRequestFtpJob::CancelAuth() {
 
   auth_data_->state = AUTH_STATE_CANCELED;
 
-  // Once the auth is cancelled, we proceed with the request as though
-  // there were no auth.  Schedule this for later so that we don't cause
-  // any recursing into the caller as a result of this call.
-  OnStartCompletedAsync(OK);
+  ftp_transaction_.reset();
+  NotifyHeadersComplete();
 }
 
 int URLRequestFtpJob::ReadRawData(IOBuffer* buf, int buf_size) {
   DCHECK_NE(buf_size, 0);
   DCHECK(!read_in_progress_);
 
+  if (!ftp_transaction_)
+    return 0;
+
   int rv =
       ftp_transaction_->Read(buf, buf_size,
                              base::BindOnce(&URLRequestFtpJob::OnReadCompleted,
@@ -269,8 +294,12 @@ void URLRequestFtpJob::HandleAuthNeededResponse() {
       return;
     }
 
-    if (ftp_transaction_ && auth_data_->state == AUTH_STATE_HAVE_AUTH)
+    if (ftp_transaction_ && auth_data_->state == AUTH_STATE_HAVE_AUTH) {
       ftp_auth_cache_->Remove(origin, auth_data_->credentials);
+
+      // The user entered invalid auth
+      LogFtpStartResult(FTPStartResult::kFailed);
+    }
   } else {
     auth_data_ = std::make_unique<AuthData>();
   }
@@ -288,4 +317,8 @@ void URLRequestFtpJob::HandleAuthNeededResponse() {
   }
 }
 
+void URLRequestFtpJob::LogFtpStartResult(FTPStartResult result) {
+  UMA_HISTOGRAM_ENUMERATION("Net.FTP.StartResult", result);
+}
+
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_ftp_job.h b/chromium/net/url_request/url_request_ftp_job.h
index 061f5ad7b7f..a8dd912134a 100644
--- a/chromium/net/url_request/url_request_ftp_job.h
+++ b/chromium/net/url_request/url_request_ftp_job.h
@@ -21,6 +21,15 @@
 
 namespace net {
 
+// These values are persisted to logs. Entries should not be renumbered and
+// numeric values should never be reused.
+enum class FTPStartResult : int {
+  kSuccessNoAuth = 0,
+  kSuccessAuth = 1,
+  kFailed = 2,
+  kMaxValue = kFailed
+};
+
 class NetworkDelegate;
 class FtpTransactionFactory;
 class FtpAuthCache;
@@ -33,16 +42,16 @@ class NET_EXPORT_PRIVATE URLRequestFtpJob : public URLRequestJob {
                    NetworkDelegate* network_delegate,
                    FtpTransactionFactory* ftp_transaction_factory,
                    FtpAuthCache* ftp_auth_cache);
-
- protected:
   ~URLRequestFtpJob() override;
+  void Start() override;
 
+ protected:
   // Overridden from URLRequestJob:
   bool IsSafeRedirect(const GURL& location) override;
   bool GetMimeType(std::string* mime_type) const override;
   IPEndPoint GetResponseRemoteEndpoint() const override;
-  void Start() override;
   void Kill() override;
+  void GetResponseInfo(HttpResponseInfo* info) override;
 
  private:
   class AuthData;
@@ -68,6 +77,8 @@ class NET_EXPORT_PRIVATE URLRequestFtpJob : public URLRequestJob {
 
   void HandleAuthNeededResponse();
 
+  void LogFtpStartResult(FTPStartResult result);
+
   ProxyResolutionService* proxy_resolution_service_;
   ProxyInfo proxy_info_;
   std::unique_ptr<ProxyResolutionService::Request> proxy_resolve_request_;
@@ -82,7 +93,7 @@ class NET_EXPORT_PRIVATE URLRequestFtpJob : public URLRequestJob {
   FtpTransactionFactory* ftp_transaction_factory_;
   FtpAuthCache* ftp_auth_cache_;
 
-  base::WeakPtrFactory<URLRequestFtpJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestFtpJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestFtpJob);
 };
diff --git a/chromium/net/url_request/url_request_ftp_job_unittest.cc b/chromium/net/url_request/url_request_ftp_job_unittest.cc
new file mode 100644
index 00000000000..f3428222949
--- /dev/null
+++ b/chromium/net/url_request/url_request_ftp_job_unittest.cc
@@ -0,0 +1,265 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/url_request/url_request_ftp_job.h"
+
+#include <memory>
+
+#include "base/test/metrics/histogram_tester.h"
+#include "net/base/auth.h"
+#include "net/base/load_states.h"
+#include "net/base/net_errors.h"
+#include "net/base/request_priority.h"
+#include "net/ftp/ftp_auth_cache.h"
+#include "net/ftp/ftp_response_info.h"
+#include "net/ftp/ftp_transaction.h"
+#include "net/ftp/ftp_transaction_factory.h"
+#include "net/test/test_with_scoped_task_environment.h"
+#include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "net/url_request/url_request_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+namespace {
+
+class MockFtpTransaction : public FtpTransaction {
+ public:
+  MockFtpTransaction(int start_return_value,
+                     int read_return_value,
+                     bool needs_auth,
+                     std::vector<int> restart_return_values)
+      : start_return_value_(start_return_value),
+        read_return_value_(read_return_value),
+        restart_return_values_(restart_return_values),
+        restart_index_(0) {
+    response_.needs_auth = needs_auth;
+  }
+  ~MockFtpTransaction() override {}
+
+  int Start(const FtpRequestInfo* request_info,
+            CompletionOnceCallback callback,
+            const NetLogWithSource& net_log,
+            const NetworkTrafficAnnotationTag& traffic_annotation) override {
+    return start_return_value_;
+  }
+
+  int RestartWithAuth(const AuthCredentials& credentials,
+                      CompletionOnceCallback callback) override {
+    CHECK(restart_index_ < restart_return_values_.size());
+    return restart_return_values_[restart_index_++];
+  }
+
+  int Read(IOBuffer* buf,
+           int buf_len,
+           CompletionOnceCallback callback) override {
+    return read_return_value_;
+  }
+
+  const FtpResponseInfo* GetResponseInfo() const override { return &response_; }
+
+  LoadState GetLoadState() const override { return LOAD_STATE_IDLE; }
+
+  uint64_t GetUploadProgress() const override { return 0; }
+
+ private:
+  FtpResponseInfo response_;
+  int start_return_value_;
+  int read_return_value_;
+  std::vector<int> restart_return_values_;
+  unsigned int restart_index_;
+
+  DISALLOW_COPY_AND_ASSIGN(MockFtpTransaction);
+};
+
+class MockFtpTransactionFactory : public FtpTransactionFactory {
+ public:
+  MockFtpTransactionFactory(int start_return_value,
+                            int read_return_value,
+                            bool needs_auth,
+                            std::vector<int> restart_return_values)
+      : start_return_value_(start_return_value),
+        read_return_value_(read_return_value),
+        needs_auth_(needs_auth),
+        restart_return_values_(restart_return_values) {}
+
+  ~MockFtpTransactionFactory() override {}
+
+  std::unique_ptr<FtpTransaction> CreateTransaction() override {
+    return std::make_unique<MockFtpTransaction>(start_return_value_,
+                                                read_return_value_, needs_auth_,
+                                                restart_return_values_);
+  }
+
+  void Suspend(bool suspend) override {}
+
+ private:
+  int start_return_value_;
+  int read_return_value_;
+  bool needs_auth_;
+  std::vector<int> restart_return_values_;
+
+  DISALLOW_COPY_AND_ASSIGN(MockFtpTransactionFactory);
+};
+
+class MockURLRequestFtpJobFactory : public URLRequestJobFactory {
+ public:
+  MockURLRequestFtpJobFactory(int start_return_value,
+                              int read_return_value,
+                              bool needs_auth,
+                              std::vector<int> restart_return_values)
+      : auth_cache(new FtpAuthCache()),
+        factory(new MockFtpTransactionFactory(start_return_value,
+                                              read_return_value,
+                                              needs_auth,
+                                              restart_return_values)) {}
+
+  ~MockURLRequestFtpJobFactory() override {
+    delete auth_cache;
+    delete factory;
+  }
+
+  URLRequestJob* MaybeCreateJobWithProtocolHandler(
+      const std::string& scheme,
+      URLRequest* request,
+      NetworkDelegate* network_delegate) const override {
+    return new URLRequestFtpJob(request, network_delegate, factory, auth_cache);
+  }
+
+  URLRequestJob* MaybeInterceptRedirect(URLRequest* request,
+                                        NetworkDelegate* network_delegate,
+                                        const GURL& location) const override {
+    return nullptr;
+  }
+
+  URLRequestJob* MaybeInterceptResponse(
+      URLRequest* request,
+      NetworkDelegate* network_delegate) const override {
+    return nullptr;
+  }
+
+  bool IsHandledProtocol(const std::string& scheme) const override {
+    return scheme == "ftp";
+  }
+
+  bool IsSafeRedirectTarget(const GURL& location) const override {
+    return true;
+  }
+
+ private:
+  FtpAuthCache* auth_cache;
+  MockFtpTransactionFactory* factory;
+
+  DISALLOW_COPY_AND_ASSIGN(MockURLRequestFtpJobFactory);
+};
+
+using UrlRequestFtpJobTest = TestWithScopedTaskEnvironment;
+
+TEST_F(UrlRequestFtpJobTest, HistogramLogSuccessNoAuth) {
+  base::HistogramTester histograms;
+  MockURLRequestFtpJobFactory url_request_ftp_job_factory(OK, OK, false, {OK});
+  TestNetworkDelegate network_delegate;
+  TestURLRequestContext context(true);
+  context.set_network_delegate(&network_delegate);
+  context.set_job_factory(&url_request_ftp_job_factory);
+  context.Init();
+
+  TestDelegate test_delegate;
+  std::unique_ptr<URLRequest> r(context.CreateRequest(
+      GURL("ftp://example.test/"), RequestPriority::DEFAULT_PRIORITY,
+      &test_delegate, TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  r->Start();
+  test_delegate.RunUntilComplete();
+
+  histograms.ExpectBucketCount("Net.FTP.StartResult",
+                               FTPStartResult::kSuccessNoAuth, 1);
+  histograms.ExpectBucketCount("Net.FTP.StartResult",
+                               FTPStartResult::kSuccessAuth, 0);
+  histograms.ExpectBucketCount("Net.FTP.StartResult", FTPStartResult::kFailed,
+                               0);
+}
+
+TEST_F(UrlRequestFtpJobTest, HistogramLogSuccessAuth) {
+  base::HistogramTester histograms;
+  MockURLRequestFtpJobFactory url_request_ftp_job_factory(
+      ERR_FAILED, ERR_FAILED, true, {OK});
+  TestNetworkDelegate network_delegate;
+  TestURLRequestContext context(true);
+  context.set_network_delegate(&network_delegate);
+  context.set_job_factory(&url_request_ftp_job_factory);
+  context.Init();
+
+  TestDelegate test_delegate;
+  test_delegate.set_credentials(
+      AuthCredentials(base::ASCIIToUTF16("user"), base::ASCIIToUTF16("pass")));
+  std::unique_ptr<URLRequest> r(context.CreateRequest(
+      GURL("ftp://example.test/"), RequestPriority::DEFAULT_PRIORITY,
+      &test_delegate, TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  r->Start();
+  test_delegate.RunUntilComplete();
+
+  histograms.ExpectBucketCount("Net.FTP.StartResult",
+                               FTPStartResult::kSuccessNoAuth, 0);
+  histograms.ExpectBucketCount("Net.FTP.StartResult",
+                               FTPStartResult::kSuccessAuth, 1);
+  histograms.ExpectBucketCount("Net.FTP.StartResult", FTPStartResult::kFailed,
+                               0);
+}
+
+TEST_F(UrlRequestFtpJobTest, HistogramLogFailed) {
+  base::HistogramTester histograms;
+  MockURLRequestFtpJobFactory url_request_ftp_job_factory(
+      ERR_FAILED, ERR_FAILED, false, {ERR_FAILED});
+  TestNetworkDelegate network_delegate;
+  TestURLRequestContext context(true);
+  context.set_network_delegate(&network_delegate);
+  context.set_job_factory(&url_request_ftp_job_factory);
+  context.Init();
+
+  TestDelegate test_delegate;
+  std::unique_ptr<URLRequest> r(context.CreateRequest(
+      GURL("ftp://example.test/"), RequestPriority::DEFAULT_PRIORITY,
+      &test_delegate, TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  r->Start();
+  test_delegate.RunUntilComplete();
+
+  histograms.ExpectBucketCount("Net.FTP.StartResult",
+                               FTPStartResult::kSuccessNoAuth, 0);
+  histograms.ExpectBucketCount("Net.FTP.StartResult",
+                               FTPStartResult::kSuccessAuth, 0);
+  histograms.ExpectBucketCount("Net.FTP.StartResult", FTPStartResult::kFailed,
+                               1);
+}
+
+TEST_F(UrlRequestFtpJobTest, HistogramLogFailedInvalidAuthThenSucceed) {
+  base::HistogramTester histograms;
+  MockURLRequestFtpJobFactory url_request_ftp_job_factory(
+      ERR_FAILED, ERR_FAILED, true, {ERR_ACCESS_DENIED, OK});
+  TestNetworkDelegate network_delegate;
+  TestURLRequestContext context(true);
+  context.set_network_delegate(&network_delegate);
+  context.set_job_factory(&url_request_ftp_job_factory);
+  context.Init();
+
+  TestDelegate test_delegate;
+  test_delegate.set_credentials(
+      AuthCredentials(base::ASCIIToUTF16("user"), base::ASCIIToUTF16("pass")));
+  std::unique_ptr<URLRequest> r(context.CreateRequest(
+      GURL("ftp://example.test/"), RequestPriority::DEFAULT_PRIORITY,
+      &test_delegate, TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  r->Start();
+  test_delegate.RunUntilComplete();
+
+  histograms.ExpectBucketCount("Net.FTP.StartResult",
+                               FTPStartResult::kSuccessNoAuth, 0);
+  histograms.ExpectBucketCount("Net.FTP.StartResult",
+                               FTPStartResult::kSuccessAuth, 1);
+  histograms.ExpectBucketCount("Net.FTP.StartResult", FTPStartResult::kFailed,
+                               1);
+}
+}  // namespace
+}  // namespace net
\ No newline at end of file
diff --git a/chromium/net/url_request/url_request_fuzzer.cc b/chromium/net/url_request/url_request_fuzzer.cc
index a8fb3ab8e62..e53ac14ad30 100644
--- a/chromium/net/url_request/url_request_fuzzer.cc
+++ b/chromium/net/url_request/url_request_fuzzer.cc
@@ -10,13 +10,13 @@
 #include <memory>
 
 #include "base/run_loop.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/request_priority.h"
 #include "net/socket/fuzzed_socket_factory.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_test_util.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 #include "url/gurl.h"
 
 
@@ -35,7 +35,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   if (size > kMaxInputSize)
     return 0;
 
-  base::FuzzedDataProvider data_provider(data, size);
+  FuzzedDataProvider data_provider(data, size);
   net::TestURLRequestContext url_request_context(true);
   net::FuzzedSocketFactory fuzzed_socket_factory(&data_provider);
   url_request_context.set_client_socket_factory(&fuzzed_socket_factory);
diff --git a/chromium/net/url_request/url_request_http_job.cc b/chromium/net/url_request/url_request_http_job.cc
index 94883ec6f97..199798882a7 100644
--- a/chromium/net/url_request/url_request_http_job.cc
+++ b/chromium/net/url_request/url_request_http_job.cc
@@ -292,8 +292,7 @@ URLRequestHttpJob::URLRequestHttpJob(
       awaiting_callback_(false),
       http_user_agent_settings_(http_user_agent_settings),
       total_received_bytes_from_previous_transactions_(0),
-      total_sent_bytes_from_previous_transactions_(0),
-      weak_factory_(this) {
+      total_sent_bytes_from_previous_transactions_(0) {
   URLRequestThrottlerManager* manager = request->context()->throttler_manager();
   if (manager)
     throttling_entry_ = manager->RegisterRequestUrl(request->url());
@@ -323,11 +322,7 @@ void URLRequestHttpJob::Start() {
   request_info_.url = request_->url();
   request_info_.method = request_->method();
 
-  // TODO(crbug.com/963476): Remove this when network_isolation_key is being set
-  // in request_.
-  request_info_.network_isolation_key =
-      NetworkIsolationKey(request_->top_frame_origin());
-
+  request_info_.network_isolation_key = request_->network_isolation_key();
   request_info_.load_flags = request_->load_flags();
   request_info_.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(request_->traffic_annotation());
@@ -405,7 +400,7 @@ void URLRequestHttpJob::NotifyBeforeSendHeadersCallback(
 void URLRequestHttpJob::NotifyHeadersComplete() {
   DCHECK(!response_info_);
   DCHECK_EQ(0, num_cookie_lines_left_);
-  DCHECK(request_->not_stored_cookies().empty());
+  DCHECK(request_->maybe_stored_cookies().empty());
 
   response_info_ = transaction_->GetResponseInfo();
 
@@ -422,7 +417,7 @@ void URLRequestHttpJob::NotifyHeadersComplete() {
 
   // Clear |cs_status_list_| after any processing in case
   // SaveCookiesAndNotifyHeadersComplete is called again.
-  request_->set_not_stored_cookies(std::move(cs_status_list_));
+  request_->set_maybe_stored_cookies(std::move(cs_status_list_));
 
   // The HTTP transaction may be restarted several times for the purposes
   // of sending authorization information. Each time it restarts, we get
@@ -489,9 +484,8 @@ void URLRequestHttpJob::MaybeStartTransactionInternal(int result) {
   if (result == OK) {
     StartTransactionInternal();
   } else {
-    std::string source("delegate");
-    request_->net_log().AddEvent(NetLogEventType::CANCELLED,
-                                 NetLog::StringCallback("source", &source));
+    request_->net_log().AddEventWithStringParams(NetLogEventType::CANCELLED,
+                                                 "source", "delegate");
     // Don't call back synchronously to the delegate.
     base::ThreadTaskRunnerHandle::Get()->PostTask(
         FROM_HERE,
@@ -646,49 +640,50 @@ void URLRequestHttpJob::SetCookieHeaderAndStart(
     const CookieOptions& options,
     const CookieList& cookie_list,
     const CookieStatusList& excluded_list) {
-  DCHECK(request_->not_sent_cookies().empty());
-  CookieStatusList excluded_cookies = excluded_list;
-
-  if (!cookie_list.empty()) {
-    if (!CanGetCookies(cookie_list)) {
-      for (const auto& cookie : cookie_list) {
-        excluded_cookies.push_back(
-            {cookie,
-             CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES});
-      }
-    } else {
-      LogCookieUMA(cookie_list, *request_, request_info_);
-
-      std::string cookie_line = CanonicalCookie::BuildCookieLine(cookie_list);
-      UMA_HISTOGRAM_COUNTS_10000("Cookie.HeaderLength", cookie_line.length());
-      request_info_.extra_headers.SetHeader(HttpRequestHeaders::kCookie,
-                                            cookie_line);
-
-      // Disable privacy mode as we are sending cookies anyway.
-      request_info_.privacy_mode = PRIVACY_MODE_DISABLED;
-    }
+  DCHECK(request_->maybe_sent_cookies().empty());
+  CookieStatusList maybe_sent_cookies = excluded_list;
+
+  net::CanonicalCookie::CookieInclusionStatus status_for_cookie_list =
+      CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES;
+  if (!cookie_list.empty() && CanGetCookies(cookie_list)) {
+    status_for_cookie_list = CanonicalCookie::CookieInclusionStatus::INCLUDE;
+    LogCookieUMA(cookie_list, *request_, request_info_);
+
+    std::string cookie_line = CanonicalCookie::BuildCookieLine(cookie_list);
+    UMA_HISTOGRAM_COUNTS_10000("Cookie.HeaderLength", cookie_line.length());
+    request_info_.extra_headers.SetHeader(HttpRequestHeaders::kCookie,
+                                          cookie_line);
+
+    // Disable privacy mode as we are sending cookies anyway.
+    request_info_.privacy_mode = PRIVACY_MODE_DISABLED;
   }
 
+  // Report status for things in |cookie_list| after the delegate got a chance
+  // to block them.
+  for (const auto& cookie : cookie_list)
+    maybe_sent_cookies.push_back({cookie, status_for_cookie_list});
+
   // Copy any cookies that would not be sent under SameSiteByDefaultCookies
-  // and/or CookiesWithoutSameSiteMustBeSecure, into the |excluded_cookies| list
-  // so that we can display appropriate console warning messages about them.
-  // I.e. they are still included in the Cookie header, but they are *also*
-  // copied into |excluded_cookies| with the CookieInclusionStatus that *would*
-  // apply. This special-casing will go away once SameSiteByDefaultCookies and
-  // CookiesWithoutSameSiteMustBeSecure are on by default, as the affected
-  // cookies will just be excluded in the first place.
+  // and/or CookiesWithoutSameSiteMustBeSecure with an informative status into
+  // the |maybe_sent_cookies| list so that we can display appropriate console
+  // warning messages about them. I.e. they are still included in the Cookie
+  // header, but they are *also* copied into |maybe_sent_cookies| with the
+  // CookieInclusionStatus that *would* apply. This special-casing will go away
+  // once SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure are on
+  // by default, as the affected cookies will just be excluded in the first
+  // place.
   for (const CanonicalCookie& cookie : cookie_list) {
     CanonicalCookie::CookieInclusionStatus
         include_but_maybe_would_exclude_status =
             cookie_util::CookieWouldBeExcludedDueToSameSite(cookie, options);
     if (include_but_maybe_would_exclude_status !=
         CanonicalCookie::CookieInclusionStatus::INCLUDE) {
-      excluded_cookies.push_back(
+      maybe_sent_cookies.push_back(
           {cookie, include_but_maybe_would_exclude_status});
     }
   }
 
-  request_->set_not_sent_cookies(std::move(excluded_cookies));
+  request_->set_maybe_sent_cookies(std::move(maybe_sent_cookies));
 
   StartTransaction();
 }
@@ -701,9 +696,8 @@ void URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete(int result) {
   OnCallToDelegateComplete();
 
   if (result != OK) {
-    std::string source("delegate");
-    request_->net_log().AddEvent(NetLogEventType::CANCELLED,
-                                 NetLog::StringCallback("source", &source));
+    request_->net_log().AddEventWithStringParams(NetLogEventType::CANCELLED,
+                                                 "source", "delegate");
     NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result));
     return;
   }
@@ -787,14 +781,14 @@ void URLRequestHttpJob::OnSetCookieResult(
     base::Optional<CanonicalCookie> cookie,
     std::string cookie_string,
     CanonicalCookie::CookieInclusionStatus status) {
-  if (status != CanonicalCookie::CookieInclusionStatus::INCLUDE) {
-    cs_status_list_.emplace_back(std::move(cookie), std::move(cookie_string),
-                                 status);
-  } else {
+  cs_status_list_.emplace_back(std::move(cookie), std::move(cookie_string),
+                               status);
+
+  if (status == CanonicalCookie::CookieInclusionStatus::INCLUDE) {
     DCHECK(cookie.has_value());
-    // Even if the status is INCLUDE, copy any cookies that would not be set
-    // under SameSiteByDefaultCookies and/or CookiesWithoutSameSiteMustBeSecure
-    // into |cs_status_list_| so that we can display appropriate console warning
+    // Copy any cookies that would not be sent under SameSiteByDefaultCookies
+    // and/or CookiesWithoutSameSiteMustBeSecure into |cs_status_list_| with a
+    // descriptive status so that we can display appropriate console warning
     // messages about them. I.e. they are still set, but they are *also* copied
     // into |cs_status_list_| with the CookieInclusionStatus that *would* apply.
     // This special-casing will go away once SameSiteByDefaultCookies and
@@ -919,10 +913,8 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
         if (error == ERR_IO_PENDING) {
           awaiting_callback_ = true;
         } else {
-          std::string source("delegate");
-          request_->net_log().AddEvent(
-              NetLogEventType::CANCELLED,
-              NetLog::StringCallback("source", &source));
+          request_->net_log().AddEventWithStringParams(
+              NetLogEventType::CANCELLED, "source", "delegate");
           OnCallToDelegateComplete();
           NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, error));
         }
@@ -994,8 +986,8 @@ void URLRequestHttpJob::RestartTransactionWithAuth(
   // TODO(https://crbug.com/968327/): This is weird, as all other clearing is at
   // the URLRequest layer. Should this call into URLRequest so it can share
   // logic at that layer with SetAuth()?
-  request_->set_not_sent_cookies({});
-  request_->set_not_stored_cookies({});
+  request_->set_maybe_sent_cookies({});
+  request_->set_maybe_stored_cookies({});
 
   AddCookieHeaderAndStart();
 }
@@ -1105,10 +1097,8 @@ std::unique_ptr<SourceStream> URLRequestHttpJob::SetUpSourceStream() {
         return upstream;
       case SourceStream::TYPE_UNKNOWN:
         // Unknown encoding type. Pass through raw response body.
-        // Despite of reporting to UMA, request will not be canceled; though
+        // Request will not be canceled; though
         // it is expected that user will see malformed / garbage response.
-        FilterSourceStream::ReportContentDecodingFailed(
-            FilterSourceStream::TYPE_UNKNOWN);
         return upstream;
       case SourceStream::TYPE_GZIP_FALLBACK_DEPRECATED:
       case SourceStream::TYPE_SDCH_DEPRECATED:
@@ -1233,7 +1223,6 @@ void URLRequestHttpJob::SetAuth(const AuthCredentials& credentials) {
 }
 
 void URLRequestHttpJob::CancelAuth() {
-  // Proxy gets set first, then WWW.
   if (proxy_auth_state_ == AUTH_STATE_NEED_AUTH) {
     proxy_auth_state_ = AUTH_STATE_CANCELED;
   } else {
@@ -1241,26 +1230,18 @@ void URLRequestHttpJob::CancelAuth() {
     server_auth_state_ = AUTH_STATE_CANCELED;
   }
 
-  // These will be reset in OnStartCompleted.
-  response_info_ = nullptr;
-  receive_headers_end_ = base::TimeTicks::Now();
-  // TODO(davidben,mmenke): We should either reset override_response_headers_
-  // here or not call NotifyHeadersReceived a second time on the same response
-  // headers. See https://crbug.com/810063.
-
-  ResetTimer();
+  // The above lines should ensure this is the case.
+  DCHECK(!NeedsAuth());
 
-  // OK, let the consumer read the error page...
-  //
-  // Because we set the AUTH_STATE_CANCELED flag, NeedsAuth will return false,
-  // which will cause the consumer to receive OnResponseStarted instead of
-  // OnAuthRequired.
-  //
-  // We have to do this via InvokeLater to avoid "recursing" the consumer.
+  // Let the consumer read the HTTP error page. NeedsAuth() should now return
+  // false, so NotifyHeadersComplete() should not request auth from the client
+  // again.
   //
+  // Have to do this via PostTask to avoid re-entrantly calling into the
+  // consumer.
   base::ThreadTaskRunnerHandle::Get()->PostTask(
-      FROM_HERE, base::BindOnce(&URLRequestHttpJob::OnStartCompleted,
-                                weak_factory_.GetWeakPtr(), OK));
+      FROM_HERE, base::BindOnce(&URLRequestHttpJob::NotifyFinalHeadersReceived,
+                                weak_factory_.GetWeakPtr()));
 }
 
 void URLRequestHttpJob::ContinueWithCertificate(
@@ -1421,10 +1402,6 @@ void URLRequestHttpJob::RecordTimer() {
   request_creation_time_ = base::Time();
 
   UMA_HISTOGRAM_MEDIUM_TIMES("Net.HttpTimeToFirstByte", to_start);
-  if (request_info_.upload_data_stream &&
-      request_info_.upload_data_stream->size() > 1024 * 1024) {
-    UMA_HISTOGRAM_MEDIUM_TIMES("Net.HttpTimeToFirstByte.LargeUpload", to_start);
-  }
 }
 
 void URLRequestHttpJob::ResetTimer() {
diff --git a/chromium/net/url_request/url_request_http_job.h b/chromium/net/url_request/url_request_http_job.h
index b02453a3e3a..0162bfbf60b 100644
--- a/chromium/net/url_request/url_request_http_job.h
+++ b/chromium/net/url_request/url_request_http_job.h
@@ -255,7 +255,7 @@ class NET_EXPORT_PRIVATE URLRequestHttpJob : public URLRequestJob {
   RequestHeadersCallback request_headers_callback_;
   ResponseHeadersCallback response_headers_callback_;
 
-  base::WeakPtrFactory<URLRequestHttpJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestHttpJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestHttpJob);
 };
diff --git a/chromium/net/url_request/url_request_http_job_unittest.cc b/chromium/net/url_request/url_request_http_job_unittest.cc
index 928db3b782b..d4c0aaae29d 100644
--- a/chromium/net/url_request/url_request_http_job_unittest.cc
+++ b/chromium/net/url_request/url_request_http_job_unittest.cc
@@ -27,7 +27,6 @@
 #include "net/http/http_transaction_test_util.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/net_buildflags.h"
 #include "net/socket/next_proto.h"
@@ -50,7 +49,7 @@
 
 #if defined(OS_ANDROID)
 #include "base/android/jni_android.h"
-#include "jni/AndroidNetworkLibraryTestUtil_jni.h"
+#include "net/net_test_jni_headers/AndroidNetworkLibraryTestUtil_jni.h"
 #endif
 
 using net::test::IsError;
@@ -1381,16 +1380,11 @@ TEST_F(URLRequestHttpJobTest, HSTSInternalRedirectTest) {
     d.RunUntilComplete();
 
     if (test.upgrade_expected) {
-      net::TestNetLogEntry::List entries;
-      net_log_.GetEntries(&entries);
-      int redirects = 0;
+      auto entries = net_log_.GetEntriesWithType(
+          net::NetLogEventType::URL_REQUEST_REDIRECT_JOB);
+      int redirects = entries.size();
       for (const auto& entry : entries) {
-        if (entry.type == net::NetLogEventType::URL_REQUEST_REDIRECT_JOB) {
-          redirects++;
-          std::string value;
-          EXPECT_TRUE(entry.GetStringValue("reason", &value));
-          EXPECT_EQ("HSTS", value);
-        }
+        EXPECT_EQ("HSTS", GetStringValueFromParams(entry, "reason"));
       }
       EXPECT_EQ(1, redirects);
       EXPECT_EQ(1, d.received_redirect_count());
diff --git a/chromium/net/url_request/url_request_job.cc b/chromium/net/url_request/url_request_job.cc
index 3a7efeaf5b0..e5d16bd32b8 100644
--- a/chromium/net/url_request/url_request_job.cc
+++ b/chromium/net/url_request/url_request_job.cc
@@ -35,8 +35,7 @@ namespace net {
 namespace {
 
 // Callback for TYPE_URL_REQUEST_FILTERS_SET net-internals event.
-base::Value SourceStreamSetCallback(SourceStream* source_stream,
-                                    NetLogCaptureMode /* capture_mode */) {
+base::Value SourceStreamSetParams(SourceStream* source_stream) {
   base::Value event_params(base::Value::Type::DICTIONARY);
   event_params.SetStringKey("filters", source_stream->Description());
   return event_params;
@@ -87,9 +86,7 @@ URLRequestJob::URLRequestJob(URLRequest* request,
       expected_content_size_(-1),
       network_delegate_(network_delegate),
       last_notified_total_received_bytes_(0),
-      last_notified_total_sent_bytes_(0),
-      weak_factory_(this) {
-}
+      last_notified_total_sent_bytes_(0) {}
 
 URLRequestJob::~URLRequestJob() {
 }
@@ -433,6 +430,22 @@ void URLRequestJob::NotifyHeadersComplete() {
     }
   }
 
+  NotifyFinalHeadersReceived();
+  // |this| may be destroyed at this point.
+}
+
+void URLRequestJob::NotifyFinalHeadersReceived() {
+  DCHECK(!NeedsAuth() || !GetAuthChallengeInfo());
+
+  if (has_handled_response_)
+    return;
+
+  // While the request's status is normally updated in NotifyHeadersComplete(),
+  // URLRequestHttpJob::CancelAuth() posts a task to invoke this method
+  // directly, which bypasses that logic.
+  if (request_->status().is_io_pending())
+    request_->set_status(URLRequestStatus());
+
   has_handled_response_ = true;
   if (request_->status().is_success()) {
     DCHECK(!source_stream_);
@@ -457,13 +470,11 @@ void URLRequestJob::NotifyHeadersComplete() {
     } else {
       request_->net_log().AddEvent(
           NetLogEventType::URL_REQUEST_FILTERS_SET,
-          base::Bind(&SourceStreamSetCallback,
-                     base::Unretained(source_stream_.get())));
+          [&] { return SourceStreamSetParams(source_stream_.get()); });
     }
   }
 
   request_->NotifyResponseStarted(URLRequestStatus());
-
   // |this| may be destroyed at this point.
 }
 
@@ -710,10 +721,10 @@ void URLRequestJob::RecordBytesRead(int bytes_read) {
   if (request_->context()->network_quality_estimator()) {
     if (prefilter_bytes_read() == bytes_read) {
       request_->context()->network_quality_estimator()->NotifyHeadersReceived(
-          *request_);
+          *request_, prefilter_bytes_read());
     } else {
       request_->context()->network_quality_estimator()->NotifyBytesRead(
-          *request_);
+          *request_, prefilter_bytes_read());
     }
   }
 
diff --git a/chromium/net/url_request/url_request_job.h b/chromium/net/url_request/url_request_job.h
index 5e8e3079ffc..c24ee2ec609 100644
--- a/chromium/net/url_request/url_request_job.h
+++ b/chromium/net/url_request/url_request_job.h
@@ -276,6 +276,10 @@ class NET_EXPORT URLRequestJob {
   // Notifies the job that headers have been received.
   void NotifyHeadersComplete();
 
+  // Called when the final set headers have been received (no more redirects to
+  // follow, and no more auth challenges that will be responded to).
+  void NotifyFinalHeadersReceived();
+
   // Notifies the request that a start error has occurred.
   void NotifyStartError(const URLRequestStatus& status);
 
@@ -458,7 +462,7 @@ class NET_EXPORT URLRequestJob {
   // completed.
   CompletionOnceCallback read_raw_callback_;
 
-  base::WeakPtrFactory<URLRequestJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestJob> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestJob);
 };
diff --git a/chromium/net/url_request/url_request_job_factory_impl.cc b/chromium/net/url_request/url_request_job_factory_impl.cc
index c98a0b24b6d..ad38c62b175 100644
--- a/chromium/net/url_request/url_request_job_factory_impl.cc
+++ b/chromium/net/url_request/url_request_job_factory_impl.cc
@@ -36,7 +36,7 @@ bool URLRequestJobFactoryImpl::SetProtocolHandler(
     return true;
   }
 
-  if (base::ContainsKey(protocol_handler_map_, scheme))
+  if (base::Contains(protocol_handler_map_, scheme))
     return false;
   protocol_handler_map_[scheme] = std::move(protocol_handler);
   return true;
@@ -76,7 +76,7 @@ URLRequestJob* URLRequestJobFactoryImpl::MaybeInterceptResponse(
 bool URLRequestJobFactoryImpl::IsHandledProtocol(
     const std::string& scheme) const {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-  return base::ContainsKey(protocol_handler_map_, scheme) ||
+  return base::Contains(protocol_handler_map_, scheme) ||
          URLRequestJobManager::GetInstance()->SupportsScheme(scheme);
 }
 
diff --git a/chromium/net/url_request/url_request_job_factory_impl_unittest.cc b/chromium/net/url_request/url_request_job_factory_impl_unittest.cc
index 7f887ea5372..55664cf79f9 100644
--- a/chromium/net/url_request/url_request_job_factory_impl_unittest.cc
+++ b/chromium/net/url_request/url_request_job_factory_impl_unittest.cc
@@ -30,7 +30,7 @@ namespace {
 class MockURLRequestJob : public URLRequestJob {
  public:
   MockURLRequestJob(URLRequest* request, NetworkDelegate* network_delegate)
-      : URLRequestJob(request, network_delegate), weak_factory_(this) {}
+      : URLRequestJob(request, network_delegate) {}
 
   void Start() override {
     // Start reading asynchronously so that all error reporting and data
@@ -48,7 +48,7 @@ class MockURLRequestJob : public URLRequestJob {
     NotifyHeadersComplete();
   }
 
-  base::WeakPtrFactory<MockURLRequestJob> weak_factory_;
+  base::WeakPtrFactory<MockURLRequestJob> weak_factory_{this};
 };
 
 class DummyProtocolHandler : public URLRequestJobFactory::ProtocolHandler {
diff --git a/chromium/net/url_request/url_request_netlog_params.cc b/chromium/net/url_request/url_request_netlog_params.cc
index 8497c236f9d..a9c705a47e3 100644
--- a/chromium/net/url_request/url_request_netlog_params.cc
+++ b/chromium/net/url_request/url_request_netlog_params.cc
@@ -13,28 +13,25 @@
 
 namespace net {
 
-base::Value NetLogURLRequestConstructorCallback(
-    const GURL* url,
+base::Value NetLogURLRequestConstructorParams(
+    const GURL& url,
     RequestPriority priority,
-    NetworkTrafficAnnotationTag traffic_annotation,
-    NetLogCaptureMode /* capture_mode */) {
+    NetworkTrafficAnnotationTag traffic_annotation) {
   base::Value dict(base::Value::Type::DICTIONARY);
-  dict.SetStringKey("url", url->possibly_invalid_spec());
+  dict.SetStringKey("url", url.possibly_invalid_spec());
   dict.SetStringKey("priority", RequestPriorityToString(priority));
   dict.SetIntKey("traffic_annotation", traffic_annotation.unique_id_hash_code);
   return dict;
 }
 
-base::Value NetLogURLRequestStartCallback(
-    const GURL* url,
-    const std::string* method,
-    int load_flags,
-    PrivacyMode privacy_mode,
-    int64_t upload_id,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogURLRequestStartParams(const GURL& url,
+                                        const std::string& method,
+                                        int load_flags,
+                                        PrivacyMode privacy_mode,
+                                        int64_t upload_id) {
   base::Value dict(base::Value::Type::DICTIONARY);
-  dict.SetStringKey("url", url->possibly_invalid_spec());
-  dict.SetStringKey("method", *method);
+  dict.SetStringKey("url", url.possibly_invalid_spec());
+  dict.SetStringKey("method", method);
   dict.SetIntKey("load_flags", load_flags);
   dict.SetIntKey("privacy_mode", privacy_mode == PRIVACY_MODE_ENABLED);
   if (upload_id > -1)
diff --git a/chromium/net/url_request/url_request_netlog_params.h b/chromium/net/url_request/url_request_netlog_params.h
index 6fd10177998..248a891559f 100644
--- a/chromium/net/url_request/url_request_netlog_params.h
+++ b/chromium/net/url_request/url_request_netlog_params.h
@@ -13,6 +13,7 @@
 #include "net/base/net_export.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/request_priority.h"
+#include "net/log/net_log_capture_mode.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 
 class GURL;
@@ -23,23 +24,18 @@ class Value;
 
 namespace net {
 
-class NetLogCaptureMode;
-
 // Returns a Value containing NetLog parameters for constructing a URLRequest.
-NET_EXPORT base::Value NetLogURLRequestConstructorCallback(
-    const GURL* url,
+NET_EXPORT base::Value NetLogURLRequestConstructorParams(
+    const GURL& url,
     RequestPriority priority,
-    NetworkTrafficAnnotationTag traffic_annotation,
-    NetLogCaptureMode /* capture_mode */);
+    NetworkTrafficAnnotationTag traffic_annotation);
 
 // Returns a Value containing NetLog parameters for starting a URLRequest.
-NET_EXPORT base::Value NetLogURLRequestStartCallback(
-    const GURL* url,
-    const std::string* method,
-    int load_flags,
-    PrivacyMode privacy_mode,
-    int64_t upload_id,
-    NetLogCaptureMode /* capture_mode */);
+NET_EXPORT base::Value NetLogURLRequestStartParams(const GURL& url,
+                                                   const std::string& method,
+                                                   int load_flags,
+                                                   PrivacyMode privacy_mode,
+                                                   int64_t upload_id);
 
 }  // namespace net
 
diff --git a/chromium/net/url_request/url_request_quic_perftest.cc b/chromium/net/url_request/url_request_quic_perftest.cc
index 4941e92af34..732e363f7c0 100644
--- a/chromium/net/url_request/url_request_quic_perftest.cc
+++ b/chromium/net/url_request/url_request_quic_perftest.cc
@@ -70,7 +70,7 @@ std::unique_ptr<test_server::HttpResponse> HandleRequest(
       "Alt-Svc",
       base::StringPrintf("quic=\"%s:%d\"; v=\"%u\"", kAltSvcHost, kAltSvcPort,
                          HttpNetworkSession::Params()
-                             .quic_supported_versions[0]
+                             .quic_params.supported_versions[0]
                              .transport_version));
   http_response->set_code(HTTP_OK);
   http_response->set_content(kHelloOriginResponse);
@@ -115,7 +115,7 @@ class URLRequestQuicPerfTest : public ::testing::Test {
         new HttpNetworkSession::Params);
     params->enable_quic = true;
     params->enable_user_alternate_protocol_ports = true;
-    params->quic_allow_remote_alt_svc = true;
+    params->quic_params.allow_remote_alt_svc = true;
     context_->set_host_resolver(host_resolver_.get());
     context_->set_http_network_session_params(std::move(params));
     context_->set_cert_verifier(&cert_verifier_);
diff --git a/chromium/net/url_request/url_request_quic_unittest.cc b/chromium/net/url_request/url_request_quic_unittest.cc
index 067d83f8025..afb88f2fead 100644
--- a/chromium/net/url_request/url_request_quic_unittest.cc
+++ b/chromium/net/url_request/url_request_quic_unittest.cc
@@ -16,7 +16,7 @@
 #include "net/dns/mock_host_resolver.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
+#include "net/log/test_net_log_util.h"
 #include "net/quic/crypto/proof_source_chromium.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/gtest_util.h"
@@ -60,7 +60,8 @@ class URLRequestQuicTest : public TestWithScopedTaskEnvironment {
                                            OK);
     // To simplify the test, and avoid the race with the HTTP request, we force
     // QUIC for these requests.
-    params->origins_to_force_quic_on.insert(HostPortPair(kTestServerHost, 443));
+    params->quic_params.origins_to_force_quic_on.insert(
+        HostPortPair(kTestServerHost, 443));
     params->enable_quic = true;
     params->enable_server_push_cancellation = true;
     context_->set_host_resolver(host_resolver_.get());
@@ -93,17 +94,6 @@ class URLRequestQuicTest : public TestWithScopedTaskEnvironment {
                                    TRAFFIC_ANNOTATION_FOR_TESTS);
   }
 
-  void ExtractNetLog(NetLogEventType type,
-                     TestNetLogEntry::List* entry_list) const {
-    TestNetLogEntry::List entries;
-    net_log_.GetEntries(&entries);
-
-    for (const auto& entry : entries) {
-      if (entry.type == type)
-        entry_list->push_back(entry);
-    }
-  }
-
   unsigned int GetRstErrorCountReceivedByServer(
       quic::QuicRstStreamErrorCode error_code) const {
     return (static_cast<quic::QuicSimpleDispatcher*>(server_->dispatcher()))
@@ -111,23 +101,25 @@ class URLRequestQuicTest : public TestWithScopedTaskEnvironment {
   }
 
   static const NetLogSource FindPushUrlSource(
-      const TestNetLogEntry::List& entries,
+      const std::vector<NetLogEntry>& entries,
       const std::string& push_url) {
     std::string entry_push_url;
     for (const auto& entry : entries) {
       if (entry.phase == NetLogEventPhase::BEGIN &&
           entry.source.type ==
-              NetLogSourceType::SERVER_PUSH_LOOKUP_TRANSACTION &&
-          entry.GetStringValue("push_url", &entry_push_url) &&
-          entry_push_url == push_url) {
-        return entry.source;
+              NetLogSourceType::SERVER_PUSH_LOOKUP_TRANSACTION) {
+        auto entry_push_url =
+            GetOptionalStringValueFromParams(entry, "push_url");
+        if (entry_push_url && *entry_push_url == push_url) {
+          return entry.source;
+        }
       }
     }
     return NetLogSource();
   }
 
-  static const TestNetLogEntry* FindEndBySource(
-      const TestNetLogEntry::List& entries,
+  static const NetLogEntry* FindEndBySource(
+      const std::vector<NetLogEntry>& entries,
       const NetLogSource& source) {
     for (const auto& entry : entries) {
       if (entry.phase == NetLogEventPhase::END &&
@@ -137,6 +129,9 @@ class URLRequestQuicTest : public TestWithScopedTaskEnvironment {
     return nullptr;
   }
 
+ protected:
+  TestNetLog net_log_;
+
  private:
   void StartQuicServer() {
     // Set up in-memory cache.
@@ -183,7 +178,6 @@ class URLRequestQuicTest : public TestWithScopedTaskEnvironment {
   std::unique_ptr<MappedHostResolver> host_resolver_;
   std::unique_ptr<QuicSimpleServer> server_;
   std::unique_ptr<TestURLRequestContext> context_;
-  TestNetLog net_log_;
   quic::QuicMemoryCacheBackend memory_cache_backend_;
   MockCertVerifier cert_verifier_;
 };
@@ -312,13 +306,12 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_SomeCached) {
   EXPECT_TRUE(request->status().is_success());
 
   // Extract net logs on client side to verify push lookup transactions.
-  net::TestNetLogEntry::List entries;
-  ExtractNetLog(NetLogEventType::SERVER_PUSH_LOOKUP_TRANSACTION, &entries);
+  auto entries = net_log_.GetEntriesWithType(
+      NetLogEventType::SERVER_PUSH_LOOKUP_TRANSACTION);
 
   ASSERT_EQ(4u, entries.size());
 
   std::string value;
-  int net_error;
   std::string push_url_1 =
       base::StringPrintf("https://%s%s", kTestServerHost, "/kitten-1.jpg");
   std::string push_url_2 =
@@ -328,9 +321,9 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_SomeCached) {
   EXPECT_TRUE(source_1.IsValid());
 
   // No net error code for this lookup transaction, the push is found.
-  const TestNetLogEntry* end_entry_1 = FindEndBySource(entries, source_1);
-  EXPECT_FALSE(end_entry_1->params);
-  EXPECT_FALSE(end_entry_1->GetIntegerValue("net_error", &net_error));
+  const NetLogEntry* end_entry_1 = FindEndBySource(entries, source_1);
+  EXPECT_FALSE(end_entry_1->HasParams());
+  EXPECT_FALSE(GetOptionalNetErrorCodeFromParams(*end_entry_1));
 
   const NetLogSource source_2 = FindPushUrlSource(entries, push_url_2);
   EXPECT_TRUE(source_2.IsValid());
@@ -338,10 +331,9 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_SomeCached) {
 
   // Net error code -400 is found for this lookup transaction, the push is not
   // found in the cache.
-  const TestNetLogEntry* end_entry_2 = FindEndBySource(entries, source_2);
-  EXPECT_TRUE(end_entry_2->params);
-  EXPECT_TRUE(end_entry_2->GetIntegerValue("net_error", &net_error));
-  EXPECT_EQ(net_error, -400);
+  const NetLogEntry* end_entry_2 = FindEndBySource(entries, source_2);
+  EXPECT_TRUE(end_entry_2->HasParams());
+  EXPECT_EQ(-400, GetNetErrorCodeFromParams(*end_entry_2));
 
   // Verify the reset error count received on the server side.
   EXPECT_LE(1u, GetRstErrorCountReceivedByServer(quic::QUIC_STREAM_CANCELLED));
@@ -405,13 +397,12 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_AllCached) {
   EXPECT_TRUE(request->status().is_success());
 
   // Extract net logs on client side to verify push lookup transactions.
-  net::TestNetLogEntry::List entries;
-  ExtractNetLog(NetLogEventType::SERVER_PUSH_LOOKUP_TRANSACTION, &entries);
+  auto entries = net_log_.GetEntriesWithType(
+      NetLogEventType::SERVER_PUSH_LOOKUP_TRANSACTION);
 
   EXPECT_EQ(4u, entries.size());
 
   std::string value;
-  int net_error;
   std::string push_url_1 =
       base::StringPrintf("https://%s%s", kTestServerHost, "/kitten-1.jpg");
   std::string push_url_2 =
@@ -421,18 +412,18 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_AllCached) {
   EXPECT_TRUE(source_1.IsValid());
 
   // No net error code for this lookup transaction, the push is found.
-  const TestNetLogEntry* end_entry_1 = FindEndBySource(entries, source_1);
-  EXPECT_FALSE(end_entry_1->params);
-  EXPECT_FALSE(end_entry_1->GetIntegerValue("net_error", &net_error));
+  const NetLogEntry* end_entry_1 = FindEndBySource(entries, source_1);
+  EXPECT_FALSE(end_entry_1->HasParams());
+  EXPECT_FALSE(GetOptionalNetErrorCodeFromParams(*end_entry_1));
 
   const NetLogSource source_2 = FindPushUrlSource(entries, push_url_2);
   EXPECT_TRUE(source_1.IsValid());
   EXPECT_NE(source_1.id, source_2.id);
 
   // No net error code for this lookup transaction, the push is found.
-  const TestNetLogEntry* end_entry_2 = FindEndBySource(entries, source_2);
-  EXPECT_FALSE(end_entry_2->params);
-  EXPECT_FALSE(end_entry_2->GetIntegerValue("net_error", &net_error));
+  const NetLogEntry* end_entry_2 = FindEndBySource(entries, source_2);
+  EXPECT_FALSE(end_entry_2->HasParams());
+  EXPECT_FALSE(GetOptionalNetErrorCodeFromParams(*end_entry_2));
 
   // Verify the reset error count received on the server side.
   EXPECT_LE(2u, GetRstErrorCountReceivedByServer(quic::QUIC_STREAM_CANCELLED));
@@ -459,13 +450,12 @@ TEST_F(URLRequestQuicTest, DoNotCancelPushIfNotFoundInCache) {
   EXPECT_TRUE(request->status().is_success());
 
   // Extract net logs on client side to verify push lookup transactions.
-  net::TestNetLogEntry::List entries;
-  ExtractNetLog(NetLogEventType::SERVER_PUSH_LOOKUP_TRANSACTION, &entries);
+  auto entries = net_log_.GetEntriesWithType(
+      NetLogEventType::SERVER_PUSH_LOOKUP_TRANSACTION);
 
   EXPECT_EQ(4u, entries.size());
 
   std::string value;
-  int net_error;
   std::string push_url_1 =
       base::StringPrintf("https://%s%s", kTestServerHost, "/kitten-1.jpg");
   std::string push_url_2 =
@@ -473,18 +463,16 @@ TEST_F(URLRequestQuicTest, DoNotCancelPushIfNotFoundInCache) {
 
   const NetLogSource source_1 = FindPushUrlSource(entries, push_url_1);
   EXPECT_TRUE(source_1.IsValid());
-  const TestNetLogEntry* end_entry_1 = FindEndBySource(entries, source_1);
-  EXPECT_TRUE(end_entry_1->params);
-  EXPECT_TRUE(end_entry_1->GetIntegerValue("net_error", &net_error));
-  EXPECT_EQ(net_error, -400);
+  const NetLogEntry* end_entry_1 = FindEndBySource(entries, source_1);
+  EXPECT_TRUE(end_entry_1->HasParams());
+  EXPECT_EQ(-400, GetNetErrorCodeFromParams(*end_entry_1));
 
   const NetLogSource source_2 = FindPushUrlSource(entries, push_url_2);
   EXPECT_TRUE(source_2.IsValid());
   EXPECT_NE(source_1.id, source_2.id);
-  const TestNetLogEntry* end_entry_2 = FindEndBySource(entries, source_2);
-  EXPECT_TRUE(end_entry_2->params);
-  EXPECT_TRUE(end_entry_2->GetIntegerValue("net_error", &net_error));
-  EXPECT_EQ(net_error, -400);
+  const NetLogEntry* end_entry_2 = FindEndBySource(entries, source_2);
+  EXPECT_TRUE(end_entry_2->HasParams());
+  EXPECT_EQ(-400, GetNetErrorCodeFromParams(*end_entry_2));
 
   // Verify the reset error count received on the server side.
   EXPECT_EQ(0u, GetRstErrorCountReceivedByServer(quic::QUIC_STREAM_CANCELLED));
diff --git a/chromium/net/url_request/url_request_redirect_job.cc b/chromium/net/url_request/url_request_redirect_job.cc
index 028d0b6f1a9..e59860b55da 100644
--- a/chromium/net/url_request/url_request_redirect_job.cc
+++ b/chromium/net/url_request/url_request_redirect_job.cc
@@ -16,6 +16,7 @@
 #include "base/values.h"
 #include "net/base/load_timing_info.h"
 #include "net/base/net_errors.h"
+#include "net/http/http_log_util.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/log/net_log.h"
@@ -33,8 +34,7 @@ URLRequestRedirectJob::URLRequestRedirectJob(URLRequest* request,
     : URLRequestJob(request, network_delegate),
       redirect_destination_(redirect_destination),
       response_code_(response_code),
-      redirect_reason_(redirect_reason),
-      weak_factory_(this) {
+      redirect_reason_(redirect_reason) {
   DCHECK(!redirect_reason_.empty());
 }
 
@@ -62,9 +62,8 @@ void URLRequestRedirectJob::GetLoadTimingInfo(
 }
 
 void URLRequestRedirectJob::Start() {
-  request()->net_log().AddEvent(
-      NetLogEventType::URL_REQUEST_REDIRECT_JOB,
-      NetLog::StringCallback("reason", &redirect_reason_));
+  request()->net_log().AddEventWithStringParams(
+      NetLogEventType::URL_REQUEST_REDIRECT_JOB, "reason", redirect_reason_);
   base::ThreadTaskRunnerHandle::Get()->PostTask(
       FROM_HERE, base::BindOnce(&URLRequestRedirectJob::StartAsync,
                                 weak_factory_.GetWeakPtr()));
@@ -115,10 +114,10 @@ void URLRequestRedirectJob::StartAsync() {
       HttpUtil::AssembleRawHeaders(header_string));
   DCHECK(fake_headers_->IsRedirect(nullptr));
 
-  request()->net_log().AddEvent(
+  NetLogResponseHeaders(
+      request()->net_log(),
       NetLogEventType::URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED,
-      base::Bind(&HttpResponseHeaders::NetLogCallback,
-                 base::Unretained(fake_headers_.get())));
+      fake_headers_.get());
 
   // TODO(mmenke):  Consider calling the NetworkDelegate with the headers here.
   // There's some weirdness about how to handle the case in which the delegate
diff --git a/chromium/net/url_request/url_request_redirect_job.h b/chromium/net/url_request/url_request_redirect_job.h
index 097ffa88824..8d7b861bbf8 100644
--- a/chromium/net/url_request/url_request_redirect_job.h
+++ b/chromium/net/url_request/url_request_redirect_job.h
@@ -61,7 +61,7 @@ class NET_EXPORT URLRequestRedirectJob : public URLRequestJob {
 
   scoped_refptr<HttpResponseHeaders> fake_headers_;
 
-  base::WeakPtrFactory<URLRequestRedirectJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestRedirectJob> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_simple_job.cc b/chromium/net/url_request/url_request_simple_job.cc
index 6b5b5851373..c514128a861 100644
--- a/chromium/net/url_request/url_request_simple_job.cc
+++ b/chromium/net/url_request/url_request_simple_job.cc
@@ -35,10 +35,7 @@ void CopyData(const scoped_refptr<IOBuffer>& buf,
 
 URLRequestSimpleJob::URLRequestSimpleJob(URLRequest* request,
                                          NetworkDelegate* network_delegate)
-    : URLRangeRequestJob(request, network_delegate),
-      next_data_offset_(0),
-      weak_factory_(this) {
-}
+    : URLRangeRequestJob(request, network_delegate), next_data_offset_(0) {}
 
 void URLRequestSimpleJob::Start() {
   // Start reading asynchronously so that all error reporting and data
diff --git a/chromium/net/url_request/url_request_simple_job.h b/chromium/net/url_request/url_request_simple_job.h
index a27e8198908..18ead7d10f4 100644
--- a/chromium/net/url_request/url_request_simple_job.h
+++ b/chromium/net/url_request/url_request_simple_job.h
@@ -70,7 +70,7 @@ class NET_EXPORT URLRequestSimpleJob : public URLRangeRequestJob {
   std::string charset_;
   scoped_refptr<base::RefCountedMemory> data_;
   int64_t next_data_offset_;
-  base::WeakPtrFactory<URLRequestSimpleJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestSimpleJob> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_test_job.cc b/chromium/net/url_request/url_request_test_job.cc
index da2b8d61ef7..45861e5386d 100644
--- a/chromium/net/url_request/url_request_test_job.cc
+++ b/chromium/net/url_request/url_request_test_job.cc
@@ -157,8 +157,7 @@ URLRequestTestJob::URLRequestTestJob(URLRequest* request,
       async_buf_(nullptr),
       async_buf_size_(0),
       response_headers_length_(0),
-      async_reads_(false),
-      weak_factory_(this) {}
+      async_reads_(false) {}
 
 URLRequestTestJob::URLRequestTestJob(URLRequest* request,
                                      NetworkDelegate* network_delegate,
@@ -176,8 +175,7 @@ URLRequestTestJob::URLRequestTestJob(URLRequest* request,
       response_headers_(base::MakeRefCounted<net::HttpResponseHeaders>(
           net::HttpUtil::AssembleRawHeaders(response_headers))),
       response_headers_length_(response_headers.size()),
-      async_reads_(false),
-      weak_factory_(this) {}
+      async_reads_(false) {}
 
 URLRequestTestJob::~URLRequestTestJob() {
   base::Erase(g_pending_jobs.Get(), this);
diff --git a/chromium/net/url_request/url_request_test_job.h b/chromium/net/url_request/url_request_test_job.h
index 88df017b3d1..59e91cc61c6 100644
--- a/chromium/net/url_request/url_request_test_job.h
+++ b/chromium/net/url_request/url_request_test_job.h
@@ -200,7 +200,7 @@ class NET_EXPORT_PRIVATE URLRequestTestJob : public URLRequestJob {
 
   bool async_reads_;
 
-  base::WeakPtrFactory<URLRequestTestJob> weak_factory_;
+  base::WeakPtrFactory<URLRequestTestJob> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_throttler_entry.cc b/chromium/net/url_request/url_request_throttler_entry.cc
index 4d482fb4611..9f8ddc7beaf 100644
--- a/chromium/net/url_request/url_request_throttler_entry.cc
+++ b/chromium/net/url_request/url_request_throttler_entry.cc
@@ -51,11 +51,9 @@ const int URLRequestThrottlerEntry::kDefaultMaximumBackoffMs = 15 * 60 * 1000;
 const int URLRequestThrottlerEntry::kDefaultEntryLifetimeMs = 2 * 60 * 1000;
 
 // Returns NetLog parameters when a request is rejected by throttling.
-base::Value NetLogRejectedRequestCallback(
-    const std::string* url_id,
-    int num_failures,
-    const base::TimeDelta& release_after,
-    NetLogCaptureMode /* capture_mode */) {
+base::Value NetLogRejectedRequestParams(const std::string* url_id,
+                                        int num_failures,
+                                        const base::TimeDelta& release_after) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetStringKey("url", *url_id);
   dict.SetIntKey("num_failures", num_failures);
@@ -155,10 +153,11 @@ bool URLRequestThrottlerEntry::ShouldRejectRequest(
     const URLRequest& request) const {
   bool reject_request = false;
   if (!is_backoff_disabled_ && GetBackoffEntry()->ShouldRejectRequest()) {
-    net_log_.AddEvent(NetLogEventType::THROTTLING_REJECTED_REQUEST,
-                      base::Bind(&NetLogRejectedRequestCallback, &url_id_,
-                                 GetBackoffEntry()->failure_count(),
-                                 GetBackoffEntry()->GetTimeUntilRelease()));
+    net_log_.AddEvent(NetLogEventType::THROTTLING_REJECTED_REQUEST, [&] {
+      return NetLogRejectedRequestParams(
+          &url_id_, GetBackoffEntry()->failure_count(),
+          GetBackoffEntry()->GetTimeUntilRelease());
+    });
     reject_request = true;
   }
 
diff --git a/chromium/net/url_request/url_request_throttler_manager.cc b/chromium/net/url_request/url_request_throttler_manager.cc
index aa35994b0dc..9b91c881e7a 100644
--- a/chromium/net/url_request/url_request_throttler_manager.cc
+++ b/chromium/net/url_request/url_request_throttler_manager.cc
@@ -78,10 +78,9 @@ scoped_refptr<URLRequestThrottlerEntryInterface>
     // the entry for localhost URLs.
     if (IsLocalhost(url)) {
       if (!logged_for_localhost_disabled_ && IsLocalhost(url)) {
-        std::string host = url.host();
         logged_for_localhost_disabled_ = true;
-        net_log_.AddEvent(NetLogEventType::THROTTLING_DISABLED_FOR_HOST,
-                          NetLog::StringCallback("host", &host));
+        net_log_.AddEventWithStringParams(
+            NetLogEventType::THROTTLING_DISABLED_FOR_HOST, "host", url.host());
       }
 
       // TODO(joi): Once sliding window is separate from back-off throttling,
diff --git a/chromium/net/url_request/url_request_unittest.cc b/chromium/net/url_request/url_request_unittest.cc
index 1b646f59a28..9ebd699e3e9 100644
--- a/chromium/net/url_request/url_request_unittest.cc
+++ b/chromium/net/url_request/url_request_unittest.cc
@@ -43,6 +43,7 @@
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/test/bind_test_util.h"
 #include "base/test/metrics/histogram_tester.h"
 #include "base/test/scoped_feature_list.h"
 #include "base/threading/thread_task_runner_handle.h"
@@ -93,7 +94,6 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source.h"
 #include "net/log/test_net_log.h"
-#include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/net_buildflags.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
@@ -132,10 +132,6 @@
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"
 
-#if defined(OS_FUCHSIA)
-#define USE_BUILTIN_CERT_VERIFIER
-#endif
-
 #if !BUILDFLAG(DISABLE_FILE_SUPPORT)
 #include "net/base/filename_util.h"
 #include "net/url_request/file_protocol_handler.h"
@@ -143,6 +139,7 @@
 #endif
 
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT) && !defined(OS_ANDROID)
+#include "net/ftp/ftp_auth_cache.h"
 #include "net/ftp/ftp_network_layer.h"
 #include "net/url_request/ftp_protocol_handler.h"
 #endif
@@ -289,6 +286,19 @@ void FillBuffer(char* buffer, size_t len) {
 }
 #endif
 
+CookieList GetAllCookies(URLRequestContext* request_context) {
+  CookieList cookie_list;
+  base::RunLoop run_loop;
+  request_context->cookie_store()->GetAllCookiesAsync(
+      base::BindLambdaForTesting([&](const CookieList& cookies,
+                                     const CookieStatusList& excluded_list) {
+        cookie_list = cookies;
+        run_loop.Quit();
+      }));
+  run_loop.Run();
+  return cookie_list;
+}
+
 void TestLoadTimingCacheHitNoNetwork(
     const LoadTimingInfo& load_timing_info) {
   EXPECT_FALSE(load_timing_info.socket_reused);
@@ -526,7 +536,7 @@ class BlockingNetworkDelegate : public TestNetworkDelegate {
   // Closure to run to exit RunUntilBlocked().
   base::OnceClosure on_blocked_;
 
-  base::WeakPtrFactory<BlockingNetworkDelegate> weak_factory_;
+  base::WeakPtrFactory<BlockingNetworkDelegate> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(BlockingNetworkDelegate);
 };
@@ -537,8 +547,7 @@ BlockingNetworkDelegate::BlockingNetworkDelegate(BlockMode block_mode)
       auth_retval_(AUTH_REQUIRED_RESPONSE_NO_ACTION),
       block_on_(0),
       target_auth_credentials_(nullptr),
-      stage_blocked_for_callback_(NOT_BLOCKED),
-      weak_factory_(this) {}
+      stage_blocked_for_callback_(NOT_BLOCKED) {}
 
 void BlockingNetworkDelegate::RunUntilBlocked() {
   base::RunLoop run_loop;
@@ -725,13 +734,15 @@ class TestURLRequestContextWithProxy : public TestURLRequestContext {
  public:
   // Does not own |delegate|.
   TestURLRequestContextWithProxy(const std::string& proxy,
-                                 NetworkDelegate* delegate)
+                                 NetworkDelegate* delegate,
+                                 bool delay_initialization = false)
       : TestURLRequestContext(true) {
     context_storage_.set_proxy_resolution_service(
         ProxyResolutionService::CreateFixed(proxy,
                                             TRAFFIC_ANNOTATION_FOR_TESTS));
     set_network_delegate(delegate);
-    Init();
+    if (!delay_initialization)
+      Init();
   }
   ~TestURLRequestContextWithProxy() override = default;
 };
@@ -2384,19 +2395,15 @@ TEST_F(URLRequestTest, Identifiers) {
   ASSERT_NE(req->identifier(), other_req->identifier());
 }
 
-#if defined(OS_IOS)
-// TODO(droger): Check that a failure to connect to the proxy is reported to
-// the network delegate. crbug.com/496743
-#define MAYBE_NetworkDelegateProxyError DISABLED_NetworkDelegateProxyError
-#else
-#define MAYBE_NetworkDelegateProxyError NetworkDelegateProxyError
-#endif
-TEST_F(URLRequestTest, MAYBE_NetworkDelegateProxyError) {
+TEST_F(URLRequestTest, NetworkDelegateProxyError) {
   MockHostResolver host_resolver;
   host_resolver.rules()->AddSimulatedFailure("*");
 
   TestNetworkDelegate network_delegate;  // Must outlive URLRequests.
-  TestURLRequestContextWithProxy context("myproxy:70", &network_delegate);
+  TestURLRequestContextWithProxy context("myproxy:70", &network_delegate,
+                                         true /* delay_initialization */);
+  context.set_host_resolver(&host_resolver);
+  context.Init();
 
   TestDelegate d;
   std::unique_ptr<URLRequest> req(
@@ -2907,8 +2914,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy) {
 
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
-    TestNetLogEntry::List entries;
-    net_log_.GetEntries(&entries);
+    auto entries = net_log_.GetEntries();
     for (const auto& entry : entries) {
       EXPECT_NE(entry.type,
                 NetLogEventType::COOKIE_GET_BLOCKED_BY_NETWORK_DELEGATE);
@@ -2932,8 +2938,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy) {
 
     EXPECT_EQ(1, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
-    TestNetLogEntry::List entries;
-    net_log_.GetEntries(&entries);
+    auto entries = net_log_.GetEntries();
     ExpectLogContainsSomewhereAfter(
         entries, 0, NetLogEventType::COOKIE_GET_BLOCKED_BY_NETWORK_DELEGATE,
         NetLogEventPhase::NONE);
@@ -2963,8 +2968,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies_ViaPolicy) {
 
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
-    TestNetLogEntry::List entries;
-    net_log_.GetEntries(&entries);
+    auto entries = net_log_.GetEntries();
     for (const auto& entry : entries) {
       EXPECT_NE(entry.type,
                 NetLogEventType::COOKIE_SET_BLOCKED_BY_NETWORK_DELEGATE);
@@ -2986,8 +2990,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies_ViaPolicy) {
 
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(2, network_delegate.blocked_set_cookie_count());
-    TestNetLogEntry::List entries;
-    net_log_.GetEntries(&entries);
+    auto entries = net_log_.GetEntries();
     ExpectLogContainsSomewhereAfter(
         entries, 0, NetLogEventType::COOKIE_SET_BLOCKED_BY_NETWORK_DELEGATE,
         NetLogEventPhase::NONE);
@@ -5694,7 +5697,7 @@ class AsyncDelegateLogger : public base::RefCounted<AsyncDelegateLogger> {
   // DELEGATE_INFO NetLog events that an AsyncDelegateLogger should have
   // recorded.  Returns the index of entry after the expected number of
   // events this logged, or entries.size() if there aren't enough entries.
-  static size_t CheckDelegateInfo(const TestNetLogEntry::List& entries,
+  static size_t CheckDelegateInfo(const std::vector<NetLogEntry>& entries,
                                   size_t log_position) {
     // There should be 4 DELEGATE_INFO events: Two begins and two ends.
     if (log_position + 3 >= entries.size()) {
@@ -5704,9 +5707,9 @@ class AsyncDelegateLogger : public base::RefCounted<AsyncDelegateLogger> {
     std::string delegate_info;
     EXPECT_EQ(NetLogEventType::DELEGATE_INFO, entries[log_position].type);
     EXPECT_EQ(NetLogEventPhase::BEGIN, entries[log_position].phase);
-    EXPECT_TRUE(entries[log_position].GetStringValue("delegate_blocked_by",
-                                                     &delegate_info));
-    EXPECT_EQ(kFirstDelegateInfo, delegate_info);
+    EXPECT_EQ(
+        kFirstDelegateInfo,
+        GetStringValueFromParams(entries[log_position], "delegate_blocked_by"));
 
     ++log_position;
     EXPECT_EQ(NetLogEventType::DELEGATE_INFO, entries[log_position].type);
@@ -5715,9 +5718,9 @@ class AsyncDelegateLogger : public base::RefCounted<AsyncDelegateLogger> {
     ++log_position;
     EXPECT_EQ(NetLogEventType::DELEGATE_INFO, entries[log_position].type);
     EXPECT_EQ(NetLogEventPhase::BEGIN, entries[log_position].phase);
-    EXPECT_TRUE(entries[log_position].GetStringValue("delegate_blocked_by",
-                                                     &delegate_info));
-    EXPECT_EQ(kSecondDelegateInfo, delegate_info);
+    EXPECT_EQ(
+        kSecondDelegateInfo,
+        GetStringValueFromParams(entries[log_position], "delegate_blocked_by"));
 
     ++log_position;
     EXPECT_EQ(NetLogEventType::DELEGATE_INFO, entries[log_position].type);
@@ -5977,8 +5980,7 @@ TEST_F(URLRequestTestHTTP, DelegateInfoBeforeStart) {
     EXPECT_EQ(OK, request_delegate.request_status());
   }
 
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   size_t log_position = ExpectLogContainsSomewhereAfter(
       entries, 0, NetLogEventType::DELEGATE_INFO, NetLogEventPhase::BEGIN);
 
@@ -6019,8 +6021,7 @@ TEST_F(URLRequestTestHTTP, NetworkDelegateInfo) {
   EXPECT_EQ(1, network_delegate.destroyed_requests());
 
   size_t log_position = 0;
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   static const NetLogEventType kExpectedEvents[] = {
       NetLogEventType::NETWORK_DELEGATE_BEFORE_URL_REQUEST,
       NetLogEventType::NETWORK_DELEGATE_BEFORE_START_TRANSACTION,
@@ -6074,8 +6075,7 @@ TEST_F(URLRequestTestHTTP, NetworkDelegateInfoRedirect) {
   EXPECT_EQ(1, network_delegate.destroyed_requests());
 
   size_t log_position = 0;
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   static const NetLogEventType kExpectedEvents[] = {
       NetLogEventType::NETWORK_DELEGATE_BEFORE_URL_REQUEST,
       NetLogEventType::NETWORK_DELEGATE_BEFORE_START_TRANSACTION,
@@ -6149,8 +6149,7 @@ TEST_F(URLRequestTestHTTP, NetworkDelegateInfoAuth) {
   EXPECT_EQ(1, network_delegate.destroyed_requests());
 
   size_t log_position = 0;
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
   static const NetLogEventType kExpectedEvents[] = {
       NetLogEventType::NETWORK_DELEGATE_BEFORE_URL_REQUEST,
       NetLogEventType::NETWORK_DELEGATE_BEFORE_START_TRANSACTION,
@@ -6209,8 +6208,7 @@ TEST_F(URLRequestTestHTTP, URLRequestDelegateInfo) {
     EXPECT_EQ(OK, request_delegate.request_status());
   }
 
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
 
   size_t log_position = 0;
 
@@ -6263,8 +6261,7 @@ TEST_F(URLRequestTestHTTP, URLRequestDelegateInfoOnRedirect) {
     EXPECT_EQ(OK, request_delegate.request_status());
   }
 
-  TestNetLogEntry::List entries;
-  net_log_.GetEntries(&entries);
+  auto entries = net_log_.GetEntries();
 
   // Delegate info should only have been logged in OnReceivedRedirect and
   // OnResponseStarted.
@@ -6323,8 +6320,7 @@ TEST_F(URLRequestTestHTTP, URLRequestDelegateOnRedirectCancelled) {
       base::RunLoop().RunUntilIdle();
     }
 
-    TestNetLogEntry::List entries;
-    net_log.GetEntries(&entries);
+    auto entries = net_log.GetEntries();
 
     // Delegate info is always logged in both OnReceivedRedirect and
     // OnResponseStarted.  In the CANCEL_ON_RECEIVED_REDIRECT, the
@@ -8059,6 +8055,8 @@ TEST_F(URLRequestTestHTTP, CapRefererDisabled) {
 
   // If the feature isn't enabled, a long `referer` will remain long.
   TestDelegate d;
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(features::kCapRefererHeaderLength);
   std::unique_ptr<URLRequest> req(default_context().CreateRequest(
       http_test_server()->GetURL("/echoheader?Referer"), DEFAULT_PRIORITY, &d,
       TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -8536,7 +8534,52 @@ TEST_F(URLRequestTestHTTP, BasicAuthWithCookies) {
   }
 }
 
-TEST_F(URLRequestTest, CatchFilteredCookies) {
+TEST_F(URLRequestTestHTTP, BasicAuthWithCookiesCancelAuth) {
+  ASSERT_TRUE(http_test_server()->Start());
+
+  GURL url_requiring_auth =
+      http_test_server()->GetURL("/auth-basic?set-cookie-if-challenged");
+
+  // Request a page that will give a 401 containing a Set-Cookie header.
+  // Verify that cookies are set before credentials are provided, and then
+  // cancelling auth does not result in setting the cookies again.
+  TestNetworkDelegate network_delegate;  // Must outlive URLRequest.
+  TestURLRequestContext context(true);
+  context.set_network_delegate(&network_delegate);
+  context.Init();
+
+  TestDelegate d;
+
+  EXPECT_TRUE(GetAllCookies(&context).empty());
+
+  std::unique_ptr<URLRequest> r(context.CreateRequest(
+      url_requiring_auth, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+  r->set_site_for_cookies(url_requiring_auth);
+  r->Start();
+  d.RunUntilAuthRequired();
+
+  // Cookie should have been set.
+  EXPECT_EQ(1, network_delegate.set_cookie_count());
+  CookieList cookies = GetAllCookies(&context);
+  ASSERT_EQ(1u, cookies.size());
+  EXPECT_EQ("got_challenged", cookies[0].Name());
+  EXPECT_EQ("true", cookies[0].Value());
+
+  // Delete cookie.
+  context.cookie_store()->DeleteAllAsync(CookieStore::DeleteCallback());
+
+  // Cancel auth and continue the request.
+  r->CancelAuth();
+  d.RunUntilComplete();
+  ASSERT_TRUE(r->response_headers());
+  EXPECT_EQ(401, r->response_headers()->response_code());
+
+  // Cookie should not have been set again.
+  EXPECT_TRUE(GetAllCookies(&context).empty());
+  EXPECT_EQ(1, network_delegate.set_cookie_count());
+}
+
+TEST_F(URLRequestTest, ReportCookieActivity) {
   HttpTestServer test_server;
   ASSERT_TRUE(test_server.Start());
 
@@ -8547,36 +8590,61 @@ TEST_F(URLRequestTest, CatchFilteredCookies) {
   TestURLRequestContext context(true);
   context.set_network_delegate(&network_delegate);
   context.Init();
-  // Make sure cookies blocked from being stored are caught.
+  // Make sure cookies blocked from being stored are caught, and those that are
+  // accepted are reported as well.
   {
     TestDelegate d;
-    GURL test_url = test_server.GetURL("/set-cookie?not_stored_cookie=true");
+    GURL test_url = test_server.GetURL(
+        "/set-cookie?not_stored_cookie=true&"
+        "stored_cookie=tasty"
+        "&path_cookie=narrow;path=/set-cookie");
     std::unique_ptr<URLRequest> req(context.CreateRequest(
         test_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->set_site_for_cookies(test_url);
     req->Start();
     d.RunUntilComplete();
 
-    ASSERT_EQ(1u, req->not_stored_cookies().size());
+    ASSERT_EQ(3u, req->maybe_stored_cookies().size());
     EXPECT_EQ("not_stored_cookie",
-              req->not_stored_cookies().front().cookie->Name());
+              req->maybe_stored_cookies()[0].cookie->Name());
     EXPECT_EQ(
         net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
-        req->not_stored_cookies().front().status);
+        req->maybe_stored_cookies()[0].status);
+    EXPECT_EQ("stored_cookie", req->maybe_stored_cookies()[1].cookie->Name());
+    EXPECT_EQ(net::CanonicalCookie::CookieInclusionStatus::INCLUDE,
+              req->maybe_stored_cookies()[1].status);
+    EXPECT_EQ("stored_cookie", req->maybe_stored_cookies()[1].cookie->Name());
+    EXPECT_EQ(net::CanonicalCookie::CookieInclusionStatus::INCLUDE,
+              req->maybe_stored_cookies()[2].status);
+    EXPECT_EQ("path_cookie", req->maybe_stored_cookies()[2].cookie->Name());
   }
-  // Set a cookie to be blocked later
   {
     TestDelegate d;
-    GURL test_url = test_server.GetURL("/set-cookie?not_sent_cookies=true");
+    // Make sure cookies blocked from being sent are caught.
+    GURL test_url = test_server.GetURL("/echoheader?Cookie");
     std::unique_ptr<URLRequest> req(context.CreateRequest(
         test_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->set_site_for_cookies(test_url);
     req->Start();
     d.RunUntilComplete();
+
+    EXPECT_TRUE(d.data_received().find("stored_cookie=tasty") ==
+                std::string::npos);
+
+    ASSERT_EQ(2u, req->maybe_sent_cookies().size());
+    EXPECT_EQ("path_cookie", req->maybe_sent_cookies()[0].cookie.Name());
+    EXPECT_EQ(net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_NOT_ON_PATH,
+              req->maybe_sent_cookies()[0].status);
+    EXPECT_EQ("stored_cookie", req->maybe_sent_cookies()[1].cookie.Name());
+    EXPECT_EQ(
+        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+        req->maybe_sent_cookies()[1].status);
   }
+
+  network_delegate.unset_block_get_cookies();
   {
+    // Now with sending cookies re-enabled, it should actually be sent.
     TestDelegate d;
-    // Make sure cookies blocked from being sent are caught.
     GURL test_url = test_server.GetURL("/echoheader?Cookie");
     std::unique_ptr<URLRequest> req(context.CreateRequest(
         test_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -8584,18 +8652,52 @@ TEST_F(URLRequestTest, CatchFilteredCookies) {
     req->Start();
     d.RunUntilComplete();
 
-    EXPECT_TRUE(d.data_received().find("not_sent_cookies=true") ==
+    EXPECT_TRUE(d.data_received().find("stored_cookie=tasty") !=
                 std::string::npos);
 
-    ASSERT_EQ(1u, req->not_sent_cookies().size());
-    EXPECT_EQ("not_sent_cookies",
-              req->not_sent_cookies().front().cookie.Name());
-    EXPECT_EQ(
-        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
-        req->not_sent_cookies().front().status);
+    ASSERT_EQ(2u, req->maybe_sent_cookies().size());
+    EXPECT_EQ("path_cookie", req->maybe_sent_cookies()[0].cookie.Name());
+    EXPECT_EQ(net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_NOT_ON_PATH,
+              req->maybe_sent_cookies()[0].status);
+    EXPECT_EQ("stored_cookie", req->maybe_sent_cookies()[1].cookie.Name());
+    EXPECT_EQ(net::CanonicalCookie::CookieInclusionStatus::INCLUDE,
+              req->maybe_sent_cookies()[1].status);
   }
 }
 
+TEST_F(URLRequestTestHTTP, AuthChallengeCancelCookieCollect) {
+  ASSERT_TRUE(http_test_server()->Start());
+  GURL url_requiring_auth =
+      http_test_server()->GetURL("/auth-basic?set-cookie-if-challenged");
+
+  FilteringTestLayeredNetworkDelegate filtering_network_delegate(
+      std::make_unique<TestNetworkDelegate>());
+  filtering_network_delegate.SetCookieFilter("got_challenged");
+  TestURLRequestContext context(true);
+  context.set_network_delegate(&filtering_network_delegate);
+  context.Init();
+
+  TestDelegate delegate;
+
+  std::unique_ptr<URLRequest> request(
+      context.CreateRequest(url_requiring_auth, DEFAULT_PRIORITY, &delegate,
+                            TRAFFIC_ANNOTATION_FOR_TESTS));
+  request->set_site_for_cookies(url_requiring_auth);
+  request->Start();
+
+  delegate.RunUntilAuthRequired();
+  ASSERT_EQ(1u, request->maybe_stored_cookies().size());
+  EXPECT_EQ(
+      net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+      request->maybe_stored_cookies()[0].status);
+  EXPECT_EQ("got_challenged=true",
+            request->maybe_stored_cookies()[0].cookie_string);
+
+  // This shouldn't DCHECK-fail.
+  request->CancelAuth();
+  delegate.RunUntilComplete();
+}
+
 TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
   ASSERT_TRUE(http_test_server()->Start());
 
@@ -8603,8 +8705,8 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
       http_test_server()->GetURL("/auth-basic?set-cookie-if-challenged");
   GURL url_requiring_auth_wo_cookies =
       http_test_server()->GetURL("/auth-basic");
-  // Check not_stored_cookies is populated first round trip, and cleared on the
-  // second.
+  // Check maybe_stored_cookies is populated first round trip, and cleared on
+  // the second.
   {
     FilteringTestLayeredNetworkDelegate filtering_network_delegate(
         std::make_unique<TestNetworkDelegate>());
@@ -8626,7 +8728,10 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
     EXPECT_EQ(1, filtering_network_delegate.blocked_set_cookie_count());
 
     // The number of cookies blocked from the most recent round trip.
-    ASSERT_EQ(1u, request->not_stored_cookies().size());
+    ASSERT_EQ(1u, request->maybe_stored_cookies().size());
+    EXPECT_EQ(
+        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+        request->maybe_stored_cookies().front().status);
 
     // Now check the second round trip
     request->SetAuth(AuthCredentials(kUser, kSecret));
@@ -8634,17 +8739,17 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
     EXPECT_THAT(delegate.request_status(), IsOk());
 
     // There are DCHECKs in URLRequestHttpJob that would fail if
-    // not_sent_cookies and not_stored_cookies were not cleared properly.
+    // maybe_sent_cookies and maybe_stored_cookies were not cleared properly.
 
     // Make sure the cookie was actually filtered and not sent.
     EXPECT_EQ(std::string::npos,
               delegate.data_received().find("Cookie: got_challenged=true"));
 
-    // The number of cookies blocked from the most recent round trip.
-    ASSERT_EQ(0u, request->not_stored_cookies().size());
+    // The number of cookies that most recent round trip tried to set.
+    ASSERT_EQ(0u, request->maybe_stored_cookies().size());
   }
 
-  // Check not_sent_cookies on first round trip (and cleared for the second).
+  // Check maybe_sent_cookies on first round trip (and cleared for the second).
   {
     FilteringTestLayeredNetworkDelegate filtering_network_delegate(
         std::make_unique<TestNetworkDelegate>());
@@ -8670,13 +8775,16 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
 
     delegate.RunUntilAuthRequired();
 
-    ASSERT_EQ(1u, request->not_sent_cookies().size());
+    ASSERT_EQ(1u, request->maybe_sent_cookies().size());
     EXPECT_EQ("another_cookie",
-              request->not_sent_cookies().front().cookie.Name());
-    EXPECT_EQ("true", request->not_sent_cookies().front().cookie.Value());
+              request->maybe_sent_cookies().front().cookie.Name());
+    EXPECT_EQ("true", request->maybe_sent_cookies().front().cookie.Value());
+    EXPECT_EQ(
+        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+        request->maybe_sent_cookies().front().status);
 
-    // Check not_sent_cookies on second roundtrip.
-    request->set_not_sent_cookies({});
+    // Check maybe_sent_cookies on second roundtrip.
+    request->set_maybe_sent_cookies({});
     cm->DeleteAllAsync(CookieStore::DeleteCallback());
     cm->SetCookieWithOptionsAsync(url_requiring_auth_wo_cookies,
                                   "one_more_cookie=true", CookieOptions(),
@@ -8687,7 +8795,7 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
     EXPECT_THAT(delegate.request_status(), IsOk());
 
     // There are DCHECKs in URLRequestHttpJob that would fail if
-    // not_sent_cookies and not_stored_cookies we not cleared properly.
+    // maybe_sent_cookies and maybe_stored_cookies were not cleared properly.
 
     // Make sure the cookie was actually filtered.
     EXPECT_EQ(std::string::npos,
@@ -8697,9 +8805,12 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
     EXPECT_EQ(2, filtering_network_delegate.blocked_get_cookie_count());
 
     // // The number of cookies blocked from the most recent round trip.
-    ASSERT_EQ(1u, request->not_sent_cookies().size());
+    ASSERT_EQ(1u, request->maybe_sent_cookies().size());
     EXPECT_EQ("one_more_cookie",
-              request->not_sent_cookies().front().cookie.Name());
+              request->maybe_sent_cookies().front().cookie.Name());
+    EXPECT_EQ(
+        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+        request->maybe_sent_cookies().front().status);
   }
 }
 
@@ -8984,7 +9095,7 @@ TEST_F(URLRequestTestHTTP, RedirectWithFilteredCookies) {
 
   GURL original_url_wo_cookie(
       http_test_server()->GetURL("/server-redirect?" + redirect_to.spec()));
-  // Check not_stored_cookies on first round trip.
+  // Check maybe_stored_cookies on first round trip.
   {
     FilteringTestLayeredNetworkDelegate filtering_network_delegate(
         std::make_unique<TestNetworkDelegate>());  // Must outlive URLRequest.
@@ -9007,31 +9118,37 @@ TEST_F(URLRequestTestHTTP, RedirectWithFilteredCookies) {
     EXPECT_EQ(1, filtering_network_delegate.blocked_set_cookie_count());
 
     // The number of cookies blocked from the most recent round trip.
-    ASSERT_EQ(1u, request->not_stored_cookies().size());
+    ASSERT_EQ(1u, request->maybe_stored_cookies().size());
     EXPECT_EQ("server-redirect",
-              request->not_stored_cookies().front().cookie->Name());
-    EXPECT_EQ("true", request->not_stored_cookies().front().cookie->Value());
+              request->maybe_stored_cookies().front().cookie->Name());
+    EXPECT_EQ("true", request->maybe_stored_cookies().front().cookie->Value());
+    EXPECT_EQ(
+        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+        request->maybe_stored_cookies().front().status);
 
-    // Check not_stored_cookies on second round trip (and clearing from the
+    // Check maybe_stored_cookies on second round trip (and clearing from the
     // first).
     request->FollowDeferredRedirect(base::nullopt, base::nullopt);
     delegate.RunUntilComplete();
     EXPECT_THAT(delegate.request_status(), IsOk());
 
     // There are DCHECKs in URLRequestHttpJob that would fail if
-    // not_sent_cookies and not_stored_cookies we not cleared properly.
+    // maybe_sent_cookies and maybe_stored_cookies we not cleared properly.
 
     // Make sure it was blocked twice.
     EXPECT_EQ(2, filtering_network_delegate.blocked_set_cookie_count());
 
     // The number of cookies blocked from the most recent round trip.
-    ASSERT_EQ(1u, request->not_stored_cookies().size());
+    ASSERT_EQ(1u, request->maybe_stored_cookies().size());
     EXPECT_EQ("server-redirect",
-              request->not_stored_cookies().front().cookie->Name());
-    EXPECT_EQ("other", request->not_stored_cookies().front().cookie->Value());
+              request->maybe_stored_cookies().front().cookie->Name());
+    EXPECT_EQ("other", request->maybe_stored_cookies().front().cookie->Value());
+    EXPECT_EQ(
+        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+        request->maybe_stored_cookies().front().status);
   }
 
-  // Check not_sent_cookies on first round trip.
+  // Check maybe_sent_cookies on first round trip.
   {
     FilteringTestLayeredNetworkDelegate filtering_network_delegate(
         std::make_unique<TestNetworkDelegate>());
@@ -9056,12 +9173,15 @@ TEST_F(URLRequestTestHTTP, RedirectWithFilteredCookies) {
 
     delegate.RunUntilRedirect();
 
-    ASSERT_EQ(1u, request->not_sent_cookies().size());
+    ASSERT_EQ(1u, request->maybe_sent_cookies().size());
     EXPECT_EQ("another_cookie",
-              request->not_sent_cookies().front().cookie.Name());
+              request->maybe_sent_cookies().front().cookie.Name());
+    EXPECT_EQ(
+        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+        request->maybe_sent_cookies().front().status);
 
-    // Check not_sent_cookies on second round trip
-    request->set_not_sent_cookies({});
+    // Check maybe_sent_cookies on second round trip
+    request->set_maybe_sent_cookies({});
     cm->DeleteAllAsync(CookieStore::DeleteCallback());
     cm->SetCookieWithOptionsAsync(original_url_wo_cookie,
                                   "one_more_cookie=true", CookieOptions(),
@@ -9072,15 +9192,18 @@ TEST_F(URLRequestTestHTTP, RedirectWithFilteredCookies) {
     EXPECT_THAT(delegate.request_status(), IsOk());
 
     // There are DCHECKs in URLRequestHttpJob that would fail if
-    // not_sent_cookies and not_stored_cookies we not cleared properly.
+    // maybe_sent_cookies and maybe_stored_cookies we not cleared properly.
 
     EXPECT_EQ(2, filtering_network_delegate.blocked_get_cookie_count());
 
     // The number of cookies blocked from the most recent round trip.
-    ASSERT_EQ(1u, request->not_sent_cookies().size());
+    ASSERT_EQ(1u, request->maybe_sent_cookies().size());
     EXPECT_EQ("one_more_cookie",
-              request->not_sent_cookies().front().cookie.Name());
-    EXPECT_EQ("true", request->not_sent_cookies().front().cookie.Value());
+              request->maybe_sent_cookies().front().cookie.Name());
+    EXPECT_EQ("true", request->maybe_sent_cookies().front().cookie.Value());
+    EXPECT_EQ(
+        net::CanonicalCookie::CookieInclusionStatus::EXCLUDE_USER_PREFERENCES,
+        request->maybe_sent_cookies().front().status);
   }
 }
 
@@ -11352,7 +11475,19 @@ class HTTPSOCSPTest : public HTTPSRequestTest {
   std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_;
 };
 
+static bool UsingBuiltinCertVerifier() {
+#if defined(OS_FUCHSIA)
+  return true;
+#elif BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
+  if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature))
+    return true;
+#endif
+  return false;
+}
+
 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() {
+  if (UsingBuiltinCertVerifier())
+    return 0;
 #if defined(OS_WIN) || defined(OS_MACOSX)
   // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't
   // have that ability on other platforms.
@@ -11372,8 +11507,9 @@ static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() {
 // If it does not, then tests which rely on 'hard fail' behaviour should be
 // skipped.
 static bool SystemSupportsHardFailRevocationChecking() {
-#if defined(OS_WIN) || defined(USE_NSS_CERTS) || \
-    defined(USE_BUILTIN_CERT_VERIFIER)
+  if (UsingBuiltinCertVerifier())
+    return true;
+#if defined(OS_WIN) || defined(USE_NSS_CERTS)
   return true;
 #else
   return false;
@@ -11385,6 +11521,8 @@ static bool SystemSupportsHardFailRevocationChecking() {
 // several tests are effected because our testing EV certificate won't be
 // recognised as EV.
 static bool SystemUsesChromiumEVMetadata() {
+  if (UsingBuiltinCertVerifier())
+    return true;
 #if defined(PLATFORM_USES_CHROMIUM_EV_METADATA)
   return true;
 #else
@@ -11415,6 +11553,8 @@ static bool SystemSupportsOCSP() {
 }
 
 static bool SystemSupportsOCSPStapling() {
+  if (UsingBuiltinCertVerifier())
+    return true;
 #if defined(OS_ANDROID)
   return false;
 #elif defined(OS_MACOSX)
@@ -11481,17 +11621,17 @@ TEST_F(HTTPSOCSPTest, Invalid) {
   CertStatus cert_status;
   DoConnection(ssl_options, &cert_status);
 
-#if defined(USE_BUILTIN_CERT_VERIFIER)
-  // TODO(649017): This test uses soft-fail revocation checking, but returns an
-  // invalid OCSP response (can't parse). CertVerifyProcBuiltin currently
-  // doesn't consider this a candidate for soft-fail (only considers
-  // network-level failures as skippable).
-  EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
-            cert_status & CERT_STATUS_UNABLE_TO_CHECK_REVOCATION);
-#else
-  EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(),
-            cert_status & CERT_STATUS_ALL_ERRORS);
-#endif
+  if (UsingBuiltinCertVerifier()) {
+    // TODO(649017): This test uses soft-fail revocation checking, but returns
+    // an invalid OCSP response (can't parse). CertVerifyProcBuiltin currently
+    // doesn't consider this a candidate for soft-fail (only considers
+    // network-level failures as skippable).
+    EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
+              cert_status & CERT_STATUS_UNABLE_TO_CHECK_REVOCATION);
+  } else {
+    EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(),
+              cert_status & CERT_STATUS_ALL_ERRORS);
+  }
 
   // Without a positive OCSP response, we shouldn't show the EV status.
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
@@ -11562,18 +11702,18 @@ TEST_F(HTTPSOCSPTest, IntermediateResponseTooOld) {
   CertStatus cert_status;
   DoConnection(ssl_options, &cert_status);
 
-#if defined(USE_BUILTIN_CERT_VERIFIER)
-  // The builtin verifier enforces the baseline requirements for max age of an
-  // intermediate's OCSP response.
-  EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
-            cert_status & CERT_STATUS_ALL_ERRORS);
-  EXPECT_EQ(0u, cert_status & CERT_STATUS_IS_EV);
-#else
-  // The platform verifiers are more lenient.
-  EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
-  EXPECT_EQ(SystemUsesChromiumEVMetadata(),
-            static_cast<bool>(cert_status & CERT_STATUS_IS_EV));
-#endif
+  if (UsingBuiltinCertVerifier()) {
+    // The builtin verifier enforces the baseline requirements for max age of an
+    // intermediate's OCSP response.
+    EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
+              cert_status & CERT_STATUS_ALL_ERRORS);
+    EXPECT_EQ(0u, cert_status & CERT_STATUS_IS_EV);
+  } else {
+    // The platform verifiers are more lenient.
+    EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
+    EXPECT_EQ(SystemUsesChromiumEVMetadata(),
+              static_cast<bool>(cert_status & CERT_STATUS_IS_EV));
+  }
   EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
@@ -12022,14 +12162,14 @@ TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) {
   CertStatus cert_status;
   DoConnection(ssl_options, &cert_status);
 
-#if defined(USE_BUILTIN_CERT_VERIFIER)
-  // TODO(crbug.com/649017): Should we consider invalid response as
-  //                         affirmatively revoked?
-  EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
-            cert_status & CERT_STATUS_UNABLE_TO_CHECK_REVOCATION);
-#else
-  EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_REVOKED);
-#endif
+  if (UsingBuiltinCertVerifier()) {
+    // TODO(crbug.com/649017): Should we consider invalid response as
+    //                         affirmatively revoked?
+    EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
+              cert_status & CERT_STATUS_UNABLE_TO_CHECK_REVOCATION);
+  } else {
+    EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_REVOKED);
+  }
 
   // Without a positive OCSP response, we shouldn't show the EV status.
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
@@ -12079,14 +12219,19 @@ TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndRevokedOCSP) {
   CertStatus cert_status;
   DoConnection(ssl_options, &cert_status);
 
-// Currently only works for Windows and OS X. When using NSS, it's not
-// possible to determine whether the check failed because of actual
-// revocation or because there was an OCSP failure.
+  // Currently only works for Windows and OS X. When using NSS, it's not
+  // possible to determine whether the check failed because of actual
+  // revocation or because there was an OCSP failure.
+  if (UsingBuiltinCertVerifier()) {
+    // TODO(https://crbug.com/410574): Handle this in builtin verifier too?
+    EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
+  } else {
 #if defined(OS_WIN) || defined(OS_MACOSX)
-  EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS);
+    EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS);
 #else
-  EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
+    EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
 #endif
+  }
 
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
   EXPECT_EQ(SystemUsesChromiumEVMetadata(),
@@ -12353,7 +12498,7 @@ class URLRequestTestFTP : public URLRequestTest {
   void SetUpFactory() override {
     // Add FTP support to the default URLRequestContext.
     job_factory_impl_->SetProtocolHandler(
-        "ftp", FtpProtocolHandler::Create(&host_resolver_));
+        "ftp", FtpProtocolHandler::Create(&host_resolver_, &ftp_auth_cache_));
   }
 
   std::string GetTestFileContents() {
@@ -12368,6 +12513,7 @@ class URLRequestTestFTP : public URLRequestTest {
 
  protected:
   MockHostResolver host_resolver_;
+  FtpAuthCache ftp_auth_cache_;
 
   SpawnedTestServer ftp_test_server_;
 };
@@ -12681,6 +12827,26 @@ TEST_F(URLRequestTestFTP, RawBodyBytes) {
   EXPECT_EQ(6, req->GetRawBodyBytes());
 }
 
+TEST_F(URLRequestTestFTP, FtpAuthCancellation) {
+  ftp_test_server_.set_no_anonymous_ftp_user(true);
+  ASSERT_TRUE(ftp_test_server_.Start());
+  TestDelegate d;
+  std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+      ftp_test_server_.GetURL("simple.html"), DEFAULT_PRIORITY, &d,
+      TRAFFIC_ANNOTATION_FOR_TESTS));
+  req->Start();
+  d.RunUntilComplete();
+
+  ASSERT_TRUE(d.auth_required_called());
+  EXPECT_EQ(OK, d.request_status());
+  EXPECT_TRUE(req->auth_challenge_info());
+  std::string mime_type;
+  req->GetMimeType(&mime_type);
+  EXPECT_EQ("text/plain", mime_type);
+  EXPECT_EQ("", d.data_received());
+  EXPECT_EQ(-1, req->GetExpectedContentSize());
+}
+
 class URLRequestTestFTPOverHttpProxy : public URLRequestTestFTP {
  public:
   // Test interface:
diff --git a/chromium/net/websockets/websocket_basic_handshake_stream.cc b/chromium/net/websockets/websocket_basic_handshake_stream.cc
index 65f63e06624..3199a93dec5 100644
--- a/chromium/net/websockets/websocket_basic_handshake_stream.cc
+++ b/chromium/net/websockets/websocket_basic_handshake_stream.cc
@@ -179,8 +179,7 @@ WebSocketBasicHandshakeStream::WebSocketBasicHandshakeStream(
       requested_sub_protocols_(std::move(requested_sub_protocols)),
       requested_extensions_(std::move(requested_extensions)),
       stream_request_(request),
-      websocket_endpoint_lock_manager_(websocket_endpoint_lock_manager),
-      weak_ptr_factory_(this) {
+      websocket_endpoint_lock_manager_(websocket_endpoint_lock_manager) {
   DCHECK(connect_delegate);
   DCHECK(request);
 }
@@ -406,15 +405,12 @@ std::unique_ptr<WebSocketStream> WebSocketBasicHandshakeStream::Upgrade() {
           state_.read_buf(), sub_protocol_, extensions_);
   DCHECK(extension_params_.get());
   if (extension_params_->deflate_enabled) {
-    RecordDeflateMode(
-        extension_params_->deflate_parameters.client_context_take_over_mode());
-
     return std::make_unique<WebSocketDeflateStream>(
         std::move(basic_stream), extension_params_->deflate_parameters,
         std::make_unique<WebSocketDeflatePredictorImpl>());
-  } else {
-    return basic_stream;
   }
+
+  return basic_stream;
 }
 
 base::WeakPtr<WebSocketHandshakeStreamBase>
diff --git a/chromium/net/websockets/websocket_basic_handshake_stream.h b/chromium/net/websockets/websocket_basic_handshake_stream.h
index 69e14b8b28e..31986aa653f 100644
--- a/chromium/net/websockets/websocket_basic_handshake_stream.h
+++ b/chromium/net/websockets/websocket_basic_handshake_stream.h
@@ -149,7 +149,7 @@ class NET_EXPORT_PRIVATE WebSocketBasicHandshakeStream final
 
   WebSocketEndpointLockManager* const websocket_endpoint_lock_manager_;
 
-  base::WeakPtrFactory<WebSocketBasicHandshakeStream> weak_ptr_factory_;
+  base::WeakPtrFactory<WebSocketBasicHandshakeStream> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(WebSocketBasicHandshakeStream);
 };
diff --git a/chromium/net/websockets/websocket_basic_stream.cc b/chromium/net/websockets/websocket_basic_stream.cc
index 0fa933d581b..3862ec39ab7 100644
--- a/chromium/net/websockets/websocket_basic_stream.cc
+++ b/chromium/net/websockets/websocket_basic_stream.cc
@@ -11,9 +11,11 @@
 #include <utility>
 
 #include "base/bind.h"
+#include "base/command_line.h"
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/numerics/safe_conversions.h"
+#include "base/strings/string_number_conversions.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/socket/client_socket_handle.h"
@@ -94,13 +96,17 @@ int CalculateSerializedSizeAndTurnOnMaskBit(
 
 }  // namespace
 
+// Overrides default read buffer size for WebSocket. This flag will be used to
+// investigate the performance issue of crbug.com/865001 and be deleted later
+// on.
+const char kWebSocketReadBufferSize[] = "websocket-read-buffer-size";
+
 WebSocketBasicStream::WebSocketBasicStream(
     std::unique_ptr<Adapter> connection,
     const scoped_refptr<GrowableIOBuffer>& http_read_buffer,
     const std::string& sub_protocol,
     const std::string& extensions)
-    : read_buffer_(base::MakeRefCounted<IOBufferWithSize>(kReadBufferSize)),
-      connection_(std::move(connection)),
+    : connection_(std::move(connection)),
       http_read_buffer_(http_read_buffer),
       sub_protocol_(sub_protocol),
       extensions_(extensions),
@@ -109,6 +115,21 @@ WebSocketBasicStream::WebSocketBasicStream(
   if (http_read_buffer_.get() && http_read_buffer_->offset() == 0)
     http_read_buffer_ = nullptr;
   DCHECK(connection_->is_initialized());
+  base::CommandLine* const command_line =
+      base::CommandLine::ForCurrentProcess();
+  DCHECK(command_line);
+  int websocket_buffer_size = kReadBufferSize;
+  if (command_line->HasSwitch(kWebSocketReadBufferSize)) {
+    std::string size_string =
+        command_line->GetSwitchValueASCII(kWebSocketReadBufferSize);
+    if (!base::StringToInt(size_string, &websocket_buffer_size) ||
+        websocket_buffer_size <= 0) {
+      websocket_buffer_size = kReadBufferSize;
+    }
+  }
+  DVLOG(1) << "WebSocketReadBufferSize is " << websocket_buffer_size;
+  read_buffer_ =
+      (base::MakeRefCounted<IOBufferWithSize>(websocket_buffer_size));
 }
 
 WebSocketBasicStream::~WebSocketBasicStream() { Close(); }
diff --git a/chromium/net/websockets/websocket_basic_stream.h b/chromium/net/websockets/websocket_basic_stream.h
index 05d2696709b..aea8103a251 100644
--- a/chromium/net/websockets/websocket_basic_stream.h
+++ b/chromium/net/websockets/websocket_basic_stream.h
@@ -194,6 +194,8 @@ class NET_EXPORT_PRIVATE WebSocketBasicStream : public WebSocketStream {
   CompletionOnceCallback read_callback_;
 };
 
+NET_EXPORT extern const char kWebSocketReadBufferSize[];
+
 }  // namespace net
 
 #endif  // NET_WEBSOCKETS_WEBSOCKET_BASIC_STREAM_H_
diff --git a/chromium/net/websockets/websocket_basic_stream_adapters.cc b/chromium/net/websockets/websocket_basic_stream_adapters.cc
index 7bdf9dbbd2d..789804f0eb7 100644
--- a/chromium/net/websockets/websocket_basic_stream_adapters.cc
+++ b/chromium/net/websockets/websocket_basic_stream_adapters.cc
@@ -57,8 +57,7 @@ WebSocketSpdyStreamAdapter::WebSocketSpdyStreamAdapter(
       stream_error_(ERR_CONNECTION_CLOSED),
       delegate_(delegate),
       write_length_(0),
-      net_log_(net_log),
-      weak_factory_(this) {
+      net_log_(net_log) {
   stream_->SetDelegate(this);
 }
 
diff --git a/chromium/net/websockets/websocket_basic_stream_adapters.h b/chromium/net/websockets/websocket_basic_stream_adapters.h
index 350a7224475..6c2ee1f3b1f 100644
--- a/chromium/net/websockets/websocket_basic_stream_adapters.h
+++ b/chromium/net/websockets/websocket_basic_stream_adapters.h
@@ -144,7 +144,7 @@ class NET_EXPORT_PRIVATE WebSocketSpdyStreamAdapter
 
   NetLogWithSource net_log_;
 
-  base::WeakPtrFactory<WebSocketSpdyStreamAdapter> weak_factory_;
+  base::WeakPtrFactory<WebSocketSpdyStreamAdapter> weak_factory_{this};
 };
 
 }  // namespace net
diff --git a/chromium/net/websockets/websocket_basic_stream_test.cc b/chromium/net/websockets/websocket_basic_stream_test.cc
index 77d07df3add..1a23048da1e 100644
--- a/chromium/net/websockets/websocket_basic_stream_test.cc
+++ b/chromium/net/websockets/websocket_basic_stream_test.cc
@@ -117,8 +117,7 @@ class WebSocketBasicStreamSocketTest : public TestWithScopedTaskEnvironment {
             nullptr /* quic_stream_factory */,
             nullptr /* proxy_delegate */,
             nullptr /* http_user_agent_settings */,
-            SSLClientSocketContext(),
-            SSLClientSocketContext(),
+            nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
             nullptr /* net_log */,
diff --git a/chromium/net/websockets/websocket_channel.cc b/chromium/net/websockets/websocket_channel.cc
index d9224258836..0a5408ad59a 100644
--- a/chromium/net/websockets/websocket_channel.cc
+++ b/chromium/net/websockets/websocket_channel.cc
@@ -321,13 +321,6 @@ void WebSocketChannel::SendAddChannelRequest(
 void WebSocketChannel::SetState(State new_state) {
   DCHECK_NE(state_, new_state);
 
-  if (new_state == CONNECTED)
-    established_on_ = base::TimeTicks::Now();
-  if (state_ == CONNECTED && !established_on_.is_null()) {
-    UMA_HISTOGRAM_LONG_TIMES(
-        "Net.WebSocket.Duration", base::TimeTicks::Now() - established_on_);
-  }
-
   state_ = new_state;
 }
 
@@ -392,6 +385,12 @@ WebSocketChannel::ChannelState WebSocketChannel::SendFrame(
   // |this| may have been deleted.
 }
 
+// Overrides default quota resend threshold size for WebSocket. This flag will
+// be used to investigate the performance issue of crbug.com/865001 and be
+// deleted later on.
+const char kWebSocketReceiveQuotaThreshold[] =
+    "websocket-renderer-receive-quota-max";
+
 ChannelState WebSocketChannel::AddReceiveFlowControlQuota(int64_t quota) {
   DCHECK(state_ == CONNECTING || state_ == CONNECTED || state_ == SEND_CLOSED ||
          state_ == CLOSE_WAIT);
@@ -571,7 +570,7 @@ void WebSocketChannel::OnConnectSuccess(
   // TODO(ricea): Get flow control information from the WebSocketStream once we
   // have a multiplexing WebSocketStream.
   current_send_quota_ = send_quota_high_water_mark_;
-  event_interface_->OnFlowControl(send_quota_high_water_mark_);
+  event_interface_->OnSendFlowControlQuotaAdded(send_quota_high_water_mark_);
 
   // |stream_request_| is not used once the connection has succeeded.
   stream_request_.reset();
@@ -669,7 +668,7 @@ ChannelState WebSocketChannel::OnWriteDone(bool synchronous, int result) {
           // server, if the protocol in use supports quota.
           int fresh_quota = send_quota_high_water_mark_ - current_send_quota_;
           current_send_quota_ += fresh_quota;
-          event_interface_->OnFlowControl(fresh_quota);
+          event_interface_->OnSendFlowControlQuotaAdded(fresh_quota);
           return CHANNEL_ALIVE;
         }
       }
diff --git a/chromium/net/websockets/websocket_channel.h b/chromium/net/websockets/websocket_channel.h
index 613d4958239..0ca6868e4df 100644
--- a/chromium/net/websockets/websocket_channel.h
+++ b/chromium/net/websockets/websocket_channel.h
@@ -153,6 +153,11 @@ class NET_EXPORT WebSocketChannel {
   void OnFinishOpeningHandshake(
       std::unique_ptr<WebSocketHandshakeResponseInfo> response);
 
+  // The renderer calls AddReceiveFlowControlQuota() to the browser per
+  // recerving this amount of data so that the browser can continue sending
+  // remaining data to the renderer.
+  static const uint64_t kReceiveQuotaThreshold = 1 << 15;
+
  private:
   class PendingReceivedFrame;
 
@@ -410,13 +415,11 @@ class NET_EXPORT WebSocketChannel {
   // message to the renderer. This can be false if the message is empty so far.
   bool initial_frame_forwarded_;
 
-  // For UMA. The time when OnConnectSuccess() method was called and |stream_|
-  // was set.
-  base::TimeTicks established_on_;
-
   DISALLOW_COPY_AND_ASSIGN(WebSocketChannel);
 };
 
+NET_EXPORT extern const char kWebSocketReceiveQuotaThreshold[];
+
 }  // namespace net
 
 #endif  // NET_WEBSOCKETS_WEBSOCKET_CHANNEL_H_
diff --git a/chromium/net/websockets/websocket_channel_test.cc b/chromium/net/websockets/websocket_channel_test.cc
index 981a1c22e9a..cb83f9c021b 100644
--- a/chromium/net/websockets/websocket_channel_test.cc
+++ b/chromium/net/websockets/websocket_channel_test.cc
@@ -179,7 +179,7 @@ class MockWebSocketEventInterface : public WebSocketEventInterface {
                void(bool,
                     WebSocketMessageType,
                     const std::vector<char>&));           // NOLINT
-  MOCK_METHOD1(OnFlowControl, void(int64_t));             // NOLINT
+  MOCK_METHOD1(OnSendFlowControlQuotaAdded, void(int64_t));  // NOLINT
   MOCK_METHOD0(OnClosingHandshake, void(void));           // NOLINT
   MOCK_METHOD1(OnFailChannel, void(const std::string&));  // NOLINT
   MOCK_METHOD3(OnDropChannel,
@@ -235,7 +235,7 @@ class FakeWebSocketEventInterface : public WebSocketEventInterface {
                    WebSocketMessageType type,
                    scoped_refptr<IOBuffer> data,
                    size_t data_size) override {}
-  void OnFlowControl(int64_t quota) override {}
+  void OnSendFlowControlQuotaAdded(int64_t quota) override {}
   void OnClosingHandshake() override {}
   void OnFailChannel(const std::string& message) override {}
   void OnDropChannel(bool was_clean,
@@ -660,7 +660,7 @@ class EchoeyFakeWebSocketStream : public FakeWebSocketStream {
 // 2. Calling either callback may delete the stream altogether.
 class ResetOnWriteFakeWebSocketStream : public FakeWebSocketStream {
  public:
-  ResetOnWriteFakeWebSocketStream() : closed_(false), weak_ptr_factory_(this) {}
+  ResetOnWriteFakeWebSocketStream() : closed_(false) {}
 
   int WriteFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames,
                   CompletionOnceCallback callback) override {
@@ -697,7 +697,7 @@ class ResetOnWriteFakeWebSocketStream : public FakeWebSocketStream {
   bool closed_;
   // An IO error can result in the socket being deleted, so we use weak pointers
   // to ensure correct behaviour in that case.
-  base::WeakPtrFactory<ResetOnWriteFakeWebSocketStream> weak_ptr_factory_;
+  base::WeakPtrFactory<ResetOnWriteFakeWebSocketStream> weak_ptr_factory_{this};
 };
 
 // This mock is for verifying that WebSocket protocol semantics are obeyed (to
@@ -926,7 +926,7 @@ class WebSocketChannelSendUtf8Test
     // whether these methods are called or not.
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _))
         .Times(AnyNumber());
-    EXPECT_CALL(*event_interface_, OnFlowControl(_))
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_))
         .Times(AnyNumber());
   }
 };
@@ -990,9 +990,9 @@ TEST_F(WebSocketChannelTest, SendFlowControlDuringHandshakeOkay) {
 TEST_F(WebSocketChannelEventInterfaceTest, ConnectSuccessReported) {
   // false means success.
   EXPECT_CALL(*event_interface_, OnAddChannelResponse("", ""));
-  // OnFlowControl is always called immediately after connect to provide initial
-  // quota to the renderer.
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  // OnSendFlowControlQuotaAdded is always called immediately after connect to
+  // provide initial quota to the renderer.
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
 
   CreateChannelAndConnect();
 
@@ -1015,7 +1015,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, NonWebSocketSchemeRejected) {
 
 TEST_F(WebSocketChannelEventInterfaceTest, ProtocolPassed) {
   EXPECT_CALL(*event_interface_, OnAddChannelResponse("Bob", ""));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
 
   CreateChannelAndConnect();
 
@@ -1026,7 +1026,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ProtocolPassed) {
 TEST_F(WebSocketChannelEventInterfaceTest, ExtensionsPassed) {
   EXPECT_CALL(*event_interface_,
               OnAddChannelResponse("", "extension1, extension2"));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
 
   CreateChannelAndConnect();
 
@@ -1046,7 +1046,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, DataLeftFromHandshake) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("HELLO")));
@@ -1069,7 +1069,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, CloseAfterHandshake) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_, OnClosingHandshake());
     EXPECT_CALL(
         *event_interface_,
@@ -1090,7 +1090,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ConnectionCloseAfterHandshake) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(false, kWebSocketErrorAbnormalClosure, _));
   }
@@ -1110,7 +1110,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, NormalAsyncRead) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(1));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText,
@@ -1138,7 +1138,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, AsyncThenSyncRead) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("HELLO")));
@@ -1177,7 +1177,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, FragmentedMessage) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("THREE")));
@@ -1211,7 +1211,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, NullMessage) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(
       *event_interface_,
       OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText, AsVector("")));
@@ -1227,7 +1227,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, AsyncAbnormalClosure) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(false, kWebSocketErrorAbnormalClosure, _));
   }
@@ -1245,7 +1245,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ConnectionReset) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(false, kWebSocketErrorAbnormalClosure, _));
   }
@@ -1265,7 +1265,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, MaskedFramesAreRejected) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(
         *event_interface_,
         OnFailChannel(
@@ -1287,7 +1287,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, UnknownOpCodeIsRejected) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnFailChannel("Unrecognized frame opcode: 4"));
   }
@@ -1317,7 +1317,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ControlFrameInDataMessage) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("SPLIT ")));
@@ -1340,7 +1340,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, PongWithNullData) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::ASYNC, OK, frames);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
 
   CreateChannelAndConnectSuccessfully();
   base::RunLoop().RunUntilIdle();
@@ -1359,7 +1359,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, FrameAfterInvalidFrame) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(
         *event_interface_,
         OnFailChannel(
@@ -1377,7 +1377,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, SmallWriteDoesntUpdateQuota) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   }
 
   CreateChannelAndConnectSuccessfully();
@@ -1395,9 +1395,9 @@ TEST_F(WebSocketChannelEventInterfaceTest, LargeWriteUpdatesQuota) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(1));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(2));
   }
 
@@ -1416,13 +1416,13 @@ TEST_F(WebSocketChannelEventInterfaceTest, QuotaReallyIsRefreshed) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(1));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(2));
     // If quota was not really refreshed, we would get an OnDropChannel()
     // message.
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(3));
   }
 
@@ -1446,7 +1446,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, WriteOverQuotaIsRejected) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(kDefaultInitialQuota));
+    EXPECT_CALL(*event_interface_,
+                OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
     EXPECT_CALL(*event_interface_, OnFailChannel("Send quota exceeded"));
   }
 
@@ -1463,7 +1464,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, FailedWrite) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(1));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(false, kWebSocketErrorAbnormalClosure, _));
@@ -1484,7 +1485,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, SendCloseDropsChannel) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(true, kWebSocketNormalClosure, "Fred"));
   }
@@ -1512,7 +1513,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, CloseDuringConnection) {
 TEST_F(WebSocketChannelEventInterfaceTest, OnDropChannelCalledOnce) {
   set_stream(std::make_unique<ResetOnWriteFakeWebSocketStream>());
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
 
   EXPECT_CALL(*event_interface_,
               OnDropChannel(false, kWebSocketErrorAbnormalClosure, ""))
@@ -1536,7 +1537,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, CloseWithNoPayloadGivesStatus1005) {
                                  ERR_CONNECTION_CLOSED);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(*event_interface_, OnClosingHandshake());
   EXPECT_CALL(*event_interface_,
               OnDropChannel(true, kWebSocketErrorNoStatusReceived, _));
@@ -1555,7 +1556,7 @@ TEST_F(WebSocketChannelEventInterfaceTest,
                                  ERR_CONNECTION_CLOSED);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(*event_interface_, OnClosingHandshake());
   EXPECT_CALL(*event_interface_,
               OnDropChannel(true, kWebSocketErrorNoStatusReceived, _));
@@ -1571,7 +1572,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, SyncProtocolErrorGivesStatus1002) {
                                  ERR_WS_PROTOCOL_ERROR);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
 
   EXPECT_CALL(*event_interface_, OnFailChannel("Invalid frame header"));
 
@@ -1585,7 +1586,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, AsyncProtocolErrorGivesStatus1002) {
                                  ERR_WS_PROTOCOL_ERROR);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
 
   EXPECT_CALL(*event_interface_, OnFailChannel("Invalid frame header"));
 
@@ -1597,7 +1598,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, StartHandshakeRequest) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_, OnStartOpeningHandshakeCalled());
   }
 
@@ -1615,7 +1616,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, FinishHandshakeRequest) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_, OnFinishOpeningHandshakeCalled());
   }
 
@@ -1668,7 +1669,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, DataAfterCloseIsRejected) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
 
   {
     InSequence s;
@@ -1689,7 +1690,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, OneByteClosePayloadMessage) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(
       *event_interface_,
       OnFailChannel(
@@ -1708,7 +1709,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ClosePayloadReservedStatusMessage) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(
       *event_interface_,
       OnFailChannel(
@@ -1727,7 +1728,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ClosePayloadInvalidReason) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(
       *event_interface_,
       OnFailChannel(
@@ -1752,7 +1753,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ReservedBitsMustNotBeSet) {
                                std::move(raw_frames));
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(*event_interface_,
               OnFailChannel(
                   "One or more reserved bits are on: reserved1 = 1, "
@@ -1770,7 +1771,7 @@ TEST_F(WebSocketChannelEventInterfaceTest,
                                  ERR_IO_PENDING);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   // This checkpoint object verifies that the OnDropChannel message comes after
   // the timeout.
   Checkpoint checkpoint;
@@ -1807,7 +1808,7 @@ TEST_F(WebSocketChannelEventInterfaceTest,
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::ASYNC, OK, frames);
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   Checkpoint checkpoint;
   TestClosure completion;
   {
@@ -1957,7 +1958,7 @@ TEST_F(WebSocketChannelFlowControlTest, SingleFrameMessageSplitSync) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("FO")));
@@ -1988,7 +1989,7 @@ TEST_F(WebSocketChannelFlowControlTest, SingleFrameMessageSplitAsync) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(1));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
@@ -2033,7 +2034,7 @@ TEST_F(WebSocketChannelFlowControlTest, MultipleFrameSplit) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("FIRST FRAME IS")));
@@ -2074,7 +2075,7 @@ TEST_F(WebSocketChannelFlowControlTest, EmptyMessageNoQuota) {
   {
     InSequence s;
     EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("FIRST ")));
@@ -2112,7 +2113,7 @@ TEST_F(WebSocketChannelFlowControlTest, CloseFrameShouldNotOvertakeDataFrames) {
   Checkpoint checkpoint;
   InSequence s;
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(*event_interface_,
               OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                 AsVector("FIRST ")));
@@ -2160,7 +2161,7 @@ TEST_F(WebSocketChannelFlowControlTest, DoNotSendMultipleCloseRespondFrames) {
   Checkpoint checkpoint;
   InSequence s;
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(*event_interface_,
               OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                 AsVector("FIRST ")));
@@ -2592,7 +2593,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ReadBinaryFramesAre8BitClean) {
                                std::move(frames));
   set_stream(std::move(stream));
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(_));
+  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
   EXPECT_CALL(
       *event_interface_,
       OnDataFrameVector(
@@ -2708,7 +2709,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, ReceivedInvalidUtf8) {
   set_stream(std::move(stream));
 
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(kDefaultInitialQuota));
+  EXPECT_CALL(*event_interface_,
+              OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
   EXPECT_CALL(*event_interface_,
               OnFailChannel("Could not decode a text frame as UTF-8."));
 
@@ -2899,7 +2901,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, BogusContinuation) {
   set_stream(std::move(stream));
 
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(kDefaultInitialQuota));
+  EXPECT_CALL(*event_interface_,
+              OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
   EXPECT_CALL(*event_interface_,
               OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeBinary,
                                 AsVector("frame1")));
@@ -2921,7 +2924,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, MessageStartingWithContinuation) {
   set_stream(std::move(stream));
 
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(kDefaultInitialQuota));
+  EXPECT_CALL(*event_interface_,
+              OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
   EXPECT_CALL(*event_interface_,
               OnFailChannel("Received unexpected continuation frame."));
 
@@ -2941,7 +2945,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, DataFramesNonEmptyOrFinal) {
   set_stream(std::move(stream));
 
   EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnFlowControl(kDefaultInitialQuota));
+  EXPECT_CALL(*event_interface_,
+              OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
   EXPECT_CALL(
       *event_interface_,
       OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText, AsVector("")));
diff --git a/chromium/net/websockets/websocket_deflate_stream_fuzzer.cc b/chromium/net/websockets/websocket_deflate_stream_fuzzer.cc
index 195ad38512a..3c20868cf5f 100644
--- a/chromium/net/websockets/websocket_deflate_stream_fuzzer.cc
+++ b/chromium/net/websockets/websocket_deflate_stream_fuzzer.cc
@@ -12,7 +12,6 @@
 #include "base/memory/scoped_refptr.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
-#include "base/test/fuzzed_data_provider.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/websockets/websocket_deflate_parameters.h"
@@ -22,6 +21,7 @@
 #include "net/websockets/websocket_extension.h"
 #include "net/websockets/websocket_frame.h"
 #include "net/websockets/websocket_stream.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 namespace net {
 
@@ -43,7 +43,7 @@ constexpr size_t MIN_USEFUL_SIZE =
 
 class WebSocketFuzzedStream final : public WebSocketStream {
  public:
-  explicit WebSocketFuzzedStream(base::FuzzedDataProvider* fuzzed_data_provider)
+  explicit WebSocketFuzzedStream(FuzzedDataProvider* fuzzed_data_provider)
       : fuzzed_data_provider_(fuzzed_data_provider) {}
 
   int ReadFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames,
@@ -90,11 +90,11 @@ class WebSocketFuzzedStream final : public WebSocketStream {
     return frame;
   }
 
-  base::FuzzedDataProvider* fuzzed_data_provider_;
+  FuzzedDataProvider* fuzzed_data_provider_;
 };
 
 void WebSocketDeflateStreamFuzz(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider fuzzed_data_provider(data, size);
+  FuzzedDataProvider fuzzed_data_provider(data, size);
   uint8_t flags = fuzzed_data_provider.ConsumeIntegral<uint8_t>();
   bool server_no_context_takeover = flags & 0x1;
   bool client_no_context_takeover = (flags >> 1) & 0x1;
diff --git a/chromium/net/websockets/websocket_deflater.h b/chromium/net/websockets/websocket_deflater.h
index 3aa6f246530..d72c7335559 100644
--- a/chromium/net/websockets/websocket_deflater.h
+++ b/chromium/net/websockets/websocket_deflater.h
@@ -23,8 +23,6 @@ class IOBufferWithSize;
 
 class NET_EXPORT_PRIVATE WebSocketDeflater {
  public:
-  // Do not reorder or remove entries of this enum. The values of them are used
-  // in UMA.
   enum ContextTakeOverMode {
     DO_NOT_TAKE_OVER_CONTEXT,
     TAKE_OVER_CONTEXT,
diff --git a/chromium/net/websockets/websocket_end_to_end_test.cc b/chromium/net/websockets/websocket_end_to_end_test.cc
index 7edcbb0b9a3..3082311a225 100644
--- a/chromium/net/websockets/websocket_end_to_end_test.cc
+++ b/chromium/net/websockets/websocket_end_to_end_test.cc
@@ -104,7 +104,7 @@ class ConnectTestingEventInterface : public WebSocketEventInterface {
                    scoped_refptr<IOBuffer> data,
                    size_t data_size) override;
 
-  void OnFlowControl(int64_t quota) override;
+  void OnSendFlowControlQuotaAdded(int64_t quota) override;
 
   void OnClosingHandshake() override;
 
@@ -178,7 +178,7 @@ void ConnectTestingEventInterface::OnDataFrame(bool fin,
                                                scoped_refptr<IOBuffer> data,
                                                size_t data_size) {}
 
-void ConnectTestingEventInterface::OnFlowControl(int64_t quota) {}
+void ConnectTestingEventInterface::OnSendFlowControlQuotaAdded(int64_t quota) {}
 
 void ConnectTestingEventInterface::OnClosingHandshake() {}
 
diff --git a/chromium/net/websockets/websocket_event_interface.h b/chromium/net/websockets/websocket_event_interface.h
index 0edf249082a..d154ea698f3 100644
--- a/chromium/net/websockets/websocket_event_interface.h
+++ b/chromium/net/websockets/websocket_event_interface.h
@@ -56,9 +56,8 @@ class NET_EXPORT WebSocketEventInterface {
                            size_t buffer_size) = 0;
 
   // Called to provide more send quota for this channel to the renderer
-  // process. Currently the quota units are always bytes of message body
-  // data. In future it might depend on the type of multiplexing in use.
-  virtual void OnFlowControl(int64_t quota) = 0;
+  // process.
+  virtual void OnSendFlowControlQuotaAdded(int64_t quota) = 0;
 
   // Called when the remote server has Started the WebSocket Closing
   // Handshake. The client should not attempt to send any more messages after
diff --git a/chromium/net/websockets/websocket_frame_parser_fuzzer.cc b/chromium/net/websockets/websocket_frame_parser_fuzzer.cc
index 90c5d92bcd4..acb3db3f36c 100644
--- a/chromium/net/websockets/websocket_frame_parser_fuzzer.cc
+++ b/chromium/net/websockets/websocket_frame_parser_fuzzer.cc
@@ -7,12 +7,12 @@
 
 #include <vector>
 
-#include "base/test/fuzzed_data_provider.h"
 #include "net/websockets/websocket_frame_parser.h"
+#include "third_party/libFuzzer/src/utils/FuzzedDataProvider.h"
 
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  base::FuzzedDataProvider fuzzed_data_provider(data, size);
+  FuzzedDataProvider fuzzed_data_provider(data, size);
   net::WebSocketFrameParser parser;
   std::vector<std::unique_ptr<net::WebSocketFrameChunk>> frame_chunks;
   while (fuzzed_data_provider.remaining_bytes() > 0) {
diff --git a/chromium/net/websockets/websocket_handshake_stream_base.cc b/chromium/net/websockets/websocket_handshake_stream_base.cc
index 11d00c69c42..16b4db5952b 100644
--- a/chromium/net/websockets/websocket_handshake_stream_base.cc
+++ b/chromium/net/websockets/websocket_handshake_stream_base.cc
@@ -145,10 +145,4 @@ void WebSocketHandshakeStreamBase::RecordHandshakeResult(
                             HandshakeResult::NUM_HANDSHAKE_RESULT_TYPES);
 }
 
-void WebSocketHandshakeStreamBase::RecordDeflateMode(
-    WebSocketDeflateParameters::ContextTakeOverMode deflate_mode) {
-  UMA_HISTOGRAM_ENUMERATION("Net.WebSocket.DeflateMode", deflate_mode,
-                            WebSocketDeflater::NUM_CONTEXT_TAKEOVER_MODE_TYPES);
-}
-
 }  // namespace net
diff --git a/chromium/net/websockets/websocket_handshake_stream_base.h b/chromium/net/websockets/websocket_handshake_stream_base.h
index 860e0af5ee3..4fa19ad30f5 100644
--- a/chromium/net/websockets/websocket_handshake_stream_base.h
+++ b/chromium/net/websockets/websocket_handshake_stream_base.h
@@ -147,8 +147,6 @@ class NET_EXPORT WebSocketHandshakeStreamBase : public HttpStream {
                                  WebSocketExtensionParams* params);
 
   void RecordHandshakeResult(HandshakeResult result);
-  void RecordDeflateMode(
-      WebSocketDeflateParameters::ContextTakeOverMode deflate_mode);
 
  private:
   DISALLOW_COPY_AND_ASSIGN(WebSocketHandshakeStreamBase);
diff --git a/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc b/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
index 4acedb1f674..3678bf58f6d 100644
--- a/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
+++ b/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
@@ -14,6 +14,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_endpoint.h"
+#include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/proxy_server.h"
@@ -73,8 +74,7 @@ class MockClientSocketHandleFactory {
             nullptr /* quic_stream_factory */,
             nullptr /* proxy_delegate */,
             nullptr /* http_user_agent_settings */,
-            SSLClientSocketContext(),
-            SSLClientSocketContext(),
+            nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
             nullptr /* net_log */,
diff --git a/chromium/net/websockets/websocket_http2_handshake_stream.cc b/chromium/net/websockets/websocket_http2_handshake_stream.cc
index 055c4d5064a..99910c99b8d 100644
--- a/chromium/net/websockets/websocket_http2_handshake_stream.cc
+++ b/chromium/net/websockets/websocket_http2_handshake_stream.cc
@@ -53,8 +53,7 @@ WebSocketHttp2HandshakeStream::WebSocketHttp2HandshakeStream(
       request_info_(nullptr),
       stream_closed_(false),
       stream_error_(OK),
-      response_headers_complete_(false),
-      weak_ptr_factory_(this) {
+      response_headers_complete_(false) {
   DCHECK(connect_delegate);
   DCHECK(request);
 }
@@ -246,9 +245,6 @@ std::unique_ptr<WebSocketStream> WebSocketHttp2HandshakeStream::Upgrade() {
   if (!extension_params_->deflate_enabled)
     return basic_stream;
 
-  RecordDeflateMode(
-      extension_params_->deflate_parameters.client_context_take_over_mode());
-
   return std::make_unique<WebSocketDeflateStream>(
       std::move(basic_stream), extension_params_->deflate_parameters,
       std::make_unique<WebSocketDeflatePredictorImpl>());
diff --git a/chromium/net/websockets/websocket_http2_handshake_stream.h b/chromium/net/websockets/websocket_http2_handshake_stream.h
index af734454cec..23ab9d2cd9c 100644
--- a/chromium/net/websockets/websocket_http2_handshake_stream.h
+++ b/chromium/net/websockets/websocket_http2_handshake_stream.h
@@ -177,7 +177,7 @@ class NET_EXPORT_PRIVATE WebSocketHttp2HandshakeStream
   // to avoid including extension-related header files here.
   std::unique_ptr<WebSocketExtensionParams> extension_params_;
 
-  base::WeakPtrFactory<WebSocketHttp2HandshakeStream> weak_ptr_factory_;
+  base::WeakPtrFactory<WebSocketHttp2HandshakeStream> weak_ptr_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(WebSocketHttp2HandshakeStream);
 };
diff --git a/chromium/net/websockets/websocket_stream.cc b/chromium/net/websockets/websocket_stream.cc
index 1ed8337a566..fb788833252 100644
--- a/chromium/net/websockets/websocket_stream.cc
+++ b/chromium/net/websockets/websocket_stream.cc
@@ -123,7 +123,6 @@ class WebSocketStreamRequestImpl : public WebSocketStreamRequestAPI {
                                             &delegate_,
                                             kTrafficAnnotation)),
         connect_delegate_(std::move(connect_delegate)),
-        perform_upgrade_has_been_called_(false),
         api_delegate_(std::move(api_delegate)) {
     HttpRequestHeaders headers = additional_headers;
     headers.SetHeader(websockets::kUpgrade, websockets::kWebSocketLowercase);
@@ -189,17 +188,11 @@ class WebSocketStreamRequestImpl : public WebSocketStreamRequestAPI {
 
   void PerformUpgrade() {
     DCHECK(timer_);
-    CHECK(!perform_upgrade_has_been_called_);
-    // TODO(bnc): Change to DCHECK after https://crbug.com/850183 is fixed.
-    CHECK(connect_delegate_);
-
-    perform_upgrade_has_been_called_ = true;
+    DCHECK(connect_delegate_);
 
     timer_->Stop();
 
     if (!handshake_stream_) {
-      // TODO(https://crbug.com/850183):
-      // Find out why this can happen and make it stop.
       ReportFailureWithMessage(
           "No handshake stream has been created "
           "or handshake stream is already destroyed.");
@@ -209,9 +202,7 @@ class WebSocketStreamRequestImpl : public WebSocketStreamRequestAPI {
     std::unique_ptr<URLRequest> url_request = std::move(url_request_);
     WebSocketHandshakeStreamBase* handshake_stream = handshake_stream_.get();
     handshake_stream_.reset();
-    // TODO(bnc): Combine into one line after https://crbug.com/850183 is fixed.
-    std::unique_ptr<WebSocketStream> stream = handshake_stream->Upgrade();
-    connect_delegate_->OnSuccess(std::move(stream));
+    connect_delegate_->OnSuccess(handshake_stream->Upgrade());
 
     // This is safe even if |this| has already been deleted.
     url_request->CancelWithError(ERR_WS_UPGRADE);
@@ -275,8 +266,7 @@ class WebSocketStreamRequestImpl : public WebSocketStreamRequestAPI {
  private:
   void OnHandshakeStreamCreated(
       WebSocketHandshakeStreamBase* handshake_stream) {
-    // TODO(bnc): Change to DCHECK after https://crbug.com/850183 is fixed.
-    CHECK(handshake_stream);
+    DCHECK(handshake_stream);
 
     handshake_stream_ = handshake_stream->GetWeakPtr();
   }
@@ -299,9 +289,6 @@ class WebSocketStreamRequestImpl : public WebSocketStreamRequestAPI {
   // succeeded.
   base::WeakPtr<WebSocketHandshakeStreamBase> handshake_stream_;
 
-  // TODO(bnc): Remove after https://crbug.com/850183 is fixed.
-  bool perform_upgrade_has_been_called_;
-
   // The failure message supplied by WebSocketBasicHandshakeStream, if any.
   std::string failure_message_;
 
diff --git a/chromium/net/websockets/websocket_stream_test.cc b/chromium/net/websockets/websocket_stream_test.cc
index 13d350c115f..66e30b5dce0 100644
--- a/chromium/net/websockets/websocket_stream_test.cc
+++ b/chromium/net/websockets/websocket_stream_test.cc
@@ -1613,7 +1613,7 @@ TEST_P(WebSocketMultiProtocolStreamCreateTest, Http2StreamReset) {
     stream_request_.reset();
 
     EXPECT_TRUE(has_failed());
-    EXPECT_EQ("Stream closed with error: net::ERR_SPDY_PROTOCOL_ERROR",
+    EXPECT_EQ("Stream closed with error: net::ERR_HTTP2_PROTOCOL_ERROR",
               failure_message());
 
     auto samples = histogram_tester.GetHistogramSamplesSinceCreation(